CN111404924B - Security management and control method, device, equipment and storage medium of cluster system - Google Patents
- Publication number: CN111404924B (application CN202010172282.9A)
- Authority: CN (China)
- Prior art keywords: node, cluster, sub, working, working node
- Legal status: Active (as listed by Google Patents; the listed status is an assumption, not a legal conclusion)
Classifications
- H04L63/02: Network architectures or network communication protocols for network security, for separating internal from external traffic, e.g. firewalls
- H04L63/0227: Filtering policies
- H04L63/0263: Rule management
- H04L63/10: Network security for controlling access to devices or network resources
- H04L63/20: Managing network security; network security policies in general
- H04L67/10: Protocols in which an application is distributed across nodes in the network
- H04L67/1095: Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
Abstract
The invention provides a security management and control method, a security management and control device, electronic equipment and a storage medium for a cluster system. The cluster system comprises at least two sub-clusters for supporting a network application, and the method comprises the following steps: each node in each sub-cluster of the at least two sub-clusters obtains a node list of the sub-cluster to which the node belongs; a firewall rule of the sub-cluster is generated according to the security policy of the node and the node list; and the firewall rule is applied to construct a firewall between the sub-cluster to which the node belongs and external sub-clusters, and to open the intercommunication permission between the node and the nodes in the node list.
Description
Technical Field
The present invention relates to network security technologies, and in particular, to a security management and control method and apparatus for a cluster system, an electronic device, and a storage medium.
Background
With the continuous development of modern information technology, the scale of data calculation, processing and storage keeps growing, and so do the requirements on network security management capability. The traditional monolithic (single-instance) application deployment mode increasingly fails to meet production requirements, and distributed cluster architectures built from various emerging technologies have gradually emerged: a complete service is often composed of different clusters of server applications with different functions, and data is exchanged between the clusters over a network. At the same time, cluster network security has to be addressed through carefully designed firewall rules and hardware, and in actual production, as cluster types multiply and scale keeps expanding, network security management becomes increasingly complex and difficult.
In the related art, firewall solutions mainly address how to construct a firewall rule set and how to store and issue it in a unified way, by introducing external network management equipment, adding a gateway layer or other control equipment. They generally require the user to have substantial firewall expertise and the skills to use specific network hardware products, so as to deploy unified control equipment or add other hardware outside the service cluster, and they solve the cluster network security problem by adding carefully designed firewall rules and hardware.
Disclosure of Invention
Embodiments of the present invention provide a security management and control method and apparatus for a cluster system, an electronic device, and a storage medium, which can implement fine-grained isolation between clusters and implement automated management of security policies.
The technical scheme of the embodiment of the invention is realized as follows:
the embodiment of the invention provides a security management and control method of a cluster system, wherein the cluster system comprises at least two sub-clusters for supporting a network application; the security management and control method comprises the following steps:
each node in each sub-cluster of the at least two sub-clusters obtains a node list of the sub-cluster to which the node belongs;
generating a firewall rule of the sub-cluster according to the security policy of the node and the node list;
and applying the firewall rules to construct a firewall between the sub-cluster to which the node belongs and an external sub-cluster, and opening the intercommunication permission between the node and the nodes in the node list.
The embodiment of the invention provides a security management and control device of a cluster system, wherein the cluster system comprises at least two sub-clusters for supporting a network application; the device comprises:
a node list obtaining module, configured to obtain, for each node in each of the at least two sub-clusters, a node list of the sub-cluster to which the node belongs;
a firewall rule generating module, configured to generate a firewall rule of the sub-cluster according to the security policy of the node and the node list;
and the firewall rule application module is used for applying the firewall rules to construct a firewall between the sub-cluster to which the node belongs and an external sub-cluster, and opening the intercommunication permission between the node and the nodes in the node list.
In the above solution, the type of the node in each of the at least two sub-clusters includes a management node and a working node; the node list obtaining module is further configured to:
each working node in each sub-cluster of the at least two sub-clusters sends information of the working node to a management node in the sub-cluster to which the working node belongs, so that the management node generates a node list according to the information of each working node in the sub-cluster to which the management node belongs;
and each working node in each of the at least two sub-clusters sends a node list request to a management node in the sub-cluster to which the working node belongs, and receives a node list of the sub-cluster to which the working node belongs, which is returned by the management node.
In the foregoing solution, the firewall rule generating module is further configured to:
each working node in each of the at least two sub-clusters acquires addresses and ports of other working nodes from a node list of the sub-cluster to which the working node belongs so as to generate firewall rules of the sub-clusters allowing the other working nodes to communicate with the nodes through the addresses and the ports;
wherein the other working nodes are any working nodes except the working node in the sub-cluster to which the node belongs;
each worker node within each of the at least two sub-clusters obtains from the security policy a protocol and port opened by the sub-cluster to an external sub-cluster to generate firewall rules for the sub-cluster that allow the external sub-cluster to communicate with the worker node via the protocol and port.
In the foregoing solution, the firewall rule generating module is further configured to: prior to generating the firewall rules for the sub-cluster from the security policy for the node and the list of nodes,
each working node in each of the at least two sub-clusters determines a hash value of a current firewall rule and compares the hash value with a hash value prestored last time of the working node;
and when the comparison is consistent, determining that the current firewall rule of the working node passes the verification, and determining that the firewall rule of the sub-cluster is generated according to the security policy of the working node and the node list so as to apply the generated firewall rule.
In the foregoing solution, the node list obtaining module is further configured to: before each node in each of the at least two sub-clusters obtains a list of nodes of the sub-cluster to which the node belongs,
each management node of each sub-cluster of the at least two sub-clusters sends the node change information of the administered sub-cluster to other management nodes of the administered sub-cluster so as to enable other management nodes of the administered sub-cluster to synchronize the stored node list, and
receiving node change information sent by other management nodes of the managed sub-cluster so as to synchronize the stored node list;
the node change information comprises node joining information and node exiting information.
In the foregoing solution, the node list obtaining module is further configured to: before each node within each of the at least two sub-clusters obtains a list of nodes of the sub-cluster to which the node belongs,
each management node in each of the at least two sub-clusters performs the following initialization processing for the new working node requesting to join:
carrying out authentication based on account information and password information on the new working node;
and when the authentication is passed, adding the new working node into the sub-cluster governed by the management node.
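The management-node side described above (authenticated join of a new working node, the node list served to working nodes, and node change information exchanged between management nodes to keep their stored lists synchronized), as an added illustration that is not the patent's own code. The credential store, message fields, class and function names and the sample addresses are assumptions; the password is verified against a salted PBKDF2 hash with a constant-time compare, so no plaintext password is stored.

```python
"""Management node of one sub-cluster: authenticated join, node list, and
change-information synchronization between management nodes.

Added illustration, not the patent's code; names and data are assumptions.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple


def _pw_hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 of the account password (assumed scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_account(password: str) -> Tuple[bytes, bytes]:
    """Create a credential entry (salt, hash) for the account store."""
    salt = os.urandom(16)
    return salt, _pw_hash(password, salt)


class ManagementNode:
    def __init__(self, name: str, accounts: Dict[str, Tuple[bytes, bytes]]):
        self.name = name
        self.accounts = accounts            # account -> (salt, pbkdf2 hash)
        self.nodes: Dict[str, Dict] = {}    # working node addr -> node info
        self.peers: List["ManagementNode"] = []  # other management nodes

    def authenticate(self, account: str, password: str) -> bool:
        """Account/password check with a constant-time digest comparison."""
        entry = self.accounts.get(account)
        if entry is None:
            return False
        salt, expected = entry
        return hmac.compare_digest(_pw_hash(password, salt), expected)

    def join(self, node: Dict, account: str, password: str) -> bool:
        """Initialization for a new working node: authenticate first, then add
        it to the governed sub-cluster and broadcast the join information."""
        if not self.authenticate(account, password):
            return False
        self.nodes[node["addr"]] = node
        self._broadcast({"joined": [node], "exited": []})
        return True

    def leave(self, addr: str) -> bool:
        """Remove an exiting working node and broadcast the exit information."""
        node = self.nodes.pop(addr, None)
        if node is None:
            return False
        self._broadcast({"joined": [], "exited": [node]})
        return True

    def node_list(self) -> List[Dict]:
        """Answer a working node's node list request."""
        return sorted(self.nodes.values(), key=lambda n: n["addr"])

    def _broadcast(self, change: Dict) -> None:
        for peer in self.peers:
            peer.receive_change(change)

    def receive_change(self, change: Dict) -> None:
        """Synchronize the stored node list from another management node's
        change information (no re-broadcast, so updates cannot loop)."""
        for n in change["exited"]:
            self.nodes.pop(n["addr"], None)
        for n in change["joined"]:
            self.nodes[n["addr"]] = n


def demo() -> bool:
    """Two management nodes of one sub-cluster stay in sync via change info."""
    accounts = {"worker-svc": make_account("constructed-secret")}
    m1, m2 = ManagementNode("m1", accounts), ManagementNode("m2", accounts)
    m1.peers, m2.peers = [m2], [m1]
    bad = m1.join({"addr": "10.0.1.11", "port": 8080}, "worker-svc", "wrong")
    ok1 = m1.join({"addr": "10.0.1.11", "port": 8080}, "worker-svc", "constructed-secret")
    ok2 = m2.join({"addr": "10.0.1.12", "port": 8080}, "worker-svc", "constructed-secret")
    return (not bad) and ok1 and ok2 and m1.node_list() == m2.node_list()
```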
In the above solution, the apparatus further comprises a cycle detection module configured to:
each working node in each sub-cluster of the at least two sub-clusters sends a node cycle detection request to a management node of the sub-cluster to which the working node belongs so as to obtain node change information of the sub-cluster to which the working node belongs;
wherein the node change information includes at least one of: information of new working nodes joining the sub-cluster; information of a working node exiting the sub-cluster;
updating the firewall rules based on the node change information.
In the foregoing solution, the cycle detection module is further configured to:
when the node change information represents that a new working node is added, updating the information of the new working node into the firewall rule;
and when the node change information represents that the withdrawn working node exists, removing the information of the withdrawn working node from the firewall rule.
In the foregoing solution, the cycle detection module is further configured to:
each worker node within each of the at least two sub-clusters periodically checks the applied firewall rules;
and when the applied firewall rule is detected to be inconsistent with the firewall rule generated last time, regenerating the new firewall rule of the sub-cluster so as to update the applied firewall rule.
In the foregoing solution, the cycle detection module is further configured to:
each working node in each of the at least two sub-clusters obtains a new node list from a management node of the sub-cluster to which the working node belongs;
acquiring addresses and ports of other working nodes in the sub-cluster from the new node list to generate firewall rules of the sub-cluster allowing the other working nodes to communicate with the working nodes through the addresses and the ports;
wherein the other working nodes are any working nodes except the working node in the sub-cluster to which the node belongs;
each worker node within each of the at least two sub-clusters obtains from the security policy a protocol and port opened by the sub-cluster to an external sub-cluster to generate firewall rules for the sub-cluster that allow the external sub-cluster to communicate with the worker node via the protocol and port.
In the foregoing solution, the firewall rule application module is further configured to:
each worker node in each of the at least two sub-clusters receives a network request from an external sub-cluster;
when the protocol used by the network request is consistent with the protocol used when the firewall rule allows the communication with the working node, and the destination port of the network request is consistent with the port used when the firewall rule allows the cross-cluster communication with the working node, responding to the network request to establish the corresponding network connection;
and when the protocol used by the network request is inconsistent with the protocol used when the firewall rule allows cross-cluster communication with the working node, and/or the destination port of the network request is inconsistent with the port used when the firewall rule allows cross-cluster communication with the working node, rejecting the network request.
In the foregoing solution, the firewall rule applying module is further configured to:
each work node in each of the at least two sub-clusters receives a network request from the sub-cluster to which it belongs;
when the destination address of the network request is consistent with the address used when the firewall rule allows intra-cluster communication with the working node, and the destination port of the network request is consistent with the port used when the firewall rule allows intra-cluster communication with the working node, responding to the network request to establish the corresponding network connection;
and when the destination address of the network request is inconsistent with the address used when the firewall rule allows intra-cluster communication with the working node, and/or the destination port of the network request is inconsistent with the port used when the firewall rule allows intra-cluster communication with the working node, rejecting the network request.
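The working-node side of the scheme in one piece: rule generation from the node list and security policy, the hash comparison of the applied rules against the last generated rules, regeneration on node join or exit, and the accept/reject decision for cross-cluster and intra-cluster requests. This is an added illustration, not the patent's own code; the structured rule format, field names, the choice of TCP for intra-cluster rules and all sample addresses are assumptions, and the rules are rendered as iptables lines but never applied, so it runs offline.

```python
"""Per-working-node firewall management for one sub-cluster.

Added illustration, not the patent's code; the rule representation, field
names and sample data are assumptions.
"""
import hashlib
from typing import Dict, List, Tuple

# Constructed sample data: this working node, the node list returned by its
# management node, and its security policy.
SELF_NODE = {"addr": "10.0.1.10", "port": 8080}
NODE_LIST = [
    {"addr": "10.0.1.10", "port": 8080},  # this node itself: must be skipped
    {"addr": "10.0.1.11", "port": 8080},
    {"addr": "10.0.1.12", "port": 8080},
]
# Protocol/port pairs the sub-cluster opens to external sub-clusters.
SECURITY_POLICY = {"external": [("tcp", 443)]}


def generate_rules(self_node: Dict, node_list: List[Dict], policy: Dict) -> List[Dict]:
    """Intra-cluster rules for every *other* working node (address and port),
    then the protocol/port the policy opens to external sub-clusters."""
    rules = []
    for peer in node_list:
        if peer["addr"] == self_node["addr"]:
            continue
        rules.append({"scope": "intra", "addr": peer["addr"],
                      "proto": "tcp", "port": peer["port"]})  # tcp assumed
    for proto, port in policy["external"]:
        rules.append({"scope": "external", "addr": None,
                      "proto": proto, "port": port})
    return rules


def render_iptables(rules: List[Dict]) -> List[str]:
    """Render the rules as iptables INPUT-chain lines plus a default drop,
    so anything not explicitly opened is rejected."""
    lines = []
    for r in rules:
        src = f" -s {r['addr']}" if r["addr"] else ""
        lines.append(f"-A INPUT{src} -p {r['proto']} --dport {r['port']} -j ACCEPT")
    lines.append("-A INPUT -j DROP")
    return lines


def rules_hash(rules: List[Dict]) -> str:
    """SHA-256 over the rendered rule text; stored after each generation."""
    return hashlib.sha256("\n".join(render_iptables(rules)).encode()).hexdigest()


def apply_change(node_list: List[Dict], change: Dict) -> List[Dict]:
    """Node change information: drop exited nodes, add newly joined ones."""
    exited = {n["addr"] for n in change.get("exited", [])}
    updated = [n for n in node_list if n["addr"] not in exited]
    for n in change.get("joined", []):
        if all(n["addr"] != m["addr"] for m in updated):
            updated.append(n)
    return updated


def check_cycle(self_node: Dict, node_list: List[Dict], policy: Dict,
                applied: List[Dict], stored_hash: str, change: Dict
                ) -> Tuple[List[Dict], List[Dict], bool]:
    """One detection cycle: regenerate when the applied rules no longer hash
    to the stored value (drift or tampering) or when the node list changed.
    Returns (node_list, rules, regenerated)."""
    new_list = apply_change(node_list, change)
    drifted = rules_hash(applied) != stored_hash
    if not drifted and new_list == node_list:
        return node_list, applied, False
    return new_list, generate_rules(self_node, new_list, policy), True


def decide(rules: List[Dict], request: Dict) -> str:
    """Accept or reject an incoming request.  A request from an external
    sub-cluster must match the opened protocol and destination port; a
    request from the own sub-cluster must match a listed peer address and
    port.  Any mismatch in either field rejects the request."""
    for r in rules:
        if r["scope"] != request["origin"] or r["port"] != request["port"]:
            continue
        if r["scope"] == "external" and r["proto"] != request["proto"]:
            continue
        if r["scope"] == "intra" and r["addr"] != request["addr"]:
            continue
        return "accept"
    return "reject"


if __name__ == "__main__":
    rules = generate_rules(SELF_NODE, NODE_LIST, SECURITY_POLICY)
    print("\n".join(render_iptables(rules)))
    joined = {"joined": [{"addr": "10.0.1.13", "port": 8080}]}
    _, new_rules, again = check_cycle(
        SELF_NODE, NODE_LIST, SECURITY_POLICY, rules, rules_hash(rules), joined)
    print("regenerated after join:", again, "rule count:", len(new_rules))
```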
An embodiment of the present invention provides an electronic device, including:
a memory for storing executable instructions;
and the processor is used for realizing the security control method of the cluster system provided by the embodiment of the invention when the executable instruction stored in the memory is executed.
The embodiment of the invention provides a storage medium, which stores executable instructions and is used for causing a processor to execute so as to realize the security control method of a cluster system provided by the embodiment of the invention.
The embodiment of the invention has the following beneficial effects:
communication among the sub-clusters is controlled by firewalls, and the firewall rules are updated automatically, without manual configuration, when the cluster nodes change.
Drawings
Fig. 1 is an alternative schematic structural diagram of a cluster system according to an embodiment of the present invention;
fig. 2 is an alternative structural schematic diagram of a server 200 of a cluster system according to an embodiment of the present invention;
fig. 3A to 3E are schematic diagrams illustrating alternative flows of a security management method of a cluster system according to an embodiment of the present invention;
FIG. 4 is a system architecture diagram of a web page class service cluster architecture provided by an embodiment of the present invention;
FIG. 5 is a diagram of a deployment architecture of a web page class service cluster system according to an embodiment of the present invention;
fig. 6 is a schematic timing diagram of a security management method of a cluster system according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be further described in detail with reference to the accompanying drawings, the described embodiments should not be construed as limiting the present invention, and all other embodiments obtained by a person of ordinary skill in the art without creative efforts shall fall within the protection scope of the present invention.
In the following description, reference is made to "some embodiments" which describe a subset of all possible embodiments, but it is understood that "some embodiments" may be the same subset or different subsets of all possible embodiments, and may be combined with each other without conflict.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used herein is for the purpose of describing embodiments of the invention only and is not intended to be limiting of the invention.
Before further detailed description of the embodiments of the present invention, terms and expressions referred to in the embodiments of the present invention are described, and the terms and expressions referred to in the embodiments of the present invention are applicable to the following explanations.
1) Long connection: a connection over which a plurality of packets can be transmitted continuously. While the connection is maintained, if no packet is being transmitted, both sides are required to send link check packets; that is, the connection is kept and reused even when there is no data transmission, without releasing the resources used to establish it.
2) Command line interface management component: a command line interface processes the commands of a computer program in the form of text lines; the program that handles the interface is called a command line interpreter or command line processor. This mode is used by routers, switches and firewalls, which are configured and managed through a series of related commands.
3) Iptables: a network firewall application running in user space, which manages the processing and forwarding of network data packets by controlling the Linux kernel network filter (netfilter) module.
4) Nftables: a new packet classification framework and a new Linux firewall manager, intended to replace the existing Iptables.
5) Web application: a service that runs on a server in a network; i.e. a service deployed in a server of the network (i.e. the programs and documents of the web application are stored statically in the file system of the server) and running there (i.e. a running instance of the web application is started). The content of the web application (including the running process and the running result) is displayed in a page of a user-oriented front end (e.g. a page in a browser or a page in a dedicated client), and the user's operations in the front-end page are submitted to the server, so that the server updates the content displayed in the front-end page. For example, network applications include various types of cloud games, online videos, and online documents.
The related technology mainly focuses on how to construct a firewall rule set and how to store and issue it in a unified way, by introducing external network management equipment, adding gateway layers or other control equipment. It generally requires the user to have substantial firewall expertise and the skills to use specific network hardware products, deploys unified control equipment or adds other hardware outside the service cluster, and solves the cluster network security problem by adding hardware to carefully designed firewall rules.
The technical scheme of the related art has the following disadvantages:
1. the use threshold is high: the requirements on the user's professional domain knowledge and the learning cost are very high. For example, hardware-controlled firewall equipment requires at least skilled mastery of the configuration, use and management of the specific hardware device, while software-controlled firewalls require the user to master the use of various software packages and the methods, commands and parameters for defining control rules. The use threshold is therefore very high, and any omission, wrong match or mismatch caused by human error can pose a serious security threat to production and even cause production accidents;
2. the construction cost is high: although cloud-based security policy management simplifies use and reduces the learning cost, its prerequisite is that the service application must run on a public cloud or on an introduced private cloud. The many enterprises that cannot use a public cloud for specific reasons, or cannot adopt private cloud technology because of factors such as high construction cost, cannot enjoy the convenience of cloud management;
3. coarse management granularity: whether for traditional or cloud firewall rules, the rule management mode is very coarse-grained, with security boundaries drawn by subnet or network segment. In actual production, however, a plurality of service clusters are usually superposed and mixed across several subnets or network segments, so security boundaries at the granularity of service clusters are difficult to realize;
4. the maintenance cost is high: even if fine-grained firewall rule management were realized with the prior art, a cluster is inherently dynamic because of service development changes and the characteristics of cluster and hardware technology. The architecture adjustments required by rapid service development and the node changes within a cluster make the later maintenance cost of firewall rules applied to a cluster very high.
In summary, the security management techniques of the related art have a relatively coarse granularity: they can maintain isolation between the internal network and the public network, but cannot achieve fine-grained isolation between clusters in the internal network. Once an attacker has infiltrated one cluster, the cost of attacking other internal clusters is very low; the management difficulty is large, and manually establishing and maintaining cluster security policies for hundreds of nodes cannot meet production requirements.
The embodiment of the invention provides a security policy management method and system that combine modern operating system software firewall technology with cluster management technology, and establishes an effective control mechanism for the cluster security policies required in production activities. Compared with the management methods of the related art, the security management and control method of the cluster system provided by the embodiment of the invention solves the problem of fine-grained isolation between clusters, realizes a general automated system for large-scale cluster security policy management, and has innovative value and high practical guiding significance.
The embodiment of the invention provides a security control method, a security control device, electronic equipment and a storage medium for a cluster system, which can solve the problem of fine-grained isolation between clusters and realize a general automation system for large-scale cluster security policy management. In the following, an exemplary application of the cluster system will be explained.
Referring to fig. 1, fig. 1 is an optional architecture schematic diagram of a cluster system 100 provided in an embodiment of the present invention, where the cluster system includes at least 2 sub-clusters; their concrete number and functions are set flexibly according to the network application, and the nodes are abstractions of the resources (including computing resources and communication resources) of physical machines through virtualization technologies. For each sub-cluster, the nodes can be divided into management nodes and working nodes, wherein a management node is used for cluster node information management and a working node is used for managing the node's local software firewall rules. The cluster system 100 may be used to support network applications, for example WEB-type network applications.
In fig. 1, a terminal 400 is connected to servers 200 (WEB servers 200-1-1, 200-1-2 … 200-1-m and static file storages 200-2-1, 200-2-2 … 200-2-n are shown as examples) through a network 300, which may be a wide area network, a local area network, or a combination of both; the servers 200 are connected to databases 500 (databases 500-1, 500-2 … 500-p) through the network 300. The cluster system 100 is thus formed by three sub-function clusters. The servers and databases in the cluster system are physical machines. Some of the physical machines may act as management nodes, or the management nodes may be physical machines outside the cluster system. A working component that manages the local software firewall rules runs on each physical machine node acting as a working node, and a management component that manages node information runs on some of the physical machine nodes, which thereby act as management nodes. Working nodes report their information to the management node, and the management node manages all nodes in its sub-function cluster; some physical machine nodes in a cluster serve as management nodes while also serving as working nodes.
Taking the example of supporting WEB-like network applications, the cluster system 100 may include a WEB server cluster, a static file storage cluster and a database cluster, the terminal 400 directly interacts with the WEB server cluster only, the sub-clusters are connected via an intranet to indirectly provide services for clients on the terminal 400, the terminal 400 sends a network request for acquiring a WEB page to a certain node in the WEB server cluster, the node in the WEB server cluster may perform data communication with a node in the static file storage cluster or a node in the database cluster to acquire a WEB page corresponding to the network request as response information (communication between different sub-clusters) and return the response information to the terminal 400, or the terminal 400 sends a network request to the WEB server cluster, the node in the WEB server cluster receiving the network request communicates with other nodes in the WEB server cluster (communication between the same sub-cluster), to acquire a web page corresponding to the network request as response information, and return the response information to the terminal 400.
Referring to fig. 2, fig. 2 is an optional schematic structural diagram of a server 200 of a cluster system according to an embodiment of the present invention, where the server 200 shown in fig. 2 includes: at least one processor 210, memory 250, at least one network interface 220. The various components in server 200 are coupled together by bus system 240. It is understood that the bus system 240 is used to enable communications among the components. The bus system 240 includes a power bus, a control bus, and a status signal bus in addition to a data bus. For clarity of illustration, however, the various buses are labeled as bus system 240 in fig. 2.
The processor 210 may be an integrated circuit chip having signal processing capabilities, such as a general purpose processor, a Digital Signal Processor (DSP), or another programmable logic device, discrete gate or transistor logic device, discrete hardware component, or the like, where the general purpose processor may be a microprocessor or any conventional processor.
The memory 250 may be removable, non-removable, or a combination thereof. Exemplary hardware devices include solid state memory, hard disk drives, optical disk drives, and the like. Memory 250 optionally includes one or more storage devices physically located remotely from processor 210.
The memory 250 includes volatile memory or nonvolatile memory, and can also include both volatile and nonvolatile memory. The nonvolatile memory may be a Read Only Memory (ROM), and the volatile memory may be a Random Access Memory (RAM). The memory 250 described in embodiments of the invention is intended to comprise any suitable type of memory.
In some embodiments, memory 250 is capable of storing data, examples of which include programs, modules, and data structures, or a subset or superset thereof, to support various operations, as exemplified below.
An operating system 251 including system programs for processing various basic system services and performing hardware-related tasks, such as a framework layer, a core library layer, a driver layer, etc., for implementing various basic services and processing hardware-based tasks;
a network communication module 252 for communicating with other computing devices via one or more (wired or wireless) network interfaces 220; exemplary network interfaces 220 include Bluetooth, Wi-Fi, and Universal Serial Bus (USB), among others.
In some embodiments, the security management apparatus 255 of the cluster system provided by the embodiment of the present invention may be implemented in software, and fig. 2 illustrates the security management apparatus 255 of the cluster system stored in the memory 250, which may be software in the form of programs and plug-ins, and includes the following software modules: node list acquisition module 2551, firewall rule generation module 2552, firewall rule application module 2553, and loop detection module 2554, which are logical and thus can be arbitrarily combined or further split depending on the functions implemented, the functions of each of which will be described below.
As an example, the security manager 255 of the cluster system may be in the form of a software package that includes a series of components for deployment onto initialized nodes of the cluster system to enable the nodes to form different types of nodes, including management nodes (e.g., with management components deployed) and worker nodes (e.g., with worker components deployed).
In other embodiments, the security management and control apparatus of the cluster system provided in the embodiments of the present invention may be implemented in hardware, and for example, the security management and control apparatus of the cluster system provided in the embodiments of the present invention may be a processor in the form of a hardware decoding processor, which is programmed to execute the security management and control method of the cluster system provided in the embodiments of the present invention, for example, the processor in the form of the hardware decoding processor may employ one or more Application Specific Integrated Circuits (ASICs), DSPs, Programmable Logic Devices (PLDs), Complex Programmable Logic Devices (CPLDs), Field Programmable Gate Arrays (FPGAs), or other electronic elements.
The security control method of the cluster system provided by the embodiment of the present invention will be described below with reference to exemplary applications and implementations of the server provided by the embodiment of the present invention.
Referring to fig. 3A, fig. 3A is an optional schematic flowchart of a security management method of a cluster system according to an embodiment of the present invention, where the cluster system includes at least two sub-clusters for supporting a network application; the description will be made in conjunction with steps 101-104 shown in fig. 3A.
In step 101, each node in each of at least two sub-clusters obtains a node list of the sub-cluster to which the node belongs.
Each sub-cluster is used to realize one or more functions supporting the network application. Fine-grained division of the clusters in the cluster system is actually part of the process of establishing the cluster system, which may be building the cluster system from scratch, or reducing or expanding the capacity of an existing cluster system (one in which a large number of physical machines were deployed in advance as the initial cluster system) according to actual service requirements. During establishment, the cluster system is implemented as sub-clusters with different functions according to the different service conditions, thereby realizing fine-grained division of the cluster.
Referring to fig. 3B, fig. 3B is an optional flowchart of the security management method for a cluster system according to an embodiment of the present invention, where the types of nodes in each of the at least two sub-clusters include management nodes and working nodes; step 101, in which each node in each of the at least two sub-clusters obtains the node list of the sub-cluster to which it belongs, can be implemented by steps 1011 to 1014.
In step 1011, each worker node in each of the at least two sub-clusters sends information of the worker node to the management node in the sub-cluster to which the worker node belongs.
In some embodiments, each working node in each of the at least two sub-clusters sends its information to the management node in the sub-cluster to which it belongs. The information of the working node is configured in detail in the basic configuration file of the working node. The file configures the cluster name of the working node: by default a working node automatically discovers the working nodes in the same network segment, and if several clusters exist in the same network segment, this attribute distinguishes them. The file also configures the node name: by default a name is chosen at random from a node name list, which is kept in a node name file within the configuration and to which several configurators have added names of their choosing. Finally, the file configures the network protocol address of the node.
In step 1012, the management node generates a node list according to the information of each working node in the administered sub-cluster.
In some embodiments, the management node generates the node list according to the information of each working node in the sub-cluster it governs. The management node is itself a physical machine node, namely the one that governs the working nodes of the sub-cluster. For example, if the working node in step 1011 is a working node in the first sub-cluster, the management node here is the node that governs all physical machines in the first sub-cluster, that is, all working nodes in the first sub-cluster. Whenever a working node newly joins the first sub-cluster, it reports to all management nodes in the first sub-cluster, so that the management node can generate the node list from the information of each working node in the governed sub-cluster; the node list includes the configuration information corresponding to each working node.
Referring to fig. 3C, fig. 3C is an optional flowchart of the security management method for a cluster system according to the embodiment of the present invention. Before each node in each of the at least two sub-clusters obtains the node list of the sub-cluster to which it belongs, each management node in each of the at least two sub-clusters performs the following initialization processing on a new working node requesting to join, that is, step 105-.
In step 105, the management node receives account information and password information of the new working node.
In step 106, the management node performs authentication based on the account information and the password information on the new working node.
In step 107, when the authentication passes, the management node adds the new worker node to the sub-cluster.
In some embodiments, taking the first sub-cluster as an example, the configuration administrator of the new working node and the configuration administrator of the management node of the first sub-cluster to be joined are the same party, which may be the same organization or individual. The configuration file of the new working node may therefore be preconfigured with account information and password information, and the management node of the first sub-cluster may likewise be preconfigured with the account information and password information of the new working node, so that the new working node logs in to the management node of the first sub-cluster with the preconfigured account information and password information, and the management node, once the authentication passes, adds the new working node to the first sub-cluster.
In step 1013, each worker node within each of the at least two sub-clusters sends a node list request to a management node in the sub-cluster to which it belongs.
In step 1014, each worker node within each of the at least two sub-clusters receives a list of nodes of the sub-cluster to which the worker node belongs returned by the management node.
In some embodiments, still taking the sub-cluster as the first sub-cluster as an example, the working node in the first sub-cluster sends a node list request to the management node in the first sub-cluster to which the working node belongs, and the management node in the first sub-cluster receives the node list request sent by the working node, so as to return the node list of the first sub-cluster to which the working node belongs to the working node.
In some embodiments, before each node in each of the at least two sub-clusters obtains the node list of the sub-cluster to which the node belongs, the following technical solution may be further executed, where each management node of each of the at least two sub-clusters sends the node change information of the governed sub-cluster to other management nodes of the governed sub-cluster, so that the other management nodes of the governed sub-cluster synchronize the stored node list, and receives the sent node change information from the other management nodes of the governed sub-cluster to synchronize the stored node list; the node change information comprises node joining information and node exiting information.
In some embodiments, when a working node exits or joins a sub-cluster, the working node itself reports its node information to a management node of the sub-cluster it joined, so that the management node learns the node information of the newly joined working node or of the withdrawn working node and updates the node list of the sub-cluster in time. The management node also sends the node change information of the sub-cluster it governs to the other management nodes of that sub-cluster, so that they synchronize their stored node lists, and receives the node change information sent by those other management nodes to synchronize its own stored node list. That is, node change information is also synchronized between the management nodes inside a sub-cluster, which keeps the node lists of the management nodes synchronized; the main purpose of synchronizing the management nodes within a sub-cluster is to prepare for network partitioning.
Here, a network partition refers to a network split caused by a network device failure. For example, with four nodes A, B, C and D, where A and B are in one sub-cluster and C and D are in another, if the communication between the two sub-clusters fails, that is, a network partition occurs, A/B and C/D cannot communicate. A network partition is a network failure that is difficult to avoid, so in order to recover autonomously after a network partition occurs, the latest node list must be synchronized in real time between the management nodes, so that the working nodes in the node list can be restarted. In a distributed system the network is usually assumed to be asynchronous, meaning that it may repeat, lose, delay or reorder any message transmitted between nodes; therefore, even though every management node is reported to whenever a working node exits or joins a sub-cluster, under actual network conditions the working nodes may, at the port level, experience blocked messaging, timeouts, and so on.
In step 102, the worker node generates a firewall rule of the sub-cluster according to the security policy of the worker node and the node list.
The security policies of the nodes within a sub-cluster may be uniform or differentiated. By default, the security policy opens communication permissions between the nodes within a sub-cluster to each other, while communication permissions between sub-clusters are opened according to the special configuration in the security policy; the way each working node in a sub-cluster opens communication with working nodes in external sub-clusters is defined by the security policy. In the field of network cluster security management, however, deploying on every physical machine node in the cluster a firewall rule that conforms to the expected security policy requires professional knowledge of firewall technology, which places high demands on the administrator of the cluster network. To reduce the demand for such specialist knowledge and the complexity of the administrator's work, the corresponding firewall rules are generated automatically from the security policy and node list set by the administrator.
In some embodiments, the firewall rules may be generated automatically by relying on the basic firewall rule management instructions provided by the operating system, such as iptables and nftables, together with a Python language runtime environment. Taking iptables instructions as an example: a chain's default policy is "ACCEPT" unless set otherwise; to set the default policy of the INPUT, FORWARD and OUTPUT chains to "DROP", the corresponding firewall rule commands are "iptables -P INPUT DROP; iptables -P FORWARD DROP; iptables -P OUTPUT DROP". To block a given IP network protocol address, for example to discard packets from IP address x.x.x.x, the rule is "iptables -A INPUT -s x.x.x.x -j DROP"; to block TCP packets from IP address x.x.x.x arriving on eth0, the corresponding firewall rule is "iptables -A INPUT -i eth0 -p tcp -s x.x.x.x -j DROP". To allow all SSH connection requests from outside, that is, to allow only packets entering the eth0 interface and destined to port 22, the corresponding firewall rule command is "iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT". The process of generating firewall rules by combining the security policy of the working node with the node list is precisely this specialization of the security policy configured by the administrator, converting the policy into a set of firewall rules.
Referring to fig. 3D, fig. 3D is an optional flowchart of the security management method for a cluster system according to the embodiment of the present invention, and the step 102 of generating the firewall rule of the sub-cluster according to the security policy of the node and the node list may be implemented by the following steps 1021-.
In step 1021, each worker node in each of the at least two sub-clusters obtains addresses and ports of other worker nodes from the node list of the sub-cluster to which the worker node belongs.
In step 1022, the worker node generates firewall rules for the sub-cluster that allows communication with the node through the address and port.
In some embodiments, the working node obtains addresses and ports of other working nodes from the node list of the sub-cluster, and the working node generates a firewall rule that allows the working node to communicate with the nodes through the addresses and the ports, where the firewall rule is a specific instruction for implementing a security policy that specifies that the working node is allowed to communicate with other nodes based on the set addresses and ports.
In step 1023, each worker node within each of the at least two sub-clusters loads the locally configured security policy for the worker node.
In step 1024, each worker node within each of the at least two sub-clusters obtains the protocol and port that the sub-cluster opens to the external sub-cluster from the security policy to generate firewall rules for the sub-cluster that allow the external sub-cluster to communicate with the worker node via the protocol and port.
In some embodiments, the working nodes in the sub-clusters load the locally configured security policies of the working nodes, where the locally configured security policies are pre-configured security policies, and when receiving corresponding instructions through the command line interface management component, the security policies may be updated, where the security policies may specify open ports and communication protocols for the nodes in each sub-cluster to communicate with the nodes in the cluster or with external sub-cluster nodes, and besides the open ports and the communication protocols, the allowed time of communication and the like may be defined, that is, the nodes are allowed to be accessed in a preset time period and the nodes are not allowed to be accessed in other time periods, or the security policies may define the frequency of communication of the nodes, that is, the nodes are not allowed to be accessed when the frequency of communication exceeds a preset frequency and the like.
In some embodiments, the working node obtains from the security policy the protocol and port that its sub-cluster opens to external sub-clusters, and generates a firewall rule allowing communication with the node through that protocol and port. The security policy defines the open ports and communication protocols for the node to communicate with nodes in its own cluster or with nodes in external sub-clusters, but it is an abstract pre-configured policy for a specific physical machine node; to achieve in the cluster system the security effect desired by the policy, the policy must be implemented by specific firewall rules, which are hard to master and which most people cannot deploy in person. The security management method of the cluster system provided by the embodiments of the present invention therefore generates the firewall rules for the corresponding node automatically, combining the node list with the locally configured security policy of the node. For example, if the security policy is "block the specified network protocol address (IP, Internet Protocol)", that is, "discard packets from IP address x.x.x.x", the firewall rule automatically generated by means of iptables, nftables and the Python language runtime environment is "iptables -A INPUT -s x.x.x.x -j DROP"; if the security policy is "block TCP packets from IP address x.x.x.x on eth0", the corresponding firewall rule is "iptables -A INPUT -i eth0 -p tcp -s x.x.x.x -j DROP".
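The rule generation of steps 1021 to 1024, as an added example that is not the patent's own code: a node list and a locally configured security policy are turned into an ordered iptables rule set for one working node. The `Node` and `SecurityPolicy` layouts, the interface name `eth0`, and the choice of TCP for intra-cluster traffic are assumptions; the sample sub-cluster is constructed.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class Node:
    """One entry of the node list returned by the management node (assumed fields)."""
    name: str
    address: str  # network protocol address reported in step 1011
    port: int     # service port this node listens on inside the sub-cluster


@dataclass
class SecurityPolicy:
    """Locally configured security policy of a working node (assumed layout)."""
    external_open: List[Tuple[str, int]] = field(default_factory=list)  # (protocol, port)
    iface: str = "eth0"  # interface facing the other sub-clusters (assumption)


def default_policy_rules() -> List[str]:
    """Default deny: the chain policies the description sets to DROP."""
    return [
        "iptables -P INPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -P OUTPUT DROP",
    ]


def baseline_rules() -> List[str]:
    """Loopback and replies to already accepted flows; without these a DROP
    policy on OUTPUT would also cut the node's own responses."""
    return [
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A OUTPUT -o lo -j ACCEPT",
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]


def intra_cluster_rules(self_node: Node, node_list: List[Node]) -> List[str]:
    """Steps 1021-1022: whitelist every other node in the list by address, so a
    peer may open this node's port and this node may reach the peer's port."""
    rules = []
    for peer in node_list:
        if peer.address == self_node.address:
            continue  # the list also contains our own entry; skip it
        rules.append(
            f"iptables -A INPUT -p tcp -s {peer.address} -d {self_node.address} "
            f"--dport {self_node.port} -m state --state NEW -j ACCEPT"
        )
        rules.append(
            f"iptables -A OUTPUT -p tcp -d {peer.address} --dport {peer.port} "
            f"-m state --state NEW -j ACCEPT"
        )
    return rules


def external_rules(policy: SecurityPolicy) -> List[str]:
    """Steps 1023-1024: only the protocol/port pairs the policy opens to
    external sub-clusters are accepted; all other cross-cluster traffic falls
    through to the INPUT DROP policy."""
    return [
        f"iptables -A INPUT -i {policy.iface} -p {proto} --dport {port} "
        f"-m state --state NEW,ESTABLISHED -j ACCEPT"
        for proto, port in policy.external_open
    ]


def generate_firewall_rules(self_node: Node, node_list: List[Node],
                            policy: SecurityPolicy) -> List[str]:
    """Full rule set for one working node, in the order it must be applied."""
    return (default_policy_rules() + baseline_rules()
            + intra_cluster_rules(self_node, node_list)
            + external_rules(policy))


if __name__ == "__main__":
    # Constructed sample: a three-node WEB server sub-cluster, the first node
    # generating its own rules; the sub-cluster opens HTTP and HTTPS outward.
    web = [Node("web-1", "10.0.1.11", 8080),
           Node("web-2", "10.0.1.12", 8080),
           Node("web-3", "10.0.1.13", 8080)]
    policy = SecurityPolicy(external_open=[("tcp", 80), ("tcp", 443)])
    print("\n".join(generate_firewall_rules(web[0], web, policy)))
```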
In some embodiments, before the firewall rules of the sub-clusters are generated according to the security policies of the nodes and the node list, the following technical scheme may be further implemented, where each worker node in each of at least two sub-clusters determines a hash value of a current firewall rule, and compares the hash value with a hash value pre-stored last time of the worker node; and when the comparison is consistent, determining that the current firewall rule of the working node passes the verification, and determining that the firewall rule of the sub-cluster is generated according to the security policy of the working node and the node list so as to apply the generated firewall rule.
In some embodiments, the firewall rules are not generated from nothing: in most scenarios a version of the firewall rules has already been generated for a working node. For example, if the version of the firewall rules currently applied by working node A is version 2.0, then version 3.0 may be generated on the basis of the existing version 2.0 to implement the security policy combined with the node list. To ensure that version 3.0 is correct, the currently applied version 2.0 must be checked, namely checked for not having been tampered with between its generation and the present. This is a hash check: the hash value of version 2.0 that was pre-stored when version 2.0 was generated is queried, the hash value of the currently applied version 2.0 is calculated, and if the two are identical, the currently applied version 2.0 is identical to the previously generated version 2.0 and has not been tampered with; version 3.0 generated on the basis of it is then correct, and it is determined that the node can apply the generated firewall rules.
Referring to fig. 3E, fig. 3E is an optional flowchart of the security control method of the cluster system according to the embodiment of the present invention, in which the following steps 108 to 110 may also be executed. Where steps 108-110 are executed within the overall technical scheme is not limited here, but the execution order from step 108 to step 110 is fixed.
In step 108, each worker node in each of the at least two sub-clusters sends a node cycle detection request to the management node of the corresponding sub-cluster.
Here, the working node sends a node cycle detection request to the management node of the sub-cluster to which the working node belongs, so that the management node returns the acquired node list information to the working node sending the cycle detection request, so that the working node can acquire the node change information of the sub-cluster to which the working node belongs.
In step 109, the worker node obtains node change information of the sub-cluster to which the worker node belongs; wherein the node change information includes at least one of: information of new working nodes joining the sub-cluster; information of the worker node that exited the sub-cluster.
The working node acquires the node change information of the sub-cluster to which it belongs. The change information is of two types, information of new working nodes that joined the sub-cluster and information of working nodes that exited the sub-cluster, and "at least one of" means that the working node may acquire either the information of the newly joined working nodes, or the information of the exited working nodes, or both.
In step 110, the worker node updates the firewall rules based on the node change information.
In some embodiments, updating the firewall rules based on the node change information can be achieved by the following technical scheme that when the node change information represents that a new working node is added, the information of the new working node is updated to the firewall rules; and when the node change information indicates that the quitted working node exists, removing the information of the quitted working node from the firewall rule.
In some embodiments, when the node change information indicates that there is a new working node joining, the information of the new working node is updated into the firewall rule, where the working nodes in the sub-cluster update the information of the new working node into the firewall rule, for example, the new working node is taken as a node capable of opening communication permissions, and a corresponding firewall rule is generated for updating, and when the node change information indicates that there is a working node exiting, the information of the working node exiting is removed from the firewall rule, for example, the working node exiting is removed from a list of nodes capable of opening communication permissions.
In some embodiments, the following technical solution may be further implemented, where each worker node in each of the at least two sub-clusters periodically checks the applied firewall rule; and when the applied firewall rule is detected to be inconsistent with the firewall rule generated last time, regenerating a new firewall rule of the sub-cluster so as to update the applied firewall rule.
The comparison target is the firewall rule generated each time, which after generation is kept in non-volatile storage rather than in random access memory, or stored in a blockchain network that is not easy to tamper with, so that it can serve as the reference when the cycle detection is performed. The period may be a completely fixed time interval or a frequency interval, that is, whenever a certain number of accesses (an access volume threshold) has been counted in a sub-cluster, the working nodes in the sub-cluster perform the cycle detection.
In some embodiments, the new firewall rules of the sub-clusters are regenerated by a technical solution that each working node in each of at least two sub-clusters obtains a new node list from a management node of the sub-cluster to which the working node belongs; acquiring addresses and ports of other working nodes in the sub-cluster from the new node list to generate a firewall rule of the sub-cluster allowing the other working nodes to communicate with the working nodes through the addresses and the ports; each worker node within each of the at least two sub-clusters obtains from the security policy the protocols and ports opened by the sub-cluster to the external sub-cluster to generate firewall rules for the sub-cluster that allow the external sub-cluster to communicate with the worker node via the protocols and ports.
In some embodiments, the embodiment of regenerating a new firewall rule is similar to the embodiment of generating a firewall rule described in step 1021-.
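The version check, the node change update and the periodic cycle detection described above, as one added example that is not the patent's own code: each generated rule version is stored with its SHA-256 digest, the applied version is verified against that digest before the next version is derived (the version 2.0 to 3.0 check), join/exit changes from the management node are folded into the node list, and a drifted rule set is regenerated from the latest node list. The `simple_rules` generator is a small stand-in for the full generator, and all class and function names are assumptions.

```python
import hashlib
from typing import Callable, Dict, List, Optional


def rule_digest(rules: List[str]) -> str:
    """Canonical hash of a rule set: one rule per line, order preserved."""
    return hashlib.sha256("\n".join(rules).encode()).hexdigest()


def simple_rules(node_list: Dict[str, str]) -> List[str]:
    """Stand-in generator: node name -> address, one whitelist entry per peer
    on top of a default-deny INPUT policy (sorted so output is deterministic)."""
    return ["iptables -P INPUT DROP"] + [
        f"iptables -A INPUT -s {addr} -j ACCEPT"
        for _, addr in sorted(node_list.items())
    ]


class RuleVersionStore:
    """Non-volatile record of every generated version and its digest. The
    description suggests disk or a blockchain for this; a dict stands in here."""

    def __init__(self, generate: Callable[[Dict[str, str]], List[str]]):
        self.generate = generate
        self.versions: Dict[int, List[str]] = {}
        self.digests: Dict[int, str] = {}
        self.current = 0
        self.applied: List[str] = []  # the rule set the node currently runs

    def _store(self, rules: List[str]) -> int:
        """Record a new version, its digest, and apply it."""
        self.current += 1
        self.versions[self.current] = list(rules)
        self.digests[self.current] = rule_digest(rules)
        self.applied = list(rules)
        return self.current

    def verify_applied(self) -> bool:
        """Hash check: the applied rules must match the digest stored when the
        current version was generated; any local edit breaks the match."""
        if self.current == 0:
            return True  # nothing generated yet, nothing to verify
        return rule_digest(self.applied) == self.digests[self.current]

    def generate_next(self, node_list: Dict[str, str]) -> Optional[int]:
        """Derive the next version only if the applied version verifies;
        returns the new version number, or None when verification fails."""
        if not self.verify_applied():
            return None
        return self._store(self.generate(node_list))

    def periodic_check(self, node_list: Dict[str, str]) -> bool:
        """Cycle detection: when the applied rules differ from the last
        generated ones, regenerate from the latest node list and re-apply.
        Returns True when a regeneration happened."""
        if self.verify_applied():
            return False
        self._store(self.generate(node_list))
        return True


def apply_node_change(node_list: Dict[str, str],
                      joined: Optional[Dict[str, str]] = None,
                      exited: Optional[List[str]] = None) -> Dict[str, str]:
    """Node change information from the management node: add the joined
    working nodes, remove the exited ones, leave the rest untouched."""
    updated = dict(node_list)
    for name, addr in (joined or {}).items():
        updated[name] = addr
    for name in exited or []:
        updated.pop(name, None)
    return updated


if __name__ == "__main__":
    # Constructed walk-through: two nodes, one join, one exit, one local edit.
    store = RuleVersionStore(simple_rules)
    nodes = {"web-1": "10.0.1.11", "web-2": "10.0.1.12"}
    print("version", store.generate_next(nodes))
    nodes = apply_node_change(nodes, joined={"web-3": "10.0.1.13"}, exited=["web-2"])
    print("version", store.generate_next(nodes))
    store.applied.append("iptables -A INPUT -s 203.0.113.9 -j ACCEPT")  # drift
    print("verified:", store.verify_applied(), "regenerated:", store.periodic_check(nodes))
```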
In step 103, the worker node applies the firewall rules to construct a firewall between the sub-cluster to which the worker node belongs and the external sub-cluster.
In some embodiments, constructing in step 103 the firewall between the sub-cluster to which the node belongs and the external sub-cluster may be implemented by the following technical solution: each working node in each of the at least two sub-clusters receives a network request from an external sub-cluster; when the protocol used by the network request is consistent with the protocol under which the firewall rule allows cross-cluster communication with the working node, and the destination port of the network request is consistent with the port under which the firewall rule allows cross-cluster communication with the working node, the network request is responded to and the corresponding network connection is established; and when the protocol used by the network request is inconsistent with the protocol under which the firewall rule allows cross-cluster communication with the working node, and/or the destination port of the network request is inconsistent with the port under which the firewall rule allows cross-cluster communication with the working node, the network request is rejected.
In some embodiments, each working node in each of the at least two sub-clusters receives a network request from an external sub-cluster, and since the received network request is originated from the external sub-cluster and is equivalent to communication between the sub-clusters, not only the protocol and port used by the network request but also the destination address are determined, when the protocol used by the network request of the external sub-cluster is consistent with the protocol allowed to be communicated with the working node in the firewall rule, and the destination port of the network request is consistent with the port allowed to be communicated with the working node across clusters in the firewall rule, the network request is received and is responded to establish a corresponding network connection, otherwise, the network request is rejected.
In step 104, the working node opens the interworking right between the working node and the working node in the node list.
In some embodiments, the step 104 of opening the interworking right between the working node and the node in the node list may be implemented by a technical solution that each working node in each of at least two sub-clusters receives a network request from the sub-cluster to which the working node belongs; when the destination address of the network request is consistent with the address used when cluster communication with the working node is allowed in the firewall rule, and the destination port of the network request is consistent with the port used when cluster communication with the working node is allowed in the firewall rule, responding to the network request to establish corresponding network connection; and rejecting the network request when the destination address of the network request is inconsistent with the address used when the cluster internal communication with the working node is allowed in the firewall rule and/or the destination port of the network request is inconsistent with the port used when the cluster internal communication with the working node is allowed in the firewall rule.
In some embodiments, each worker node in each of the at least two sub-clusters receives a network request from the sub-cluster to which the worker node belongs, and since the received network request is from the sub-cluster to which the worker node belongs, which is equivalent to communication in the sub-cluster, a protocol and a port used by the network request are determined, when a destination address of the network request is consistent with an address used when intra-cluster communication with the worker node is allowed in the firewall rule, and a destination port of the network request is consistent with a port used when intra-cluster communication with the worker node is allowed in the firewall rule, the worker node receiving the network request responds to the network request to establish a corresponding network connection, otherwise, the network request is rejected.
In the following, an exemplary application of the embodiments of the present invention in a practical application scenario will be described.
The invention provides a general security policy management model for cluster environments. It consists of a background service and a command line interface management tool, applies both to cloud clusters and to traditional non-cloud physical hardware and network architecture clusters, and can provide security management for a cluster architecture of any business scenario. By constructing a firewall (security boundary) between sub-clusters and opening service ports only as required, it minimizes the security risk inside the cluster when the cluster suffers a network penetration attack. Take a typical web service cluster as an example; see fig. 4, which is a system architecture diagram of the web service cluster structure provided by the embodiment of the invention. The cluster system consists of three functional sub-clusters (or another number of functional sub-clusters): a web server cluster (web servers 1 and 2), a database cluster and a static file storage cluster. The client interacts directly only with the web server cluster; the sub-clusters are connected through an internal network and serve the client indirectly. The client sends a network request to web server 1 in the web server cluster, and web server 1 may communicate with nodes in the static file storage cluster or in the database cluster to obtain the response corresponding to the request (communication between different sub-clusters) and return the response to the client. Alternatively, the client sends a network request to the web server cluster, and web server 1, which receives the request, communicates with other nodes in the web server cluster (communication within the same sub-cluster) to obtain the response and return it to the client.
The invention sets a security boundary for each of the three sub-clusters, so that: communication among nodes within a sub-cluster is unobstructed; communication among sub-clusters is opened in a white-list mode, and any unauthorized access is rejected by default; and when cluster nodes change, the firewall rules are updated automatically without manual configuration.
Referring to fig. 5, which is a deployment architecture diagram of a web service cluster system according to an embodiment of the present invention: the system builds on the existing cluster node devices, operating systems and software resources, imposes no architecture requirement on hardware such as the central processing unit, and depends only on the basic firewall rule management commands provided by the operating system, such as iptables and nftables, and on a Python runtime environment. The cluster system of this embodiment consists of three functional sub-clusters (or another number of functional sub-clusters): a web server cluster (web servers 1 and 2), a database cluster and a static file storage cluster. The background system used by the security management method of the cluster system is delivered as an independent software package made up of three components: the management component, which manages cluster node information; the working component, which manages the node-local software firewall rules; and the command line interface management component, through which node information and security policies are updated with a command line tool when they need maintenance (alternatively, the local configuration file is edited to complete the update). The management component can run on any node; in some embodiments at least two management component instances run in the cluster and jointly govern all nodes, and the working component runs on every node in the cluster.
Referring to fig. 6, which is a timing diagram of the security management and control method of the cluster system according to an embodiment of the present invention, the operation flow of the security policy management and control system is as follows, where management node 1 and management node 2 are management nodes in the same sub-cluster.
First, the management nodes and working nodes are initialized. The management component running on a management node is started; it is responsible for synchronizing node change information of the sub-cluster to the other management nodes, receiving synchronization information from the other management nodes, and receiving information reported by the working nodes that run the working component. Initializing a working node means starting the working component running on it, which then performs authentication with the management node: the working node authenticates to the management node with the account and password in its configuration file; if authentication passes, the working node is automatically added to the cluster topology governed by the management node, its information is reported to all management nodes, and the firewall environment and basic rules are initialized.
Then, the firewall rules are generated and take effect. After initialization, the working node randomly selects an available management node, keeps a long-lived connection with it, and obtains the complete node list of its sub-cluster from that management node. Since nodes within a sub-cluster intercommunicate by default, this list is the default intercommunication white list. At the same time the locally configured security policy is loaded, and the two are combined to automatically generate the corresponding firewall rules. Before the new rules are generated, the existing rules are checked: the hash value recorded for the previous version of the rules is looked up, the hash of the existing rules is computed, and when the two hash values match, the existing rules are determined to be the previous version and not to have been tampered with, so the next generated rules are correct and take effect automatically.
The data update process is as follows: the working node keeps reusing the long-lived connection to the management node, cyclically detects whether a new node has joined the sub-cluster or a node has left it, and when node information changes, pulls the changed part of the data and refreshes it into the local firewall rules.
A new node comes online as follows: when a new node joins the sub-cluster, the working node initialization, the firewall rule generation and validation, and the data update processing are completed as the working component starts on the new node; meanwhile the other nodes complete data update processing, so the corresponding firewall rules take effect automatically once the new node has joined the sub-cluster. A node goes offline as follows: when a working node is to go offline, the management interface of a management node is connected (for example through the command line tool) and an offline notification for the designated node is sent; all working nodes then execute data update processing, completing the normal offline process of the working node.
Rule checking proceeds as follows: the working node running the working component regularly checks whether the local firewall rules are consistent with the target rules, and when the rule content is inconsistent, for example because of human misoperation or malicious damage, it automatically executes the initialization and the firewall rule generation and validation processing again to reinitialize the rules.
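The operation flow above (node-list white list combined with the local security policy, hash check before regeneration, data update on node join and exit, periodic rule check) together with the intra-cluster and cross-cluster accept/reject decision described earlier, modelled as an added Python example that is not the patent's own code. The node addresses, service ports and abstract rule tuples are constructed, and rules are rendered as nftables-style text for inspection rather than applied to a host.

```python
"""Added example (not the patent's code): the per-working-node workflow
of the security policy management system, modelled in Python, the runtime
the patent names. Addresses, ports and rule tuples are constructed;
nothing is applied to a real host."""
import hashlib
import json
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    kind: str    # "intra": from the node list; "cross": from the security policy
    proto: str
    src: str     # peer address for intra rules, "any" for cross-cluster rules
    dport: int


def rule_hash(rules):
    """Stable digest of a rule set, stored after each generation and
    compared before the next one (the tamper check)."""
    canon = sorted((r.kind, r.proto, r.src, r.dport) for r in rules)
    return hashlib.sha256(json.dumps(canon).encode()).hexdigest()


@dataclass
class WorkerNode:
    addr: str
    policy: dict                      # constructed: {"open": [("tcp", 80)]}
    node_list: dict = field(default_factory=dict)   # addr -> {"proto", "port"}
    rules: frozenset = frozenset()
    last_hash: str = ""

    def generate(self, node_list):
        """Generate rules: node list -> intra-cluster white list, security
        policy -> ports opened to external sub-clusters. Refuses when the
        currently applied rules no longer hash to the stored value."""
        if self.last_hash and rule_hash(self.rules) != self.last_hash:
            return False
        self.node_list = dict(node_list)
        rules = set()
        for peer, svc in self.node_list.items():
            if peer != self.addr:   # every other working node of the sub-cluster
                rules.add(Rule("intra", svc["proto"], peer, svc["port"]))
        for proto, port in self.policy.get("open", []):
            rules.add(Rule("cross", proto, "any", port))
        self.rules = frozenset(rules)
        self.last_hash = rule_hash(self.rules)
        return True

    def apply_change(self, joined=None, exited=None):
        """Data update: fold node join/exit information pulled from the
        management node into the node list and regenerate."""
        nl = dict(self.node_list)
        nl.update(joined or {})
        for addr in exited or []:
            nl.pop(addr, None)
        return self.generate(nl)

    def check_and_repair(self, applied):
        """Periodic rule check: if the rules found on the host differ from
        the last generated set (misoperation or tampering), reinitialize
        and rebuild from the node list and policy. Returns True on repair."""
        if rule_hash(applied) == self.last_hash:
            return False
        self.rules, self.last_hash = frozenset(), ""   # reinitialize
        return self.generate(self.node_list)

    def accept(self, src, proto, dport, same_cluster):
        """Default deny. Intra-cluster requests must match the address and
        port of a node-list rule (the peer address is matched as the source
        on the receiving node); requests from an external sub-cluster must
        match the protocol and port of a policy rule."""
        for r in self.rules:
            if same_cluster and r.kind == "intra":
                if r.src == src and r.dport == dport:
                    return True
            elif not same_cluster and r.kind == "cross":
                if r.proto == proto and r.dport == dport:
                    return True
        return False

    def render(self):
        """Render the rule set as nftables-style lines for inspection."""
        lines = ["policy drop"]
        for r in sorted(self.rules, key=lambda r: (r.kind, r.src, r.dport)):
            src = "" if r.src == "any" else f"ip saddr {r.src} "
            lines.append(f"{src}{r.proto} dport {r.dport} accept")
        return lines


if __name__ == "__main__":
    # constructed sub-cluster: two database nodes, port 5432 reachable only
    # from peers in the node list, port 80 opened to external sub-clusters
    db = WorkerNode("10.0.1.2", {"open": [("tcp", 80)]})
    db.generate({"10.0.1.2": {"proto": "tcp", "port": 5432},
                 "10.0.1.3": {"proto": "tcp", "port": 5432}})
    print("\n".join(db.render()))
```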
Referring to table 1, which gives an example of the service information configuration and the security policy configuration in the security management and control method of the cluster system provided by the embodiment of the present invention.
Table 1 service information configuration example and security policy configuration example
As shown in the table above, the cluster types include a client cluster, a database sub-cluster and a web server sub-cluster. The node type in the client cluster is a web client, the node type in the database sub-cluster is a distributed file system, and the node type in the web server sub-cluster is a server. Each sub-cluster has a communication protocol and a port number configured in advance, and an access right set in advance, namely whether its nodes can be accessed by nodes of an external sub-cluster. The usage flow of the security policy control system is as follows.
Planning and installation: in a high-availability environment at least two management nodes must be planned; if there is no high-availability requirement, a single management node suffices. The management and control system software package is installed on all nodes of the service cluster.
Configuration: all management nodes configure management information and authentication information through the component configuration file; all working nodes configure a service information file and a security policy information file as required, and no firewall rules need to be configured (the service information configuration follows the example in table 1).
Starting: the management component and the working component are started.
Service information and security policy maintenance: when the service information or the security policy needs to be updated, the update is completed through the command line tool or by editing the local configuration file.
Compared with the related art, the security management and control method of the cluster system provided by the embodiment of the invention combines the software firewall tool built into the operating system with the service attributes of the cluster system, and has the following advantages:
1. The learning threshold is greatly reduced: a user only needs general basic network knowledge such as network services, network ports and protocol types to build the security policy quickly, and does not need professional firewall configuration and management skills; at the same time, the fool-proof design of the security policy management and control system effectively prevents rule errors, rule failures and similar problems caused by manual misoperation.
2. The security policy management and control system can fully reuse the hardware resources of the existing service cluster without extra hardware construction cost, is compatible with traditional hardware environments and cloud environments, introduces no third-party dependency, relies only on capabilities provided by the operating system, and is therefore cheap to build.
3. The security policy management model is naturally adapted to the service attributes because it is deployed together with the service clusters; fine-grained control by service cluster can be achieved without excessive configuration, independent security barriers are built for different service clusters, and security threats are greatly reduced.
4. The security policy management and control system automatically builds firewall rules as the cluster scales dynamically; the user only needs to attend to adjustments of the cluster service and not to security policy management, so this adaptivity greatly reduces operation and maintenance cost.
The invention provides a security policy management method and system for the modern cluster architecture scenario, driven by actual production requirements, with wide practical significance and the following beneficial effects: the high-level standardized security policy management model simplifies firewall rule configuration, lowers the learning threshold, and improves deployment, implementation, operation and maintenance efficiency; a high-availability architecture is obtained from the naturally distributed character of the cluster scenario, and the deployment mode shared with the service cluster ensures production reliability without extra hardware cost; automatic firewall rule management lets the system expand and contract with the cluster, which reduces operation and maintenance cost and improves its quality; and security isolation in the service dimension, with clusters as the unit and inter-cluster communication opened only as required, greatly reduces the security risk and addresses security threats in actual production.
The invention provides a security policy management method and system that combine the software firewall technology of modern operating systems with cluster management technology; the abstracted general security policy management model has cluster-granularity security isolation capability. The security policy management method provided by the invention applies to cluster scenarios of different scales and different service types, and service security isolation of cluster scenarios of any scale and service type by the general security policy management method provided by the invention falls within the protection scope of the invention.
Continuing with the exemplary structure of the security control apparatus 255 of the cluster system provided by the present invention implemented as software modules: in some embodiments the cluster system includes at least two sub-clusters for supporting network applications, and as shown in fig. 2, the software modules of the security control apparatus 255 stored in the storage 250 may include: a node list obtaining module 2551, configured to obtain, for each node in each of the at least two sub-clusters, the node list of the sub-cluster to which the node belongs; a firewall rule generating module 2552, configured to generate the firewall rules of the sub-cluster according to the security policy of the node and the node list; and a firewall rule application module 2553, configured to apply the firewall rules so as to construct a firewall between the sub-cluster to which the node belongs and external sub-clusters, and to open communication permission between the node and the nodes in the node list.
In some embodiments, the types of nodes within each of the at least two sub-clusters include a management node and a worker node; the node list acquiring module 2551 is configured to send information of a working node to a management node in the at least two sub-clusters, so that the management node generates a node list according to the information of each working node in the sub-clusters; and each working node in each sub-cluster of the at least two sub-clusters sends a node list request to the management node in the sub-cluster to which the working node belongs, and receives the node list of the sub-cluster to which the working node belongs, which is returned by the management node.
In some embodiments, the firewall rule generation module 2552 is further configured to: each working node in each of the at least two sub-clusters acquires the address and the port of other working nodes from the node list of the sub-cluster to which the working node belongs so as to generate a firewall rule of the sub-cluster allowing the other working nodes to communicate with the node through the address and the port; the other working nodes are any working nodes except the working node in the sub-cluster to which the node belongs; each worker node within each of the at least two sub-clusters obtains from the security policy the protocols and ports opened by the sub-cluster to the external sub-cluster to generate firewall rules for the sub-cluster that allow the external sub-cluster to communicate with the worker node via the protocols and ports.
In some embodiments, the firewall rule generation module 2552 is further configured to: before the firewall rules of the sub-clusters are generated according to the security policies of the nodes and the node lists, determining the hash value of the current firewall rule by each working node in each of at least two sub-clusters, and comparing the hash value with the hash value pre-stored last time of the working node; and when the comparison is consistent, determining that the current firewall rule of the working node passes the verification, and determining that the firewall rule of the sub-cluster is generated according to the security policy of the working node and the node list so as to apply the generated firewall rule.
In some embodiments, the node list obtaining module 2551 is further configured to: before each node in each sub-cluster of at least two sub-clusters acquires a node list of the sub-cluster to which the node belongs, each management node of each sub-cluster of at least two sub-clusters sends node change information of the managed sub-cluster to other management nodes of the managed sub-cluster so as to enable other management nodes of the managed sub-cluster to synchronize the stored node list, and receives node change information sent by other management nodes of the managed sub-cluster so as to synchronize the stored node list; the node change information comprises node joining information and node exiting information.
In some embodiments, the node list obtaining module 2551 is further configured to: before each node in each sub-cluster of the at least two sub-clusters acquires the node list of the sub-cluster to which the node belongs, each management node of each sub-cluster of the at least two sub-clusters performs the following initialization processing on a new working node which requests to join: carrying out authentication based on account information and password information on the new working node; and when the authentication is passed, adding the new working node into the sub-cluster governed by the management node.
In some embodiments, the security control apparatus 255 of the cluster system further includes a cycle detection module 2554, configured so that each working node in each of the at least two sub-clusters sends a node cycle detection request to a management node of the sub-cluster to which it belongs, in order to obtain node change information of that sub-cluster; the node change information includes at least one of: information on new working nodes joining the sub-cluster; information on working nodes exiting the sub-cluster. The firewall rules are updated based on the node change information.
In some embodiments, the cycle detection module 2554 is further configured to: when the node change information indicates that a new working node has joined, update the information of the new working node into the firewall rules; and when the node change information indicates that a working node has exited, remove the information of the exited working node from the firewall rules.
In some embodiments, the cycle detection module 2554 is further configured to: each working node in each of the at least two sub-clusters periodically checks the applied firewall rules; and when the applied firewall rules are detected to be inconsistent with the firewall rules generated last time, new firewall rules of the sub-cluster are regenerated so as to update the applied firewall rules.
In some embodiments, the cycle detection module 2554 is further configured to: each working node in each of the at least two sub-clusters obtains a new node list from a management node of the sub-cluster to which it belongs; the addresses and ports of the other working nodes in the sub-cluster are obtained from the new node list to generate firewall rules of the sub-cluster allowing the other working nodes to communicate with the working node through those addresses and ports, where the other working nodes are any working nodes of the sub-cluster other than the working node itself; and each working node in each of the at least two sub-clusters obtains from the security policy the protocols and ports that the sub-cluster opens to external sub-clusters, to generate firewall rules of the sub-cluster allowing the external sub-clusters to communicate with the working node via those protocols and ports.
In some embodiments, the firewall rule application module 2553 is further configured to: each working node in each of the at least two sub-clusters receives a network request from an external sub-cluster; when the protocol used by the request matches the protocol for which the firewall rule allows cross-cluster communication with the working node, and the destination port of the request matches the port for which the firewall rule allows cross-cluster communication with the working node, the working node responds to the request and establishes the corresponding network connection; and when the protocol used by the request does not match the protocol for which the firewall rule allows cross-cluster communication with the working node, and/or the destination port of the request does not match the port for which the firewall rule allows cross-cluster communication with the working node, the request is rejected.
In some embodiments, the firewall rule application module 2553 is further configured to: each working node in each of the at least two sub-clusters receives a network request from the sub-cluster to which it belongs; when the destination address of the request matches the address for which the firewall rule allows intra-cluster communication with the working node, and the destination port of the request matches the port for which the firewall rule allows intra-cluster communication with the working node, the working node responds to the request and establishes the corresponding network connection; and when the destination address of the request does not match the address for which the firewall rule allows intra-cluster communication with the working node, and/or the destination port of the request does not match the port for which the firewall rule allows intra-cluster communication with the working node, the request is rejected.
Embodiments of the present invention provide a storage medium storing executable instructions which, when executed by a processor, cause the processor to execute a method provided by embodiments of the present invention, for example the security control method of a cluster system shown in figs. 3A to 3E.
In some embodiments, the storage medium may be memory such as FRAM, ROM, PROM, EPROM, EEPROM, flash memory, magnetic surface memory, optical disk, or CD-ROM; or may be various devices including one or any combination of the above memories.
In some embodiments, executable instructions may be written in any form of programming language (including compiled or interpreted languages), in the form of programs, software modules, scripts or code, and may be deployed in any form, including as a stand-alone program or as a module, component, subroutine, or other unit suitable for use in a computing environment.
By way of example, executable instructions may correspond, but do not necessarily have to correspond, to files in a file system, and may be stored in a portion of a file that holds other programs or data, such as in one or more scripts in a hypertext Markup Language (HTML) document, in a single file dedicated to the program in question, or in multiple coordinated files (e.g., files that store one or more modules, sub-programs, or portions of code).
By way of example, executable instructions may be deployed to be executed on one computing device or on multiple computing devices at one site or distributed across multiple sites and interconnected by a communication network.
In summary, according to the embodiments of the present invention, a firewall is set for each of the sub-clusters in a cluster network: communication between nodes within a sub-cluster is unobstructed, communication between sub-clusters passes through the firewalls, and when cluster nodes change, the firewall rules are updated automatically without manual configuration.
The above description is only an example of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, and improvement made within the spirit and scope of the present invention are included in the protection scope of the present invention.
Claims (13)
1. A security control method of a cluster system, wherein
the cluster system comprises at least two sub-clusters for supporting network applications;
the security control method comprises the following steps:
each working node in each of the at least two sub-clusters obtains a node list of the sub-cluster to which the working node belongs, and
determining a hash value of a current firewall rule, and comparing the hash value with a hash value prestored last time by the working node;
when the comparison is consistent, determining that the current firewall rule of the working node passes the verification, and generating the firewall rules of the sub-cluster according to the security policy of the working node and the node list, wherein the firewall rules comprise firewall rules allowing other nodes to communicate with the working node and firewall rules allowing external sub-clusters to communicate with the working node;
applying the firewall rules to construct firewalls between the sub-cluster to which the working node belongs and an external sub-cluster, the firewalls opening intercommunication between the sub-cluster to which the working node belongs and the external sub-cluster based on a white list mode, and
opening an intercommunication authority between the working node and the nodes in the node list, wherein the intercommunication authority is realized based on the firewall rules allowing other nodes to communicate with the working node;
the working node sends a node cycle detection request to a management node of the sub-cluster to which the working node belongs so as to obtain node change information of the sub-cluster to which the working node belongs;
updating the firewall rules based on the node change information, wherein the node change information includes at least one of: information of new working nodes joining the sub-cluster; information of a worker node exiting the sub-cluster.
2. The method of claim 1, wherein
each working node in each of the at least two sub-clusters obtaining a node list of the sub-cluster to which the working node belongs comprises the following steps:
each working node in each sub-cluster of the at least two sub-clusters sends the information of the working node to a management node in the sub-cluster to which the working node belongs, so that the management node generates a node list according to the information of each working node in the sub-cluster to which the management node belongs;
and each working node in each sub-cluster of the at least two sub-clusters sends a node list request to a management node in the sub-cluster to which the working node belongs, and receives a node list of the sub-cluster to which the working node belongs, which is returned by the management node.
3. The method of claim 1, wherein
the generating the firewall rules of the sub-cluster according to the security policy of the working node and the node list comprises:
each working node in each of the at least two sub-clusters acquires addresses and ports of other working nodes from a node list of the sub-cluster to which the working node belongs, so as to generate firewall rules of the sub-clusters allowing the other working nodes to communicate with the working node through the addresses and the ports;
wherein the other working nodes are any working nodes except the working node in the sub-cluster to which the working node belongs;
each worker node within each of the at least two sub-clusters obtains from the security policy a protocol and port opened by the sub-cluster to an external sub-cluster to generate firewall rules for the sub-cluster that allow the external sub-cluster to communicate with the worker node via the protocol and port.
4. The method of claim 1, wherein
before each working node in each sub-cluster of the at least two sub-clusters obtains a node list of the sub-cluster to which the working node belongs, the security control method further includes:
each management node of each sub-cluster of the at least two sub-clusters sends node change information of the managed sub-cluster to other management nodes of the managed sub-cluster so as to enable other management nodes of the managed sub-cluster to synchronize the stored node list, and
and receiving node change information sent by other management nodes of the administered sub-cluster so as to synchronize the stored node list.
5. The method of claim 1, wherein
before each working node in each sub-cluster of the at least two sub-clusters obtains a node list of the sub-cluster to which the working node belongs, the security control method further includes:
each management node of each of the at least two sub-clusters performs the following initialization processing for the new working node requesting to join:
carrying out authentication based on account information and password information on the new working node;
and when the authentication is passed, adding the new working node into the sub-cluster governed by the management node.
6. The method of claim 1, wherein updating the firewall rules based on the node change information comprises:
when the node change information represents that a new working node is added, updating the information of the new working node into the firewall rule;
and when the node change information represents that the quitted working node exists, removing the information of the quitted working node from the firewall rule.
7. The method of claim 1, wherein the security control method further comprises:
each worker node within each of the at least two sub-clusters periodically checks the applied firewall rules;
and when the applied firewall rule is detected to be inconsistent with the firewall rule generated last time, regenerating the new firewall rule of the sub-cluster so as to update the applied firewall rule.
8. The method of claim 7, wherein regenerating the new firewall rules for the sub-cluster comprises:
each working node in each of the at least two sub-clusters obtaining a new node list from the management node of the sub-cluster to which it belongs;
acquiring the addresses and ports of the other working nodes in the sub-cluster from the new node list, and generating firewall rules of the sub-cluster that allow the other working nodes to communicate with the working node through those addresses and ports,
wherein the other working nodes are any working nodes in the sub-cluster other than the working node itself;
and each working node in each of the at least two sub-clusters obtaining, from the security policy, the protocol and port that the sub-cluster opens to an external sub-cluster, and generating firewall rules of the sub-cluster that allow the external sub-cluster to communicate with the working nodes in the sub-cluster via that protocol and port.
9. The method according to any one of claims 1 to 8, wherein constructing the firewall between the sub-cluster to which the working node belongs and the external sub-cluster comprises:
each working node in each of the at least two sub-clusters receiving a network request from an external sub-cluster;
when the protocol used by the network request is consistent with the protocol under which the firewall rules allow cross-cluster communication with the working node, and the destination port of the network request is consistent with the port under which the firewall rules allow cross-cluster communication with the working node, responding to the network request so as to establish the corresponding network connection;
and when the protocol used by the network request is inconsistent with the protocol under which the firewall rules allow cross-cluster communication with the working node, and/or the destination port of the network request is inconsistent with the port under which the firewall rules allow cross-cluster communication with the working node, rejecting the network request.
10. The method according to any one of claims 1 to 8, wherein opening the interworking right between the working node and the nodes in the node list comprises:
each working node in each of the at least two sub-clusters receiving a network request from the sub-cluster to which it belongs;
when the destination address of the network request is consistent with the address under which the firewall rules allow intra-cluster communication with the working node, and the destination port of the network request is consistent with the port under which the firewall rules allow intra-cluster communication with the working node, responding to the network request so as to establish the corresponding network connection;
and when the destination address of the network request is inconsistent with the address under which the firewall rules allow intra-cluster communication with the working node, and/or the destination port of the network request is inconsistent with the port under which the firewall rules allow intra-cluster communication with the working node, rejecting the network request.
11. A security management and control apparatus of a cluster system, wherein the cluster system comprises at least two sub-clusters for supporting network applications, the apparatus comprising:
a node list obtaining module, configured to obtain, for each working node in each of the at least two sub-clusters, a node list of the sub-cluster to which the working node belongs;
a firewall rule generating module, configured to determine the hash value of the current firewall rules, compare it with the hash value last stored in the working node, determine that the current firewall rules of the working node pass verification when the two hash values are consistent, and generate the firewall rules of the sub-cluster according to the security policy of the working node and the node list, wherein the firewall rules comprise firewall rules allowing other nodes to communicate with the working node and firewall rules allowing external sub-clusters to communicate with the working node;
a firewall rule application module, configured to apply the firewall rules to construct a firewall between the sub-cluster to which the working node belongs and an external sub-cluster, wherein the firewall opens mutual communication between the sub-cluster to which the working node belongs and the external sub-cluster in a white-list mode, and opens an interworking right between the working node and the nodes in the node list, the interworking right being implemented based on the firewall rules that allow other nodes to communicate with the working node;
a cyclic detection module, configured to send a node cyclic detection request to the management node of the sub-cluster to which the working node belongs so as to acquire node change information of that sub-cluster;
the cyclic detection module being further configured to update the firewall rules based on the node change information, wherein the node change information comprises at least one of: information of a new working node joining the sub-cluster; and information of a working node exiting the sub-cluster.
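The following is an added simulation of the per-working-node workflow described in claims 6 to 11 (rule generation from the node list and security policy, white-list evaluation of intra-cluster and cross-cluster requests, incremental update on node change, and the hash check that detects drift between the applied rules and the last generated ones). It is example code written for this page, not the patent's implementation; all node names, addresses, ports, the SHA-256 digest, and the `fetch_node_list` callback standing in for the management node are constructed assumptions.

```python
"""Added example (not the patent's code): a small simulation of the per-working-node
firewall workflow in claims 6 to 11. All names, addresses and ports are constructed."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    name: str
    address: str
    port: int


@dataclass(frozen=True)
class FirewallRules:
    # white list of (address, port) pairs of peer working nodes in the same sub-cluster
    intra: frozenset
    # white list of (protocol, port) pairs the sub-cluster opens to external sub-clusters
    cross: frozenset

    def digest(self) -> str:
        """Canonical SHA-256 of the rule set (hash choice is an assumption)."""
        body = {"intra": sorted(self.intra), "cross": sorted(self.cross)}
        return hashlib.sha256(json.dumps(body).encode()).hexdigest()


def generate_rules(me: Node, node_list: list[Node], external_allow: set) -> FirewallRules:
    """Claim 8: intra rules from the node list (every node except me), cross rules from policy."""
    intra = frozenset((n.address, n.port) for n in node_list if n != me)
    return FirewallRules(intra=intra, cross=frozenset(external_allow))


def allow_cross_cluster(rules: FirewallRules, protocol: str, dst_port: int) -> bool:
    """Claim 9: an external request passes only if protocol AND port are white-listed."""
    return (protocol, dst_port) in rules.cross


def allow_intra_cluster(rules: FirewallRules, address: str, dst_port: int) -> bool:
    """Claim 10: an intra-cluster request passes only if address AND port are white-listed."""
    return (address, dst_port) in rules.intra


def apply_node_change(rules: FirewallRules, joined=(), left=()) -> FirewallRules:
    """Claim 6: add joining nodes to, and remove exiting nodes from, the intra white list."""
    intra = set(rules.intra)
    intra |= {(n.address, n.port) for n in joined}
    intra -= {(n.address, n.port) for n in left}
    return FirewallRules(intra=frozenset(intra), cross=rules.cross)


class WorkingNode:
    """Holds the applied rules plus the digest of the last generated rules (claims 7, 11)."""

    def __init__(self, me: Node, node_list: list[Node], external_allow: set):
        self.me = me
        self.external_allow = set(external_allow)
        self.applied = generate_rules(me, node_list, external_allow)
        self.last_digest = self.applied.digest()

    def rules_verified(self) -> bool:
        """Claim 11: rules pass verification when their hash equals the stored hash."""
        return self.applied.digest() == self.last_digest

    def on_node_change(self, joined=(), left=()) -> None:
        """Legitimate update path: rules and stored digest move together."""
        self.applied = apply_node_change(self.applied, joined, left)
        self.last_digest = self.applied.digest()

    def periodic_check(self, fetch_node_list) -> bool:
        """Claim 7: on drift, regenerate from a fresh node list (fetch_node_list is a
        hypothetical stand-in for the management node). Returns True if regenerated."""
        if self.rules_verified():
            return False
        self.applied = generate_rules(self.me, fetch_node_list(), self.external_allow)
        self.last_digest = self.applied.digest()
        return True


# Constructed sample sub-cluster of three working nodes and one external policy entry.
A = Node("a", "10.0.0.1", 8443)
B = Node("b", "10.0.0.2", 8443)
C = Node("c", "10.0.0.3", 8443)
EXTERNAL = {("tcp", 443)}


def demo() -> dict:
    node = WorkingNode(A, [A, B, C], EXTERNAL)
    out = {"b_ok": allow_intra_cluster(node.applied, B.address, B.port),
           "c_ok": allow_intra_cluster(node.applied, C.address, C.port),
           "stranger": allow_intra_cluster(node.applied, "10.0.0.9", 8443),
           "ext_ok": allow_cross_cluster(node.applied, "tcp", 443),
           "ext_udp": allow_cross_cluster(node.applied, "udp", 443)}
    node.on_node_change(left=[C])
    out["c_after_leave"] = allow_intra_cluster(node.applied, C.address, C.port)
    # Drift: applied rules altered outside the update path, stored digest untouched.
    node.applied = apply_node_change(node.applied, joined=[Node("x", "10.0.0.9", 8443)])
    out["drift_detected"] = not node.rules_verified()
    out["regenerated"] = node.periodic_check(lambda: [A, B])
    out["stranger_after_regen"] = allow_intra_cluster(node.applied, "10.0.0.9", 8443)
    return out
```

The digest is computed over a canonical (sorted) serialization so that two rule sets with the same entries always hash equally; the drift check only fires when the applied rules differ from what the node last generated, which is the condition claim 7 uses to trigger regeneration from a fresh node list.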
12. An electronic device, comprising:
a memory for storing executable instructions;
a processor, configured to execute the executable instructions stored in the memory so as to implement the security management and control method of the cluster system according to any one of claims 1 to 10.
13. A computer-readable storage medium having stored thereon executable instructions which, when executed, cause a processor to perform the security management and control method of the cluster system according to any one of claims 1 to 10.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010172282.9A CN111404924B (en) | 2020-03-12 | 2020-03-12 | Security management and control method, device, equipment and storage medium of cluster system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010172282.9A CN111404924B (en) | 2020-03-12 | 2020-03-12 | Security management and control method, device, equipment and storage medium of cluster system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111404924A CN111404924A (en) | 2020-07-10 |
CN111404924B true CN111404924B (en) | 2022-09-30 |
Family
ID=71428648
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010172282.9A Active CN111404924B (en) | 2020-03-12 | 2020-03-12 | Security management and control method, device, equipment and storage medium of cluster system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111404924B (en) |
Families Citing this family (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111817894B (en) * | 2020-07-13 | 2022-12-30 | 济南浪潮数据技术有限公司 | Cluster node configuration method and system and readable storage medium |
CN111935300B (en) * | 2020-08-19 | 2021-09-14 | 腾讯科技(深圳)有限公司 | Message processing method and device, computer equipment and storage medium |
US11716311B2 (en) * | 2020-11-24 | 2023-08-01 | Google Llc | Inferring firewall rules from network traffic |
CN112395334A (en) * | 2020-11-30 | 2021-02-23 | 浪潮云信息技术股份公司 | Method for dividing centerless distributed database cluster into a plurality of logic sub-clusters |
CN113852473A (en) * | 2021-08-20 | 2021-12-28 | 济南浪潮数据技术有限公司 | A cluster deployment method, device and storage medium |
CN113886515B (en) * | 2021-10-22 | 2025-07-11 | 济南浪潮数据技术有限公司 | A cluster node change processing method, device and equipment based on cluster version |
CN114143316B (en) * | 2021-11-30 | 2024-03-19 | 招商局金融科技有限公司 | Multi-tenant network communication method, device, container node and storage medium |
CN114513764B (en) * | 2021-12-06 | 2024-11-01 | 成都中星世通电子科技有限公司 | Multi-node data storage and interaction method |
CN114710491B (en) * | 2022-03-31 | 2024-04-26 | 深圳昂楷科技有限公司 | Protection method of database cluster, database firewall and medium |
CN115766289B (en) * | 2022-12-23 | 2024-10-25 | 河南大学 | Distributed network security method for virtual machine cluster |
CN116743511B (en) * | 2023-08-15 | 2023-11-03 | 中移(苏州)软件技术有限公司 | An authentication method, device, server and storage medium |
CN118368139B (en) * | 2024-06-13 | 2024-10-01 | 苏州元脑智能科技有限公司 | Group management method, product, equipment and storage medium |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103647797A (en) * | 2013-11-15 | 2014-03-19 | 北京邮电大学 | Distributed file system and data access method thereof |
CN105493445A (en) * | 2013-06-07 | 2016-04-13 | 国际商业机器公司 | Regional firewall clustering in a networked computing environment |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104468568A (en) * | 2014-12-05 | 2015-03-25 | 国云科技股份有限公司 | Virtual machine security isolation method |
US11895087B2 (en) * | 2018-08-21 | 2024-02-06 | International Business Machines Corporation | Adjusting firewall parameters based on node characteristics |
CN109218415B (en) * | 2018-08-28 | 2021-06-29 | 浪潮电子信息产业股份有限公司 | A method, node and storage medium for distributed node management |
CN109788037B (en) * | 2018-12-24 | 2022-03-11 | 北京旷视科技有限公司 | Cluster management method, device and system and computer storage medium |
- 2020-03-12: CN CN202010172282.9A (patent/CN111404924B/en), status Active
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105493445A (en) * | 2013-06-07 | 2016-04-13 | 国际商业机器公司 | Regional firewall clustering in a networked computing environment |
CN103647797A (en) * | 2013-11-15 | 2014-03-19 | 北京邮电大学 | Distributed file system and data access method thereof |
Also Published As
Publication number | Publication date |
---|---|
CN111404924A (en) | 2020-07-10 |
Similar Documents
Publication | Title |
---|---|
CN111404924B (en) | Security management and control method, device, equipment and storage medium of cluster system |
Sarmiento et al. | Decentralized SDN control plane for a distributed cloud-edge infrastructure: A survey |
US8713177B2 (en) | Remote management of networked systems using secure modular platform |
US20200382372A1 (en) | Distributed ledger for configuration synchronization across groups of network devices |
Yang et al. | Blockchain-based secure distributed control for software defined optical networking |
US9935848B2 (en) | System and method for supporting subnet manager (SM) level robust handling of unkown management key in an infiniband (IB) network |
CN112035215A (en) | Node autonomous method, system and device of node cluster and electronic equipment |
US11665023B2 (en) | Configuration validation of a device |
CN105429938B (en) | Resource allocation method and device |
CN115604120B (en) | A multi-cloud cluster resource sharing method, device, equipment and storage medium |
US12261744B2 (en) | Fabric availability and synchronization |
US10778510B2 (en) | Coordinated network configuration system |
CN115134141A (en) | Micro-service container cluster cross-network communication system and communication method thereof |
Van Hoye et al. | Logging mechanism for cross-organizational collaborations using Hyperledger Fabric |
US11792069B2 (en) | Processing instructions to configure a network device |
CN111935195B (en) | Distributed system management method, device, storage medium and distributed management system |
US20150127788A1 (en) | Centralized enterprise image upgrades for distributed campus networks |
CN113312059A (en) | Service processing system and method and cloud native system |
HK40031238B (en) | Security management and control method and apparatus for cluster system, device, and storage medium |
HK40031238A (en) | Security management and control method and apparatus for cluster system, device, and storage medium |
TWI773200B (en) | Provision and management system and method for container infrastructure service and computer readable medium |
US12210861B2 (en) | Decentralized software upgrade image distribution for network device upgrades |
CN116032924A (en) | Cross-chain interaction method and device, electronic equipment and storage medium |
Iwamoto et al. | Design of the configuration engines with ryu rest api in database-oriented sdn architecture |
KR100604593B1 (en) | Dynamic Reconfiguration of Cluster System by Sharing Configuration Information |
Legal Events
Code | Title | Description |
---|---|---|
PB01 | Publication | |
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
SE01 | Entry into force of request for substantive examination | |
REG | Reference to a national code | Ref country code: HK; Ref legal event code: DE; Ref document number: 40031238; Country of ref document: HK |
GR01 | Patent grant | |
GR01 | Patent grant | |