CN118590395A - A network management method, system, electronic device and storage medium for container - Google Patents
- Publication number: CN118590395A (application CN202410625775.1A)
- Authority: CN (China)
- Prior art keywords: container, network, bridge, network card, mobile network
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L41/0894: Policy-based network configuration management (under H04L41/08, Configuration management of networks or network elements; H04L41/00, Arrangements for maintenance, administration or management of data switching networks)
- H04L41/0895: Configuration of virtualised networks or elements, e.g. virtualised network function or OpenFlow elements (under H04L41/08)
- H04L41/122: Discovery or management of network topologies of virtualised topologies, e.g. software-defined networks [SDN] or network function virtualisation [NFV] (under H04L41/12, Discovery or management of network topologies)
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Description
Technical Field
The present application relates to the technical field of container management, and in particular to a network management method, system, electronic device and storage medium for a container.
Background Art
A container is a virtualization technology that runs on a host machine and is used for resource isolation. Multiple containers can run on one host; each container can access the local area network, and can access the Internet through a mobile network card or a WLAN (Wireless Local Area Network) card. In the related art, however, there is no network isolation between containers, and network resources cannot be allocated among them.
Therefore, how to set up network isolation for containers and improve the network management capability for containers is a technical problem that those skilled in the art currently need to solve.
Summary of the Invention
The purpose of the present application is to provide a network management method for a container, a network management system for a container, an electronic device and a storage medium, which can set up network isolation for containers and improve the network management capability for containers.
To solve the above technical problem, the present application provides a network management method for a container, the method comprising:
creating a network bridge on the host machine and performing network configuration on the bridge;
starting target containers on the host machine, wherein the target containers include a first container for implementing mobile network dial-up, a second container for implementing Android application interface interaction, and a third container for implementing instrument application interface interaction;
generating a corresponding container-side virtual network card in each target container, and generating in the bridge a corresponding bridge-side virtual network card for each container-side virtual network card;
using the first container to dial up and create multiple mobile network cards, and generating a policy routing table, wherein the policy routing table describes the mapping relationship between containers and mobile network cards;
routing the data packets transmitted by the target containers through the bridge to the corresponding mobile network cards according to the policy routing table.
Optionally, the method further includes:
adding a first firewall rule for the first container so that a first tag is added to data packets sent by the first container through its container-side virtual network card;
adding a second firewall rule for the second container so that a second tag is added to data packets sent by the second container through its container-side virtual network card;
correspondingly, using the first container to dial up and create multiple mobile network cards and generating the policy routing table includes:
using the first container to dial up and create a first mobile network card and a second mobile network card;
generating the policy routing table containing a first mapping relationship and a second mapping relationship, wherein the first mapping relationship maps the first tag to the first mobile network card, and the second mapping relationship maps the second tag to the second mobile network card.
Optionally, routing the data packets transmitted by the target containers through the bridge to the corresponding mobile network cards according to the policy routing table includes:
routing the data packets transmitted by the first container through the bridge to the first mobile network card according to the policy routing table;
routing the data packets transmitted by the second container through the bridge to the second mobile network card according to the policy routing table.
Optionally, the method further includes:
querying the network namespace of the WLAN physical network card;
adding the network namespace of the WLAN physical network card to the network namespace of the second container.
Optionally, the method further includes:
setting the default network type of the second container to Ethernet;
setting the DNS address of the container-side virtual network card corresponding to the second container according to a configuration file;
setting the default gateway of the second container to the IP address of the bridge.
Optionally, the method further includes:
setting the default gateway of the first container to the IP address of the bridge;
correspondingly, after using the first container to dial up and create multiple mobile network cards, the method further includes:
setting the DNS address used by the dial-up operation of the first container as the DNS address of the first container.
Optionally, creating a network bridge on the host machine and performing network configuration on the bridge includes:
using a network bridging tool to create the bridge on the host machine, and configuring a default IP address for the bridge according to a configuration file.
The present application also provides a network management system for a container, the system comprising:
a bridge creation module, configured to create a network bridge on the host machine and perform network configuration on the bridge;
a container startup module, configured to start target containers on the host machine, wherein the target containers include a first container for implementing mobile network dial-up, a second container for implementing Android application interface interaction, and a third container for implementing instrument application interface interaction;
a peer network establishment module, configured to generate a corresponding container-side virtual network card in each target container, and to generate in the bridge a corresponding bridge-side virtual network card for each container-side virtual network card;
a dial-up module, configured to use the first container to dial up and create multiple mobile network cards and to generate a policy routing table, wherein the policy routing table describes the mapping relationship between containers and mobile network cards;
a data routing module, configured to route the data packets transmitted by the target containers through the bridge to the corresponding mobile network cards according to the policy routing table.
The present application also provides a storage medium storing a computer program which, when executed, implements the steps of the above network management method for a container.
The present application also provides an electronic device including a memory and a processor, wherein the memory stores a computer program, and the processor, when calling the computer program in the memory, implements the steps of the above network management method for a container.
The present application creates a bridge on the host machine and performs network configuration on it; the bridge can forward data packets from different network interfaces, and the above network isolation mechanism allows each container to have an independent network namespace, avoiding network interference and conflicts between containers. After the target containers are started on the host machine, a corresponding container-side virtual network card can be generated in each target container, and a bridge-side virtual network card corresponding to each container-side virtual network card can be generated in the bridge; this arrangement of virtual network cards ensures that each container can access the network independently without interfering with the others. The present application also uses the first container to dial up and create multiple mobile network cards, generates a policy routing table, and routes the data packets transmitted by the target containers through the bridge to the corresponding mobile network cards according to that table. The present application can therefore set up network isolation for containers and improve the network management capability for containers. The present application also provides a network management system for a container, a storage medium and an electronic device, which have the same beneficial effects and are not described again here.
Brief Description of the Drawings
In order to explain the embodiments of the present application more clearly, the drawings required by the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
FIG. 1 is a flow chart of a network management method for a container provided by an embodiment of the present application;
FIG. 2 is a schematic diagram of the structure of the host user space in the related art;
FIG. 3 is a schematic diagram of the structure of a host user space provided by an embodiment of the present application;
FIG. 4 is a schematic diagram of the structure of a network management system for a container provided by an embodiment of the present application.
Detailed Description
To make the purpose, technical solution and advantages of the embodiments of the present application clearer, the technical solution in the embodiments is described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present application without creative effort fall within the scope of protection of the present application.
Please refer to FIG. 1, which is a flow chart of a network management method for a container provided by an embodiment of the present application.
The specific steps may include:
S101: creating a network bridge on the host machine and performing network configuration on the bridge;
This embodiment can be applied to electronic devices such as smartphones, tablets and computers; the electronic device, acting as the host machine, runs the containers and the bridge. A bridge is a network device working at the data link layer that connects multiple containers and lets them communicate with each other. After the bridge is created, it can be configured, for example by setting static routes, enabling IP forwarding and configuring firewall rules. As one feasible implementation, this embodiment can use the network bridging tool brctl to create the bridge on the host machine and configure a default IP address for the bridge according to a configuration file.
S102: starting target containers on the host machine;
In this embodiment the target containers can be started on the host machine through a specific command or tool. Once started, a target container runs the specified application or service and interacts with the host machine and the other containers to implement particular business logic or functional requirements. The target containers include a first container, a second container and a third container: the first container implements mobile network dial-up, the second container implements Android application interface interaction, and the third container implements instrument application interface interaction. This embodiment does not limit the number of each kind of target container.
S103: generating a corresponding container-side virtual network card in each target container, and generating in the bridge a corresponding bridge-side virtual network card for each container-side virtual network card;
In this embodiment virtual network cards are generated in the target containers and in the bridge to establish a peer network: a corresponding container-side virtual network card is generated in each target container, and a corresponding bridge-side virtual network card is generated in the bridge for each container-side virtual network card, so the number of bridge-side virtual network cards equals the number of target containers.
The container-side virtual network card lets the container communicate on the network; the bridge-side virtual network card serves as the interface between the bridge and the container and forwards traffic between the container and the external network. This arrangement provides isolation of container network traffic and efficient forwarding, improving the network performance and security of the whole system.
S104: using the first container to dial up and create multiple mobile network cards, and generating a policy routing table;
The first container is the container that implements mobile network dial-up; a dial-up application can run in the first container to provide the dial-up function. In this embodiment the first container is used to dial up and create multiple mobile network cards, and a policy routing table is generated that describes the mapping relationship between containers and mobile network cards. Creating mobile network cards by dialing from the first container and combining them with the policy routing table gives the containers flexible access to the mobile network.
Specifically, in this embodiment a dial-up operation is performed through the first container to create multiple mobile network cards. These mobile network cards allow the target containers to connect to the external mobile network, so that the target containers can access it. The policy routing table determines through which mobile network card the data packets sent by each container are forwarded.
S105: routing the data packets transmitted by the target containers through the bridge to the corresponding mobile network cards according to the policy routing table.
A target container can send data packets through its container-side virtual network card to the corresponding bridge-side virtual network card in the bridge, and the host machine can route the data packets to the corresponding mobile network card based on the policy routing table to provide Internet access. The target containers can also access the local area network through the bridge.
This embodiment creates a bridge on the host machine and performs network configuration on it; the bridge can forward data packets from different network interfaces, and the above network isolation mechanism allows each container to have an independent network namespace, avoiding network interference and conflicts between containers. After the target containers are started on the host machine, a corresponding container-side virtual network card can be generated in each target container, and a bridge-side virtual network card corresponding to each container-side virtual network card can be generated in the bridge; this arrangement of virtual network cards ensures that each container can access the network independently without interfering with the others. This embodiment also uses the first container to dial up and create multiple mobile network cards, generates a policy routing table, and routes the data packets transmitted by the target containers through the bridge to the corresponding mobile network cards according to that table. This embodiment can therefore set up network isolation for containers and improve the network management capability for containers.
As a further description of the embodiment corresponding to FIG. 1, after the target containers are started, corresponding firewall rules can be added for them. In this way, when a target container sends data packets through its container-side virtual network card, the firewall automatically adds a preset tag to those packets. The tags can be any information that distinguishes different containers or different network flows.
Specifically, in this embodiment a first firewall rule can be added for the first container so that a first tag is added to data packets sent by the first container through its container-side virtual network card, and a second firewall rule can be added for the second container so that a second tag is added to data packets sent by the second container through its container-side virtual network card.
Further, this embodiment can use the first container to dial up and create a first mobile network card and a second mobile network card, and on that basis generate the policy routing table containing a first mapping relationship and a second mapping relationship, wherein the first mapping relationship maps the first tag to the first mobile network card and the second mapping relationship maps the second tag to the second mobile network card. The routing table built in this way contains multiple mapping relationships, each of which associates a previously added tag with a specific mobile network card.
Once the first and second firewall rules have been added and the first and second mobile network cards have been created, the data packets transmitted by the first container through the bridge can be routed to the first mobile network card according to the policy routing table, and the data packets transmitted by the second container through the bridge can be routed to the second mobile network card according to the policy routing table.
Specifically, when the first container sends data packets through the bridge, the bridge checks the tag in those packets; after finding the first mobile network card corresponding to that tag by consulting the policy routing table, it routes the packets to the first mobile network card, so the first container gains access to the mobile network. Likewise, when the second container sends data packets through the bridge, the bridge checks the tag in those packets, finds the second mobile network card corresponding to that tag in the policy routing table, and routes the packets to the second mobile network card, so the second container gains access to the mobile network. This ensures correct forwarding and efficient management of container network traffic.
As one feasible implementation, the network namespace of the WLAN physical network card can also be queried, and the network namespace of the WLAN physical network card added to the network namespace of the second container. In this way the second container can access the Internet through the WLAN physical network card, while containers whose network namespace does not include the WLAN physical network card (i.e. the first and third containers) cannot.
As one feasible implementation, the second container can also be configured as follows: set the default network type of the second container to Ethernet; set the DNS (Domain Name System) address of the container-side virtual network card corresponding to the second container according to a configuration file; and set the default gateway of the second container to the IP address of the bridge. This ensures stable and efficient network communication for the second container, so that it can interact smoothly with other containers or external networks to meet different business needs.
As one feasible implementation, the first container can also be configured as follows: set the default gateway of the first container to the IP (Internet Protocol) address of the bridge; and, after using the first container to dial up and create multiple mobile network cards, set the DNS address used by the dial-up operation of the first container as the DNS address of the first container. This configuration ensures stable and efficient network communication for the first container, so that it can interact smoothly with other containers or external networks.
The flow described in the above embodiment is illustrated below with a practical network management scheme in which three containers are started on Android.
Referring to Figure 2, a schematic diagram of the host user space in the related art: the host user space (Host userspace) contains a first container, a second container and a third container. The first container runs the dial-up application tbox app, the second container runs the application Android app that interacts with the Android application interface, and the third container runs the application cluster app that interacts with the instrument cluster application interface. The first container can create the mobile network cards apn1 and apn2, and the second container can connect to the WLAN physical network card. The three containers are started on the Android system, and the part of Android started outside the containers is called the host. The first container implements mobile network dial-up and is also called the tbox container; the second container implements Android app UI interaction and is also called the ivi container; the third container implements instrument cluster app UI interaction and is also called the cluster container.
In the related scheme, after the tbox container starts, the tbox app dials up the two mobile network APNs, and after the ivi container starts, the Android app enables the WLAN network. The host and all three containers can use both APN mobile networks, and the host and all three containers can use the WLAN network. In this scheme the containers have no separate network namespaces, so no network isolation is achieved; there is no overall network management policy, so mobile network and WLAN network resources cannot be allocated and no network restriction can be applied to an individual container. A network namespace (net namespace) is an isolated environment with its own network stack (network cards, routing and forwarding tables, iptables); network namespaces are used to isolate network devices and services.
To overcome the defects of the related art described above, the present application provides a network management scheme based on starting three containers on Android, which can achieve network allocation and network restriction for multiple containers.
Referring to Figure 3, a schematic diagram of a host user space provided by an embodiment of the present application: the host user space (Host userspace) contains a first container, a second container, a third container and a bridge br0. The network namespace (netns) of the first container contains the application tbox app and an eth virtual network card (the container-side virtual network card); the netns of the second container contains the application Android app, an eth virtual network card and the WLAN physical network card; the netns of the third container contains the application cluster app and an eth virtual network card. The bridge contains the bridge-side virtual network card tbox_peer corresponding to the first container's eth virtual network card, the bridge-side virtual network card ivi_peer corresponding to the second container's eth virtual network card, and the bridge-side virtual network card ic_peer corresponding to the third container's eth virtual network card. The first container can create the mobile network cards apn1 and apn2.
Specifically, in this embodiment the following operations A1 to A4 may be performed during the Android boot configuration process:
Operation A1: configure the bridge on the host.
Specifically, before the first, second and third containers are started, the init process of the host uses the bridging tool brctl to configure the bridge br0 on the host and bring it up; a default IP address such as 192.168.0.0/24 may also be configured for br0. The init process is process number one of the user space started by Android, and all user processes are spawned by it.
Operation A2: set the containers' startup configuration and add the virtual network cards to the bridge.
Specifically, when the first, second and third containers start, a veth pair virtual network card (the container-side virtual network card) is generated according to the configuration file, creating a peer-to-peer link: one end is assigned to the container and the other end is connected to the bridge specified by lxc.network.link, the name of that end being specified by the lxc.network.veth.pair option. In this way a container-side virtual network card is added to each of the first, second and third containers and a bridge-side virtual network card is added to the bridge, and each container-side virtual network card forms a peer-to-peer link with its bridge-side virtual network card.
After operations A1 and A2 have been performed, the local area network of the first, second and third containers is established, and the IP addresses of the different network namespaces can be obtained through the bridge.
Operation A3: configure the network of the second container.
Specifically, this operation sets the default network type of the second container to Ethernet, so that no separate commands are needed to set the other parameters of the virtual network card. It may also set the DNS address of the second container's eth virtual network card (for example 8.8.8.8 or 114.114.114.114), so that applications in the second container can resolve Internet domain names. It may also move the WLAN physical network card into the network namespace of the second container, so that the WLAN network is used only by the second container. It may also set the default gateway of the second container to the bridge IP address. It may also add a firewall rule in the second container so that all packets leaving through the second container's virtual network card interface are given the specific mark 02.
Operation A4: configure the network of the first container.
Specifically, this operation sets the default gateway of the first container to the bridge IP address, and may also add a firewall rule for the first container so that all packets leaving through the first container's virtual network card interface are given the specific mark 01.
Specifically, in this embodiment the following operations B1 to B2 may be performed during the configuration process after the mobile network is started:
Operation B1: configure the network of the first container.
Specifically, the first container uses the tbox app to dial up and create the mobile network cards apn1 and apn2. This operation may also set the DNS address used for dial-up as the DNS address of the first container, for example: `ip ro add ${DNS_IP} dev ${IFACE_NAME}`.
Operation B2: set up the policy routing table (iptables mark) in the host environment.
Specifically, in this embodiment a policy routing table is added in the host environment, and all packets carrying a MARK are routed through this table. The table sends packets whose source is marked MARK 02 out through the mobile network card apn2, and packets whose source is marked MARK 01 out through the mobile network card apn1.
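The following script is an added example, not code from the patent, that turns operations A1 to A4 and B1 to B2 into concrete host-side commands. Every name and value in it is an assumption of mine: bridge br0 at 192.168.0.1/24, containers tbox/ivi/cluster with fixed addresses .11/.12/.13 and peer interfaces tbox_peer/ivi_peer/ic_peer, marks 0x1/0x2, routing tables 101/102, WLAN interface wlan0, DNS 8.8.8.8. It departs from the text in one place: the mark is applied on the host at the bridge, keyed by the container's source address, rather than inside the container, because a mark set inside a container's network namespace is cleared when the packet crosses the veth into the host namespace; the MASQUERADE rule is likewise my addition.

```shell
#!/bin/sh
# Added example, not code from the patent: host-side plan for operations A1-A4
# and B1-B2. All names/values are assumptions: bridge br0 at 192.168.0.1/24,
# containers tbox/ivi/cluster at .11/.12/.13 with peers tbox_peer/ivi_peer/ic_peer,
# marks 0x1/0x2, routing tables 101/102, wlan0, DNS 8.8.8.8.
# DRY_RUN=1 (default) prints each command instead of running it, so the plan can
# be reviewed without root or LXC; DRY_RUN=0 executes it on the host.

DRY_RUN="${DRY_RUN:-1}"
BRIDGE=br0
BRIDGE_IP=192.168.0.1/24
DNS_IP=8.8.8.8
WLAN_IF=wlan0
IVI_PID="${IVI_PID:-<ivi-init-pid>}"   # placeholder; in practice $(lxc-info -n ivi -pH)

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# A1: the host init process creates br0 with brctl, addresses it and brings it up.
setup_bridge() {
  run brctl addbr "$BRIDGE"
  run ip addr add "$BRIDGE_IP" dev "$BRIDGE"
  run ip link set "$BRIDGE" up
}

# A2: LXC config fragment for one container. The container end of the veth pair
# is eth0; the host end, named by lxc.network.veth.pair, is attached to br0. The
# fixed address and gateway (the bridge IP) replace per-container ip commands
# (legacy lxc.network.* keys, as used on the page).
lxc_net_config() { # $1 = container address/prefix, $2 = host-side peer name
cat <<EOF
lxc.network.type = veth
lxc.network.link = $BRIDGE
lxc.network.veth.pair = $2
lxc.network.name = eth0
lxc.network.flags = up
lxc.network.ipv4 = $1
lxc.network.ipv4.gateway = ${BRIDGE_IP%/*}
EOF
}

# A3/A4: DNS for the containers that may reach the Internet (tbox and ivi only).
container_dns() { # $1 = container name
  run lxc-attach -n "$1" -- sh -c "echo nameserver $DNS_IP > /etc/resolv.conf"
}

# A3: move the WLAN physical NIC into the ivi container's namespace; it then
# disappears from the host and from the other containers.
move_wlan_to_container() { # $1 = pid of the container's init process
  run ip link set "$WLAN_IF" netns "$1"
}

# B2: per container, mark its traffic on the host and route that mark to one APN.
# Caveat: a mark set inside the container is cleared when the packet crosses the
# veth into the host namespace, so the mark is applied here on ingress to br0,
# keyed by the container's fixed source address.
policy_routing() { # $1 = mark, $2 = table id, $3 = mobile NIC, $4 = container address
  run iptables -t mangle -A PREROUTING -i "$BRIDGE" -s "$4" -j MARK --set-mark "$1"
  run ip rule add fwmark "$1" table "$2"
  run ip route add default dev "$3" table "$2"
  # my addition: private bridge addresses need source NAT on the mobile NIC
  run iptables -t nat -A POSTROUTING -o "$3" -j MASQUERADE
}

# The whole plan. The cluster container gets no mark and no table, so it stays
# LAN-only; the host itself gets no default route over apn1, apn2 or wlan0.
plan() {
  setup_bridge
  container_dns tbox
  container_dns ivi
  move_wlan_to_container "$IVI_PID"
  policy_routing 0x1 101 apn1 192.168.0.11   # tbox -> apn1
  policy_routing 0x2 102 apn2 192.168.0.12   # ivi  -> apn2
}

plan
```

The `lxc_net_config` output is meant to be appended to each container's LXC config file (with ic_peer and 192.168.0.13/24 for the cluster container), while `plan` covers the host side.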
In the above scheme, the first, second and third containers each achieve network isolation by starting a separate network namespace; the first and second containers can access the local area network and the Internet through their veth virtual network cards and the bridge, while the third container can access only the local area network.
In this scheme the mobile network cards apn1 and apn2 are distinguished by the policy routing table: apn1 can be used only by the first container and apn2 only by the second container; the WLAN network can be used only by the second container and is invisible to the host environment and to the other containers. Thus the scheme, based on the principles of Android and container network namespaces, relies on veth virtual network cards bridged through the bridge and, through the configuration of the policy routing table, gives each container an independently allocated network while controlling the network capabilities of each container and of the host.
With this scheme, WLAN network verification started from the second container shows the following: the Android app in the second container can use the WLAN network to access the Internet normally; the WLAN physical network card is invisible in the host environment, which cannot access the Internet; the WLAN physical network card is invisible in the third container, which cannot access the Internet; and the WLAN physical network card is invisible in the first container, which cannot access the Internet.
With this scheme, mobile network verification started from the first container shows the following: the first container can access the Internet normally; the second container can access the Internet normally; the host cannot access the Internet; the third container cannot access the Internet; and a tcpdump capture confirms that policy routing takes effect as intended, with the second container using the mobile network card apn2 and the first container using the mobile network card apn1.
With this scheme, the third container's network cannot access the local area network, while the third container can reach the IP addresses of the second container's and the first container's virtual network cards; and in the scenario where both the WLAN network and the mobile network are connected, the host cannot access the Internet.
Referring to Figure 4, a schematic diagram of a network management system for containers provided by an embodiment of the present application;
the system may include:
a bridge creation module 401, configured to create a bridge on a host and to perform network configuration on the bridge;
a container startup module 402, configured to start target containers on the host, wherein the target containers include: a first container for implementing mobile network dial-up, a second container for implementing Android application interface interaction, and a third container for implementing instrument cluster application interface interaction;
a peer-to-peer network establishment module 403, configured to generate a corresponding container-side virtual network card in each target container and to generate, in the bridge, a corresponding bridge-side virtual network card for each container-side virtual network card;
a dial-up module 404, configured to dial up from the first container to create multiple mobile network cards and to generate a policy routing table, wherein the policy routing table describes the mapping between containers and mobile network cards;
a data routing module 405, configured to route the packets transmitted by the target containers through the bridge to the corresponding mobile network cards according to the policy routing table.
This embodiment creates a bridge on the host and performs network configuration on it; the bridge can forward packets arriving from different network interfaces, and the network isolation mechanism described above gives each container an independent network namespace, avoiding network interference and conflicts between containers. After the target containers are started on the host, a corresponding container-side virtual network card is generated in each target container and a corresponding bridge-side virtual network card is generated in the bridge for each of them; this arrangement of virtual network cards ensures that each container can access the network independently without interfering with the others. This embodiment further dials up from the first container to create multiple mobile network cards, generates a policy routing table, and routes the packets transmitted by the target containers through the bridge to the corresponding mobile network cards according to that table. This embodiment therefore provides network isolation for containers and improves the ability to manage container networking.
Furthermore, the system also includes:
a rule configuration module, configured to add a first firewall rule to the first container so that packets sent by the first container through its container-side virtual network card carry a first mark, and to add a second firewall rule to the second container so that packets sent by the second container through its container-side virtual network card carry a second mark;
correspondingly, the process by which the dial-up module 404 dials up from the first container to create multiple mobile network cards and generates the policy routing table includes: dialing up from the first container to create a first mobile network card and a second mobile network card, and generating the policy routing table containing a first mapping and a second mapping, wherein the first mapping is the mapping between the first mark and the first mobile network card, and the second mapping is the mapping between the second mark and the second mobile network card.
Furthermore, the process by which the data routing module 405 routes the packets transmitted by the target containers through the bridge to the corresponding mobile network cards according to the policy routing table includes: routing the packets transmitted by the first container through the bridge to the first mobile network card according to the policy routing table, and routing the packets transmitted by the second container through the bridge to the second mobile network card according to the policy routing table.
Furthermore, the system also includes:
a WLAN management module, configured to query the network namespace of the WLAN physical network card and to add the WLAN physical network card to the network namespace of the second container.
Furthermore, the system also includes:
a second container configuration module, configured to set the default network type of the second container to Ethernet, to set the DNS address of the second container's container-side virtual network card according to a configuration file, and to set the default gateway of the second container to the IP address of the bridge.
Furthermore, the system also includes:
a first container configuration module, configured to set the default gateway of the first container to the IP address of the bridge and, after multiple mobile network cards have been created by dialing from the first container, to set the DNS address used by the first container's dial-up operation as the DNS address of the first container.
Furthermore, the process by which the bridge creation module 401 creates the bridge on the host and performs network configuration on it includes: creating the bridge on the host with a bridging tool, and configuring a default IP address for the bridge according to a configuration file.
Since the embodiments of the system part correspond to those of the method part, reference is made to the description of the method embodiments for the system embodiments, which are not repeated here.
The present application also provides a storage medium on which a computer program is stored; when the computer program is executed, the steps provided in the above embodiments can be implemented. The storage medium may include a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
The present application also provides an electronic device, which may include a memory and a processor; a computer program is stored in the memory, and when the processor invokes the computer program in the memory, the steps provided in the above embodiments can be implemented. The electronic device may of course also include other components such as network interfaces and a power supply.
The embodiments in this specification are described progressively, each focusing on its differences from the others; for the parts they share, the embodiments may be referred to one another. Since the system disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief, and reference is made to the method description where relevant. It should be noted that a person of ordinary skill in the art may make several improvements and modifications to the present application without departing from its principles, and such improvements and modifications also fall within the scope of protection of the claims of the present application.
It should also be noted that in this specification, relational terms such as first and second are used only to distinguish one entity or operation from another and do not necessarily require or imply any actual relationship or order between them. Moreover, the terms "comprise", "include" and any variants thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Absent further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or device that comprises it.
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410625775.1A CN118590395A (en) | 2024-05-20 | 2024-05-20 | A network management method, system, electronic device and storage medium for container |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410625775.1A CN118590395A (en) | 2024-05-20 | 2024-05-20 | A network management method, system, electronic device and storage medium for container |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN118590395A true CN118590395A (en) | 2024-09-03 |
Family
ID=92537811
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202410625775.1A Pending CN118590395A (en) | 2024-05-20 | 2024-05-20 | A network management method, system, electronic device and storage medium for container |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN118590395A (en) |
- 2024-05-20: CN CN202410625775.1A patent/CN118590395A/en active Pending
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |