Cloud hard disk encryption mounting method and device, electronic equipment and storage medium
1. An encryption mounting method for a cloud hard disk is applied to a host machine in a cloud computing platform, and is characterized by comprising the following steps:
based on at least two preset block device types, an encrypted cloud hard disk in a first encryption format is created through a block storage service in a local cloud computing client; the at least two preset block device types comprise a mapping type block device type and a distributed type block device type; the local cloud computing client is used for providing services supported by the cloud computing platform for the host machine and providing resources for the cloud computing platform through a virtual machine on the host machine;
decrypting the encrypted cloud hard disk for the virtual machine through a hard disk simulator and a virtual machine management tool to obtain a decrypted cloud hard disk corresponding to the virtual machine; the hard disk simulator supports the device drivers of the at least two preset block device types in the first encryption format;
and mounting the decrypted cloud hard disk to the virtual machine.
2. The method of claim 1, wherein creating, by a block storage service in a local cloud computing client, an encrypted cloud hard disk in a first encryption format based on at least two preset block device types comprises:
when the preset block device type is the distributed block device type, generating a key through a key management service in the local cloud computing client, and storing key information of the key in a hard disk information database;
acquiring the key from a key management service in the local cloud computing client, calling a device driver corresponding to the distributed block device type through the block storage service, calling a hard disk simulation tool in the hard disk simulator in the device driver, and creating a virtual encrypted cloud hard disk of the distributed block device type by using the first encryption format and the key;
and associating the virtual encrypted cloud hard disk with a physical storage resource pool in the host machine to obtain the encrypted cloud hard disk.
3. The method of claim 1, wherein creating, by a block storage service in a local cloud computing client, an encrypted cloud hard disk in a first encryption format based on at least two preset block device types comprises:
when the preset block device type is a mapping block device type, generating a key through a key management service in the local cloud computing client, and storing key information of the key in a hard disk information database;
creating a mapping type block device type cloud hard disk through the block storage service;
sending a request for mounting the mapping type block device type cloud hard disk to the virtual machine through a computing service in the local cloud computing client; the computing service is used for managing computing resources on the cloud computing platform;
acquiring a key through the key management service according to the key information in the hard disk information database;
generating a key container through a virtual machine management tool;
storing, by the computing service, the key in the key container;
updating, by the virtual machine management tool, configuration information of the virtual machine using the key container;
and encrypting the mapping type block device type cloud hard disk according to the first encryption format and the key to obtain the encrypted cloud hard disk.
4. The method of claim 2, wherein after associating the virtual encrypted cloud hard disk with a physical storage resource pool in the host, the method further comprises:
sending a request for mounting the encrypted cloud hard disk to the virtual machine through a computing service in the local cloud computing client;
retrieving the key from the key management service according to the key information in the hard disk information database;
generating a key container through a virtual machine management tool;
storing, by the computing service, the key in the key container;
updating, by the virtual machine management tool, configuration information of the virtual machine using the key container.
5. The method according to claim 2 or 3, wherein the generating a key by a key management service in the local cloud computing client and storing key information of the key in a hard disk information database comprises:
calling the key management service to generate a key through the block storage service;
returning, by the key management service, a key link for the key to the block storage service;
and extracting the identification information of the key from the key link through the block storage service, and storing the identification information as the key information in the hard disk information database.
6. The method according to claim 3 or 4, wherein the decrypting the encrypted cloud hard disk for the virtual machine through a hard disk simulator and a virtual machine management tool to obtain a decrypted cloud hard disk corresponding to the virtual machine comprises:
and acquiring the key in the key container from the configuration information of the virtual machine through the hard disk simulator, and decrypting the encrypted cloud hard disk by using the key to obtain the decrypted cloud hard disk.
7. A cloud hard disk encryption mounting device, applied to a host machine in a cloud computing platform, characterized by comprising an encryption creating unit, a decryption unit and a mounting unit, wherein
the encryption creating unit is used for creating an encrypted cloud hard disk in a first encryption format through a block storage service in a local cloud computing client based on at least two preset block device types; the at least two preset block device types comprise a mapping type block device type and a distributed type block device type; the local cloud computing client is used for providing services supported by the cloud computing platform for the host machine and providing resources for the cloud computing platform through a virtual machine on the host machine;
the decryption unit is used for decrypting the encrypted cloud hard disk for the virtual machine through a hard disk simulator and a virtual machine management tool to obtain a decrypted cloud hard disk corresponding to the virtual machine; the hard disk simulator supports the device drivers of the at least two preset block device types in the first encryption format;
and the mounting unit is used for mounting the decrypted cloud hard disk to the virtual machine.
8. The apparatus of claim 7,
the encryption creating unit is further configured to generate a key through a key management service in the local cloud computing client when the preset block device type is the distributed block device type, and store key information of the key in a hard disk information database; acquire the key from the key management service in the local cloud computing client, call a device driver corresponding to the distributed block device type through the block storage service, call a hard disk simulation tool of the hard disk simulator in the device driver, and create a virtual encrypted cloud hard disk of the distributed block device type by using the first encryption format and the key; and associate the virtual encrypted cloud hard disk with a physical storage resource pool in the host machine to obtain the encrypted cloud hard disk.
9. The apparatus of claim 7,
the encryption creating unit is further configured to generate a key through a key management service in the local cloud computing client when the preset block device type is a mapping block device type, and store key information of the key in a hard disk information database; create a mapping type block device type cloud hard disk through the block storage service; send a request for mounting the mapping type block device type cloud hard disk to the virtual machine through a computing service in the local cloud computing client, the computing service being used for managing computing resources on the cloud computing platform; acquire the key through the key management service according to the key information in the hard disk information database; generate a key container through the virtual machine management tool; store, by the computing service, the key in the key container; update, by the virtual machine management tool, configuration information of the virtual machine using the key container; and encrypt the mapping type block device type cloud hard disk according to the first encryption format and the key to obtain the encrypted cloud hard disk.
10. The apparatus according to claim 8, wherein after the virtual encrypted cloud hard disk is associated with a physical storage resource pool in the host and the encrypted cloud hard disk is obtained, the encryption creating unit is further configured to send, through a computing service in the local cloud computing client, a request for mounting the encrypted cloud hard disk to the virtual machine; retrieve the key from the key management service according to the key information in the hard disk information database; generate a key container through the virtual machine management tool; store, by the computing service, the key in the key container; and update, by the virtual machine management tool, configuration information of the virtual machine using the key container.
11. The apparatus according to claim 8 or 9, wherein the encryption creating unit is further configured to invoke the key management service to generate a key through the block storage service; return a key link for the key to the block storage service through the key management service; and extract the identification information of the key from the key link through the block storage service, wherein the identification information is used as the key information and is stored in the hard disk information database.
12. The apparatus according to claim 9 or 10, wherein the decryption unit is further configured to obtain, by the hard disk emulator, a key in the key container from configuration information of the virtual machine, and decrypt the encrypted cloud hard disk using the key to obtain the decrypted cloud hard disk.
13. An electronic device, comprising: a processor, a memory, and a communication bus, the memory in communication with the processor through the communication bus, the memory storing one or more programs executable by the processor, the processor performing the method of any of claims 1-6 when the one or more programs are executed.
14. A storage medium, characterized in that the storage medium stores one or more programs, which are executable by one or more processors, the programs, when executed by the processors, implementing the method according to any one of claims 1 to 6.
Background
At present, when a cloud hard disk is mounted in an encrypted manner, the existing encryption technology is based on the device mapping mechanism and generally supports only the encryption of mapping type block storage devices, such as a Storage Area Network (SAN) type cloud hard disk; it does not support the encryption of distributed type block storage devices, such as a Reliable Autonomic Distributed Object Store block device (RBD) type cloud hard disk. An RBD type cloud hard disk therefore cannot be mounted to a virtual machine in encrypted form and then shared as a computing resource of the cloud computing platform, which reduces the compatibility of cloud hard disk encryption mounting.
Disclosure of Invention
The embodiment of the invention provides an encryption mounting method and device for a cloud hard disk, an electronic device and a storage medium, which can simultaneously support the encryption mounting of a mapping type block device type and a distributed type block device type cloud hard disk and improve the compatibility of the encryption mounting of the cloud hard disk.
The technical scheme of the invention is realized as follows:
in a first aspect, an embodiment of the present invention provides an encryption mounting method for a cloud hard disk, which is applied to a host in a cloud computing platform, and includes:
based on at least two preset block device types, an encrypted cloud hard disk in a first encryption format is created through a block storage service in a local cloud computing client; the at least two preset block device types comprise a mapping type block device type and a distributed type block device type; the local cloud computing client is used for providing services supported by the cloud computing platform for the host machine and providing resources for the cloud computing platform through a virtual machine on the host machine;
decrypting the encrypted cloud hard disk for the virtual machine through a hard disk simulator and a virtual machine management tool to obtain a decrypted cloud hard disk corresponding to the virtual machine; the hard disk simulator supports the device drivers of the at least two preset block device types in the first encryption format;
and mounting the decrypted cloud hard disk to the virtual machine.
In the foregoing solution, the creating an encrypted cloud hard disk in a first encryption format through a block storage service in a local cloud computing client based on at least two preset block device types includes:
when the preset block device type is the distributed block device type, generating a key through a key management service in the local cloud computing client, and storing key information of the key in a hard disk information database;
acquiring the key from a key management service in the local cloud computing client, calling a device driver corresponding to the distributed block device type through the block storage service, calling a hard disk simulation tool in the hard disk simulator in the device driver, and creating a virtual encrypted cloud hard disk of the distributed block device type by using the first encryption format and the key;
and associating the virtual encrypted cloud hard disk with a physical storage resource pool in the host machine to obtain the encrypted cloud hard disk.
In the foregoing solution, the creating an encrypted cloud hard disk in a first encryption format through a block storage service in a local cloud computing client based on at least two preset block device types includes:
when the preset block device type is a mapping block device type, generating a key through a key management service in the local cloud computing client, and storing key information of the key in a hard disk information database;
creating a mapping type block device type cloud hard disk through the block storage service;
sending a request for mounting the mapping type block device type cloud hard disk to the virtual machine through a computing service in the local cloud computing client; the computing service is used for managing computing resources on the cloud computing platform;
acquiring a key through the key management service according to the key information in the hard disk information database;
generating a key container through a virtual machine management tool;
storing, by the computing service, the key in the key container;
updating, by the virtual machine management tool, configuration information of the virtual machine using the key container;
and encrypting the mapping type block device type cloud hard disk according to the first encryption format and the key to obtain the encrypted cloud hard disk.
In the above scheme, after associating the virtual encrypted cloud hard disk with a physical storage resource pool in the host to obtain the encrypted cloud hard disk, the method further includes:
sending a request for mounting the encrypted cloud hard disk to the virtual machine through a computing service in the local cloud computing client;
retrieving the key from the key management service according to the key information in the hard disk information database;
generating a key container through a virtual machine management tool;
storing, by the computing service, the key in the key container;
updating, by the virtual machine management tool, configuration information of the virtual machine using the key container.
In the above scheme, the generating a key by a key management service in the local cloud computing client, and storing key information of the key in a hard disk information database includes:
calling the key management service to generate a key through the block storage service;
returning, by the key management service, a key link for the key to the block storage service;
and extracting the identification information of the key from the key link through the block storage service, and storing the identification information as the key information in the hard disk information database.
In the above scheme, the decrypting the encrypted cloud hard disk for the virtual machine through the hard disk simulator and the virtual machine management tool to obtain a decrypted cloud hard disk corresponding to the virtual machine includes:
and acquiring the key in the key container from the configuration information of the virtual machine through the hard disk simulator, and decrypting the encrypted cloud hard disk by using the key to obtain the decrypted cloud hard disk.
In a second aspect, an embodiment of the present invention provides an encryption mounting apparatus for a cloud hard disk, which is applied to a host in a cloud computing platform, and includes an encryption creating unit, a decryption unit, and a mounting unit, where,
the encryption creating unit is used for creating an encrypted cloud hard disk in a first encryption format through a block storage service in a local cloud computing client based on at least two preset block device types; the at least two preset block device types comprise a mapping type block device type and a distributed type block device type; the local cloud computing client is used for providing services supported by the cloud computing platform for the host machine and providing resources for the cloud computing platform through a virtual machine on the host machine;
the decryption unit is used for decrypting the encrypted cloud hard disk for the virtual machine through a hard disk simulator and a virtual machine management tool to obtain a decrypted cloud hard disk corresponding to the virtual machine; the hard disk simulator supports the device drivers of the at least two preset block device types in the first encryption format;
and the mounting unit is used for mounting the decrypted cloud hard disk to the virtual machine.
In the above apparatus, the encryption creating unit is further configured to generate a key through a key management service in the local cloud computing client when the preset block device type is the distributed block device type, and store key information of the key in a hard disk information database; acquire the key from the key management service in the local cloud computing client, call a device driver corresponding to the distributed block device type through the block storage service, call a hard disk simulation tool of the hard disk simulator in the device driver, and create a virtual encrypted cloud hard disk of the distributed block device type by using the first encryption format and the key; and associate the virtual encrypted cloud hard disk with a physical storage resource pool in the host machine to obtain the encrypted cloud hard disk.
In the above apparatus, the encryption creating unit is further configured to generate a key through a key management service in the local cloud computing client when the preset block device type is a mapping block device type, and store key information of the key in a hard disk information database; create a mapping type block device type cloud hard disk through the block storage service; send a request for mounting the mapping type block device type cloud hard disk to the virtual machine through a computing service in the local cloud computing client, the computing service being used for managing computing resources on the cloud computing platform; acquire the key through the key management service according to the key information in the hard disk information database; generate a key container through the virtual machine management tool; store, by the computing service, the key in the key container; update, by the virtual machine management tool, configuration information of the virtual machine using the key container; and encrypt the mapping type block device type cloud hard disk according to the first encryption format and the key to obtain the encrypted cloud hard disk.
In the above apparatus, after the virtual encrypted cloud hard disk is associated with the physical storage resource pool in the host to obtain the encrypted cloud hard disk, the encryption creating unit is further configured to send a request for mounting the encrypted cloud hard disk to the virtual machine through a computing service in the local cloud computing client; retrieve the key from the key management service according to the key information in the hard disk information database; generate a key container through the virtual machine management tool; store, by the computing service, the key in the key container; and update, by the virtual machine management tool, configuration information of the virtual machine using the key container.
In the above apparatus, the encryption creating unit is further configured to invoke the key management service to generate a key through the block storage service; return a key link for the key to the block storage service through the key management service; and extract the identification information of the key from the key link through the block storage service, wherein the identification information is used as the key information and is stored in the hard disk information database.
In the above apparatus, the decryption unit is further configured to obtain, by the hard disk emulator, a key in the key container from configuration information of the virtual machine, and decrypt the encrypted cloud hard disk using the key to obtain the decrypted cloud hard disk.
In a third aspect, an embodiment of the present invention provides an electronic device, where the electronic device includes a processor, a memory and a communication bus, wherein the memory communicates with the processor through the communication bus, the memory stores one or more programs executable by the processor, and when the one or more programs are executed, the processor executes the encryption mounting method for the cloud hard disk.
In a fourth aspect, an embodiment of the present invention provides a storage medium, where the storage medium stores one or more programs, the one or more programs are executable by one or more processors, and when executed by the processors, the programs implement the encryption mounting method for the cloud hard disk as described in any one of the above.
The embodiment of the invention provides an encryption mounting method and device for a cloud hard disk, electronic equipment and a storage medium, wherein the method comprises the following steps: based on at least two preset block device types, an encryption cloud hard disk in a first encryption format is established through a block storage service in a local cloud computing client; the at least two preset block device types comprise a mapping type block device type and a distributed type block device type; the local cloud computing client is used for providing services supported by the cloud computing platform for the host machine and providing resources for the cloud computing platform through the virtual machine on the host machine; decrypting the encrypted cloud hard disk for the virtual machine through the hard disk simulator and the virtual machine management tool to obtain a decrypted cloud hard disk corresponding to the virtual machine; the hard disk simulator supports device drivers of at least two preset block device types in a first encryption format; and mounting the decrypted cloud hard disk to the virtual machine. By adopting the scheme, the mapping type block device type and the distributed type block device type encrypted cloud hard disk created by the block storage service can be decrypted by the hard disk simulator supporting the device drivers of at least two preset block device types in the first encryption format, so that the mapping type block device type and the distributed type block device type cloud hard disk can be mounted to the virtual machine in an encrypted form and decrypted on the virtual machine, and the cloud hard disk encryption mounting compatibility is improved.
Drawings
Fig. 1 is a schematic view of a cloud hard disk encryption mounting process in the prior art according to an embodiment of the present invention;
FIG. 2 is a diagram of host software architecture provided by an embodiment of the present invention;
fig. 3 is a first flowchart of an encryption mounting method for a cloud hard disk according to an embodiment of the present invention;
fig. 4 is a second flowchart of an encryption mounting method for a cloud hard disk according to an embodiment of the present invention;
fig. 5 is a third flowchart of an encryption mounting method for a cloud hard disk according to an embodiment of the present invention;
fig. 6 is a fourth flowchart of an encryption mounting method for a cloud hard disk according to an embodiment of the present invention;
fig. 7 is a fifth flowchart of an encryption mounting method for a cloud hard disk according to an embodiment of the present invention;
fig. 8 is a sixth flowchart of an encryption mounting method for a cloud hard disk according to an embodiment of the present invention;
fig. 9 is a schematic structural diagram of an encryption mounting device for a cloud disk according to an embodiment of the present invention;
fig. 10 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention.
Before the embodiments of the present invention are described in further detail, the terms and expressions used in them are explained; the explanations below apply to these terms and expressions throughout.
1) OpenStack, an open-source cloud computing management platform project, is a combination of a series of open-source software projects. OpenStack covers networking, virtualization, operating systems, servers, and so on.
2) The Cinder service is the block storage service of the OpenStack platform and provides a stable data block storage service. Illustratively, the Cinder service can provide functions such as creating, deleting, mounting and unmounting cloud hard disks.
3) The Nova service is the core service of OpenStack and is responsible for maintaining and managing the computing resources of a cloud environment.
4) dm-crypt LUKS, a hard disk encryption method based on the device mapping (dm) mechanism. LUKS (Linux Unified Key Setup) is the Linux standard for hard disk partition encryption; dm-crypt is the disk encryption function provided by the Linux kernel on top of the device mapping mechanism. Every real or virtual block device in the system can be registered in the Linux kernel through the device mapping mechanism, and every block device mapped, that is mounted, under the device mapping structure is a complete block device in Linux. A cloud hard disk encrypted with dm-crypt cannot be mounted directly on a virtual machine; it can only be mounted after being mapped, and an encrypted SAN storage type cloud hard disk must first be decrypted when it is mapped.
5) Ceph, which is a reliable, auto-rebalancing, auto-recovering distributed storage system; RADOS (Reliable Autonomic Distributed Object Store) is one of its cores. The architecture of the Ceph storage system has no central node: the client computes the location of the data it writes through the device mapping relation, so the client can communicate directly with the storage nodes and the performance bottleneck of a central node is avoided. The client stores data into the Ceph cluster through a block storage device of the RBD block device type.
6) The block storage device is a type of input/output device that stores information in fixed-size blocks, each block having its own address, and can read data of a given length at any position of the device; illustratively, a hard disk, a USB flash drive, an SD card and the like are typical block devices.
7) The RBD block device type is a block storage protocol externally provided based on RADOS, integrates various heterogeneous block devices together in a network link form, and provides unified block storage resources after virtualization for a physical machine or a virtual machine through core management software.
8) The SAN block device type, Storage Area Network (SAN), is a high-speed private subnet that connects Storage devices such as disk arrays and tapes with related servers through connection devices such as optical fiber hubs, optical fiber routers, and optical fiber switches. There is no interworking between SANs.
9) Quick Emulator (QEMU), a virtualization emulator implemented purely in software, which can emulate the hardware devices of a virtual machine and supervise the virtual machine.
10) Libvirt, which is an open source API, daemon, and management tool for managing virtualization platforms, may provide storage and network interface management for managing virtual machines, QEMU, and other virtualization technologies.
At present, an encryption mounting method for a cloud hard disk proceeds as shown in fig. 1: a host node 3 installs an OpenStack platform client 10 and creates a mapping type block device cloud hard disk, such as a SAN type cloud hard disk, through a Cinder service 10_1 in the OpenStack platform client 10; a Nova service 10_2 in the OpenStack platform client then initiates a request for mounting the SAN type cloud hard disk to a virtual machine, and because the SAN type cloud hard disk is a cloud hard disk of the device mapping mechanism, the Nova service 10_2 encrypts it with the encryption instruction LUKS Format of dm-crypt LUKS to obtain an encrypted cloud hard disk 20; the Nova service decrypts the encrypted cloud hard disk 20 with the decryption instruction LUKS Open of dm-crypt LUKS, maps the decrypted cloud hard disk 30 into the /dev/mapper directory of the host node, and finally mounts the decrypted cloud hard disk 30 to the virtual machine 40 on the host 3 to provide hard disk service for the virtual machine 40, so that the hard disk in the virtual machine 40 is used as part of the cloud computing resources to realize shared storage. The decrypted cloud hard disk 30 is in the decrypted state only for the mounted virtual machine 40, and is in the encrypted state for the other virtual machines in the cloud computing platform.
Because dm-crypt LUKS is an encryption method based on a device mapper mechanism, the current cloud hard disk encryption technology can only encrypt SAN storage cloud hard disks of mapping type block device types, and for distributed block storage types such as RBD block storage devices, a dm-crypt LUKS mode cannot be used for encrypting and mounting distributed block storage devices similar to the RBD block storage devices.
The cloud hard disk encryption mounting method provided by the embodiment of the invention is applied to a host in a cloud computing platform. As shown in fig. 2, a local cloud computing client 100, a virtual machine 200, a hard disk simulator 300 and a virtual machine management tool 400 are installed on a host node 1. The local cloud computing client 100 is used for providing the services supported by the cloud computing platform for the host 1; in some embodiments, the local cloud computing client 100 may be a client of the open source cloud computing management platform OpenStack, and by installing the OpenStack client the host 1 may call the services and management tools of OpenStack on the host. The local cloud computing client 100 includes a block storage service 100_1 for creating an encrypted cloud hard disk 500, and further includes a block storage service 100_2 configured to mount the decrypted cloud hard disk 600 to the virtual machine 200. The virtual machine 200 may be created on the host 1 by a computing service in the local cloud computing client 100 and is used to share the computing resources of the host 1 with the cloud computing platform; the virtual machine 200 exists in the host 1 and uses the physical hardware resources of the host together with the host. In some embodiments, a hard disk of the virtual machine 200 exists on the host 1 in the form of a folder and occupies hard disk resources of the host 1. The hard disk simulator 300 is a software simulator installed on the host 1, and is used for simulating hard disk resources for the virtual machine 200 and for providing device and user space management services. The virtual machine management tool 400 is a management tool for the virtual machine 200 installed on the host 1; it exists on the host 1 in the form of a library, and is the software interface through which other services on the host 1 operate the virtual machine 200. In the embodiment of the present invention, the hard disk simulator 300 and the virtual machine management tool 400 are used to decrypt the encrypted cloud hard disk, so as to obtain the decrypted cloud hard disk 600. Based on the host software architecture provided by the embodiment of the invention, encrypted mounting of cloud hard disks of at least two preset block device types can be realized on the host.
Fig. 3 is an alternative flow chart of the method provided by the embodiment of the present invention, which will be described with reference to the steps shown in fig. 3.
S101, based on at least two preset block device types, establishing an encrypted cloud hard disk in a first encryption format through a block storage service in a local cloud computing client; the at least two preset block device types comprise a mapping type block device type and a distributed type block device type; the local cloud computing client is used for providing services supported by the cloud computing platform for the host machine, and resources are provided for the cloud computing platform through the virtual machine on the host machine.
In the embodiment of the invention, the host computer firstly creates an encrypted cloud hard disk encrypted in a first encryption format on the host computer through a block storage service in a local cloud computing client based on at least two different preset block device types.
In the embodiment of the invention, the local cloud computing client is used for providing the services and management functions supported by the cloud computing platform for the host, wherein the block storage service in the local cloud computing client is used for creating and maintaining block storage devices, and provides the functions of creating, deleting, mounting and unmounting a block storage device.
In some embodiments, the local cloud computing client may be an OpenStack client and the block storage service may be the Cinder service in the OpenStack client.
In this embodiment of the present invention, the first encryption format may be a LUKS format, or may be another encryption format, which is not limited in this embodiment of the present invention.
In the embodiment of the present invention, the at least two preset block device types include a mapping block device type and a distributed block device type.
In the embodiment of the invention, in the cloud computing platform, the block storage devices can be divided into a mapping type block device type and a distributed type block device type according to different driving modes.
In the embodiment of the present invention, the mapping type block device type is a block device based on the device mapper mechanism: it establishes a logical volume group on the physical volumes of the block device through the device mapper mechanism and thereby manages the storage space of the physical volumes in the logical volume group. When data is written to the mapped block device, the data is written to the physical volume according to the mapping relationship between the logical volume and the physical volume. The current dm-crypt LUKS mode is a cloud hard disk encryption mounting mode based on the mapping type block device type.
In some embodiments, the mapped block device type may be a SAN type.
In the embodiment of the invention, the distributed block device type is a distributed storage system. The distributed block device type manages the storage space of a virtual block device through a virtual block device image and a corresponding space management program, and loads the virtual block device onto the block device of the physical entity. When data is written to the distributed block device, the data is intercepted by the distributed block device system before it is formally written to disk, and the space management program is notified to copy the data to be written, write it into the virtual block device image, and then store it in the physical block device mapped by the virtual block device image. Therefore, the driver structure and organization of the distributed block device type differ from those of the mapping type block device type, and encrypted mounting cannot be performed by using dm-crypt LUKS.
In some embodiments, the distributed block device type may be the RBD type in the distributed storage system Ceph.
S102, decrypting the encrypted cloud hard disk for the virtual machine through the hard disk simulator and the virtual machine management tool to obtain a decrypted cloud hard disk corresponding to the virtual machine; the hard disk simulator supports device drivers of at least two preset block device types in a first encryption format.
In the embodiment of the invention, in order to let the virtual machine use the encrypted cloud hard disk transparently, without the virtual machine itself performing decryption, while the hard disk remains in an encrypted state for other devices, the host can decrypt the encrypted cloud hard disk created by the block storage service for the virtual machine through the installed hard disk simulator and virtual machine management tool, so as to obtain the decrypted cloud hard disk corresponding to the virtual machine.
In the embodiment of the invention, the hard disk simulator supports the device drivers of at least two preset block device types in the first encryption format. Because the hard disk simulator supports the drive of the encrypted mapping type block device type and the encrypted distributed type block device type at the same time, the computing service can decrypt the encrypted cloud hard disk of at least two preset block device types by calling the hard disk simulator and matching with a virtual machine management tool. When the type of the encrypted cloud hard disk is the mapping type block device type, the computing service does not need to decrypt the encrypted cloud hard disk of the mapping type block device type through a dm-crypt method, and can decrypt the encrypted cloud hard disk of the mapping type block device type through a hard disk simulator by using the method the same as the distributed type block device type.
In the embodiment of the invention, the virtual machine management tool is used for storing the key corresponding to the encrypted cloud hard disk in the virtual machine.
In some embodiments, the hard disk emulator may be a QEMU tool version 2.6 and above; the virtual machine management tool may be a Libvirt tool higher than version 2.2.0, or may be other software or tools with the same characteristics, and the embodiment of the present invention is not limited.
S103, mounting the decrypted cloud hard disk to a virtual machine.
In the embodiment of the invention, after the host node obtains the decrypted cloud hard disk, the decrypted cloud hard disk is mounted to the virtual machine to become the hard disk resource of the virtual machine, and then the hard disk resource can be shared to the cloud computing platform through the virtual machine to become the computing resource of the cloud computing platform, so that the encrypted mounting of the cloud hard disk is completed.
It can be understood that, in the embodiment of the present invention, the encrypted cloud hard disk of the mapping type block device type and the encrypted cloud hard disk of the distributed type block device type created by the block storage service may be decrypted by the hard disk simulator supporting the device drivers of at least two preset block device types in the first encryption format, so that both the cloud hard disks of the mapping type block device type and the cloud hard disks of the distributed type block device type may be mounted to the virtual machine in an encrypted form and decrypted on the virtual machine, thereby improving the compatibility of cloud hard disk encryption mounting.
In the embodiment of the present invention, based on fig. 3, S101 may be as shown in fig. 4, and includes S201 to S203, as follows:
S201, when the preset block device type is the distributed block device type, generating a key through a key management service in the local cloud computing client, and storing key information of the key in a hard disk information database.
In the embodiment of the invention, when the preset block device type is the distributed block device type, the host generates a key for encrypting the cloud hard disk through the key management service in the local cloud computing client, and stores key information of the key in the hard disk information database corresponding to the block storage service;
in the embodiment of the present invention, the key management service may be a barbican service in OpenStack, and is configured to provide a cloud computing platform key management function to a host, and the barbican service may generate, store, and manage data in formats of keys, certificates, and the like.
In this embodiment of the present invention, the hard disk information database is a database used for storing cloud hard disk information in the block storage service. As shown in fig. 5, S201 (generating a key through a key management service in the local cloud computing client, and storing key information of the key in the hard disk information database) may include S2011-S2013, as follows:
S2011, the key management service is invoked to generate a key through the block storage service.
In some embodiments, the host may invoke the barbican service through the Cinder service in the OpenStack client to generate the key for encrypting the cloud hard disk.
S2012, the key link of the key is returned to the block storage service through the key management service.
In some embodiments, after the barbican service generates the key, the key link is returned to the Cinder service.
And S2013, extracting identification information of the key from the key link through the block storage service, and storing the identification information as key information in a hard disk information database.
In this embodiment of the present invention, the key information may be a Universal Unique Identifier (UUID) of the key.
In some embodiments, after receiving the key link returned by barbican service, the Cinder service extracts the key information from the key link and stores the key information in the hard disk information database of the Cinder service.
S202, obtaining the key from the key management service in the local cloud computing client, calling a device driver corresponding to the distributed block device type through the block storage service, calling a hard disk simulation tool in the hard disk simulator in the device driver, and creating a virtual encrypted cloud hard disk of the distributed block device type by using the first encryption format and the key.
In the embodiment of the invention, after the key is generated and stored, the host machine calls the device driver corresponding to the distributed block device type in the block storage service through the block storage service, calls the hard disk simulation tool in the hard disk simulator in the device driver corresponding to the distributed block device type, and creates the virtual encrypted cloud hard disk of the distributed device type by using the first encryption format and the generated key.
In the embodiment of the invention, the block storage service comprises at least two drivers corresponding to preset block device types, and when the cloud hard disk to be created is the distributed block device type, the block storage service calls the device driver corresponding to the distributed block device type to create the distributed block device type cloud hard disk.
In the embodiment of the invention, the device driver corresponding to the distributed block device type calls the hard disk simulation tool in the hard disk simulator to simulate the virtual cloud hard disk of the distributed device type, and meanwhile, the hard disk simulation tool encrypts the virtual cloud hard disk by using the first encryption format and the secret key to finally obtain the virtual encrypted cloud hard disk of the distributed device type.
In some embodiments, when the hard disk emulator is QEMU, the hard disk emulation tool may be qemu-img 2.10.
S203, associating the virtual encryption cloud hard disk with an entity storage resource pool in the host machine to obtain the encryption cloud hard disk.
In the embodiment of the invention, the host machine can import the virtual encrypted cloud hard disk, through the block storage service, into the distributed block device storage resource pool formed by at least one distributed block device mapped on the host machine, so that the virtual encrypted hard disk is associated with the physical distributed block device and the encrypted cloud hard disk is obtained.
In this embodiment of the present invention, the entity storage resource pool in the host may be a distributed block device storage resource pool formed by at least one distributed block device mapped to the host, and for example, the entity storage resource pool in the host may be an RBD storage pool at the back end of the host.
It can be understood that, in the embodiment of the present invention, for the distributed device type, the hard disk simulation tool may be called by the block storage service to simulate and encrypt the virtual encrypted cloud hard disk, and then the virtual encrypted cloud hard disk is imported into the physical distributed device storage pool at the back end of the host, so as to obtain a true encrypted cloud hard disk of the distributed device type, thereby implementing encryption of the distributed cloud hard disk of the block device type.
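The S201-S203 flow above, written out as an added Python example (this is not code from the patent or from OpenStack). The key management service is stood in for by an in-memory dictionary, the hard disk information database by another dictionary, and the qemu-img and rbd invocations of S202/S203 are assembled as argument lists rather than executed. The key service endpoint URL, the scratch file paths and the secret object id `luks_key` are assumptions; the `--object secret,...` and `-o key-secret=` options are real qemu-img syntax for a LUKS image.

```python
"""Creation of a distributed (RBD) encrypted cloud hard disk, S201-S203.

Added example, not the patent's or OpenStack's code. The key management
service is stood in for by KEY_MANAGER, the hard disk information database
by VOLUME_DB, and the qemu-img / rbd invocations are returned as argument
lists instead of being run."""
import secrets
import uuid
from urllib.parse import urlsplit

KEY_MANAGER = {}   # stand-in for the key management service: key uuid -> key bytes
VOLUME_DB = {}     # stand-in for the hard disk information database
KEY_ENDPOINT = "http://barbican.example:9311/v1/secrets/"   # assumed URL


def generate_key(nbytes: int = 32) -> str:
    """S2011-S2012: the key manager creates the key and hands back only a
    link to it; the key itself stays in the key manager."""
    key_uuid = str(uuid.uuid4())
    KEY_MANAGER[key_uuid] = secrets.token_bytes(nbytes)
    return KEY_ENDPOINT + key_uuid


def key_uuid_from_link(link: str) -> str:
    """S2013: extract the key UUID (the key information) from the link.
    A link whose last path segment is not a UUID is rejected."""
    last = urlsplit(link).path.rstrip("/").rsplit("/", 1)[-1]
    return str(uuid.UUID(last))


def record_volume(volume_id: str, key_link: str) -> str:
    """S2013: store the UUID, never the key, in the volume record."""
    key_uuid = key_uuid_from_link(key_link)
    VOLUME_DB[volume_id] = {"encryption_key_id": key_uuid, "format": "luks"}
    return key_uuid


def qemu_img_luks_create(passphrase_file: str, image_path: str, size: str):
    """S202: qemu-img formats a LUKS image. The passphrase is supplied via
    a secret object read from a file, so it never appears in the argv."""
    return ["qemu-img", "create",
            "--object", f"secret,id=luks_key,file={passphrase_file}",
            "-f", "luks", "-o", "key-secret=luks_key",
            image_path, size]


def rbd_import(image_path: str, pool: str, volume_id: str):
    """S203: import the encrypted image into the RBD pool; the pool only
    ever holds LUKS ciphertext."""
    return ["rbd", "import", image_path, f"{pool}/volume-{volume_id}"]


def create_encrypted_rbd_volume(volume_id: str, size: str = "1G",
                                pool: str = "volumes") -> dict:
    """S201-S203 end to end; returns what was recorded and what would run."""
    key_uuid = record_volume(volume_id, generate_key())
    tmp_image = f"/tmp/volume-{volume_id}.luks"     # constructed scratch paths
    tmp_pass = f"/tmp/key-{key_uuid}.txt"
    return {
        "key_uuid": key_uuid,
        "create": qemu_img_luks_create(tmp_pass, tmp_image, size),
        "import": rbd_import(tmp_image, pool, volume_id),
    }
```

The two checks worth keeping from this model are that the volume record carries only the key's UUID and that the passphrase reaches qemu-img through a secret object rather than a command-line argument visible in the process list.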
In the embodiment of the present invention, based on fig. 4, after S203, as shown in fig. 6, S204-S208 may be further included, as follows:
S204, sending a request for mounting the encrypted cloud hard disk to the virtual machine through the computing service in the local cloud computing client.
In the embodiment of the invention, when the preset block device type is the distributed block device type, after the host completes the creation of the encryption cloud hard disk, a request for mounting the encryption cloud hard disk to the virtual machine is sent through the computing service in the local cloud computing client.
In some embodiments, when the local cloud computing client is an OpenStack platform client, the computing service may be a nova service in OpenStack.
S205, according to the key information in the hard disk information database, the key is taken out from the key management service.
In the embodiment of the invention, after the computing service sends the request for mounting the encrypted cloud hard disk, the host machine obtains the key information from the hard disk information database through the computing service, and takes out the key from the key management service according to the key information.
In some embodiments, the Nova service obtains the UUID of the key from the hard disk information database, and extracts the key from the barbican service according to the UUID of the key.
And S206, generating a key container through the virtual machine management tool.
In the embodiment of the invention, after the computing service acquires the key, the host node calls the virtual machine management tool to generate the key container for storing the key.
In some embodiments, when the virtual machine management tool is Libvirt, the secret file may be generated by Libvirt, where the file name of the secret file may be the UUID of the key.
S207, the key is stored in the key container through the calculation service.
And S208, updating the configuration information of the virtual machine by using the key container through the virtual machine management tool.
In the embodiment of the invention, the computing service stores the acquired key in the key container, and then the host node updates the key container as the cloud hard disk information to the virtual machine configuration file information through the virtual machine management tool, so that the decryption tool can decrypt the encrypted cloud hard disk by using the key in the key container.
In some embodiments, after the Libvirt tool generates the secret file, the Nova service stores the acquired key in the secret file, and updates the XML configuration file of the virtual machine by using the secret file as the cloud hard disk information, so that the key for encrypting the cloud hard disk is correspondingly stored in the virtual machine configuration file, and the decryption tool can unlock the cloud hard disk for the virtual machine through the configuration file of the virtual machine.
It can be understood that, in the embodiment of the present invention, for the encryption cloud hard disk of the distributed device type, the key may be obtained by the virtual machine management tool, and the key is updated in the configuration information of the virtual machine, so that the hard disk simulation tool may obtain the key from the configuration information of the virtual machine for decryption, so as to finally implement decryption of the encryption cloud hard disk of the distributed device type.
In the embodiment of the present invention, based on fig. 3, S101 may further include S301 to S308 as shown in fig. 7, as follows:
S301, when the preset block device type is the mapping type block device type, generating a key through a key management service in the local cloud computing client, and storing key information of the key in a hard disk information database.
In the embodiment of the invention, when the preset block device type is the mapping block device type, the host generates the key through the key management service in the local cloud computing client and stores the key information of the key in the hard disk information database in the same way as in S201: the block storage service calls the key management service to generate the key; the key management service returns the key link of the key to the block storage service; and the block storage service extracts the key information from the key link and stores it in the hard disk information database. Details are not repeated here.
S302, creating a mapping type block device type cloud hard disk through the block storage service.
In the embodiment of the invention, when the preset block device type is the mapping type block device type, the host computer first specifies the encryption type of the mapping type block device type cloud hard disk through the block storage service, and then creates the unencrypted mapping type block device type cloud hard disk according to the encryption type.
In an embodiment of the present invention, the encryption type is a first encryption format.
S303, sending a request for mounting the mapping type block device type cloud hard disk to the virtual machine through a computing service in the local cloud computing client; the computing service is used for managing computing resources on the cloud computing platform.
In the embodiment of the present invention, when the preset block device type is the mapping block device type, a process of sending, by the host, a request for mounting the mapping block device type cloud hard disk to the virtual machine to the cloud computing platform through a computing service in the local cloud computing client is the same as S204, and details are not repeated here.
S304, according to the key information in the hard disk information database, obtaining the key through the key management service.
In the embodiment of the present invention, when the preset block device type is the mapping block device type, the process of obtaining the key by the host through the computing service and according to the key information in the hard disk information database through the key information is the same as S205, and is not described here again.
S305, generating a key container through the virtual machine management tool.
In the embodiment of the present invention, when the preset block device type is the mapping block device type, the process of generating the key container through the virtual machine management tool is the same as S206, and details are not described here.
S306, the key is stored in the key container through the calculation service.
In the embodiment of the present invention, when the preset block device type is the mapping block device type, the process of storing the key in the key container by the host through the computing service is the same as S207, which is not described herein again.
S307, the configuration information of the virtual machine is updated by using the key container through the virtual machine management tool.
In the embodiment of the present invention, when the preset block device type is the mapping block device type, the process of the host machine updating the configuration information of the virtual machine by using the key container through the virtual machine management tool is the same as S208, and details are not described here.
S308, encrypting the mapping type block device type cloud hard disk according to the first encryption format and the key to obtain an encrypted cloud hard disk.
In the embodiment of the invention, the host node can encrypt the mapping type block device type cloud hard disk by using the luksFormat command of dm-crypt, according to the first encryption format and the key, to obtain the encrypted cloud hard disk.
It can be understood that, in the embodiment of the present invention, a mapping type block device type cloud hard disk may be created by a block storage service, and after a mount request of the mapping type block device type cloud hard disk is sent by a computing service, the mapping type block device type cloud hard disk is encrypted in a conventional manner, so that encryption of the mapping type block device type cloud hard disk is achieved.
In the embodiment of the present invention, based on fig. 6 and 7, in S102, the hard disk simulator and the virtual machine management tool are used to decrypt the encrypted cloud hard disk for the virtual machine, and the decrypted cloud hard disk corresponding to the virtual machine is obtained as shown in fig. 8, where the method includes S1021 as follows:
and S1021, acquiring the key in the key container from the configuration information of the virtual machine through the hard disk simulator, and decrypting the encrypted cloud hard disk by using the key to obtain a decrypted cloud hard disk.
In the embodiment of the invention, the host machine can obtain the key container from the configuration information of the virtual machine through the hard disk simulator, obtain the key in the key container, and decrypt the encrypted cloud hard disk by using the key to obtain the decrypted cloud hard disk.
In the embodiment of the present invention, in order to use the key of the encrypted cloud hard disk obtained by the method of the embodiment for decryption, a hard disk simulator supporting the device drivers of at least two preset block device types in the first encryption format, and a virtual machine management tool supporting the function of creating a key container, need to be installed in advance on the host.
In some embodiments, the host where the virtual machine is located needs to have Libvirt of a version higher than 2.2.0 and QEMU of a version higher than 2.6 installed in advance. The higher-version Libvirt/QEMU provides QEMU's native LUKS block driver, which supports decryption of LUKS-encrypted RAW format files, block devices, RBD and other network devices. This new property of QEMU enables Nova to support LUKS encryption with the higher-version Libvirt/QEMU.
It can be understood that, in the embodiment of the present invention, no matter the mapping type block device type cloud hard disk or the distributed type cloud hard disk, decryption may be performed by using a hard disk simulator that supports two types of encryption cloud hard disk drives and a virtual machine management tool that can generate a key container, so that the decrypted cloud hard disk may be mounted to a virtual machine, thereby implementing support for encryption mounting of the mapping type block device type cloud hard disk and the distributed type cloud hard disk, and improving compatibility of cloud hard disk encryption mounting.
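The key container steps S206-S208 (repeated for the mapping type in S305-S307) and the key lookup of S1021, as an added Python example that is not code from the patent, Libvirt or Nova. It builds the Libvirt `<secret>` definition (the key container) and the domain `<disk>` element with Libvirt's `<encryption format='luks'>` element, which is the same for an RBD network disk and a SAN block disk, and then resolves the key the way the hypervisor side must: disk element, to secret UUID, to secret value. `SECRET_STORE` stands in for Libvirt's secret store; virsh is not invoked, and the monitor host and volume names are constructed sample values.

```python
"""Key container (S206-S208 / S305-S307) and key lookup (S1021), modelled in
Python. Added example: not the patent's code, and virsh is not invoked.
SECRET_STORE stands in for Libvirt's secret store (assumption)."""
import uuid
import xml.etree.ElementTree as ET

SECRET_STORE = {}   # stand-in for Libvirt's secret store: uuid -> key bytes


def secret_definition_xml(key_uuid: str, volume_name: str) -> str:
    """S206: the <secret> document given to `virsh secret-define`; the
    file Nova writes it to is named after the key UUID. private='yes'
    means the value can be set but never read back through the API."""
    root = ET.Element("secret", ephemeral="no", private="yes")
    ET.SubElement(root, "uuid").text = str(uuid.UUID(key_uuid))
    ET.SubElement(root, "description").text = f"LUKS passphrase for {volume_name}"
    usage = ET.SubElement(root, "usage", type="volume")
    ET.SubElement(usage, "volume").text = volume_name
    return ET.tostring(root, encoding="unicode")


def set_secret_value(key_uuid: str, key: bytes) -> None:
    """S207: equivalent of `virsh secret-set-value`; the key goes into the
    container, never into the domain XML."""
    SECRET_STORE[str(uuid.UUID(key_uuid))] = key


def encrypted_disk_xml(volume_name: str, key_uuid: str, target: str = "vdb",
                       mon_host: str = None) -> str:
    """S208: the <disk> element added to the domain XML. An RBD volume is
    a type='network' disk and a SAN device a type='block' disk, but the
    <encryption> element is identical, which is why S1021 handles both."""
    if mon_host is not None:                       # distributed (RBD) type
        disk = ET.Element("disk", type="network", device="disk")
        ET.SubElement(disk, "driver", name="qemu", type="raw")
        src = ET.SubElement(disk, "source", protocol="rbd", name=volume_name)
        ET.SubElement(src, "host", name=mon_host, port="6789")
    else:                                          # mapping (SAN) type
        disk = ET.Element("disk", type="block", device="disk")
        ET.SubElement(disk, "driver", name="qemu", type="raw")
        ET.SubElement(disk, "source", dev=volume_name)
    enc = ET.SubElement(disk, "encryption", format="luks")
    ET.SubElement(enc, "secret", type="passphrase", uuid=str(uuid.UUID(key_uuid)))
    ET.SubElement(disk, "target", dev=target, bus="virtio")
    return ET.tostring(disk, encoding="unicode")


def resolve_disk_key(disk_xml: str) -> bytes:
    """S1021: what the hypervisor side does: read the secret UUID out of the
    disk's <encryption> element and fetch the value from the secret store.
    A disk without a LUKS <encryption> element is rejected, and a UUID with
    no secret defined on this host is reported as such."""
    disk = ET.fromstring(disk_xml)
    sec = disk.find("./encryption[@format='luks']/secret[@type='passphrase']")
    if sec is None:
        raise ValueError("disk has no LUKS <encryption> element")
    key_uuid = str(uuid.UUID(sec.get("uuid", "")))
    if key_uuid not in SECRET_STORE:
        raise LookupError(f"secret {key_uuid} is not defined on this host")
    return SECRET_STORE[key_uuid]


def attach_encrypted_volume(volume_name: str, key_uuid: str, key: bytes,
                            mon_host: str = None):
    """S206-S208 end to end; returns the secret XML and the disk XML."""
    secret_xml = secret_definition_xml(key_uuid, volume_name)
    set_secret_value(key_uuid, key)
    return secret_xml, encrypted_disk_xml(volume_name, key_uuid, mon_host=mon_host)
```

The property to check in a deployment is the one `resolve_disk_key` enforces: the domain XML names a secret UUID only, the key value lives solely in the Libvirt secret store of the host running that virtual machine, and a disk whose secret is not defined on the host cannot be opened there.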
An embodiment of the present invention provides an encryption mounting device for a cloud hard disk, which is applied to a host in a cloud computing platform, as shown in fig. 9, the encryption mounting device 2 for a cloud hard disk includes an encryption creating unit 20, a decryption unit 21, and a mounting unit 22, wherein,
the encryption creating unit 20 is configured to create an encrypted cloud hard disk in a first encryption format through a block storage service in a local cloud computing client based on at least two preset block device types; the at least two preset block device types comprise a mapping type block device type and a distributed type block device type; the local cloud computing client is used for providing services supported by the cloud computing platform for the host machine and providing resources for the cloud computing platform through the virtual machine on the host machine.
The decryption unit 21 is configured to decrypt the encrypted cloud hard disk for the virtual machine through a hard disk simulator and a virtual machine management tool to obtain a decrypted cloud hard disk corresponding to the virtual machine; the hard disk simulator supports the device drivers of the at least two preset block device types in the first encryption format.
The mounting unit 22 is configured to mount the decryption cloud hard disk to a virtual machine.
In some embodiments, the encryption creating unit 20 is further configured to, when the preset block device type is a distributed block device type, generate a key through a key management service in the local cloud computing client, and store key information of the key in a hard disk information database; calling an equipment driver corresponding to the distributed block equipment type through the block storage service, calling a hard disk simulation tool in the hard disk simulator in the equipment driver, and creating a virtual encrypted cloud hard disk of the distributed block equipment type by using the first encryption format and the key; and associating the virtual encryption cloud hard disk with an entity storage resource pool in the host machine to obtain the encryption cloud hard disk.
In some embodiments, the encryption creating unit 20 is further configured to, when the preset block device type is a mapped block device type, generate a key through a key management service in the local cloud computing client, and store key information of the key in a hard disk information database; create a mapping type block device type cloud hard disk through the block storage service; send a request for mounting the mapping type block device type cloud hard disk to the virtual machine through a computing service in the local cloud computing client, the computing service being used for managing computing resources on the cloud computing platform; acquire the key through the key management service according to the key information in the hard disk information database; generate a key container through the virtual machine management tool; store, by the computing service, the key in the key container; update, by the virtual machine management tool, the configuration information of the virtual machine using the key container; and encrypt the mapping type block device type cloud hard disk according to the first encryption format and the key to obtain the encrypted cloud hard disk.
In some embodiments, after the virtual encrypted cloud hard disk is associated with the entity storage resource pool of the host to obtain the encrypted cloud hard disk, the encryption creating unit 20 is further configured to send, through a computing service in the local cloud computing client, a request for mounting the encrypted cloud hard disk to the virtual machine; and taking out a key from the key management service according to the key information in the hard disk information database; generating a key container through the virtual machine management tool; and storing, by the computing service, the key in the key container; and updating, by the virtual machine management tool, configuration information of the virtual machine using the key container.
In some embodiments, the encryption creating unit 20 is further configured to invoke, through the block storage service, the key management service to generate a key; return a key link for the key to the block storage service through the key management service; and extract the identification information of the key from the key link through the block storage service, wherein the identification information is used as the key information and is stored in the hard disk information database.
In some embodiments, the decryption unit 21 is further configured to obtain, by the hard disk emulator, a key in the key container from the configuration information of the virtual machine, and decrypt the encrypted cloud hard disk by using the key to obtain the decrypted cloud hard disk.
An embodiment of the present invention provides an electronic device applied to a host of a cloud computing platform. As shown in fig. 10, the electronic device 8 includes a processor 54, a memory 55 and a communication bus 56. The memory 55 communicates with the processor 54 through the communication bus 56 and stores one or more programs executable by the processor 54; when the one or more programs are executed, the processor 54 performs the encryption mounting method for the cloud hard disk according to any one of the foregoing embodiments.
An embodiment of the present invention provides a storage medium storing one or more programs executable by one or more processors 54; when a program is executed by the processor 54, the encryption mounting method for the cloud hard disk according to any one of the above embodiments is implemented.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention.