A method and system for limiting the speed of a virtual machine

By detecting the load of physical network cards and capturing packets to obtain the source IP address and tunnel identifier, the source virtual machine can be identified and its speed limited, thus solving the problem of performance interference between virtual machines on multiple physical hosts and achieving efficient speed limiting and cost reduction.

CN113051028B · Active · Publication Date: 2026-06-19 · HUAWEI CLOUD COMPUTING TECHNOLOGIES CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
HUAWEI CLOUD COMPUTING TECHNOLOGIES CO LTD
Filing Date
2019-12-27
Publication Date
2026-06-19

AI Technical Summary

Technical Problem

Performance interference issues exist between virtual machines running on multiple physical hosts. Existing technologies, which limit network speed for individual virtual machines, cannot effectively solve the problems of packet latency and packet loss between multiple physical hosts, resulting in high costs for manual troubleshooting.

Method used

By detecting the network load of the physical network interface card of the computing node, the target virtual machine that exceeds the packet receiving rate limit threshold is selected, and the source IP address and tunnel identifier of the data packet are obtained by packet capture. The list of source virtual machines is determined, and the rate of the source virtual machines is limited.

Benefits of technology

The elimination of the need for manual location of the source virtual machine improves the efficiency of source virtual machine location, reduces costs, and ensures the normal operation of virtual machine network services in a timely manner, thereby improving the efficiency of rate limiting.



Abstract

A method and system for rate limiting virtual machines (VMs) are disclosed. The method includes: detecting the network load of the physical network interface card (NIC) of a compute node; when the network load exceeds a threshold, selecting a target VM that exceeds the packet reception rate limiting threshold within the compute node; capturing packets from the target VM to obtain the source IP address and tunnel identifier of the data packets entering the target VM; determining a list of source VMs based on the source IP address and the tunnel identifier; and rate limiting the source VMs based on the list of source VMs. This method requires no manual intervention, can locate the list of source VMs, and can perform network rate limiting on the source VMs, thereby reducing costs and improving the efficiency of VM rate limiting.

Description

Technical Field

[0001] This application relates to the field of cloud computing, and in particular to a method and system for limiting the speed of a virtual machine.

Background Technology

[0002] With the rapid development of internet technology (IT) and the rapid expansion of the IT market, cloud computing based on virtualization technology has gradually gained widespread attention. Public cloud computing, in particular, uses virtual machines to replace physical hosts for deploying various services, reducing complexity and cost, and is therefore being used by an increasing number of enterprise and individual users.

[0003] At the same time, public clouds also bring some problems, such as performance interference. When multiple virtual machines run on the same physical host, they can share all the resources on the physical host. If the resources on the physical host are limited, all virtual machines running on that physical host will be affected. For example, when the physical host's network card reaches its maximum network bandwidth, all virtual machines running on that physical host may experience increased latency when receiving data packets.

[0004] Currently, network rate limiting for individual virtual machines (VMs) is commonly used to address performance interference between VMs on the same physical host. However, when multiple physical hosts exist, such as physical host 1, physical host 2, and physical host 3, and VMs on physical host 2 and physical host 3 send data packets to VM 1 on physical host 1, even with rate limiting for individual VMs, the total number of packets sent by the sending VMs far exceeds the maximum packet reception capacity of VM 1 on physical host 1. Therefore, if the number of sent data packets reaches the maximum bandwidth that physical host 1's physical network interface card (NIC) can handle, increased packet reception latency or packet loss can still occur, leading to VM network service failures.

[0005] In response to this situation, existing technologies require manual location of the source of the traffic, which consumes a lot of manpower and resources, resulting in high costs.

Summary of the Invention

[0006] This application provides a method and system for limiting the speed of virtual machines, which improves the efficiency of limiting the speed of virtual machines and reduces costs.

[0007] In a first aspect, this application provides a method for limiting the rate of a virtual machine, the method comprising: detecting the network load of the physical network card of a computing node; when the network load exceeds a threshold, selecting a target virtual machine in the computing node that exceeds the packet receiving rate limiting threshold; capturing packets of the target virtual machine to obtain the source IP address and tunnel identifier of the data packets entering the target virtual machine; determining a list of source virtual machines based on the source IP address and the tunnel identifier; and limiting the rate of the source virtual machines based on the list of source virtual machines.

[0008] In the above technical solution, by capturing packets from the target virtual machine, a list of source virtual machines sending packets to the target virtual machine is found, and rate limiting is applied to the virtual machines in the source virtual machine list. This eliminates the need for manual location of source virtual machines, improving the efficiency of source virtual machine location and reducing costs. Furthermore, rate limiting of source virtual machines can ensure the normal operation of virtual machine network services in a timely manner, improving the efficiency of virtual machine rate limiting.

[0009] In one possible design, selecting a target virtual machine that exceeds the packet reception rate limit threshold on the compute node includes:

[0010] The packet reception rate of the virtual network interface cards of multiple virtual machines in the computing node is detected, and the virtual machine with a packet reception rate greater than the packet reception rate limit threshold is selected as the target virtual machine.

[0011] In the above technical solution, by detecting the packet receiving rate of the virtual network cards of multiple virtual machines, and finding the virtual machine whose packet receiving rate is greater than a threshold among the multiple virtual machines, and taking the virtual machine whose packet receiving rate is greater than the threshold as the target virtual machine, it is possible to locate the virtual machine that causes the physical network card of the computing node to exceed the threshold. This makes it easier to find the source virtual machine based on the target virtual machine, and to limit the rate of the source virtual machine in a timely manner to ensure that the network services of the virtual machine can be carried out normally.

[0012] In one possible design, the source virtual machine list is determined based on the source IP address and the tunnel identifier, including:

[0013] Based on the source IP address and the tunnel identifier, a first virtual machine list and a second virtual machine list are determined respectively; wherein, the first virtual machine list consists of virtual machines included by the source IP address, and the second virtual machine list consists of virtual machines included by the tunnel identifier; the intersection of the first virtual machine list and the second virtual machine list is determined as the source virtual machine list.

[0014] In the above technical solution, packet capture is performed on the target virtual machine to obtain the source IP address and tunnel identifier included in the captured packets. Then, the source virtual machine that may send packets to the target virtual machine is deduced from the source IP address and tunnel identifier respectively. Finally, the intersection of the lists deduced from the two is taken as the source virtual machine. This process eliminates the need for manual location of the source virtual machine, reducing costs and improving the efficiency of locating the source virtual machine.

[0015] In one possible design, rate limiting of the source virtual machines based on the source virtual machine list includes:

[0016] The packet sending rate of the virtual network interface card of the virtual machine in the source virtual machine list is detected, and the source virtual machine whose packet sending rate is greater than the packet sending rate limit threshold is rate-limited.

[0017] In the above technical solution, after obtaining the list of source virtual machines, the packet sending rate of the virtual network card of the virtual machine in the list can be detected, and the rate of the source virtual machine whose packet sending rate exceeds the threshold can be limited, thereby ensuring the normal operation of the network services of the virtual machine in a timely manner.

[0018] In this embodiment, when rate limiting the source virtual machine, a tiered rate limiting method can be used. Of course, a non-tiered rate limiting method can also be used, and this application does not limit this. Furthermore, when rate limiting the source virtual machine, one source virtual machine or multiple source virtual machines can be rate limited.

[0019] In one possible design, the tunnel identifier is used to identify the Virtual Private Cloud (VPC) to which the virtual machine belongs.

[0020] It should be noted that there is a correspondence between the tunnel identifier and the VPC of the virtual machine in this application.

[0021] In a second aspect, this application provides a virtual machine rate limiting system, comprising: a load monitoring module for detecting the network load of the physical network card of a computing node, and, when the network load exceeds a threshold, selecting a target virtual machine in the computing node that exceeds the packet receiving rate limiting threshold; a packet capture module for capturing packets of the target virtual machine to obtain the source IP address and tunnel identifier of the data packets entering the target virtual machine; a data analysis module for determining a list of source virtual machines based on the source IP address and the tunnel identifier; and a rate limiting control module for rate limiting the source virtual machines based on the list of source virtual machines.

[0022] In one possible design, the load monitoring module is specifically used to select target virtual machines that exceed the packet receiving rate limit threshold in the compute node as follows: detect the packet receiving rate of the virtual network cards of multiple virtual machines in the compute node, and select the virtual machine whose packet receiving rate is greater than the packet receiving rate limit threshold as the target virtual machine.

[0023] In one possible design, the data analysis module is specifically used to determine the source virtual machine list based on the source IP address and the tunnel identifier as follows: a first virtual machine list and a second virtual machine list are determined based on the source IP address and the tunnel identifier, respectively; wherein the first virtual machine list contains virtual machines included by the source IP address, and the second virtual machine list contains virtual machines included by the tunnel identifier; the intersection of the first virtual machine list and the second virtual machine list is determined as the source virtual machine list.

[0024] In one possible design, the rate limiting control module is specifically used to rate limit source virtual machines according to the source virtual machine list in the following manner: detect the packet sending rate of the virtual network card of the virtual machine in the source virtual machine list, and rate limit the source virtual machine whose packet sending rate is greater than the packet sending rate limiting threshold.

[0025] In one possible design, the tunnel identifier is used to identify the Virtual Private Cloud (VPC) to which the virtual machine belongs.

[0026] For the technical effects of the second aspect or various embodiments thereof, please refer to the introduction of the technical effects of the first aspect or various embodiments thereof, which will not be elaborated here.

[0027] In a third aspect, this application provides a virtual machine rate limiting device, which has the function of implementing the virtual machine rate limiting method in the first aspect or any possible implementation of the first aspect. The function can be implemented by hardware or by hardware executing corresponding software.

[0028] The device includes a communication interface, a processor, and a memory. The communication interface is used to receive and transmit data, and the processor is configured to support the device in performing the corresponding functions in the first aspect or any possible implementation thereof. The memory is coupled to the processor and stores necessary program instructions for the device.

[0029] In a fourth aspect, a computer-readable storage medium is provided, wherein instructions are stored therein which, when executed on a computer, cause the computer to perform the methods described in the first aspect and its various embodiments.

[0030] In a fifth aspect, a computer program product containing instructions is provided which, when run on a computer, causes the computer to perform the methods described in the first aspect and its various embodiments.

[0031] In a sixth aspect, a chip is provided, wherein logic in the chip is used to perform the methods described in the first aspect and its various embodiments.

Attached Figure Description

[0032] Figure 1 is a network architecture diagram in a public cloud scenario provided in an embodiment of this application;

[0033] Figure 2A is a schematic diagram of computing node 1 provided in an embodiment of this application;

[0034] Figure 2B is a schematic diagram of computing node 2 provided in an embodiment of this application;

[0035] Figure 2C is a schematic diagram of computing node 3 provided in an embodiment of this application;

[0036] Figure 3 is another network architecture diagram provided in an embodiment of this application;

[0037] Figure 4 is a flowchart of a virtual machine rate limiting method provided in an embodiment of this application;

[0038] Figure 5 is a schematic diagram of a virtual machine speed limiting system provided in an embodiment of this application;

[0039] Figure 6 is a schematic diagram of a virtual machine speed limiting device provided in an embodiment of this application.

Detailed Implementation

[0040] The embodiments of this application will now be described in further detail with reference to the accompanying drawings.

[0041] Please refer first to Figure 1, which illustrates a network architecture in a public cloud scenario to which embodiments of this application can be applied. The network architecture shown in Figure 1 can include multiple physical hosts, and each physical host can run multiple virtual machines. The diagram uses only three physical hosts (physical host 1, physical host 2, and physical host 3) as an example. Assume that physical host 1 runs virtual machines (VMs) including VM1, VM2, and VM3; physical host 2 runs virtual machines including VM4, VM5, and VM6; and physical host 3 runs virtual machines including VM7, VM8, and VM9. In the architecture diagram shown in Figure 1, physical host 1, physical host 2, and physical host 3 can transmit messages through a router.

[0042] Among them, VM1, VM5, VM6, and VM8 are virtual machines under the network space rented by user A, VM2, VM4, and VM7 are virtual machines under the network space rented by user B, and VM3 and VM9 are virtual machines under the network space rented by user C.

[0043] It should be noted that virtual machines under the same user's leased network space belong to the same virtual private cloud (VPC). That is, VM1, VM5, VM6, and VM8 have the same VPC, VM2, VM4, and VM7 have the same VPC, and VM3 and VM9 have the same VPC.

[0044] As illustrated in Figure 1, virtual machines can only send data packets to virtual machines within the same user-leased network space. For example, VM1 can send data packets to VM5, VM6, and VM8, but VM1 cannot send data packets to VM2, VM4, VM7, VM3, and VM9. Similarly, VM2 can send data packets to VM4 and VM7, but cannot send data packets to VM1, VM5, VM6, and VM8; VM3 can send data packets to VM9, but cannot send data packets to VM1, VM5, VM6, VM8, VM2, VM4, and VM7.

[0045] It should be noted that this application applies to communication scenarios between multiple physical hosts, which can be a scenario where multiple virtual machines send to one virtual machine, or a scenario where multiple virtual machines send to multiple virtual machines.

[0046] For ease of understanding, an exemplary description of concepts related to this application is provided for reference, as follows:

[0047] 1) Virtual Machine (VM): Using virtualization technology, a physical host is simulated as multiple logical hosts (called virtual machines). A virtual machine refers to a logical host that is simulated by software, has complete hardware system functions, and can run in a completely isolated computer system.

[0048] 2) Virtual Private Cloud (VPC): A logically isolated network space defined by the lessee on cloud resources. Multiple cloud servers can be deployed within the same VPC, and each cloud server can create multiple virtual machines (VMs). All VMs created within the same VPC have different IP addresses, while VMs created in different VPCs can have the same IP address.

[0049] 3) Compute node: The server that runs the virtual machine, i.e., the host machine of the virtual machine. In this application, it can be understood as the physical host that runs the virtual machine.

[0050] 4) Tunnel identifier (VXLAN network identifier, VNI): The tunnel identifier of a Virtual Extensible LAN (VXLAN), used to identify the Virtual Private Cloud (VPC) to which the virtual machine belongs. In this application, it can be understood as Virtual Private Cloud (VPC) information.

[0051] The embodiments of this application involve at least one, including one or more; wherein, multiple means two or more. Furthermore, in the description of this application, terms such as "first" and "second" are used only to distinguish the objects being described and should not be construed as indicating or implying relative importance, nor as indicating or implying order.

[0052] Compute node 1 (for example, physical host 1 in Figure 1) is introduced first. As shown in Figure 2A, compute node 1 may include three virtual machines: VM1, VM2, and VM3. Each virtual machine has a corresponding virtual network interface card (NIC), namely virtual NIC 1 (VNIC1), virtual NIC 2 (VNIC2), and virtual NIC 3 (VNIC3). Compute node 1 also includes an operating system 101, a VXLAN tunnel endpoint (VTEP) device, and a physical NIC 1 (NIC1). The operating system 101 includes a virtual switch 10 and three virtual ports. The virtual switch 10 includes logical bridge 1, logical bridge 2, logical bridge 3, and virtual port 4. It should be noted that in Figure 2A, the virtual network cards of the virtual machines are connected to the logical bridges via virtual ports 1, 2, and 3, respectively. It should be understood that the port numbers of the virtual ports shown in the diagram are merely illustrative and this application is not limited thereto.

[0053] Taking Figure 2A as an example, the process by which a compute node sends and receives messages is introduced below:

[0054] 1. The process of sending packets by compute node 1 is described below. First, the virtual network card of the virtual machine sends the inner packet to the logical bridge through the virtual port. Then, the logical bridge sends it to virtual port 4. Virtual port 4 can record the correspondence between the logical bridge and the tunnel identifier carried in the inner packet. Next, virtual port 4 can send the inner packet to the VTEP device. The VTEP device encapsulates the inner packet to obtain the outer packet (VXLAN packet). Then, the VTEP device sends the encapsulated outer VXLAN packet to NIC1.

[0055] 2. The process of receiving packets on compute node 1 is described. Assume NIC1 receives an outer VXLAN packet and then sends it to the VTEP device. After receiving the outer VXLAN packet, the VTEP device decapsulates it to obtain the inner packet and tunnel identifier. Then, virtual port 4 determines the logical bridge corresponding to the tunnel identifier based on the recorded mapping between logical bridges and tunnel identifiers, and then sends the inner packet to the virtual machine's virtual network card through the corresponding logical bridge. For example, the recorded mapping between logical bridges and tunnel identifiers for virtual port 4 is as follows: logical bridge 1 corresponds to tunnel identifier 1, logical bridge 2 corresponds to tunnel identifier 2, and logical bridge 3 corresponds to tunnel identifier 3. Assume the VTEP device decapsulates the outer packet to obtain the inner packet and the tunnel identifier with identifier 1. Then, virtual port 4 can send the inner packet to virtual network card 1 through logical bridge 1.

[0056] It should be noted that virtual port 4 can pre-store the correspondence between logical bridges and tunnel identifiers.
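The send and receive paths of paragraphs [0054] to [0056] come down to one operation on each side: the VTEP wraps an inner packet in a VXLAN header carrying the tunnel identifier, and on receipt the peer VTEP unwraps it and virtual port 4 uses the recovered tunnel identifier to pick the logical bridge (and thus the VNIC) to deliver to. The following Python is an added illustration written for this page, not code from the patent or from Huawei; it builds a minimal outer IPv4/UDP/VXLAN packet (no Ethernet header, for brevity) and decapsulates it. The VTEP addresses, the bridge-to-VNIC table and the sample payload are constructed assumptions; the VNI-to-bridge table follows the example mapping in [0055].

```python
import struct
from ipaddress import IPv4Address

VXLAN_UDP_PORT = 4789        # IANA-assigned VXLAN destination port
VXLAN_FLAG_VNI_VALID = 0x08  # "I" flag: the VNI field is valid
IPPROTO_UDP = 17

# Virtual port 4's pre-stored mapping, as in [0055]; VNIC table is constructed.
BRIDGE_FOR_VNI = {1: "logical bridge 1", 2: "logical bridge 2", 3: "logical bridge 3"}
VNIC_FOR_BRIDGE = {"logical bridge 1": "VNIC1", "logical bridge 2": "VNIC2",
                   "logical bridge 3": "VNIC3"}


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over a 20-byte header (checksum field zeroed)."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"


def encapsulate(src_vtep: str, dst_vtep: str, vni: int, inner: bytes,
                src_port: int = 49152) -> bytes:
    """What the sending VTEP does in [0054]: inner packet -> outer VXLAN packet."""
    vxlan = build_vxlan_header(vni)
    udp_len = 8 + len(vxlan) + len(inner)
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)  # UDP checksum optional
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, IPPROTO_UDP, 0,
                     IPv4Address(src_vtep).packed, IPv4Address(dst_vtep).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + udp + vxlan + inner


def decapsulate(outer: bytes) -> tuple[str, int, bytes]:
    """What the receiving VTEP does in [0055]: returns (outer source IP, VNI, inner packet).

    The outer source IP identifies the sending compute node's VTEP and the VNI
    identifies the VPC; these are exactly the two values the rate-limiting method
    later obtains by packet capture on the target VM.
    """
    if len(outer) < 20 or outer[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (outer[0] & 0x0F) * 4
    if outer[9] != IPPROTO_UDP:
        raise ValueError("outer packet is not UDP")
    src_ip = str(IPv4Address(outer[12:16]))
    _, dport, udp_len, _ = struct.unpack("!HHHH", outer[ihl:ihl + 8])
    if dport != VXLAN_UDP_PORT:
        raise ValueError("not a VXLAN packet")
    vx = outer[ihl + 8:ihl + 16]
    if len(vx) < 8 or not vx[0] & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN header missing or VNI flag not set")
    vni = int.from_bytes(vx[4:7], "big")
    inner = outer[ihl + 16:ihl + udp_len]
    return src_ip, vni, inner


def deliver_on_compute_node_1(outer: bytes) -> dict:
    """NIC1 -> VTEP -> virtual port 4 -> logical bridge -> VNIC, per [0055]."""
    src_ip, vni, inner = decapsulate(outer)
    bridge = BRIDGE_FOR_VNI.get(vni)
    if bridge is None:
        # No bridge recorded for this tunnel identifier: nothing to deliver to.
        raise LookupError(f"no logical bridge for VNI {vni}")
    return {"source_vtep": src_ip, "vni": vni, "bridge": bridge,
            "vnic": VNIC_FOR_BRIDGE[bridge], "inner": inner}


if __name__ == "__main__":
    # Constructed sample: VTEP device 2 (IP2) sends an inner packet for VM1 to VTEP device 1 (IP1).
    pkt = encapsulate("192.0.2.2", "192.0.2.1", vni=1, inner=b"inner packet for VM1")
    print(deliver_on_compute_node_1(pkt))
```

Decapsulation deliberately validates the protocol, the UDP port and the VXLAN "I" flag before trusting the VNI: a packet-capture step that fed unvalidated bytes into the source-VM lookup would produce a wrong list rather than a safe failure.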

[0057] Correspondingly, a schematic diagram of compute node 2 is shown in Figure 2B, and a schematic diagram of compute node 3 is shown in Figure 2C. The way compute nodes 2 and 3 send and receive messages is similar to that of compute node 1; for details, please refer to the relevant description of compute node 1, which will not be repeated here. It should be noted that in Figure 2B, the virtual machines VM5 and VM6 belong to the same VPC, so they share the same logical bridge 5.

[0058] It should be noted that in Figure 2B and Figure 2C the virtual port connecting the logical bridge and the virtual network card is omitted. In practical applications, the logical bridge and the virtual network card transmit messages through the virtual port.

[0059] Based on the above introduction, the physical hosts in Figure 1 can each be represented by the compute nodes shown in Figure 2A, Figure 2B and Figure 2C; in this application they are referred to as compute nodes. Substituting the compute nodes shown in Figure 2A, Figure 2B and Figure 2C into Figure 1 gives, for example, the diagram shown in Figure 3.

[0060] In the diagram shown in Figure 3, assuming that the tunnel identifier of VM1 is VNI1, the tunnel identifier of VM2 is VNI2, and the tunnel identifier of VM3 is VNI3, the correspondence between the tunnel identifier and the VPC is given in Table 1.

[0061] Table 1

[0062]
Tunnel identifier    VPC
VNI1                 VPC1
VNI2                 VPC2
VNI3                 VPC3

[0063] It is understood that Table 1 is merely an illustrative representation and is not limited thereto in this application. Based on Table 1, the tunnel identifier for VM4 is VNI2, the tunnel identifiers for VM5 and VM6 are VNI1, the tunnel identifier for VM7 is VNI2, the tunnel identifier for VM8 is VNI1, and the tunnel identifier for VM9 is VNI3.

[0064] It should be noted that the following example uses communication between three compute nodes (e.g., compute node 1, compute node 2, and compute node 3), and assumes that each of these three compute nodes is running virtual machines. The virtual machine rate limiting method involved in the embodiments of this application is described in detail below with reference to the schematic diagram shown in Figure 3. As shown in Figure 4, the specific steps may include the following:

[0065] S401: Detect the network load of the physical network interface card (NIC) of the computing node.

[0066] In this embodiment, the computing nodes may include multiple nodes, and the network load of the physical network interface cards (NICs) of each computing node can be periodically monitored. As an example, the network load can be the amount of data packets received by the physical host. For instance, the physical NIC of a computing node can monitor the number of data packets it receives every 5 minutes, and also monitor the number of data packets received by each virtual machine running on it within those 5 minutes.

[0067] As another example, network load can be the physical network interface card bandwidth of a computing node, that is, the amount of data transmitted per unit of time. For example, it can be the amount of data transmitted in 1 second.

[0068] As another example, network load can be represented by the rate at which data packets are received. For instance, the rate at which data packets are received within a set time period can be understood as: the rate at which data packets are received = the amount of data received within the set time period / the set time period.

[0069] S402: When the network load exceeds the threshold, select the target virtual machine that exceeds the packet receiving rate limit threshold in the compute node.

[0070] In some embodiments, after detecting the network load of the physical network interface cards (NICs) of each computing node, the network load threshold of each NIC can be compared with the detected network load to determine whether the network load of each NIC exceeds the threshold. For example, after detecting the network load of physical NIC 1 of computing node 1, the network load of physical NIC 1 can be compared with the network load threshold of physical NIC 1 to determine whether the network load of physical NIC 1 exceeds the threshold. If the network load of physical NIC 1 is greater than the network load threshold of physical NIC 1, then it is determined that the network load of physical NIC 1 exceeds the load threshold.

[0071] Similarly, the network load of physical network interface card 2 (NIC 2) of computing node 2 can be compared with the network load threshold of NIC 2 to determine whether the network load of NIC 2 of computing node 2 exceeds the threshold. If the network load of NIC 2 of computing node 2 is greater than the network load threshold of NIC 2, it is determined that the network load of NIC 2 of computing node 2 exceeds the load threshold. If the network load of NIC 2 of computing node 2 is less than the network load threshold of NIC 2, it is determined that the network load of NIC 2 of computing node 2 is normal.

[0072] Similarly, for compute node 3, after detecting the network load of physical network card 3, the network load of physical network card 3 can be compared with the network load threshold of physical network card 3 to determine whether the network load of physical network card 3 exceeds the threshold. If the network load of physical network card 3 is greater than the network load threshold of physical network card 3, it is determined that the network load of physical network card 3 exceeds the load threshold. If the network load of physical network card 3 is less than the network load threshold of physical network card 3, it is determined that the network load of physical network card 3 is normal.

[0073] It should be noted that the network load thresholds corresponding to physical network card 1, physical network card 2, and physical network card 3 may be the same or different, and this application does not limit this.

[0074] For ease of description, the compute node whose network load exceeds the network load threshold will be referred to as the "first compute node", and the virtual machine that causes the network load of the physical network card of the first compute node to exceed the network load threshold will be referred to as the "target virtual machine".

[0075] In some embodiments, the network load of the virtual network cards of multiple virtual machines running on the first compute node can be detected, and then the target virtual machine that causes the network load of the physical network card of the first compute node to exceed the network load threshold can be determined based on the network load of the virtual network cards of each virtual machine.

[0076] For example, in this embodiment of the application, the packet receiving rate of the virtual network interface cards (NICs) of multiple virtual machines in the first computing node can be detected, and the virtual machine with a packet receiving rate greater than the packet receiving rate limit threshold can be selected as the target virtual machine. For example, assuming the first computing node is computing node 1, the packet receiving rate load information of the virtual NICs corresponding to VM1, VM2, and VM3 running on computing node 1 can be detected. Then, the packet receiving rates of VNIC1, VNIC2, and VNIC3 are compared with the packet receiving rate limit thresholds of VNIC1, VNIC2, and VNIC3 respectively to determine whether the packet receiving rates of VNIC1, VNIC2, and VNIC3 exceed the threshold. If the packet receiving rates of VNIC1, VNIC2, and VNIC3 are greater than the corresponding load thresholds, it is determined that the packet receiving rates of VNIC1, VNIC2, and VNIC3 exceed the load thresholds. For example, suppose the packet reception rate limiting threshold for VNIC1 is M, for VNIC2 it is N, and for VNIC3 it is Q. Let the packet reception rates of VNIC1, VNIC2, and VNIC3 be a, b, and c, respectively. Then, we can compare a with M. If a > M, then VNIC1 is overloaded. Similarly, we can compare b with N. If b > N, then VNIC2 is overloaded; if c > Q, then VNIC3 is overloaded.

[0077] Similarly, if the network load of physical network interface card 2 (NIC 2) on compute node 2 exceeds the load threshold, the packet reception rate of the virtual NICs corresponding to VM4, VM5, and VM6 running on compute node 2 can be detected. Then, the packet reception rate of each virtual NIC on compute node 2 is compared with its corresponding packet reception rate limiting threshold to determine whether the packet reception rate of each virtual NIC exceeds the threshold. For example, if the packet reception rate of VM4's virtual NIC is greater than the corresponding packet reception rate limiting threshold, then it is determined that the packet reception rate of VM4's virtual NIC exceeds the packet reception rate limiting threshold. If the packet reception rate of VM4's virtual NIC is less than the corresponding packet reception rate limiting threshold, then it is determined that the packet reception rate of VM4's virtual NIC is normal.

[0078] Similarly, if the network load of physical network interface card 3 (NIC 3) on compute node 3 exceeds the load threshold, the packet reception rate of the virtual NICs corresponding to VM7, VM8, and VM9 running on compute node 3 can be detected. Then, the packet reception rate of each virtual NIC on compute node 3 is compared with its corresponding packet reception rate limiting threshold to determine whether the packet reception rate of each virtual NIC exceeds the threshold. For example, if the packet reception rate of VM8's virtual NIC is greater than the corresponding packet reception rate limiting threshold, then VM8 is determined to have exceeded the packet reception rate limiting threshold; if the packet reception rate of VM8's virtual NIC is less than the corresponding packet reception rate limiting threshold, then the packet reception rate of VM8's virtual NIC is determined to be normal.

[0079] It should be noted that the packet receiving rate limiting thresholds for the virtual network cards corresponding to VM1, VM2, and VM3 running on compute node 1 can be the same or different (i.e., M, N, and Q in the above example can be the same or different); the packet receiving rate limiting thresholds for the virtual network cards corresponding to VM4, VM5, and VM6 running on compute node 2 can be the same or different; and the packet receiving rate limiting thresholds for the virtual network cards corresponding to VM7, VM8, and VM9 running on compute node 3 can be the same or different. This application does not impose any restrictions on this.

[0080] It should be noted that the number of virtual machines that cause the network load of the physical network card of the computing node to exceed the load threshold can be one or more, and this application does not limit this.

[0081] S403: Capture packets on the target virtual machine to obtain the source IP address and tunnel identifier of the data packets entering the target virtual machine.

[0082] First, the process of sending a packet is described with reference to Figure 3, assuming that the virtual machines in compute nodes 2 and 3 of Figure 3 send a large number of packets to the virtual machine in compute node 1, causing the physical network card of compute node 1 to exceed the threshold.

[0083] It should be noted that the VTEP devices shown in Figure 3 each have their own IP address. Assume that the IP address of VTEP device 1 is IP1, the IP address of VTEP device 2 is IP2, and the IP address of VTEP device 3 is IP3. The bold arrows in the figure indicate the direction of packet transmission.

[0084] First, VM4 can send inner-layer packets to logical bridge 4, and VM5 and VM6 can send inner-layer packets to logical bridge 5. After receiving the inner-layer packets, logical bridges 4 and 5 can send them to virtual port 6. In this embodiment, it is assumed that VM5, VM6, and VM8 send a large number of packets to VM1. That is, after virtual port 6 receives the inner-layer packets sent by logical bridge 5, it can determine that the tunnel identifier is VNI1 based on the correspondence between logical bridges and tunnel identifiers. Then, virtual port 6 sends the inner-layer packets and the tunnel identifier VNI1 to VTEP device 2. VTEP device 2 encapsulates the inner-layer packets to obtain VXLAN packets.

[0085] A VXLAN packet can carry the source IP address of the outer packet, the destination IP address of the outer packet, the source IP address of the inner packet, the destination IP address of the inner packet, and a tunnel identifier. Taking VM5 as an example, the VXLAN packet can carry the source IP address of the outer packet (IP2), the destination IP address of the outer packet (IP1), the source IP address of the inner packet (the IP address of VM5), the destination IP address of the inner packet (the IP address of VM1), and the tunnel identifier VNI1.

[0086] Next, VTEP device 2 can send the encapsulated VXLAN packet to the physical network interface card (NIC2) of compute node 2. NIC2 then forwards the VXLAN packet to the physical network interface card (NIC1) of compute node 1 via a router. It is understandable that the router can send the VXLAN packet to NIC1 based on the destination IP address (IP1) of the outer packet carried in the VXLAN packet.

[0087] After NIC1 receives the VXLAN packet, it can send the VXLAN packet to VTEP device 1. VTEP device 1 can decapsulate the VXLAN packet to obtain the inner packet and the tunnel identifier VNI1. Then, VTEP device 1 sends the inner packet and VNI1 to virtual port 4. Virtual port 4 determines, based on the correspondence between tunnel identifiers and logical bridges, that the logical bridge corresponding to VNI1 is logical bridge 1, and sends the inner packet to logical bridge 1. Finally, logical bridge 1 sends the inner packet to the virtual network card VNIC1 of VM1.

[0088] Similarly, the process of VM8 sending a message to VM1 is similar to the process of VM5 and VM6 sending a message to VM1, and will not be described in detail here.

[0089] It is understood that this application uses VM1 as an example of the target virtual machine. It is not necessarily VM1 that causes the physical network card of compute node 1 to exceed the threshold, and this is not a limitation.

[0090] After the target virtual machine is selected, packet capture can be performed at virtual port 1, which is connected to the virtual network card of VM1 and to logical bridge 1. This allows the five-tuple information of the packets to be obtained. As described above, the five-tuple information consists of the source IP address of the outer packet, the destination IP address of the outer packet, the source IP address of the inner packet, the destination IP address of the inner packet, and the tunnel identifier.

[0091] In this embodiment, once the target virtual machine is identified, the packets received by the target virtual machine within a preset time period can be captured. For example, packets received by VM1 within 5 minutes can be captured. It should be noted that the target virtual machine can receive packets while sending them. Therefore, this application needs to distinguish between packets sent and received by the target virtual machine when capturing data packets, and only captures packets received by the target virtual machine.

[0092] S404: Determine the list of source virtual machines based on the source IP address and tunnel identifier.

[0093] In this embodiment of the application, the list of source virtual machines that sent the message to VM1 can be determined based on the source IP address and tunnel identifier of the message. That is, it is necessary to determine which virtual machine in which VPC sent the message to VM1.

[0094] As shown in Table 1 above, there is a correspondence between tunnel identifiers and VPCs. Therefore, to determine a VPC, it is necessary to determine the tunnel identifier.

[0095] Since virtual machines within the same VPC share the same tunnel identifier, and multiple virtual machines can only send packets within the same VPC, multiple virtual machines can be identified based on their tunnel identifiers. For example, if packet capture of VM1 yields a tunnel identifier of VNI1, then according to Table 1 and its description, the virtual machines with the tunnel identifier VNI1 include: VM1, VM5, VM6, and VM8. Excluding the receiving VM1, the source virtual machines can include at least one of VM5, VM6, and VM8.

[0096] Furthermore, since virtual machines may share the same source IP address, multiple virtual machines can be obtained based on a source IP address. For example, suppose that in Figure 3 the IP addresses of VM1, VM2, and VM3 are 192.168.0.2, the IP addresses of VM5, VM4, and VM9 are 192.168.0.3, the IP addresses of VM6 and VM7 are 192.168.0.4, and the IP address of VM8 is 192.168.0.5. For example, refer to Table 2 below.

[0097] Table 2

[0098]

[0099] It should be noted that Table 2 above is only an illustrative example, and this application is not limited to the table above. For example, one table can be associated with one IP address, etc., and there is no limitation on this.

[0100] Assuming the source IP addresses obtained from packet capture of VM1 are 192.168.0.3 and 192.168.0.4, then according to Table 2 above, the virtual machines with IP addresses of 192.168.0.3 and 192.168.0.4 include: VM5, VM6, VM4, VM7, and VM9.

[0101] As one possible implementation, in this embodiment, a first virtual machine list can be obtained based on the source IP address, a second virtual machine list can be obtained based on the tunnel identifier, and the intersection of the first and second virtual machine lists can be used as the source virtual machine list. Of course, it is understood that the first virtual machine list can also be a list obtained based on the tunnel identifier, and the second virtual machine list can also be a list obtained based on the source IP address; this application does not limit this.

[0102] In some embodiments, a first virtual machine list may be determined first, followed by a second virtual machine list, and finally the virtual machines included in the intersection of the first and second virtual machine lists may be used as the source virtual machine list. In other embodiments, a second virtual machine list may be determined first, followed by a first virtual machine list, and then the virtual machines included in the intersection of the second and first virtual machine lists may be used as the source virtual machine list. It should be noted that the order in which the first and second virtual machine lists are determined is not limited in this application.

[0103] For example, if the list of virtual machines determined by the tunnel identifier is VM5, VM6, and VM8, and the list of virtual machines determined by the source IP address is VM5, VM6, VM4, VM7, and VM9, then the intersection of the two lists is VM5 and VM6. Of course, it is understood that if the captured source IP addresses are 192.168.0.3, 192.168.0.4, and 192.168.0.5, then the source virtual machine list would be VM5, VM6, and VM8.

[0104] S405: Limit the rate of the source virtual machines based on the source virtual machine list.

[0105] In this embodiment, the packet sending rate of the virtual network interface card (NIC) of the virtual machines in the source virtual machine list can be detected, and the source virtual machines whose packet sending rate exceeds the packet sending rate limiting threshold can be rate-limited. For example, the network upper limit can be reduced in a stepped manner. For instance, if the network upper limits for VM5, VM6, and VM8 are 10, 20, and 30 respectively, then the network upper limits can be reduced to 5, 10, and 15 respectively.

[0106] Of course, it is understandable that the reduction may not be done in a tiered manner, or the network limit of one virtual machine may be reduced, or the network limit of two virtual machines may be reduced, etc. This application does not limit this.
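As an added example that is not part of the patent text, the following Python sketch carries the illustrative values of S402 in [0076] and of S403 to S405 through the page's own reasoning: per-VNIC threshold comparison, filtering the capture to packets entering VM1, building the IP-derived and VNI-derived lists, intersecting them, and stepping down the network upper limits of over-sending sources. The lookup tables are constructed to mirror Tables 1 and 2 as described above, and all rates, thresholds and captured packets are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed lookup tables playing the role of the page's Table 1 (tunnel
# identifier -> VMs in that VPC) and Table 2 (inner IP address -> VMs).
# The values are the page's illustrative ones, not a real deployment.
VNI_TO_VMS: Dict[str, Set[str]] = {
    "VNI1": {"VM1", "VM5", "VM6", "VM8"},
}
IP_TO_VMS: Dict[str, Set[str]] = {
    "192.168.0.2": {"VM1", "VM2", "VM3"},
    "192.168.0.3": {"VM4", "VM5", "VM9"},
    "192.168.0.4": {"VM6", "VM7"},
    "192.168.0.5": {"VM8"},
}


@dataclass(frozen=True)
class FiveTuple:
    """Five-tuple recovered from one captured VXLAN packet (S403)."""
    outer_src: str  # VTEP IP of the sending compute node, e.g. IP2
    outer_dst: str  # VTEP IP of the receiving compute node, e.g. IP1
    inner_src: str  # IP address of the source VM
    inner_dst: str  # IP address of the VM the packet is delivered to
    vni: str        # tunnel identifier (VNI), i.e. the VPC


def select_target_vms(rx_rates: Dict[str, float],
                      rx_thresholds: Dict[str, float]) -> List[str]:
    """S402: VMs whose VNIC packet-receiving rate exceeds that VNIC's own
    threshold (M, N and Q in the text may differ per VNIC)."""
    return sorted(vm for vm, rate in rx_rates.items() if rate > rx_thresholds[vm])


def packets_entering(packets: Iterable[FiveTuple], target_ip: str) -> List[FiveTuple]:
    """S403: keep only packets entering the target VM. The target may be
    sending while it receives, so packets it originates are discarded."""
    return [p for p in packets if p.inner_dst == target_ip]


def source_vm_list(packets: Iterable[FiveTuple], target_vm: str) -> List[str]:
    """S404: first list from the inner source IPs, second list from the
    tunnel identifiers, intersection minus the receiving VM itself."""
    first: Set[str] = set()   # VMs that could own one of the captured source IPs
    second: Set[str] = set()  # VMs sharing one of the captured VNIs (same VPC)
    for p in packets:
        first |= IP_TO_VMS.get(p.inner_src, set())
        second |= VNI_TO_VMS.get(p.vni, set())
    return sorted((first & second) - {target_vm})


def stepped_limits(sources: Iterable[str], tx_rates: Dict[str, float],
                   tx_thresholds: Dict[str, float], upper_limits: Dict[str, float],
                   factor: float = 0.5) -> Dict[str, float]:
    """S405: for each listed source VM whose packet-sending rate exceeds its
    sending threshold, reduce its network upper limit in a stepped manner
    (halved here, as in the 10/20/30 -> 5/10/15 example); VMs in the list
    that are sending normally keep their current limit."""
    new_limits = dict(upper_limits)
    for vm in sources:
        if tx_rates[vm] > tx_thresholds[vm]:
            new_limits[vm] = upper_limits[vm] * factor
    return new_limits


if __name__ == "__main__":
    # Constructed capture at virtual port 1 over the preset window: VM5, VM6
    # and VM8 flood VM1 (192.168.0.2), and VM1 also replies to VM5 meanwhile.
    capture = [
        FiveTuple("IP2", "IP1", "192.168.0.3", "192.168.0.2", "VNI1"),  # VM5 -> VM1
        FiveTuple("IP2", "IP1", "192.168.0.4", "192.168.0.2", "VNI1"),  # VM6 -> VM1
        FiveTuple("IP1", "IP2", "192.168.0.2", "192.168.0.3", "VNI1"),  # VM1 -> VM5, sent
        FiveTuple("IP3", "IP1", "192.168.0.5", "192.168.0.2", "VNI1"),  # VM8 -> VM1
    ]
    targets = select_target_vms({"VM1": 9000, "VM2": 400, "VM3": 700},
                                {"VM1": 5000, "VM2": 5000, "VM3": 5000})
    sources = source_vm_list(packets_entering(capture, "192.168.0.2"), "VM1")
    limits = stepped_limits(sources,
                            tx_rates={"VM5": 8000, "VM6": 8000, "VM8": 8000},
                            tx_thresholds={"VM5": 5000, "VM6": 5000, "VM8": 5000},
                            upper_limits={"VM5": 10, "VM6": 20, "VM8": 30})
    print(targets, sources, limits)
```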

[0107] Figure 5 shows a schematic diagram of a rate limiting system for a virtual machine. The system 500 may include: a load monitoring module 501, a packet capture module 502, a data analysis module 503, and a rate limiting control module 504.

[0108] The load monitoring module 501 is used to detect the network load of the physical network card of the computing node; and when the network load exceeds the threshold, it selects the target virtual machine that exceeds the packet receiving rate limit threshold in the computing node.

[0109] The packet capture module 502 is used to capture packets on the target virtual machine to obtain the source IP address and tunnel identifier of the data packets entering the target virtual machine.

[0110] The data analysis module 503 is used to determine the list of source virtual machines based on the source IP address and the tunnel identifier.

[0111] The rate limiting control module 504 is used to limit the rate of the source virtual machines according to the source virtual machine list.

[0112] In one possible design, the load monitoring module 501 is specifically used to select target virtual machines that exceed the packet reception rate limit threshold on the compute node in the following manner:

[0113] The packet reception rate of the virtual network interface cards of multiple virtual machines in the computing node is detected, and the virtual machine with a packet reception rate greater than the packet reception rate limit threshold is selected as the target virtual machine.

[0114] In one possible design, the data analysis module 503 is specifically used to determine the list of source virtual machines based on the source IP address and the tunnel identifier in the following manner:

[0115] Based on the source IP address and the tunnel identifier, a first virtual machine list and a second virtual machine list are determined respectively; wherein, the first virtual machine list consists of virtual machines included by the source IP address, and the second virtual machine list consists of virtual machines included by the tunnel identifier; the intersection of the first virtual machine list and the second virtual machine list is determined as the source virtual machine list.

[0116] In one possible design, the rate limiting control module 504 is specifically used to rate limit the source virtual machines according to the source virtual machine list in the following manner:

[0117] The packet sending rate of the virtual network interface card of the virtual machine in the source virtual machine list is detected, and the source virtual machine whose packet sending rate is greater than the packet sending rate limit threshold is rate-limited.

[0118] In one possible design, the tunnel identifier is used to identify the Virtual Private Cloud (VPC) to which the virtual machine belongs.

[0119] All relevant content of each step involved in the above method embodiments can be referenced from the functional description of the corresponding functional module, and will not be repeated here.

[0120] The module division in this embodiment is illustrative and represents only one logical functional division. In actual implementation, other division methods may be used. Furthermore, the functional modules in each embodiment of this application can be integrated into a single processor, exist as separate physical entities, or be integrated into a single module. The integrated modules described above can be implemented in hardware or as software functional modules.

[0121] As shown in Figure 6, a virtual machine rate limiting device 600 is provided in an embodiment of this application. The device 600 includes at least one processor 602, used to implement, or to support the device 600 in implementing, the functions of the data analysis module shown in Figure 5 in the method provided in the embodiment of this application. For example, the processor 602 can determine the source virtual machine list based on the source IP address and the tunnel identifier. See the detailed description in the method embodiment, which will not be repeated here.

[0122] The device 600 may further include at least one memory 601 for storing program instructions. Exemplarily, the memory 601 may be used for mapping logical bridges to tunnel identifiers, etc., as detailed in the method examples, and will not be repeated here. The memory 601 and the processor 602 are coupled. The coupling in this embodiment is an indirect coupling or communication connection between devices, units, or modules, which may be electrical, mechanical, or other forms, for information exchange between devices, units, or modules. The processor 602 may operate in conjunction with the memory 601. The processor 602 may execute program instructions and / or data stored in the memory 601. At least one of the at least one memory may be included in the processor.

[0123] The device 600 may also include a communication interface 603 for communicating with other devices via a transmission medium. The processor 602 can use the communication interface 603 to send and receive data.

[0124] This application does not limit the specific connection medium between the communication interface 603, the processor 602, and the memory 601 described above. In the embodiment of this application shown in Figure 6, the memory 601, the processor 602, and the communication interface 603 are connected via a bus 604, which is represented by a thick line in Figure 6. The bus can be divided into an address bus, a data bus, a control bus, etc. For ease of representation, the bus is represented by a single thick line in Figure 6, but this does not mean that there is only one bus or one type of bus.

[0125] In the embodiments of this application, the processor 602 may be a general-purpose processor, a digital signal processor, an application-specific integrated circuit, a field-programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, capable of implementing or executing the methods, steps, and logic block diagrams disclosed in the embodiments of this application. The general-purpose processor may be a microprocessor or any conventional processor, etc. The steps of the methods disclosed in the embodiments of this application may be directly executed by the hardware processor, or executed by a combination of hardware and software modules in the processor.

[0126] In this embodiment, memory 601 can be non-volatile memory, such as a hard disk drive (HDD) or a solid-state drive (SSD), or it can be volatile memory, such as RAM. Memory is any medium capable of carrying or storing desired program code in the form of instructions or data structures, and accessible by a computer, but is not limited thereto. The memory in this embodiment can also be a circuit or any other device capable of implementing storage functions for storing program instructions.

[0127] Optionally, the computer execution instructions in the embodiments of this application may also be referred to as application code, and the embodiments of this application do not specifically limit this.

[0128] This application also provides a computer-readable storage medium, including instructions that, when executed on a computer, cause the computer to perform the method of the embodiment shown in Figure 4.

[0129] This application also provides a computer program product, including instructions that, when run on a computer, cause the computer to perform the method of the embodiment shown in Figure 4.

[0130] An embodiment of this application also provides a chip, the logic in the chip being used to execute the method of the embodiment shown in Figure 4.

[0131] This application is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of this application. It will be understood that each flow and / or block of the flowchart illustrations and / or block diagrams, and combinations of flows and / or blocks therein, can be implemented by computer program instructions. These instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing apparatus produce means for implementing the functions specified in one or more flows of the flowchart and / or one or more blocks of the block diagram.

[0132] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowchart and / or one or more blocks of the block diagram.

[0133] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, such that the instructions executed on the computer or other programmable equipment provide steps for implementing the functions specified in one or more flows of the flowchart and / or one or more blocks of the block diagram.

[0134] Obviously, those skilled in the art can make various modifications and variations to this application without departing from the spirit and scope of this application. Therefore, if such modifications and variations fall within the scope of the claims of this application and their equivalents, this application also intends to include such modifications and variations.

Claims

1. A method of rate limiting a virtual machine, the method comprising: detecting the network load of the physical network interface card (NIC) of a computing node; when the network load exceeds a threshold, selecting, from the computing node, a target virtual machine that exceeds the packet receiving rate limit threshold; performing packet capture on the target virtual machine to obtain the source IP address and tunnel identifier of the data packets entering the target virtual machine; determining a source virtual machine list based on the source IP address and the tunnel identifier; and applying rate limiting to the source virtual machines based on the source virtual machine list.

2. The method of claim 1, wherein selecting the target virtual machine that exceeds the packet reception rate limit threshold in the computing node comprises: detecting the packet reception rate of the virtual network interface cards of multiple virtual machines in the computing node, and selecting the virtual machine with a packet reception rate greater than the packet reception rate limit threshold as the target virtual machine.

3. The method of claim 1, wherein determining the source virtual machine list based on the source IP address and the tunnel identifier comprises: determining, based on the source IP address and the tunnel identifier respectively, a first virtual machine list and a second virtual machine list, wherein the first virtual machine list contains the virtual machines included by the source IP address, and the second virtual machine list contains the virtual machines included by the tunnel identifier; and determining the intersection of the first virtual machine list and the second virtual machine list as the source virtual machine list.

4. The method of claim 1, wherein applying rate limiting to the source virtual machines based on the source virtual machine list comprises: detecting the packet sending rate of the virtual network interface card of each virtual machine in the source virtual machine list, and rate-limiting the source virtual machine whose packet sending rate is greater than the packet sending rate limit threshold.

5. The method according to claim 1 or 3, characterized in that the tunnel identifier is used to identify the Virtual Private Cloud (VPC) to which the virtual machine belongs.

6. A system for rate limiting a virtual machine, the system comprising: a load monitoring module, used to detect the network load of the physical network interface card of a computing node, and, when the network load exceeds a threshold, to select the target virtual machine that exceeds the packet receiving rate limit threshold in the computing node; a packet capture module, used to capture packets on the target virtual machine to obtain the source IP address and tunnel identifier of the data packets entering the target virtual machine; a data analysis module, used to determine the source virtual machine list based on the source IP address and the tunnel identifier; and a rate limiting control module, used to rate limit the source virtual machines based on the source virtual machine list.

7. The system of claim 6, wherein the load monitoring module is specifically used to select the target virtual machine that exceeds the packet reception rate limit threshold in the computing node in the following manner: detecting the packet reception rate of the virtual network interface cards of multiple virtual machines in the computing node, and selecting the virtual machine with a packet reception rate greater than the packet reception rate limit threshold as the target virtual machine.

8. The system of claim 6, wherein the data analysis module is specifically used to determine the source virtual machine list based on the source IP address and the tunnel identifier in the following manner: determining, based on the source IP address and the tunnel identifier respectively, a first virtual machine list and a second virtual machine list, wherein the first virtual machine list contains the virtual machines included by the source IP address, and the second virtual machine list contains the virtual machines included by the tunnel identifier; and determining the intersection of the first virtual machine list and the second virtual machine list as the source virtual machine list.

9. The system of claim 6, wherein the rate limiting control module is specifically used to rate limit the source virtual machines according to the source virtual machine list in the following manner: detecting the packet sending rate of the virtual network interface card of each virtual machine in the source virtual machine list, and rate-limiting the source virtual machine whose packet sending rate is greater than the packet sending rate limit threshold.

10. The system of claim 6 or 8, wherein the tunnel identifier is used to identify the Virtual Private Cloud (VPC) to which the virtual machine belongs.

11. A rate limiting apparatus for a virtual machine, characterized by comprising: a memory, a communication interface, and a processor; wherein the memory stores computer instructions; the communication interface is used to receive and send data; and the processor is configured to execute the computer instructions stored in the memory to cause the apparatus to perform the method as described in any one of claims 1 to 5.

12. A computer-readable storage medium, characterized in that the storage medium stores computer instructions that, when executed by a computer, cause the computer to perform the method as described in any one of claims 1 to 5.

13. A computer program product, characterized in that the computer program product includes computer instructions that, when executed by a computer, cause the computer to perform the method as described in any one of claims 1 to 5.