WO2024160207A1 - Overload control method and device in object storage service system - Google Patents

Info

Publication number
WO2024160207A1
Authority
WO
WIPO (PCT)
Prior art keywords
access request
target
service node
address
preset threshold
Prior art date
Legal status
Ceased
Application number
PCT/CN2024/074758
Other languages
French (fr)
Chinese (zh)
Other versions
WO2024160207A9 (en
Inventor
肖学武
Current Assignee
Huawei Cloud Computing Technologies Co Ltd
Original Assignee
Huawei Cloud Computing Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Cloud Computing Technologies Co Ltd
Publication of WO2024160207A1
Publication of WO2024160207A9

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00 Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06 Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601 Interfaces specially adapted for storage systems
    • G06F3/0668 Interfaces specially adapted for storage systems adopting a particular infrastructure
    • G06F3/067 Distributed or networked storage systems, e.g. storage area networks [SAN], network attached storage [NAS]
    • G06F3/0602 Interfaces specially adapted for storage systems specifically adapted to achieve a particular effect
    • G06F3/062 Securing storage systems
    • G06F3/0628 Interfaces specially adapted for storage systems making use of a particular technique
    • G06F3/0655 Vertical data movement, i.e. input-output transfer; data movement between one or more hosts and one or more storage devices
    • G06F3/0659 Command handling arrangements, e.g. command buffers, queues, command scheduling
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H04L67/14 Session management
    • H04L67/141 Setup of application sessions
    • H04L67/50 Network services
    • H04L67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
    • H04L67/63 Routing a service request depending on the request content or context
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Definitions

  • the embodiments of the present application relate to the field of object storage technology, and more particularly to an overload control method and device in an object storage service system.
  • Object storage service can provide massive, secure, highly reliable, and low-cost data storage capabilities. Tenants can purchase storage resources of the object storage service to store various types of data.
  • the number of tenants in an object storage service system is nearly one million, and each of these nearly one million tenants corresponds to an IP address of the object storage service system.
  • The tenant is considered to be under a connection number attack or overloaded.
  • When a tenant in the object storage service system is under a connection number attack, it also affects users' access to data corresponding to other tenants in the object storage service system.
  • the embodiments of the present application provide an overload control method and device in an object storage service system, which can effectively reduce the impact range of connection number attacks and avoid affecting tenants of the entire cluster.
  • an embodiment of the present application provides an overload control method in an object storage service system, which is applied to a service node in the object storage service system, wherein the service node is bound to multiple IP addresses, and each of the multiple IP addresses corresponds to one or more tenants.
  • the method includes: receiving an access request from a user device, wherein the access request is used to request access to a storage bucket of a target tenant, wherein the access request includes a target IP address, and the target IP address is one of multiple IP addresses; then, determining the number of TCP connections corresponding to the target IP address in a TCP full-connection queue of the service node; and discarding the access request when the number of TCP connections corresponding to the target IP address is greater than a first preset threshold.
  • Since each of the multiple IP addresses bound to the service node corresponds to one or more tenants, when the number of connections corresponding to the target IP address is overloaded, the service node discards the access request of the tenant corresponding to the target IP address and processes the access requests corresponding to other IP addresses normally. In this way, the impact range of the connection number attack can be effectively reduced to avoid affecting the tenants of the entire cluster.
  • the above-mentioned discarding of the access request when the number of TCP connections corresponding to the target IP address is greater than the first preset threshold value includes: based on the user-mode protocol stack of DPDK, discarding the access request when the number of TCP connections corresponding to the target IP address is greater than the first preset threshold value to alleviate the overload of the number of connections.
  • DPDK is a software library for accelerating data packet processing at the network protocol transport layer. DPDK has efficient processing capabilities, and the user-mode protocol stack based on DPDK can efficiently control the overload of the number of connections.
  • When the number of TCP connections corresponding to the target IP address is greater than the first preset threshold, the service node discards only the current access request containing the target IP address; it does not discard access requests containing other IP addresses. In this way, the service node does not affect the services of other tenants while controlling connection-number overload.
  • the overload control method in the object storage service system provided in an embodiment of the present application also includes: when the number of TCP connections corresponding to the target IP address is less than or equal to a first preset threshold, establishing a TCP connection between the user device and the service node.
  • the service node enters the TCP connection establishment process to establish a TCP connection between the user device and the service node, and places the TCP connection in the TCP full connection queue maintained by the service node, waiting for the application layer to process the access request corresponding to the TCP connection.
  • The overload control method provided in the embodiment of the present application further includes: determining whether the length of the access request queue corresponding to the storage bucket of the target tenant is greater than a second preset threshold; if the length of the access request queue is greater than the second preset threshold, refusing to process the access request; if the length of the access request queue is less than or equal to the second preset threshold, processing the access request.
  • each tenant corresponds to an access request queue, which includes all access requests for established TCP connections.
  • After being processed by the above network transmission protocol layer, the service node receives the access request, establishes the TCP connection corresponding to the access request, and then processes the access request at the application layer.
  • When the length of the access request queue is greater than the second preset threshold, the service node refuses to process the access request; when the length of the access request queue is less than or equal to the second preset threshold, it means that the target tenant is not overloaded. At this time, the service node processes the access request to ensure the service quality of the tenant.
  • the first preset threshold is half of the TCP full connection queue capacity.
  • the first preset threshold can be determined based on the TCP full connection queue capacity (queue capacity can also be called queue depth), and the first preset threshold does not need to be adjusted with the processing capacity of the application layer.
  • the embodiment of the present application provides a service node, which is bound to multiple IP addresses, each of which corresponds to one or more tenants, and the service node includes a receiving module, a determining module, and a processing module.
  • the receiving module is used to receive an access request from a user device, the access request is used to request access to the storage bucket of the target tenant, and the access request includes a target IP address, which is one of the multiple IP addresses;
  • the determining module is used to determine the number of TCP connections corresponding to the target IP address in the TCP full connection queue of the service node;
  • the processing module is used to discard the access request when the number of TCP connections corresponding to the target IP address is greater than the first preset threshold.
  • The processing module is specifically configured to discard the access request, based on the DPDK user-mode protocol stack, when the number of TCP connections corresponding to the target IP address is greater than the first preset threshold.
  • the processing module is further configured to establish a TCP connection between the user equipment and the service node when the number of TCP connections corresponding to the target IP address is less than or equal to a first preset threshold.
  • the above-mentioned determination module is also used to determine whether the length of the access request queue corresponding to the target tenant's storage bucket is greater than a second preset threshold; the processing module is also used to refuse to process the access request when the length of the access request queue is greater than the second preset threshold; and process the access request when the length of the access request queue is less than or equal to the second preset threshold.
  • the first preset threshold is half of the capacity of the TCP full connection queue.
  • an embodiment of the present application provides a service node, comprising a memory and at least one processor connected to the memory, the memory being used to store computer program code, the computer program code comprising computer instructions, and when the computer instructions are executed by at least one processor, the computing device executes the method described in the first aspect and any one of its possible implementation methods.
  • an embodiment of the present application provides a computer-readable storage medium storing computer instructions, which, when executed on a computer, execute the method described in the first aspect and any one of its possible implementations.
  • an embodiment of the present application provides a computer program product, which includes computer instructions.
  • When the computer instructions are run on a computer, the method described in the first aspect and any one of its possible implementation methods is executed.
  • an embodiment of the present application provides a chip, comprising a memory and a processor, the memory being used to store computer instructions, and the processor being used to call and run the computer instructions from the memory to execute the method described in the first aspect and any one of its possible implementation methods.
  • FIG. 1 is a schematic diagram of the architecture of a communication system provided in an embodiment of the present application.
  • FIG. 2 is a schematic diagram of the hardware structure of a service node provided in an embodiment of the present application.
  • FIG. 3 is a schematic diagram of the correspondence between tenants and IP addresses in an object storage service system provided in an embodiment of the present application.
  • FIG. 4 is a schematic diagram of an overload control method in an object storage service system provided in an embodiment of the present application.
  • FIG. 5 is a second schematic diagram of an overload control method in an object storage service system provided by an embodiment of the present application.
  • FIG. 6 is a first schematic diagram of the structure of a service node provided in an embodiment of the present application.
  • FIG. 7 is a second schematic diagram of the structure of a service node provided in an embodiment of the present application.
  • The term “and/or” in this document merely describes an association relationship between associated objects, indicating that three relationships may exist.
  • For example, A and/or B can mean: A exists alone, A and B exist at the same time, or B exists alone.
  • The terms “first” and “second” in the description and claims of the embodiments of the present application are used to distinguish different objects, rather than to describe a specific order of objects.
  • words such as “exemplary” or “for example” are used to indicate examples, illustrations or descriptions. Any embodiment or design described as “exemplary” or “for example” in the embodiments of the present application should not be interpreted as being more preferred or more advantageous than other embodiments or designs. Specifically, the use of words such as “exemplary” or “for example” is intended to present related concepts in a specific way.
  • OBS object storage service
  • the basic components of the object storage service OBS are buckets and objects.
  • a bucket is a container for storing objects in OBS.
  • Each bucket has attributes such as storage category, access permission, and region.
  • An object is the basic unit of data storage in OBS.
  • An object includes the data of a file and its related attribute information, including key value (Key), metadata (Metadata), and data (Data).
  • Key is the name of the object
  • Metadata is the description information of the object, including system metadata and user metadata
  • Data is the data content of the file.
  • Users who rent OBS resources are called tenants of the object storage service. Tenants can create buckets in OBS and configure bucket access policies through the OBS configuration interface or application programming interface (such as API), and then upload objects to the buckets through the Internet. Optionally, tenants can create one or more buckets.
  • After a tenant uploads an object to their bucket, other users (through their user devices) can access the tenant's bucket. Specifically, the user device can locate the bucket through the bucket's access domain name and then access the object in the bucket.
  • tenants refer to the owners of buckets in OBS
  • users refer to the visitors of the tenants' buckets.
  • the communication system includes a user device 101 (such as a mobile phone), a border router (BR) 102, and an OBS system 103, wherein the OBS system 103 may include multiple clusters (only one cluster is illustrated in Figure 1), and a cluster includes multiple service nodes, and the service nodes are responsible for creating buckets and managing buckets, etc.
  • The user holds a user device 101, and the user device 101 can access the service node in the OBS system 103 through the Internet and the border router 102, and obtain objects from the bucket created by the service node.
  • the cluster as a whole presents an IP address to the outside, and the IP address is a virtual IP address.
  • one IP address carries nearly one million tenants, that is, all tenants of buckets on multiple service nodes in the OBS system 103 correspond to one IP address.
  • a user sends an access request through a user device.
  • the access request is used to access objects in the bucket of the tenant.
  • the service node After receiving the access request, the service node establishes a communication connection (e.g., a transmission control protocol (TCP) connection) between the user device and the service node. Subsequently, the user device can communicate with the service node to transmit data.
  • When there are too many access requests corresponding to the tenant, too many connections are established for data transmission in response to those access requests. At this time, it is considered that the tenant is under connection number attack or the tenant is overloaded.
  • One solution for handling connection number attacks is: after the administrator logs in to the service node, the access requests of certain user devices are blocked using iptables.
  • iptables is a firewall.
  • The service node blocks the source IP address (the source IP address is the IP address of the user device) using iptables in the kernel state.
  • Because the tenant is under a connection number attack, the processing efficiency of the service node is very low. At this time, the administrator may be unable to log in to the service node and therefore cannot handle the connection number attack in a timely and effective manner.
  • Another solution to handle connection number attacks is to block the source IP address on the border router.
  • The source IP addresses are too scattered; for example, legitimate user access requests may be blocked, which will seriously affect the business and put the user's business at risk.
  • an embodiment of the present application provides an overload control method and device in an object storage service system.
  • the method is applied to a service node in the object storage service system.
  • the service node is bound to multiple IP addresses, each of which corresponds to one or more tenants.
  • The overload control method includes: the service node receives an access request from a user device, where the access request is used to request access to the storage bucket of the target tenant and includes the target IP address, and the target IP address is one of the above multiple IP addresses; then, the service node determines the number of TCP connections corresponding to the target IP address in the TCP full connection queue of the service node; and, if the number of TCP connections corresponding to the target IP address is greater than a first preset threshold, the access request of the user device is discarded.
  • the technical solution provided by the embodiment of the present application can effectively reduce the impact range of the connection number attack and avoid affecting the tenants of the entire cluster.
  • the technical solution provided by the embodiment of the present application does not require the participation of administrators and can adaptively perform overload control.
  • the technical solution provided by the embodiment of the present application controls the number of TCP connections corresponding to the tenant's IP address (the destination IP address), and no longer controls the number of connections by blocking the source IP address (the user's IP address), thereby reducing the impact on the user's business.
  • the device for executing the above-mentioned overload control method is the service node of the OBS system shown in Figure 1.
  • the scheduler can be a desktop computer, a portable computer, a personal digital assistant (PDA) and other devices, and the service node can also be one or more functional modules in the device, which can be either a component in a hardware device, or software running on dedicated hardware, or a combination of hardware and software.
  • the service node can be implemented by one device or multiple devices, and the embodiment of the present application does not specifically limit this.
  • the service node may include: a processor 201, a memory 202, and a communication interface 203.
  • the processor 201, the memory 202, and the communication interface 203 may be connected via a bus 204, or may be connected to each other in other ways.
  • the processor 201 is the control center of the service node, and the processor 201 may be a general-purpose central processing unit (CPU) or other general-purpose processors, wherein the general-purpose processor may be a microprocessor or any conventional processor, etc.
  • the processor 201 may include an application processor (AP), a graphics processing unit (GPU), an image signal processor (ISP), a controller, etc.
  • the controller in the processor 201 is the nerve center and command center of the service node.
  • the controller can generate an operation control signal according to the instruction opcode and the timing signal to complete the control of fetching and executing instructions.
  • a memory can also be set in the processor 201 to store instructions and data.
  • the processor 201 may include one or more CPUs, such as CPU 0 and CPU 1 shown in FIG. 2.
  • the memory 202 includes, but is not limited to, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM), a flash memory, or an optical memory, a disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store the desired program code in the form of instructions or data structures and can be accessed by a computer.
  • the memory 202 can store information such as computer instructions.
  • the memory 202 may exist independently of the processor 201.
  • the memory 202 may be connected to the processor 201 via the bus 204 and used to store data, instructions, or program codes.
  • the overload control method in the object storage service system provided in the embodiment of the present application can be implemented.
  • The memory 202 may also be integrated with the processor 201.
  • the communication interface 203 may be a transceiver module for communicating with other devices or communication networks, such as Ethernet, RAN, wireless local area networks (WLAN), etc.
  • the communication interface 203 may receive instructions, messages, or data, etc.
  • the transceiver module may be a device such as a transceiver or a transceiver.
  • the communication interface 203 may also be a transceiver circuit located in the processor 201, for realizing the signal input and signal output of the processor.
  • the communication interface 203 may be a wired interface (port), such as a fiber distributed data interface (FDDI), a gigabit Ethernet (GE) interface, or the communication interface 203 may also be a wireless interface.
  • the bus 204 may be an industry standard architecture (ISA) bus, a peripheral component interconnect (PCI) bus, or an extended industry standard architecture (EISA) bus.
  • the bus may be divided into an address bus, a data bus, a control bus, etc.
  • FIG. 2 uses only one thick line to represent the bus, but this does not mean that there is only one bus or one type of bus.
  • The service node shown in FIG. 2 is only an example of a service node, and the service node may have more or fewer components than those shown in FIG. 2, may combine two or more components, or may have different component configurations.
  • the following describes an overload control method in an object storage service system provided by an embodiment of the present application with reference to the accompanying drawings.
  • the method is applied to a service node in the object storage service system.
  • the service node is bound to multiple IP addresses (the multiple IP addresses are virtual IP addresses), and each of the multiple IP addresses corresponds to one or more tenants.
  • the OBS system presents multiple IP addresses to the outside world.
  • the multiple IP addresses are virtual IP addresses.
  • the IP address is mounted on a single service node, that is, a service node is bound to multiple IP addresses.
  • each of the multiple IP addresses corresponds to one or more tenants, that is, multiple tenants are hashed on different IP addresses. For example, in Figure 3, tenants 1 and 2 correspond to IP address 1, tenants 3 and 4 correspond to IP address 2, ..., tenants 199 and 200 correspond to IP address 100.
  • the overload control method in the object storage service system may include the following steps:
  • S301 Receive an access request from a user device, where the access request includes a target IP address.
  • the above access request is used to request access to the target tenant's storage bucket (the storage bucket is a bucket created by the target tenant and contains objects).
  • the target IP address in the access request is one of the multiple IP addresses bound to the service node.
  • the user device sends an access request to the domain name server, where the access request includes the domain name of the bucket of the target tenant.
  • the domain name of a bucket can be recorded as bucket1.region1.com, where bucket1 is the identifier of the bucket and region1 indicates the region where the bucket is located.
  • the domain name of a bucket is unique, and each bucket corresponds to a tenant, so the domain name of the bucket also has tenant attributes.
  • the domain name server sends the target IP address to the user device based on the domain name of the target tenant's bucket.
  • the domain name server stores the correspondence between the bucket identifier and the IP address.
  • the domain name server can determine the target IP address corresponding to the bucket according to the domain name of the bucket of the target tenant in the access request, and then return the target IP address to the user device. It can be understood that the bucket in the OBS system can be accessed according to the target IP address.
  • the user equipment sends an access request including the target IP address to the service node.
  • the service node receives the access request from the user equipment.
  • S302 Determine the number of TCP connections corresponding to the target IP address in the TCP full connection queue of the service node.
  • After the service node receives the access request of the user device, at the network transmission protocol layer, the service node enters the process of establishing a TCP connection, for example, establishing a TCP connection with the user device through a three-way handshake process.
  • For the process of establishing a TCP connection, reference can be made to the prior art.
  • After the service node completes the process of establishing a TCP connection, the service node places the TCP connection into a TCP full-connection queue maintained by the service node, and then the service node processes (or consumes) the access request corresponding to the TCP connection in the TCP full-connection queue at the application layer.
  • After the service node receives the access request of the user device, the service node does not directly enter the process of establishing a TCP connection, but first determines the number of TCP connections corresponding to the target IP address in the TCP full-connection queue in the service node based on the target IP address in the access request, and determines whether a connection number attack occurs based on the number of TCP connections.
  • the above service node controls the number of connections corresponding to the target IP address at the network protocol transport layer. If the number of TCP connections corresponding to the target IP address is greater than the first preset threshold, it means that the number of TCP connections corresponding to the target IP is overloaded, so the service node discards the access request (also known as rejecting the access request) to alleviate the overload of the number of connections. For example, in conjunction with Figure 4 above, assuming that the target IP address is IP address 1, and IP address 1 corresponds to tenant 1 and tenant 2, if the number of TCP connections corresponding to IP address 1 is overloaded, it indicates that tenant 1 and/or tenant 2 are under attack by the number of connections.
  • the first preset threshold can be determined based on the TCP full connection queue capacity (queue capacity can also be called queue depth), and the first preset threshold does not need to be adjusted with the processing capacity of the application layer.
  • the TCP full connection queue capacity refers to the maximum number of TCP connections that the TCP full connection queue can accommodate.
  • the first preset threshold is one-half of the TCP full connection queue capacity. For example, the capacity of the TCP full connection queue can be 60,000, and the first preset threshold is 30,000.
  • the above S303 is specifically implemented through S3031.
  • a user-mode protocol stack based on the Intel data plane development kit (DPDK) discards an access request when the number of TCP connections corresponding to the target IP address is greater than a first preset threshold.
  • DPDK is a software library used to accelerate data packet processing.
  • DPDK has efficient processing capabilities, and the user-mode protocol stack based on DPDK can efficiently perform connection-count overload control.
  • If the number of TCP connections corresponding to the target IP address is less than or equal to the first preset threshold, the number of TCP connections corresponding to the target IP address is not overloaded. The service node enters the TCP connection establishment process to establish a TCP connection between the user device and the service node, and places the TCP connection in the TCP full-connection queue maintained by the service node, where it waits for the application layer to process the access request corresponding to the TCP connection.
  • IP address 2 corresponds to tenants 3 and 4
  • the service node can process the access requests of tenants 3 and 4 normally.
  • When the number of TCP connections corresponding to the target IP address is greater than the first preset threshold, the service node discards only the current access request containing the target IP address and does not discard access requests containing other IP addresses. In this way, the service node does not affect the services of other tenants while performing connection-count overload control.
  • the service node discards the access requests for the storage buckets of tenant 1 and/or tenant 2 and normally processes the access requests for the storage buckets of other tenants, for example the service requests of tenant 3 to tenant 200. That is, in the process of controlling TCP connection-count overload, the service node minimizes the impact range of the connection number attack and avoids affecting the tenants of the entire cluster, so that tenants do not interfere with each other.
  • the overload control method in the object storage service system provided by the embodiment of the present application further includes:
  • S305 Determine whether the length of the access request queue corresponding to the storage bucket of the target tenant is greater than a second preset threshold.
  • each tenant corresponds to an access request queue, and the access request queue includes all access requests for which TCP connections have been established.
  • After the processing at the network transmission protocol layer described above, in which the service node receives the access request and establishes the TCP connection corresponding to the access request, the service node processes the access request at the application layer.
  • When the length of the access request queue corresponding to the storage bucket of the target tenant is greater than the second preset threshold, the target tenant is overloaded, and the service node refuses to process the access request; when the length of the access request queue is less than or equal to the second preset threshold, the target tenant is not overloaded, and the service node processes the access request to ensure the service quality of the tenant.
  • In the overload control method in the object storage system, the service node receives an access request including a target IP address from a user device, where the access request is used to request access to the storage bucket of the target tenant, the service node is bound to multiple IP addresses, each of the multiple IP addresses corresponds to one or more tenants, and the target IP address is one of the multiple IP addresses. The service node then determines the number of TCP connections corresponding to the target IP address in the TCP full-connection queue of the service node, and discards the access request of the user device when the number of TCP connections corresponding to the target IP address is greater than the first preset threshold.
  • Since each of the multiple IP addresses bound to the service node corresponds to one or more tenants, when the number of connections corresponding to the target IP address is overloaded, the service node discards the access request of the tenant corresponding to the target IP address and normally processes the access requests corresponding to other IP addresses. The impact range of the connection number attack is thereby effectively reduced, which avoids affecting the tenants of the entire cluster.
  • an embodiment of the present application provides a service node.
  • the service node can be divided into functional modules according to the above method example.
  • each functional module can be divided corresponding to each function, or two or more functions can be integrated into one processing module.
  • the above integrated module can be implemented in the form of hardware or in the form of software functional modules. It should be noted that the division of modules in the embodiment of the present application is schematic and is only a logical function division. There may be other division methods in actual implementation.
  • FIG6 shows a possible structural diagram of the service node involved in the above embodiment, and the service node is bound to multiple IP addresses, and each of the multiple IP addresses corresponds to one or more tenants.
  • the service node includes a receiving module 601, a determining module 602, and a processing module 603.
  • the receiving module 601 is used to receive an access request from a user device, and the access request is used to request access to the storage bucket of the target tenant.
  • the access request includes a target IP address, and the target IP address is one of the multiple IP addresses, for example, executing S301 in the above method embodiment.
  • the determining module 602 is used to determine the number of TCP connections corresponding to the target IP address in the TCP full connection queue of the service node, for example, executing S302 in the above method embodiment.
  • the processing module 603 is used to discard the access request when the number of TCP connections corresponding to the target IP address is greater than the first preset threshold, for example, executing S303 in the above method embodiment.
  • the processing module 603 is specifically used for discarding the access request based on the user-mode protocol stack of DPDK when the number of TCP connections corresponding to the target IP address is greater than a first preset threshold, such as executing S3031 in the above method embodiment.
  • the processing module 603 is also used to establish a TCP connection between the user device and the service node when the number of TCP connections corresponding to the target IP address is less than or equal to the first preset threshold, such as executing S304 in the above method embodiment.
  • the determination module 602 is also used to determine whether the length of the access request queue corresponding to the storage bucket of the target tenant is greater than a second preset threshold, such as executing S305 in the above method embodiment; the processing module 603 is also used to refuse to process the access request when the length of the access request queue is greater than the second preset threshold, and to process the access request when the length of the access request queue is less than or equal to the second preset threshold, such as executing S306-S307 in the above method embodiment.
  • modules of the service node described above can also be used to perform other actions in the method embodiment described above. All relevant contents of the steps can be referred to the functional description of the corresponding functional modules and will not be repeated here.
  • FIG. 7 shows another possible structural diagram of the service node involved in the above embodiment.
  • the service node provided in the embodiment of the present application may include: a processing module 701 and a communication module 702.
  • the processing module 701 can be used to control and manage the actions of the service node.
  • the processing module 701 can be used to support the service node to perform S302, S303 (including S3031), S304-S307 in the above method embodiment, and/or other processes for the technology described herein.
  • the communication module 702 can be used to support the communication between the service node and other network entities, for example, to support the service node to communicate with a computing node.
  • the communication module 702 can be used to support the service node to perform S301 in the above method embodiment.
  • the service node may also include a storage module 703 for storing computer instructions and data.
  • the processing module 701 may be a processor or a controller (for example, the processor 201 as shown in FIG. 2 ), and the processor may also be a combination that implements a computing function, such as a combination of one or more microprocessors, a combination of a DSP and a microprocessor, and the like.
  • the communication module 702 may be a communication interface (for example, the communication interface 203 as shown in FIG. 2 ).
  • the storage module 703 may be a memory (for example, the memory 202 as shown in FIG. 2 ).
  • the processing module 701 is a processor
  • the communication module 702 is a communication interface
  • the storage module 703 is a memory
  • the processor, the transceiver, and the memory may be connected via a bus.
  • the computer program product includes one or more computer instructions.
  • the computer can be a general-purpose computer, a special-purpose computer, a computer network or other programmable device.
  • the computer instructions can be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another computer-readable storage medium.
  • the computer instructions can be transmitted from one website, computer, server or data center to another website, computer, server or data center in a wired manner (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or a wireless manner (e.g., infrared, wireless, microwave, etc.).
  • the computer-readable storage medium can be any available medium that a computer can access, or a data storage device, such as a server or data center, that integrates one or more available media.
  • the available medium can be a magnetic medium (e.g., floppy disks, magnetic disks, tapes), an optical medium (e.g., digital video discs (DVD)), or a semiconductor medium (e.g., solid state drives (SSD)), etc.
  • the disclosed systems, devices and methods can be implemented in other ways.
  • the device embodiments described above are only schematic.
  • the division of the modules or units is only a logical function division. There may be other division methods in actual implementation, such as multiple units or components can be combined or integrated into another system, or some features can be ignored or not executed.
  • Another point is that the mutual coupling or direct coupling or communication connection shown or discussed can be an indirect coupling or communication connection through some interfaces, devices or units, which can be electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the above-mentioned integrated unit may be implemented in the form of hardware or in the form of software functional units.
  • If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium.
  • the technical solution of the present application is essentially or the part that contributes to the prior art or all or part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a storage medium, including a number of instructions for a computer device (which can be a personal computer, a server, or a network device, etc.) or a processor to perform all or part of the steps of the method described in each embodiment of the present application.
  • the aforementioned storage medium includes: flash memory, mobile hard disk, read-only memory, random access memory, disk or optical disk and other media that can store program codes.

Abstract

Embodiments of the present application relate to the technical field of object storage, and provide an overload control method and device in an object storage service system, which can effectively reduce the impact range of a connection flood attack and avoid affecting tenants of the entire cluster. The method is applied to a service node in an object storage service system, the service node is bound to a plurality of IP addresses, and each IP address in the plurality of IP addresses corresponds to one or more tenants. The method comprises: receiving an access request from a user equipment, wherein the access request is used for requesting to access a storage bucket of a target tenant, the access request comprises a target IP address, and the target IP address is one of the plurality of IP addresses; then determining the number of TCP connections corresponding to the target IP address in a TCP accept queue of the service node; and discarding the access request when the number of TCP connections corresponding to the target IP address is greater than a first preset threshold.

Description

Overload control method and device in object storage service system

This application claims priority to the Chinese patent application filed with the State Intellectual Property Office on January 31, 2023, with application number 202310064237.5 and entitled "Overload Control Method and Device in Object Storage Service System", the entire contents of which are incorporated herein by reference.

Technical Field

The embodiments of the present application relate to the field of object storage technology, and in particular to an overload control method and device in an object storage service system.

Background Art

An object storage service (OBS) can provide massive, secure, highly reliable, and low-cost data storage capabilities. Tenants can purchase storage resources of the object storage service to store various types of data.

Generally, an object storage service system has nearly one million tenants, and these nearly one million tenants correspond to one IP address of the object storage service system. For a given tenant, when there are too many access requests corresponding to the tenant, too many connections for transmitting data are established for those access requests. In this case, the tenant is considered to be under a connection number attack, or the tenant is considered to be overloaded. When one tenant in the object storage service system is under a connection number attack, users' access to the data of other tenants in the object storage service system is also affected.

Therefore, it is very important to control the number of connections (also called overload control) in the object storage service system.

Summary of the Invention

The embodiments of the present application provide an overload control method and device in an object storage service system, which can effectively reduce the impact range of a connection number attack and avoid affecting the tenants of the entire cluster.

To achieve the above purpose, the embodiments of the present application adopt the following technical solutions:

In a first aspect, an embodiment of the present application provides an overload control method in an object storage service system, applied to a service node in the object storage service system. The service node is bound to multiple IP addresses, and each of the multiple IP addresses corresponds to one or more tenants. The method includes: receiving an access request from a user device, where the access request is used to request access to a storage bucket of a target tenant and includes a target IP address, the target IP address being one of the multiple IP addresses; then determining the number of TCP connections corresponding to the target IP address in the TCP full-connection queue (accept queue) of the service node; and discarding the access request when the number of TCP connections corresponding to the target IP address is greater than a first preset threshold.

In the embodiments of the present application, since each of the multiple IP addresses bound to the service node corresponds to one or more tenants, when the number of connections corresponding to the target IP address is overloaded, the service node discards the access request of the tenant corresponding to the target IP address and processes the access requests corresponding to other IP addresses normally. In this way, the impact range of the connection number attack can be effectively reduced, which avoids affecting the tenants of the entire cluster.

In a possible implementation, discarding the access request when the number of TCP connections corresponding to the target IP address is greater than the first preset threshold includes: based on the user-mode protocol stack of DPDK, discarding the access request when the number of TCP connections corresponding to the target IP address is greater than the first preset threshold, so as to alleviate the connection-count overload. It can be understood that DPDK is a software library for accelerating data packet processing at the network protocol transport layer. DPDK has efficient processing capabilities, and the user-mode protocol stack based on DPDK can efficiently perform connection-count overload control.

When the number of TCP connections corresponding to the target IP address is greater than the first preset threshold, the service node discards only the current access request containing the target IP address and does not discard access requests containing other IP addresses. In this way, the service node does not affect the services of other tenants while performing connection-count overload control.

In a possible implementation, the overload control method in the object storage service system provided in the embodiments of the present application further includes: when the number of TCP connections corresponding to the target IP address is less than or equal to the first preset threshold, establishing a TCP connection between the user device and the service node.

In the present application, if the number of TCP connections corresponding to the target IP address is less than or equal to the first preset threshold, the number of TCP connections corresponding to the target IP address is not overloaded. The service node enters the TCP connection establishment process to establish a TCP connection between the user device and the service node, and places the TCP connection in the TCP full-connection queue maintained by the service node, where it waits for the application layer to process the access request corresponding to the TCP connection.

In a possible implementation, after the TCP connection between the user device and the service node is established, the overload control method provided in the embodiments of the present application further includes: determining whether the length of the access request queue corresponding to the storage bucket of the target tenant is greater than a second preset threshold; refusing to process the access request when the length of the access request queue is greater than the second preset threshold; and processing the access request when the length of the access request queue is less than or equal to the second preset threshold.

In the present application, each tenant corresponds to one access request queue, and the access request queue includes all access requests for which TCP connections have been established. After the processing at the network transmission protocol layer described above, in which the service node receives the access request and establishes the TCP connection corresponding to the access request, the access request is processed at the application layer.

For the target tenant, when the length of the access request queue corresponding to the storage bucket of the target tenant is greater than the second preset threshold, the target tenant is overloaded, and the service node refuses to process the access request; when the length of the access request queue is less than or equal to the second preset threshold, the target tenant is not overloaded, and the service node processes the access request to ensure the service quality of the tenant.

In a possible implementation, the first preset threshold is one half of the TCP full-connection queue capacity. The first preset threshold can be determined based on the TCP full-connection queue capacity (queue capacity can also be called queue depth), and it does not need to be adjusted with the processing capacity of the application layer.
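The two-stage admission check of the first aspect (per-target-IP connection count against the first preset threshold, then per-tenant request-queue length against the second), as an added C example that is not code from the patent or from any DPDK-based stack. The struct and function names, the 192.0.2.x addresses, the second-threshold value of 1000 and the shared-queue-full check are assumptions; the capacity of 60,000 and the one-half rule are the example values given in the description.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ACCEPT_QUEUE_CAPACITY 60000u                  /* example capacity from the description */
#define FIRST_THRESHOLD (ACCEPT_QUEUE_CAPACITY / 2u)  /* one half of the queue capacity */
#define SECOND_THRESHOLD 1000u                        /* assumed per-tenant request-queue limit */
#define MAX_IPS 8
#define MAX_TENANTS 16

enum verdict {
    ADMITTED = 0,        /* connection queued (transport) or request queued (application) */
    DROPPED_TRANSPORT,   /* per-IP connection count above the first threshold */
    DROPPED_QUEUE_FULL,  /* assumption: the shared accept queue has no free slot */
    REJECTED_TENANT,     /* tenant request queue above the second threshold */
    UNKNOWN_TARGET       /* IP not bound to this node, or nothing to consume */
};

struct service_node {
    uint32_t ip[MAX_IPS];            /* IP addresses bound to the node */
    uint32_t conns[MAX_IPS];         /* connections per target IP waiting in the accept queue */
    uint32_t total_conns;            /* occupancy of the shared accept queue */
    uint32_t req_queue[MAX_TENANTS]; /* pending requests per tenant (application layer) */
    int n_ips;
};

static uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

void node_init(struct service_node *n) { memset(n, 0, sizeof *n); }

int node_bind_ip(struct service_node *n, uint32_t ip)
{
    if (n->n_ips == MAX_IPS) return -1;
    n->ip[n->n_ips] = ip;
    return n->n_ips++;
}

static int find_ip(const struct service_node *n, uint32_t ip)
{
    for (int i = 0; i < n->n_ips; i++)
        if (n->ip[i] == ip) return i;
    return -1;
}

/* Transport-layer check, made before the handshake is completed. */
enum verdict transport_admit(struct service_node *n, uint32_t target_ip)
{
    int i = find_ip(n, target_ip);
    if (i < 0) return UNKNOWN_TARGET;
    if (n->conns[i] > FIRST_THRESHOLD) return DROPPED_TRANSPORT; /* only this IP is affected */
    if (n->total_conns >= ACCEPT_QUEUE_CAPACITY) return DROPPED_QUEUE_FULL;
    n->conns[i]++;        /* connection established and placed in the accept queue */
    n->total_conns++;
    return ADMITTED;
}

/* Application layer takes one connection off the accept queue and applies the tenant check. */
enum verdict app_consume(struct service_node *n, uint32_t target_ip, int tenant)
{
    int i = find_ip(n, target_ip);
    if (i < 0 || tenant < 0 || tenant >= MAX_TENANTS || n->conns[i] == 0)
        return UNKNOWN_TARGET;
    n->conns[i]--;
    n->total_conns--;
    if (n->req_queue[tenant] > SECOND_THRESHOLD) return REJECTED_TENANT;
    n->req_queue[tenant]++;   /* request waits here until a worker finishes it */
    return ADMITTED;
}

/* A worker finished one request of the tenant. */
void request_done(struct service_node *n, int tenant)
{
    if (tenant >= 0 && tenant < MAX_TENANTS && n->req_queue[tenant] > 0)
        n->req_queue[tenant]--;
}

/* Constructed load: `attempts` connection attempts to one IP while the application consumes nothing. */
uint32_t flood(struct service_node *n, uint32_t target_ip, uint32_t attempts)
{
    uint32_t admitted = 0;
    for (uint32_t k = 0; k < attempts; k++)
        if (transport_admit(n, target_ip) == ADMITTED) admitted++;
    return admitted;
}

int main(void)
{
    struct service_node n;
    node_init(&n);
    uint32_t ip1 = ip4(192, 0, 2, 1), ip2 = ip4(192, 0, 2, 2); /* constructed addresses */
    node_bind_ip(&n, ip1);
    node_bind_ip(&n, ip2);

    uint32_t admitted = flood(&n, ip1, 40000);
    printf("IP 1: %u of 40000 attempts queued, rest dropped\n", (unsigned)admitted);
    printf("IP 2 verdict during the flood: %d (0 = admitted)\n", (int)transport_admit(&n, ip2));
    printf("accept queue occupancy: %u of %u\n", (unsigned)n.total_conns, ACCEPT_QUEUE_CAPACITY);
    return 0;
}
```

Because the per-IP limit is half of the shared queue, a flood against one bound IP address can never occupy more than about half of the accept queue, which is why requests to the other addresses are still admitted.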

In a second aspect, an embodiment of the present application provides a service node. The service node is bound to multiple IP addresses, each of the multiple IP addresses corresponds to one or more tenants, and the service node includes a receiving module, a determining module, and a processing module. The receiving module is used to receive an access request from a user device, where the access request is used to request access to the storage bucket of a target tenant and includes a target IP address, the target IP address being one of the multiple IP addresses; the determining module is used to determine the number of TCP connections corresponding to the target IP address in the TCP full-connection queue of the service node; and the processing module is used to discard the access request when the number of TCP connections corresponding to the target IP address is greater than the first preset threshold.

In a possible implementation, the processing module is specifically used to discard the access request, based on the user-mode protocol stack of DPDK, when the number of TCP connections corresponding to the target IP address is greater than the first preset threshold.

In a possible implementation, the processing module is further used to establish a TCP connection between the user device and the service node when the number of TCP connections corresponding to the target IP address is less than or equal to the first preset threshold.

In a possible implementation, the determining module is further used to determine whether the length of the access request queue corresponding to the storage bucket of the target tenant is greater than a second preset threshold; the processing module is further used to refuse to process the access request when the length of the access request queue is greater than the second preset threshold, and to process the access request when the length of the access request queue is less than or equal to the second preset threshold.

In a possible implementation, the first preset threshold is one half of the TCP full-connection queue capacity.

In a third aspect, an embodiment of the present application provides a service node, including a memory and at least one processor connected to the memory. The memory is used to store computer program code, and the computer program code includes computer instructions that, when executed by the at least one processor, cause the computing device to perform the method described in the first aspect or any one of its possible implementations.

In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium storing computer instructions that, when run on a computer, perform the method described in the first aspect or any one of its possible implementations.

In a fifth aspect, an embodiment of the present application provides a computer program product that includes computer instructions. When the computer instructions are run on a computer, the method described in the first aspect or any one of its possible implementations is performed.

In a sixth aspect, an embodiment of the present application provides a chip, including a memory and a processor. The memory is used to store computer instructions, and the processor is used to call and run the computer instructions from the memory to perform the method described in the first aspect or any one of its possible implementations.

It should be understood that, for the beneficial effects achieved by the technical solutions of the second to sixth aspects of the present application and their corresponding possible implementations, reference can be made to the technical effects of the first aspect and its corresponding possible implementations described above, which are not repeated here.

Brief Description of the Drawings

FIG. 1 is a schematic diagram of the architecture of a communication system provided in an embodiment of the present application;

FIG. 2 is a schematic diagram of the hardware structure of a service node provided in an embodiment of the present application;

FIG. 3 is a schematic diagram of the correspondence between tenants and IP addresses in an object storage service system provided in an embodiment of the present application;

FIG. 4 is a first schematic diagram of an overload control method in an object storage service system provided in an embodiment of the present application;

FIG. 5 is a second schematic diagram of an overload control method in an object storage service system provided in an embodiment of the present application;

FIG. 6 is a first schematic diagram of the structure of a service node provided in an embodiment of the present application;

FIG. 7 is a second schematic diagram of the structure of a service node provided in an embodiment of the present application.

DETAILED DESCRIPTION

The term "and/or" in this document merely describes an association between associated objects and indicates that three relationships may exist. For example, A and/or B can mean: A exists alone, both A and B exist, or B exists alone.

The terms "first", "second", and the like in the description and claims of the embodiments of the present application are used to distinguish different objects, rather than to describe a specific order of the objects.

In the embodiments of the present application, words such as "exemplary" or "for example" are used to indicate an example, illustration, or description. Any embodiment or design described as "exemplary" or "for example" in the embodiments of the present application should not be interpreted as being more preferred or more advantageous than other embodiments or designs. Rather, the use of words such as "exemplary" or "for example" is intended to present related concepts in a concrete way.

In the description of the embodiments of the present application, unless otherwise specified, "plurality" means two or more.

First, some concepts involved in the overload control method and device in the object storage service system provided in the embodiments of the present application are explained.

1. Some concepts about the object storage service (OBS)

The basic components of the object storage service OBS are buckets and objects.

A bucket is a container for storing objects in OBS. Each bucket has attributes such as storage class, access permission, and region.

An object is the basic unit of data storage in OBS. An object comprises the data of a file and its related attribute information, in three parts: a key (Key), metadata (Metadata), and data (Data). Key is the name of the object; Metadata is the description information of the object, including system metadata and user metadata; Data is the data content of the file.

2. Tenants of the object storage service

A user who rents OBS resources is a tenant of the object storage service. A tenant can create buckets in OBS, configure bucket access policies, and so on through the OBS configuration interface or an application programming interface (for example, an API), and then upload objects to the buckets over the Internet. Optionally, a tenant can create one or more buckets.

After a tenant uploads objects to its bucket, other users (through their user devices) can access the tenant's bucket. Specifically, a user device can locate the bucket through the bucket's access domain name and then access the objects in the bucket.

In the embodiments of the present application, a tenant always refers to the owner of a bucket in OBS, and a user always refers to a visitor of a tenant's bucket.

The following introduces the architecture of a communication system for an object storage service with reference to FIG. 1. As shown in FIG. 1, the communication system includes a user device 101 (such as a mobile phone), a border router (BR) 102, and an OBS system 103. The OBS system 103 may include multiple clusters (only one cluster is illustrated in FIG. 1), a cluster includes multiple service nodes, and the service nodes are responsible for creating and managing buckets, among other tasks.

The user holds the user device 101. Through the Internet and the border router 102, the user device 101 can access a service node in the OBS system 103 and obtain objects from a bucket created by the service node.

With reference to FIG. 1, a cluster in the OBS system 103 presents, as a whole, one IP address to the outside, and this IP address is a virtual IP address. Usually, one IP address carries nearly one million tenants; that is, all tenants of the buckets on the multiple service nodes in the OBS system 103 correspond to one IP address.

For a given tenant, a user sends an access request through a user device, and the access request is used to access objects in that tenant's bucket. After receiving the access request, the service node establishes a communication connection (for example, a transmission control protocol (TCP) connection) between the user device and the service node, after which the user device can communicate with the service node to transmit data. In some cases, many users may access the tenant's bucket. When the tenant receives too many access requests, too many connections are established for data transmission in response to those requests. In this case, the tenant is considered to be under a connection number attack, or the tenant is considered overloaded.

Because all tenants in a cluster present the same IP address to the outside, a connection number attack on one tenant affects access to all tenants on the entire cluster; that is, it affects other users' access to the other tenants in the cluster.

At present, one solution for handling a connection number attack is for an administrator to log in to the service node and then block the access requests of certain user devices using iptable technology. It should be understood that iptable is a firewall, and the service node uses iptable in kernel mode to block source IP addresses (a source IP address is the IP address of a user device). For more details about using iptable technology to block the access requests of user devices, refer to existing technical materials; the embodiments of this application do not describe them in detail.

In the above solution of handling a connection number attack with iptable technology, the tenant is already under a connection number attack, so the processing efficiency of the service node is very low. The administrator may then be unable to log in to the service node, and therefore the connection number attack cannot be handled in a timely and effective manner.

Another solution for handling a connection number attack is to block source IP addresses on the border router. In this solution, the blocked source IP addresses are too scattered; for example, the access requests of legitimate users may be blocked, which seriously affects services and puts the users' business at risk.

In view of the above problems, an embodiment of the present application provides an overload control method and device in an object storage service system. The method is applied to a service node in the object storage service system. The service node is bound to multiple IP addresses, and each of the multiple IP addresses corresponds to one or more tenants. The overload control method includes: the service node receives an access request from a user device, where the access request is used to request access to the storage bucket of a target tenant and includes a target IP address, the target IP address being one of the multiple IP addresses; then, the service node determines the number of TCP connections corresponding to the target IP address in the TCP full connection queue of the service node; and, if the number of TCP connections corresponding to the target IP address is greater than a first preset threshold, the service node discards the access request of the user device. The technical solution provided by the embodiment of the present application can effectively reduce the impact range of a connection number attack and avoid affecting the tenants of the entire cluster.

In addition, compared with the above method in which an administrator logs in to the service node to perform overload control, the technical solution provided by the embodiment of the present application requires no administrator involvement and performs overload control adaptively. Compared with the above solution of performing overload control on the border router, the technical solution provided by the embodiment of the present application controls the number of TCP connections corresponding to the tenant's IP address (the destination IP address) and no longer controls the number of connections by blocking the source IP address (the user's IP address). It can therefore reduce the impact on users' services.

In the embodiment of the present application, the device that executes the above overload control method is a service node of the OBS system shown in FIG. 1. The scheduler may be a device such as a desktop computer, a portable computer, or a personal digital assistant (PDA). The service node may also be one or more functional modules in a device; such a functional module may be a component in a hardware device, software running on dedicated hardware, or a combination of hardware and software. Optionally, the service node may be implemented by one device or by multiple devices, which is not specifically limited in the embodiment of the present application.

Refer to FIG. 2 for an introduction to the hardware structure of the service node provided in the present application. The various components shown in FIG. 2 may be implemented in hardware, software, or a combination of hardware and software, including one or more signal processing circuits and/or application-specific integrated circuits. As shown in FIG. 2, the service node may include a processor 201, a memory 202, and a communication interface 203. The processor 201, the memory 202, and the communication interface 203 may be connected via a bus 204 or connected to each other in other ways.

The processor 201 is the control center of the service node. The processor 201 may be a general-purpose central processing unit (CPU) or another general-purpose processor, where a general-purpose processor may be a microprocessor or any conventional processor. For example, the processor 201 may include an application processor (AP), a graphics processing unit (GPU), an image signal processor (ISP), a controller, and so on.

The controller in the processor 201 is the nerve center and command center of the service node. The controller can generate operation control signals according to instruction opcodes and timing signals to control instruction fetching and instruction execution. Optionally, a memory may also be provided in the processor 201 to store instructions and data. Exemplarily, the processor 201 may include one or more CPUs, such as CPU 0 and CPU 1 shown in FIG. 2.

The memory 202 includes, but is not limited to, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM), a flash memory, an optical memory, a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. In the embodiment of the present application, the memory 202 can store information such as computer instructions.

In one possible implementation, the memory 202 may exist independently of the processor 201. The memory 202 may be connected to the processor 201 via the bus 204 and used to store data, instructions, or program code. When the processor 201 calls and executes the instructions or program code stored in the memory 202, the overload control method in the object storage service system provided in the embodiment of the present application can be implemented.

In another possible implementation, the memory 202 may also be integrated with the processor 201.

The communication interface 203 may be a transceiver module used to communicate with other devices or communication networks, such as Ethernet, a RAN, or a wireless local area network (WLAN). The communication interface 203 can receive instructions, messages, data, and so on. The transceiver module may be a device such as a transceiver. Optionally, the communication interface 203 may also be a transceiver circuit located in the processor 201, used to implement signal input and signal output of the processor. The communication interface 203 may be a wired interface (port), such as a fiber distributed data interface (FDDI) or a gigabit Ethernet (GE) interface, or the communication interface 203 may be a wireless interface.

The bus 204 may be an industry standard architecture (ISA) bus, a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is used in FIG. 2, but this does not mean that there is only one bus or one type of bus.

It should be noted that the service node shown in FIG. 2 is only one example of a service node. The service node may have more or fewer components than those shown in FIG. 2, may combine two or more components, or may have a different component configuration.

The following describes, with reference to the accompanying drawings, the overload control method in an object storage service system provided by an embodiment of the present application. The method is applied to a service node in the object storage service system. The service node is bound to multiple IP addresses (the multiple IP addresses are virtual IP addresses), and each of the multiple IP addresses corresponds to one or more tenants. In the embodiment of the present application, the OBS system presents multiple IP addresses to the outside, and these IP addresses are mounted on a single service node; that is, one service node is bound to multiple IP addresses. Moreover, each of the multiple IP addresses corresponds to one or more tenants, that is, the tenants are hashed across different IP addresses. For example, in FIG. 3, tenant 1 and tenant 2 correspond to IP address 1, tenant 3 and tenant 4 correspond to IP address 2, ..., and tenant 199 and tenant 200 correspond to IP address 100.

As shown in FIG. 4, the overload control method in the object storage service system provided in the embodiment of the present application may include the following steps:

S301. Receive an access request from a user device, where the access request includes a target IP address.

The access request is used to request access to the storage bucket of the target tenant (the storage bucket is the bucket created by the target tenant, and objects are stored in it). The target IP address in the access request is one of the multiple IP addresses bound to the service node.

It should be understood that the specific process by which the service node receives the access request from the user device includes S1-S3:

S1. The user device sends an access request to the domain name server, where the access request includes the domain name of the target tenant's bucket.

The domain name of a bucket can be written as bucket1.region1.com, where bucket1 is the identifier of the bucket and region1 indicates the region where the bucket is located. The domain name of a bucket is unique, and each bucket corresponds to one tenant, so the domain name of the bucket also carries the tenant attribute.

S2. The domain name server sends the target IP address to the user device according to the domain name of the target tenant's bucket.

The domain name server stores the correspondence between bucket identifiers and IP addresses. The domain name server can determine the target IP address corresponding to the bucket according to the domain name of the target tenant's bucket in the access request, and then return the target IP address to the user device. It can be understood that the bucket in the OBS system can be accessed through the target IP address.

S3. The user device sends an access request containing the target IP address to the service node. Correspondingly, the service node receives the access request from the user device.

S302. Determine the number of TCP connections corresponding to the target IP address in the TCP full connection queue of the service node.

It can be understood that, usually, after the service node receives the access request of the user device, the service node enters the TCP connection establishment process at the network transport protocol layer, for example establishing a TCP connection with the user device through a three-way handshake. For the TCP connection establishment process, refer to the prior art. After the service node completes the TCP connection establishment process, it places the TCP connection into the TCP full connection queue maintained by the service node, and the service node then processes (or consumes), at the application layer, the access requests corresponding to the TCP connections in the TCP full connection queue. In the embodiment of the present application, after the service node receives the access request of the user device, it does not directly enter the TCP connection establishment process. Instead, it first determines, according to the target IP address in the access request, the number of TCP connections corresponding to that target IP address in the TCP full connection queue of the service node, and judges from that number whether a connection number attack is occurring.

S303. When the number of TCP connections corresponding to the target IP address is greater than a first preset threshold, discard the access request.

The service node controls the number of connections corresponding to the target IP address at the network protocol transport layer. If the number of TCP connections corresponding to the target IP address is greater than the first preset threshold, the number of TCP connections corresponding to that target IP is overloaded, so the service node discards the access request (this can also be called rejecting the access request) to relieve the connection overload. For example, with reference to FIG. 4 above, assume that the target IP address is IP address 1 and that IP address 1 corresponds to tenant 1 and tenant 2. If the number of TCP connections corresponding to IP address 1 is overloaded, this indicates that tenant 1 and/or tenant 2 is under a connection number attack.

The first preset threshold can be determined according to the capacity of the TCP full connection queue (queue capacity can also be called queue depth), and the first preset threshold does not need to be adjusted with the processing capacity of the application layer. Optionally, the TCP full connection queue capacity refers to the maximum number of TCP connections that the TCP full connection queue can hold. Optionally, the first preset threshold is one half of the TCP full connection queue capacity. For example, the capacity of the TCP full connection queue can be 60000, in which case the first preset threshold is 30000.

In one implementation, the above S303 is specifically implemented through S3031.

S3031. Based on a user-mode protocol stack built on the data plane development kit (Intel data plane development kit, DPDK), discard the access request when the number of TCP connections corresponding to the target IP address is greater than the first preset threshold.

It can be understood that DPDK is a software library used to accelerate data packet processing. DPDK has efficient processing capabilities, and a user-mode protocol stack based on DPDK can perform connection-number overload control efficiently.

S304. When the number of TCP connections corresponding to the target IP address is less than or equal to the first preset threshold, establish a TCP connection between the user device and the service node.

In the embodiment of the present application, if the number of TCP connections corresponding to the target IP address is less than or equal to the first preset threshold, the number of TCP connections corresponding to that target IP is not overloaded. The service node enters the TCP connection establishment process to establish a TCP connection between the user device and the service node, places the TCP connection into the TCP full connection queue maintained by the service node, and waits for the application layer to process the access request corresponding to the TCP connection. For example, with reference to FIG. 4 above, assume that the target IP address is IP address 2 and that IP address 2 corresponds to tenant 3 and tenant 4. If the number of TCP connections corresponding to IP address 2 is not overloaded, tenant 3 and tenant 4 are not under a connection number attack, and the service node can process the access requests of tenant 3 and tenant 4 normally.

In summary, when the number of TCP connections corresponding to the target IP address is greater than the first preset threshold, the service node discards only the current access request containing that target IP address and does not discard access requests containing other IP addresses. In this way, the service node's connection-number overload control does not affect the services of other tenants. Exemplarily, referring to FIG. 4, if the target IP address is IP address 1 and the number of TCP connections corresponding to IP address 1 is greater than the first preset threshold, the service node discards the access requests for the storage buckets of tenant 1 and/or tenant 2 and processes access requests for the storage buckets of other tenants normally; for example, the service node processes the service requests of tenant 3 to tenant 200 normally. That is, while performing TCP connection-number overload control, the service node minimizes the impact range of the connection number attack and avoids affecting the tenants of the entire cluster, so that tenants do not interfere with each other.

With reference to FIG. 4, and as shown in FIG. 5, after the TCP connection between the user device and the service node is established, the overload control method in the object storage service system provided by the embodiment of the present application further includes:

S305. Determine whether the length of the access request queue corresponding to the storage bucket of the target tenant is greater than a second preset threshold.

S306. When the length of the access request queue is greater than the second preset threshold, refuse to process the access request.

S307. When the length of the access request queue is less than or equal to the second preset threshold, process the access request.

It should be noted that the above S305-S307 are actions performed by the service node at the application layer.

In the embodiment of the present application, each tenant corresponds to one access request queue, and the access request queue includes all access requests for which TCP connections have been established. After the processing at the network transport protocol layer described above, in which the service node receives the access request and establishes the corresponding TCP connection, the service node processes the access request at the application layer.

For the target tenant, if the length of the access request queue corresponding to the target tenant's storage bucket is greater than the second preset threshold, the target tenant is overloaded, and the service node refuses to process the access request. If the length of the access request queue is less than or equal to the second preset threshold, the target tenant is not overloaded, and the service node processes the access request to guarantee the tenant's quality of service.
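The two checks of S302-S304 and S305-S307 can be seen working together in the following added example, which is not code from the patent. The structures, function names, the two-tenants-per-address mapping and the small threshold values are assumptions chosen so that the isolation between IP addresses and between tenants is visible.

```c
/* Added illustration, not code from the patent: the two overload checks
 * on one service node. Names and the small limits are constructed. */
#include <stdio.h>
#include <string.h>

#define NUM_VIPS         3  /* constructed: IP addresses bound to the node */
#define TENANTS_PER_VIP  2  /* as in FIG. 3: two tenants share each address */
#define NUM_TENANTS      (NUM_VIPS * TENANTS_PER_VIP)
#define QUEUE_CAPACITY   8  /* constructed; the page's example is 60000 */
#define FIRST_THRESHOLD  (QUEUE_CAPACITY / 2) /* page: optionally half */
#define SECOND_THRESHOLD 2  /* constructed per-tenant request-queue limit */

enum verdict { INVALID, DROPPED, CONNECTED, REJECTED, PROCESSING };

struct service_node {
    int queued_conns[NUM_VIPS];     /* full connection queue, per target IP */
    int request_queue[NUM_TENANTS]; /* access request queue, per tenant */
};

/* Hypothetical tenant-to-address mapping: tenants 0,1 -> IP 0, and so on. */
static int vip_of_tenant(int tenant) { return tenant / TENANTS_PER_VIP; }

/* Transport layer, S302-S304: count connections for the target IP only. */
enum verdict transport_admit(struct service_node *n, int target_vip)
{
    if (target_vip < 0 || target_vip >= NUM_VIPS)
        return INVALID;
    if (n->queued_conns[target_vip] > FIRST_THRESHOLD)
        return DROPPED;                 /* S303: discard, no handshake */
    n->queued_conns[target_vip]++;      /* S304: connection enters the queue */
    return CONNECTED;
}

/* Application layer, S305-S307: consume one queued connection for the
 * tenant, then check that tenant's own access request queue. */
enum verdict app_admit(struct service_node *n, int tenant)
{
    int vip;

    if (tenant < 0 || tenant >= NUM_TENANTS)
        return INVALID;
    vip = vip_of_tenant(tenant);
    if (n->queued_conns[vip] == 0)
        return INVALID;                 /* nothing queued for this address */
    n->queued_conns[vip]--;
    if (n->request_queue[tenant] > SECOND_THRESHOLD)
        return REJECTED;                /* S306 */
    n->request_queue[tenant]++;         /* S307: request is being processed */
    return PROCESSING;
}

struct demo_result {
    int flood_admitted;            /* connections granted to the flooded IP */
    enum verdict flooded_vip_next; /* one more request to the flooded IP */
    enum verdict neighbour_vip;    /* request to another IP during the flood */
    int busy_tenant_processing;    /* requests of tenant 4 being processed */
    enum verdict cotenant;         /* tenant 5, same IP as tenant 4 */
};

struct demo_result run_demo(void)
{
    struct service_node n;
    struct demo_result r;
    int i;

    memset(&n, 0, sizeof n);
    memset(&r, 0, sizeof r);

    /* Constructed flood: 20 requests to IP 0 while the application stalls. */
    for (i = 0; i < 20; i++)
        if (transport_admit(&n, 0) == CONNECTED)
            r.flood_admitted++;
    r.flooded_vip_next = transport_admit(&n, 0);
    r.neighbour_vip = transport_admit(&n, 1);

    /* Tenant 4 (IP 2) sends 6 requests that are accepted but never finish. */
    for (i = 0; i < 6; i++)
        if (transport_admit(&n, vip_of_tenant(4)) == CONNECTED &&
            app_admit(&n, 4) == PROCESSING)
            r.busy_tenant_processing++;
    /* Tenant 5 shares IP 2 with tenant 4 but has its own request queue. */
    transport_admit(&n, vip_of_tenant(5));
    r.cotenant = app_admit(&n, 5);
    return r;
}

int main(void)
{
    struct demo_result r = run_demo();
    printf("flooded IP: admitted=%d next=%d, neighbour IP=%d\n",
           r.flood_admitted, r.flooded_vip_next, r.neighbour_vip);
    printf("busy tenant processing=%d, co-tenant=%d\n",
           r.busy_tenant_processing, r.cotenant);
    return 0;
}
```

Because the page discards only when the count is greater than the threshold, the flooded address holds one connection more than the threshold before requests start being dropped.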

Based on the above, in the overload control method in the object storage system provided by the embodiment of the present application, the service node receives, from a user device, an access request that includes a target IP address and is used to request access to the storage bucket of a target tenant. The service node is bound to multiple IP addresses, each of the multiple IP addresses corresponds to one or more tenants, and the target IP address is one of the multiple IP addresses. The service node then determines the number of TCP connections corresponding to the target IP address in the TCP full connection queue of the service node and, when the number of TCP connections corresponding to the target IP address is greater than the first preset threshold, discards the access request of the user device. Because each of the multiple IP addresses bound to the service node corresponds to one or more tenants, when the number of connections corresponding to the target IP address is overloaded, the service node discards the access requests of the tenants corresponding to that target IP address and processes the access requests corresponding to other IP addresses normally. In this way, the impact range of a connection number attack can be effectively reduced, and the tenants of the entire cluster are not affected.

Accordingly, an embodiment of this application provides a service node. The service node may be divided into functional modules according to the method examples above. For example, one functional module may be defined for each function, or two or more functions may be integrated into one processing module. The integrated module may be implemented in hardware or as a software functional module. Note that the division into modules in the embodiments of this application is illustrative and is only a division by logical function; other divisions are possible in an actual implementation.

Where one functional module is defined for each function, FIG. 6 shows a possible structural diagram of the service node involved in the above embodiments. The service node is bound to multiple IP addresses, each of which corresponds to one or more tenants. As shown in FIG. 6, the service node includes a receiving module 601, a determining module 602, and a processing module 603. The receiving module 601 is configured to receive an access request from a user device, where the access request is used to request access to the storage bucket of a target tenant and includes a target IP address that is one of the multiple IP addresses, for example by performing S301 in the above method embodiment. The determining module 602 is configured to determine the number of TCP connections corresponding to the target IP address in the service node's TCP full-connection queue, for example by performing S302 in the above method embodiment. The processing module 603 is configured to discard the access request when the number of TCP connections corresponding to the target IP address is greater than the first preset threshold, for example by performing S303 in the above method embodiment.

Optionally, the processing module 603 is specifically configured to discard the access request, based on a DPDK user-mode protocol stack, when the number of TCP connections corresponding to the target IP address is greater than the first preset threshold, for example by performing S3031 in the above method embodiment. The processing module 603 is further configured to establish a TCP connection between the user device and the service node when the number of TCP connections corresponding to the target IP address is less than or equal to the first preset threshold, for example by performing S304 in the above method embodiment. The determining module 602 is further configured to determine whether the length of the access request queue corresponding to the target tenant's storage bucket is greater than the second preset threshold, for example by performing S305 in the above method embodiment. The processing module 603 is further configured to refuse to process the access request when the length of the access request queue is greater than the second preset threshold, and to process the access request when the length of the access request queue is less than or equal to the second preset threshold, for example by performing S306-S307 in the above method embodiment.

The modules of the service node may also be used to perform other actions in the above method embodiments. All relevant content of the steps involved in the above method embodiments may be cited in the functional description of the corresponding functional module and is not repeated here.

Where an integrated unit is used, FIG. 7 shows another possible structural diagram of the service node involved in the above embodiments. As shown in FIG. 7, the service node provided in the embodiments of this application may include a processing module 701 and a communication module 702. The processing module 701 may be used to control and manage the actions of the service node. For example, the processing module 701 may be used to support the service node in performing S302, S303 (including S3031), and S304-S307 in the above method embodiment, and/or other processes of the technology described herein. The communication module 702 may be used to support communication between the service node and other network entities, such as communication between the service node and a computing node. For example, the communication module 702 may be used to support the service node in performing S301 in the above method embodiment. Optionally, as shown in FIG. 7, the service node may also include a storage module 703 for storing computer instructions and data.

The processing module 701 may be a processor or a controller (for example, the processor 201 shown in FIG. 2). The processor may also be a combination that implements computing functions, such as a combination of one or more microprocessors, or a combination of a DSP and a microprocessor. The communication module 702 may be a communication interface (for example, the communication interface 203 shown in FIG. 2). The storage module 703 may be a memory (for example, the memory 202 shown in FIG. 2). When the processing module 701 is a processor, the communication module 702 is a communication interface, and the storage module 703 is a memory, the processor, the transceiver, and the memory may be connected via a bus.

For more details on how the modules of the service node implement the above functions, refer to the descriptions in the preceding method embodiments, which are not repeated here. The embodiments in this specification are described progressively: for parts that are the same or similar, the embodiments may be referred to one another, and each embodiment focuses on its differences from the others.

The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented using a software program, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions according to the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another. For example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired means (for example, coaxial cable, optical fiber, or digital subscriber line (DSL)) or wireless means (for example, infrared, radio, or microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, a magnetic disk, or a magnetic tape), an optical medium (for example, a digital video disc (DVD)), or a semiconductor medium (for example, a solid state drive (SSD)).

From the description of the above implementations, those skilled in the art can clearly understand that, for convenience and brevity of description, only the above division into functional modules is used as an example. In practice, the above functions may be assigned to different functional modules as needed; that is, the internal structure of the device may be divided into different functional modules to complete all or part of the functions described above. For the specific working processes of the system, device, and units described above, refer to the corresponding processes in the preceding method embodiments, which are not repeated here.

In the several embodiments provided in this application, it should be understood that the disclosed systems, devices, and methods may be implemented in other ways. For example, the device embodiments described above are only illustrative. The division into modules or units is only a division by logical function, and other divisions are possible in an actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual coupling, direct coupling, or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices, or units, and may be electrical, mechanical, or in another form.

The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, the functional units in the embodiments of this application may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in hardware or as a software functional unit.

If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) or a processor to perform all or part of the steps of the methods described in the embodiments of this application. The aforementioned storage medium includes various media that can store program code, such as flash memory, removable hard disks, read-only memory, random access memory, magnetic disks, and optical discs.

The above are only specific implementations of this application, but the protection scope of this application is not limited thereto. Any change or substitution within the technical scope disclosed in this application shall fall within the protection scope of this application. Therefore, the protection scope of this application shall be subject to the protection scope of the claims.

Claims (12)

1. An overload control method in an object storage service system, characterized in that it is applied to a service node in the object storage service system, the service node is bound to multiple IP addresses, each of the multiple IP addresses corresponds to one or more tenants, and the method comprises:
receiving an access request from a user device, wherein the access request is used to request access to a storage bucket of a target tenant, the access request includes a target IP address, and the target IP address is one of the multiple IP addresses;
determining the number of TCP connections corresponding to the target IP address in the Transmission Control Protocol (TCP) full-connection queue of the service node; and
discarding the access request when the number of TCP connections corresponding to the target IP address is greater than a first preset threshold.

2. The method according to claim 1, characterized in that discarding the access request when the number of TCP connections corresponding to the target IP address is greater than the first preset threshold comprises:
discarding the access request, based on a user-mode protocol stack of the Data Plane Development Kit (DPDK), when the number of TCP connections corresponding to the target IP address is greater than the first preset threshold.

3. The method according to claim 1 or 2, characterized in that the method further comprises:
establishing a TCP connection between the user device and the service node when the number of TCP connections corresponding to the target IP address is less than or equal to the first preset threshold.

4. The method according to claim 3, characterized in that, after the TCP connection between the user device and the service node is established, the method further comprises:
determining whether the length of the access request queue corresponding to the storage bucket of the target tenant is greater than a second preset threshold;
refusing to process the access request when the length of the access request queue is greater than the second preset threshold; and
processing the access request when the length of the access request queue is less than or equal to the second preset threshold.

5. The method according to any one of claims 1 to 4, characterized in that the first preset threshold is one half of the capacity of the TCP full-connection queue.

6. A service node, characterized in that the service node is bound to multiple IP addresses, each of the multiple IP addresses corresponds to one or more tenants, and the service node comprises a receiving module, a determining module, and a processing module;
the receiving module is configured to receive an access request from a user device, wherein the access request is used to request access to a storage bucket of a target tenant, the access request includes a target IP address, and the target IP address is one of the multiple IP addresses;
the determining module is configured to determine the number of TCP connections corresponding to the target IP address in the Transmission Control Protocol (TCP) full-connection queue of the service node; and
the processing module is configured to discard the access request when the number of TCP connections corresponding to the target IP address is greater than a first preset threshold.

7. The service node according to claim 6, characterized in that the processing module is specifically configured to discard the access request, based on a user-mode protocol stack of the Data Plane Development Kit (DPDK), when the number of TCP connections corresponding to the target IP address is greater than the first preset threshold.

8. The service node according to claim 6 or 7, characterized in that the processing module is further configured to establish a TCP connection between the user device and the service node when the number of TCP connections corresponding to the target IP address is less than or equal to the first preset threshold.

9. The service node according to claim 8, characterized in that:
the determining module is further configured to determine whether the length of the access request queue corresponding to the storage bucket of the target tenant is greater than a second preset threshold; and
the processing module is further configured to refuse to process the access request when the length of the access request queue is greater than the second preset threshold, and to process the access request when the length of the access request queue is less than or equal to the second preset threshold.

10. The service node according to any one of claims 6 to 9, characterized in that the first preset threshold is one half of the capacity of the TCP full-connection queue.

11. A service node, characterized in that it comprises a memory and at least one processor connected to the memory, the memory is configured to store computer program code, the computer program code comprises computer instructions, and when the computer instructions are executed by the at least one processor, the computing device is caused to perform the method according to any one of claims 1 to 5.

12. A computer-readable storage medium, characterized in that it stores computer instructions, and when the computer instructions are run on a computer, the method according to any one of claims 1 to 5 is performed.
PCT/CN2024/074758 2023-01-31 2024-01-30 Overload control method and device in object storage service system Ceased WO2024160207A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202310064237.5 2023-01-31
CN202310064237.5A CN118474122A (en) 2023-01-31 2023-01-31 Overload control method and device in object storage service system

Publications (2)

Publication Number Publication Date
WO2024160207A1 true WO2024160207A1 (en) 2024-08-08
WO2024160207A9 WO2024160207A9 (en) 2024-12-05

Family

ID=92145837

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2024/074758 Ceased WO2024160207A1 (en) 2023-01-31 2024-01-30 Overload control method and device in object storage service system

Country Status (2)

Country Link
CN (1) CN118474122A (en)
WO (1) WO2024160207A1 (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170171144A1 (en) * 2015-12-09 2017-06-15 Bluedata Software, Inc. Management of domain name systems in a large-scale processing environment
US9807016B1 (en) * 2015-09-29 2017-10-31 Juniper Networks, Inc. Reducing service disruption using multiple virtual IP addresses for a service load balancer
CN109561109A (en) * 2019-01-16 2019-04-02 新华三技术有限公司 A kind of message processing method and device
CN111770137A (en) * 2020-05-29 2020-10-13 苏州浪潮智能科技有限公司 A load balancing method and system based on IPv6 mechanism
WO2022022530A1 (en) * 2020-07-31 2022-02-03 华为技术有限公司 Method for determining public network address of mptcp server and communication device
CN114090280A (en) * 2021-10-12 2022-02-25 新浪网技术(中国)有限公司 Interaction method and device based on remote procedure call protocol

Also Published As

Publication number Publication date
CN118474122A (en) 2024-08-09
WO2024160207A9 (en) 2024-12-05

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 24749686

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 24749686

Country of ref document: EP

Kind code of ref document: A1