Design And Implementation Of Warden Multi-tenancy Network Isolation

Posted on: 2017-05-18
Degree: Master
Type: Thesis
Country: China
Candidate: C B Lai
Full Text: PDF
GTID: 2308330482481822
Subject: Computer application technology

Abstract/Summary:
In recent years, cloud computing has gradually been put into practice, its ecosystem has matured, and it is increasingly accepted by enterprises. Container technology has been under development for a long time but did not receive enough attention. Recently, with Docker, LXC and Warden as representative container technologies, more and more enterprises have begun to use containers in production environments. Container technology provides resource constraints and resource isolation, but it only provides PID, NETWORK, UTS, IPC, USER, MOUNT, etc., which still leaves a gap before container technology can be used safely. This thesis first analyzes the Warden source code from three aspects, the Warden server, the Warden client and the communication protocol, and describes the design and implementation of Warden. Starting from the current Warden network architecture, it analyzes the defects of the current Warden container: Warden does not support multi-tenancy network isolation or communication between containers, among other issues. It analyzes three cross-host connectivity solutions, route, tunnel and bridge, compares their advantages and disadvantages, and ultimately chooses the bridge as the cross-host connectivity solution. VLAN technology is used to isolate the container network. The thesis analyzes the problems that arise once the tenant gateway is introduced in the new version of Warden and uses iptables to achieve gateway isolation. To provide global IP addresses for containers, IP address allocation is introduced and the implementation of the IP address distributor is described. The design and implementation of the bandwidth allocation algorithm are then presented. Finally, functional testing and performance testing of Warden are carried out to verify the effectiveness and performance of multi-tenancy isolation.
Keywords/Search Tags: container, multi-tenancy, warden, vlan, bandwidth allocation, network isolation