CN-122027181-A - Authentication of network-based virtual machine replication
Abstract
Authentication of network-based virtual machine replication is provided, in the form of a method and system for configuring a data modification filter in a virtualized environment. The data modification filter is installed in a virtual machine manager of a virtualized host, wherein the virtual machine manager executes a virtual machine. The data modification filter intercepts data modification operations from the virtual machine. The virtual machine manager includes a certificate management service that stores private certificates for data modification filters and public certificates for replication processing services. The data modification filter retrieves the certificates from the certificate management service, establishes an authenticated network connection with the replication processing service using the certificates, and sends the intercepted data modification operations to the replication processing service over the authenticated connection. The system enables secure replication of data changes in a virtualized environment.
Inventors
- O. Ulezki
- G. Barash
- B-H. Asulin
- R. Roma
Assignees
- Hewlett Packard Enterprise Development LP
Dates
- Publication Date: 20260512
- Application Date: 20250718
- Priority Date: 20241111
Claims (20)
- 1. A method, comprising: installing a data modification filter in a virtual machine manager of a virtualized host, the virtual machine manager executing a virtual machine, wherein the data modification filter intercepts data modification operations from the virtual machine, and wherein the virtual machine manager includes a certificate management service that stores private certificates for the data modification filter and public certificates for a replication processing service; and instructing the data modification filter to: retrieve the private certificate and the public certificate from the certificate management service; establish an authenticated network connection with the replication processing service using the private certificate and the public certificate; and send the data modification operation to the replication processing service over the authenticated network connection.
- 2. The method of claim 1, wherein instructing the data modification filter to establish the authenticated network connection comprises instructing the data modification filter to: encrypt a request for the replication processing service using the private certificate; and decrypt a response from the replication processing service using the public certificate.
- 3. The method of claim 1, wherein the data modification filter is one of a plurality of data modification filters installed in the virtual machine manager, and each of the plurality of data modification filters is instructed to retrieve the private certificate and the public certificate from the certificate management service.
- 4. The method of claim 1, further comprising: installing the certificate management service in the virtual machine hypervisor of the virtualized host; and loading the private certificate and the public certificate into the certificate management service.
- 5. The method of claim 4, wherein loading the private certificate and the public certificate into the certificate management service comprises instructing the certificate management service to store the private certificate and the public certificate in a file on the virtual machine manager and to provide the private certificate and the public certificate from the file to the data modification filter.
- 6. The method of claim 1, wherein instructing the data modification filter to retrieve the private certificate and the public certificate comprises instructing the data modification filter to establish an inter-process communication channel between the data modification filter and the certificate management service, wherein the certificate is transmitted over the inter-process communication channel.
- 7. The method of claim 1, wherein the virtualized host is located at an active site, and the method further comprises: instructing the replication processing service to replicate the data change operation to a backup site.
- 8. The method of claim 1, wherein the data modification operations comprise input/output operations to a virtual storage disk, and each of the input/output operations comprises an offset and binary data of the virtual storage disk.
- 9. The method of claim 1, wherein the data modification operation comprises an input/output operation to the virtual storage disk, and the data modification filter intercepts the data modification operation by asynchronously replicating the input/output operation without preventing the input/output operation from proceeding to the virtual storage disk.
- 10. An apparatus, comprising: a processor; and a non-transitory computer readable medium storing instructions that, when executed by the processor, cause the processor to: install a data modification filter in a virtual machine hypervisor, wherein the virtual machine hypervisor executes a virtual machine, and wherein the data modification filter intercepts data modification operations from the virtual machine; generate a first private certificate for the data modification filter and a first public certificate for the replication processing service; and after installing the data modification filter in the virtual machine hypervisor, provide the first private certificate and the first public certificate to the data modification filter.
- 11. The apparatus of claim 10, wherein the instructions further cause the processor to: generate a second public certificate for the data modification filter and a second private certificate for the replication processing service; and provide the second private certificate and the second public certificate to the replication processing service.
- 12. A system, comprising: a first replication host at the active site; and a virtualization host at the active site, the virtualization host comprising a virtual machine manager, the virtual machine manager comprising a certificate management service, the virtualization host configured to: install a first data modification filter in the virtual machine hypervisor, the first data modification filter configured to intercept a first data modification operation from a first virtual machine executing on the virtual machine hypervisor; provide a private certificate and a public certificate from the certificate management service to the first data modification filter; establish an authenticated network connection with the first replication host using the private certificate and the public certificate; and send the first data modification operation to the first replication host over the authenticated network connection.
- 13. The system of claim 12, wherein the virtualized host is configured to establish the authenticated network connection with the first replication host by asymmetrically encrypting communications with the first replication host.
- 14. The system of claim 12, wherein the virtualization host is further configured to: install a second data modification filter in the virtual machine manager, the second data modification filter configured to intercept second data modification operations from a second virtual machine executing on the virtual machine manager; and provide the private certificate and the public certificate from the certificate management service to the second data modification filter.
- 15. The system of claim 12, further comprising: a management host configured to: install the certificate management service in the virtual machine hypervisor of the virtualized host; and load the private certificate and the public certificate into the certificate management service.
- 16. The system of claim 12, wherein the first data modification filter comprises a first process executing in the virtual machine hypervisor, the certificate management service comprises a second process executing in the virtual machine hypervisor, and the virtualization host is configured to provide the private certificate and the public certificate to the first data modification filter by sending the private certificate and the public certificate from the second process to the first process.
- 17. The system of claim 12, further comprising: a second replication host at a backup site, the backup site being different from the active site, wherein the first replication host is configured to replicate the first data modification operation to the second replication host.
- 18. The system of claim 17, further comprising: a data store at the backup site, wherein the second replication host is configured to record the first data change operation on the data store.
- 19. The system of claim 12, wherein the first replication host is virtual.
- 20. The system of claim 12, wherein the first replication host is physical.
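The filter-side behaviour recited in claims 1, 8 and 9, as an added sketch that is not taken from the patent or from any product: each write (offset plus binary data) is copied into a bounded queue without holding up the disk write, and nothing is forwarded unless the peer's certificate matches the copy obtained from the certificate management service. The class and function names, the wire format and the fingerprint comparison (standing in for what a TLS handshake would check) are all assumptions.

```python
import hashlib
import hmac
import queue
import struct

HEADER = struct.Struct(">QI")  # assumed wire format: 8-byte offset, 4-byte length


def encode_op(offset: int, data: bytes) -> bytes:
    """Frame one intercepted write as offset + length + binary data (claim 8)."""
    return HEADER.pack(offset, len(data)) + data


def decode_op(frame: bytes):
    """Receiver side: reject frames whose payload length does not match the header."""
    offset, length = HEADER.unpack_from(frame)
    data = frame[HEADER.size:]
    if len(data) != length:
        raise ValueError("truncated or padded frame")
    return offset, data


class WriteFilter:
    """Hypothetical filter: taps writes, forwards them only to a pinned peer."""

    def __init__(self, disk: bytearray, pinned_peer_cert: bytes, depth: int = 64):
        self.disk = disk
        self.pin = hashlib.sha256(pinned_peer_cert).digest()
        self.pending = queue.Queue(maxsize=depth)
        self.needs_resync = False  # set when a copy could not be queued

    def write(self, offset: int, data: bytes) -> None:
        # The guest write always reaches the disk; the copy is best effort (claim 9).
        self.disk[offset:offset + len(data)] = data
        try:
            self.pending.put_nowait(encode_op(offset, data))
        except queue.Full:
            self.needs_resync = True

    def flush(self, presented_cert: bytes, send) -> int:
        """Pass queued frames to send(frame) only if the peer certificate matches."""
        seen = hashlib.sha256(presented_cert).digest()
        if not hmac.compare_digest(seen, self.pin):
            return 0  # fail closed: frames stay queued, nothing leaves the host
        sent = 0
        while not self.pending.empty():
            send(self.pending.get_nowait())
            sent += 1
        return sent
```

A full queue is recorded in `needs_resync` rather than blocking the guest, so the replica must be reconciled later; a real filter would drain the queue from a separate sender thread.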
Description
Authentication of network-based virtual machine replication
Background
Virtualization technology allows multiple virtual machines to run on a single physical host, thereby improving resource utilization and flexibility in a computing environment. These virtual machines act as independent systems, each having its own operating system and applications. By abstracting the hardware resources of the physical machine, virtualization enables multiple isolated virtual environments to be created on a single physical server. This technology has transformed data centers and cloud computing, enabling more effective use of computing resources and greater scalability.
In recent years, virtualization concepts have gained widespread attention due to advances in hardware and software capabilities. Modern virtualization platforms use virtual machine hypervisors, also known as virtual machine monitors, to manage allocation of physical resources to virtual machines. This abstraction layer allows multiple operating systems and applications to share the same physical hardware without interfering with each other. Virtualization may be applied to various components of IT infrastructure, including servers, storage, and networks, providing a foundation for flexible computing environments.
Virtualization offers many benefits to organizations, including reduced hardware costs, improved energy efficiency, and simplified IT management. It enables new virtual machines to be provisioned quickly, facilitates easier testing and development environments, and supports legacy applications on modern hardware. Furthermore, virtualization enhances business continuity by allowing virtual machines to migrate more easily between physical hosts. In virtualized infrastructure, data backup and disaster recovery are important to prevent data loss and system failures.
Drawings
For a more complete understanding of the present disclosure and the advantages thereof, reference is now made to the following descriptions taken in conjunction with the accompanying drawings.
FIG. 1 is a block diagram of a virtualized environment, according to some embodiments.
FIGS. 2A-2F are block diagrams of intermediate steps in a setup process for a data modification filter, according to some embodiments.
FIG. 3 is a flow chart of a filter setting method according to some embodiments.
FIG. 4 is a flow chart of a filter setting method according to some embodiments.
Corresponding numerals and characters in the various figures generally refer to corresponding parts unless otherwise specified.
Detailed Description
The following disclosure provides a number of different examples for implementing different features. Specific examples of components and arrangements are described below to simplify the present disclosure. Of course, these are merely examples and are not intended to be limiting.
Backup systems for virtualized environments typically copy virtual machines from one location to another for disaster recovery purposes. In one example, the backup system replicates the virtual machine by continually intercepting data change operations made to the virtual machine and sending those data change operations to the backup site. The data change operation may be intercepted with a filter running in a virtual machine manager of the virtualized host. The filter, also referred to as a data modification filter, is a software component of the virtual machine hypervisor that intercepts and replicates modifications made to the data of the virtual machine. For example, the data modification operation may be an I/O operation and the data modification filter may be an input/output (I/O) filter for intercepting the I/O operation from the protected virtual machine.
By running within the virtual machine hypervisor, the filter can intercept data change operations with less impact on the performance of the virtual machine. The replication processing service obtains the intercepted data change operations from the filter and handles replication of these intercepted data change operations to the backup site. These data modification operations may be received from the filter via any suitable communication channel, such as a network. The replication management service oversees the backup system, including configuration and coordination of data change filters and replication processing services.
One challenge in such backup systems is ensuring that the filter that intercepts the data change operations of the virtual machine is able to authenticate the replication processing service. The data modification filter runs at the virtual machine hypervisor layer and can access sensitive information from the virtual machine. It needs to verify that it is sending data to a trusted replication processing service, rather than to a potentially malicious party. If there is no proper authentication between the data modification filter and the replication processing service, there is a risk of sending sensiti