Mechanism for enabling a network address to be shared by multiple labeled containers

摘要

A mechanism is disclosed for enabling a network address to be shared by multiple containers. By allowing multiple containers to share a network address, a limit on network addresses does not limit the number of containers that can be implemented. Despite the fact that the network address is shared by multiple containers, the uniqueness and isolation of each container is still maintained. In one implementation, this is achieved by associating a unique label with each container. With this unique label, it is possible to forward a packet destined for the shared network address to a specific container despite the fact that multiple containers share the same network address. Thus, with this mechanism, it is possible to achieve container isolation and uniqueness without limiting container scalability.

主权项

1. A machine implemented method, comprising:
creating a logical network interface within an operating system (OS) environment mapped to a physical network device; assigning a particular network address to the logical network interface within the OS environment; creating a first OS partition within the OS environment; associating, with the first OS partition, a first label comprising a first category describing information in the first OS partition; creating a second OS partition within the OS environment; associating, with the second OS partition, a second label comprising a second category describing information in the second OS partition; binding the logical network interface to a first process executing within the first OS partition using the first label; binding the logical network interface to a second process executing within the second OS partition using the second label; receiving, by the logical network interface, a first information packet destined for the particular network address and a second information packet destined for the particular network address; determining, using the first information packet, a first packet label; comparing the first packet label with the first label to generate a first match; forwarding, based on the first match, the first information packet to the first process in the first OS partition; determining, using the second information packet, a second packet label; comparing the second packet label with the second label to generate a second match; forwarding, based on the second match, the second information packet to the second process in the second OS partition.