The invention relates to an apparatus or a program for managing a state of a server and to a method for managing a state transition of the server in a virtual network management.
As network systems currently become larger in scale, techniques for automatically registering and managing addition and disconnection of individual servers operating in the network system have been developed.
For example, Patent Document 1 discloses a communication system for notifying all apparatuses of a network address of one server when the server is newly added to an information processing system or for notifying all the servers of the network address of the server when a new communication apparatus is added.
The addition and disconnection of the server at the updating of current network configurations are limited to the case in which the server to be handled is physically connected to the network.
As shown, in the known system configuration the physical connection between servers is separated by an SLB, FW or SW on a per-function basis, the functions including an AP (application) server, a Web server, a DB (database) server, a load balancing server, etc. For this reason, a vast amount of processing has been needed to update attributes of the servers.
For example, in order to use the Web server as an AP server, the Web server has had to be physically disconnected from the network and physically reconnected to the domain of the AP server. Further, in order to use a pool server belonging to the Web server as a pool server belonging to the AP server, the physical connection has likewise had to be reconnected. The known network configuration is not suited to changes of application.
Patent Document 1: Japanese Laid-open Patent Publication No. 2000-354062
In accordance with Patent Document 1, only a notification of a network address of a newly added server is issued, and a workload of an administrator for setting operation is not reduced.
If a backup server is prepared at each layer in the network configuration, the application of the server is determined on a per-layer basis, and a flexible system configuration cannot be formed and updated. Also, to shift a server beyond a layer, the server needs to be shifted manually. Setting the network is time consuming, and a setting error can be introduced. On the other hand, if the network is configured at a single layer, management of the network configuration becomes difficult.
The invention has been developed in view of the above problems, and it is an object of the invention to provide a management apparatus and a management program that reduce the workload of management setting when resources are added or deleted, in the case in which the management setting is performed with the physical connection single-layered and the logical connection multi-layered. Also, dynamic network node management can be performed with a tag VLAN employed in node management over the network.
In response to the input of a physical connection database storing the physical connection status of the apparatuses and servers forming the network, a logical connection condition database storing the conditions for a logical connection of the network, and a connection instruction for the logical connection of the network, a management server is caused to function as path calculating means for calculating a logically connectable path from the logical connection condition database and the physical connection database, command generating means for generating, in response to the calculated path, a command for modifying the setting of the corresponding apparatus or server, and transmitting means for transmitting the command for modifying the setting.
Also, if the apparatuses forming the network include a relay apparatus, in a network system in which the network forms a different LAN with an identifier attached thereto during information transmission, after a completion notification indicating the end of copying is received from the server, identification information of the particular LAN used for data transmission and reception in accordance with the identifier is notified to the server, and an instruction to switch the relay process with the server to the LAN designated by the identifier, together with the identification information, is output to the relay apparatus connected to the server.
Further, the LAN to which the identifier is attached is a tag VLAN.
Further, a verification of the physical connection status with the server is performed when the server is included in a backup server group.
Further, the apparatuses forming the network include a load balancing apparatus, and detecting means is further included, the detecting means detecting the load balancing apparatus that responds to a logical connection instruction when a logical connection instruction to map the server to the load balancing apparatus is input.
The apparatuses forming the network include a firewall apparatus, and detecting means is further included, the detecting means detecting the firewall apparatus that responds to a logical connection instruction when a logical connection instruction to let a server pass the firewall apparatus is input.
The network configuration of the invention is managed at a single layer on the physical connection and at multiple layers logically.
The embodiments of the invention are described below with reference to the drawings.
As shown, a management server 10 is an apparatus managing each node of the network system. The node is an element forming the network. In this embodiment, servers including a DB server 60, a WEB server 90, an AP server 120, etc. and communication apparatuses including an SLB 40, a FW 50, a SW 70, etc. correspond to nodes. A connection between nodes is referred to as a link. In the link, a connection denoted by a solid line indicates a LAN for use in service or other application, and a connection denoted by a broken line indicates a management LAN (hereinafter referred to as a “management LAN”).
A management client 20 is a terminal to be operated by an administrator to operate the management server 10.
The SLB 40 (Server Load Balancer) is a load balancing apparatus of servers. The SLB 40 manages a received process request and transmits the process request to a plurality of servers as management targets within the network.
The FW 50 (Fire Wall) is an apparatus that prevents an unauthorized access from an external network and is communicable with a port authorized and defined beforehand.
The SW 70 (Layer 2 Switch) is a network relay apparatus that determines a destination of a packet according to data of a data link layer (second layer) and transmits the packet.
A DNS (Domain Name Server) server 100 is a server apparatus that converts a domain name as an identifier of a computer into an IP (Internet Protocol) address. The WEB server 90, a load balancing server, the AP server 120, and the DB server 60 are divided and managed by domain.
The WEB server 90 is a server that accumulates a variety of information and transmits these pieces of information via an external network such as the Internet.
A load balancing server 110 is a server apparatus that assigns a process to an appropriate AP server 120 in consideration of a traffic state of a plurality of AP servers 120 within the network.
The AP (application server) server 120 is a server apparatus that receives a request from a user via the WEB server 90 and performs a process of a service system.
The DB (Data Base) server 60 is a database server.
The pool server 130 is a server that is immediately usable when another operating server fails or when a server needs reinforcing in function.
The ID and password are the login ID and password for the corresponding node. The ID and password are used when needed to operate the node. The attribute is registered to indicate which of the above-described node types the corresponding node belongs to.
When the node is registered, a list of ports installed on the node is also registered. The registration of a port allows the port to be used as a connection port during node physical connection. When the registration of each node is completed, information related to the physical connection thereof is registered.
The network category 230 has a plurality of network domains 240, and the network domain 240 has one network switch node 160 and one network service node 140. The network switch node 160 is mapped to the SLB 40 and the FW 50 as previously discussed.
The network category 230 has no basic domain 170. The network category 230 directly registers a node in the network domain 240. Once the node is registered, the type of apparatus is identified using a technique such as SNMP (Simple Network Management Protocol), and the node is automatically sorted, based on management information held by the apparatus, as either a network switch node 160 or a network service node 140.
The administrator newly produces the site 220 (ST01). In this case, the category layer is automatically produced. Next, the server domain 180 is produced (ST02). In this case, the basic domain 170 is also produced. Next, the network domain 240 is produced (ST03). Next, the server is registered in the server domain 180 (ST04). Next, the network service node 140 is registered (ST05). Next, the network switch node 160 is registered (ST06). Next, the physical connection between the network switch nodes 160, including the port numbers, is registered (ST07). Next, the physical connection between the network service node 140 and the network switch node 160, including the port numbers, is registered (ST08).
Through the above-described registration process, the physical connection of the system becomes recognizable by the management server 10. Further, as for the topology discovery function, the physical connection of a system can be automatically recognized in accordance with “Japanese Unexamined Patent Application Publication No. 2005-348051: Apparatus and Method for Discovering Topology of Network Apparatus.”
Next, a logical configuration of the network is determined.
The routing object 612 indicates an object constructed of an apparatus having a function equal to or higher than Layer 3. Also, the routing object 612 contains attribute information indicating whether the routing object 612 is a mere router, an object implementing the server load balancing function (SLB), or an object implementing the firewall (FW). If the routing object 612 is registered as being nonredundant, a single network node belongs thereto, and if the routing object 612 is registered as being redundant, a plurality of network nodes belong thereto.
The subnet object 611 is a subnet based on VLAN extending between SWs 70, and the SW 70 belonging thereto dynamically changes.
The server group 200 is a group sorted according to function with each group composed of a plurality of servers. For example, servers are grouped into an AP server group, a WEB server group, etc. according to function.
The network logical configuration is generated by logically connecting these subnet object 611, routing object 612, and server group 200. A connection rule of the objects, and a connection rule between each object and each group are defined beforehand.
The information necessary to map the subnet object 611 includes a VLANID, the SW 70 to which the VLAN is applied, an identity name, a subnet address, and a subnet mask. The VLANID is automatically produced from an unused VLANID on the side of the management server 10, the SW 70 to which the VLAN is applied is automatically calculated on the side of the management server 10 in accordance with a path calculation, and the identity name, the subnet address and the subnet mask are specified by the administrator when the subnet object 611 is produced.
Information necessary to map the routing object 612 includes attribute information as to whether the routing object 612 is the SLB 40, the FW 50 or the router, an identity name identifying the object, a value of a redundant mode, and information of the related server group 200. The attribute information, the identity name information, and the redundant mode value are input when the routing object 612 is produced. The related server group 200 is specified when the FW 50 and the SLB 40 are produced.
Information necessary to map the logical link includes an identity name, a transmission source object, a transmission destination object, a transmission source connection port, a transmission destination connection port, and an IP address usable range. The identity name, the transmission source object, and the transmission destination object are specified by the administrator when the link is produced, and the transmission source connection port and the transmission destination connection port are specified by the administrator or automatically acquired. Also, the IP address usable range is specified by the administrator.
Under the above-described predefined conditions, the administrator registers the network logical configuration on a GUI screen of the network logical configuration displayed on the screen of the management client 20.
The management program of the management server 10 calculates configuration information to be actually set at each node based on the registered information of the physical configuration obtained in
The request scheduler 11 schedules the process request from the management client 20. If there are a plurality of different commands, the request scheduler 11 sets an appropriate order on the commands and then processes the commands.
The topology compiler 12 calculates the logical configuration. The topology compiler 12 determines on which SW 70 the VLAN is to be set and what route setting needs to be performed so that the apparatuses are connected correctly in accordance with the logical configuration.
A routing object 612 directly stores information on which physical node corresponds to it. The topology compiler 12 thus also determines the static path to be set in the FW 50 in relation to the server group 200, handles modifications of the assignment destination of the SLB 40, and performs other processes.
The topology compiler 12 performs its calculations in the following order: an edit right to the logical configuration is acquired, the logical objects are registered and the logical links are produced, and then an instruction to reflect the settings is given. In accordance with the new configuration, the topology compiler 12 performs a final calculation.
The relation checker 13 determines from the calculation results whether the physical connection has been made. The management client GUI 21 is an interface screen displayed on a terminal, on which the administrator inputs information. The XML access 14 accesses the configuration results of the network using XML (eXtensible Markup Language). The setting command 15 produces a command to modify the setting of each node based on the calculation results provided by the topology compiler 12, and transmits the command to each node.
When a modification instruction to an edit mode of the network logical configuration is input from the management client GUI 21 (S201), an edit mode shifting instruction is transmitted to the request scheduler 11 in the management server 10 (S202), and acquisition information of the edit right is transmitted from the request scheduler 11 to the topology compiler 12 (S203). The topology compiler 12 acquires from the XML access 14 data acquisition of a domain as a current edit target (S204). The topology compiler 12 copies configuration information within the domain (S205).
If a subnet (n) (n represents a subnet number on a screen 601) is produced (S211), an instruction related to the subnet is transmitted to the topology compiler 12 via the request scheduler 11 (S212). The topology compiler 12 produces the subnet object 611 (S213) and assigns a VLANID to it (S215). This process is performed on all the subnet objects 611 on the screen 601. A subnet address is also checked (S214).
When an FW is produced (S221), the corresponding instruction is transferred to the topology compiler 12 via the request scheduler 11 (S222). The topology compiler 12 produces the routing object 612 (S223). This process is performed on the routing objects 612 of all the FWs on the screen 601.
If an SLB(n) (n represents an SLB number on the screen 601) is produced (S231), the corresponding instruction is transmitted to the topology compiler 12 via the request scheduler 11 (S232). The topology compiler 12 produces the routing object 612 (S233). This process is performed on the routing objects 612 of all the SLBs(n) on the screen 601.
If the server group 200 is produced (S241), the corresponding instruction is transferred to the topology compiler 12 via the request scheduler 11 (S242). The topology compiler 12 produces and registers the server group 200 (S243). This process is performed on all the server groups 200 on the screen.
A process for the connection of objects displayed on the screen is performed next.
A logical link is produced between the FW as the routing object 612 and a subnet (1) (S251), an instruction to produce the logical link is transmitted to the relation checker 13 via the request scheduler 11 (S252), and the relation checker 13 checks whether a connection is possible (S253).
A logical link is produced between the subnet (1) and an SLB(1) (S261), and an instruction to produce the logical link is transmitted to the relation checker 13 via the request scheduler 11 (S262). The relation checker 13 checks whether a connection is possible (S263). In order to determine whether a connection path is present on the physical connection, the topology compiler 12 verifies a reachability (S264).
The reachability is verified by checking the physical connection and finalizing the path in use when the subnet object 611 is connected to at least two routing objects 612. At the time point when the subnet object 611 is connected to one routing object 612, no path is produced. If the two routing objects 612 are connected, the network nodes of the respective routing objects 612 are connected via a VLAN. The VLAN is a substance of the subnet object 611.
A logical link is produced between the SLB(1) and a subnet (2) (S271), and an instruction to produce the logical link is transmitted to the relation checker 13 via the request scheduler 11 (S272). The relation checker 13 checks whether a connection is possible (S273).
A logical link is produced between the subnet (2) and a WEB server group (S281), and an instruction to produce the logical link is transferred to the relation checker 13 via the request scheduler 11 (S282). The relation checker 13 checks whether a connection is possible (S283). The topology compiler 12 verifies a reachability to determine whether a connection path is present on the physical connection (S284).
As illustrated in
A logical link is produced between the subnet (3) and the FW (S311), and an instruction to produce the logical link is transferred to the relation checker 13 via the request scheduler 11 (S312). The relation checker 13 checks whether a connection is possible (S313). Also, the topology compiler 12 verifies a reachability (S314).
A logical link is produced between the FW and a subnet (4) (S321), and an instruction to produce the logical link is transferred to the relation checker 13 via the topology compiler 12 (S322). The relation checker 13 determines whether a connection is possible (S323).
A logical link is produced between a subnet (4) and an SLB(2) (S331), and an instruction to produce the logical link is transferred to the relation checker 13 via the request scheduler 11 (S332). The relation checker 13 determines whether a connection is possible (S333). The topology compiler 12 verifies a reachability (S334).
A logical link is produced between the SLB(2) and a subnet (5) (S341), and the relation checker 13 determines whether a connection is possible (S342).
A logical link is produced between the subnet (5) and the AP group (S351), and an instruction to produce the logical link is transferred to the relation checker 13 via the request scheduler 11 (S352). The relation checker 13 determines whether a connection is possible (S353). Also, the topology compiler 12 verifies a reachability (S354).
When the production of the above-described logical links is completed and an instruction to reflect the settings is input from the management client GUI 21 (S361), the instruction to reflect the settings is transferred to the topology compiler 12 via the request scheduler 11 (S362). The topology compiler 12 performs a process to reflect the settings. More specifically, a path is re-calculated (S363), and the path information is stored on the XML access 14 (S364) (S367), and the setting command 15 is produced (S365), and then transmitted to each node via the request scheduler 11 (S366).
The process of path determination is performed by the topology compiler 12. The path determination process selects the shortest path. If a plurality of path candidates are available, an indication to that effect is output to an operator to allow the operator to select one of the path candidates. Alternatively, an algorithm may be incorporated to select successively the path candidates in order.
The path production of the VLAN is performed on the copy produced when the edit right is first acquired. For this reason, the operation of the system is continued with the state prior to edit starting maintained. When the instruction to reflect the settings is finally issued, the edited data is replaced with the current configuration information, and a difference is then reflected in the network apparatuses.
Further, to cancel the editing, copied data is discarded.
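The reachability check (a subnet object yields a path only once it is linked to two routing objects, and the VLAN then spans the switches on that path) and the shortest-path selection with operator choice among equal candidates can be illustrated in code. The block below is an added example written for this page; it is not the patent's own implementation. The physical topology, node names (FW, SLB1, SLB2, SW-A to SW-E), the VLANID range 100 to 199, the status strings and all function names are constructed assumptions.

```python
from collections import deque

# Constructed physical topology (an assumption, not the page's own data).
# FW and SLBn are routing objects; SW-x are Layer 2 switches a VLAN may span.
PHYSICAL_LINKS = [
    ("FW", "SW-A"),
    ("SW-A", "SW-C"), ("SW-C", "SW-B"),   # one SW route from A to B
    ("SW-A", "SW-D"), ("SW-D", "SW-B"),   # an equally short second route
    ("SW-B", "SLB1"),
    ("SW-A", "SW-E"), ("SW-E", "SLB2"),
]
ROUTING_NODES = {"FW", "SLB1", "SLB2"}


def build_graph(links):
    """Undirected adjacency map built from the physical link list."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def shortest_paths(graph, src, dst):
    """All shortest simple paths from src to dst whose interior nodes are
    switches only (a VLAN must not pass through another routing object).
    BFS dequeues paths in non-decreasing length, so the first hit fixes the
    length and every later hit of that length is an equal candidate."""
    best, found = None, []
    queue = deque([[src]])
    while queue:
        path = queue.popleft()
        if best is not None and len(path) > best:
            break
        node = path[-1]
        if node == dst:
            best = len(path)
            found.append(path)
            continue
        if node != src and node in ROUTING_NODES:
            continue
        for nxt in sorted(graph.get(node, ())):
            if nxt not in path:
                queue.append(path + [nxt])
    return found


class VlanIdPool:
    """Hands out the lowest unused VLANID; the range is a constructed assumption."""
    def __init__(self, first=100, last=199):
        self.free = list(range(first, last + 1))
        self.in_use = {}

    def allocate(self, subnet_name):
        vid = self.free.pop(0)
        self.in_use[vid] = subnet_name
        return vid


class SubnetObject:
    def __init__(self, name, vlan_id):
        self.name = name
        self.vlan_id = vlan_id
        self.routing_objects = []   # routing objects linked so far
        self.candidates = []        # equally short physical paths
        self.path = None            # finalized path, once chosen


def link_subnet(graph, subnet, routing_object):
    """Attach one routing object to the subnet and verify reachability.
    Returns (status, switches): NO_PATH_YET while fewer than two routing
    objects are linked, OPERATOR_CHOICE when several equally short paths
    exist, RESOLVED when one path was fixed; switches is the set of SWs
    the VLAN has to be applied to (None unless RESOLVED)."""
    subnet.routing_objects.append(routing_object)
    if len(subnet.routing_objects) < 2:
        return "NO_PATH_YET", None
    src, dst = subnet.routing_objects[0], subnet.routing_objects[-1]
    subnet.candidates = shortest_paths(graph, src, dst)
    if not subnet.candidates:
        raise ValueError(f"{src} and {dst} are not reachable over the physical connection")
    if len(subnet.candidates) > 1:
        return "OPERATOR_CHOICE", None
    return select_path(subnet, 0)


def select_path(subnet, index):
    """Finalize one candidate (index chosen by the operator, or 0 when
    candidates are simply taken in order)."""
    subnet.path = subnet.candidates[index]
    return "RESOLVED", {n for n in subnet.path if n not in ROUTING_NODES}


def switch_settings(subnets):
    """Per-switch VLANIDs to configure: the SW -> VLAN mapping that the
    setting command would push. Only resolved subnets contribute."""
    settings = {}
    for s in subnets:
        for sw in (s.path or []):
            if sw not in ROUTING_NODES:
                settings.setdefault(sw, set()).add(s.vlan_id)
    return settings


if __name__ == "__main__":
    g, pool = build_graph(PHYSICAL_LINKS), VlanIdPool()
    s1 = SubnetObject("subnet(1)", pool.allocate("subnet(1)"))
    print(link_subnet(g, s1, "FW"), link_subnet(g, s1, "SLB1"), s1.candidates)
    print(select_path(s1, 1))        # operator picks the SW-D route
    s2 = SubnetObject("subnet(2)", pool.allocate("subnet(2)"))
    link_subnet(g, s2, "FW")
    print(link_subnet(g, s2, "SLB2"), switch_settings([s1, s2]))
```

The path work is done on plain in-memory objects, which matches the page's point that editing happens on a copy acquired with the edit right: nothing is pushed to a switch until the resolved paths are turned into settings by `switch_settings`.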
As described above, logical setting is possible for the network domain 240 up to immediately before the port of the actual server node.
As an example of registered information, SLB as the attribute information, SLB(1) as the identity name, 1 as the redundant mode, and the WEB server group as the server group to be mapped are currently registered.
Next, the logical setting related to the FW and the SLB(n) as nodes of the network domain 240 is described. If a connection is made in the relationship between server groups and between a server group and an external network beyond the SLB(n) and the FW, the setting of the FW is needed from the standpoint of network security.
Upon receiving the above-described setting information from the management client GUI 21 (S401), the topology compiler 12 searches, via the XML access 14, for the SLB 40 belonging to the routing object 612 represented by SLB(1) (S402).
An instruction to modify the settings of the detected SLB 40 apparatus so that the representative address information and the load balancing policy information are reflected in it is set in the setting command 15 (S403), and the setting command 15 issues a control command to the apparatus.
One example of the structure example 580 of the setting information includes a representative IP of a server group for the SLB 40, and a server and a load ratio to the server, as the load balancing policy to the server contained in the server group.
Also, if there is an increase or a decrease in the number of servers contained in the server group 200, the following process is performed.
As described above, control to modify the load balancing policy on the network in coordination with the operation of the server can be specified in designing on the object registration window 600.
Discussed next are a method of setting a pass permission to the FW and a method of performing the pass permission setting in coordination with the setting of an increase or a decrease in the number of servers within the server group 200.
The topology compiler 12 produces information for updating the setting information of the FW 50 in accordance with the acquired IP address (S605), and transmits the setting modification information to the target FW 50 through the setting command 15.
A server registration within the server domain 180 is discussed next. Also, a modification of the network configuration in a structure with the physical path multiplexed using the tag VLAN is described. First, the registration of the server to the server group 200 is described.
The server domain 180 and the network domain 240 are connected via a logical link between the WEB server group and the subnet (2), a logical link between the WEB server group and the subnet (3), and a logical link between the AP server group and the subnet (5), on the logical configuration screen of
The VLANs of the present embodiment include three types, namely, a management VLAN, a pool VLAN, and a service VLAN. The example of each VLAN is listed on a table of the same figure, and VLANIDs of these VLANs take different values. The management VLAN is a LAN used by the management server 10 to perform management and distribute the service image. The pool VLAN is used to detect the connection status between the server and the SW 70. The service VLAN is used in actual service. It is noted that the port of the SW 70 to which the server is first connected is set in the management VLAN.
As illustrated in
The tag VLAN is a LAN that is constructed based on tag information with a tag attached to a packet. In a network system requiring that the number of servers be increased or decreased depending on status, the server needs to function as the WEB server 90 and the AP server 120. To this end, an environment that permits a program for a Web service and a program for an AP service, having such functions, to be executed needs to be constructed in the server. Furthermore, an OS (operating system) for executing these programs needs to be constructed.
In accordance with the known art, the OS and the programs to be executed are distributed as a master image. The master image is information that contains the OS and an application program for operating the operational service. The master image is image data present for each server group 200. With the image data stored on storage means in the server, the server can operate as the WEB server 90 or the AP server 120. Mechanisms such as PXE boot, which boot an OS not stored on the server by downloading the OS image via the network, do not support the tag VLAN. In this case, after the OS image is distributed to the server via the VLAN, the network setting of the server and the network setting of the adjacent SW 70 are dynamically modified to the tag VLAN so that the network boot can be performed in the network environment of the tag VLAN.
The flow of the boot process of the server is described below. The invention is based on the premise that the server is network bootable.
To boot, the target server requests the deployment server 30 to acquire an IP address through DHCP, for example. When the deployment server 30 assigns the IP address to the target server, the target server requests again the deployment server 30 to boot. The deployment server 30 distributes an OS image called a provisional OS that is specialized for the pool server 130 state. The target server starts a boot process based on the received information (s703). After the completion of the boot, the NIC 75 of the server is actuated (s705).
The actuated NIC 75 transmits an ARP request to the SW 70 in order to verify the connection on the management VLAN.
ARP is a protocol used to determine a physical address (MAC (Media Access Control) address) from the IP address. The management server 10 monitors the physical address learning table held by a switch belonging to the network switch node 160 (s706), thereby detecting to which port of the SW 70 the NIC 75 of the server is connected (s707).
Upon verifying the connection, the management server 10 sets in the pool VLAN the port of the SW 70 connected to another NIC 75 different from the NIC 75 of the management VLAN used for server management (s708).
The pool VLAN is a VLAN that does not communicate with any other VLAN. By placing the other NIC 75 in the pool VLAN, unnecessary packet transmission is restricted.
Through the above process, the physical connection between the target server and the SW 70 in the network switch node 160 is detected.
The management server 10 sends to the deployment server 30 an instruction to load a master image to the target server and the master image is loaded to the server (s802).
The target server performs an initialization process in accordance with the master image (s803).
Upon completing the initialization process, the target server transmits information to that effect to the management server 10. Upon receiving the information, the management server 10 sends to the request scheduler 11 an acquisition request enquiry to acquire the VLANID to be used in a service network (s804).
The request scheduler 11 asks the topology compiler 12 about the VLANID acquisition request (s805). Upon receiving a reply related to VLANID from the topology compiler 12, the request scheduler 11 supplies the VLANID as a reply to the management server 10. The management server 10 notifies an agent, embedded in the master image of the target server and initiated, of an instruction to set each NIC 75 to the obtained VLANID and the state of the VLAN to “tag present” (s806).
The target server sets an interface based on received information (s807), and supplies a setting completion notification to a management process.
Upon receiving the setting completion notification of the NIC 75 of the target server, the management server 10 issues to the SW 70 to be connected to the target server via the request scheduler 11 an instruction to set VLANID and “tag present” to the connection port of the target server (s808).
Upon receiving the instruction via the request scheduler 11, the topology compiler 12 performs a path calculation to determine the SW 70 to be connected, from the server group 200 the server belongs to and the subnet object 611 (s809), and sets the VLANID and “tag present” on the SW 70 through the setting command 15 (s810). Along with the service VLAN modification, the management VLAN can be switched to “tag present” and connected.
A system performing autonomously an operation related to a dynamic increase or decrease in the server resources does not operate without setting coordination between the server and the network apparatus. For example, to maintain communications over the network, the setting of the server apparatus as to whether the tag VLAN or the port VLAN is set always needs to be in agreement with the setting of the SW 70 apparatus as to whether the tag VLAN or the port VLAN is set. Furthermore, in the case of the tag VLAN, IDs of assigned tags need to be in agreement with each other. Therefore, although the tag VLAN and the port VLAN can be set by constructing the SW 70 and the server in manual setting, such a setting is extremely difficult.
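The two facts the passage above depends on, locating a server's port from the switch learning table (s706/s707) and keeping the server NIC and the SW port in agreement on tag-versus-port VLAN and on the VLANID, can be turned into an audit that a management server would run after each transition. The block below is an added example for this page, not the patent's code; the MAC addresses, switch and port numbers, server names, VLANIDs, finding codes and function names are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class NicConfig:
    server: str
    mac: str
    vlan_id: int
    tagged: bool          # True = tag VLAN ("tag present"), False = port VLAN


@dataclass(frozen=True)
class PortConfig:
    switch: str
    port: int
    vlan_id: int
    tagged: bool


# Constructed sample state (assumptions, not figures from the page).
LEARNING_TABLE = [   # (switch, port, learned MAC) as read from each SW
    ("SW-B", 3, "00:11:22:33:44:01"),
    ("SW-B", 4, "00:11:22:33:44:02"),
    ("SW-E", 1, "00:11:22:33:44:03"),
]
SWITCH_PORTS = {
    ("SW-B", 3): PortConfig("SW-B", 3, 100, True),
    ("SW-B", 4): PortConfig("SW-B", 4, 100, False),   # port VLAN, server tags
    ("SW-E", 1): PortConfig("SW-E", 1, 101, True),
}
SERVER_NICS = [
    NicConfig("web01", "00:11:22:33:44:01", 100, True),   # agrees with SW-B/3
    NicConfig("web02", "00:11:22:33:44:02", 100, True),   # tag mode differs
    NicConfig("ap01", "00:11:22:33:44:03", 102, True),    # VLANID differs
    NicConfig("ap02", "00:11:22:33:44:04", 101, True),    # never seen on any SW
]


def locate_port(learning_table, mac):
    """Which (switch, port) learned this MAC: the detection step that tells
    the management server where a freshly booted NIC is attached."""
    for switch, port, learned in learning_table:
        if learned.lower() == mac.lower():
            return switch, port
    return None


def check_consistency(nics, learning_table, switch_ports):
    """One finding per NIC whose settings disagree with the SW port it is
    attached to. An empty list means server and network agree, which is the
    condition the passage says autonomous scaling cannot do without."""
    findings = []
    for nic in nics:
        where = locate_port(learning_table, nic.mac)
        if where is None:
            findings.append((nic.server, "NOT_DETECTED", "MAC not in any learning table"))
            continue
        port = switch_ports.get(where)
        if port is None:
            findings.append((nic.server, "PORT_UNCONFIGURED",
                             f"{where[0]} port {where[1]} has no VLAN setting"))
            continue
        if nic.tagged != port.tagged:
            mode = lambda t: "tag" if t else "port"
            findings.append((nic.server, "TAG_MODE_MISMATCH",
                             f"server {mode(nic.tagged)} VLAN vs switch {mode(port.tagged)} VLAN"))
        if nic.vlan_id != port.vlan_id:
            findings.append((nic.server, "VLANID_MISMATCH",
                             f"server {nic.vlan_id} vs switch {port.vlan_id}"))
    return findings


if __name__ == "__main__":
    for finding in check_consistency(SERVER_NICS, LEARNING_TABLE, SWITCH_PORTS):
        print(*finding)
```

Running the audit before the switch port is moved from the pool VLAN to the service VLAN, and again after the server's completion notification, gives the management server a concrete way to confirm the two-step order the page describes (NIC first, then SW port) actually converged rather than assuming it.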
The HDD 706 stores a program for performing the same function as the function of the management server 10, and a management program. The management program may be stored in a collective state or a distributed state.
When the CPU 708 reads the management program from the HDD 706 and executes the read program, the management server 10 functions as the request scheduler 11, the topology compiler 12, the relation checker 13, the XML access 14, and the setting command 15.
The HDD 706 stores the physical connection database storing the physical connection state of the network nodes and the logical connection condition database of the network object.
The CPU 708 stores a variety of data, related to management of the network apparatuses, as the physical connection database and the logical connection condition database, reads the variety of data from the HDD 706, stores the variety of read data onto the RAM 707, and performs a variety of data processes in accordance with information of the physical connection and logical connection stored on the RAM 707.
The invention has been described in detail. The invention is not limited to the above-described embodiments, and it is possible to introduce a variety of modifications and changes without departing from the scope of the invention.
In the above discussion of the embodiments, the tag VLAN is used. The invention is applicable on a technique other than the method of the tag VLAN as long as the technique can logically divide the network. Examples of the technique of dividing logically are WDM (Wavelength Division Multiplex), MPLS (Multi-Protocol Label Switching), etc.
The server has been described as one example. The same technique can manage other network resources.
The invention may be applied in the field of managing networks.
This application is a Continuation of International Application No. PCT/JP2006/306429 under 35 U.S.C. § 111(a), filed Mar. 29, 2006.
| | Number | Date | Country |
|---|---|---|---|
| Parent | PCT/JP2006/306429 | Mar 2006 | US |
| Child | 12236270 | | US |