CN107643940A - Container creation method, relevant device and computer-readable storage medium - Google Patents

Publication number: CN107643940A
Authority: CN (China)
Application number: CN201710880952.0A
Other languages: Chinese (zh)
Inventor: 刘春阳
Original assignee: Huawei Technologies Co Ltd
Current assignee: Huawei Technologies Co Ltd
Legal status: Pending
Prior art keywords: container, strategy, strategy group, variety, identification information
Landscapes: Storage Device Security (AREA)

Abstract

Embodiments of the invention disclose a container creation method, a related device and a computer-readable storage medium. The method includes: a terminal device receives configuration information, the configuration information being used to request creation of a container; the terminal device determines a target container policy group (rendered "container strategy group" in the keyword list above) according to the configuration information and creates the container, the target container policy group including at least one container policy, each container policy being used to limit the operating rights of the created container; and the terminal device configures the target container policy group in the kernel, so that the kernel limits the operating rights of the created container according to the target container policy group. By using the embodiments of the invention, security problems of the prior art such as imperfect isolation mechanisms can be overcome and the security of containers improved.

Description

Container creation method, relevant device and computer-readable storage medium
Technical field
The present invention relates to the technical field of virtualization, and in particular to a container creation method, a related device and a computer-readable storage medium.
Background technology
Docker containers are a widely used virtualization technology at present. With the extensive use of Docker technology, the security problems it exposes, such as imperfect isolation mechanisms, are becoming increasingly serious. In practice, it has been found that the security problems of Docker mainly manifest in the following aspects:
1) The Docker system itself relies on the security of the Linux kernel. At present, Docker technology relies mainly on the CGroups and Namespace technologies to create and manage containers. Although these two technologies achieve logical isolation of some kernel resources, the security isolation between containers is not effectively improved, and the risk of the isolation being breached remains.
2) Different containers share the same Linux kernel. When an application in a container makes malicious use of kernel resources such as processes or kernel call resources, the fair use of kernel resources by other containers on the same physical host is affected. For example, frequent malicious access to the Linux system's random number generator may cause all host resources to be occupied handling random-number access requests; host resources are exhausted, other business processes that access random numbers are affected, and other business may even be unable to operate normally.
3) After a container is created, if an application in the container maliciously uses kernel application programming interfaces (APIs) that carry relatively large kernel permissions to access or modify resources on the physical host, such as storage resources, network resources and network configuration, the security of the physical host is affected.
4) System files of the Linux system can be shared between different containers. If an application in a container has a vulnerability (bug) or is malicious, it may use a kernel vulnerability to escape from the container and access system files stored by other containers on the host, which may cause problems such as data leakage or data corruption.
Summary of the invention
Embodiments of the invention disclose a container creation method, a related device and a computer-readable storage medium, which can overcome security problems of the prior art such as imperfect isolation mechanisms and improve the security of containers.
In a first aspect, an embodiment of the invention provides a container creation method, including:
a terminal device receives configuration information, the configuration information being used to request creation of a container;
the terminal device determines a target container policy group according to the configuration information and creates the container, the target container policy group including at least one container policy, each container policy being used to limit the operating rights of the created container;
the terminal device configures the target container policy group in the kernel, so that the kernel limits the operating rights of the created container according to the target container policy group.
By implementing the embodiments of the invention, the container is protected by means of the target container policy group, problems of the prior art such as data leakage caused by imperfect container isolation mechanisms are avoided, and the security of the container is improved.
In some possible embodiments, the configuration information includes at least one of the following identification information: an identifier of a tenant, an identifier of the container to be created, an identifier of an application and an identifier of a role, where an association exists between the at least one identification information and the target container policy group, an image of the application is used to create the container, and the role is an attribute pre-assigned to the container or to the tenant. Specifically, the identifier of the tenant identifies one tenant, or one class of tenants, that needs to create a container. Correspondingly, the identifier of the container identifies the container, or the class of containers, that needs to be created. The identifier of the application identifies the application, or the class of applications, that needs to create a container, and the image of the application can be used to create the container. The role may refer to the role of the tenant or of the container; the role, or its identifier, is attribute information configured in advance on the user side or the terminal device side for the container to be created or for the tenant, and is not described in further detail here.
In some possible embodiments, before the terminal device determines the target container policy group according to the configuration information and creates the container, the method further includes: the terminal device creates associations between a plurality of container policy groups and a plurality of kinds of identification information, where each container policy group among the plurality of container policy groups is associated with one kind of identification information, different kinds of identification information are associated with different container policy groups, the at least one identification information is any one of the plurality of kinds of identification information, the target container policy group is any one of the plurality of container policy groups, and each container policy group includes at least one container policy.
In a specific implementation, the terminal device first needs to create a container security policy repository (CSPR). The CSPR stores the associations between the plurality of container policy groups and the plurality of kinds of identification information. Specifically, the system may provide a user interaction interface through which the user sets the associations between the plurality of container policy groups and the plurality of kinds of identification information and saves them in the CSPR.
In some possible embodiments, no two container policies among the at least one container policy conflict with each other. Specifically, for the container policies within the same container policy group in the CSPR, no two of them conflict with each other, where each container policy group may include at least one container policy. Specific embodiments for detecting conflicts between container policies in the same container policy group include, but are not limited to, detection by means of the action direction or the scope of action of the container policies; the implementation is not described in detail here.
In some possible embodiments, the plurality of kinds of identification information include first identification information and second identification information; the security grade of the container policy group associated with the first identification information is a first security grade, and the security grade of the container policy group associated with the second identification information is a second security grade. Each kind of identification information among the plurality of kinds of identification information is pre-configured with permissions; if the permissions of the first identification information are greater than the permissions of the second identification information, the first security grade is higher than the second security grade.
Specifically, in the CSPR the user may configure container policy groups of different security grades for identification information having different operating rights. For example, taking the identification information to be the identifier of a tenant, a container policy group of a high security grade may be configured for tenants with larger operating rights (such as a super administrator or an administrator); correspondingly, a container policy group of a lower security grade is configured for tenants with smaller operating rights. The invention does not limit this.
In some possible embodiments, the container policy includes any one of the following: a Security-Enhanced Linux (SELinux) policy, a system capability policy and a secure computing (seccomp) policy; where the SELinux policy is used to limit the container's access rights to system files, the capability policy is used to limit the container's check and authorization rights to kernel resources, and the seccomp policy is used to limit the container's rights to call kernel application programming interfaces (APIs). Optionally, the container policy may also include other container policies that enhance container security, such as a GRSecurity kernel security enhancement policy, an image security policy, a container network security policy, a disk resource policy, a container traffic policy and the like; the invention does not limit this. The container policies are not described in detail here.
In a second aspect, an embodiment of the invention provides a container creation system, including a container core engine, a container execution engine and a kernel;
the container core engine is used to receive configuration information, the configuration information being used to request creation of a container;
the container core engine is further used to determine a target container policy group according to the configuration information and create the container, the target container policy group including at least one container policy, each container policy being used to limit the operating rights of the created container;
the container execution engine is used to configure the target container policy group in the kernel, so that the kernel limits the operating rights of the created container according to the target container policy group.
For parts of the invention not shown or not described, reference may be made to the description of the method of the first aspect above; details are not repeated here.
In a third aspect, an embodiment of the invention provides a terminal device, including functional units for performing the method of the first aspect above.
In a fourth aspect, an embodiment of the invention provides a terminal device, including a memory, a communication interface and a processor coupled to the memory and the communication interface; the memory is used to store instructions, the processor is used to execute the instructions, and the communication interface is used to communicate with other devices (such as a user client) under the control of the processor; where, when executing the instructions, the processor performs the method described in the first aspect above.
In a fifth aspect, a computer-readable storage medium is provided, the computer-readable storage medium storing program code for creating a container. The program code includes instructions for performing the method described in the first aspect above.
By implementing the embodiments of the invention, security problems of the prior art such as imperfect container isolation mechanisms can be overcome and the security of containers improved.
Brief description of the drawings
In order to describe the embodiments of the invention or the technical solutions of the prior art more clearly, the accompanying drawings required for describing the embodiments or the prior art are briefly introduced below.
Fig. 1 is a schematic diagram of a network architecture provided by an embodiment of the invention;
Fig. 2 is a schematic diagram of another network architecture provided by an embodiment of the invention;
Fig. 3 is a schematic diagram of a user interaction interface provided by an embodiment of the invention;
Fig. 4 is a schematic flowchart of a container creation method provided by an embodiment of the invention;
Fig. 5 is a schematic flowchart of another container creation method provided by an embodiment of the invention;
Fig. 6A is a schematic structural diagram of a terminal device provided by an embodiment of the invention;
Fig. 6B is a schematic structural diagram of another terminal device provided by an embodiment of the invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the invention are described in detail below with reference to the accompanying drawings.
Refer to Fig. 1, which is a schematic diagram of a network architecture provided by an embodiment of the invention. The network architecture diagram 100 may also be called a software stack diagram; it includes applications 102, a file system 104 (illustrated as bin/libs), a container management system 106 (illustrated as docker and LXC technologies), an operating system kernel 108 (hereinafter referred to as the kernel, illustrated as the Linux kernel) and hardware services 110 (illustrated as a server).
Specifically, each application 102 can be made into a plurality of separate images. An image can be used to create a container; one image corresponds to one container. Optionally, an image can be understood as a template for creating a container. The image, and how a container is created on the basis of the image, are not described in detail here. As Fig. 1 shows, application A (App A) and application B (App B) can each be made into a separate image, App A' and App B' respectively.
In an optional embodiment, an application and its image can share the file system 104 of the operating system (such as a Linux system), for example some basic commands and basic function libraries. As shown in Fig. 1, App A and App A' share the bin/libs resources of one file system; correspondingly, App B and App B' share the bin/libs resources of one file system.
In the course of container creation, in addition to being based on the image of the application, the technologies or mechanisms provided by the container management system 106 are also needed. These technologies or mechanisms assist in creating the container (docker) and include, but are not limited to, the docker daemon, Linux containers (LXC), CoreOS rkt, CGroup and Namespace technologies.
In an optional embodiment, one application or one class (group) of applications may have one image made for it; or one application or one class of applications may have a plurality of images made for it. That is, one application or one class of applications may correspond to the creation of one container or of a plurality of containers; the invention does not limit this.
It should be understood that when an application has been made into a plurality of images, a plurality of containers (also called container instances) can correspondingly be created on the terminal device (such as a physical host, also called the host). Different containers can be isolated from each other by technologies such as CGroup and Namespace. On the terminal device, each container has its own independent running space. As in Fig. 1, the container of application A and the container of application B cannot access each other. In practical applications, the container of application A and the container of application B cannot perceive each other's presence on the terminal device; each container considers itself to exist alone on the terminal device. In addition, the container of application A and the container of application B can share the same file system resources of the operating system, such as the bin/libs resources; see the preceding embodiment for details, which are not repeated here.
On the same terminal device (such as a physical host), different containers share the same operating system kernel 108 (Linux kernel) and hardware services 110 (server). The hardware services refer to the services provided by the physical device (that is, the terminal device, such as a physical host or physical server) deployed at the bottom of the software stack. The kernel and the hardware services are not described in further detail in the invention.
In an optional embodiment, the terminal device includes but is not limited to user equipment (UE), a server, a smart phone (such as an Android phone or an iOS phone), a personal computer, a tablet computer, a palmtop computer, a mobile Internet device (MID) or a wearable smart device; the embodiments of the invention do not limit this.
On the basis of the container architecture diagram shown in Fig. 1, the applicant found in the course of proposing this application that, although containers achieve logical isolation of some kernel resources, they do not achieve effective security isolation between different containers; that is, the isolation mechanism is imperfect. For example, because different containers can share the file system of the operating system, an application in a container may, due to a vulnerability (bug) or malice, use a kernel vulnerability to escape from the container and attack and access file information stored by other containers on the terminal device, causing problems such as data leakage or data corruption.
To solve the above problems, another network architecture diagram provided by an embodiment of the invention is given below; refer specifically to Fig. 2, which shows another network architecture diagram provided by an embodiment of the invention. As in Fig. 2, the network architecture diagram 200 includes a container security policy repository (CSPR) 202, a kernel (that is, the operating system kernel) 204, a container management system 206, containers 208 and a security policy execution engine (SPEE) 210.
The components in the network architecture diagram 200 are described in detail below.
First, the container security policy repository (CSPR) 202 is set independently on the user side or the terminal device side. The CSPR stores the associations between a plurality of kinds of identification information and a plurality of policy groups; one kind of identification information is associated with one container policy group, and different kinds of identification information are associated with different container policy groups. That is, one kind of identification information binds (identifies) one container policy group.
Specifically, the system may provide a user interaction interface for the user to configure the CSPR. Fig. 3 shows a schematic diagram of such a user interaction interface. On the user interaction interface shown in Fig. 3, the user can enter and set each kind of identification information and each container policy group, associate them with each other and save them in the CSPR.
In an optional embodiment, each kind of identification information may include at least one identifier, including but not limited to any one of the following: the identifier of the container, the identifier of the tenant, the identifier of the application (program) and the identifier of the role.
The identifier of the container identifies one container or one class of containers. Correspondingly, the identifier of the tenant can be used to identify one tenant or one class of tenants. The identifier of the application can likewise be used to identify one application or one class of applications, and the image of the application can be used to create the container. The identifier of the role can be an identifier of the container or of the tenant; that is, the role may be the role of the tenant, such as administrator, super administrator or ordinary tenant, or the role of the container, such as a master container (the container on the managing side) or a controlled container (the container on the managed side). The role, or the identifier of the role, can be attribute information configured in advance by the user side or the terminal device side for the container or the tenant, and is not described in further detail here.
In an optional embodiment, each container policy group may include at least one container policy; the container policy or the container policy group is used to limit the operating rights of the container. The container policies include, but are not limited to, any one or a combination of the following: a Security-Enhanced Linux (SELinux) policy, a secure computing (seccomp) policy, a system capability policy, a GRSecurity kernel security enhancement policy, an image security policy, a container network security policy, a disk resource policy, a container traffic policy and the like. Several container policies are described specifically below by way of example.
The SELinux policy is used to limit the container's access rights to different files. Specifically, an SELinux policy can label all the processes in the container and all the files those processes need to access, so that when the container is run as a process, it controls which files the process needs to access and specifically how those files are accessed. Optionally, the SELinux policy can limit the container's access rights to files in the form of a blacklist or a whitelist. The SELinux policy is not described in further detail here.
The seccomp policy is used to limit the container's calls to kernel application programming interfaces (APIs) and the processing that follows a kernel API call. For example, if the permission for a kernel API to write files is not granted, then when the kernel API for creating files is called, the call can be directly refused, or the process calling the kernel API to create the file can be killed. Optionally, the seccomp policy can also limit (control) kernel API calls in the form of a blacklist or a whitelist. The seccomp policy is not described in further detail here.
The capability policy is used to limit the behaviour or abilities of the container, to prevent the container from escaping and causing problems such as data leakage or data corruption. Specifically, for secure access to and authorization checking of kernel resources, the operating system kernel (such as the Linux kernel) divides access to and checking of kernel resources into a plurality of independent units. Each unit describes some aspect that the kernel needs to check, and the kernel operates accordingly on the basis of the check; this is not described in detail here. Since version 2.2 the Linux kernel has had 30 operating system capabilities (Linux system capabilities, SYS_CAP). These capabilities control which kernel resources a container (specifically, a process in the container) can or cannot access. Optionally, the capability policy can limit the abilities of the container (specifically, the container's access rights to kernel resources) by means of a blacklist or a whitelist. For example, if the blacklist includes the network device permission CAP_NET_ADMIN, the processes in the container cannot configure or manage network devices.
The GRSecurity policy is used to make security extensions to the operating system kernel and to defend against memory corruption, so as to enhance the security of the container. Specifically, all the containers on the same terminal device (physical host) share the same memory, so the security of the memory needs to be defended. The GRSecurity policy can prevent memory from being corrupted through intelligent access control, avoiding vulnerabilities that cause problems such as data leakage, loss or corruption.
The image security policy is used to control access to the image repository and also to ensure the integrity of the image, so as to prevent possible corruption of the image. Because a container is created on the basis of the image of an application, in the course of creating the container the relevant information of the application's image (such as the image's directory and digital signature information) needs to be loaded into the image store (MemoryGraph), so that the loaded image of the application can be accessed and the container created on the basis of it. In addition, the integrity of the image is ensured by image checksum verification, so as to prevent the image from being corrupted and the container from failing to be created. Optionally, no subsequent processing is performed for an image whose checksum verification fails; correspondingly, a prompt message can be output to indicate that the image of the application is incomplete and the creation of the container (docker) cannot be completed.
The container network security policy is used to limit communication between containers. Specifically, the container network security policy can forbid or allow communication between containers by means of set rules (such as firewall iptables rules). The container network security policy is not described in further detail here.
The disk resource policy is used to limit the disk usage of the container, preventing a container from exhausting all the disk space on the terminal device (physical host) so that other containers cannot store files. Specifically, the disk resource limitation policy can limit the disk usage of the container on a per-tenant or per-file-system basis. For example, the disk usage of each container can be checked periodically to prevent excessive disk usage from affecting the performance of the device.
The container traffic policy is used to limit the network bandwidth of the container, so as to reduce the harm of denial-of-service (DoS) attacks on the container. Specifically, the network interface card traffic of the container can be limited by set rules, for example using the traffic controller (TC) program. The container traffic policy is not described in further detail in the invention.
Taking a container that supports running the relational database management system MySQL as an example, Table 1 below shows a container policy group.
Table 1
Table 1 shows 3 kinds of container policy: a capability policy, a seccomp policy and an SELinux policy. In Table 1, each policy entry preceded by an exclamation mark "!" is a blacklist entry, meaning that the permission in the blacklist is forbidden; the remaining entries default to a whitelist, meaning that the permissions in the whitelist are allowed. For example, in the SELinux policy, "/var/lib/mysql" means that processes in the container are allowed to access the /var/lib/mysql directory, and "!/var/logs" means that processes in the container are not allowed to (are refused to) access the /var/logs directory.
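As an added Python example (not the patent's own code), the following evaluates access requests against a container policy group written in the notation of Table 1. The MySQL group it contains is constructed: only the two SELinux entries and CAP_NET_ADMIN come from the text, and the default-deny behaviour of a strategy that carries whitelist entries is an assumption the text leaves open.

```python
"""Evaluate access requests against a Table 1 style container policy group.

Added example, not the patent's own code. The policy group below is
constructed for illustration; only the SELinux entries and CAP_NET_ADMIN
come from the text. Semantics assumed here: a "!"-prefixed entry is a
blacklist (deny) entry, other entries are whitelist (allow) entries, a
deny always wins, a strategy that has any whitelist entries denies
everything it does not list (default deny), and a strategy with only
blacklist entries allows everything it does not list.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Decision = Tuple[bool, str]


@dataclass
class ContainerStrategy:
    kind: str                                        # "capability", "seccomp" or "selinux"
    allow: List[str] = field(default_factory=list)   # whitelist entries
    deny: List[str] = field(default_factory=list)    # blacklist entries ("!")


def parse_strategy(kind: str, entries: List[str]) -> ContainerStrategy:
    """Split Table 1 notation into whitelist and blacklist entries."""
    strategy = ContainerStrategy(kind)
    for entry in entries:
        entry = entry.strip()
        if entry.startswith("!"):
            strategy.deny.append(entry[1:].strip())
        else:
            strategy.allow.append(entry)
    return strategy


def covers(kind: str, rule: str, item: str) -> bool:
    """Does a policy entry apply to the requested item?

    SELinux entries name directories, so they cover the directory itself and
    everything below it; capability names and syscall names match exactly.
    """
    if kind != "selinux":
        return rule == item
    rule = rule.rstrip("/") or "/"
    return item == rule or item.startswith(rule + "/")


def decide(strategy: ContainerStrategy, item: str) -> Decision:
    """Blacklist first, then whitelist, then the per-strategy default."""
    if any(covers(strategy.kind, r, item) for r in strategy.deny):
        return False, "blacklisted"
    if strategy.allow:
        if any(covers(strategy.kind, r, item) for r in strategy.allow):
            return True, "whitelisted"
        return False, "not in whitelist"
    return True, "not blacklisted"


class ContainerPolicyGroup:
    """One container policy group: at most one strategy per kind."""

    def __init__(self, name: str, strategies: List[ContainerStrategy]):
        self.name = name
        self.strategies: Dict[str, ContainerStrategy] = {}
        for s in strategies:
            if s.kind in self.strategies:
                raise ValueError(f"duplicate strategy kind {s.kind!r}")
            self.strategies[s.kind] = s

    def check(self, kind: str, item: str) -> Decision:
        """Would the kernel, configured with this group, permit the request?"""
        strategy = self.strategies.get(kind)
        if strategy is None:
            return True, "no strategy of this kind in group"
        return decide(strategy, item)


# Constructed policy group for a MySQL container in the spirit of Table 1.
MYSQL_GROUP = ContainerPolicyGroup("mysql", [
    parse_strategy("capability", ["!CAP_NET_ADMIN"]),             # blacklist only
    parse_strategy("seccomp", ["!ptrace", "!mount"]),             # blacklist only
    parse_strategy("selinux", ["/var/lib/mysql", "!/var/logs"]),  # mixed
])


if __name__ == "__main__":
    for kind, item in [("selinux", "/var/lib/mysql/ibdata1"),
                       ("selinux", "/var/logs/mysqld.log"),
                       ("selinux", "/etc/shadow"),
                       ("capability", "CAP_NET_ADMIN"),
                       ("capability", "CAP_CHOWN"),
                       ("seccomp", "ptrace"),
                       ("seccomp", "read")]:
        allowed, why = MYSQL_GROUP.check(kind, item)
        print(f"{kind:10} {item:28} {'allow' if allowed else 'deny':5} ({why})")
```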
In an optional embodiment, container policy groups of different security grades can be configured in the CSPR for different kinds of identification information. For example, the plurality of kinds of identification information include first identification information and second identification information; if the permissions pre-configured for the first identification information are greater than the permissions pre-configured for the second identification information, then the first security grade is higher than the second security grade, where the first security grade is the security grade of the container policy group associated with the first identification information and the second security grade is the security grade of the container policy group associated with the second identification information. That is, in the CSPR the user can configure a container policy group of a higher security grade for identification information with larger permissions; the operating rights that it is used to limit are correspondingly larger.
Taking the case where a kind of identification information includes the identifier of a tenant as an example, the user can configure container policies of different security grades for different tenants in the CSPR. For example, for a tenant with larger operating rights (such as a super administrator or an administrator), a container policy of a high security grade can be configured; correspondingly, a container policy of a lower security grade can be configured for a tenant with smaller operating rights (such as an ordinary user).
In an alternative embodiment, the CSPR must ensure that no two container strategies in the same container strategy group conflict with each other, where a container strategy group may include at least one container strategy. That is, for a given container strategy group, any two of its container strategies must not conflict with each other.
Taking one container strategy group as an example, when a new container strategy is added to the group, the user must verify that the new strategy neither conflicts with nor contradicts any of the container strategies already in the group. If there is no conflict, the new container strategy may be added to the group; otherwise, the flow is terminated or the user is prompted that the new container strategy conflicts with a container strategy in the group. Specifically, whether a new container strategy conflicts with the container strategies in the group can be determined by examining the scope of action and the direction of action of the new strategy and of each container strategy already in the group. The scope of action is the range (or domain) of the authority that a container strategy limits for some operation of the container; the direction of action is whether the container strategy grants or withholds the authority for the container to carry out that operation.
Within the same container strategy group, if the scope of action of the new container strategy does not fall into (does not belong to) the scope of action of any container strategy already in the group, the container strategies in the group do not conflict. Alternatively, if the same container strategy group contains at least two container strategies that limit the same operation of the container, and the directions of action of those container strategies are not opposite to or exclusive of one another, then the container strategies in the group do not conflict.
For example, suppose a container strategy group contains a first strategy and a second strategy that do not conflict with each other. Now a third strategy is to be added to the group. Suppose the third strategy and the first strategy both limit the container's operating right for the same operation, for example the right to access the same file. If the directions of action (limiting directions) of the third strategy and the first strategy are opposite, that is, the third strategy grants access to the file while the first strategy indicates that access to the file is not granted, then the new third strategy plainly conflicts with the first strategy in the group, and adding the third strategy is not allowed.
As another example, a capability strategy and a seccomp strategy may be present in the same container strategy group at the same time. In general, capability strategies and seccomp strategies need to be used together. Take a seccomp grant of mount (mounting) as an example: for a seccomp mount grant to take effect, the CAP_SYS_ADMIN (system administration) capability in the capability strategy (SYS_CAP) must normally be granted as well, because mount(2) is refused by the kernel without it. If a container strategy group grants mount in seccomp but does not grant CAP_SYS_ADMIN in SYS_CAP, the group is contradictory and in conflict. In other words, the scope of action of the seccomp mount grant belongs to (falls within) the scope of action of the CAP_SYS_ADMIN grant in SYS_CAP, so these two container strategies in the group collide with each other. Note that the inverse combination deserves more attention from a security standpoint: granting CAP_SYS_ADMIN while blocking mount in seccomp is not contradictory, but CAP_SYS_ADMIN covers far more than mount, so the seccomp rule alone does not contain that capability.
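The scope-of-action and direction-of-action test, together with the seccomp/capability dependency just described, as an added example; this is not the patent's own code. Strategies are written in the Table 1 notation, where a leading "!" marks a blacklist entry. The mechanism names, the Strategy type, the dependency table and the rule that one SELinux path scope "falls into" another when it is the same path or a sub-path are all assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Strategy:
    """One container strategy: a Table 1 style entry plus its mechanism (assumed type)."""
    mechanism: str   # "capability", "seccomp" or "selinux"
    scope: str       # CAP_* name, syscall name, or filesystem path
    allow: bool      # True = whitelist entry, False = "!" blacklist entry

    def __str__(self) -> str:
        return f"{self.mechanism}:{'' if self.allow else '!'}{self.scope}"


def parse_entry(mechanism: str, entry: str) -> Strategy:
    """A leading "!" marks a blacklist entry, as in Table 1."""
    if entry.startswith("!"):
        return Strategy(mechanism, entry[1:], False)
    return Strategy(mechanism, entry, True)


# Seccomp grants that only take effect alongside a capability grant:
# mount(2)/umount2(2) need CAP_SYS_ADMIN, settimeofday(2) needs CAP_SYS_TIME.
# The table itself is an assumption of this example; extend it as needed.
SECCOMP_REQUIRES_CAP = {
    "mount": "CAP_SYS_ADMIN",
    "umount2": "CAP_SYS_ADMIN",
    "settimeofday": "CAP_SYS_TIME",
}


def _path_within(inner: str, outer: str) -> bool:
    """True if path `inner` is `outer` itself or lies below it."""
    outer = outer.rstrip("/")
    if outer == "":          # outer is the filesystem root
        return True
    return inner == outer or inner.startswith(outer + "/")


def scopes_overlap(a: Strategy, b: Strategy) -> bool:
    """Scope-of-action test: same mechanism and one scope falls into the other."""
    if a.mechanism != b.mechanism:
        return False
    if a.mechanism == "selinux":
        return _path_within(a.scope, b.scope) or _path_within(b.scope, a.scope)
    return a.scope == b.scope


def pair_conflict(a: Strategy, b: Strategy) -> Optional[str]:
    """Two strategies conflict when their scopes overlap but their directions are opposite."""
    if scopes_overlap(a, b) and a.allow != b.allow:
        return f"direction conflict: {a} vs {b}"
    return None


def validate_group(group: List[Strategy]) -> List[str]:
    """Whole-group check, as the CSPR performs before storing a group."""
    problems = []
    for i, a in enumerate(group):
        for b in group[i + 1:]:
            reason = pair_conflict(a, b)
            if reason:
                problems.append(reason)
    # Dependency check: a seccomp grant whose capability is absent (or blacklisted)
    # can never take effect, so the group is contradictory.
    granted_caps = {s.scope for s in group if s.mechanism == "capability" and s.allow}
    for s in group:
        needed = SECCOMP_REQUIRES_CAP.get(s.scope)
        if s.mechanism == "seccomp" and s.allow and needed and needed not in granted_caps:
            problems.append(f"seccomp grant of {s.scope} has no matching {needed} grant")
    return problems


def add_strategy(group: List[Strategy], new: Strategy) -> List[Strategy]:
    """Incremental add: reject `new` if it conflicts with any existing strategy."""
    for existing in group:
        reason = pair_conflict(existing, new)
        if reason:
            raise ValueError(reason)
    return group + [new]


if __name__ == "__main__":
    # Constructed sample group in the Table 1 style.
    group = [
        parse_entry("capability", "CAP_NET_BIND_SERVICE"),
        parse_entry("selinux", "/var/lib/mysql"),
        parse_entry("selinux", "!/var/logs"),
    ]
    print(validate_group(group))                                   # []
    print(pair_conflict(group[1], parse_entry("selinux", "!/var/lib/mysql/data")))
    print(validate_group([parse_entry("seccomp", "mount")]))       # missing CAP_SYS_ADMIN
```

add_strategy() implements the per-addition check of the paragraph above (scope overlap with opposite direction), while validate_group() is the whole-group verification and also catches the seccomp-without-capability case, which is a property of the group rather than of any single pair.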
Second, the kernel 204 is the core of the system, the program that manages the device's hardware and software resources. All containers created on the same terminal device (physical host) share the same kernel 204. To ensure container security, the kernel can provide corresponding security mechanisms such as SELinux, seccomp, capabilities and grsecurity (the last of these being an out-of-tree patch set rather than an upstream kernel mechanism). Accordingly, each container strategy in a container strategy group in the CSPR can be implemented/configured in the corresponding security mechanism of the kernel, so that the container is protected by the container strategy group and its security is strengthened. For example, the SELinux strategy is implemented and configured in the kernel's SELinux mechanism, the seccomp strategy in the kernel's seccomp mechanism, and so on. How a container strategy group in the CSPR is configured into the kernel is described in detail below and is not repeated here.
Next, the container management system 206 is used to provide the technology and mechanisms needed to create the container 208. For the container management system 206, refer to the related description in the previous embodiment; it is not repeated here.
Finally, the container enforcement engine (SPEE) 210 is the tool needed to configure a container strategy group, that is, implementing/configuring a container strategy group from the CSPR must be assisted by the SPEE. The SPEE is not described in further detail here.
How the components of the embodiment described in Fig. 2 cooperate to complete container creation, so that the created container is protected by a container strategy group in the CSPR and container security is strengthened, is described in detail below.
Based on the previous embodiments, refer to Fig. 4, a schematic flow diagram of a container creation method provided by an embodiment of the present invention. The method shown in Fig. 4 may include the following implementation steps:
Step S402: a terminal device receives configuration information, the configuration information being used to request the creation of a container;
The configuration information is used to create the container and includes, but is not limited to, parameter information such as the container name, the container identifier, the container type, summary information describing the container application, the application (i.e. the application program) to be placed in the container, and the configuration files the application needs to access.
In an alternative embodiment, the configuration information may include at least one item of identification information. The at least one item of identification information is used to determine the target container strategy group of the container to be created, in order to strengthen the security of the container. For the identification information, refer to the related description in the previous embodiment; it is not repeated here.
Step S404: the terminal device determines a target container strategy group according to the configuration information and creates the container, the target container strategy group including at least one container strategy, the container strategy being used to limit the operating rights of the created container;
The target container strategy group is used to strengthen the security of the container. It includes one or more container strategies, and a container strategy is used to limit the operating rights of the container. For the container strategy, refer to the related description in the previous embodiment; it is not repeated here.
Step S406: the terminal device configures the target container strategy group into the kernel, so that the kernel limits the operating rights of the created container according to the target container strategy group.
Some specific embodiments involved in the embodiments of the present invention are described below.
In step S402, the terminal device receives a container creation request (createdocker) from a tenant (user client), the container creation request including configuration information used to request the creation of a container. The configuration information may include at least one item of identification information, which is used to determine the target container strategy group of the container. For the configuration information, refer to the related description of the identification information in the previous embodiment; it is not repeated here.
In step S404, where the configuration information includes at least one item of identification information, the terminal device can look up, according to the at least one item of identification information in the configuration information, the target container strategy group corresponding to the configuration information in the container policy database CSPR; the at least one item of identification information is associated with the target container strategy group. Correspondingly, the terminal device can also create the container using the parameter information in the configuration information, the parameter information being the parameters needed to create the container, such as the container identifier and the application to be placed in the container. Creation of the container is not described in detail here.
It should be understood that the container policy database CSPR can be pre-set on the user side or on the terminal device side, and the CSPR stores the associations between a variety of identification information and a variety of container strategy groups. One kind of identification information is associated with one container strategy group, and different kinds of identification information are associated with different container strategy groups. The at least one item of identification information is any of the varieties of identification information in the CSPR, and the target container strategy group is any of the varieties of container strategy groups in the CSPR. For the creation of the CSPR, refer to the related description in the previous embodiment; it is not repeated here.
In step S406, the terminal device can implement and configure the target container strategy group determined in step S404 into the kernel, so that the kernel limits the operating rights of the created container according to the target container strategy group. That is, the container is under the protection of the target container strategy group, which achieves the purpose of strengthening container security.
Taking a capability strategy configured in the kernel as an example, when a process in the container calls some kernel API to access the corresponding kernel resource, and the capability strategy indicates that the kernel API is not authorized, the kernel can directly refuse the call or kill the process that invoked the kernel API to access that kernel resource. In Linux specifically, a failed capability check makes the system call return EPERM to the caller; terminating the process outright is the behaviour of a seccomp filter configured with a kill action rather than of the capability check itself.
With reference to the embodiment described in Fig. 2, the cooperation among the components of the network architecture diagram in the embodiments of the present invention is described below. Refer to Fig. 5, a schematic flow diagram of another container creation method provided by an embodiment of the present invention. The method shown in Fig. 5 may include the following implementation steps:
1. The user client 502 sends a strategy creation request to the container policy database (CSPR) 504, the strategy creation request being used to request the creation in the CSPR of an association between a container strategy group and a kind of identification information. Correspondingly, the CSPR receives the strategy creation request. The container strategy group includes at least one container strategy. For the container strategy group, the container strategy and the identification information, refer to the related description of the embodiment described in Fig. 2; it is not repeated here.
2. The CSPR verifies whether the container strategies in the container strategy group conflict with one another. For the conflict detection/verification of container strategies in a container strategy group, refer to the related description in the previous embodiment; it is not repeated here.
3. If the container strategies in the container strategy group do not conflict, the CSPR stores the mapping between the container strategy group and the identification information.
In an alternative embodiment, the user client can create and store in the CSPR associations between a variety of container strategy groups and a variety of identification information, where one container strategy group is associated with one kind of identification information and different container strategy groups are associated with different identification information. Fig. 5 takes the association of one container strategy group with one kind of identification information only as an example and does not constitute a limitation.
4. The user client 502 sends a container creation request (createdocker) to the container core engine 508 (docker engine). Correspondingly, the container core engine 508 receives the container creation request. The container creation request includes configuration information used to request the creation of a container, and the configuration information may include at least one item of identification information. For the configuration information, refer to the related description in the previous embodiment; it is not repeated here. The container core engine 508 is the tool in the container management system responsible for creating the docker container and is not described in further detail here.
5. The container core engine 508 sends a policy query request (querypolicy) to the container policy database (CSPR) 504, the policy query request including the at least one item of identification information from the configuration information. Correspondingly, the CSPR receives the policy query request.
6. The CSPR looks up the corresponding target container strategy group according to the at least one item of identification information. The target container strategy group is any of the varieties of container strategy groups stored in the CSPR, and the at least one item of identification information is any of the varieties of identification information stored in the CSPR.
7. The CSPR sends the target container strategy group to the container core engine 508. Correspondingly, the container core engine receives the target container strategy group.
8. The container core engine 508 calls the docker daemon in the container management system to create the container using the relevant parameter information in the configuration information. For the relevant parameter information in the configuration information, refer to the related description in the previous embodiment; it is not repeated here. It should be noted that the order of steps 4-7 and step 8 may vary during execution, that is, step 8 may be performed first and steps 4-7 afterwards; the present invention does not limit this.
9-10. The container core engine 508 uses the hook mechanism to call the container enforcement engine 506 (security policy execute engine, SPEE) to configure each container strategy in the target container strategy group into the kernel 510. For example, when the target container strategy group includes an SELinux strategy, the SPEE calls the relevant SELinux function interfaces to configure the SELinux strategy in SELinux. Correspondingly, when the target container strategy group includes strategies other than an SELinux strategy, the SPEE calls the relevant function interfaces of the kernel (such as the Linux kernel) to configure the other strategies in the target container strategy group into the kernel.
11-12. After registering/configuring the container strategies in the target container strategy group into the kernel, the SPEE can send a feedback message to the container core engine 508 to notify it that the configuration of the container strategies is complete. Correspondingly, the container core engine can then formally enable the container, that is, the container is now under the protection of the target container strategy group. Note that on Linux a seccomp filter and the capability sets are inherited across exec and must be in place on the container's initial process before it starts the workload; they cannot be attached to an already running process from outside, so the feedback of steps 11-12 must precede the start of the container's workload for the protection to be complete.
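The Fig. 5 flow, and steps S402 to S406 of Fig. 4, carried through in code as an added example; this is not the patent's own code. It keeps a minimal CSPR keyed by identification information (steps 1 and 3, 5 to 7), looks up the target group for a creation request, and renders that group into what a runtime-based SPEE would hand to the kernel (steps 9 and 10). The rendering assumes Docker's seccomp profile JSON format and its --cap-add, --cap-drop and --security-opt flags, and the container-selinux convention that paths must carry the container_file_t label to be accessible to the container domain; the CSPR class, the function names and the sample groups are made up for this example.

```python
import json
from typing import Dict, List, Tuple

# A strategy group in the Table 1 format: mechanism -> entries, "!" = blacklist.
StrategyGroup = Dict[str, List[str]]
Identification = Tuple[str, str]   # e.g. ("tenant", "acme"), ("role", "admin")


class CSPR:
    """Container policy database: one identification maps to one strategy group (assumed shape)."""

    def __init__(self) -> None:
        self._groups: Dict[Identification, StrategyGroup] = {}

    def register(self, ident: Identification, group: StrategyGroup) -> None:
        # Steps 1 and 3 of Fig. 5. Conflict verification (step 2) is assumed
        # to have been done by the caller; only the association is stored.
        if ident in self._groups:
            raise ValueError(f"{ident} already has a strategy group")
        self._groups[ident] = group

    def query(self, idents: List[Identification]) -> StrategyGroup:
        # Steps 5 and 6: the creation request carries at least one identification;
        # the first one that has an association selects the target group.
        for ident in idents:
            if ident in self._groups:
                return self._groups[ident]
        raise LookupError(f"no strategy group for {idents}")


def _split(entries: List[str]) -> Tuple[List[str], List[str]]:
    """Separate whitelist entries from "!"-prefixed blacklist entries."""
    allowed = [e for e in entries if not e.startswith("!")]
    denied = [e[1:] for e in entries if e.startswith("!")]
    return allowed, denied


def seccomp_profile(entries: List[str]) -> dict:
    """Docker-format seccomp profile for the seccomp strategy.

    With whitelist entries the default action is deny (SCMP_ACT_ERRNO);
    with blacklist entries only, the default is allow and the listed calls fail.
    """
    allowed, denied = _split(entries)
    profile = {
        "defaultAction": "SCMP_ACT_ERRNO" if allowed else "SCMP_ACT_ALLOW",
        "architectures": ["SCMP_ARCH_X86_64"],
        "syscalls": [],
    }
    if allowed:
        profile["syscalls"].append({"names": sorted(allowed), "action": "SCMP_ACT_ALLOW"})
    if denied:
        profile["syscalls"].append({"names": sorted(denied), "action": "SCMP_ACT_ERRNO"})
    return profile


def render_kernel_config(group: StrategyGroup, profile_path: str) -> dict:
    """What the SPEE would pass to the runtime/kernel for one target group (steps 9-10)."""
    cap_allow, cap_deny = _split(group.get("capability", []))
    # Least privilege: start from no capabilities, then add only the whitelisted ones.
    docker_args = ["--cap-drop", "ALL"]
    for cap in cap_allow:
        docker_args += ["--cap-add", cap]
    for cap in cap_deny:
        docker_args += ["--cap-drop", cap]
    if group.get("seccomp"):
        docker_args += ["--security-opt", f"seccomp={profile_path}"]

    # SELinux: whitelisted paths get the container_file_t label; blacklisted
    # paths stay unlabelled, so the default-deny policy already blocks them.
    sel_allow, sel_deny = _split(group.get("selinux", []))
    fcontext_cmds = []
    for path in sel_allow:
        pattern = path.rstrip("/") + "(/.*)?"
        fcontext_cmds.append(f'semanage fcontext -a -t container_file_t "{pattern}"')
    return {
        "docker_args": docker_args,
        "seccomp_profile": seccomp_profile(group.get("seccomp", [])),
        "selinux_fcontext": fcontext_cmds,
        "selinux_must_not_be_container_file_t": sel_deny,
    }


def write_seccomp_profile(group: StrategyGroup, profile_path: str) -> None:
    """Write the profile file referenced by the --security-opt argument."""
    with open(profile_path, "w") as fh:
        json.dump(seccomp_profile(group.get("seccomp", [])), fh, indent=2)


if __name__ == "__main__":
    # Constructed sample: an admin role gets a wider group than an ordinary user.
    cspr = CSPR()
    cspr.register(("role", "admin"), {
        "capability": ["CAP_NET_BIND_SERVICE", "CAP_SYS_ADMIN"],
        "seccomp": ["!ptrace"],
        "selinux": ["/var/lib/mysql", "!/var/logs"],
    })
    cspr.register(("role", "user"), {
        "capability": ["!CAP_SYS_ADMIN"],
        "seccomp": ["!mount", "!ptrace"],
        "selinux": ["!/var/logs"],
    })
    target = cspr.query([("tenant", "acme"), ("role", "user")])
    print(json.dumps(render_kernel_config(target, "/etc/docker/acme-user.json"), indent=2))
```

A whitelist-style seccomp strategy produces a default-deny profile, so in practice the allow list must also contain every system call the container's init process and runtime need; a group that allows only mount would stop the container from starting at all, which is why deny-list groups are the easier starting point when migrating existing workloads.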
By implementing the embodiments of the present invention, security problems of the prior art such as incomplete container isolation mechanisms can be overcome and container security improved.
The solution provided by the embodiments of the present invention has been described above mainly from the perspective of the interaction between the terminal device and other devices (such as the user client). It can be understood that, to implement the above functions, the terminal device includes hardware structures and/or software modules corresponding to each function. With reference to the units and algorithm steps of the examples described in the embodiments disclosed herein, the embodiments of the present invention can be implemented in hardware or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the particular application and the design constraints of the technical solution. A person skilled in the art may use different methods to implement the described functions for each particular application, but such an implementation should not be considered to go beyond the scope of the technical solution of the embodiments of the present invention.
The embodiments of the present invention may divide the terminal device into functional units according to the above method examples; for example, each functional unit may correspond to one function, or two or more functions may be integrated in one processing unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit. It should be noted that the division into units in the embodiments of the present invention is schematic and is only a division of logical functions; other divisions are possible in an actual implementation.
In the case of using integrated unit, Fig. 6 A show one kind of terminal device involved in above-described embodiment Possible structural representation.Terminal device 600 includes:Processing unit 602 and communication unit 603.Processing unit 602 was used for end The action of end equipment 600 is controlled management, for example, processing unit 602 is used to support terminal device 600 to perform the step in Fig. 4 Rapid S404 and step S406, and/or for performing other steps of techniques described herein.Communication unit 603 is used to support Terminal device 600 and the communication of other equipment, for example, communication unit 603 is used to support terminal device 600 to perform the step in Fig. 4 Rapid S402, and/or for performing other steps of techniques described herein.Terminal device 900 can also include memory cell 601, program code and data for storage terminal device 600.
Wherein, processing unit 602 can be processor, such as can be central processing unit (English:Central Processing Unit, CPU), general processor, digital signal processor (English:Digital Signal Processor, DSP), application specific integrated circuit (English:Application-Specific Integrated Circuit, ASIC), scene can compile Journey gate array (English:Field Programmable Gate Array, FPGA) or other PLDs, crystal Pipe logical device, hardware component or its any combination.It can realize or perform with reference to described by the disclosure of invention Various exemplary logic blocks, module and circuit.The processor can also be the combination for realizing computing function, such as comprising One or more microprocessors combine, combination of DSP and microprocessor etc..Communication unit 603 can be communication interface, transmitting-receiving Device, transmission circuit etc., wherein, communication interface is to be referred to as, and can include one or more interfaces, such as terminal device is set with other Interface between standby.Memory cell 601 can be memory.
When processing unit 602 is processor, communication unit 603 is communication interface, when memory cell 601 is memory, this Terminal device involved by inventive embodiments can be the terminal device shown in Fig. 6 B.
Refering to shown in Fig. 6 B, the terminal device 610 includes:Processor 612, communication interface 613, memory 611.It is optional Ground, terminal device 610 can also include bus 614.Wherein, communication interface 613, processor 612 and memory 611 can lead to Bus 614 is crossed to be connected with each other;Bus 614 can be Peripheral Component Interconnect standard (English:Peripheral Component Interconnect, abbreviation PCI) bus or EISA (English:Extended Industry Standard Architecture, abbreviation EISA) bus etc..The bus 614 can be divided into address bus, data/address bus, controlling bus etc.. For ease of representing, only represented in Fig. 6 B with a thick line, it is not intended that an only bus or a type of bus.
The step of method or algorithm with reference to described by disclosure of the embodiment of the present invention, can be come real in a manner of hardware Realized now or by the mode of computing device software instruction.Software instruction can be made up of corresponding software module, Software module can be stored on random access memory (English:Random Access Memory, RAM), flash memory, read-only deposit Reservoir (English:Read Only Memory, ROM), Erasable Programmable Read Only Memory EPROM (English:Erasable Programmable ROM, EPROM), EEPROM (English:Electrically EPROM, EEPROM), register, hard disk, mobile hard disk, read-only optical disc (CD-ROM) or any other form well known in the art are deposited In storage media.A kind of exemplary storage medium is coupled to processor, believes so as to enable a processor to read from the storage medium Breath, and information can be write to the storage medium.Certainly, storage medium can also be the part of processor.Processor and deposit Storage media can be located in ASIC.In addition, the ASIC can be located in fault test set.Certainly, processor and storage medium It can also be present in as discrete assembly in terminal device.
One of ordinary skill in the art will appreciate that realize all or part of flow in above-described embodiment method, being can be with The hardware of correlation is instructed to complete by computer program, described program can be stored in computer read/write memory medium In, the program is upon execution, it may include such as the flow of the embodiment of above-mentioned each method.And foregoing storage medium includes:ROM、 RAM, magnetic disc or CD etc. are various can be with the medium of store program codes.

Claims (14)

1. A container creation system, characterised in that it includes a container core engine, a container enforcement engine and a kernel;
the container core engine is configured to receive configuration information, the configuration information being used to request the creation of a container;
the container core engine is further configured to determine a target container strategy group according to the configuration information and to create the container, the target container strategy group including at least one container strategy, the container strategy being used to limit the operating rights of the created container;
the container enforcement engine is configured to configure the target container strategy group into the kernel, so that the kernel limits the operating rights of the created container according to the target container strategy group.
2. The container creation system according to claim 1, characterised in that the configuration information includes at least one of the following items of identification information: an identifier of a tenant, an identifier of the created container, an identifier of an application and an identifier of a role, wherein the at least one item of identification information is associated with the target container strategy group, an image of the application is used to create the container, and the role is an attribute pre-configured for the container or the tenant.
3. The container creation system according to claim 2, characterised in that the container creation system further includes a container policy database;
the container policy database is configured to store associations between a variety of container strategy groups and a variety of identification information, wherein each container strategy group in the variety of container strategy groups is associated with one kind of identification information, different identification information in the variety of identification information is associated with different container strategy groups, the at least one item of identification information is any of the variety of identification information, the target container strategy group is any of the variety of container strategy groups, and a container strategy group includes at least one container strategy.
4. The container creation system according to claim 3, characterised in that the variety of identification information includes first identification information and second identification information, the security class of the container strategy group associated with the first identification information is a first security class, and the security class of the container strategy group associated with the second identification information is a second security class; each kind of identification information in the variety of identification information has been pre-configured with an authority, and if the authority of the first identification information is greater than the authority of the second identification information, the first security class is higher than the second security class.
5. The container creation system according to any one of claims 1-4, characterised in that any two container strategies among the at least one container strategy do not conflict with each other.
6. The container creation system according to any one of claims 1-5, characterised in that the container strategy includes any of the following: a Security-Enhanced Linux (SELinux) strategy, a system capability strategy and a secure computing (seccomp) strategy; wherein the SELinux strategy is used to limit the container's access rights to system files, the capability strategy is used to limit the container's privilege checks and authorizations for kernel resources, and the seccomp strategy is used to limit the container's rights to call kernel application programming interfaces (APIs).
7. A terminal device, characterised in that it includes a communication unit and a processing unit;
the communication unit is configured to receive configuration information, the configuration information being used to request the creation of a container;
the processing unit is configured to determine a target container strategy group according to the configuration information and to create the container, the target container strategy group including at least one container strategy, the container strategy being used to limit the operating rights of the created container;
the processing unit is further configured to configure the target container strategy group into a kernel, so that the kernel limits the operating rights of the created container according to the target container strategy group.
8. The terminal device according to claim 7, characterised in that the configuration information includes at least one of the following items of identification information: an identifier of a tenant, an identifier of the created container, an identifier of an application and an identifier of a role, wherein the at least one item of identification information is associated with the target container strategy group, an image of the application is used to create the container, and the role is an attribute pre-configured for the container or the tenant.
9. The terminal device according to claim 8, characterised in that
the processing unit is further configured to create associations between a variety of container strategy groups and a variety of identification information, wherein each container strategy group in the variety of container strategy groups is associated with one kind of identification information, different identification information in the variety of identification information is associated with different container strategy groups, the at least one item of identification information is any of the variety of identification information, the target container strategy group is any of the variety of container strategy groups, and a container strategy group includes at least one container strategy.
10. A container creation method, characterised in that the method includes:
a terminal device receiving configuration information, the configuration information being used to request the creation of a container;
the terminal device determining a target container strategy group according to the configuration information and creating the container, the target container strategy group including at least one container strategy, the container strategy being used to limit the operating rights of the created container;
the terminal device configuring the target container strategy group into a kernel, so that the kernel limits the operating rights of the created container according to the target container strategy group.
11. The method according to claim 10, characterised in that the configuration information includes at least one of the following items of identification information: an identifier of a tenant, an identifier of the created container, an identifier of an application and an identifier of a role, wherein the at least one item of identification information is associated with the target container strategy group, an image of the application is used to create the container, and the role is an attribute pre-configured for the container or the tenant.
12. The method according to claim 11, characterised in that, before the terminal device determines the target container strategy group according to the configuration information and creates the container, the method further includes:
the terminal device creating associations between a variety of container strategy groups and a variety of identification information, wherein each container strategy group in the variety of container strategy groups is associated with one kind of identification information, different identification information in the variety of identification information is associated with different container strategy groups, the at least one item of identification information is any of the variety of identification information, the target container strategy group is any of the variety of container strategy groups, and a container strategy group includes at least one container strategy.
13. A terminal device, characterised in that it includes:
a memory, a communication interface and a processor coupled to the memory and the communication interface; the memory is configured to store instructions, the processor is configured to execute the instructions, and the communication interface is configured to communicate with other devices under the control of the processor;
wherein, when the processor executes the instructions, it performs the steps of the method according to any one of claims 10-12.
14. A computer-readable storage medium storing a computer program, characterised in that, when the computer program is executed by a processor, the method according to any one of claims 10 to 12 is implemented.
CN201710880952.0A 2017-09-26 2017-09-26 Container creation method, relevant device and computer-readable storage medium Pending CN107643940A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710880952.0A CN107643940A (en) 2017-09-26 2017-09-26 Container creation method, relevant device and computer-readable storage medium

Publications (1)

Publication Number Publication Date
CN107643940A true CN107643940A (en) 2018-01-30

Family

ID=61112267

Country Status (1)

Country Link
CN (1) CN107643940A (en)

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100132012A1 (en) * 2008-11-26 2010-05-27 Red Hat, Inc. Merging mandatory access control (mac) policies in a system with multiple execution containers
US8312043B2 (en) * 2008-11-26 2012-11-13 Red Hat, Inc. Isolating an execution container in a system with mandatory access control (MAC)
CN104067285A (en) * 2012-09-28 2014-09-24 英特尔公司 Secure data containers and data access control
US20140181896A1 (en) * 2012-12-25 2014-06-26 Kaspersky Lab Zao System and Method for Protecting Computer Resources from Unauthorized Access Using Isolated Environment
CN106293875A (en) * 2016-08-04 2017-01-04 中国联合网络通信集团有限公司 Docker container creation method and creation system
CN106528224A (en) * 2016-11-03 2017-03-22 腾讯科技(深圳)有限公司 Content updating method and system for Docker container, and server

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
柳倩 (Liu Qian): "Research on security isolation policy mechanisms for containers", China Master's Theses Full-text Database, Information Science and Technology series *
段赫 (Duan He): "Research and implementation of resource optimization for LXC containers", China Master's Theses Full-text Database, Information Science and Technology series *

Cited By (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110659100A (en) * 2018-06-29 2020-01-07 华为技术有限公司 Container management method, device and equipment
CN110659100B (en) * 2018-06-29 2022-05-24 华为技术有限公司 Container management method, device and equipment
US11042398B2 (en) 2018-07-09 2021-06-22 Samsung Electronics Co., Ltd. System and method for guest operating system using containers
CN109450848A (en) * 2018-09-21 2019-03-08 北京奇安信科技有限公司 Docker east-west traffic intrusion prevention method and device
CN109450848B (en) * 2018-09-21 2021-05-25 奇安信科技集团股份有限公司 Method and device for defending Docker east-west flow invasion
CN112823493A (en) * 2018-10-12 2021-05-18 西门子股份公司 Method, system, computer program and computer readable medium for automatically configuring a system
CN112823493B (en) * 2018-10-12 2023-09-05 西门子股份公司 Method, system, computer program and computer readable medium for automatically configuring a system
CN110035079A (en) * 2019-04-10 2019-07-19 阿里巴巴集团控股有限公司 Honeypot generation method, apparatus and device
CN111562970A (en) * 2020-07-15 2020-08-21 腾讯科技(深圳)有限公司 Container instance creating method and device, electronic equipment and storage medium
CN111562970B (en) * 2020-07-15 2020-10-27 腾讯科技(深圳)有限公司 Container instance creating method and device, electronic equipment and storage medium
CN111859428A (en) * 2020-07-22 2020-10-30 成都安恒信息技术有限公司 Containerization-based secret key storage method and system
CN111935110A (en) * 2020-07-24 2020-11-13 北京金山云网络技术有限公司 Method and device for controlling permission of tenant to access container instance
CN111935110B (en) * 2020-07-24 2022-05-06 北京金山云网络技术有限公司 Method and device for controlling permission of tenant to access container instance
CN112347515A (en) * 2020-11-20 2021-02-09 福州大学 Data detection and safety isolation method for edge operating system
WO2022193513A1 (en) * 2021-03-17 2022-09-22 腾讯云计算(北京)有限责任公司 Docker-based data processing method and related device
CN112861118A (en) * 2021-04-26 2021-05-28 湖北亿咖通科技有限公司 Dual-system inter-container security policy isolation method, electronic device and storage medium
CN113656148A (en) * 2021-08-20 2021-11-16 北京天融信网络安全技术有限公司 Container management method and device, electronic equipment and readable storage medium
CN113656148B (en) * 2021-08-20 2024-02-06 北京天融信网络安全技术有限公司 Container management method, device, electronic equipment and readable storage medium
CN115185642A (en) * 2022-07-21 2022-10-14 北京火山引擎科技有限公司 Container operation control method and device
WO2024016838A1 (en) * 2022-07-21 2024-01-25 北京火山引擎科技有限公司 Container operation control method and apparatus
CN115185642B (en) * 2022-07-21 2024-07-02 北京火山引擎科技有限公司 Container operation control method and device
CN115688094A (en) * 2022-09-13 2023-02-03 国科础石(重庆)软件有限公司 Method and device for realizing security level of container vehicle-mounted application and electronic equipment
CN115688094B (en) * 2022-09-13 2023-09-15 国科础石(重庆)软件有限公司 Method and device for realizing security level of container vehicle-mounted application and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180130