CN114282250B - Model container encryption and deployment system - Google Patents

Model container encryption and deployment system

Info

Publication number
CN114282250B
Authority
CN
China
Prior art keywords
model
key
encrypted
output result
gateway
Prior art date
Legal status
Active
Application number
CN202111624762.5A
Other languages
Chinese (zh)
Other versions
CN114282250A (en)
Inventor
王成欢
马小乐
王韫泽
魏向元
纪思远
王侯建
华家辉
郭晓林
Current Assignee
Aerospace Science And Engineering Intelligent Operation Research And Information Security Research Institute Wuhan Co ltd
Original Assignee
Aerospace Science And Engineering Intelligent Operation Research And Information Security Research Institute Wuhan Co ltd
Priority date
Filing date
Publication date
Application filed by Aerospace Science And Engineering Intelligent Operation Research And Information Security Research Institute Wuhan Co ltd
Priority to CN202111624762.5A
Publication of CN114282250A
Application granted
Publication of CN114282250B

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a model container encryption and deployment system and belongs to the technical field of computer application. In this system, the model containers and documents submitted by the model producer are stored in the model resource management platform, which enables management of model resources. Model containers are deployed automatically by pulling the configuration files provided by the model producer, which solves the problem of the model manager deploying a large number of model containers slowly. Encrypting the model with the SM2 and SM4 hybrid encryption algorithm also ensures that the model producer's model can only run in the model manager's K8s cluster, which ensures the security of the model.

Description

Model container encryption and deployment system
Technical Field
The invention belongs to the technical field of computer application, and particularly relates to a model container encryption and deployment system.
Background
Currently, a model and its dependent packages are typically packaged into a portable image using container (Docker) technology and then deployed into a K8s cluster. There are two main methods for deploying containers on a K8s cluster: the first is to write the Deployment configuration file directly and apply it through kubectl; the second is to configure the deployment parameters through a visual interface, with the background automatically generating the Deployment configuration file. The second method is a simplification of the first. Both store information such as the container name, label, image pull policy, container port number, node port number and number of replicas in a configuration file, in different ways, and the configuration file is applied through kubectl.
To prevent the developer's model container from being stolen by a third party when it is delivered to the first party, the model in the container needs to be encrypted. The current method for encrypting a container mainly consists of encrypting the container file with an encryption algorithm and decrypting the container with a decryption algorithm before deployment.
The Chinese patent CN 111930388 provides a sustainable integration method and system based on k8s and docker containers, and provides a method for creating containers based on yaml file configuration, wherein the method comprises the steps of sequentially connecting a git server, a nereus platform, a mirror warehouse and a k8s cluster, creating the containers, starting the containers, deploying the containers into the k8s cluster for management, and supporting the release, online and rollback of java, python, vue codes.
Deploying containers through configuration files requires professional operation and maintenance personnel to write the configuration files. Where such personnel are lacking and a large number of model containers must be deployed, model deployment personnel and model developers need to communicate extensively, so deployment efficiency is low and an automatic deployment technology for model containers is required. Current model container encryption technology is less secure, and model developers are reluctant to deliver model containers without encryption measures to the first party.
Disclosure of Invention
(I) Technical problem to be solved
The technical problem to be solved by the invention is how to design a model deployment application system in which the model developer encrypts the model container and the model manager automatically deploys the model container and decrypts the model, so that the security of the model is improved and the problem of low efficiency in deploying a large number of model containers is solved.
(II) Technical scheme
In order to solve the technical problems, the invention provides a model container encryption and deployment system, which comprises a model development module and a model management module, wherein the model development module is used for:
encrypting the output result of the model by using an SM2 and SM4 mixed encryption method, and compiling the output result into an executable file according to the used programming language;
converting the model into Web service capable of being called remotely by adopting different frameworks according to the programming language of the model, and packaging the model and the dependent files of the model into a container;
writing the configuration file required for deploying the model container, the configuration file comprising information such as the model name, image pull policy, container port number, run command, environment variables, number of container replicas, hardware resources required to run the container, and data volumes, so that the container management module can automatically deploy the model container from the configuration file; meanwhile, the model developer needs to provide the model's design documents, usage instructions and test document files to the model management module;
providing the hardware resources to a model management module through a visual interface, and storing the hardware resources in a model resource management platform; the information of the model development module comprises the information of the name, address, contact telephone and development business of the model development module;
the model management module is used for searching model information in a model resource library, deploying a corresponding model through a visual interface according to service requirements, and automatically recommending the node port number of a model container according to the available node port number, the used node port number and the required port number to realize automatic deployment of the container; the model information comprises the information of the name, the function, the programming language, the version number, the configuration file address, the mirror name and the mirror address of the model.
Preferably, the available node port numbers include stored and updated node port numbers of the K8s cluster that can provide services externally.
Preferably, the used node port number comprises a node port number already used in the stored and updated K8s cluster.
Preferably, the system further comprises a model using module and a Gateway, wherein the model using module and the Gateway are used for accessing the model instances already deployed in the K8s cluster through the Gateway, and a model decryption algorithm in the Gateway automatically decrypts the model output result and sends the model output result to the model using module.
Preferably, in the SM2 and SM4 hybrid encryption method adopted by the model development module, the output result of the model is encrypted by using a symmetric encryption SM4 algorithm to obtain an encrypted output result, the SM4 key is encrypted by using an asymmetric encryption SM2 algorithm to obtain an encrypted key string, and the output result encrypted by SM4 and the key string encrypted by SM2 are packaged and output to provide data for compiling.
Preferably, the model development module adopts an SM2 and SM4 mixed encryption method specifically as follows:
(1) The model management module initializes an SM2 key pair, a private key is stored in a Gateway, and a public key is issued to the model development module;
(2) The model development module uses an SM4 algorithm to initialize to obtain an SM4 key, and encrypts an output result by using the SM4 key to obtain an encrypted output result;
(3) The model development module obtains an SM2 public key, encrypts an SM4 key by using the SM2 public key, and obtains an encrypted SM4 key block;
(4) The model development module encapsulates the SM4 key block and the encrypted output result into an encrypted data block, and outputs the encrypted data block as a result of the model to provide data for compiling.
Preferably, the Gateway performs model decryption:
(1) The model use module requests a model service interface through Gateway service;
(2) After intercepting the request, the Gateway forwards the request to a corresponding model service;
(3) The model prototype executes according to the parameters input by the user and produces output; after the model's global output interception service intercepts the output interface, it encrypts the output result that requires encryption and outputs it to the Gateway;
(4) The Gateway receives the encrypted data block, and obtains an SM4 key block and an encrypted output result through analysis;
(5) The Gateway acquires an SM2 private key from the model resource management platform, and decrypts the SM4 key block by using the SM2 private key to obtain an SM4 key;
(6) And the Gateway decrypts the output result by using the obtained SM4 key to obtain a decrypted model output result, and sends the decrypted model output result to a user of the model.
Preferably, the model usage module also creates a data structure for holding model routing information.
Preferably, the routing information includes access prefix, routing ID, routing name, forwarding URL information.
The invention also provides application of the system in the technical field of computer application.
(III) Beneficial effects
By innovating the model container deployment flow and automatically recommending node port numbers, the invention realizes automatic deployment of model containers, reduces the management difficulty for the model manager, and improves the deployment speed of a large number of model containers. Meanwhile, the security of the model in the container is ensured by the SM2 and SM4 hybrid encryption mode: the SM4 encryption algorithm has high encryption speed, low security and complex key management, while SM2 is an asymmetric encryption algorithm with high security and simple key management but slower encryption and decryption of massive data, so mixing the two algorithms realizes a fast and highly secure model encryption mode. The Gateway decryption mode ensures that a model container developed by the model producer can only operate in the model manager's K8s cluster, thereby protecting the intellectual property of the model producer.
In this system, the model containers and documents submitted by the model producer are stored in the model resource management platform, which enables management of model resources. Model containers are deployed automatically by pulling the configuration files provided by the model producer, which solves the problem of the model manager deploying a large number of model containers slowly. Encrypting the model with the SM2 and SM4 hybrid encryption algorithm also ensures that the model producer's model can only run in the model manager's K8s cluster, which ensures the security of the model.
Drawings
FIG. 1 is a diagram of a system primary implementation of the present invention;
FIG. 2 is a schematic diagram of a model encryption algorithm of the present invention;
FIG. 3 is a schematic diagram of the model output decryption algorithm of the present invention.
Detailed Description
To make the purpose, content and advantages of the present invention clearer, embodiments of the present invention are described in detail below with reference to the drawings and examples.
As shown in fig. 1, the encryption and deployment system for model containers provided by the invention comprises a model development module of a model developer, a model management module of a model manager, a model use module and a Gateway, wherein the model development module is used for:
(1) Encrypting the output result of the model by using an SM2 and SM4 mixed encryption method, and compiling the output result into an executable file according to the used programming language;
(2) Converting the model into a Web service that can be called remotely (RPC), adopting different frameworks according to the programming language of the model, and packaging the model and its dependent files into a container;
(3) Writing the configuration file required for deploying the model container, which includes information such as the model name, image pull policy, container port number, run command, environment variables, number of container replicas, hardware resources required to run the container, and data volumes, so that the model manager can automatically deploy the model container from the configuration file. Meanwhile, the model developer needs to provide files such as the model's design documents, usage instructions and test documents to the model manager;
(4) Providing the resources in step 3 to the model manager through a visual interface and storing them in the model resource management platform, for which the invention creates the following data structures:
model development module information: used to record basic information of the model development module, such as its name, address, contact telephone and development services;
model information: used to record information such as the model's name, main function, programming language, version number, configuration file address, image name and image address;
configuration file library: used to record the storage address of the model deployment configuration file;
model image library: used to save the name and storage address of the model image file.
The model management module of the model manager is used to search for model information in the model resource library and deploy the corresponding model through a visual interface according to service requirements. The system automatically recommends the node port numbers of the model container according to the available node port numbers (nodePort), the used node port numbers and the number of required ports, realizing automatic deployment of the container, for which the invention creates the following data structures:
available node port numbers: used to store and update the node port numbers of the K8s cluster that can provide services externally;
used node port numbers: used to store and update the node port numbers already used in the K8s cluster.
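The recommendation step described above, sketched as an added example (not code from the patent): the class and method names are hypothetical, the 30000-32767 bounds are the Kubernetes default NodePort range, and `reconcile` is an addition that resynchronises the used set with the ports observed on the cluster.

```python
NODEPORT_MIN, NODEPORT_MAX = 30000, 32767  # Kubernetes default NodePort range


class NodePortError(Exception):
    """Raised when a recommendation or reservation cannot be satisfied."""


class NodePortPool:
    """Holds the two structures the description names: available and used node ports."""

    def __init__(self, available, used=()):
        self.available = set(available)
        self.used = set(used)
        bad = sorted(p for p in self.available | self.used
                     if not NODEPORT_MIN <= p <= NODEPORT_MAX)
        if bad:
            raise NodePortError(f"ports outside NodePort range: {bad}")

    def recommend(self, required):
        """Return the `required` lowest free ports without reserving them."""
        if required < 1:
            raise NodePortError("required port count must be at least 1")
        free = sorted(self.available - self.used)
        if len(free) < required:
            # Fail closed: never hand out a partial set for a multi-port container.
            raise NodePortError(f"need {required} ports, only {len(free)} free")
        return free[:required]

    def reserve(self, ports):
        """Mark ports as used, all or nothing, so a rejected request changes no state."""
        ports = set(ports)
        if ports - self.available:
            raise NodePortError(f"not in the available list: {sorted(ports - self.available)}")
        if ports & self.used:
            raise NodePortError(f"already in use: {sorted(ports & self.used)}")
        self.used |= ports

    def release(self, ports):
        """Return ports to the free set when a model container is removed."""
        self.used -= set(ports)

    def reconcile(self, observed):
        """Replace the used set with ports observed on the cluster; report the drift."""
        observed = set(observed)
        stale = self.used - observed       # recorded as used, no longer on the cluster
        untracked = observed - self.used   # on the cluster, never recorded here
        self.used = observed
        return sorted(stale), sorted(untracked)


def demo():
    # Constructed sample state: ten exposable ports, two already taken.
    pool = NodePortPool(range(30080, 30090), used={30080, 30082})
    picked = pool.recommend(3)
    pool.reserve(picked)
    return picked, pool.recommend(1)


if __name__ == "__main__":
    print(demo())
```

Keeping the available list explicit means a model container is only ever exposed on a port the model manager has approved for external service.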
The model using module accesses the deployed model instance in the K8s cluster through the Gateway, and the model decrypting algorithm in the Gateway automatically decrypts the output result of the model and sends the result to a user of the model.
Fig. 2 is a schematic diagram of the model encryption algorithm of the present invention. The model development module adopts the SM2 and SM4 hybrid encryption method: it encrypts the model output result with the symmetric SM4 algorithm to obtain an encrypted output result, encrypts the SM4 key with the asymmetric SM2 algorithm to obtain an encrypted key string, and encapsulates and outputs the SM4-encrypted output result together with the SM2-encrypted key string. The model encryption method provided by the present invention includes the following steps:
(1) The model management module initializes an SM2 key pair, a private key is stored in a Gateway, and a public key is issued to the model development module;
(2) The model development module uses an SM4 algorithm to initialize to obtain an SM4 key, and encrypts an output result by using the SM4 key to obtain an encrypted output result;
(3) The model development module obtains an SM2 public key, encrypts an SM4 key by using the SM2 public key, and obtains an encrypted SM4 key block;
(4) The model development module encapsulates the SM4 key block and the encryption output result into an encryption data block, and outputs the encryption data block as a result of the model.
Fig. 3 is a schematic diagram of a model output decryption algorithm in the present invention, and the model decryption method proposed in the present invention includes the following steps:
(1) The model use module requests the model service interface through Gateway service, in the invention, the following data structure is created:
routing information: the routing information for saving the model includes information such as access prefix, routing ID, routing name, forwarding URL, and the like.
(2) After intercepting the request, the Gateway forwards the request to a corresponding model service;
(3) The model prototype executes according to the parameters input by the user and produces output; after the model's global output interception service intercepts the output interface, it encrypts the output result that requires encryption and outputs it to the Gateway;
(4) The Gateway receives the encrypted data block, and obtains an SM4 key block and an encrypted output result through analysis;
(5) The Gateway acquires an SM2 private key from the model resource management platform, and decrypts the SM4 key block by using the SM2 private key to obtain an SM4 key;
(6) And the Gateway decrypts the output result by using the obtained SM4 key to obtain a decrypted model output result, and sends the decrypted model output result to the model using module.
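The encapsulation in encryption step (4) and the Gateway's parsing in decryption step (4), as an added example that is not taken from the patent, which does not define the layout of the encrypted data block. The `MEB1` header, the field order, the CBC-style 16-byte IV and the size cap are assumptions; the key block is assumed to be a raw SM2 ciphertext C1||C3||C2 wrapping a 16-byte SM4 key, which is 65 + 32 + 16 = 113 bytes.

```python
import struct

MAGIC = b"MEB1"                  # hypothetical tag identifying this example's layout
SM4_BLOCK = 16                   # SM4 uses 128-bit blocks and 128-bit keys
SM2_KEY_BLOCK = 65 + 32 + SM4_BLOCK   # C1 (04||x||y) + C3 (SM3 digest) + C2 (wrapped key)
MAX_OUTPUT = 16 * 1024 * 1024    # assumed upper bound for one encrypted model output
HEADER = struct.Struct(">4sHI")  # magic, key-block length, ciphertext length


class EnvelopeError(ValueError):
    """The encrypted data block is malformed and must not reach the decryptors."""


def _check_fields(key_block, iv, ciphertext):
    if len(key_block) != SM2_KEY_BLOCK or key_block[0] != 0x04:
        raise EnvelopeError("key block is not a 113-byte uncompressed SM2 ciphertext")
    if len(iv) != SM4_BLOCK:
        raise EnvelopeError("IV must be one SM4 block")
    if not ciphertext or len(ciphertext) % SM4_BLOCK or len(ciphertext) > MAX_OUTPUT:
        raise EnvelopeError("ciphertext must be 1..MAX_OUTPUT bytes in whole SM4 blocks")


def pack_block(key_block, iv, ciphertext):
    """Model side, step (4): encapsulate the SM4 key block and the encrypted output."""
    _check_fields(key_block, iv, ciphertext)
    return HEADER.pack(MAGIC, len(key_block), len(ciphertext)) + key_block + iv + ciphertext


def parse_block(blob):
    """Gateway side, step (4): split a block into (key_block, iv, ciphertext)."""
    if len(blob) < HEADER.size:
        raise EnvelopeError("shorter than the header")
    magic, key_len, ct_len = HEADER.unpack_from(blob)
    if magic != MAGIC:
        raise EnvelopeError("unknown block type")
    # Validate the declared lengths before slicing, then require an exact total so
    # that truncated blocks and blocks with trailing bytes are both rejected.
    if key_len != SM2_KEY_BLOCK or ct_len > MAX_OUTPUT:
        raise EnvelopeError("declared lengths out of bounds")
    if len(blob) != HEADER.size + key_len + SM4_BLOCK + ct_len:
        raise EnvelopeError("length fields do not match the block size")
    body = memoryview(blob)[HEADER.size:]
    key_block = bytes(body[:key_len])
    iv = bytes(body[key_len:key_len + SM4_BLOCK])
    ciphertext = bytes(body[key_len + SM4_BLOCK:])
    _check_fields(key_block, iv, ciphertext)
    return key_block, iv, ciphertext


def is_well_formed(blob):
    """True when the Gateway may pass the block on to SM2/SM4 decryption."""
    try:
        parse_block(blob)
    except EnvelopeError:
        return False
    return True


def sample_block():
    # Constructed sample: opaque stand-ins for real SM2/SM4 output, correct sizes only.
    key_block = b"\x04" + bytes(range(112))
    return key_block, bytes(16), bytes(48)


if __name__ == "__main__":
    fields = sample_block()
    blob = pack_block(*fields)
    print(parse_block(blob) == fields, is_well_formed(blob[:-1]))
```

These structural checks only keep malformed input away from the SM2 and SM4 decryptors; the layout carries no integrity tag over the SM4 ciphertext because the description specifies encryption only.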
The foregoing is merely a preferred embodiment of the present invention, and it should be noted that modifications and variations could be made by those skilled in the art without departing from the technical principles of the present invention, and such modifications and variations should also be regarded as being within the scope of the invention.

Claims (10)

1. A model container encryption and deployment system, comprising a model development module and a model management module, wherein the model development module is configured to:
encrypting the output result of the model by using an SM2 and SM4 mixed encryption method, and compiling the output result into an executable file according to the used programming language;
converting the model into Web service capable of being called remotely by adopting different frameworks according to the programming language of the model, and packaging the model and the dependent files of the model into a container;
writing the configuration file required for deploying the model container, the configuration file comprising information such as the model name, image pull policy, container port number, run command, environment variables, number of container replicas, hardware resources required to run the container, and data volumes, so that the container management module can automatically deploy the model container from the configuration file; meanwhile, the model developer needs to provide the model's design documents, usage instructions and test document files to the model management module;
providing the hardware resources to a model management module through a visual interface, and storing the hardware resources in a model resource management platform; the information of the model development module comprises the information of the name, address, contact telephone and development business of the model development module;
the model management module is used for searching model information in a model resource library, deploying a corresponding model through a visual interface according to service requirements, and automatically recommending the node port number of a model container according to the available node port number, the used node port number and the required port number to realize automatic deployment of the container; the model information comprises the information of the name, the function, the programming language, the version number, the configuration file address, the mirror name and the mirror address of the model.
2. The system of claim 1, wherein the available node port numbers comprise stored and updated node port numbers of the K8s cluster that can provide services externally.
3. The system of claim 1, wherein the used node port number comprises a node port number already used in a stored and updated K8s cluster.
4. The system of claim 1, further comprising a model usage module, a Gateway, for accessing model instances already deployed in the K8s cluster through the Gateway, a model decryption algorithm in the Gateway automatically decrypts and sends model output results to the model usage module.
5. The system of claim 1, wherein in the SM2 and SM4 hybrid encryption method employed by the model development module, the output result of the model is encrypted using a symmetric encryption SM4 algorithm to obtain an encrypted output result, the SM4 key is encrypted using an asymmetric encryption SM2 algorithm to obtain an encrypted key string, and the output result encrypted by SM4 and the key string encrypted by SM2 are packaged and output to provide data for compilation.
6. The system of claim 1, wherein the model development module employs a SM2 and SM4 hybrid encryption method specifically comprising:
(1) The model management module initializes an SM2 key pair, a private key is stored in a Gateway, and a public key is issued to the model development module;
(2) The model development module uses an SM4 algorithm to initialize to obtain an SM4 key, and encrypts an output result by using the SM4 key to obtain an encrypted output result;
(3) The model development module obtains an SM2 public key, encrypts an SM4 key by using the SM2 public key, and obtains an encrypted SM4 key block;
(4) The model development module encapsulates the SM4 key block and the encrypted output result into an encrypted data block, and outputs the encrypted data block as a result of the model to provide data for compiling.
7. The system of claim 4, wherein the Gateway performs model decryption:
(1) The model use module requests a model service interface through Gateway service;
(2) After intercepting the request, the Gateway forwards the request to a corresponding model service;
(3) The model prototype executes according to the parameters input by the user and produces output; after the model's global output interception service intercepts the output interface, it encrypts the output result that requires encryption and outputs it to the Gateway;
(4) The Gateway receives the encrypted data block, and obtains an SM4 key block and an encrypted output result through analysis;
(5) The Gateway acquires an SM2 private key from the model resource management platform, and decrypts the SM4 key block by using the SM2 private key to obtain an SM4 key;
(6) And the Gateway decrypts the output result by using the obtained SM4 key to obtain a decrypted model output result, and sends the decrypted model output result to a user of the model.
8. The system of claim 1, the model usage module further creates a data structure for holding model routing information.
9. The system of claim 8, wherein the routing information includes an access prefix, a routing ID, a routing name, forwarding URL information.
10. Use of a system according to any one of claims 1 to 9 in the field of computer application technology.
CN202111624762.5A 2021-12-28 2021-12-28 Model container encryption and deployment system Active CN114282250B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111624762.5A CN114282250B (en) 2021-12-28 2021-12-28 Model container encryption and deployment system

Publications (2)

Publication Number Publication Date
CN114282250A (en) 2022-04-05
CN114282250B (en) 2024-04-09

Family

ID=80877573

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111624762.5A Active CN114282250B (en) 2021-12-28 2021-12-28 Model container encryption and deployment system

Country Status (1)

Country Link
CN (1) CN114282250B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20020079349A (en) * 2001-04-09 2002-10-19 피닉스 테크놀로지 리미티드 Systems and methods for computer device authentication
WO2019199813A2 (en) * 2018-04-09 2019-10-17 Daniel Maurice Lerner Managed high integrity blockchain and blockchain communications that utilize containers

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040255137A1 (en) * 2003-01-09 2004-12-16 Shuqian Ying Defending the name space
US10263966B2 (en) * 2016-04-14 2019-04-16 Sophos Limited Perimeter enforcement of encryption rules
US10791097B2 (en) * 2016-04-14 2020-09-29 Sophos Limited Portable encryption format
US11645632B2 (en) * 2020-05-26 2023-05-09 Derek Norman La Salle System and method for a decentralized portable information container supporting privacy protected digital information credentialing, remote administration, local validation, access control and remote instruction signaling utilizing blockchain distributed ledger and container wallet technologies

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research on container-oriented cluster resource management ***; 李英华; 无线互联科技; 20170410(07); full text *

Also Published As

Publication number Publication date
CN114282250A (en) 2022-04-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant