TWI759863B - Method for executing docker images under protection - Google Patents

Method for executing docker images under protection Download PDF

Info

Publication number
TWI759863B
TWI759863B TW109131744A TW109131744A TWI759863B TW I759863 B TWI759863 B TW I759863B TW 109131744 A TW109131744 A TW 109131744A TW 109131744 A TW109131744 A TW 109131744A TW I759863 B TWI759863 B TW I759863B
Authority
TW
Taiwan
Prior art keywords
image file
docker
file
field
docker image
Prior art date
Application number
TW109131744A
Other languages
Chinese (zh)
Other versions
TW202213143A (en
Inventor
陳奕仲
Original Assignee
新漢股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 新漢股份有限公司 filed Critical 新漢股份有限公司
Priority to TW109131744A priority Critical patent/TWI759863B/en
Application granted granted Critical
Publication of TW202213143A publication Critical patent/TW202213143A/en
Publication of TWI759863B publication Critical patent/TWI759863B/en

Links

Images

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Storage Device Security (AREA)

Abstract

A method for executing Docker images used by a modified Docker server and a Docker image having extended fields is disclosed and includes following steps: receiving a Docker container establishing command by the Docker server and obtaining a Docker image corresponding to the command; reading a protection column within the extended fields of the Docker image; determining whether the Docker image is an image under protection according to the content of the protection column; obtaining an actual environment requirement if the Docker image is determined under protection, and replacing the content of an environment column within an original fields of the Docker image with the obtained actual environment requirement; and, executing the Docker image based on the original column with the replaced environment column.

Description

Docker映像檔的保護執行方法Docker image file protection execution method

本發明涉及一種Docker映像檔的執行方法,尤其涉及一種可以保護Docker映像檔不被任意複製的執行方法。The invention relates to an execution method of a Docker image file, in particular to an execution method that can protect the Docker image file from being arbitrarily copied.

Docker是由Docker, Inc.公司所開發的一套開放原始碼軟體,其可用以製作Docker映像檔(Docker image),其中Docker映像檔內包含了在一台主機上執行程式所需的所有資源以及相關資料。Docker is a set of open source software developed by Docker, Inc., which can be used to create a Docker image file (Docker image), which contains all the resources required to execute a program on a host and Relevant information.

一般來說,程式開發者可以依據客戶需求製作一份Docker映像檔,並且將Docker映像檔佈署至客戶的主機中。當客戶藉由主機上運行的Docker守護行程(Docker daemon,為一種軟體伺服器)執行了Docker映像檔後,即可基於Docker映像檔的內容建立對應的Docker容器(Docker container),並且通過Docker容器來實現客戶需求。Generally speaking, program developers can create a Docker image file according to customer needs, and deploy the Docker image file to the customer's host. After the customer executes the Docker image file through the Docker daemon (a software server) running on the host, a corresponding Docker container can be created based on the content of the Docker image file, and the Docker container to achieve customer needs.

Docker是一種類似虛擬機器(Virtual Machine, VM)的應用軟體,但Docker可以讓所建立的各個容器彼此之間隔離而不互相影響,但又可以共用主機中的同一個基礎作業系統(Operation System)的服務。由於容器用只需要運用到很少量的資源,並且容易佈署又可快速啟動,因此相當受到程式開發者的喜愛。Docker is an application software similar to a virtual machine (VM), but Docker can isolate the established containers from each other without affecting each other, but can share the same basic operating system (Operation System) in the host. service. Because containers only need to use a small amount of resources, and are easy to deploy and quick to start, they are quite popular with program developers.

如上所述,Docker的主要目的之一就是要便於佈署,然而,當程式開發者提供一個Docker映像檔給客戶端下載使用後,客戶就可以輕易地在複數主機上任意複製、執行此份Docker映像檔。如此一來,將無法對程式開發者盡到有效的保護。As mentioned above, one of the main purposes of Docker is to facilitate deployment. However, after the developer provides a Docker image file for the client to download and use, the client can easily copy and execute this Docker image on multiple hosts. image file. As a result, it will not be able to achieve effective protection for program developers.

再者,部分硬體廠商為了令所生產的機器可以符合客戶的需求,常常會在生產時預先在機器中佈署自己開發的Docker映像檔。然而,當客戶購買了一台機器後,即可由機器中抽取出Docker映像檔,並且無限制地將此Docker映像檔佈署到從第三方取得的機器上使用,進而嚴重影響到硬體廠商的利益。Furthermore, in order to make the machines produced by some hardware manufacturers meet the needs of customers, they often deploy their own Docker image files in the machines in advance during production. However, when a customer purchases a machine, the Docker image file can be extracted from the machine, and the Docker image file can be deployed to the machine obtained from a third party without restrictions, which will seriously affect the hardware manufacturer's performance. Benefit.

本發明的主要目的,在於提供一種Docker映像檔的保護執行方法,係可避免Docker映像檔被任意地佈署到未經授權的主機上使用。The main purpose of the present invention is to provide a protection execution method for a Docker image file, which can prevent the Docker image file from being arbitrarily deployed to an unauthorized host for use.

為了達成上述的目的,本發明的Docker映像檔的保護執行方法主要是應用於改良後的一Docker伺服器及具有一擴展欄位的一映像檔,包括:由該伺服器接收一容器建立指令並取得對應的該映像檔;讀取該映像檔的該擴展欄位中的一保護欄位;基於該保護欄位的內容判斷該映像檔是否為受保護映像檔;於判斷該映像檔為受保護映像檔時,取得映像檔的真實環境需求以取代該映像檔的一原始欄位中的一環境欄位的內容;及,基於該原始欄位的內容執行該映像檔。In order to achieve the above-mentioned purpose, the protection execution method of the Docker image file of the present invention is mainly applied to an improved Docker server and an image file with an extension field, including: receiving a container creation instruction by the server and Obtain the corresponding image file; read a protection field in the extension field of the image file; determine whether the image file is a protected image file based on the content of the protection field; determine whether the image file is protected When mapping the file, the actual environment requirements of the image file are obtained to replace the content of an environment field in an original field of the image file; and the image file is executed based on the content of the original field.

本發明在建立Docker映像檔時,藉由修改Docker映像檔的資料結構而增加了擴展欄位,並於Docker映像檔的原始欄位中寫入錯誤的環境需求,並於執行Docker映像檔前再由改良後的Docker伺服器來取得映像檔的真實環境需求並取代原始欄位中記載的環境需求,藉此可有效避免Docker映像檔被任意地佈署至未授權的主機上使用。In the present invention, when the Docker image file is created, the expansion field is added by modifying the data structure of the Docker image file, and wrong environment requirements are written in the original field of the Docker image file, and the Docker image file is executed before executing the Docker image file. The improved Docker server obtains the real environment requirements of the image file and replaces the environment requirements recorded in the original field, thereby effectively preventing the Docker image file from being arbitrarily deployed to unauthorized hosts for use.

另,本發明係運用於改良後的Docker伺服器,其中Docker伺服器只有在判斷目前取得的Docker映像檔為擴展映像檔時才會讀取所述擴展欄位,而在判斷目前取得的Docker映像檔為通用映像檔時,將會依據正常程序來執行Docker映像檔。藉此,本發明中的Docker伺服器不但可以執行特殊的擴展映像檔,亦可以執行一般的通用映像檔,而可兼具保護性以及實用性。In addition, the present invention is applied to an improved Docker server, wherein the Docker server reads the extension field only when it determines that the currently acquired Docker image file is an extended image file, and the Docker server determines that the currently acquired Docker image file is an extended image file. When the file is a generic image file, the Docker image file will be executed according to the normal procedure. Thereby, the Docker server in the present invention can execute not only a special extended image file, but also a general general image file, which has both protection and practicability.

茲就本發明之一較佳實施例,配合圖式,詳細說明如後。Hereinafter, a preferred embodiment of the present invention will be described in detail in conjunction with the drawings.

本發明揭露了一種Docker映像檔的保護執行方法(下面將於說明書中簡稱為執行方法),所述執行方法主要應用於一種改良後的Docker守護行程(Docker daemon s,下面於說明書中稱為Docker伺服器),令Docker伺服器可以正確執行一個受到保護的Docker映像檔(Docker image,下面將於說明書中簡稱為擴展映像檔),以基於Docker映像檔來建立對應的Docker容器(Docker container,下面將於說明書中簡稱為容器)。 The invention discloses a protection execution method of a Docker image file (hereinafter referred to as an execution method in the specification), and the execution method is mainly applied to an improved Docker daemon process (Docker daemon). s, hereinafter referred to as the Docker server in the manual), so that the Docker server can correctly execute a protected Docker image file (Docker image, hereinafter referred to as the extended image file in the manual), to build based on the Docker image file Corresponding Docker container (Docker container, hereinafter referred to as container in the specification).

具體地,所述擴展映像檔,指的是一種資料結構遭到特殊修改的映像檔。除了一般的通用映像檔(即,資料結構未經修改的標準映像檔)所具備的多個原始欄位之外,本發明中的擴展映像檔還進一步包括了一或多個擴展欄位。本發明的其中一個技術特徵在於,程式開發者在製作擴展映像檔時,可以將部分正確資料記錄在擴展欄位中,並且在原始欄位中故意記錄錯誤資料。Specifically, the extended image file refers to an image file whose data structure is specially modified. In addition to the multiple original fields of the general general image file (ie, the standard image file whose data structure has not been modified), the extended image file in the present invention further includes one or more extended fields. One of the technical features of the present invention is that when creating an extended image file, the program developer can record part of the correct data in the extended field and intentionally record the wrong data in the original field.

當擴展映像檔被任意地佈署至其他主機中時,其他主機上安裝的Docker伺服器可能是未經擴展映像檔的提供者所特殊設定、改良的標準Docker伺服器。由於標準的Docker伺服器不知道擴展映像檔的原始欄位中記錄的是錯誤資料,因此將無法正確解讀此擴展映像檔,而無法正常建立容器,進而可以有效達到對擴展映像檔的保護。When the extension image is arbitrarily deployed to other hosts, the Docker server installed on the other host may be a standard Docker server specially configured and modified by the provider of the unextension image. Since the standard Docker server does not know that the original field of the extended image file contains incorrect data, it cannot correctly interpret the extended image file, and cannot create a container normally, thus effectively protecting the extended image file.

首請參閱圖1,為本發明的Docker系統的示意圖的第一具體實施例。如圖1所示,一台主機1可以基於其作業系統11的資源來安裝一套Docker系統,所述Docker系統主要包括Docker用戶端21、Docker伺服器22,以及令Docker用戶端21與Docker伺服器22進行溝通的表現層狀態轉換應用程式介面(Representational State Transfer Application Programming Interface, RESTful API)。於一實施例中,所述主機1可例如為個人電腦、筆記型電腦、伺服器、平板電腦等,所述作業系統11可例如為Windows、Linux或macOS等,但不加以限定。First, please refer to FIG. 1 , which is a first specific embodiment of a schematic diagram of a Docker system of the present invention. As shown in FIG. 1 , a host 1 can install a set of Docker system based on the resources of its operating system 11, and the Docker system mainly includes a Docker client 21, a Docker server 22, and a Docker client 21 and a Docker server. The Representational State Transfer Application Programming Interface (RESTful API) with which the server 22 communicates. In one embodiment, the host 1 may be, for example, a personal computer, a notebook computer, a server, a tablet computer, etc., and the operating system 11 may be, for example, Windows, Linux, or macOS, but not limited thereto.

值得一提的是,所述Docker系統為一套開放原始碼的軟體平台,換句話說,所述Docker用戶端21與Docker伺服器22係分別為安裝在主機11中的軟體用戶端以及軟體伺服器,而非獨立存在之硬體。It is worth mentioning that the Docker system is an open source software platform. In other words, the Docker client 21 and the Docker server 22 are respectively the software client and the software server installed in the host 11. devices, rather than independent hardware.

本發明中,所述Docker伺服器22為改良後的Docker伺服器,Docker伺服器22除了可以執行通用映像檔30以基於通用映像檔30的資料來建立對應的容器40之外,亦可執行本發明的擴展映像檔3,並且基於擴展映像檔3的資料來建立對應的容器4。In the present invention, the Docker server 22 is an improved Docker server. In addition to executing the general image file 30 to create the corresponding container 40 based on the data of the general image file 30, the Docker server 22 can also execute this The extended image file 3 of the invention is created, and a corresponding container 4 is created based on the data of the extended image file 3 .

於一實施例中,所述擴展映像檔3係可由使用者自行佈署至主機1。於另一實施例中,程式開發者在製作了擴展映像檔3後,可將擴展映像檔3上傳並儲存於註冊中心5。使用者可控制主機1通過網際網路連接註冊中心5,並於註冊中心5下載擴展映像檔3並佈署至主機1中,且經由註冊後取得授權。其中,上傳的位置與註冊的位置可以是不同的,例如程式開發者可以將製作完成的擴展映像檔3上載至公開的Docker Hub中儲存,而使用者可以向程式開發者所管理的機器進行註冊。惟,上述的上載動作、註冊動作及Docker Hub都是本技術領域中的常用技術手段,於此不再贅述。In one embodiment, the extension image file 3 can be deployed to the host 1 by the user. In another embodiment, after creating the extension image file 3 , the program developer can upload and store the extension image file 3 in the registration center 5 . The user can control the host 1 to connect to the registration center 5 through the Internet, download the extended image file 3 in the registration center 5 and deploy it to the host 1, and obtain authorization after registration. The upload location and the registration location can be different. For example, the program developer can upload the completed extension image file 3 to the public Docker Hub for storage, and the user can register with the machine managed by the program developer. . However, the above uploading action, registration action and Docker Hub are all common technical means in the technical field, and will not be repeated here.

值得一提的是,若主機1中安裝的Docker伺服器並非是採用本發明的執行方法的Docker伺服器22,則所述Docker伺服器將無法正確執行本發明中的擴展映像檔3(容後詳述)。It is worth mentioning that, if the Docker server installed in the host 1 is not the Docker server 22 that adopts the execution method of the present invention, the Docker server will not be able to correctly execute the extended image file 3 in the present invention (after the content). details).

參閱圖2,為本發明的映像檔的資料結構的第一具體實施例。本發明中的擴展映像檔3除了具有通用映像檔(即,資料結構未經任何擴展的標準映像檔)所具備的多原始欄位31之外,同時還經過修改而於資料結構中增加了一或多個擴展欄位32。如圖2所示,所述原始欄位31至少包含了環境欄位311與資料欄位312,而於圖2的實施例中,所述擴展欄位32可以包含保護欄位321及真實環境欄位322。Referring to FIG. 2, it is a first specific embodiment of the data structure of the image file of the present invention. The extended image file 3 in the present invention not only has the multi-original fields 31 of the general image file (that is, the standard image file whose data structure is not extended in any way), but also has been modified to add a new field to the data structure. or more expansion fields 32. As shown in FIG. 2 , the original field 31 includes at least an environment field 311 and a data field 312 , and in the embodiment of FIG. 2 , the extended field 32 may include a protection field 321 and a real environment field bit 322.

本實施例中,所述保護欄位321記錄擴展映像檔3是否為受保護映像檔,即,保護欄位321的內容用來指出此擴展映像檔3是否只有使用改良後的Docker伺服器22才能夠執行。所述真實環境欄位322與環境欄位311記錄擴展映像檔3可支援的作業系統,即,真實環境欄位322/環境欄位311的內容用來指出主機1要使用哪套作業系統才能夠執行此擴展映像檔3。In this embodiment, the protection field 321 records whether the extended image file 3 is a protected image file, that is, the content of the protection field 321 is used to indicate whether the extended image file 3 is only available by using the improved Docker server 22 able to execute. The real environment field 322 and the environment field 311 record the operating systems supported by the extended image file 3, that is, the content of the real environment field 322/environment field 311 is used to indicate which operating system the host 1 needs to use to be able to Execute this extension image 3.

於一實施例中,若擴展映像檔3不是受保護映像檔,則由環境欄位311來記錄擴展映像檔3真正可支援的作業系統,而真實環境欄位322的內容可為空白;於另一實施例中,若擴展映像檔3為受保護映像檔,則由真實環境欄位322來記錄擴展映像檔3真正可支援的作業系統,而環境欄位311則記錄錯誤的資訊。In one embodiment, if the extended image file 3 is not a protected image file, the operating system that the extended image file 3 can actually support is recorded by the environment field 311, and the content of the real environment field 322 can be blank; in another In one embodiment, if the extended image file 3 is a protected image file, the real environment field 322 records the actual supported operating system of the extended image file 3, and the environment field 311 records wrong information.

於又一實施例中,擴展欄位32中可以不必包括所述真實環境欄位322。於此情況下,若擴展映像檔3不是受保護映像檔,則環境欄位311直接記錄擴展映像檔3真正可支援的作業系統;若擴展映像檔3為受保護映像檔,則環境欄位311中記錄錯誤的環境需求(即,錯誤的可支援作業系統,例如”HyperX”、”HyperM”等),並且於程式執行時再依據環境欄位311的內容查詢一組預設的對照表,以藉由錯誤的環境需求來獲得擴展映像檔3真正可支援的作業系統。惟,上述皆僅為本發明的部分實施範例,但並不以上述者為限。In yet another embodiment, the real environment field 322 may not necessarily be included in the extension field 32 . In this case, if the extended image file 3 is not a protected image file, the environment field 311 directly records the operating system that the extended image file 3 can actually support; if the extended image file 3 is a protected image file, the environment field 311 Incorrect environment requirements (ie, incorrect supported operating systems, such as "HyperX", "HyperM", etc.) are recorded in the program, and a set of default comparison tables are queried according to the content of the environment field 311 when the program is executed, to A truly supportable operating system for the extended image file 3 is obtained by erroneous environment requirements. However, the above are only some embodiments of the present invention, but are not limited to the above.

藉由上述手段,可以防止受到保護的擴展映像檔3被未經擴展映像檔3的提供者所授權的Docker伺服器所執行(所述未經授權的Docker伺服器不會知道環境欄位311中記錄的為錯誤資訊,並且也不會知道真實環境欄位322/對照表的存在)。By the above means, the protected extension image file 3 can be prevented from being executed by a Docker server not authorized by the provider of the extension image file 3 (the unauthorized Docker server will not know the environment field 311). Wrong information is recorded, and the existence of the real environment field 322/correspondence table will not be known).

本實施例中,所述資料欄位312記錄擴展映像檔3的具體資料,Docker伺服器22可基於資料欄位312中的資料來執行擴展映像檔3,進而建立對應的容器4。Docker伺服器如何基於資料欄位312的內容來建立容器4,屬於本技術領域中的通常知識,於此不再贅述。In this embodiment, the data field 312 records the specific data of the extended image file 3 , and the Docker server 22 can execute the extended image file 3 based on the data in the data field 312 , and then create the corresponding container 4 . How the Docker server creates the container 4 based on the content of the data field 312 belongs to the common knowledge in the technical field, and will not be repeated here.

請同時參閱圖3,為本發明的映像檔執行流程圖的第一具體實施例。首先,當Docker伺服器22要建立一個容器4時,主要需先接收一組容器建立指令(步驟S10),並且取得對應的Docker映像檔(步驟S12)。於一實施例中,Docker伺服器22主要是經由所述RESTful API接收使用者藉由Docker客戶端21所發出的容器建立指令,所述容器建立指令可例如為“docker run”。然而,上述僅為本發明的其中一種實施方式,任何能夠觸發Docker伺服器22去尋找並執行Docker映像檔以建立容器4的指令或命令,皆屬於本發明之保護範疇,而不以上述者為限。Please also refer to FIG. 3 , which is a first specific embodiment of an image file execution flowchart of the present invention. First, when the Docker server 22 wants to create a container 4, it mainly needs to receive a set of container creation instructions (step S10), and obtain a corresponding Docker image file (step S12). In one embodiment, the Docker server 22 mainly receives a container creation command sent by the user through the Docker client 21 via the RESTful API, and the container creation command may be, for example, "docker run". However, the above is only one embodiment of the present invention, any instruction or command that can trigger the Docker server 22 to find and execute the Docker image file to create the container 4 belongs to the protection scope of the present invention, and the above is not regarded as limit.

步驟S12後,Docker伺服器22判斷所取得的Docker映像檔是否為資料結構經過修改的擴展映像檔3(步驟S14)。於一實施例中,Docker伺服器22在步驟S12中是依據Docker映像檔是否具有所述擴展欄位32及/或擴展欄位32的內容是否表示為受保護狀態,以判斷Docker映像檔是否為擴展映像檔3。若當前取得的Docker映像檔僅為採用標準資料結構的通用映像檔30,而非本發明中具有擴展欄位32的擴展映像檔3,則Docker伺服器22直接依照正常程序來執行此通用映像檔30以建立對應的容器40(步驟S24)。After step S12, the Docker server 22 determines whether the obtained Docker image file is the extended image file 3 whose data structure has been modified (step S14). In one embodiment, in step S12, the Docker server 22 determines whether the Docker image file is in a protected state according to whether the Docker image file has the extension field 32 and/or whether the content of the extension field 32 is in a protected state. Extended image file 3. If the currently obtained Docker image file is only the general image file 30 using the standard data structure, rather than the extended image file 3 with the extension field 32 in the present invention, the Docker server 22 directly executes the general image file according to the normal procedure 30 to create the corresponding container 40 (step S24).

具體地,上述所指的正常程序,主要包括下列步驟:Specifically, the normal procedure referred to above mainly includes the following steps:

步驟一:讀取Docker映像檔中的原始欄位31的環境欄位311,以取得此Docker映像檔可以支援的作業系統;Step 1: Read the environment field 311 of the original field 31 in the Docker image file to obtain the operating system that the Docker image file can support;

步驟二:判斷目前運行此Docker伺服器22的主機1的作業系統11是否符合Docker映像檔的環境欄位311的內容;Step 2: judging whether the operating system 11 of the host 1 currently running the Docker server 22 conforms to the content of the environment field 311 of the Docker image file;

步驟三:於判斷主機1的作業系統11不符合環境欄位311的內容時,不允許執行此Docker映像檔(例如,若主機1的作業系統11為windows,而環境欄位311中記錄“Linux”,則判斷兩者不符合);及Step 3: When it is judged that the operating system 11 of the host 1 does not conform to the content of the environment field 311, the Docker image file is not allowed to be executed (for example, if the operating system 11 of the host 1 is windows, and the environment field 311 records "Linux" ”, then it is judged that the two do not conform); and

步驟四:於判斷主機1的作業系統11符合環境欄位311的內容時,允許基於此Docker映像檔中的原始欄位31的資料欄位312中的資料來執行此Docker映像檔,以建立對應的容器40。Step 4: When judging that the operating system 11 of the host 1 complies with the content of the environment field 311, allow the Docker image file to be executed based on the data in the data field 312 of the original field 31 in the Docker image file to create a corresponding container 40.

具體地說,若當前取得的Docker映像檔僅為通用映像檔30,則因為通用映像檔30不具有擴展欄位32,並且通用映像檔30真正可支援的作業系統被記錄於環境欄位311中,因此Docker伺服器22可以直接依據上述之正常程序來執行此通用映檔30。Specifically, if the currently obtained Docker image file is only the general image file 30, because the general image file 30 does not have the extension field 32, and the operating system that the general image file 30 can really support is recorded in the environment field 311 , so the Docker server 22 can directly execute the general image file 30 according to the above-mentioned normal procedure.

值得一提的是,藉由本發明的上述執行方法,若目前取得的Docker映像檔為通用映像檔30,則無論是未經授權的Docker伺服器或是本發明中改良後的Docker伺服器22,都可以基於原始欄位31的內容來正確執行此Docker映像檔。It is worth mentioning that, with the above-mentioned execution method of the present invention, if the currently obtained Docker image file is the general image file 30, then whether it is an unauthorized Docker server or the improved Docker server 22 in the present invention, Both execute this Docker image correctly based on the contents of the original field 31.

若Docker伺服器22於步驟S14中判斷當前取得的Docker映像檔為資料結構經過修改的擴展映像檔3,則Docker伺服器22先讀取此擴展映像檔3中的擴展欄位32中的保護欄位321(步驟S16),並且基於保護欄位321的內容來判斷此擴展映像檔3是否為受保護映像檔(步驟S18)。若此擴展映像檔3不是受保護映像檔,則Docker伺服器22可直接依照前述之步驟,藉由正常程序來執行此擴展映像檔3以建立對應的容器4(步驟S24)。If the Docker server 22 determines in step S14 that the currently obtained Docker image file is the extended image file 3 whose data structure has been modified, the Docker server 22 first reads the protection field in the extended field 32 in the extended image file 3 bit 321 (step S16 ), and based on the content of the protection field 321 , it is determined whether the extended image file 3 is a protected image file (step S18 ). If the extended image file 3 is not a protected image file, the Docker server 22 can directly follow the aforementioned steps to execute the extended image file 3 through normal procedures to create a corresponding container 4 (step S24 ).

於一實施例中,程式開發者可在所述保護欄位321中寫入的是足供辨識的一個特殊ID。具體地,若擴展映像檔3本身為一個根映像檔(Root Image),則所述特殊ID可例如為”RootExtendedImage”或類似的標示內容;若擴展映像檔3不是根映像檔,則上述特殊ID可為此擴展映像檔3的根映像檔的映像檔ID。值得一提的是,無論是標準的映像檔或是擴展映像檔3,其原始欄位31中原本就具有一個用來記錄自身的映像檔ID的欄位(圖未標示),於此不再贅述。In one embodiment, the program developer can write a special ID sufficient for identification in the protection field 321 . Specifically, if the extended image file 3 itself is a root image file (Root Image), the special ID may be, for example, "RootExtendedImage" or similar marking content; if the extended image file 3 is not a root image file, the above-mentioned special ID The image ID of the root image that can be used for this extension image 3. It is worth mentioning that, whether it is a standard image file or an extended image file 3, the original field 31 originally has a field for recording its own image file ID (not shown in the figure), which is not shown here. Repeat.

於上述步驟S18中,Docker伺服器22是在保護欄位321中記錄有所述特殊ID時,判斷此擴展映像檔3為受保護映像檔,並且,於保護欄位321的內容為空白,即,沒有記錄所述特殊ID時,判斷此擴展映像檔不是受保護映像檔。惟,上述說明僅為本發明的多種具體實施範例之一,但並不以上述判斷方式為限。In the above step S18, when the special ID is recorded in the protection field 321, the Docker server 22 determines that the extended image file 3 is a protected image file, and the content in the protection field 321 is blank, that is, , when the special ID is not recorded, it is determined that the extended image file is not a protected image file. However, the above description is only one of various specific embodiments of the present invention, but is not limited to the above judgment method.

若於步驟S18中判斷此擴展映像檔3為受保護映像檔,代表擴展映像檔3的環境欄位311中被故意寫入了錯誤的資訊。舉例來說,擴展映像檔3真正可支援的作業系統可能是windows,但是程式開發者在製作擴展映像檔3時,故意在環境欄位311中記錄了“macOS”。再例如,程式開發者直接在環境欄位311中記錄如“HyperX”、“HyperM”等虛構的作業系統的名稱。於此情況下,Docker伺服器22需先取得擴展映像檔3真正可支援的作業系統(步驟S20),接著,以所取得的真正可支援的作業系統取代環境欄位311的內容(步驟S22)。最後,再依照前述之步驟,藉由正常程序來執行環境欄位311的內容被取代後的擴展映像檔3(步驟S24)。If it is determined in step S18 that the extended image file 3 is a protected image file, it means that the environment field 311 of the extended image file 3 has intentionally written wrong information. For example, the actual supported operating system of the extended image file 3 may be windows, but the program developer deliberately recorded "macOS" in the environment field 311 when making the extended image file 3. For another example, the program developer directly records the names of fictitious operating systems such as "HyperX" and "HyperM" in the environment field 311 . In this case, the Docker server 22 needs to first obtain a truly supportable operating system of the extended image file 3 (step S20 ), and then replace the content of the environment field 311 with the obtained truly supportable operating system (step S22 ) . Finally, according to the above-mentioned steps, the extended image file 3 in which the content of the environment field 311 is replaced is executed by the normal procedure (step S24 ).

於一實施例中,擴展映像檔3的擴展欄位32包含了真實環境欄位322,並且程式開發者將擴展映像檔3真正可支援的作業系統寫入真實環境欄位322中。於步驟S20中,Docker伺服器22係讀取擴展映像檔3的真實環境欄位322,以取得所述真正可支援的作業系統。In one embodiment, the extension field 32 of the extension image file 3 includes the real environment field 322 , and the program developer writes the actual supportable operating system of the extension image file 3 into the real environment field 322 . In step S20, the Docker server 22 reads the real environment field 322 of the extended image file 3 to obtain the real supportable operating system.

於另一實施例中,擴展映像檔3的擴展欄位32不包括所述真實環境欄位322。程式開發者可於程式中預先建立一組對照表(圖未標示),所述對照表記錄了環境欄位311的內容(即,錯誤的資訊)與所述真正可支援的作業系統的對應關係,例如“HyperX”對應至“macOS”、“HyperM”對應至“Windows”等。於步驟S20中,Docker伺服器22係先讀取環境欄位311,並且以環境欄位311的內容(例如上述的HyperX、HyperM等)查詢所述對照表,藉此獲得擴展映像檔3的真正可支援的作業系統。In another embodiment, the extension field 32 of the extension image file 3 does not include the real environment field 322 . The program developer can pre-create a set of comparison tables (not shown in the figure) in the program, the comparison table records the corresponding relationship between the content of the environment field 311 (that is, the wrong information) and the truly supported operating system For example, "HyperX" corresponds to "macOS", "HyperM" corresponds to "Windows", etc. In step S20, the Docker server 22 first reads the environment field 311, and queries the comparison table with the content of the environment field 311 (for example, the above-mentioned HyperX, HyperM, etc.), thereby obtaining the true value of the extended image file 3. Supported operating systems.

具體地,雖然擴展映像檔3的環境欄位311中被故意寫入了錯誤的資訊,以藉此保護擴展映像檔3無法被未經授權的Docker伺服器所執行,然而藉由上述的步驟S20與步驟S22,本發明中的Docker伺服器22已使用了正確的資訊(即,真實環境欄位322/對照表的內容)來取代錯誤的資訊(即,環境欄位311的內容),因此在執行了步驟S20與步驟S22後,本發明的Docker伺服器22可以在步驟S24中藉由正常程序來執行擴展映像檔3,而不會產生任何錯誤。Specifically, although the environment field 311 of the extension image file 3 is intentionally written with wrong information, so as to protect the extension image file 3 from being executed by an unauthorized Docker server, through the above step S20 In step S22, the Docker server 22 in the present invention has replaced the wrong information (ie, the content of the environment After steps S20 and S22 are performed, the Docker server 22 of the present invention can execute the extended image file 3 in step S24 through normal procedures without generating any errors.

通過上述技術手段,可以有效保護程序開發者所製作的Docker映像檔(即,上述之擴展映像檔3)無法被任意地佈署到其他主機中執行。並且,上述技術手段還可確保本發明的Docker伺服器22可以正確執行資料結構未經修改的通用映像檔30以及資料結構經過特殊修改的擴展映像檔3。Through the above technical means, the Docker image file (ie, the above-mentioned extended image file 3) created by the program developer can be effectively protected from being arbitrarily deployed to other hosts for execution. Moreover, the above technical means can also ensure that the Docker server 22 of the present invention can correctly execute the general image file 30 whose data structure is not modified and the extended image file 3 whose data structure is specially modified.

值得一提的是,基於Docker的特性,即使使用者藉由Docker客戶端21使用諸如docker build、docker commit等指令來將本發明中的擴展映像檔3儲存為新映像檔,擴展映像檔3的資料結構仍然會被繼承到新映像檔。因此,若做為基礎的擴展映像檔3屬於受保護映像檔,則使用者自行產生的新映像檔將同樣無法被未經授權的Docker伺服器22所正確執行。It is worth mentioning that, based on the characteristics of Docker, even if the user uses the Docker client 21 to use commands such as docker build, docker commit, etc. to store the extended image file 3 in the present invention as a new image file, the extended image file 3 The data structure will still be inherited to the new image. Therefore, if the base extension image file 3 is a protected image file, the new image file generated by the user will also not be able to be properly executed by the unauthorized Docker server 22 .

於一實施例中,程式開發者可以在所述擴展映像檔3製作完成後,於遠端的註冊中心5對擴展映像檔3進行註冊,並可將擴展映像檔3上傳至註冊中心5中存放。基於上述註冊動作,本發明進一步避免使用者擅自將擴展映像檔3以及改良後的Docker伺服器22同時佈署至其他未經授權的主機(例如,非向具有權利的硬體廠商所購買的主機),並於未經授權的主機上執行(容後詳述)。In one embodiment, the program developer can register the extended image file 3 in the remote registration center 5 after the extended image file 3 is created, and can upload the extended image file 3 to the registration center 5 for storage. . Based on the above-mentioned registration actions, the present invention further prevents the user from deploying the extended image file 3 and the improved Docker server 22 to other unauthorized hosts (for example, hosts not purchased from authorized hardware manufacturers) without authorization. ), and execute on unauthorized hosts (more on this later).

參閱圖4,為本發明的註冊示意圖的第一具體實施例。如圖4所示,當要對一個擴展映像檔3進行註冊時,主要是由Docker伺服器22取得擴展映像檔3的映像檔ID,並且同時取得可供辨識的硬體資訊13。具體地,所述硬體資訊13指的是經過授權的主機(例如當前執行Docker伺服器22的主機1,或是被允許執行擴展映像檔3的其他主機)的內部硬體的識別碼,例如中央處理器(Central Processing Unit, CPU)的ID、硬碟的序號(Serial Number)或網路卡的媒體存取控制位址(Media Access Control Address, MAC Address)等,但不加以限定。Referring to FIG. 4 , it is the first specific embodiment of the registration schematic diagram of the present invention. As shown in FIG. 4 , when an extension image file 3 is to be registered, the image file ID of the extension image file 3 is mainly obtained by the Docker server 22 , and the identifiable hardware information 13 is obtained at the same time. Specifically, the hardware information 13 refers to the identification code of the internal hardware of an authorized host (such as the host 1 currently executing the Docker server 22, or other hosts allowed to execute the extended image file 3), such as The ID of the central processing unit (Central Processing Unit, CPU), the serial number (Serial Number) of the hard disk, or the media access control address (Media Access Control Address, MAC Address) of the network card, etc., are not limited.

本實施例中,Docker伺服器22主要是將上述映像檔ID與硬體資訊13進行串接(concatenate)以保證資訊的唯一性後,藉由網際網路將此串接資訊連同必要註冊資料一起傳送至註冊中心5中,以進行註冊。In this embodiment, the Docker server 22 mainly concatenates the above-mentioned image file ID and the hardware information 13 to ensure the uniqueness of the information, and then uses the Internet to combine the concatenated information with the necessary registration information. It is sent to the registration center 5 for registration.

於收到註冊中心5的註冊成功訊息後,Docker伺服器22於主機1的檔案系統(File System)12中建立一個註冊檔案121,並將所述必要註冊資料儲存在註冊檔案121中。本實施例中,Docker伺服器22藉由雜湊函數(Hash Function)來計算所述映像檔ID與硬體資訊13的串接資訊,以得到一筆第一雜湊值,並Docker伺服器22會將第一雜湊值做為所述註冊檔案121的檔名。After receiving the registration success message from the registration center 5 , the Docker server 22 creates a registration file 121 in the File System 12 of the host 1 , and stores the necessary registration data in the registration file 121 . In this embodiment, the Docker server 22 calculates the concatenation information of the image file ID and the hardware information 13 by using a hash function, so as to obtain a first hash value, and the Docker server 22 will calculate the first hash value. A hash value is used as the file name of the registration file 121 .

為避免註冊檔案121被使用者竄改,於另一實施例中,Docker伺服器22進一步於檔案系統12中建立一個檢查檔案122,並且藉由雜湊函數來計算註冊檔案121的內容(即,所述必要註冊資料)以得到一筆第二雜湊值,並將第二雜湊值做為所述檢查檔案122的檔名。In order to prevent the registration file 121 from being tampered by the user, in another embodiment, the Docker server 22 further creates a check file 122 in the file system 12, and uses a hash function to calculate the content of the registration file 121 (ie, the necessary registration information) to obtain a second hash value, and use the second hash value as the file name of the check file 122 .

上述註冊檔案121是用來確認一個擴展映像檔3是否有經過註冊,以及是否被允許在目前的主機1上執行。上述檢查檔案122則是用來於註冊檔案121存在時(代表擴展映像檔3有經過註冊),確認擴展映像檔3的必要註冊資料是否經過竄改(容後詳述)。The above-mentioned registration file 121 is used to confirm whether an extension image file 3 has been registered and whether it is allowed to execute on the current host 1 . The above-mentioned check file 122 is used to confirm whether the necessary registration data of the extension image file 3 has been tampered with when the registration file 121 exists (representing that the extension image file 3 has been registered) (details will be described later).

參閱圖5,為本發明的映像檔執行流程圖的第二具體實施例。本實施例中,Docker伺服器22在要執行一個Docker映像檔前,會與圖3所示者近似,先接收一筆容器建立指令(步驟S30),並且取得對應的Docker映像檔(步驟S32)。接著,Docker伺服器22在確認了目前取得的Docker映像檔為擴展映像檔3後,先從擴展映像檔3的保護欄位321中讀取所述特殊ID(步驟S34),並且同時取得目前運行Docker伺服器22的主機1的硬體資訊13(步驟S36)。如前文所述,硬體資訊13可例如為主機1的CPU ID、硬碟的序號或網路卡的MAC地址等,不加以限定。Referring to FIG. 5 , it is a second specific embodiment of the image file execution flowchart of the present invention. In this embodiment, before executing a Docker image file, the Docker server 22 receives a container creation instruction (step S30 ), and obtains the corresponding Docker image file (step S32 ), similar to that shown in FIG. 3 . Next, after confirming that the currently obtained Docker image file is the extended image file 3, the Docker server 22 first reads the special ID from the protection field 321 of the extended image file 3 (step S34), and simultaneously obtains the currently running image file 3. Hardware information 13 of the host 1 of the Docker server 22 (step S36). As mentioned above, the hardware information 13 can be, for example, the CPU ID of the host 1 , the serial number of the hard disk, or the MAC address of the network card, etc., which are not limited.

步驟S36後,Docker伺服器22基於所取得的映像檔ID以及硬體資訊13來產生一筆第一索引資料(步驟S38),並且依據第一索引資料搜尋主機1的檔案系統12(步驟S40),以判斷檔案系統12中是否存在著檔名與第一索引資料相符的註冊檔案121(步驟S42)。After step S36, the Docker server 22 generates a first index data based on the obtained image file ID and the hardware information 13 (step S38), and searches the file system 12 of the host 1 according to the first index data (step S40), To determine whether there is a registration file 121 whose file name matches the first index data in the file system 12 (step S42).

具體地,於上述步驟S38中,Docker伺服器22主要是與註冊時相同,將映像檔ID以及硬體資訊13進行串接,並且藉由雜湊函數計算此串接資訊以產生所述第一索引資料。換句話說,若擴展映像檔3的映像檔ID與用來註冊的擴展映像檔3的映像檔ID相同,且主機1的硬體資訊13也與用來註冊的硬體資訊13相同,則由雜湊函數所產生的第一索引資料將會相同於同一個雜湊函數所產生的註冊檔案121的檔名。Specifically, in the above step S38, the Docker server 22 concatenates the image file ID and the hardware information 13 in the same way as the registration, and calculates the concatenated information by a hash function to generate the first index material. In other words, if the image file ID of the extended image file 3 is the same as the image file ID of the extended image file 3 used for registration, and the hardware information 13 of the host 1 is also the same as the hardware information 13 used for registration, then The first index data generated by the hash function will be the same as the file name of the registration file 121 generated by the same hash function.

如上所述,若於步驟S42中無法找到檔名與第一索引資料相符的註冊檔案121,代表此擴展映像檔3沒有經過註冊,或是目前使用的主機1與註冊時的主機不同。於此情況下,Docker伺服器22將不被允許執行此擴展映像檔3(步驟S44)。As described above, if the registration file 121 whose file name matches the first index data cannot be found in step S42, it means that the extended image file 3 has not been registered, or the host 1 currently used is different from the host at the time of registration. In this case, the Docker server 22 will not be allowed to execute the extended image file 3 (step S44).

通過上述技術手段,可以同時對擴展映像檔3以及改良後的Docker伺服器22達到保護效果。換句話說,即使使用者不法將擴展映像檔3以及改良後的Docker伺服器22皆佈署到未經授權的其他主機上,但因為此主機的硬體資訊與用來註冊的主機1的硬體資訊13不相符,因此雖然這台主機上安裝的是改良後的Docker伺服器22,但是Docker伺服器22仍然無法正確執行擴展映像檔3。Through the above technical means, the extended image file 3 and the improved Docker server 22 can be protected at the same time. In other words, even if the user cannot deploy the extended image file 3 and the modified Docker server 22 to other unauthorized hosts, because the hardware information of this host and the hardware of the host 1 used to register The body information 13 does not match, so although the modified Docker server 22 is installed on this host, the Docker server 22 still cannot execute the extended image file 3 correctly.

若於步驟S42中找到了檔名與第一索引資料相符的註冊檔案121,代表此擴展映像檔3已經經過註冊,並且目前使用的主機1與註冊時使用的主機相同。於此情況下,Docker伺服器22可以藉由圖3所示的步驟S20、步驟S22與步驟S24來執行擴展映像檔3。即,Docker伺服器22先讀取擴展映像檔3的真實環境欄位322/對照表的內容、以真實環境欄位322/對照表的內容取代環境欄位311的內容、接著再依照正常程序,基於原始欄位31的內容執行擴展映像檔3。If the registration file 121 whose file name matches the first index data is found in step S42, it means that the extended image file 3 has been registered, and the host 1 currently used is the same as the host used for registration. In this case, the Docker server 22 can execute the extended image file 3 through steps S20 , S22 and S24 shown in FIG. 3 . That is, the Docker server 22 first reads the content of the real environment field 322/comparison table of the extended image file 3, replaces the content of the environment field 311 with the content of the real environment field 322/comparison table, and then follows the normal procedure, The extended image file 3 is executed based on the content of the original field 31 .

於另一實施例中,若Docker伺服器22在對擴展映像檔3進行註冊後同時建立了所述檢查檔案122,則在步驟S42中找到了檔名與第一索引資料相符的註冊檔案121後,Docker伺服器22可進一步讀取註冊檔案121中記錄的必要註冊資料(步驟S46)。In another embodiment, if the Docker server 22 creates the check file 122 after registering the extended image file 3, then in step S42, the registration file 121 whose file name matches the first index data is found. , the Docker server 22 can further read the necessary registration data recorded in the registration file 121 (step S46 ).

步驟S46後,Docker伺服器22可基於必要註冊資料產生第二索引資料(步驟S48),例如,藉由雜湊函數計算必要註冊資料,以產生所述第二索引資料。並且,Docker伺服器22依據第二索引資料搜尋主機1的檔案系統12(步驟S50),以判斷檔案系統12中是否存在著檔名與第二索引資料相符的所述檢查檔案122(步驟S52)。After step S46, the Docker server 22 may generate the second index data based on the necessary registration data (step S48). For example, the necessary registration data is calculated by a hash function to generate the second index data. In addition, the Docker server 22 searches the file system 12 of the host 1 according to the second index data (step S50 ) to determine whether the check file 122 whose file name matches the second index data exists in the file system 12 (step S52 ) .

如前文所述,檢查檔案122的檔名是基於所述必要註冊資料所產生的,因此若於步驟S52中無法找到檔名與第二索引資料相符的檢查檔案122,代表註冊檔案121中記錄的必要註冊資料已經遭到竄改。於此情況下,Docker伺服器22將不被允許執行此擴展映像檔3(步驟S44)。如此一來,可以對擴展映像檔3盡到更進一步的保護作用。As mentioned above, the file name of the check file 122 is generated based on the necessary registration data. Therefore, if the check file 122 whose file name matches the second index data cannot be found in step S52, it means that the file name of the check file 121 is recorded in the registration file 121. Required registration information has been tampered with. In this case, the Docker server 22 will not be allowed to execute the extended image file 3 (step S44). In this way, the extended image file 3 can be further protected.

本實施例中,若於步驟S52中找到了檔名與第二索引資料相符的檢查檔案122,則Docker伺服器22可進一步藉由圖3所示的步驟S20、步驟S22與步驟S24來執行擴展映像檔3。即,Docker伺服器22先讀取擴展映像檔3的真實環境欄位322/對照表的內容、以真實環境欄位322/對照表的內容取代環境欄位311的內容、接著再依照正常程序,基於原始欄位31的內容執行擴展映像檔3。In this embodiment, if the check file 122 whose file name matches the second index data is found in step S52, the Docker server 22 can further perform the expansion through steps S20, S22 and S24 shown in FIG. 3 . Image file 3. That is, the Docker server 22 first reads the content of the real environment field 322/comparison table of the extended image file 3, replaces the content of the environment field 311 with the content of the real environment field 322/comparison table, and then follows the normal procedure, The extended image file 3 is executed based on the content of the original field 31 .

值得一提的是,當使用者通過Docker用戶端21來使用諸如docker build或docker commit等指令,以將所述擴展映像檔3做為基礎並產生新的子映像檔時,基於Docker的特性,擴展映像檔3記錄於保護欄位321中的特殊ID也將會被繼承到子映像檔中。更甚者,當使用者將子映像檔做為基礎並且進一步產生新的孫映像檔時,所述擴展映像檔3的特殊ID同樣也會被繼承到孫映像檔中。不管做為基礎的擴展映像檔3被繼承了幾代,新產生的映像檔的資料結構中永遠都會留存做為根的擴展映像檔3的所述特殊ID。因此,藉由上述技術手段,可以有效防止擴展映像檔3被不當地複製。並且,藉由上述技術手段,一個新的映像檔內不需要記錄所有袓先的映像檔ID,就可以藉由所繼承的特殊ID來追溯到根映像檔的身份。It is worth mentioning that when the user uses commands such as docker build or docker commit through the Docker client 21 to use the extended image file 3 as a basis and generate a new sub-image file, based on the characteristics of Docker, The special ID recorded in the protection field 321 of the extended image file 3 will also be inherited into the sub-image file. What's more, when the user uses the sub-image as a base and further generates a new grand-image, the special ID of the extended image 3 will also be inherited into the grand-image. No matter how many generations the extended image file 3 as the base is inherited, the special ID of the extended image file 3 as the root will always be kept in the data structure of the newly generated image file. Therefore, by the above technical means, the extension image file 3 can be effectively prevented from being copied improperly. Moreover, with the above technical means, a new image file does not need to record all the previous image file IDs, and the identity of the root image file can be traced back to the inherited special ID.

上述之實施例主要是在無法於主機1的檔案系統15中找到註冊檔案121時,不允許Docker伺服器22執行擴展映像檔3。然而,考量到Docker映像檔的佈署便利性,於部分情況下,程式開發者仍然可以藉由調整擴展映像檔3的資料結構,以在主機1的檔案系統15中不存在對應的註冊檔案121時,例外允許Docker伺服器2執行擴展映像檔3(容後詳述)。The above-mentioned embodiment mainly does not allow the Docker server 22 to execute the extended image file 3 when the registration file 121 cannot be found in the file system 15 of the host 1 . However, considering the convenience of deploying Docker image files, in some cases, the program developer can adjust the data structure of the extended image file 3 so that the corresponding registration file 121 does not exist in the file system 15 of the host 1 , the exception allows Docker server 2 to execute extended image file 3 (more on that later).

請同時參閱圖6及圖7,分別為本發明的映像檔的資料結構的第二具體實施例,以及本發明的映像檔執行流程圖的第三具體實施例。圖6的實施例揭露了具有另一擴展映像檔6。圖6所示的擴展映像檔6的資料結構與圖2所示的擴展映像檔3的資料結構相似,同樣具有的原始欄位61與擴展欄位62。原始欄位61包括了環境欄位611與資料欄位612,並且環境欄位611與資料欄位612係與圖2所示的擴展映像檔3中的環境欄位311與資料欄位312相似,於此不再贅述。Please refer to FIG. 6 and FIG. 7 at the same time, which are respectively the second embodiment of the data structure of the image file of the present invention and the third embodiment of the execution flowchart of the image file of the present invention. The embodiment of FIG. 6 discloses having another extended image file 6 . The data structure of the extended image file 6 shown in FIG. 6 is similar to the data structure of the extended image file 3 shown in FIG. 2 , and has the same original field 61 and extended field 62 . The original field 61 includes an environment field 611 and a data field 612, and the environment field 611 and the data field 612 are similar to the environment field 311 and the data field 312 in the extended image file 3 shown in FIG. 2, It will not be repeated here.

擴展欄位62包括了保護欄位621、真實環境欄位622以及試用期欄位623,其中,保護欄位621與真實環境欄位622係與圖2所示的擴展映像檔3中的保護欄位321與真實環境欄位322相似,於此不再贅述。The extension field 62 includes a protection field 621, a real environment field 622 and a trial period field 623, wherein the protection field 621 and the real environment field 622 are the same as the protection fields in the extension image file 3 shown in FIG. 2 . The bit 321 is similar to the real environment field 322 and will not be repeated here.

擴展映像檔6與前述擴展映像檔3的差異在於,擴展映像檔6中的擴展欄位62進一步包括了所述試用期欄位623,所述試用期欄位623用以記錄擴展映像檔6的試用期限。The difference between the extended image file 6 and the aforementioned extended image file 3 is that the extended field 62 in the extended image file 6 further includes the trial period field 623, and the trial period field 623 is used to record the Trial period.

本實施例中,當Docker伺服器22要執行擴展映像檔6前,係與圖3所示者相同,需先接收一筆容器建立指令(步驟S60),並且取得對應的擴展映像檔6(步驟S62)。In this embodiment, before the Docker server 22 wants to execute the extended image file 6 , it is the same as the one shown in FIG. 3 , it needs to receive a container creation instruction (step S60 ), and obtain the corresponding extended image file 6 (step S62 ) ).

在Docker伺服器22確認了擴展映像檔6為受保護映像檔後,會如同圖5所示的技術方案,基於擴展映像檔6的映像檔ID以及當前運行Docker伺服器22的主機1的硬體資訊13來產生一筆第一索引資料,並且Docker伺服器22會依據第一索引資料搜尋主機1的檔案系統12,以判斷檔案系統12中是否存在檔名與第一索引資料相符的註冊檔案121(步驟S64)。After the Docker server 22 confirms that the extended image file 6 is a protected image file, the technical solution shown in FIG. 5 will be based on the image file ID of the extended image file 6 and the hardware of the host 1 currently running the Docker server 22 information 13 to generate a first index data, and the Docker server 22 searches the file system 12 of the host 1 according to the first index data to determine whether there is a registration file 121 ( step S64).

與圖5所示的技術方案相同,若於步驟S64中找到了檔名與第一索引資料相符的註冊檔案121,則Docker伺服器22進一步依據註冊檔案121的內容產生一筆第二索引資料,並依據第二索引資料搜尋主機1的檔案系統12,以判斷檔案系統12中是否存在檔名與第二索引資料相符的檢查檔案122(步驟S66)。若檔案系統12中不存在檔名與第二索引資料相符的檢查檔案122,則Docker伺服器22同樣不被允許執行此擴展映像檔6(步驟S68)。Similar to the technical solution shown in FIG. 5 , if the registration file 121 whose file name is consistent with the first index data is found in step S64, the Docker server 22 further generates a second index data according to the content of the registration file 121, and The file system 12 of the host computer 1 is searched according to the second index data to determine whether there is a check file 122 whose file name matches the second index data in the file system 12 (step S66 ). If the check file 122 whose file name matches the second index data does not exist in the file system 12, the Docker server 22 is also not allowed to execute the extended image file 6 (step S68).

若於步驟S66中找到了檔名與第二索引資料相符的檢查檔案122,Docker伺服器22即可藉由圖3所示的步驟S20、步驟S22與步驟S24來執行擴展映像檔6。If the check file 122 whose file name matches the second index data is found in step S66 , the Docker server 22 can execute the extended image file 6 through steps S20 , S22 and S24 shown in FIG. 3 .

本實施例中,當Docker伺服器22在步驟S64中判斷檔案系統12中不存在所述註冊檔案121時,將會進一步讀取擴展映像檔6中的試用期欄位623,以取得試用期欄位623中記錄的試用期限(步驟S70)。接著,Docker伺服器22判斷擴展映像檔6的試用期限是否已經過期(步驟S72)。於一實施例中,Docker伺服器22於試用期欄位623的內容為空白,或是試用期欄位623中記錄的日期已經經過時,判斷擴展映像檔6的試用期限是否已經過期,但是並不以此為限。In this embodiment, when the Docker server 22 determines in step S64 that the registration file 121 does not exist in the file system 12, it will further read the trial period field 623 in the extended image file 6 to obtain the trial period field The trial period recorded in bit 623 (step S70). Next, the Docker server 22 determines whether the trial period of the extended image file 6 has expired (step S72). In one embodiment, the Docker server 22 determines whether the trial period of the extended image file 6 has expired when the content of the trial period field 623 is blank, or the date recorded in the trial period field 623 has passed, but not Not limited to this.

於一實施例中,Docker伺服器22是在擴展映像檔6於主機1上第一次被執行時,將目前時間(例如系統時間)視為擴展映像檔6的開始試用時間並且加以記錄。當擴展映像檔6下一次於主機1上被執行卻尚未註冊時,Docker伺服器22便依據所記錄的開始試用時間以及記錄在擴展映像檔6的試用期欄位623中的試用期限,計算擴展映像檔6的試用期限是否過期。惟,上述僅為本發明的其中一種實施範例,但並不以上述方式為限。In one embodiment, the Docker server 22 regards the current time (eg system time) as the trial start time of the extended image file 6 and records it when the extended image file 6 is executed on the host 1 for the first time. When the extension image file 6 is executed on the host 1 next time but has not yet been registered, the Docker server 22 calculates the extension according to the recorded trial start time and the trial period recorded in the trial period field 623 of the extension image file 6 Whether the trial period of image file 6 has expired. However, the above is only one of the embodiments of the present invention, but is not limited to the above method.

若於步驟S72中判斷擴展映像檔6的試用期限已經過期,則Docker伺服器22不被允許執行此擴展映像檔6(步驟S68)。反之,若於步驟S72中判斷擴展映像檔6的試用期限尚未過期,則Docker伺服器22可被例外允許藉由圖3所示的步驟S20、步驟S22與步驟S24來執行擴展映像檔6。If it is determined in step S72 that the trial period of the extended image file 6 has expired, the Docker server 22 is not allowed to execute the extended image file 6 (step S68 ). On the contrary, if it is determined in step S72 that the trial period of the extended image file 6 has not expired, the Docker server 22 can be exceptionally allowed to execute the extended image file 6 through steps S20, S22 and S24 shown in FIG. 3 .

通過本發明的執行方法,可以保護擴展映像檔3、6不會被任意複製或被佈署到未經授權的主機上執行,並且令改良後的Docker伺服器22不但可執行通用映像檔30,亦可執行擴展映像檔3、6。藉此,在提高了對於智慧財產的保護效果的前提下,保留了Docker伺服器22的使用便利性。Through the execution method of the present invention, the extended image files 3 and 6 can be protected from being arbitrarily copied or deployed on unauthorized hosts for execution, and the improved Docker server 22 can not only execute the general image file 30, Extended image files 3 and 6 can also be executed. Thereby, on the premise of improving the protection effect for intellectual property, the convenience of using the Docker server 22 is preserved.

以上所述僅為本發明之較佳具體實例,非因此即侷限本發明之專利範圍,故舉凡運用本發明內容所為之等效變化,均同理皆包含於本發明之範圍內,合予陳明。The above description is only a preferred specific example of the present invention, and therefore does not limit the scope of the patent of the present invention. Therefore, all equivalent changes made by using the content of the present invention are all included in the scope of the present invention. bright.

1…主機1…Host

11…作業系統11…Operating System

12…檔案系統12…File System

121…註冊檔案121…Registration Archives

122…檢查檔案122…Check Archives

13…硬體資訊13…Hardware information

21…Docker用戶端21…Docker Client

22…Docker伺服器22…Docker server

30…通用映像檔30…generic image file

3、6…擴展映像檔3, 6...Extended image file

31、61…原始欄位31, 61...original fields

311、611…環境欄位311, 611...Environment field

312、612…資料欄位312, 612...data fields

32、62…擴展欄位32, 62...Extended fields

321、621…保護欄位321, 621…protection fields

322、622…真實環境欄位322, 622…Real environment fields

623…試用期欄位623…trial period field

4、40…容器4, 40… Containers

5…Docker註冊中心5…Docker registry

S10~S24…執行步驟S10~S24...Execution steps

S30~S52…執行步驟S30~S52...Execution steps

S60~S72…執行步驟S60~S72...Execution steps

圖1為本發明的Docker系統的示意圖的第一具體實施例。FIG. 1 is a first specific embodiment of a schematic diagram of a Docker system of the present invention.

圖2為本發明的映像檔的資料結構的第一具體實施例。FIG. 2 is a first specific embodiment of the data structure of the image file of the present invention.

圖3為本發明的映像檔執行流程圖的第一具體實施例。FIG. 3 is a first specific embodiment of an image file execution flow chart of the present invention.

圖4為本發明的註冊示意圖的第一具體實施例。FIG. 4 is a first specific embodiment of a schematic diagram of registration of the present invention.

圖5為本發明的映像檔執行流程圖的第二具體實施例。FIG. 5 is a second specific embodiment of an image file execution flowchart of the present invention.

圖6為本發明的映像檔的資料結構的第二具體實施例。FIG. 6 is a second specific embodiment of the data structure of the image file of the present invention.

圖7為本發明的映像檔執行流程圖的第三具體實施例。FIG. 7 is a third specific embodiment of an image file execution flowchart of the present invention.

S10~S24…執行步驟S10~S24...Execution steps

Claims (11)

一種Docker映像檔的保護執行方法,應用於改良後的一Docker伺服器及一Docker映像檔,包括: a)該Docker伺服器接收一容器建立指令並取得對應的該Docker映像檔; b)判斷該Docker映像檔是否為一擴展映像檔,其中該擴展映像檔同時具有一擴展欄位以及一原始欄位; c)於判斷該Docker映像檔為該擴展映像檔時讀取該Docker映像檔的該擴展欄位中的一保護欄位; d)基於該保護欄位的內容判斷該Docker映像檔是否為受保護映像檔; e)於判斷該Docker映像檔為受保護映像檔時取得該Docker映像檔的一真正可支援的作業系統; f)以該真正可支援的作業系統取代該Docker映像檔的該原始欄位中的一環境欄位的內容;及 g)步驟f)後,基於該原始欄位的內容執行該Docker映像檔以建立對應的一Docker容器。 A protection execution method for a Docker image file, applied to an improved Docker server and a Docker image file, comprising: a) the Docker server receives a container establishment instruction and obtains the corresponding Docker image file; b) judging whether the Docker image file is an extended image file, wherein the extended image file has an extended field and an original field at the same time; c) when judging that the Docker image file is the extension image file, read a protection field in the extension field of the Docker image file; d) Judging whether the Docker image file is a protected image file based on the content of the protection field; e) Obtaining a truly supportable operating system of the Docker image file when judging that the Docker image file is a protected image file; f) replace the contents of an environment field in the original field of the Docker image with the truly supported operating system; and g) After step f), execute the Docker image file based on the content of the original field to create a corresponding Docker container. 如請求項1所述的Docker映像檔的保護執行方法,其中該步驟d)是於該保護欄位中記錄有該Docker映像檔的一特殊ID時判斷該Docker映像檔為受保護映像檔,並且於該保護欄位中沒有記錄該特殊ID時判斷該Docker映像檔不是受保護映像檔。The protection execution method of a Docker image file as claimed in claim 1, wherein the step d) is to determine that the Docker image file is a protected image file when a special ID of the Docker image file is recorded in the protection field, and When the special ID is not recorded in the protection field, it is determined that the Docker image file is not a protected image file. 如請求項2所述的Docker映像檔的保護執行方法,其中該步驟e)是於判斷該Docker映像檔為受保護映像檔時讀取該擴展欄位中的一真實環境欄位的內容,其中該真實環境欄位中記錄該Docker映像檔的該真正可支援的作業系統。The protection execution method of a Docker image file as claimed in claim 2, wherein the step e) is to read the content of a real environment field in the extension field when judging that the Docker image file is a protected image file, wherein The real supportable operating system of the Docker image is recorded in the real environment field. 如請求項2所述的Docker映像檔的保護執行方法,其中該步驟e)是於判斷該Docker映像檔為受保護映像檔時讀取該原始欄位中的該環境欄位的內容,並且以該環境欄位的內容查詢一對照表以取得該真正可支援的作業系統,其中該環境欄位中記錄錯誤的可支援作業系統。The protection execution method of a Docker image file as claimed in claim 2, wherein the step e) is to read the content of the environment field in the original field when it is determined that the Docker image file is a protected image file, and use The content of the environment field queries a comparison table to obtain the truly supportable operating system, wherein an incorrect supportable operating system is recorded in the environment field. 如請求項2所述的Docker映像檔的保護執行方法,其中更包括一步驟d1):於判斷該Docker映像檔不是受保護映像檔時直接執行該步驟g)。The protection execution method for a Docker image file according to claim 2, further comprising a step d1): directly executing the step g) when it is determined that the Docker image file is not a protected image file. 如請求項2所述的Docker映像檔的保護執行方法,其中該歩驟e)包括下列歩驟: e1)於判斷該Docker映像檔為受保護映像檔時讀取該Docker映像檔的一映像檔ID; e2)取得目前運行該Docker伺服器的一主機的硬體資訊; e3)依據該映像檔ID及該硬體資訊產生一第一索引資料; e4)基於該第一索引資料對該主機的一檔案系統進行搜尋; e5)於該檔案系統中不存在檔名與該第一索引資料相符的一註冊檔案時,不執行該Docker映像檔;及 e6)於該檔案系統中存在檔名與該第一索引資料相符的該註冊檔案時,讀取該Docker映像檔中的該真實環境欄位。 The protection execution method of a Docker image file as claimed in claim 2, wherein the step e) comprises the following steps: e1) when judging that the Docker image file is a protected image file, read an image file ID of the Docker image file; e2) obtain hardware information of a host currently running the Docker server; e3) generating a first index data according to the image file ID and the hardware information; e4) searching a file system of the host based on the first index data; e5) when there is no registered file whose file name matches the first index data in the file system, do not execute the Docker image file; and e6) When the registration file whose file name matches the first index data exists in the file system, read the real environment field in the Docker image file. 如請求項6所述的Docker映像檔的保護執行方法,其中該歩驟e3)是藉由雜湊函數計算該映像檔ID及該硬體資訊的串接資訊以產生該第一索引資料。The protection execution method of a Docker image file according to claim 6, wherein the step e3) is to calculate the concatenation information of the image file ID and the hardware information by a hash function to generate the first index data. 如請求項6所述的Docker映像檔的保護執行方法,其中該硬體資訊包括該主機的一中央處理器(Central Processing Unit, CPU)的ID、該主機的一硬碟的硬碟序號或該主機的一網路卡的媒體存取控制位址(Media Access Control Address, MAC Address)。The protected execution method of a Docker image file according to claim 6, wherein the hardware information includes an ID of a central processing unit (CPU) of the host, a hard disk serial number of a hard disk of the host, or the The Media Access Control Address (MAC Address) of a network card of the host. 如請求項6所述的Docker映像檔的保護執行方法,其中該步驟e6)包括下列步驟: e61)於該檔案系統中存在檔名與該第一索引資料相符的該註冊檔案時,讀取該註冊檔案中記錄的一必要註冊資料; e62)藉由雜湊函數計算該必要註冊資料以產生一第二索引資料; e63)基於該第二索引資料對該檔案系統進行搜尋; e64)於該檔案系統中不存在檔名與該第二索引資料相符的一檢查檔案時,不執行該Docker映像檔;及 e65)於該檔案系統中存在檔名與該第二索引資料相符的該檢查檔案時,讀取該Docker映像檔中的該真實環境欄位。 The protection execution method for a Docker image file according to claim 6, wherein the step e6) includes the following steps: e61) When the registration file whose file name matches the first index data exists in the file system, read a necessary registration data recorded in the registration file; e62) calculating the necessary registration data by a hash function to generate a second index data; e63) searching the file system based on the second index data; e64) when there is no check file whose file name matches the second index data in the file system, do not execute the Docker image file; and e65) When the check file whose file name matches the second index data exists in the file system, read the real environment field in the Docker image file. 如請求項6所述的Docker映像檔的保護執行方法,其中該Docker映像檔的該擴展欄位中更包括記錄該Docker映像檔的一試用期限的一試用期欄位,並且該步驟e5)包括: e51)於該檔案系統中不存在檔名與該第一索引資料相符的該註冊檔案時,讀取該Docker映像檔中的該試用期欄位以取得該試用期限; e52)於該試用期限已經過期時不執行該Docker映像檔;及 e53)於該試用期限尚未過期時讀取該真實環境欄位。 The protection execution method of a Docker image file according to claim 6, wherein the extension field of the Docker image file further includes a trial period field for recording a trial period of the Docker image file, and the step e5) includes : e51) when the registration file whose file name matches the first index data does not exist in the file system, read the trial period field in the Docker image file to obtain the trial period; e52) do not execute the Docker image when the trial period has expired; and e53) Read the real environment field when the trial period has not expired. 如請求項1所述的Docker映像檔的保護執行方法,其中該步驟g)包括下列步驟: g1)讀取該Docker映像檔中的該環境欄位,其中該環境欄位的內容被取代為該真正可支援的作業系統; g2)判斷目前運行該Docker伺服器的一主機的作業系統是符合該環境欄位的內容; g3)於判斷該主機的作業系統不符合該環境欄位的內容時不執行該Docker映像檔;及 g4)於判斷該主機的作業系統符合該環境欄位的內容時,基於該Docker映像檔的該原始欄位中的一資料欄位執行該Docker映像檔,以建立對應的該Docker容器。 The protection execution method for a Docker image file according to claim 1, wherein step g) includes the following steps: g1) read the environment field in the Docker image file, wherein the content of the environment field is replaced by the truly supportable operating system; g2) judging that the operating system of a host currently running the Docker server is in line with the content of the environment field; g3) do not execute the Docker image file when it is determined that the operating system of the host does not conform to the contents of the environment field; and g4) When judging that the operating system of the host complies with the content of the environment field, execute the Docker image file based on a data field in the original field of the Docker image file to create the corresponding Docker container.
TW109131744A 2020-09-15 2020-09-15 Method for executing docker images under protection TWI759863B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW109131744A TWI759863B (en) 2020-09-15 2020-09-15 Method for executing docker images under protection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW109131744A TWI759863B (en) 2020-09-15 2020-09-15 Method for executing docker images under protection

Publications (2)

Publication Number Publication Date
TW202213143A TW202213143A (en) 2022-04-01
TWI759863B true TWI759863B (en) 2022-04-01

Family

ID=82197386

Family Applications (1)

Application Number Title Priority Date Filing Date
TW109131744A TWI759863B (en) 2020-09-15 2020-09-15 Method for executing docker images under protection

Country Status (1)

Country Link
TW (1) TWI759863B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10002247B2 (en) * 2015-12-18 2018-06-19 Amazon Technologies, Inc. Software container registry container image deployment
CN110727547A (en) * 2019-09-11 2020-01-24 上海爱数信息技术股份有限公司 System and method for protecting Docker application container
US10601807B2 (en) * 2011-08-09 2020-03-24 CloudPassage, Inc. Systems and methods for providing container security
CN111510423A (en) * 2019-01-31 2020-08-07 百度(美国)有限责任公司 Token-based secure multi-party computing framework using restricted operating environments

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10601807B2 (en) * 2011-08-09 2020-03-24 CloudPassage, Inc. Systems and methods for providing container security
US10002247B2 (en) * 2015-12-18 2018-06-19 Amazon Technologies, Inc. Software container registry container image deployment
CN111510423A (en) * 2019-01-31 2020-08-07 百度(美国)有限责任公司 Token-based secure multi-party computing framework using restricted operating environments
CN110727547A (en) * 2019-09-11 2020-01-24 上海爱数信息技术股份有限公司 System and method for protecting Docker application container

Also Published As

Publication number Publication date
TW202213143A (en) 2022-04-01

Similar Documents

Publication Publication Date Title
JP7177576B2 (en) Runtime self-modification for blockchain ledgers
US7770165B2 (en) Providing firmware updates to portable media devices
JP5403771B2 (en) System and method for providing secure updates to firmware
US8782407B2 (en) Information processing device, information processing method, and program
US20090240717A1 (en) Method and apparatus for verifying archived data integrity in integrated storage systems
TW200525358A (en) Method and apparatus for smart memory pass-through communication
US9311956B2 (en) Information processing device, information processing method, and program
CN107479823B (en) Data verification method and device in random read-write file test
IL268348A (en) Remote administration of initial computer operating system setup options
JP2013131015A (en) License management program and information processing device
US10020019B2 (en) Information processing device and information processing method
TWI759863B (en) Method for executing docker images under protection
CN112632517A (en) Authentication method, system and device of USB storage equipment
US11409787B2 (en) Method for executing Docker image under protection
JP5482793B2 (en) Digital content management system, digital watermark embedding device, digital watermark detection device, program, and digital content management method
CN114329351A (en) Protection execution method of Docker mirror image file
JP2006215665A (en) Data management device, data management system, data processor, data management method, program, and storage medium
JP4597651B2 (en) Information processing unit, method and program for controlling ripping of data in media
JP2000259476A (en) File management system and server computer
CN116541124A (en) Virtual computing instance creation method, server cluster and server
JP5397617B2 (en) Management system, information processing apparatus, management apparatus, management method, and program
CN116431164A (en) Application installation method and device, electronic equipment and storage medium
CN116127500A (en) File management and control method, system and medium for mobile storage medium under Linux
CN110968559A (en) Atlas generation method and apparatus
JP2004362507A (en) Information processing unit and information processing method