CN116049896A - Method, system, equipment and medium for realizing data isolation under linux system - Google Patents

Publication number: CN116049896A
Authority: CN (China)
Legal status: Pending
Application number: CN202310315839.3A
Other languages: Chinese (zh)
Inventors: 王庆鹤, 张雷, 李本学
Current Assignee: Zhongfu Safety Technology Co Ltd
Original Assignee: Zhongfu Safety Technology Co Ltd
Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/602 Providing cryptographic facilities or services
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management


Abstract

The application discloses a method, system, equipment and medium for implementing data isolation under a Linux system. It relates mainly to the technical field of data isolation and addresses the problem that existing methods cannot isolate data completely. The method comprises: in the main process of the Linux system, marking all sub-directories under a first preset directory as shared, and creating a sub-process; marking all sub-directories corresponding to the sub-process as slave, and mounting a file system image under a second preset directory; mounting a private proc file system in the sub-process; creating a veth pair on the host; creating a network bridge on the host and adding the other end of the veth pair to the bridge; and configuring the veth virtual network card from within the sub-process.

Description

Method, system, equipment and medium for realizing data isolation under linux system
Technical Field
The present disclosure relates to the field of data isolation technologies, and in particular, to a method, a system, an apparatus, and a medium for implementing data isolation under a linux system.
Background
With the rapid development of computer technology, the functional complexity of computer systems keeps increasing and the security requirements placed on them are becoming more stringent; data isolation is a common way to meet them. The data isolation approaches commonly used under Linux today are mainly virtualization, system call hijacking (redirection) and namespace isolation.
Examples of virtualization are VMware and VirtualBox; an example of system call hijacking is Kata Containers; an example of namespace isolation is Firejail. Virtualization has the advantages of a mature virtual machine technology: isolation is good, complete isolation can be achieved, and software compatibility is good. Its disadvantages are also obvious: hardware support is required, start-up is slow (on the order of minutes), performance is reduced, memory demand is large, disk usage is on the order of gigabytes, cross-platform migration is difficult, and the commercial licensing risk is high. System call hijacking (redirection) has the advantages of reduced system overhead and good isolation, and the disadvantages of strong dependence on the system and poor portability. Namespace isolation, as in Firejail, has the advantages of low implementation difficulty, low resource consumption and good cross-platform behaviour; its disadvantage is that once Firejail uses OverlayFS, files outside the security domain can still be accessed, so complete isolation cannot be achieved.
Therefore, a method, system and medium for implementing data isolation under a Linux system are needed that address Firejail's inability to isolate completely by customizing the file system inside the security domain, so that the file systems inside and outside the security domain are independent, software packages can be installed and managed independently, and file system isolation is achieved.
Disclosure of Invention
In view of the shortcomings of the prior art, the invention provides a method, system, equipment and medium for implementing data isolation under a Linux system, so as to solve the above technical problems.
In a first aspect, the present application provides a method for implementing data isolation under a Linux system, where the method includes: in the main process of the Linux system, marking all sub-directories under a first preset directory as shared, and creating a sub-process, where the sub-process has at least network, file system and process isolation flags; marking all sub-directories corresponding to the sub-process as slave, and mounting a file system image under a second preset directory; switching the root directory corresponding to all sub-directories, and mounting a private proc file system in the sub-process; creating a veth pair on the host and adding either end to the namespace of the sub-process; creating a network bridge on the host and adding the other end of the veth pair to the bridge; enabling forwarding on the host and creating forwarding rules using netfilter; and configuring the veth virtual network card from within the sub-process.
Further, after all sub-directories corresponding to the sub-process are recursively marked as slave using --make-rslave and the file system image is mounted under the second preset directory, the method further comprises: mounting the /tmp directory under the second preset directory through the --bind option in the Linux system, so as to support a graphical interface.
Further, marking all sub-directories under the first preset directory as shared in the main process of the Linux system and creating a sub-process specifically comprises: in the main process of the Linux system, using --make-rshared to mark all sub-directories under the first preset directory as shared, and creating a sub-process.
Further, marking all sub-directories corresponding to the sub-process as slave, mounting the file system image under the second preset directory, switching the root directory corresponding to all sub-directories, and mounting a private proc file system in the sub-process specifically comprises: using --make-rslave to recursively mark all sub-directories corresponding to the sub-process as slave, and mounting the file system image under the second preset directory; and using chroot to switch the root directory corresponding to all sub-directories, and mounting a private proc file system in the sub-process.
In a second aspect, the present application provides a system for implementing data isolation under a Linux system, where the system includes: a creating module, configured to mark all sub-directories under a first preset directory as shared in the main process of the Linux system and create a sub-process, where the sub-process has at least network, file system and process isolation flags; a mounting module, configured to mark all sub-directories corresponding to the sub-process as slave and mount a file system image under a second preset directory, and to switch the root directory corresponding to all sub-directories and mount a private proc file system in the sub-process; and a configuration module, configured to create a veth pair on the host and add either end to the namespace of the sub-process, create a network bridge on the host and add the other end of the veth pair to the bridge, enable forwarding on the host and create forwarding rules using netfilter, and configure the veth virtual network card from within the sub-process.
Further, the mounting module further includes an interface unit, configured to mount the /tmp directory under the second preset directory through the --bind option in the Linux system, so as to support a graphical interface.
Further, the creating module includes a creating unit, configured to use --make-rshared in the main process of the Linux system to mark all sub-directories under the first preset directory as shared, and to create a sub-process.
Further, the mounting module further includes a mounting unit, configured to use --make-rslave to recursively mark all sub-directories corresponding to the sub-process as slave and mount the file system image under the second preset directory, and to use chroot to switch the root directory corresponding to all sub-directories and mount a private proc file system in the sub-process.
In a third aspect, the present application provides a device for implementing data isolation under a Linux system, where the device includes: a processor; and a memory having executable code stored thereon that, when executed, causes the processor to perform the method for implementing data isolation under a Linux system as in any of the above.
In a fourth aspect, the present application provides a non-volatile computer storage medium having stored thereon computer instructions which, when executed, implement the method for implementing data isolation under a Linux system as in any of the above.
As will be appreciated by those skilled in the art, the present invention has at least the following beneficial effects:
By mounting the encrypted file system image and switching to it as the root directory in the sub-process, the sub-process can use a file system independent of the host; the file system seen from inside the independent security domain is completely isolated from the host, and most existing file system formats are supported. Files created and modified in the independent security domain are stored entirely in the domain's internal files and cannot be viewed on the host, which achieves data confidentiality.
In addition, without adding a kernel module, the application achieves process space isolation (an independent proc file system is mounted in the security domain), network space isolation (using technologies such as veth and netfilter) and file system isolation (an encrypted file system image is mounted) under a Linux system. The implementation steps are relatively simple and the subsequent maintenance cost is low, which adds a strong guarantee for the security of user data.
Drawings
Some embodiments of the present disclosure are described below with reference to the accompanying drawings, in which:
Fig. 1 is a flowchart of a method for implementing data isolation under a Linux system according to an embodiment of the present application.
Fig. 2 is a schematic diagram of an internal structure of a system for implementing data isolation under a linux system according to an embodiment of the present application.
Fig. 3 is a schematic diagram of an internal structure of a device for implementing data isolation under a linux system according to an embodiment of the present application.
Detailed Description
It should be understood by those skilled in the art that the embodiments described below are only preferred embodiments of the present disclosure, and do not represent that the present disclosure can be realized only by the preferred embodiments, which are merely for explaining the technical principles of the present disclosure, not for limiting the scope of the present disclosure. Based on the preferred embodiments provided by the present disclosure, all other embodiments that may be obtained by one of ordinary skill in the art without inventive effort shall still fall within the scope of the present disclosure.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises an element.
The following describes in detail the technical solution proposed in the embodiments of the present application through the accompanying drawings.
The embodiment of the application provides a method for implementing data isolation under a Linux system. As shown in Fig. 1, the method mainly comprises the following steps:
Step 110: in the main process of the Linux system, mark all sub-directories under a first preset directory as shared, and create a sub-process.
It should be noted that the sub-process has at least network, file system and process isolation flags. The specific content of the network, file system and process isolation flags can be determined by a person skilled in the art according to the actual situation.
As an example, in the main process of the Linux system, --make-rshared is used to mark all sub-directories under the first preset directory as shared, and a sub-process is created. It should be noted that --make-rshared is an option of the existing mount command.
Step 120: mark all sub-directories corresponding to the sub-process as slave, and mount a file system image under a second preset directory; switch the root directory corresponding to all sub-directories, and mount a private proc file system in the sub-process.
In addition, if a graphical interface needs to be supported, the /tmp directory must be mounted under the second preset directory through the --bind option in the Linux system. (For example: mount --bind /tmp root_fs/tmp, where root_fs is the root_fs created by the sub-process.)
Specifically: --make-rslave is used to recursively mark all sub-directories corresponding to the sub-process as slave, and the file system image is mounted under the second preset directory. (For example, the main process executes: mount --make-rshared /; the sub-process executes: mkdir root_fs (root_fs is used as an example; other names may be specified in the program); mount --make-rslave; mount -t fs-type root.img root_fs.) chroot is then used to switch the root directory corresponding to all sub-directories, and a private proc file system is mounted in the sub-process.
It should be noted that the proc file system (procfs) is a special file system in Linux-like operating systems that provides information about processes and other system information in a hierarchical, file-like structure.
Step 130: create a veth pair on the host and add either end to the namespace of the sub-process; create a network bridge on the host and add the other end of the veth pair to the bridge; enable forwarding on the host and create forwarding rules using netfilter; and configure the veth virtual network card from within the sub-process.
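The propagation settings made in steps 110 and 120 can be checked from the mountinfo table of the process concerned: a "shared:N" tag means mounts made under that mount point propagate to its peers, a "master:N" tag marks a slave, and no tag means private. The shell script below is an added example, not part of the patent; the function names and the three mount tables are constructed for illustration, and it assumes the table is read after the root switch, so the image appears as / and the private procfs as /proc.

```shell
#!/bin/sh
# Added example: audit mount propagation for the security domain described above.
# Real input is /proc/<pid>/mountinfo; the sample tables below are constructed.

# Emit "<mount point> <propagation> <fstype>" for each mountinfo line on stdin.
# Optional tags (shared:N, master:N, ...) sit between field 6 and the "-" separator.
mount_table() {
    awk '{
        shared = 0; slave = 0; sep = 0
        for (i = 7; i <= NF; i++) {
            if ($i == "-") { sep = i; break }
            if ($i ~ /^shared:/) shared = 1
            if ($i ~ /^master:/) slave = 1
        }
        if (!sep) next                      # skip malformed lines
        prop = "private"
        if (slave)  prop = "slave"
        if (shared) prop = (slave ? "shared+slave" : "shared")
        print $5, prop, $(sep + 1)
    }'
}

# Print the propagation type of mount point $1 (last listed entry wins), or "absent".
propagation_of() {
    mount_table | awk -v mp="$1" '$1 == mp { p = $2 } END { print (p == "" ? "absent" : p) }'
}

# Audit the table seen inside the domain: nothing may be shared, and /proc must be
# a procfs instance mounted privately in the sub-process (no propagation tag).
# Prints one line per finding; exit status 0 on pass, 1 on failure.
audit_domain() {
    mount_table | awk '
        $2 ~ /shared/ { print "FAIL " $1 " is " $2 ": mounts made under it propagate out of the domain"; bad = 1 }
        $1 == "/proc" { proc = $2 "/" $3 }
        END {
            if (proc != "private/proc") {
                print "FAIL /proc is " (proc == "" ? "absent" : proc) ", expected private/proc"
                bad = 1
            }
            if (!bad) print "PASS no shared mounts, /proc is a private procfs instance"
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample: host after "mount --make-rshared /".
sample_host() { cat <<'EOF'
25 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw
26 25 0:22 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
27 25 0:5 / /tmp rw,nosuid,nodev shared:14 - tmpfs tmpfs rw
EOF
}

# Constructed sample: sub-process after --make-rslave, image mount, chroot,
# private proc mount and the optional bind mount of /tmp.
sample_domain_ok() { cat <<'EOF'
310 280 7:0 / / rw,relatime - ext4 /dev/loop0 rw
311 310 0:52 / /proc rw,relatime - proc proc rw
312 310 0:5 / /tmp rw,nosuid,nodev master:14 - tmpfs tmpfs rw
EOF
}

# Constructed sample: same steps with the --make-rslave marking skipped,
# so every new mount lands in a shared peer group.
sample_domain_leaky() { cat <<'EOF'
310 280 7:0 / / rw,relatime shared:201 - ext4 /dev/loop0 rw
311 310 0:52 / /proc rw,relatime shared:202 - proc proc rw
312 310 0:5 / /tmp rw,nosuid,nodev shared:14 - tmpfs tmpfs rw
EOF
}

# Demo on the constructed tables.
echo "host / is: $(sample_host | propagation_of /)"
sample_domain_ok | audit_domain || :
sample_domain_leaky | audit_domain || :
```

Inside a running security domain the same check is audit_domain < /proc/self/mountinfo; on the host, propagation_of / < /proc/self/mountinfo should report shared after step 110.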
In addition, Fig. 2 shows a system for implementing data isolation under a Linux system provided in an embodiment of the present application. As shown in Fig. 2, the system mainly includes:
The creating module 210, configured to mark all sub-directories under the first preset directory as shared in the main process of the Linux system, and create a sub-process; the sub-process has at least network, file system and process isolation flags.
The creating module 210 includes a creating unit 211, configured to use --make-rshared in the main process of the Linux system to mark all sub-directories under the first preset directory as shared, and to create a sub-process.
The mounting module 220, configured to mark all sub-directories corresponding to the sub-process as slave and mount the file system image under a second preset directory, and to switch the root directory corresponding to all sub-directories and mount a private proc file system in the sub-process.
The mounting module 220 also includes a mounting unit 222, configured to use --make-rslave to recursively mark all sub-directories corresponding to the sub-process as slave and mount the file system image under the second preset directory, and to use chroot to switch the root directory corresponding to all sub-directories and mount a private proc file system in the sub-process.
The mounting module 220 further includes an interface unit 221, configured to mount the /tmp directory under the second preset directory through the --bind option in the Linux system, so as to support a graphical interface.
The configuration module 230, configured to create a veth pair on the host and add either end to the namespace of the sub-process; create a network bridge on the host and add the other end of the veth pair to the bridge; enable forwarding on the host and create forwarding rules using netfilter; and configure the veth virtual network card from within the sub-process.
The foregoing is the method embodiment of the present application. Based on the same inventive concept, the embodiment of the present application further provides a device for implementing data isolation under a Linux system. As shown in Fig. 3, the device includes: a processor; and a memory having executable code stored thereon which, when executed, causes the processor to perform the method for implementing data isolation under a Linux system as in the above embodiments.
Specifically, the server marks all sub-directories under a first preset directory as shared in the main process of the Linux system, and creates a sub-process, where the sub-process has at least network, file system and process isolation flags; marks all sub-directories corresponding to the sub-process as slave, and mounts the file system image under a second preset directory; switches the root directory corresponding to all sub-directories, and mounts a private proc file system in the sub-process; creates a veth pair on the host and adds either end to the namespace of the sub-process; creates a network bridge on the host and adds the other end of the veth pair to the bridge; enables forwarding on the host and creates forwarding rules using netfilter; and configures the veth virtual network card from within the sub-process.
In addition, the embodiment of the application also provides a non-volatile computer storage medium on which executable instructions are stored; when the executable instructions are executed, the method for implementing data isolation under a Linux system is carried out.
Thus far, the technical solution of the present disclosure has been described in connection with the foregoing embodiments, but it is easily understood by those skilled in the art that the protective scope of the present disclosure is not limited to only these specific embodiments. The technical solutions in the above embodiments may be split and combined by those skilled in the art without departing from the technical principles of the present disclosure, and equivalent modifications or substitutions may be made to related technical features, which all fall within the scope of the present disclosure.

Claims (10)

1. A method for implementing data isolation under a Linux system, characterized by comprising the following steps:
in the main process of the Linux system, marking all sub-directories under a first preset directory as shared, and creating a sub-process; the sub-process has at least network, file system and process isolation flags;
marking all sub-directories corresponding to the sub-process as slave, and mounting a file system image under a second preset directory; switching the root directory corresponding to all sub-directories, and mounting a private proc file system in the sub-process;
creating a veth pair on the host and adding either end to the namespace of the sub-process; creating a network bridge on the host and adding the other end of the veth pair to the bridge; enabling forwarding on the host and creating forwarding rules using netfilter; and configuring the veth virtual network card from within the sub-process.
2. The method of claim 1, wherein after all sub-directories corresponding to the sub-process are recursively marked as slave using --make-rslave and the file system image is mounted under the second preset directory, the method further comprises:
mounting the /tmp directory under the second preset directory through the --bind option in the Linux system, so as to support a graphical interface.
3. The method for implementing data isolation under a Linux system according to claim 1, wherein marking all sub-directories under the first preset directory as shared in the main process of the Linux system and creating a sub-process specifically comprises:
in the main process of the Linux system, using --make-rshared to mark all sub-directories under the first preset directory as shared, and creating a sub-process.
4. The method for implementing data isolation under a Linux system according to claim 1, wherein marking all sub-directories corresponding to the sub-process as slave, mounting the file system image under the second preset directory, switching the root directory corresponding to all sub-directories, and mounting a private proc file system in the sub-process specifically comprises:
using --make-rslave to recursively mark all sub-directories corresponding to the sub-process as slave, and mounting the file system image under the second preset directory;
and using chroot to switch the root directory corresponding to all sub-directories, and mounting a private proc file system in the sub-process.
5. A system for implementing data isolation under a Linux system, the system comprising:
a creating module, configured to mark all sub-directories under a first preset directory as shared in the main process of the Linux system, and create a sub-process; the sub-process has at least network, file system and process isolation flags;
a mounting module, configured to mark all sub-directories corresponding to the sub-process as slave, and mount a file system image under a second preset directory; and to switch the root directory corresponding to all sub-directories, and mount a private proc file system in the sub-process;
a configuration module, configured to create a veth pair on the host and add either end to the namespace of the sub-process; create a network bridge on the host and add the other end of the veth pair to the bridge; enable forwarding on the host and create forwarding rules using netfilter; and configure the veth virtual network card from within the sub-process.
6. The system for implementing data isolation under a Linux system according to claim 5, wherein the mounting module further comprises an interface unit,
configured to mount the /tmp directory under the second preset directory through the --bind option in the Linux system, so as to support a graphical interface.
7. The system for implementing data isolation under a Linux system according to claim 5, wherein the creating module comprises a creating unit,
configured to use --make-rshared in the main process of the Linux system to mark all sub-directories under the first preset directory as shared, and to create a sub-process.
8. The system for implementing data isolation under a Linux system according to claim 5, wherein the mounting module further comprises a mounting unit,
configured to use --make-rslave to recursively mark all sub-directories corresponding to the sub-process as slave, and mount the file system image under the second preset directory; and to use chroot to switch the root directory corresponding to all sub-directories, and mount a private proc file system in the sub-process.
9. A device for implementing data isolation under a Linux system, the device comprising:
a processor;
and a memory having executable code stored thereon which, when executed, causes the processor to perform the method for implementing data isolation under a Linux system according to any of claims 1-4.
10. A non-volatile computer storage medium having stored thereon computer instructions which, when executed, implement the method for implementing data isolation under a Linux system according to any of claims 1-4.
Application number: CN202310315839.3A; priority date: 2023-03-29; filing date: 2023-03-29; status: Pending; published as CN116049896A (en) on 2023-05-02.

Family

ID=86122108

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310315839.3A Pending CN116049896A (en) 2023-03-29 2023-03-29 Method, system, equipment and medium for realizing data isolation under linux system

Country Status (1)

Country Link
CN (1) CN116049896A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116956331A (en) * 2023-09-18 2023-10-27 中孚安全技术有限公司 File system encryption isolation method, system, equipment and medium applied to Linux

Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160266917A1 (en) * 2013-11-26 2016-09-15 Parallels Method for targeted resource virtualization in containers
CN106095530A (en) * 2016-06-08 2016-11-09 电子科技大学 The container of a kind of many android system automatically creates and startup method
CN106506314A (en) * 2016-09-30 2017-03-15 北京赢点科技有限公司 Network high availability method and device based on docker
US20180129821A1 (en) * 2016-11-04 2018-05-10 Microsoft Technology Licensing, Llc Storage Isolation for Containers
US20180365238A1 (en) * 2017-06-20 2018-12-20 Red Hat, Inc. Sharing Filesystems Between Containers
CN110427248A (en) * 2019-07-12 2019-11-08 中国人民解放军国防科技大学 Container-based lightweight user environment construction method, system and medium
CN111782305A (en) * 2020-07-21 2020-10-16 江苏荣泽信息科技股份有限公司 Method for efficiently and safely operating environment of intelligent contract
CN112764823A (en) * 2019-10-18 2021-05-07 杭州海康威视数字技术股份有限公司 Starting method of NVR (network video recorder) system, host operating system and data communication method
CN113190325A (en) * 2021-04-09 2021-07-30 大唐微电子技术有限公司 Container creation method and device
CN113312311A (en) * 2020-07-27 2021-08-27 阿里巴巴集团控股有限公司 Method and device for processing name space
CN113986515A (en) * 2021-12-24 2022-01-28 统信软件技术有限公司 Method and device for creating sandbox environment for plug-in operation and computing equipment
CN114047925A (en) * 2021-11-24 2022-02-15 北京天融信网络安全技术有限公司 Method, device, equipment and storage medium for constructing isolated compiling environment
CN114640554A (en) * 2022-02-15 2022-06-17 阿里云计算有限公司 Multi-tenant communication isolation method and hybrid networking method
CN115586872A (en) * 2022-11-11 2023-01-10 浪潮电子信息产业股份有限公司 Container mirror image management method, device, equipment and storage medium
CN115809116A (en) * 2022-12-08 2023-03-17 杭州谐云科技有限公司 Method and system for operating container mirror image under Linux system with incomplete kernel function

Patent Citations (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160266917A1 (en) * 2013-11-26 2016-09-15 Parallels Method for targeted resource virtualization in containers
CN106095530A (en) * 2016-06-08 2016-11-09 电子科技大学 The container of a kind of many android system automatically creates and startup method
CN106506314A (en) * 2016-09-30 2017-03-15 北京赢点科技有限公司 Network high availability method and device based on docker
US20180129821A1 (en) * 2016-11-04 2018-05-10 Microsoft Technology Licensing, Llc Storage Isolation for Containers
US20180365238A1 (en) * 2017-06-20 2018-12-20 Red Hat, Inc. Sharing Filesystems Between Containers
US20210011740A1 (en) * 2019-07-12 2021-01-14 National University of Defense Technology, People's Liberation Army of China Method and system for constructing lightweight container-based user environment (cue), and medium
CN110427248A (en) * 2019-07-12 2019-11-08 中国人民解放军国防科技大学 Container-based lightweight user environment construction method, system and medium
CN112764823A (en) * 2019-10-18 2021-05-07 杭州海康威视数字技术股份有限公司 Starting method of NVR (network video recorder) system, host operating system and data communication method
CN111782305A (en) * 2020-07-21 2020-10-16 江苏荣泽信息科技股份有限公司 Method for efficiently and safely operating environment of intelligent contract
CN113312311A (en) * 2020-07-27 2021-08-27 阿里巴巴集团控股有限公司 Method and device for processing name space
CN113190325A (en) * 2021-04-09 2021-07-30 大唐微电子技术有限公司 Container creation method and device
CN114047925A (en) * 2021-11-24 2022-02-15 北京天融信网络安全技术有限公司 Method, device, equipment and storage medium for constructing isolated compiling environment
CN113986515A (en) * 2021-12-24 2022-01-28 统信软件技术有限公司 Method and device for creating sandbox environment for plug-in operation and computing equipment
CN114640554A (en) * 2022-02-15 2022-06-17 阿里云计算有限公司 Multi-tenant communication isolation method and hybrid networking method
CN115586872A (en) * 2022-11-11 2023-01-10 浪潮电子信息产业股份有限公司 Container mirror image management method, device, equipment and storage medium
CN115809116A (en) * 2022-12-08 2023-03-17 杭州谐云科技有限公司 Method and system for operating container mirror image under Linux system with incomplete kernel function

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
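Liu Kui: "A data security isolation scheme for the Android platform", Technology Innovation and Application, no. 27 *
Chen Yiyang et al.: "A survey of container technology for high-performance computing systems", Computer Science, vol. 50, no. 2, pages 356-357 *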

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116956331A (en) * 2023-09-18 2023-10-27 中孚安全技术有限公司 File system encryption isolation method, system, equipment and medium applied to Linux
CN116956331B (en) * 2023-09-18 2023-12-19 中孚安全技术有限公司 File system encryption isolation method, system, equipment and medium applied to Linux

Similar Documents

Publication Publication Date Title
US9348631B2 (en) File mapping and converting for dynamic disk personalization for multiple platforms
US6618736B1 (en) Template-based creation and archival of file systems
KR100960009B1 (en) Localized read-only storage device for distributing files over a network
US8924703B2 (en) Secure virtualization environment bootable from an external media device
US7305577B2 (en) Data isolation system and method
EP0679994B1 (en) High availability computer system
CN101551756B (en) The virtual method and virtual device based on operating system layer
US11003372B2 (en) Protecting volume namespaces from corruption in a distributed container orchestrator
US9135038B1 (en) Mapping free memory pages maintained by a guest operating system to a shared zero page within a machine frame
CA2896080C (en) Interfacing with remote content management systems
JP2008033483A (en) Computer system, computer, and moving method of computer operating environment
US9354906B1 (en) Managing the eviction process
CN116049896A (en) Method, system, equipment and medium for realizing data isolation under linux system
US9792131B1 (en) Preparing a virtual machine for template creation
CN113312155B (en) Virtual machine creation method, device, equipment, system and computer program product
KR20210118877A (en) Security Interface Controls High-Level Page Management
CN112804375B (en) Configuration method for single network card and multiple IPs
US20090006713A1 (en) Dynamic virtualized volume
CN106686123B (en) Storage system suitable for multi-user scene
US9104544B1 (en) Mitigating eviction by maintaining mapping tables
CN115543549B (en) Container with application running effect consistent with host machine
CN114168156A (en) Multi-tenant data persistence method and device, storage medium and computer equipment
Cisco Serving Files with the TFTP Service
Cisco Preparing to Install CiscoWorks Blue SNA View

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20230502