CN116167044A - Application container creation method, device and equipment - Google Patents

Publication number
CN116167044A
Authority
CN
China
Prior art keywords
application container
target application
creating
download
address information
Prior art date
Legal status
Pending
Application number
CN202310185265.2A
Other languages
Chinese (zh)
Inventor
徐子腾
Current Assignee
Alipay Hangzhou Information Technology Co Ltd
Original Assignee
Alipay Hangzhou Information Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Alipay Hangzhou Information Technology Co Ltd
Priority to CN202310185265.2A
Publication of CN116167044A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45562 Creating, deleting, cloning virtual machine instances
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45595 Network integration; Enabling network access in virtual machine instances

Abstract

The embodiments of this specification disclose a method, device and equipment for creating an application container. The method comprises: receiving a first container creation request sent by user equipment, where the first container creation request carries the download address information of the image required to create a target application container; acquiring, according to the received first container creation request, a download authority credential for the image required to create the target application container; generating, based on the download authority credential and the download address information, target address information that carries the authority to download the image required to create the target application container; and sending the target address information to a predetermined node, so that the predetermined node obtains the image according to the target address information and creates the target application container from the obtained image.

Description

Application container creation method, device and equipment
The application is a divisional application of China patent application with China patent office, application number 202010561376.5 and invention name of 'method, device and equipment for creating application container' filed by 18 months of 2020.
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a method, an apparatus, and a device for creating an application container.
Background
Under the current k8s (Kubernetes, an open-source automated operations platform for Linux containers) and docker framework, a broad ("large") account for the image repository is configured in the .docker/config.json file of each node during application container creation, and that account can download every image in the image repository.
However, because each node can then download all the images in the image repository, an attacker who obtains the authority of a single node can download all the images in the image repository, which creates a very large risk of data leakage. A technical solution is therefore needed that reduces the risk of data leakage and ensures that the whole image download process is safe and reliable and that the image cannot be hijacked or tampered with.
Description of the embodiments
The embodiments of this specification aim to provide a method, device and equipment for creating an application container, so as to provide a technical solution that reduces the risk of data leakage and ensures that the whole image download process is safe and reliable and that the image cannot be hijacked or tampered with.
To solve the above technical problems, the embodiments of this specification are implemented as follows:
In a first aspect, an embodiment of this specification provides a method for creating an application container, including: receiving a first container creation request sent by user equipment, where the first container creation request carries the download address information of the image required to create a target application container; acquiring, according to the received first container creation request, a download authority credential for the image required to create the target application container; generating, based on the download authority credential and the download address information, target address information that carries the authority to download the image required to create the target application container; and sending the target address information to a predetermined node, so that the predetermined node obtains the image required to create the target application container according to the target address information and creates the target application container from the obtained image.
In a second aspect, an embodiment of this specification provides a method for creating an application container, including: receiving a first container creation request sent by a management server, where the first container creation request carries the download address information of the image required to create a target application container; acquiring, according to the received first container creation request, a download authority credential for the image required to create the target application container; and sending the download authority credential to the management server, so that the management server generates, based on the download authority credential and the download address information, target address information that carries the authority to download the image required to create the target application container, and sends the target address information to a predetermined node, so that the predetermined node obtains the image according to the target address information and creates the target application container from the obtained image.
In a third aspect, an embodiment of this specification provides an apparatus for creating an application container, including: a first receiving module, configured to receive a first container creation request sent by user equipment, where the first container creation request carries the download address information of the image required to create a target application container; a first acquisition module, configured to acquire, according to the received first container creation request, a download authority credential for the image required to create the target application container; a generation module, configured to generate, based on the download authority credential and the download address information, target address information that carries the authority to download the image required to create the target application container; and a first sending module, configured to send the target address information to a predetermined node, so that the predetermined node obtains the image according to the target address information and creates the target application container from the obtained image.
In a fourth aspect, an embodiment of this specification provides an apparatus for creating an application container, including: a second receiving module, configured to receive a first container creation request sent by a management server, where the first container creation request carries the download address information of the image required to create a target application container; a second acquisition module, configured to acquire, according to the received first container creation request, a download authority credential for the image required to create the target application container; and a second sending module, configured to send the download authority credential to the management server, so that the management server generates, based on the download authority credential and the download address information, target address information that carries the authority to download the image required to create the target application container, and sends the target address information to a predetermined node, so that the predetermined node obtains the image according to the target address information and creates the target application container from the obtained image.
In a fifth aspect, an embodiment of this specification provides equipment for creating an application container, including a processor and a memory arranged to store computer-executable instructions that, when executed, cause the processor to: receive a first container creation request sent by user equipment, where the first container creation request carries the download address information of the image required to create a target application container; acquire, according to the received first container creation request, a download authority credential for the image required to create the target application container; generate, based on the download authority credential and the download address information, target address information that carries the authority to download the image required to create the target application container; and send the target address information to a predetermined node, so that the predetermined node obtains the image according to the target address information and creates the target application container from the obtained image.
In a sixth aspect, an embodiment of this specification provides equipment for creating an application container, including a processor and a memory arranged to store computer-executable instructions that, when executed, cause the processor to: receive a first container creation request sent by a management server, where the first container creation request carries the download address information of the image required to create a target application container; acquire, according to the received first container creation request, a download authority credential for the image required to create the target application container; and send the download authority credential to the management server, so that the management server generates, based on the download authority credential and the download address information, target address information that carries the authority to download the image required to create the target application container, and sends the target address information to a predetermined node, so that the predetermined node obtains the image according to the target address information and creates the target application container from the obtained image.
Drawings
In order to more clearly illustrate the embodiments of the present description or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described below, it being obvious that the drawings in the following description are only some of the embodiments described in the present description, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a first flowchart of a method for creating an application container according to an embodiment of the present disclosure;
Fig. 2 is a second flowchart of a method for creating an application container according to an embodiment of the present disclosure;
Fig. 3 is a third flowchart of a method for creating an application container according to an embodiment of the present disclosure;
Fig. 4 is a fourth flowchart of a method for creating an application container according to an embodiment of the present disclosure;
Fig. 5 is a fifth flowchart of a method for creating an application container according to an embodiment of the present disclosure;
Fig. 6 is a sixth flowchart of a method for creating an application container according to an embodiment of the present disclosure;
Fig. 7 is a schematic diagram of a first module composition of an apparatus for creating an application container according to an embodiment of the present disclosure;
Fig. 8 is a schematic diagram of a second module composition of an apparatus for creating an application container according to an embodiment of the present disclosure;
Fig. 9 is a first structural schematic diagram of the equipment for creating an application container according to an embodiment of the present disclosure;
Fig. 10 is a second structural schematic diagram of the equipment for creating an application container according to an embodiment of the present disclosure.
Detailed Description
The embodiment of the specification provides a method, a device and equipment for creating an application container.
In order to make the technical solutions in the present specification better understood by those skilled in the art, the technical solutions in the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only some embodiments of the present specification, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are intended to be within the scope of the present disclosure.
As shown in Fig. 1, an embodiment of this specification provides a method for creating an application container. The method may be executed by a K8s management server, which may be a server cluster composed of a plurality of servers and may be used, among other things, to generate target address information that carries the authority to download the image required to create a target application container. The method can be used to receive a first container creation request sent by user equipment, generate target address information that carries the authority to download the image required to create the target application container, and send the target address information to a predetermined node so that the predetermined node creates the target application container. The method specifically comprises the following steps:
In step S102, a first container creation request sent by user equipment is received, where the first container creation request carries the download address information of the image required to create a target application container.
The first container creation request may be a request for creating an application container. Because the image used by the application container has to be pulled while the container is being created, the first container creation request may carry the download address information of the image required to create the target application container. The target application container may be the application container that the user needs to create. An application container may manage code and application programs by virtualizing the operating system, may contain an independent and complete user environment space, and changes inside one application container may not affect the running environment of other application containers. The image may be a declaration or description used to create the target application container; the target application container may be an instance of the image, and the image must be pulled when the target application container is created.
In practice, under the current open-source k8s and docker frameworks, a typical procedure for creating an application container is as follows: the user submits a container creation request to the k8s cluster, and the request contains the download address of the image used to create the container, e.g. docker.io/test/test:1.0. The k8s cluster issues the request to a node, the node downloads docker.io/test/test:1.0 from the image repository, and the node then creates the application container from the downloaded content. While the node downloads the image, on the one hand, because the image stores the user's program data, the user sets the image to private, and only a node that passes authority verification can access it. On the other hand, in a large-scale hybrid cluster it cannot be predicted which images a node will need to access. To solve this problem, the mainstream solution in the industry is to configure a broad ("large") account for the image repository in the .docker/config.json file of each node, and that account can download all the images in the image repository. However, because each node can then download all images in the image repository, an attacker who obtains the authority of a single node can download all images in the image repository, which creates a very large risk of data leakage. A technical solution is therefore needed that reduces the risk of data leakage and ensures that the whole image download process is safe and reliable and that the image cannot be hijacked or tampered with; it is described below.
Specifically, taking a K8s management server as the management server, when a user needs to create a target application container, the user equipment may send a first container creation request to the K8s management server. The first container creation request may carry the download address information of the image required to create the target application container, and the K8s management server receives the first container creation request from the user equipment.
In step S104, a download authority credential for the image required to create the target application container is acquired according to the received first container creation request.
The download authority credential of the image may be a credential that corresponds uniquely to the first container creation request received at the current time, and it may allow the current node to download only the image that corresponds to the download address information carried in the first container creation request. The download authority credential may be generated by encrypting one or more of the image name, the image tag, the image check value, the image user, a timestamp, and the like. The download authority credential may be obtained from an image database (also referred to as an image repository), or may be generated by an image download authority credential generation server. That server is configured to generate the download authority credential corresponding to a specified download address, and the credential can be recognized by the image database.
In an implementation, after the K8s management server receives the first container creation request sent by the user equipment through the processing of S102, it may send the first container creation request to the image database or to the image download authority credential generation server. The image database or the credential generation server then generates, according to the request received from the K8s management server, the download authority credential for the image required to create the target application container, and the K8s management server obtains that credential from the image database or the credential generation server.
In step S106, target address information that carries the authority to download the image required to create the target application container is generated based on the download authority credential and the download address information.
The target address information may be obtained by splicing the download authority credential and the download address information. Specifically, the download authority credential may be spliced into the download address information, so that the resulting target address information carries the authority to download the image required to create the target application container. Alternatively, corresponding parameter information may be derived from the download authority credential and combined with the download address information to generate the target address information. The approach can be chosen according to the actual situation.
In the embodiments of this specification, the download authority credential may be spliced after a parameter name set in the download address information, so that it is spliced into the download address information as the parameter value corresponding to that parameter, or it may be spliced into the download address information in other ways. The position and manner in which the download authority credential is spliced into the download address information are not limited.
In an embodiment, after the K8s management server acquires the download authority credential of the image required to create the target application container through the processing of S104, it may splice the acquired credential into the download address information, thereby generating the target address information that carries the authority to download the image required to create the target application container.
In step S108, the target address information is sent to the predetermined node, so that the predetermined node obtains the image required to create the target application container according to the target address information and creates the target application container from the obtained image.
In an implementation, after the K8s management server generates the target address information through the processing of S106, it may send the target address information to a predetermined node (e.g. node 1). The predetermined node may store the image required for creating the target application container according to the target address information. The image database may store the image required for creating the target application container, and the download authority credential of that image is stored in the image database in advance. When the image database receives a container creation request carrying the target address information from the predetermined node, it may verify the target address information carried in the request. If the verification passes, the image database may return the image corresponding to the target address information to the predetermined node, so that the predetermined node can create the target application container from the obtained image.
As can be seen from the technical solutions provided in the embodiments of this specification, a first container creation request sent by user equipment is received, where the request carries the download address information of the image required to create a target application container. A download authority credential for that image is acquired according to the received request, target address information that carries the authority to download the image is generated based on the download authority credential and the download address information, and the target address information is sent to a predetermined node, so that the predetermined node obtains the image according to the target address information and creates the target application container from it. In this way, each predetermined node can download only the image corresponding to the current first container creation request and cannot download other images, which reduces the risk of data leakage and ensures that the whole image download process is safe and reliable and that the image cannot be hijacked or tampered with.
As shown in Fig. 2, S104 may be carried out in various ways. One optional implementation is given below; see the processing of S1042 to S1044.
In step S1042, the first container creation request is sent to the image database, so that the image database generates, according to the received first container creation request, a download authority credential for the image required to create the target application container.
The image database may also be referred to as an image repository, and may be used to store image data.
In an implementation, after the K8s management server receives the first container creation request sent by the user equipment through the processing of S102, it may send the request to the image database. The image database may then obtain download authority credential generation information according to the download address information, carried in the request, of the image required to create the target application container. The download authority credential generation information includes one or more of the following: the identification of the image (such as the image name docker.io/X/X), the tag of the image (such as 1.0), the check value of the image (such as the hash value of the image), and a timestamp. The image database then splices the elements that make up the download authority credential generation information and encrypts the spliced information together with the secret key of the image repository using an encryption algorithm, thereby generating the download authority credential.
It should be noted that the timestamp may be generated by the image database when it receives the first container creation request sent by the management server. The timestamp may serve as the basis for determining whether the download authority credential of the image is still valid, and invalid download authority credentials may be deleted accordingly. For example, suppose the timestamp in the download authority credential is 10:00 and the image database has preset a validity period for the download authority credentials it stores. If the validity period is 1 hour, then when the image database detects that the current time is 11:01, it may delete the download authority credential whose timestamp is 10:00.
The check value of the image may be a hash value of the image. It can be used to uniquely identify the image corresponding to the current image name and to prevent the image content from being tampered with. The check value may be carried by the user equipment in the first container creation request sent to the management server, or it may be obtained from the image database. In this embodiment, the check value of the image may be carried in the first container creation request when the user sends the request to the K8s management server; that is, the first container creation request carries both the download address information of the image required to create the target application container and the check value of the image. If the user sends a first container creation request to the K8s management server through the user equipment and the request does not carry the check value of the image, then the image database, on receiving the request and detecting that it does not carry the check value, can acquire the content of the image B according to the download address information, carried in the first container creation request, of the image required to create the target application container.
In step S1044, the download authority credential sent by the image database is received.
The specific processing manner of S106 may vary. An optional processing manner is provided below, as shown in fig. 3; see the processing of S1062 below.
In step S1062, according to a first preset splicing rule, the information of the download authority credential and the download address information are spliced to generate the target address information with the authority of downloading the mirror image required for creating the target application container.
The first preset splicing rule may splice the download authority credential after a parameter name set in the download address information, as a parameter value corresponding to the parameter, or splice the download authority credential in the download address information in other manners, for example, the download authority credential may be directly set in a position in front of, behind or in the download address information, etc., where the splicing position and the splicing manner of the download authority credential in the download address information are not limited in this embodiment of the present disclosure.
As can be seen from the technical solutions provided in the embodiments of the present disclosure, a first container creation request sent by a user device is received, where the first container creation request carries download address information of an image required to create a target application container. According to the received first container creation request, a download permission credential of the image required to create the target application container is obtained. Then, based on the download permission credential and the download address information, target address information with permission to download the image required to create the target application container is generated, and the target address information is sent to a predetermined node, so that the predetermined node obtains the image required to create the target application container according to the target address information and creates the target application container according to the obtained image. In this way, because the target address information is generated for the received first container creation request, each predetermined node can only download the image corresponding to the current first container creation request and no other image, thereby reducing the risk of data hijacking and ensuring that the image as a whole cannot be tampered with.
As shown in fig. 4, an embodiment of the present disclosure provides a method for creating an application container. The execution subject of the method may be a server carrying a mirror database, and the server may be a server cluster formed by a plurality of servers. The method may be used for receiving a first container creation request sent by a management server and obtaining, according to the received first container creation request, a download permission credential of the mirror image required to be used for creating a target application container. The method specifically comprises the following steps:
In step S202, a first container creation request sent by the management server is received, where the first container creation request carries download address information of a mirror image that needs to be used for creating a target application container.
For details of this step, see step S102.
In step S204, according to the received first container creation request, a download authority credential of a mirror image to be used for creating a target application container is acquired.
In implementation, after the mirror database receives the first container creation request sent by the management server through the processing of S202, the download permission credential of the mirror needed to create the target application container may be generated according to the received first container creation request, or the mirror database may send the received first container creation request to the mirror download permission credential generating server, so that the mirror download permission credential generating server generates the download permission credential of the mirror needed to create the target application container according to the first container creation request, and returns the generated download permission credential to the mirror database, so that the mirror database obtains the download permission credential of the mirror needed to create the target application container. The image downloading permission credential generating server may be configured to generate, according to the received first container creation request, an image downloading permission credential that is required to be used for creating the target application container.
In step S206, the download authority credential is sent to the management server, so that the management server generates, based on the download authority credential and the download address information, target address information having authority to download the image to be used for creating the target application container, and sends the target address information to the predetermined node, so that the predetermined node obtains the image to be used for creating the target application container according to the target address information, and creates the target application container according to the obtained image.
For details of this step, see steps S106 and S108.
As can be seen from the technical solutions provided in the embodiments of the present disclosure, a first container creation request sent by a management server is received, where the first container creation request carries information about a download address of an image required to create a target application container, and according to the received first container creation request, a download permission credential of the image required to create the target application container is obtained, and then the download permission credential is sent to the management server, so that the management server generates, based on the download permission credential and the download address information, target address information having a permission to download the image required to create the target application container, and sends the target address information to a predetermined node, so that the predetermined node obtains the image required to create the target application container according to the target address information, and creates the target application container according to the obtained image.
As shown in fig. 5, the specific processing manner of S204 may be varied, and an alternative processing manner is provided below, and specific reference may be made to the processing of S2042 to S2044 below.
In step S2042, download right credential generation information is acquired according to the download address information of the image to be used for creating the target application container carried in the first container creation request, where the download right credential generation information includes one or more of the following: the identity of the image, the tag of the image, the check value of the image, and the timestamp.
For details of this step, see step S1042.
It should be noted that, to ensure that the image download link can be traced quickly after an image download permission leaks, the image user identifier in the download authority credential generation information may be a K8s cluster identifier.
In step S2044, the download right credential generation information is encrypted to generate a mirrored download right credential to be used for creating the target application container.
In an implementation, if the download permission credential generation information may include one or more of an identifier of a mirror image, a tag of the mirror image, a check value of the mirror image, a time stamp, and an identifier of a party using the mirror image, the download permission credential generation information may be spliced according to a predetermined sequence when the download permission credential generation information includes a plurality of different information, and then the spliced download permission generation information is encrypted by using a predetermined encryption algorithm to generate the download permission credential of the mirror image required to be used for creating the target application container.
The predetermined splicing order may be a mirror image identifier, a mirror image tag, a mirror image verification value, a timestamp, and a mirror image user identifier, or may be spliced according to an order of the timestamp, the mirror image identifier, the mirror image tag, the mirror image verification value, and the mirror image user identifier, or may be spliced according to an order of the mirror image verification value, the mirror image identifier, the mirror image tag, the timestamp, and the mirror image user identifier, which is not specifically limited in the embodiment of the present disclosure.
The download authority credential generation information includes a plurality of different information, as shown in fig. 6, and the specific processing manner of S2044 may be various, and an optional processing manner is provided below, and in particular, see the following processing from S20442 to S20444.
In step S20442, the download right voucher generation information is spliced according to a second preset splicing rule, so as to generate spliced download right voucher generation information.
The second preset splicing rule may be that a plurality of information contained in the download authority credential generation information is sequenced according to a preset splicing sequence, and then a preset symbol is adopted to splice two pieces of information in the sequenced download authority credential generation information, so as to generate spliced download authority credential generation information, where the preset symbol may be comma, period, question mark, or semicolon, and the embodiment of the present specification does not specifically limit the preset symbol.
In an implementation, for example, the download permission credential generation information may include an identifier of the mirror image, a tag of the mirror image, a check value of the mirror image, a timestamp, and an identifier of a party using the mirror image. If the preset splicing order is the timestamp, the identifier of the mirror image, the tag of the mirror image, the check value of the mirror image, and the identifier of the party using the mirror image, and the predetermined symbol is a semicolon, the generated spliced download permission credential generation information may be: "timestamp; identifier of the mirror image; tag of the mirror image; check value of the mirror image; identifier of the party using the mirror image".
In step S20444, a predetermined encryption algorithm is adopted to encrypt the spliced download authority credential generation information, so as to generate a mirrored download authority credential required for creating a target application container.
The predetermined encryption algorithm may be an AES algorithm. After the mirror database generates the spliced download authority credential generation information through the processing in step S20442, it may apply the predetermined encryption algorithm (such as the AES algorithm) to the spliced download authority credential generation information and the acquired key, so as to generate the download authority credential of the mirror image required for creating the target application container, where the key may be a key in the mirror database.
Furthermore, to relieve the pressure of the data stored in the mirror database, the embodiment of the present disclosure further provides a scheme for automatically cleaning up the download permission credentials generated by the mirror database.
Specifically, the method further includes the following processing; see steps A2 to A4 below.
Step A2: acquire the current time, and judge whether the download authority credential is valid according to the current time and the validity period.
In implementation, the mirror database may determine whether the download authority credential is valid by acquiring the current time and checking the timestamp in the download authority credential. For example, the validity period may be set to one hour. If the current time is detected to be 9:00 and the timestamp in the download authority credential is 8:15, it is determined that the download authority credential has not exceeded the validity period; the download authority credential is valid, and the mirror database retains it.
Step A4: delete the download authority credential if the current time is not within the validity period.
In implementation, for example, if the current time is detected to be 9:00 and the timestamp in the download authority credential is 7:55, it may be determined that the download authority credential has exceeded the validity period; the download authority credential is invalid, and the mirror database deletes it.
Further, to ensure the security of the image downloading process and that the image is not hijacked and tampered with, the method further includes the following processing; see steps B2 to B6 below.
Step B2: receive a second container creation request sent by the predetermined node, where the second container creation request carries target address information.
The predetermined node may be any node, and the predetermined node may be a host machine used for creating a target application container in the K8s cluster, where the host machine may be a physical machine. The target address information may be address information carrying a download authority credential of a mirror image required to be used for creating the target application container.
Step B4: based on the target address information, acquire the download authority credential corresponding to the target address information, and verify the acquired download authority credential.
In an implementation, after the mirror database receives the second container creation request sent by the predetermined node through the processing in step B2, it may detect, based on the target address information carried in the second container creation request, whether a download permission credential (such as a token) exists in the target address information. If the download permission credential exists in the target address information, it may be extracted and verified.
Specifically, verifying the download authority credential may consist of decrypting and checking it. Take as an example the case where, in step S20444, the AES algorithm is applied to the spliced download authority credential generation information and the acquired key to generate the download authority credential of the image required for creating the target application container. The download authority credential may then be decrypted as follows: after the mirror database extracts the download permission credential from the target address information, it may decrypt the credential with a decryption algorithm (such as an AES decryption algorithm) to obtain information such as the image identifier, image tag, timestamp, image check value, and image user identifier. The mirror database then compares this decrypted information with the corresponding information (image identifier, image tag, timestamp, image check value, image user identifier, and the like) in the target address information. If the comparison is consistent, the download authority credential can be determined to be an accurate or genuine download authority credential.
Step B6: if the acquired download authority credential passes verification, send the mirror image corresponding to the target address information to the predetermined node, so that the predetermined node creates the target application container according to the mirror image.
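The credential flow of steps S20442 to S20444, A2 to A4 and B2 to B6, as an added Go example that is not part of the patent text. It assumes AES-GCM as the AES mode (the text names only AES), a `token` query parameter, a download address of the form `https://host/<image>:<tag>` and a constructed key; the type and function names are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// Claims holds the credential generation information listed in the text.
type Claims struct {
	Issued             time.Time // timestamp set by the repository
	Image, Tag, Digest string    // identifier, tag and check value of the image
	User               string    // image user identifier, e.g. a K8s cluster ID
}

const validity = time.Hour // validity period used in the text's examples

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Issue splices the fields with ';' (timestamp first) and encrypts the result.
func Issue(key []byte, c Claims) (string, error) {
	fields := []string{strconv.FormatInt(c.Issued.Unix(), 10), c.Image, c.Tag, c.Digest, c.User}
	plain := strings.Join(fields, ";")
	if strings.Count(plain, ";") != len(fields)-1 { // a ';' inside a field would shift fields
		return "", errors.New("field contains separator")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// The random nonce is stored in front of the ciphertext.
	return base64.RawURLEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(plain), nil)), nil
}

// TargetAddress splices the credential after a parameter name.
// Assumes the download address has no query string of its own.
func TargetAddress(downloadAddr, token string) string {
	return downloadAddr + "?token=" + url.QueryEscape(token)
}

// Verify is the repository-side check of a node's download request.
func Verify(key []byte, targetAddr string, now time.Time) (Claims, error) {
	var c Claims
	u, err := url.Parse(targetAddr)
	if err != nil {
		return c, err
	}
	raw, err := base64.RawURLEncoding.DecodeString(u.Query().Get("token"))
	gcm, gerr := newGCM(key)
	if err != nil || gerr != nil || len(raw) < gcm.NonceSize() {
		return c, errors.New("missing or malformed credential")
	}
	n := gcm.NonceSize()
	plain, err := gcm.Open(nil, raw[:n], raw[n:], nil)
	if err != nil {
		return c, errors.New("credential failed authentication")
	}
	p := strings.Split(string(plain), ";")
	ts, err := strconv.ParseInt(p[0], 10, 64)
	if err != nil || len(p) != 5 {
		return c, errors.New("malformed credential fields")
	}
	c = Claims{Issued: time.Unix(ts, 0), Image: p[1], Tag: p[2], Digest: p[3], User: p[4]}
	// Compare the decrypted fields with the image named in the address itself.
	path := strings.TrimPrefix(u.Path, "/")
	if i := strings.LastIndex(path, ":"); i < 0 || path[:i] != c.Image || path[i+1:] != c.Tag {
		return c, errors.New("credential issued for a different image")
	}
	if now.Before(c.Issued) || now.Sub(c.Issued) > validity {
		return c, errors.New("credential expired")
	}
	return c, nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed demo key
	now := time.Now()
	tok, _ := Issue(key, Claims{Issued: now, Image: "team/app", Tag: "1.0", Digest: "sha256:demo", User: "cluster-a"})
	_, err := Verify(key, TargetAddress("https://registry.example/team/app:1.0", tok), now)
	fmt.Println("verified:", err == nil)
}
```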
As can be seen from the technical solutions provided in the embodiments of the present disclosure, a first container creation request sent by a management server is received, where the first container creation request carries information about a download address of an image required to create a target application container, and according to the received first container creation request, a download permission credential of the image required to create the target application container is obtained, and then the download permission credential is sent to the management server, so that the management server generates, based on the download permission credential and the download address information, target address information having a permission to download the image required to create the target application container, and sends the target address information to a predetermined node, so that the predetermined node obtains the image required to create the target application container according to the target address information, and creates the target application container according to the obtained image.
According to the method for creating an application container provided in the foregoing embodiment, based on the same technical concept, the embodiment of the present invention further provides an apparatus for creating an application container, and fig. 7 is a schematic diagram of a first module composition of the apparatus for creating an application container provided in the embodiment of the present invention, where the apparatus for creating an application container is used to execute the method for creating an application container described in fig. 1 to 3, and as shown in fig. 7, the apparatus for creating an application container includes:
a first receiving module 701, configured to receive a first container creation request sent by a user equipment, where the first container creation request carries download address information of a mirror image that needs to be used for creating a target application container;
a first obtaining module 702, configured to obtain, according to the received first container creation request, a download permission credential of a mirror image that is required to be used for creating a target application container;
a generating module 703, configured to generate, based on the download permission credential and the download address information, target address information having permission to download a mirror image that is required to be used for creating a target application container;
and a first sending module 704, configured to send the target address information to a predetermined node, so that the predetermined node obtains a mirror image required to be used for creating a target application container according to the target address information, and creates the target application container according to the obtained mirror image.
Optionally, the first obtaining module 702 includes:
the sending unit is used for sending the first container creation request to a mirror image database so that the mirror image database generates a mirror image downloading authority certificate which is required to be used for creating a target application container according to the received first container creation request;
and the receiving unit is used for receiving the downloading permission certificate sent by the mirror database.
Optionally, the generating module 703 is configured to:
and according to a first preset splicing rule, splicing the information of the downloading authority certificate and the downloading address information to generate target address information with the authority of downloading and creating the mirror image required by the target application container.
As can be seen from the technical solutions provided in the embodiments of the present disclosure, a first container creation request sent by a user device is received, where the first container creation request carries download address information of an image required to create a target application container. According to the received first container creation request, a download permission credential of the image required to create the target application container is obtained. Then, based on the download permission credential and the download address information, target address information with permission to download the image required to create the target application container is generated, and the target address information is sent to a predetermined node, so that the predetermined node obtains the image required to create the target application container according to the target address information and creates the target application container according to the obtained image. In this way, because the target address information is generated for the received first container creation request, each predetermined node can only download the image corresponding to the current first container creation request and no other image, thereby reducing the risk of data hijacking and ensuring that the image as a whole cannot be tampered with.
The device for creating an application container provided in the embodiments of the present disclosure can implement each process in the embodiments corresponding to the method for creating an application container, and in order to avoid repetition, a description is omitted here.
It should be noted that, the apparatus for creating an application container provided in the embodiment of the present disclosure and the method for creating an application container provided in the embodiment of the present disclosure are based on the same inventive concept, so that the specific implementation of this embodiment may refer to the implementation of the foregoing method for creating an application container, and the repetition is omitted.
According to the method for creating an application container provided by the foregoing embodiment, based on the same technical concept, the embodiment of the present invention further provides an apparatus for creating an application container, and fig. 8 is a schematic diagram of a second module composition of the apparatus for creating an application container provided by the embodiment of the present invention, where the apparatus for creating an application container is used to execute the method for creating an application container described in fig. 4 to 6, and as shown in fig. 8, the apparatus for creating an application container includes:
a second receiving module 801, configured to receive a first container creation request sent by a management server, where the first container creation request carries download address information of a mirror image that needs to be used for creating a target application container;
a second obtaining module 802, configured to obtain, according to the received first container creation request, a download permission credential of a mirror image that is required to be used for creating a target application container;
and a second sending module 803, configured to send the download permission credential to a management server, so that the management server generates, based on the download permission credential and the download address information, target address information having a right to download a mirror image required to be used for creating a target application container, and sends the target address information to a predetermined node, so that the predetermined node obtains the mirror image required to be used for creating the target application container according to the target address information, and creates the target application container according to the obtained mirror image.
Optionally, the second obtaining module 802 includes:
the obtaining unit is configured to obtain the download permission credential generation information according to the download address information of the image required to be used for creating the target application container, where the download permission credential generation information is carried in the first container creation request, and the download permission credential generation information includes one or more of the following: the identification of the mirror image, the label of the mirror image, the check value of the mirror image and the time stamp;
and the generation unit is used for carrying out encryption processing on the download permission credential generation information and generating a mirrored download permission credential required to be used for creating the target application container.
Optionally, the download authority credential generation information includes a plurality of different information, and the generation unit is configured to:
according to a second preset splicing rule, splicing the download right voucher generation information to generate spliced download right voucher generation information;
and adopting a preset encryption algorithm to encrypt the spliced download authority credential generation information to generate a mirrored download authority credential required to be used for creating a target application container.
Optionally, the download authority credential corresponds to a validity period, and the apparatus further includes:
the third acquisition module is used for acquiring the current time and judging whether the downloading right certificate is valid or not according to the current time and the valid period;
and the deleting module is used for deleting the downloading permission certificate if the current time is not within the valid period.
Optionally, the apparatus further comprises:
the third receiving module is used for receiving a second container creation request sent by a preset node, wherein the second container creation request carries target address information;
the fourth acquisition module is used for acquiring the downloading right certificate corresponding to the target address information based on the target address information and verifying the acquired downloading right certificate;
and the third sending module is used for sending the mirror image corresponding to the target address information to the preset node if the verification of the obtained downloading right certificate is passed, so that the preset node creates a target application container according to the mirror image.
As can be seen from the technical solutions provided in the embodiments of the present disclosure, a first container creation request sent by a management server is received, where the first container creation request carries information about a download address of an image required to create a target application container, and according to the received first container creation request, a download permission credential of the image required to create the target application container is obtained, and then the download permission credential is sent to the management server, so that the management server generates, based on the download permission credential and the download address information, target address information having a permission to download the image required to create the target application container, and sends the target address information to a predetermined node, so that the predetermined node obtains the image required to create the target application container according to the target address information, and creates the target application container according to the obtained image.
The device for creating an application container provided in the embodiments of the present disclosure can implement each process in the embodiments corresponding to the method for creating an application container, and in order to avoid repetition, a description is omitted here.
It should be noted that, the apparatus for creating an application container provided in the embodiment of the present disclosure and the method for creating an application container provided in the embodiment of the present disclosure are based on the same inventive concept, so that the specific implementation of this embodiment may refer to the implementation of the foregoing method for creating an application container, and the repetition is omitted.
The embodiment of the invention also provides a device for creating the application container, which is shown in fig. 9, based on the same technical concept. Fig. 9 is a schematic hardware structure of an application container creation device provided by an embodiment of the present invention, where the application container creation device is configured to execute the application container creation method described in fig. 1 to 3, and the application container creation device may be a K8s management server provided by the foregoing embodiment.
The creation device of the application container may have a relatively large difference due to different configurations or performances, and may include one or more processors 901 and a memory 902, where the memory 902 may store one or more stored applications or data. Wherein the memory 902 may be transient storage or persistent storage. The application programs stored in the memory 902 may include one or more modules (not shown), each of which may include a series of computer-executable instructions in the device for distributing tasks. Still further, the processor 901 may be arranged to communicate with the memory 902 to execute a series of computer executable instructions in the memory 902 on the creation device of the application container. The creation device of the application container may also include one or more power supplies 903, one or more wired or wireless network interfaces 904, one or more input output interfaces 905, and one or more keyboards 906.
In particular, in this embodiment, the creation device of the application container includes a memory, and one or more programs, where the one or more programs are stored in the memory, and the one or more programs may include one or more modules, and each module may include a series of computer executable instructions in the distribution device of the task, and executing the one or more programs by the one or more processors includes computer executable instructions for:
receiving a first container creation request sent by user equipment, wherein the first container creation request carries the download address information of a mirror image required to be used for creating a target application container;
acquiring a downloading authority certificate of a mirror image required to be used for creating a target application container according to the received first container creation request;
generating target address information with the authority to download the mirror image required to be used for creating the target application container based on the download authority credential and the download address information;
and sending the target address information to a preset node so that the preset node obtains a mirror image required to be used for creating a target application container according to the target address information, and creating the target application container according to the obtained mirror image.
Optionally, the obtaining, according to the received first container creation request, a download permission credential of a mirror image required to be used for creating a target application container includes:
sending the first container creation request to a mirror database, so that the mirror database generates a mirror downloading authority certificate required to be used for creating a target application container according to the received first container creation request;
and receiving the downloading permission certificate sent by the mirror database.
Optionally, the generating, based on the download authority credential and the download address information, target address information having authority to download a mirror image required to be used for creating a target application container includes:
and according to a first preset splicing rule, splicing the information of the downloading authority certificate and the downloading address information to generate target address information with the authority of downloading and creating the mirror image required by the target application container.
As can be seen from the technical solutions provided in the embodiments of the present disclosure, a first container creation request sent by a user device is received, where the first container creation request carries download address information of an image required to create a target application container. According to the received first container creation request, a download permission credential of the image required to create the target application container is obtained. Then, based on the download permission credential and the download address information, target address information with permission to download the image required to create the target application container is generated, and the target address information is sent to a predetermined node, so that the predetermined node obtains the image required to create the target application container according to the target address information and creates the target application container according to the obtained image. Because the target address information is generated for the received first container creation request, each predetermined node can download only the image corresponding to the current first container creation request and no other image, thereby reducing the risk of data hijacking and ensuring that the whole image cannot be tampered with.
It should be noted that, the application container creation device provided in the embodiment of the present disclosure may implement each process implemented by the application container creation device in the embodiment of the application container creation method, and in order to avoid repetition, a description is omitted here.
Based on the same technical concept and corresponding to the application container creation method provided in the foregoing embodiment, the embodiment of the present invention further provides an application container creation device, as shown in Fig. 10. Fig. 10 is a schematic hardware structure of an apparatus for creating an application container according to an embodiment of the present invention, where the apparatus for creating an application container is used to perform the method for creating an application container described in Figs. 4 to 6, and the apparatus for creating an application container may be the data storage server provided in the foregoing embodiment, and the data storage server may be a server for carrying a mirror database (such as a mirror repository).
The creation device of the application container may have a relatively large difference due to different configurations or performances, and may include one or more processors 1001 and a memory 1002, where the memory 1002 may store one or more application programs or data. Wherein the memory 1002 may be transient storage or persistent storage. The application programs stored in the memory 1002 may include one or more modules (not shown), each of which may include a series of computer-executable instructions in the distribution device for the tasks. Still further, the processor 1001 may be configured to communicate with the memory 1002 to execute a series of computer executable instructions in the memory 1002 on the creation device of the application container. The creation device of the application container may also include one or more power supplies 1003, one or more wired or wireless network interfaces 1004, one or more input/output interfaces 1005, and one or more keyboards 1006.
In particular, in this embodiment, the creation device of the application container includes a memory, and one or more programs, where the one or more programs are stored in the memory, and the one or more programs may include one or more modules, and each module may include a series of computer executable instructions in the distribution device of the task, and executing the one or more programs by the one or more processors includes computer executable instructions for:
receiving a first container creation request sent by a management server, wherein the first container creation request carries the download address information of a mirror image required to be used for creating a target application container;
acquiring a downloading authority certificate of a mirror image required to be used for creating a target application container according to the received first container creation request;
and sending the downloading permission certificate to a management server so that the management server generates target address information with permission of downloading and creating the mirror image required by the target application container based on the downloading permission certificate and the downloading address information, and sending the target address information to a preset node so that the preset node acquires the mirror image required by the target application container to be created according to the target address information, and creates the target application container according to the acquired mirror image.
Optionally, the obtaining, according to the received first container creation request, a download permission credential of a mirror image required to be used for creating a target application container includes:
obtaining the download permission credential generation information according to the download address information of the mirror image required to be used for creating the target application container, which is carried in the first container creation request, wherein the download permission credential generation information comprises one or more of the following: the identification of the mirror image, the label of the mirror image, the check value of the mirror image and the time stamp;
and encrypting the download permission credential generation information to generate the download permission credential of the mirror image required to be used for creating the target application container.
Optionally, the download permission credential generation information includes a plurality of different information, and the encrypting the download permission credential generation information generates a mirrored download permission credential required for creating the target application container, including:
according to a second preset splicing rule, splicing the download right voucher generation information to generate spliced download right voucher generation information;
and adopting a preset encryption algorithm to encrypt the spliced download permission credential generation information to generate the download permission credential of the mirror image required to be used for creating the target application container.
Optionally, the download right credential corresponds to a valid period, and the method further includes:
acquiring current time, and judging whether the downloading right certificate is valid or not according to the current time and the valid period;
and if the current time is not within the valid period, deleting the downloading permission certificate.
Optionally, the method further comprises:
receiving a second container creation request sent by a preset node, wherein the second container creation request carries target address information;
based on the target address information, acquiring the downloading right certificate corresponding to the target address information, and verifying the acquired downloading right certificate;
and if the acquired download authority credentials pass the verification, sending the mirror image corresponding to the target address information to the preset node so that the preset node creates a target application container according to the mirror image.
As can be seen from the technical solutions provided in the embodiments of the present disclosure, a first container creation request sent by a management server is received, where the first container creation request carries information about a download address of an image required to create a target application container, and according to the received first container creation request, a download permission credential of the image required to create the target application container is obtained, and then the download permission credential is sent to the management server, so that the management server generates, based on the download permission credential and the download address information, target address information having a permission to download the image required to create the target application container, and sends the target address information to a predetermined node, so that the predetermined node obtains the image required to create the target application container according to the target address information, and creates the target application container according to the obtained image.
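A sketch of the credential life cycle described above (issue, splice into the download address, enforce the validity period, verify the node's request), added here as an illustration and not taken from the patent. The patent leaves both splicing rules and the "preset encryption algorithm" unspecified; this example assumes newline-joined fields, HMAC-SHA256 as the keyed transform in place of encryption, a `credential` query parameter, and constructed keys, URLs and digests.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

REGISTRY_KEY = b"constructed-demo-key"  # assumption: secret known only to the mirror database
VALIDITY_SECONDS = 300                  # assumption: length of the validity period
FIELD_SEP = "\n"                        # assumption: the "second preset splicing rule"
CRED_PARAM = "credential"               # assumption: the "first preset splicing rule"

# Constructed sample values, not from the patent.
DOWNLOAD_URL = "https://registry.example.internal/v2/payments/api/manifests/1.4.2"
IMAGE_DIGEST = "sha256:" + "ab" * 32


class ImageRegistry:
    """Mirror-database side: issues, expires and verifies download credentials."""

    def __init__(self, key=REGISTRY_KEY, ttl=VALIDITY_SECONDS):
        self._key = key
        self._ttl = ttl
        self._issued = {}  # credential -> (image path it is bound to, expiry time)

    def issue_credential(self, download_url, image_id, tag, digest, now):
        # Credential generation information: image id, tag, check value, timestamp.
        spliced = FIELD_SEP.join([image_id, tag, digest, str(int(now))])
        cred = hmac.new(self._key, spliced.encode(), hashlib.sha256).hexdigest()
        # Bind the credential to one image path so it cannot unlock another image.
        self._issued[cred] = (urlsplit(download_url).path, now + self._ttl)
        return cred

    def purge_expired(self, now):
        # Delete every credential whose validity period has passed.
        expired = [c for c, (_, exp) in self._issued.items() if now > exp]
        for c in expired:
            del self._issued[c]
        return len(expired)

    def outstanding(self):
        return len(self._issued)

    def verify_target_address(self, target_url, now):
        # Second container creation request: the node presents the target address.
        parts = urlsplit(target_url)
        presented = parse_qs(parts.query).get(CRED_PARAM, [])
        if len(presented) != 1:
            return False, "missing or duplicated credential"
        self.purge_expired(now)
        token = presented[0].encode()
        match = next(
            (c for c in self._issued if hmac.compare_digest(c.encode(), token)),
            None,
        )
        if match is None:
            return False, "unknown or expired credential"
        bound_path, _ = self._issued[match]
        if parts.path != bound_path:
            return False, "credential not valid for this image"
        return True, "ok"


def build_target_address(download_url, credential):
    """Management-server side: splice the credential into the download address."""
    parts = urlsplit(download_url)
    extra = urlencode({CRED_PARAM: credential})
    query = parts.query + "&" + extra if parts.query else extra
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def demo():
    registry = ImageRegistry()
    cred = registry.issue_credential(
        DOWNLOAD_URL, "payments/api", "1.4.2", IMAGE_DIGEST, now=1000
    )
    target = build_target_address(DOWNLOAD_URL, cred)
    return {
        "in_window": registry.verify_target_address(target, now=1100),
        "other_image": registry.verify_target_address(
            target.replace("payments/api", "payments/admin"), now=1100
        ),
        "no_credential": registry.verify_target_address(DOWNLOAD_URL, now=1100),
        "after_expiry": registry.verify_target_address(target, now=1301),
        "left_in_store": registry.outstanding(),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The path binding is what limits a node to the one image named in the creation request; the validity check only bounds how long a leaked target address remains usable.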
The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
In the 1990s, an improvement to a technology could clearly be distinguished as an improvement in hardware (e.g., improvements to circuit structures such as diodes, transistors, switches, etc.) or an improvement in software (improvements to the process flow). However, with the development of technology, many improvements of the current method flows can be regarded as direct improvements of hardware circuit structures. Designers almost always obtain corresponding hardware circuit structures by programming improved method flows into hardware circuits. Therefore, it cannot be said that an improvement of a method flow cannot be realized by a hardware entity module. For example, a programmable logic device (Programmable Logic Device, PLD) (e.g., a field programmable gate array (Field Programmable Gate Array, FPGA)) is an integrated circuit whose logic function is determined by the user's programming of the device. A designer programs to "integrate" a digital system onto a PLD without requiring the chip manufacturer to design and fabricate application-specific integrated circuit chips. Moreover, nowadays, instead of manually manufacturing integrated circuit chips, such programming is mostly implemented by using "logic compiler" software, which is similar to the software compiler used in program development and writing, and the original code before compiling is also written in a specific programming language, which is called a hardware description language (Hardware Description Language, HDL). There is not just one HDL but many kinds, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM, RHDL (Ruby Hardware Description Language), etc.; VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog are currently the most commonly used.
It will also be apparent to those skilled in the art that a hardware circuit implementing the logic method flow can be readily obtained by merely slightly programming the method flow into an integrated circuit using several of the hardware description languages described above.
The controller may be implemented in any suitable manner. For example, the controller may take the form of a microprocessor or processor and a computer readable medium storing computer readable program code (e.g., software or firmware) executable by the (micro)processor, logic gates, switches, application specific integrated circuits (Application Specific Integrated Circuit, ASIC), programmable logic controllers, and embedded microcontrollers. Examples of controllers include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20, and Silicon Labs C8051F320. The memory controller may also be implemented as part of the control logic of the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller purely in computer readable program code, it is entirely possible to implement the same functionality by logically programming the method steps such that the controller is in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers, etc. Such a controller may thus be regarded as a kind of hardware component, and means for performing various functions included therein may also be regarded as structures within the hardware component. Or even means for achieving the various functions may be regarded as either software modules implementing the methods or structures within hardware components.
The system, apparatus, module or unit set forth in the above embodiments may be implemented in particular by a computer chip or entity, or by a product having a certain function. One typical implementation is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being functionally divided into various units, respectively. Of course, the functionality of the units may be implemented in one or more software and/or hardware when implementing one or more embodiments of the present description.
It will be appreciated by those skilled in the art that embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, one or more embodiments of the present description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Moreover, one or more embodiments of the present description can take the form of a computer program product on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
Embodiments of the present description are described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the specification. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM), and/or nonvolatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of computer-readable media.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by a computing device. Computer-readable media, as defined herein, does not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.
One or more embodiments of the present specification may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. One or more embodiments of the present description may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
In this specification, each embodiment is described in a progressive manner; identical and similar parts of the embodiments may be referred to each other, and each embodiment mainly describes its differences from the other embodiments. In particular, since the system embodiments are substantially similar to the method embodiments, their description is relatively simple; for relevant parts, see the description of the method embodiments.
The foregoing is merely exemplary of the present disclosure and is not intended to limit the disclosure. Various modifications and alterations to this specification will become apparent to those skilled in the art. Any modifications, equivalent substitutions, improvements, or the like, which are within the spirit and principles of the present description, are intended to be included within the scope of the claims of the present description.

Claims (12)

1. A method of creating an application container, the method comprising:
receiving a first container creation request sent by user equipment, wherein the first container creation request carries download address information of an image required to be used for creating a target application container, the target application container manages codes and application programs in a virtualized operating system mode, the target application container contains an exclusive complete user environment space, the running environment of other application containers is not affected by the change in the target application container, the image is a statement for creating the target application container, and the target application container is an instance of the image;
acquiring a downloading authority certificate of a mirror image required to be used for creating a target application container according to the received first container creation request;
generating target address information with the authority to download the mirror image required to be used for creating the target application container based on the download authority credential and the download address information;
and sending the target address information to a preset node so that the preset node obtains a mirror image required to be used for creating a target application container according to the target address information, and creating the target application container according to the obtained mirror image.
2. The method of claim 1, the obtaining, according to the received first container creation request, a download right credential of a mirror image to be used for creating a target application container, including:
sending the first container creation request to a mirror database, so that the mirror database generates a mirror downloading authority certificate required to be used for creating a target application container according to the received first container creation request;
and receiving the downloading permission certificate sent by the mirror database.
3. The method of claim 1, the generating, based on the download right credential and the download address information, target address information having a right to download a mirror image to be used for creating a target application container, comprising:
and according to a first preset splicing rule, splicing the information of the downloading authority certificate and the downloading address information to generate target address information with the authority of downloading and creating the mirror image required by the target application container.
4. A method of creating an application container, the method comprising:
receiving a first container creation request sent by a management server, wherein the first container creation request carries download address information of an image required to be used for creating a target application container, the target application container manages codes and application programs in a virtualized operating system mode, the target application container contains an exclusive complete user environment space, the running environment of other application containers is not affected by the change in the target application container, the image is a statement for creating the target application container, and the target application container is an instance of the image;
acquiring a downloading authority certificate of a mirror image required to be used for creating a target application container according to the received first container creation request;
and sending the downloading permission certificate to a management server so that the management server generates target address information with permission of downloading and creating the mirror image required by the target application container based on the downloading permission certificate and the downloading address information, and sending the target address information to a preset node so that the preset node acquires the mirror image required by the target application container to be created according to the target address information, and creates the target application container according to the acquired mirror image.
5. The method of claim 4, the obtaining, according to the received first container creation request, a download right credential of a mirror image to be used for creating a target application container, including:
obtaining the download permission credential generation information according to the download address information of the mirror image required to be used for creating the target application container, which is carried in the first container creation request, wherein the download permission credential generation information comprises one or more of the following: the identification of the mirror image, the label of the mirror image, the check value of the mirror image and the time stamp;
and encrypting the download permission credential generation information to generate the download permission credential of the mirror image required to be used for creating the target application container.
6. The method according to claim 5, wherein the download right credential generation information includes a plurality of different information, the encrypting the download right credential generation information generates a download right credential of a mirror image to be used for creating the target application container, including:
according to a second preset splicing rule, splicing the download right voucher generation information to generate spliced download right voucher generation information;
and adopting a preset encryption algorithm to encrypt the spliced download authority credential generation information to generate a mirrored download authority credential required to be used for creating a target application container.
7. The method of claim 5, the download right credential corresponding to a validity period, the method further comprising:
acquiring current time, and judging whether the downloading right certificate is valid or not according to the current time and the valid period;
and if the current time is not within the valid period, deleting the downloading permission certificate.
8. The method of claim 7, the method further comprising:
receiving a second container creation request sent by a preset node, wherein the second container creation request carries target address information;
based on the target address information, acquiring the downloading right certificate corresponding to the target address information, and verifying the acquired downloading right certificate;
and if the acquired download authority credentials pass the verification, sending the mirror image corresponding to the target address information to the preset node so that the preset node creates a target application container according to the mirror image.
9. An application container creation apparatus, the apparatus comprising:
the first receiving module is used for receiving a first container creation request sent by user equipment, wherein the first container creation request carries download address information of a mirror image required to be used for creating a target application container, the target application container manages codes and application programs in a virtualized operating system mode, the target application container contains an exclusive complete user environment space, the running environment of other application containers is not affected by the change in the target application container, the mirror image is a statement for creating the target application container, and the target application container is an instance of the mirror image;
the first acquisition module is used for acquiring a downloading authority certificate of a mirror image required to be used for creating a target application container according to the received first container creation request;
the generation module is used for generating target address information with the authority of downloading the mirror image required to be used for creating the target application container based on the downloading authority certificate and the downloading address information;
and the first sending module is used for sending the target address information to a preset node so that the preset node can acquire a mirror image required to be used for creating a target application container according to the target address information, and the target application container is created according to the acquired mirror image.
10. An application container creation apparatus, the apparatus comprising:
a second receiving module, configured to receive a first container creation request sent by a management server, wherein the first container creation request carries download address information of an image required for creating a target application container, the target application container manages code and application programs by means of operating-system virtualization, the target application container contains an exclusive, complete user environment space, changes within the target application container do not affect the running environment of other application containers, the image is a statement for creating the target application container, and the target application container is an instance of the image;
a second acquisition module, configured to acquire, according to the received first container creation request, a download authority credential for the image required for creating the target application container;
and a second sending module, configured to send the download authority credential to the management server, so that the management server generates, based on the download authority credential and the download address information, target address information that carries the authority to download the image required for creating the target application container, and sends the target address information to a preset node, so that the preset node acquires the image required for creating the target application container according to the target address information and creates the target application container according to the acquired image.
11. A creation apparatus of an application container, the creation apparatus of an application container comprising:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to:
receiving a first container creation request sent by user equipment, wherein the first container creation request carries download address information of an image required for creating a target application container, the target application container manages code and application programs by means of operating-system virtualization, the target application container contains an exclusive, complete user environment space, changes within the target application container do not affect the running environment of other application containers, the image is a statement or description for creating the target application container, and the target application container is an instance of the image;
acquiring, according to the received first container creation request, a download authority credential for the image required for creating the target application container;
generating, based on the download authority credential and the download address information, target address information that carries the authority to download the image required for creating the target application container;
and sending the target address information to a preset node, so that the preset node acquires the image required for creating the target application container according to the target address information and creates the target application container according to the acquired image.
12. A creation apparatus of an application container, the creation apparatus of an application container comprising:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to:
receiving a first container creation request sent by a management server, wherein the first container creation request carries download address information of an image required for creating a target application container, the target application container manages code and application programs by means of operating-system virtualization, the target application container contains an exclusive, complete user environment space, changes within the target application container do not affect the running environment of other application containers, the image is a statement for creating the target application container, and the target application container is an instance of the image;
acquiring, according to the received first container creation request, a download authority credential for the image required for creating the target application container;
and sending the download authority credential to the management server, so that the management server generates, based on the download authority credential and the download address information, target address information that carries the authority to download the image required for creating the target application container, and sends the target address information to a preset node, so that the preset node acquires the image required for creating the target application container according to the target address information and creates the target application container according to the acquired image.
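The flow in claims 9 to 12, sketched as an added illustration that is not part of the patent text: a credential is issued for one image, the management server folds it into the target address, and the image store verifies it before serving. The HMAC-signed query string, the expiry window, the key and the registry URL used with it are assumptions; the claims do not specify how the credential is encoded or verified.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed demo key, known only to the credential issuer and the image store.
STORE_KEY = b"constructed-demo-key-not-a-real-secret"


def _sign(path: str, expires: int) -> str:
    """MAC binding the credential to one image path and one expiry time."""
    mac = hmac.new(STORE_KEY, f"{path}\n{expires}".encode(), hashlib.sha256)
    return base64.urlsafe_b64encode(mac.digest()).rstrip(b"=").decode()


def issue_credential(download_address: str, now: int, ttl: int = 300) -> dict:
    """Credential issuer: download credential scoped to the requested image."""
    expires = now + ttl
    return {"expires": expires, "sig": _sign(urlsplit(download_address).path, expires)}


def build_target_address(download_address: str, credential: dict) -> str:
    """Management server: download address + credential -> target address."""
    p = urlsplit(download_address)
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(credential), ""))


def verify_target_address(target_address: str, now: int) -> bool:
    """Image store: check the credential carried in the address before serving."""
    p = urlsplit(target_address)
    q = parse_qs(p.query)
    try:
        expires, sig = int(q["expires"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return False  # credential missing or malformed
    if now > expires:
        return False  # credential expired
    return hmac.compare_digest(sig.encode(), _sign(p.path, expires).encode())
```

Because the credential is bound to the image path and an expiry, the preset node receives only a scoped, short-lived address rather than a reusable registry secret.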
CN202310185265.2A 2020-06-18 2020-06-18 Application container creation method, device and equipment Pending CN116167044A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310185265.2A CN116167044A (en) 2020-06-18 2020-06-18 Application container creation method, device and equipment

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202310185265.2A CN116167044A (en) 2020-06-18 2020-06-18 Application container creation method, device and equipment
CN202010561376.5A CN111753291B (en) 2020-06-18 2020-06-18 Application container creating method, device and equipment

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN202010561376.5A Division CN111753291B (en) 2020-06-18 2020-06-18 Application container creating method, device and equipment

Publications (1)

Publication Number Publication Date
CN116167044A true CN116167044A (en) 2023-05-26

Family

ID=72675598

Family Applications (2)

Application Number Title Priority Date Filing Date
CN202310185265.2A Pending CN116167044A (en) 2020-06-18 2020-06-18 Application container creation method, device and equipment
CN202010561376.5A Active CN111753291B (en) 2020-06-18 2020-06-18 Application container creating method, device and equipment

Family Applications After (1)

Application Number Title Priority Date Filing Date
CN202010561376.5A Active CN111753291B (en) 2020-06-18 2020-06-18 Application container creating method, device and equipment

Country Status (1)

Country Link
CN (2) CN116167044A (en)

Also Published As

Publication number Publication date
CN111753291A (en) 2020-10-09
CN111753291B (en) 2023-03-10


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination