CN117215713A - Method, device, equipment and storage medium for executing instruction information through container


Info

Publication number
CN117215713A
Authority
CN
China
Prior art keywords
instruction information
container
target
information
result
Prior art date
Legal status
Pending
Application number
CN202310101962.5A
Other languages
Chinese (zh)
Inventor
安新海
许振文
袁帅
伍宏先
刘潇
田琳
Current Assignee
Shenzhen Tencent Domain Computer Network Co Ltd
Original Assignee
Shenzhen Tencent Domain Computer Network Co Ltd


Abstract

The invention provides a method, a device, electronic equipment and a medium for executing instruction information through a container. The method comprises the following steps: authenticating a target object according to identification information; when the authentication of the target object is passed, logging in to a target container through a container cluster management system and receiving instruction information through the target container; performing double detection on the security of the instruction information to obtain a security detection result of the instruction information; and processing the instruction information according to the security detection result to obtain an execution result of the instruction information. In this way a user can log in to the container quickly and safely without providing other credential information, so that logging in to the container is simpler and safer, and after login the instruction information input by the user is identified so that instruction information with a high risk level can be intercepted, which improves the security of the system during remote operation.

Description

Method, device, equipment and storage medium for executing instruction information through container
Technical Field
The present invention relates to a technique for processing information in a container, and more particularly, to a method, apparatus, system, device, and storage medium for executing instruction information in a container.
Background
In the related art, a cloud-native micro-service development platform provides management capability over the full life cycle of micro-services, with built-in, highly optimized compilation and build, container deployment, service discovery, automatic capacity expansion, monitoring and alarming, and other capabilities. Through container orchestration management based on a Kubernetes system at the abstracted bottom layer, traffic management by Envoy, and metrics collection and monitoring by Prometheus, the service has a deployment architecture that is consistent across regions and across cloud vendors. However, whether remote login uses the ssh protocol of the Linux system, or the user logs in to the host directly and then enters the container with a docker exec command, the security of the remote login and the security of executing instruction information are difficult to guarantee.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method, an apparatus, an electronic device, and a storage medium for executing instruction information through a container, which can enable a user to log in to the container quickly and safely, without requiring the user to provide other credential information, so that the user can log in to the container more simply and safely, and at the same time, after logging in to the container, identify instruction information input by the user, so as to intercept instruction information with a high risk level, and improve security of a system during remote operation.
The technical scheme of the embodiment of the invention is realized as follows:
the embodiment of the invention provides a method for executing instruction information through a container, which comprises the following steps:
acquiring identification information of a target container input by a target object;
authenticating the target object according to the identification information;
logging in the target container through a container cluster management system when the authentication of the target object is passed;
receiving instruction information through the target container;
double detection is carried out on the safety of the instruction information, and a safety detection result of the instruction information is obtained;
and processing the instruction information according to the security detection result to obtain an execution result of the instruction information.
The embodiment of the invention also provides a device for executing instruction information through the container, which comprises:
an information transmission module for acquiring the identification information of the target container input by the target object;
The information processing module is used for authenticating the target object according to the identification information;
the information processing module is used for logging in the target container through the container cluster management system when the authentication of the target object is passed;
The information processing module is used for receiving instruction information through the target container;
the information processing module is used for carrying out double detection on the safety of the instruction information to obtain a safety detection result of the instruction information;
and the information processing module is used for processing the instruction information according to the security detection result to obtain an execution result of the instruction information.
In the above scheme,
the information processing module is used for detecting the uniqueness of the target container according to the identification information;
the information processing module is used for determining a corresponding controller of the target container when the target container is determined to be unique;
and the information processing module is used for authenticating the target object according to the user list of the controller to obtain an authentication result of the target object.
In the above scheme,
the information processing module is used for determining a login interface corresponding to the target container in the container cluster management system when the authentication of the target object is passed;
the information processing module is used for accessing the login interface through a container cluster management system;
The information processing module is used for logging in the target container through the login interface.
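The login steps above (uniqueness detection, controller lookup, user-list authentication, then opening the login interface through the cluster management system), as an added example over a constructed in-memory inventory; this is not the patent's own code, and the container names, controller names, user lists and the use of `kubectl exec` as the login interface are assumptions.

```python
"""Login step: the target object types only the container's identification
information; the platform checks uniqueness, resolves the owning controller,
checks the controller's user list and only then opens the login interface.
Inventory below is constructed for the example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Container:
    name: str        # identification information the target object types in
    namespace: str
    pod: str
    controller: str  # workload (e.g. a Deployment) that owns the pod


@dataclass(frozen=True)
class Controller:
    name: str
    users: List[str]  # user list maintained on the controller


# Constructed inventory standing in for what the platform would read from the
# cluster API; all names are assumptions.
CONTROLLERS: Dict[str, Controller] = {
    "game-gateway": Controller("game-gateway", ["alice", "bob"]),
    "match-service": Controller("match-service", ["carol"]),
}
CONTAINERS: List[Container] = [
    Container("gateway", "prod", "game-gateway-7c9d-x1k2", "game-gateway"),
    Container("matcher", "prod", "match-service-5f6a-q8w3", "match-service"),
    # the same container name deployed twice: not unique, so login is refused
    Container("sidecar", "prod", "game-gateway-7c9d-x1k2", "game-gateway"),
    Container("sidecar", "prod", "match-service-5f6a-q8w3", "match-service"),
]


@dataclass
class AuthResult:
    passed: bool
    reason: str
    login_interface: Optional[List[str]] = None  # argv of the exec entry point


def detect_uniqueness(identification: str) -> Tuple[Optional[Container], str]:
    """Uniqueness detection: exactly one container in the cluster may carry
    the identification information, otherwise no login target is chosen."""
    matches = [c for c in CONTAINERS if c.name == identification]
    if not matches:
        return None, "no container matches the identification information"
    if len(matches) > 1:
        return None, "identification information is not unique (%d matches)" % len(matches)
    return matches[0], "unique"


def authenticate(user: str, identification: str) -> AuthResult:
    """Authenticate the target object against the user list of the controller
    that owns the (unique) target container."""
    container, reason = detect_uniqueness(identification)
    if container is None:
        return AuthResult(False, reason)
    controller = CONTROLLERS[container.controller]
    if user not in controller.users:
        return AuthResult(False, "user not in the user list of controller '%s'" % controller.name)
    # Login interface of the cluster management system for this container.
    # The platform invokes it with its own cluster credentials; the user never
    # presents cluster credentials or types the pod name.
    interface = ["kubectl", "exec", "-n", container.namespace, "-it",
                 container.pod, "-c", container.name, "--", "/bin/sh"]
    return AuthResult(True, "authentication passed", interface)


if __name__ == "__main__":
    for user, ident in [("alice", "gateway"), ("alice", "matcher"),
                        ("bob", "sidecar"), ("carol", "nosuch")]:
        r = authenticate(user, ident)
        print(user, ident, "->", r.passed, r.reason)
```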
In the above scheme,
the information processing module is used for carrying out regular matching on the instruction information to obtain a regular matching result;
and the information processing module is used for carrying out artificial intelligent recognition on the regular matching result to obtain a security detection result of the instruction information.
In the above scheme,
the information processing module is configured to obtain a regular matching rule of the regular matching, where the regular matching rule includes at least one of the following:
selecting fully read-only commands, eliminating dangerous commands, selecting fully safe parameters, eliminating dangerous parameters, and eliminating shell keywords;
the information processing module is used for filtering the instruction information according to a common instruction list to obtain instruction information to be matched;
the information processing module is used for carrying out regular matching on the instruction information to be matched according to the regular matching rule to obtain a regular matching result.
In the above scheme, the information processing module is configured to obtain a security detection model matched with the target container;
The information processing module is used for carrying out artificial intelligent recognition on the regular matching result through the safety detection model to obtain a classification result of the regular matching result;
the information processing module is used for marking the classification result according to the safety threshold value of the target container to obtain the safety detection result of the instruction information.
In the above scheme, the information processing module is configured to execute the instruction information through the target container when determining that the instruction information is security instruction information according to the security detection result, so as to obtain an execution result of the instruction information;
and the information processing module is used for refusing to execute the instruction information when the instruction information is determined to be dangerous instruction information according to the security detection result.
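The double detection and execution decision described in the preceding schemes (common-instruction filtering, regular matching under the five rule categories, a per-container detection model, marking against the container's safety threshold, and executing only safe instruction information), as an added example that is not the patent's own code. The regular expressions, the weighted-scorer stand-in for the detection model, the weights and the thresholds are constructed assumptions; the patent names the rule categories but specifies neither the expressions nor the model.

```python
"""Double detection of instruction information: stage 1 regular matching,
stage 2 per-container model score marked against a safety threshold.
Patterns, weights and thresholds are assumptions for the example."""
import re
import shlex
import subprocess
from dataclasses import dataclass
from typing import Callable, Dict

# Stage 1 rule material (assumed).
COMMON_INSTRUCTIONS = {"clear", "pwd", "whoami", "id", "uptime", "date"}
READ_ONLY_COMMANDS = {"ls", "cat", "head", "tail", "grep", "ps", "df", "du",
                      "stat", "wc", "env", "netstat", "ss", "free", "top"}
DANGEROUS_COMMAND_RE = re.compile(
    r"^(rm|mkfs(\.\w+)?|dd|shutdown|reboot|halt|chmod|chown|kill|killall)$")
SAFE_PARAM_RE = re.compile(r"^(-[a-zA-Z]+|--[a-z-]+|[\w./-]+)$")
DANGEROUS_PARAM_RE = re.compile(
    r"^(-(?=[a-z]*r)(?=[a-z]*f)[a-z]+|--no-preserve-root|of=/dev/\S*|777)$")
SHELL_KEYWORD_RE = re.compile(
    r"(;|&&|\|\||\||`|\$\(|\$\{|>|<|\beval\b|\bexec\b|\bsource\b)")


def regular_match(instruction: str) -> Dict[str, object]:
    """Stage 1: common-instruction filtering, then regular matching.
    Returns the 'regular matching result' consumed by stage 2."""
    result = {"instruction": instruction, "common": False,
              "read_only_command": False, "dangerous_command": False,
              "safe_parameters": True, "dangerous_parameters": False,
              "shell_keyword": bool(SHELL_KEYWORD_RE.search(instruction))}
    try:
        tokens = shlex.split(instruction)
    except ValueError:  # unbalanced quotes: treated as a shell-keyword hit
        tokens = []
        result["shell_keyword"] = True
    if not tokens:
        return result
    cmd, params = tokens[0], tokens[1:]
    if cmd in COMMON_INSTRUCTIONS and not params and not result["shell_keyword"]:
        result["common"] = True  # common instruction: no further matching needed
        return result
    result["read_only_command"] = cmd in READ_ONLY_COMMANDS
    result["dangerous_command"] = bool(DANGEROUS_COMMAND_RE.match(cmd))
    result["safe_parameters"] = all(SAFE_PARAM_RE.match(p) for p in params)
    result["dangerous_parameters"] = any(DANGEROUS_PARAM_RE.match(p) for p in params)
    return result


@dataclass
class DetectionModel:
    """Stand-in for the security detection model matched with a container:
    a weighted linear scorer over the rule hits (assumption)."""
    weights: Dict[str, float]

    def classify(self, match: Dict[str, object]) -> float:
        if match["common"]:
            return 0.0
        features = {"read_only_command": match["read_only_command"],
                    "dangerous_command": match["dangerous_command"],
                    "unsafe_parameters": not match["safe_parameters"],
                    "dangerous_parameters": match["dangerous_parameters"],
                    "shell_keyword": match["shell_keyword"]}
        risk = sum(w for name, w in self.weights.items() if features[name])
        return max(0.0, min(1.0, risk))


@dataclass
class TargetContainer:
    name: str
    safety_threshold: float  # scores at or above this are marked dangerous
    model: DetectionModel


DEFAULT_WEIGHTS = {"read_only_command": -0.3, "dangerous_command": 0.6,
                   "unsafe_parameters": 0.2, "dangerous_parameters": 0.5,
                   "shell_keyword": 0.4}
# Constructed containers: a strict production service and a lenient sandbox.
STRICT = TargetContainer("payment-api", 0.25, DetectionModel(DEFAULT_WEIGHTS))
LENIENT = TargetContainer("dev-sandbox", 0.5, DetectionModel(DEFAULT_WEIGHTS))


def security_detect(container: TargetContainer, instruction: str) -> Dict[str, object]:
    """Stage 2: classify the matching result, then mark it against the
    container's safety threshold to obtain the security detection result."""
    match = regular_match(instruction)
    risk = container.model.classify(match)
    label = "safe" if risk < container.safety_threshold else "dangerous"
    return {"risk": round(risk, 2), "label": label, "match": match}


def process_instruction(container: TargetContainer, instruction: str,
                        executor: Callable[[str], str]) -> Dict[str, object]:
    """Execute only instruction information marked safe; refuse the rest."""
    detection = security_detect(container, instruction)
    if detection["label"] == "dangerous":
        return {"executed": False, "output": "", **detection}
    return {"executed": True, "output": executor(instruction), **detection}


def local_executor(instruction: str) -> str:
    # Demo executor: runs the vetted argv locally without a shell.
    return subprocess.run(shlex.split(instruction), capture_output=True,
                          text=True, check=False).stdout


if __name__ == "__main__":
    for c, ins in [(LENIENT, "ls -la /var/log"), (LENIENT, "rm -rf /"),
                   (LENIENT, "cat /etc/hosts | grep db"), (STRICT, "cat /etc/hosts | grep db")]:
        r = process_instruction(c, ins, local_executor)
        print(c.name, repr(ins), "->", r["label"], r["risk"], "executed" if r["executed"] else "refused")
```

The same piped `cat ... | grep` line is executed in the lenient container but refused in the strict one, which is the per-container threshold marking at work.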
In the above scheme, the information processing module is configured to determine corresponding firmware configuration information according to a use environment of the container cluster management system;
the information processing module is used for acquiring matched target system images from the target system image cloud server according to the firmware configuration information, wherein the target system images support target system structures of different organization frameworks;
The information processing module is used for creating a collection container in the target system and creating a target collection system supporting different organization structures through the collection container;
the information processing module is used for deploying the target collection system in the container cluster management system;
the information processing module is used for capturing the dangerous instruction information through the target collecting system.
In the above scheme, the information processing module is configured to capture, when determining that the instruction information is dangerous instruction information, a record of access service of the dangerous instruction information based on the dangerous instruction information;
the information processing module is used for acquiring and analyzing a network data packet carried by the dangerous instruction information based on the record of the access service of the dangerous instruction information;
the information processing module is used for determining and detecting the connection behavior of the dangerous instruction information invading the container cluster management system after logging on based on the network data packet.
The embodiment of the invention also provides electronic equipment, which comprises:
a memory for storing executable instructions;
and the processor is used for realizing the method for executing the instruction information through the container when executing the executable instructions stored in the memory.
The embodiment of the invention also provides a computer program product, which comprises a computer program or instructions, and is characterized in that the computer program or instructions, when being executed by a processor, realize the method for executing instruction information through a container.
The embodiment of the invention also provides a computer readable storage medium which stores executable instructions which when executed by a processor realize the method for executing instruction information through a container.
The embodiment of the invention has the following beneficial effects:
1) The identification information of the target container input by the target object is acquired; authenticating the target object according to the identification information; when the authentication of the target object passes, the target container is logged in through the container cluster management system, so that the user can be quickly and safely logged in the container without providing other credential information, and the user can log in the container more conveniently and safely.
2) Meanwhile, receiving instruction information through the target container; double detection is carried out on the safety of the instruction information, and a safety detection result of the instruction information is obtained; and processing the instruction information according to the security detection result to obtain an execution result of the instruction information. Therefore, after logging in the container, the instruction information with large danger degree can be intercepted by identifying the instruction information input by the user, and the safety of the system during remote operation is improved.
Drawings
FIG. 1 is a schematic view of a usage environment of a method for executing instruction information via a container according to an embodiment of the present invention;
fig. 2 is a schematic diagram of a composition structure of an apparatus for executing instruction information through a container according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating an alternative method for executing instruction information via a container according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a process for authenticating a target object in the practice of the present invention;
FIG. 5 is a schematic diagram of a game micro-service development platform according to an embodiment of the present invention;
FIG. 6 is a schematic diagram illustrating a process of double detection of security of instruction information according to an embodiment of the present invention;
FIG. 7A is a schematic diagram of a typical linux shell command rule;
FIG. 7B is a schematic diagram of the five-class security detection result obtained by artificial intelligence recognition of the regular matching result;
FIG. 8 is an exemplary diagram of an integrated development environment for the writing of automated test scripts for auxiliary games;
FIG. 9 is a schematic diagram illustrating a process of a method for executing instruction information through a container according to an embodiment of the present invention;
FIG. 10 is a schematic diagram of the input effect of identification information according to an embodiment of the present invention;
FIG. 11 is a schematic diagram of an authentication effect of a target object in an embodiment of the present invention;
FIG. 12 is a schematic view showing the selection effect of a target container according to an embodiment of the present invention;
FIG. 13 is a schematic diagram showing the positioning effect of a target container according to an embodiment of the present invention;
fig. 14 is a schematic diagram illustrating an effect of intercepting a service data modification instruction according to an embodiment of the present invention.
Detailed Description
The present invention will be further described in detail with reference to the accompanying drawings, for the purpose of making the objects, technical solutions and advantages of the present invention more apparent, and the described embodiments should not be construed as limiting the present invention, and all other embodiments obtained by those skilled in the art without making any inventive effort are within the scope of the present invention.
In the following description, reference is made to "some embodiments" which describe a subset of all possible embodiments, but it is to be understood that "some embodiments" can be the same subset or different subsets of all possible embodiments and can be combined with one another without conflict.
Before describing embodiments of the present invention in further detail, the terms and terminology involved in the embodiments of the present invention will be described, and the terms and terminology involved in the embodiments of the present invention will be used in the following explanation.
1) Workload: a class of application programs that may contain multiple replica instances.
2) Terminals, including but not limited to: the device comprises a common terminal and a special terminal, wherein the common terminal is in long connection and/or short connection with a sending channel, and the special terminal is in long connection with the sending channel.
3) A client, a carrier in a terminal that implements a specific function, for example, a mobile client (APP), is a carrier of a specific function in a mobile terminal, for example, a function of performing live video on line or a play function of video on line.
4) "In response to" is used to represent the condition or state on which a performed operation depends; when the condition or state on which it depends is satisfied, the operation or operations may be performed in real time or with a set delay. Unless specifically described, there is no limitation on the execution sequence of the plurality of operations performed.
5) A server cluster (Server cluster) refers to a cluster of many servers that together perform the same service and appear to a client as if there were only one server. A server cluster can use multiple computers to perform parallel computation and obtain high computation speed, and can also use multiple computers for backup, so that the whole system can still operate normally if any one machine fails. The method for executing instruction information through a container provided by the application can be applied to cloud server usage scenarios and distributed server usage scenarios to realize state detection and fault restoration of the server hard disk in different usage environments. In particular, the cloud server (CVM, Cloud Virtual Machine) is a simple, efficient, safe and reliable computing service with elastically scalable processing capacity. Its management is simpler and more efficient than that of a traditional single physical server. The user can quickly create or release any number of cloud servers for the user's business process without purchasing hardware in advance, and the data of the cloud server user is stored there. In the usage environment of a distributed server, the user's data and programs can be distributed across multiple servers instead of residing on one server; similarly, the distributed server environment also needs a large number of hard disks, and the method for executing instruction information through a container provided by the application also needs to realize quick login to the container and detection of the security of the instruction information.
6) The container cluster management system Kubernetes, which can be called K8S, is an open-source container operation platform, can realize the functions of combining a plurality of containers into one service, dynamically distributing the host machines for container operation and the like, and provides great convenience for users to use the containers. The application can be rapidly deployed, rapidly expanded, seamlessly docked with new application functions and the use of hardware resources can be optimized through the Kubernetes.
Nodes are the basic elements of a container cluster. The nodes depend on the traffic, and can be virtual machines or physical machines. Each node contains the basic components required to run the container group (Pod), including kubelet, kube-proxy, etc.
The Master node (Master node) refers to the cluster control node, which manages and controls the entire cluster; all control commands of k8s are issued to it, and it is responsible for the specific execution process. The kube-apiserver (resource access component), kube-controller-manager (operation management controller component) and kube-scheduler (scheduling component) running on the Master node maintain the healthy operating state of the entire cluster by constantly communicating with the kubelet and kube-proxy on the working nodes (Node). If the service of the Master node cannot access a certain Node, the Node is marked as unavailable, and a newly built Pod (container group) is not scheduled to that Node. However, additional detection is required for the Master itself so that the Master is not a single point of failure of the cluster, and therefore a high-availability deployment is also required for the Master services.
Nodes other than a Master are referred to as nodes or Worker nodes (working nodes), and Node nodes in the cluster can be viewed in the Master using a Node view command (kubectl get nodes). Each Node is assigned with some workload (Docker container) by the Master Node, and when a Node is down, the workload on the Node is automatically transferred to other nodes by the Master Node.
7) Pod (container group): the smallest/simplest basic unit of kubernetes creation or deployment-container group, one Pod represents a micro-service process running on the cluster, and one micro-service process encapsulates an edge container (there may also be multiple edge containers) that provides micro-service applications, storage resources, an independent network IP, and policy options that govern the way the containers run.
8) Replica: the instance unit of a workload; each replica instance is a separate container.
9) Container: a program process that has independent namespaces, typically with one IP per container; IP addresses may be repeated between different containers.
10) SSH: at present the protocol mainly used for logging in to a Linux system, which is convenient to deploy in a container environment.
11) Security audit: the security audit referred to herein means recording all operation behaviors of a user according to a certain security policy and taking corresponding actions, such as interception, on those behaviors.
12) Springboard machine: a network device that serves as a springboard for operating remote devices in batches, and is one of the common operation platforms for system administrators or operation and maintenance personnel.
13) Host machine: the device on which containers run.
Before explaining the method for executing instruction information through a container provided by the present application, the remote login mode of the container cluster management system Kubernetes in the related art is first explained. In the related art, Kubernetes is an open source system that can be used for automatically deploying, expanding and managing "containerized" application programs. Generally, a Kubernetes cluster in a production environment contains many containers, but when remote login is performed, even if the IP addresses of the containers are known, there is no way to log in to the containers directly through ssh, which is inconvenient for users.
To solve this problem, the related art provides three login modes. 1) Let the user log in to the host directly and then enter the target container through a docker exec command. The disadvantage of this solution is that hybrid deployment is not possible: if the containers of each service are allowed to be placed on one physical machine, the login permission of the physical machine needs to be opened, which increases the potential safety hazard and exposes the physical machine to more attacks.
2) Use a webshell login mode, that is, install SSH in the container and simulate a shell terminal on the web page side. The biggest shortcoming of this scheme is that it increases the potential safety hazard of the system: a webshell is equivalent to opening a back door to the outside for logging in to the container, and its security is difficult to guarantee.
3) The user obtains the cluster login credentials and logs in to the container by adding the container name to kubectl exec. The defects of this scheme are that the user is required to obtain the login credentials and to input a container name with poor readability, so an inexperienced user easily inputs the wrong container name and the login efficiency is affected. At the same time, the user has to bear additional cluster management costs, which increases the cost of the container cluster management system.
In order to overcome the above-mentioned drawbacks, the present application provides a method, an apparatus, a software program, an electronic device, and a storage medium for executing instruction information through a container. Fig. 1 is a schematic view of a usage scenario of the method for executing instruction information through a container according to an embodiment of the present application. Referring to fig. 1, with the continuous development of computer technology, a cloud server (Cloud Virtual Machine, CVM) can provide a secure and reliable elastic computing service and can also provide different instance types to meet a user's specific usage scenario. The terminals (including the terminal 10-1 and the terminal 10-2) are provided with corresponding clients capable of executing different functions; the clients on the terminals (including the terminal 10-1 and the terminal 10-2) acquire different information from the corresponding cloud server 200 through the network 300 and can deploy different services in the cloud servers. The terminal is connected to the server 200 through the network 300, which may be a wide area network, a local area network, or a combination of the two, and uses a wireless link to implement data transmission. The instance types provided by the cloud server consist of different combinations of CPU, memory, storage and network, and the user's service data is stored in the hard disk of the cloud server. The different cloud servers in fig. 1 can be managed by the container cluster management system Kubernetes; the smallest/simplest basic unit created or deployed by Kubernetes is the container group (Pod), one Pod represents a micro-service process running on the cluster, and one micro-service process encapsulates an edge container (there may also be multiple edge containers) that provides micro-service applications, storage resources, an independent network IP, and policy options that govern how the containers run. When logging in, the identification information of a target container input by a target object is acquired; the target object is authenticated according to the identification information; and when the authentication of the target object is passed, the target container is logged in to through the container cluster management system. When instruction information is processed, the instruction information is received through the target container; double detection is carried out on the security of the instruction information to obtain a security detection result of the instruction information; and the instruction information is processed according to the security detection result to obtain an execution result of the instruction information.
In the embodiment provided by the present application, the cloud server application running in the cloud server 200 may be written in software code environments of different programming languages, and the code objects may be different types of code entities. For example, in software code in the C language, a code object may be a function. In software code in the JAVA language, a code object may be a class, and in the Objective-C language on the iOS side it may be a piece of object code. In software code in the C++ language, a code object may be a class or a function that executes processing instructions from different terminals. The source of the compilation environment of the cloud server is not further distinguished in this application.
The following describes in detail the structure of the device for executing instruction information through a container according to the embodiment of the present application, the device for executing instruction information through a container may be implemented in various forms, such as a dedicated terminal with a device processing function for executing instruction information through a container, or may be a server provided with a device processing function for executing instruction information through a container, such as the server 200 in fig. 1. Fig. 2 is a schematic diagram of a composition structure of an apparatus for executing instruction information through a container according to an embodiment of the present application, and it will be understood that fig. 2 only shows an exemplary structure of the apparatus for executing instruction information through a container, but not all the structure, and part or all of the structure shown in fig. 2 may be implemented as required.
The device for executing instruction information through the container provided by the embodiment of the invention comprises the following components: at least one processor 201, a memory 202, a user interface 203, and at least one network interface 204. The various components in the device that execute instruction information via the container are coupled together by bus system 205. It is understood that the bus system 205 is used to enable connected communications between these components. The bus system 205 includes a power bus, a control bus, and a status signal bus in addition to the data bus. But for clarity of illustration the various buses are labeled as bus system 205 in fig. 2.
The user interface 203 may include, among other things, a display, keyboard, mouse, trackball, click wheel, keys, buttons, touch pad, or touch screen, etc.
It will be appreciated that the memory 202 may be either volatile memory or nonvolatile memory, and may include both volatile and nonvolatile memory. The memory 202 in embodiments of the present invention is capable of storing data to support operation of the terminal (e.g., 10-1). Examples of such data include: any computer program, such as an operating system and application programs, for operation on the terminal (e.g., 10-1). The operating system includes various system programs, such as a framework layer, a core library layer, a driver layer, and the like, for implementing various basic services and processing hardware-based tasks. The application may comprise various applications.
In some embodiments, the apparatus for executing instruction information through a container provided by the embodiment of the present invention may be implemented by combining software and hardware, and by way of example, the apparatus for executing instruction information through a container provided by the embodiment of the present invention may be a processor in the form of a hardware decoding processor, which is programmed to execute the method for executing instruction information through a container provided by the embodiment of the present invention. For example, a processor in the form of a hardware decoding processor may employ one or more application specific integrated circuits (ASICs, application Specific Integrated Circuit), DSPs, programmable logic devices (PLDs, programmable Logic Device), complex programmable logic devices (CPLDs, complex Programmable Logic Device), field programmable gate arrays (FPGAs, field-Programmable Gate Array), or other electronic components.
As an example of implementing the apparatus for executing instruction information through a container according to the embodiment of the present invention by a combination of hardware and software, the apparatus may be directly embodied as a combination of software modules executed by the processor 201. The software modules may be located in a storage medium, the storage medium is located in the memory 202, and the processor 201 reads the executable instructions included in the software modules in the memory 202 and performs the method for executing instruction information through a container according to the embodiment of the present invention in combination with the necessary hardware (including, for example, the processor 201 and the other components connected to the bus 205).
By way of example, the processor 201 may be an integrated circuit chip having signal processing capabilities, such as a general purpose processor (for example a microprocessor or any conventional processor), a digital signal processor (DSP, Digital Signal Processor), another programmable logic device, a discrete gate or transistor logic device, discrete hardware components, or the like.
As an example of implementing the apparatus for executing instruction information through a container provided by the embodiments of the present invention in hardware, the apparatus may be implemented directly by the processor 201 in the form of a hardware decoding processor, for example by one or more application specific integrated circuits (ASIC, Application Specific Integrated Circuit), DSPs, programmable logic devices (PLD, Programmable Logic Device), complex programmable logic devices (CPLD, Complex Programmable Logic Device), field programmable gate arrays (FPGA, Field-Programmable Gate Array), or other electronic components.
The memory 202 in embodiments of the present invention is used to store various types of data to support the operation of the apparatus for executing instruction information through a container. Examples of such data include any executable instructions for operation on the apparatus; a program implementing the method of executing instruction information through a container according to embodiments of the present invention may be contained in these executable instructions.
In other embodiments, the apparatus for executing instruction information through a container according to the embodiments of the present invention may be implemented in software. Fig. 2 shows the apparatus for executing instruction information through a container stored in the memory 202, which may be software in the form of a program, a plug-in, or the like, comprising a series of modules. As an example of a program stored in the memory 202, the apparatus for executing instruction information through a container includes the following software modules: an information transmission module 2081 and an information processing module 2082. When the software modules of the apparatus are read into RAM by the processor 201 and executed, the method for executing instruction information through a container provided by the embodiment of the present invention is implemented, where the functions of each software module in the apparatus include:
the information transmission module 2081 is configured to obtain identification information of a target container input by a target object;
the information processing module 2082 is configured to authenticate the target object according to the identification information;
the information processing module 2082 is configured to log in to the target container through the container cluster management system when the authentication of the target object is passed;
the information processing module 2082 is configured to receive instruction information through the target container;
the information processing module 2082 is configured to perform double detection on the security of the instruction information, so as to obtain a security detection result of the instruction information;
the information processing module 2082 is configured to process the instruction information according to the security detection result, so as to obtain an execution result of the instruction information.
According to the electronic device shown in fig. 2, in one aspect of the application, the application also provides a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the electronic device reads the computer instructions from the computer-readable storage medium and executes the computer instructions to cause the electronic device to perform the different embodiments and combinations of embodiments provided in various alternative implementations of the method of executing instruction information through a container described above.
The embodiment of the application can also realize login to target containers in different cloud server clusters based on cloud technology. Cloud technology is a generic term for network technology, information technology, integration technology, management platform technology, application technology and the like applied on the basis of the cloud computing business model; it can form a resource pool that is used on demand, is flexible and convenient, and has become an important support. Cloud computing refers to the delivery and usage mode of an IT infrastructure, meaning that required resources are obtained in an on-demand, easily scalable manner through a network; generalized cloud computing refers to the delivery and usage mode of services, meaning that the required services are obtained in an on-demand, easily scalable manner over a network. Such services may be IT, software, internet related, or other services. Cloud computing is a product of the fusion of traditional computer and network technologies such as grid computing, distributed computing, parallel computing, utility computing, network storage technologies, virtualization, load balancing, and the like. With the development of the internet, real-time data flows and the diversification of connected devices, and driven by the demands of search services, social networks, mobile commerce, open collaboration and the like, cloud computing has developed rapidly. Unlike earlier parallel and distributed computing, the emergence of cloud computing will conceptually drive a revolutionary transformation of the whole internet model and of enterprise management models.
Cloud storage (cloud storage) is a new concept that extends and develops in the concept of cloud computing, and a distributed cloud storage system (hereinafter referred to as a storage system for short) refers to a storage system that integrates a large number of storage devices (storage devices are also referred to as storage nodes) of various types in a network to work cooperatively through application software or application interfaces through functions such as cluster application, grid technology, and a distributed storage file system, so as to provide data storage and service access functions for the outside. At present, the storage method of the storage system is as follows: when creating logical volumes, each logical volume is allocated a physical storage space, which may be a disk composition of a certain storage device or of several storage devices. The client stores data on a certain logical volume, that is, the data is stored on a file system, the file system divides the data into a plurality of parts, each part is an object, the object not only contains the data but also contains additional information such as a data Identification (ID) and the like, the file system writes each object into a physical storage space of the logical volume, and the file system records storage position information of each object, so that when the client requests to access the data, the file system can enable the client to access the data according to the storage position information of each object. 
The process of allocating physical storage space for the logical volume by the storage system specifically includes: the physical storage space is divided into stripes in advance according to the set of capacity measures for the objects stored on a logical volume (these measures tend to have a large margin with respect to the capacity of the objects actually to be stored) and the redundant array of independent disks (RAID, Redundant Array of Independent Disks) configuration; a logical volume can be understood as a stripe, whereby physical storage space is allocated for the logical volume.
When the method is applied to cloud products, the front end of the cloud product can be a Web UI component, which receives Spark-related parameters filled in by users and generates job data according to those parameters. The Cluster Manager may be an open source cluster resource scheduling platform such as YARN, Mesos or Kubernetes; Spark itself already supports these open source platforms, that is, the protocols between Spark and the Cluster Manager components are compatible. Driver is the job driver, Work Node is a worker node, Executor is the task execution component, and Task is the smallest execution unit. Further, the structured data package (Spark SQL) is the package used by Spark to manipulate structured data; through it the data can be queried using the SQL language, and it supports a variety of data sources such as data warehouse tool (Hive) tables and the like. The streaming component is a Spark-provided component that processes real-time data as streams and provides an application programming interface (API, Application Programming Interface) for manipulating the data stream.
Referring to fig. 3, fig. 3 is an optional flowchart of a method for executing instruction information through a container according to an embodiment of the present invention, applied to the device shown in fig. 2; it is understood that the steps shown in fig. 3 may be executed by a cloud server or a cloud server cluster. The steps shown in fig. 3 are described below.
Step 301: and acquiring the identification information of the target container input by the target object through the container execution instruction information device.
Here, the user creates a controller of the container cluster management system, which may be a Deployment or a StatefulSet. StatefulSet and Deployment are controllers (workloads) commonly used in Kubernetes (k8s) and manage Pods in different ways: typically, a StatefulSet is used to deploy stateful applications and a Deployment is used to deploy stateless applications. Taking a game micro-service development platform (GDP) as an example, when a controller is created, the GDP system lets the user select the list of users who have permission to log in to the controller and stores the list in the permission list database. Whenever a container is created by Kubernetes, the GDP writes the container's information (including but not limited to container ip, container name, Kubernetes cluster name, and controller name) to the container list database.
Step 302: the device executing the instruction information through the container authenticates the target object according to the identification information.
Referring to fig. 4, fig. 4 is a schematic diagram of the process of authenticating a target object in an embodiment of the present invention, which specifically includes:
Step 401: and detecting the uniqueness of the target container according to the identification information.
The user can input the ip information of the target container through a jump server. A jump server (also called a bastion host, or fort machine) is a network device that can be used as a jump board to operate remote devices in batches, and is one of the operation platforms commonly used by system administrators or operation and maintenance personnel. To better illustrate the application process of the method for executing instruction information through a container provided by the present application, reference is made to fig. 5, which is a schematic structural diagram of a game micro service development platform in an embodiment of the present application, where the service plane of the remote access service may also be referred to as the service plane of the bastion service. As an example, a cloud bastion host console (CBH Console) is the operational interface of this service plane. It should be appreciated that the CBH Console presents the various functions of the bastion host externally by invoking the application programming interfaces (APIs) of the various microservices in the unified management module.
In the structure shown in fig. 5, the unified management module includes a user management micro service API, a resource management micro service API, an access management (policy management) micro service API, and a public management micro service API. Such micro services may include, for example, but are not limited to: user management microservices, resource management microservices, access management (policy management) microservices, public management microservices, multi-vendor channel microservices, and the like.
In the structure shown in fig. 5, a user may call the user management micro service API through the CBH Console to obtain user data, which may include the data used to confirm the identity of an entity accessing the system, for example a user identification (username), an authentication factor (password, passcode, fingerprint, etc.), and the like. The user may also obtain resource data by calling the resource management micro-service API through the CBH Console, where the resource data may include the data necessary for remote access to the login target device, such as the resource address, port, access protocol, account number and credential of the login target host, and so on. The user may also obtain access policy data by calling the access management (policy management) micro-service API through the CBH Console, where the access policy data may include the user's access policy for the target device, for example a control policy of when, from where, how and which target hosts are accessed by the user, and which operation rights are available on the target device (file upload and download, clipboard paste-in and paste-out, character command blacklist, etc.).
In the architecture shown in fig. 5, the channel creation module may provide the user with a multi-vendor channel microservice that creates multiple heterogeneous channels. By way of example, fig. 5 depicts four vendor channel creation components; a user may also create a channel to a target device by calling the APIs of a vendor's channel creation component through the CBH Console.
Meanwhile, the channel creation component of each vendor may include a channel server and one or more channel agents. The channel server is responsible for implementing the channel micro service API, mainly handling channel creation, channel closing, starting a playback session and closing the playback session. The channel microservice stores metadata about each channel session, including session ID, session start time, session end time, the user information that opened the session, the resource information of the session, and rights information. These data are associated with the specific session audit data by session ID. The channel proxy (tunnel proxy) is deployed independently for each network, serves as the jump board for accessing the target network (target device), acts as the proxy server when the actual channel is established, and is responsible for the real-time audit record of the session.
In the architecture shown in fig. 5, the operational plane of the remote access service may also be referred to as the operational plane of the bastion service; it is used for operation and maintenance work such as opening, closing, paying for, renewing and upgrading the remote access service. It mainly comprises a cloud bastion server console (CBS Console), CBS, and CBS clients (CBS agents) installed on each channel agent.
The CBS Console is an operation interface where a user may select which manufacturer's channels are opened to which of the user's own virtual private clouds (VPC) for access services. That is, the user may choose which vendor's channel creation component to use to open channels to which of his own VPCs.
After the user logs in to the bastion system, the user can obtain the list of target devices that the user is authorized to access. For example, the user may obtain, through the operation interface of the service plane (the CBH Console), the list of target devices that the user has permission to access. In the structure shown in fig. 5, the user obtains the list of target devices with access permission together with one or more channels corresponding to each target device, where these channels are the channel access services that the user selected and opened to particular target devices through the operation interface of the operational plane (the CBS Console). As shown in fig. 5, some target devices may have multiple channels available for selection by the user; the user may select only one of the created channels, or may choose to create all of the alternative channels, which is not specifically limited by the embodiments of the present application. The channels created by the user to different target devices may be the same or different, and the embodiments of the present application are not particularly limited in this regard.
Step 402: when the target container is determined to be unique, a corresponding controller of the target container is determined.
Step 403: when the target container is determined to be unique, a corresponding controller of the target container is determined in response to a selection instruction of a user.
In the uniqueness determination of steps 402 and 403, when a user needs to log in to a target container, after the user inputs the container ip, the method for executing instruction information through a container provided by the application searches the container list database for the container information corresponding to that ip. When several containers match, the user must select one of them. After the uniqueness of the container has been determined, the controller identifier corresponding to the container is obtained, and the permission list database is then searched to find whether the user has permission to log in to the container.
Meanwhile, the permission list can be updated on the user's instruction, and can also be updated periodically according to a preset time threshold; for example, with a time threshold of 24 hours the permission list is updated every day. This ensures the security of logging in to the target container and prevents a target object from holding permission to log in to a fixed target container for a long time.
Step 404: and authenticating the target object according to the user list of the controller to obtain an authentication result of the target object.
Step 303: the means for executing instruction information by the container logs in to the target container by the container cluster management system when the authentication of the target object is passed.
In some embodiments of the present application, logging in to a target container through a container cluster management system may be accomplished by:
when the authentication of the target object passes, determining the login interface corresponding to the target container in the container cluster management system; accessing the login interface through the container cluster management system; and logging in to the target container through the login interface. For example, suppose three speech recognition engines A, B and C are deployed in the cloud server network, with three containers A1, A2 and A3 deployed in speech recognition engine A, three containers B1, B2 and B3 in speech recognition engine B, and three containers C1, C2 and C3 in speech recognition engine C. When the authentication of the target object passes and a speech recognition task request S1 is currently scheduled, it must be judged whether an idle speech recognition engine exists in the service list of the three engines. If service processes are running in all three containers of engine A, engine A is a non-idle engine; if service processes are running in containers B1 and B2 of engine B but not in B3, engine B is an idle engine; and if a service process is running in container C1 of engine C but not in C2 and C3, engine C is an idle engine. The system then accesses the Kubernetes API and logs in to the corresponding target container according to the acquired container information (idle information); for example, a suitable one of engines B and C is selected as the target speech recognition engine and the task request S1 is run in an idle container of that engine.
Further, since the speech recognition environments of the three engines A, B and C may differ, the engine service list is traversed according to the engine parameters carried by the recognition task in the recognition queue, and speech recognition engine B is selected as the engine to receive the target task, reducing the user's waiting time. One or more service processes may be scheduled at a time during this determination of which engine is idle; when several service processes are scheduled at once they may be run in different containers, that is, one service process per container. The different service processes can be run in several containers of the same speech recognition engine, or in containers of different speech recognition engines, and login to the target container is achieved by accessing the corresponding login interface through the container cluster management system.
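The idle-engine selection and the login interface of step 303, as an added example that is not part of the patent or of any product it describes. The engine service list is a constructed table mirroring the A/B/C layout above; the Kubernetes namespace, the pod naming scheme and the use of the pods/exec sub-resource as the "login interface" are assumptions of this example (the path shape and query parameters follow the Kubernetes core v1 API, but nothing here contacts a cluster).

```python
"""Added example (not the patent's code): pick an idle container from the engine
service list and build the Kubernetes API login interface for it."""
from urllib.parse import urlencode

# Constructed service list: engine -> {container name: service process running?}
SERVICE_LIST = {
    "A": {"A1": True, "A2": True, "A3": True},
    "B": {"B1": True, "B2": True, "B3": False},
    "C": {"C1": True, "C2": False, "C3": False},
}


def idle_engines(service_list):
    """An engine is idle when at least one of its containers has no running service process."""
    return [eng for eng, cs in service_list.items() if any(not run for run in cs.values())]


def pick_idle_container(service_list, preferred=None):
    """Choose the preferred engine if it is idle (else the first idle one) and its first idle container."""
    idle = idle_engines(service_list)
    if not idle:
        return None
    engine = preferred if preferred in idle else idle[0]
    for name, running in service_list[engine].items():
        if not running:
            return engine, name
    return None


def exec_login_interface(namespace, pod, container, command=("/bin/sh",)):
    """Login interface in the container cluster management system: the pod exec endpoint.

    Assumption: login is realised through the core v1 pods/exec sub-resource, whose
    query parameters (command, container, stdin, stdout, stderr, tty) are the
    standard ones; the caller would open this path over an authenticated, upgraded
    (SPDY/WebSocket) connection to the API server.
    """
    query = [("command", c) for c in command]
    query += [("container", container), ("stdin", "true"), ("stdout", "true"),
              ("stderr", "true"), ("tty", "true")]
    return f"/api/v1/namespaces/{namespace}/pods/{pod}/exec?{urlencode(query)}"


def login_target(service_list, namespace="speech", preferred="B"):
    """Steps of 303 in order: find an idle container, then derive its login interface."""
    choice = pick_idle_container(service_list, preferred)
    if choice is None:
        return None
    engine, container = choice
    pod = f"engine-{engine.lower()}"  # assumed pod naming; container name assumed to match the service list
    return engine, container, exec_login_interface(namespace, pod, container)
```

The point of separating `pick_idle_container` from `exec_login_interface` is that the scheduling decision (which engine, which container) is made on the GDP side from the service list, and only the final, fully determined target is handed to the cluster management system; the user never supplies the pod name or namespace, which is what lets the system log in without asking the user for extra credentials.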
Through the processing of steps 301 to 303, the user can be logged in to the container quickly and safely without having to provide other credential information, so that logging in to the container is simpler, more convenient and more secure. After login to the target container, the target container can receive the instruction information input by the user, and only safe instruction information is executed in the container, so that the running security of the program can be ensured.
Step 304: the means for executing instruction information via the container receives instruction information via the target container.
Step 305: and double detection is carried out on the safety of the instruction information through a device for executing the instruction information by the container, so that a safety detection result of the instruction information is obtained.
Referring to fig. 6, fig. 6 is a schematic diagram of the process of double detection of the security of instruction information in an embodiment of the present invention. The double detection process shown in fig. 6 may comprise two parts: 1) regular matching (regular expression matching), and 2) artificial intelligence recognition. The instruction information is first subjected to regular matching to obtain a regular matching result; artificial intelligence recognition is then carried out on the regular matching result to obtain the security detection result of the instruction information. The double detection process specifically comprises the following steps:
step 601: and acquiring a regular matching rule of regular matching.
Using the security detection model alone for artificial intelligence recognition gives high recognition accuracy, but it is slow and costly. To overcome these drawbacks, before the security detection model runs, regular expressions are prepared in advance as regular matching rules to filter out some common commands. Fig. 7A is a schematic diagram of the structure of a typical Linux shell command, comprising: command, options, parameters, redirection, and pipes.
Step 602: and filtering the instruction information according to the common instruction list to obtain the instruction information to be matched.
In some embodiments of the invention, the common instruction list may include information for the following shell commands: 1) the sort command, which sorts file contents line by line and can also sort according to different data types; 2) the uniq command, used to report or ignore consecutive repeated lines in a file, and often used in conjunction with the sort command;
3) the tr command, which replaces, squeezes and deletes characters from standard input; 4) the cut command, whose common options and their meanings are: -f selects which fields to extract, with "TAB" as the default field separator; -d changes the separator from the default "TAB" to another character; --complement excludes the specified fields; --output-delimiter changes the delimiter of the output; 5) the split command, which splits a large file into several smaller files under Linux; 6) the eval command: when eval is prefixed to a command word, the shell scans the command twice before executing it, first scanning it for the substitutions used and then executing it; the command is applicable to variables for which a single scan cannot achieve the desired effect.
Step 603: and carrying out regular matching on the instruction information to be matched according to the regular matching rule to obtain a regular matching result.
In some embodiments of the invention, the regular matching rules include at least one of: screening completely read-only commands, excluding dangerous commands, screening completely safe parameters, excluding dangerous parameters, and excluding shell keywords. Specifically, taking a game micro-service development platform (GDP) as an example, the regular matching rules of the game micro-service development platform may be:
1. screening completely read-only commands, including ls, cat, top, echo, history, head and tail;
2. excluding dangerous commands: dd, alias, fsck, rm;
3. screening completely safe parameters: /tmp;
4. excluding dangerous parameters: /dev/;
5. excluding shell keywords: while, for, if.
After the regular expressions are formulated, each time a user-input command is received the complete command is screened by regular matching and its risk level is judged. Only if the command does not hit any regular expression (for example, but not limited to, an unrecognized command or an unrecognized parameter) is the security detection model used to judge its risk level. This effectively improves the processing speed of the double detection of the security of the instruction information and ensures detection accuracy, while at the same time reducing the cost of using the security detection model.
Step 604: and carrying out artificial intelligent recognition on the regular matching result through the safety detection model to obtain a classification result of the regular matching result.
Before step 604 is executed, a security detection model matched with the target container needs to be acquired. The security detection models used in the present application are of two kinds, machine learning and deep learning, and for each instruction the algorithm model with the best result is adopted to measure the risk level.
Using the machine learning model may include: 1. K-means clustering to detect outliers; 2. classification by a random forest algorithm plus an SVM; 3. Recall and Precision metrics. Using the deep learning model may include: 1. a convolutional neural network (CNN); 2. a loss function model; 3. Recall and Precision metrics.
Step 605: labeling the classification result according to the safety threshold value of the target container to obtain the safety detection result of the instruction information.
The safety threshold of the target container can be flexibly adjusted according to the usage requirements of different target containers. According to the safety threshold of the target container, the security detection results of the instruction information can be divided into 5 types of decreasing danger: risk level 4, risk level 3, risk level 2, risk level 1, and risk level 0. Taking a game micro service development platform (GDP) as an example, fig. 7B is a schematic diagram of the 5 types of security detection results obtained by artificial intelligence recognition of the regular matching result; the security detection results shown in fig. 7B may include:
1) "alias cd='rm -rf'" 4: deletes all files under the current directory, risk level 4.
2) "dd if=/dev/zero of=/dev/sda" 4: clears a block of disk data, risk level 4.
3) "for i in {1..10}; do dd if=/dev/urandom of=/dev/sda; done" 4: clears a block of disk data, risk level 4.
4) "git reset --hard" 4: rolls the git repository back to the last commit, risk level 4.
5) "tar -czvf /path/to/file archive.tgz" 4: packs and compresses a file with tar, with example command parameters filled in, risk level 4.
6) "chmod -R 777 /" 4: changes the permissions of all files to 777, risk level 4.
7) "chown -R root /" 4: changes the owner of all files to root, risk level 4.
8) "ls" 0: lists the files in the current directory, risk level 0.
9) "mkdir /home/data" 1: creates a directory, risk level 1.
10) "ldd opencv.so.4.4.0" 0: prints the dependencies of a library file, risk level 0.
11) "ldconfig" 3: reloads all dynamically linked libraries, risk level 3.
12) "vim config.conf" 3: edits a configuration file, risk level 3.
13) "cat spp.log" 0: prints a log, risk level 0.
14) "tcpdump -Xpls 0 -i eth0" 1: captures packets on the network card, risk level 1.
15) "gdb spp.so 12345" 4: debugs a library, risk level 4.
16) "gdb spp.so core.12345" 1: debugs a core file, risk level 4.
Step 306: and processing the instruction information according to the security detection result by the device for executing the instruction information through the container to obtain an execution result of the instruction information.
When the instruction information is determined to be safe instruction information according to the security detection result, the instruction information is executed through the target container and the execution result of the instruction information is obtained; when the instruction information is determined to be dangerous instruction information according to the security detection result, execution of the instruction information is refused.
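The double detection of steps 601 to 605 and the execute-or-refuse decision of step 306, carried through as one added example; this is not the patent's or the GDP platform's code. The regular matching rules are the five GDP rules listed above and the common instruction list is the one from step 602; the security detection model of step 604 is represented by a constructed table of risk levels for commands the regex stage leaves undecided, standing in for the machine learning or deep learning model (a real deployment would call that model at the same point). Splitting a command line on pipes and separators, treating every unknown command as risk level 4, and reading rule 3 as "all path parameters lie under /tmp" are interpretations made for this example.

```python
"""Added example (not the patent's code): regex pre-filter, model fallback, threshold
labelling and the execute/refuse decision for one command line."""
import re
import shlex

# Step 602: common instruction list from the text. Pipeline stages consisting only of
# these commands are filtered out before matching. eval is deliberately left out here
# because its argument is itself a command and must be judged, not skipped (assumption).
COMMON_COMMANDS = {"sort", "uniq", "tr", "cut", "split"}

# Step 603: GDP regular matching rules 1-5.
READ_ONLY_COMMANDS = re.compile(r"^(ls|cat|top|echo|history|head|tail)$")   # rule 1
DANGEROUS_COMMANDS = re.compile(r"^(dd|alias|fsck|rm)$")                     # rule 2
SAFE_PARAMETER = re.compile(r"^/tmp(/|$)")                                   # rule 3
DANGEROUS_PARAMETER = re.compile(r"^/dev/")                                  # rule 4
SHELL_KEYWORDS = re.compile(r"(^|[\s;|&(])(while|for|if)(?=$|\s)")           # rule 5

# Step 604 stand-in: constructed model risk levels (0-4) for undecided commands.
MODEL_RISK = {"mkdir": 1, "ldd": 0, "ldconfig": 3, "vim": 3, "tcpdump": 1,
              "gdb": 4, "chmod": 4, "chown": 4, "git": 4}
MODEL_RISK_DEFAULT = 4   # a command the model has never seen is treated as most risky (assumption)

SEPARATORS = re.compile(r"\|\||&&|[|;]")   # pipe and command separators


def split_stages(command_line):
    """A command line may chain several commands; each stage is matched on its own."""
    return [s.strip() for s in SEPARATORS.split(command_line) if s.strip()]


def match_stage(stage):
    """Apply rules 1-5 to one stage. Returns risk 4 or 0 when a rule hits, None when undecided."""
    if SHELL_KEYWORDS.search(stage):
        return 4
    try:
        words = shlex.split(stage)
    except ValueError:
        return 4   # unbalanced quoting cannot be reasoned about, so it is not let through
    if not words:
        return 0
    cmd, args = words[0], words[1:]
    if DANGEROUS_COMMANDS.match(cmd) or any(DANGEROUS_PARAMETER.match(a) for a in args):
        return 4
    if READ_ONLY_COMMANDS.match(cmd):
        return 0
    paths = [a for a in args if a.startswith("/")]
    if paths and all(SAFE_PARAMETER.match(p) for p in paths):
        return 0   # rule 3 as interpreted here: every path parameter lies under /tmp
    return None


def regular_match(command_line):
    """Steps 602-603. Returns ('hit', level) or ('miss', [undecided stages for the model])."""
    worst, undecided = 0, []
    for stage in split_stages(command_line):
        level = match_stage(stage)
        if level is None:
            first = shlex.split(stage)[0]
            if first in COMMON_COMMANDS:
                continue          # step 602: common command, nothing left to match
            undecided.append(stage)
        else:
            worst = max(worst, level)
    if worst == 4:
        return "hit", 4           # one dangerous stage decides the whole line
    if undecided:
        return "miss", undecided
    return "hit", 0


def model_classify(stages):
    """Step 604 stand-in: worst constructed model risk level over the undecided stages."""
    return max(MODEL_RISK.get(shlex.split(s)[0], MODEL_RISK_DEFAULT) for s in stages)


def detect(command_line, safety_threshold):
    """Steps 603-605: double detection, then labelling against the container's safety threshold."""
    kind, payload = regular_match(command_line)
    level = payload if kind == "hit" else model_classify(payload)
    return {"command": command_line, "risk_level": level,
            "decided_by": "regex" if kind == "hit" else "model",
            "result": "dangerous" if level > safety_threshold else "safe"}


def process(command_line, container, safety_threshold):
    """Step 306: execute through the target container only when labelled safe, else refuse.
    Execution is simulated by the returned record; nothing is run on this host."""
    outcome = detect(command_line, safety_threshold)
    outcome.update(container=container, executed=outcome["result"] == "safe")
    return outcome
```

Two properties are worth checking against the table in fig. 7B: every level-4 entry there is caught by the regex stage alone (rules 2, 4 and 5 cover alias, dd, the for loop and the /dev/ parameters), so those commands never reach the costly model; and a command line that chains a read-only stage with a dangerous one is still refused, because the worst stage decides the line. The safety threshold is what makes the same risk level 1 safe for one container and dangerous for a stricter one.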
In some embodiments of the present invention, to improve the protection capability of each container, corresponding firmware configuration information may be determined according to the usage environment of the container cluster management system; according to the firmware configuration information, a matched target system image is obtained from a target system image cloud server, wherein the target system image supports target system structures of different organization frameworks; a collection container is created in the target system, and a target collection system supporting different organization architectures is created through the collection container; the target collection system is deployed in the container cluster management system; and dangerous instruction information is captured by the target collection system. In this way the target collection system is used to collect dangerous instructions, and the collected dangerous instructions can be used to train the security detection model, improving the protection capability of each container and thereby the overall protection capability of the system.
In some embodiments of the present invention, in order to enhance the detection capability of each container, when the instruction information is determined to be dangerous instruction information, a record of the access service of the dangerous instruction information is captured based on the dangerous instruction information; the network data packet carried by the dangerous instruction information is acquired and analyzed based on that record; and the connection behavior after the dangerous instruction information invades the container cluster management system is determined and detected based on the network data packet. Therefore, the connection behavior of the dangerous instruction information can be detected uninterruptedly, ensuring the safety of each container. Meanwhile, by detecting the connection behavior, it can be judged whether the user performs dangerous operations such as database deletion, table deletion or access to sensitive data; if the user is found to be attempting a dangerous operation, the instruction information can continue to be intercepted. Intercepted instruction information is not discarded but placed in an instruction cache of the database for manual verification; if the verification does not pass, the request message of the instruction information can be discarded, realizing request blocking. All database operation and maintenance instructions are collected and recorded centrally through soft switching, which facilitates subsequent security audit.
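The interception path described above for database operation and maintenance instructions (detect the dangerous operation, keep the intercepted instruction in a cache for manual verification, drop the request if verification fails, record everything centrally for audit), as an added example that is not code from the patent. The operation patterns, the sensitive table names and the user names are constructed for the example; the packet-level analysis of connection behavior that the page describes is out of scope here and is replaced by a pattern check on the instruction text.

```python
import re
from typing import Optional

# Added example: instruction cache with manual verification and a central audit
# record for database O&M instructions. Patterns, table names and users are constructed.

DANGEROUS_OPERATIONS = [
    (re.compile(r"^\s*drop\s+(database|schema)\b", re.I), "database deletion"),
    (re.compile(r"^\s*drop\s+table\b", re.I), "table deletion"),
    (re.compile(r"^\s*truncate\b", re.I), "table deletion"),
    (re.compile(r"^\s*delete\s+from\s+\w+\s*;?\s*$", re.I), "unconditional delete"),
]
SENSITIVE_TABLES = {"user_credentials", "payment_cards"}   # constructed for the example
TABLE_REFERENCES = re.compile(r"\b(?:from|join|into|update|table)\s+`?(\w+)`?", re.I)


def detect_dangerous(sql: str) -> Optional[str]:
    """Return a reason when the instruction is a dangerous operation, otherwise None."""
    for pattern, reason in DANGEROUS_OPERATIONS:
        if pattern.search(sql):
            return reason
    for table in TABLE_REFERENCES.findall(sql):
        if table.lower() in SENSITIVE_TABLES:
            return f"sensitive data access ({table})"
    return None


class InstructionGate:
    def __init__(self):
        self.audit_log = []   # centrally collected record of every instruction seen
        self.pending = {}     # instruction cache: ticket -> (user, sql, reason)
        self._next_ticket = 1

    def _record(self, user, sql, action, reason):
        self.audit_log.append({"user": user, "sql": sql, "action": action, "reason": reason})

    def submit(self, user: str, sql: str) -> dict:
        """Execute a harmless instruction; intercept and cache a dangerous one."""
        reason = detect_dangerous(sql)
        if reason is None:
            self._record(user, sql, "executed", None)
            return {"status": "executed"}
        ticket = self._next_ticket
        self._next_ticket += 1
        self.pending[ticket] = (user, sql, reason)   # kept, not discarded
        self._record(user, sql, "intercepted", reason)
        return {"status": "intercepted", "ticket": ticket, "reason": reason}

    def verify(self, ticket: int, approved: bool) -> str:
        """Manual verification: release the cached instruction or drop its request."""
        user, sql, reason = self.pending.pop(ticket)
        action = "released" if approved else "dropped"
        self._record(user, sql, action, reason)
        return action


if __name__ == "__main__":
    gate = InstructionGate()
    print(gate.submit("alice", "SELECT id FROM orders WHERE id = 7"))
    hit = gate.submit("alice", "DROP TABLE orders")
    print(hit, gate.verify(hit["ticket"], approved=False))
    for entry in gate.audit_log:
        print(entry)
```

A ticket that is never verified stays in the cache, so the audit record shows both the interception and, later, whether a human released or dropped it; the two entries together are what a subsequent security audit reads.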
In order to better illustrate the working process of the method for executing instruction information through a container provided by the present application, the method is described below taking the development of a game program as an example. Referring to fig. 8, fig. 8 is an exemplary diagram of an integrated development environment for writing automated test scripts for a game; it is an integrated development environment attached to the game automation test framework Airtest and can develop and test game actions in the game environment. After logging in the target container, the main interface of the environment is roughly divided into three columns. The upper half of the left column displays a shortcut menu of common operations that can be called when writing a test script, and the lower half of the left column displays the tree structure of the user interface of the test object. The upper half of the middle column is the test script editing area where test developers enter the scripts they write, and the lower half of the middle column is the log output area. The right column shows the user interface of the test object. Above the entire main interface, menus and icons for regular operations are provided (for example create, open, save as, run, stop running and view reports).
The development environment shown in fig. 8 may run in a target container of a container cluster management system. Taking K8S as an example, a Kubernetes cluster generally includes a master node (Master) and a plurality of computing nodes (Nodes) communicatively connected to the master node; the master node manages and controls the computing nodes, and the computing nodes are the workload nodes, holding applications deployed directly on the node as well as a plurality of container groups (Pods), each of which encapsulates one or more containers that carry the application. A Pod is the basic operating unit of Kubernetes and the smallest deployment unit that can be created, debugged and managed. The working copies are of the Deployment resource type, and tasks of this type can be deployed: a Deployment integrates functions such as online deployment, rolling upgrade, creating copies, suspending an online task, resuming an online task and rolling back to a previous (successful/stable) Deployment of a certain version. A Deployment can to some extent realize unattended going online and greatly reduces the complex communication and operational risks of the go-online process. For working copies of the Deployment type, the list of Deployment objects associated with the type can first be determined, and the associated Pod list is then found from the cache through the replica controller, where a Deployment is one kind of replica controller in Kubernetes whose main function is to control the Pods it manages so that the number of Pod copies is always kept at the preset number.
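The Deployment-to-Pod lookup just described (Deployment object list first, then the associated Pods via the replica controller) as an added example that is not part of the patent: it walks the ownerReferences chain Deployment -> ReplicaSet -> Pod over an in-memory cache of Kubernetes objects. The objects, names, uids and IPs below are constructed and carry only the fields the lookup needs; a real controller cache would hold the full API objects.

```python
# Added example: resolve the Pods of a Deployment from a cache of Kubernetes objects
# through ownerReferences, and measure how far the Pod count is from the preset number.
# All objects below are constructed for this example.

CACHE = {
    "Deployment": [
        {"metadata": {"name": "gdp-ide", "namespace": "game", "uid": "dep-1"},
         "spec": {"replicas": 3}},
    ],
    "ReplicaSet": [
        # current revision of the Deployment
        {"metadata": {"name": "gdp-ide-7c9f", "namespace": "game", "uid": "rs-1",
                      "ownerReferences": [{"kind": "Deployment", "uid": "dep-1"}]},
         "spec": {"replicas": 3}},
        # previous revision, scaled to 0 but retained so a rollback is possible
        {"metadata": {"name": "gdp-ide-5a1b", "namespace": "game", "uid": "rs-0",
                      "ownerReferences": [{"kind": "Deployment", "uid": "dep-1"}]},
         "spec": {"replicas": 0}},
    ],
    "Pod": [
        {"metadata": {"name": "gdp-ide-7c9f-aaaaa", "namespace": "game",
                      "ownerReferences": [{"kind": "ReplicaSet", "uid": "rs-1"}]},
         "status": {"phase": "Running", "podIP": "10.244.1.11"}},
        {"metadata": {"name": "gdp-ide-7c9f-bbbbb", "namespace": "game",
                      "ownerReferences": [{"kind": "ReplicaSet", "uid": "rs-1"}]},
         "status": {"phase": "Running", "podIP": "10.244.1.12"}},
        {"metadata": {"name": "gdp-ide-7c9f-ccccc", "namespace": "game",
                      "ownerReferences": [{"kind": "ReplicaSet", "uid": "rs-1"}]},
         "status": {"phase": "Pending", "podIP": ""}},
        # an application deployed directly on the node, owned by no controller
        {"metadata": {"name": "debug-shell", "namespace": "game", "ownerReferences": []},
         "status": {"phase": "Running", "podIP": "10.244.1.50"}},
    ],
}


def owned_by(objects, owner_kind, owner_uid):
    """Objects whose ownerReferences point at the given owner."""
    return [o for o in objects
            if any(r["kind"] == owner_kind and r["uid"] == owner_uid
                   for r in o["metadata"].get("ownerReferences", []))]


def find_deployment(name, namespace, cache=CACHE):
    for d in cache["Deployment"]:
        if d["metadata"]["name"] == name and d["metadata"]["namespace"] == namespace:
            return d
    return None


def pods_of_deployment(name, namespace, cache=CACHE):
    """Deployment object -> its ReplicaSets (all revisions) -> their Pods, sorted by name."""
    dep = find_deployment(name, namespace, cache)
    if dep is None:
        return []
    pods = []
    for rs in owned_by(cache["ReplicaSet"], "Deployment", dep["metadata"]["uid"]):
        pods.extend(owned_by(cache["Pod"], "ReplicaSet", rs["metadata"]["uid"]))
    return sorted(p["metadata"]["name"] for p in pods)


def replica_gap(name, namespace, cache=CACHE):
    """Preset copy count minus the Pods actually Running; positive means copies are missing."""
    dep = find_deployment(name, namespace, cache)
    if dep is None:
        return None
    owned = set(pods_of_deployment(name, namespace, cache))
    running = [p for p in cache["Pod"]
               if p["metadata"]["name"] in owned and p["status"]["phase"] == "Running"]
    return dep["spec"]["replicas"] - len(running)


if __name__ == "__main__":
    print(pods_of_deployment("gdp-ide", "game"))
    print("missing copies:", replica_gap("gdp-ide", "game"))
```

The directly deployed "debug-shell" Pod is never returned because it has no owner chain back to the Deployment, which is the distinction the passage draws between original applications on a node and the container groups a replica controller maintains.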
Referring to fig. 9, fig. 9 is a schematic diagram of a process of a method for executing instruction information through a container according to an embodiment of the present application, including the following steps:
Step 901: acquiring the identification information of the target container input by the developer through the trigger, and authenticating the developer.
Fig. 10 is a schematic diagram of the input effect of identification information in an embodiment of the present application. The method for executing instruction information through a container provides a command tool called gdpconsole; after a user or service operation and maintenance staff enters the trigger, the command "gdpconsole exec" followed by the container ip is input, and the container cluster management system automatically checks authority to detect whether the user has permission to log on to the target container. This makes it more convenient for the user to log on to the target container without requiring the user to manage cluster login credentials. In fig. 10, the occluded part shown before @VM is the linux login user name and the occluded part after 11.150 is the input container ip.
Step 902: when authentication is passed, the target container is logged in through the container cluster management system, and a service data modification instruction is received.
Referring to fig. 11 to fig. 13, fig. 11 is a schematic diagram of the authentication effect for a target object in an embodiment of the present application. When a user needs to log in to a target container, after the container ip is input, the method for executing instruction information through the container provided by the present application searches the container list database for the container information corresponding to that ip; when several containers match, the user must select one of them. Once the uniqueness of the container is determined, the controller identifier corresponding to the container is obtained, and the permission list database is then searched to determine whether the user has permission to log in to the container. In fig. 11, the occluded part shown before @VM is the linux login user name, the occluded part after permission is the input container ip, and the occluded part after id7396 and the occluded part before @VM-253 are the linux login user name. Fig. 12 is a schematic view of the selection effect for a target container in an embodiment of the present application; in fig. 12, when the ip input by the user belongs to several Kubernetes clusters, the user may select one, where the occluded part after 9.1166 is the linux login user name, the occluded part after cls-ch is the input container ip, and the remaining occluded parts are the ids of the Kubernetes clusters. Fig. 13 is a schematic diagram of the positioning effect for a target container according to an embodiment of the present application, where the occluded part before @VM-253 is the linux login user name, the occluded part after 9.143 is the input container ip, and the remaining occluded parts are the id of the Kubernetes cluster (first column) and the input container ip (second column).
Step 903: double detection is carried out on the security of the service data modification instruction.
Step 904: responding to the service data modification instruction, the original service data is modified through the container to obtain target service data.
Step 904 may be executed when the security double detection passes, and the service data modification instruction is intercepted when it does not pass. Fig. 14 is a schematic diagram showing the effect of intercepting a service data modification instruction according to an embodiment of the present invention: if a developer triggers an alarm, a designated administrator of the container cluster management system receives the alarm.
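The authentication and login of steps 901 and 902 (look the container ip up in the container list database, resolve ambiguity when the ip exists in several clusters, obtain the controller identifier, check the controller's user list in the permission list database, and only then resolve a login interface), as an added example that is not the patent's or the GDP platform's code. The container list, the permission list, the cluster and controller ids, the IPs and the user names are constructed; the login interface path is a placeholder, since the page does not show the cluster management system's real endpoint.

```python
# Added example: authentication by container ip against constructed container list
# and permission list databases, following steps 901/902 and claims 2 and 3.

CONTAINER_DB = [  # constructed container list database
    {"ip": "10.8.1.10", "cluster": "cls-a", "namespace": "game",
     "pod": "gdp-ide-7c9f-aaaaa", "controller": "ctl-7396"},
    {"ip": "10.8.1.11", "cluster": "cls-a", "namespace": "game",
     "pod": "gdp-ide-7c9f-bbbbb", "controller": "ctl-7396"},
    # two clusters use the same Pod address range, so this ip is not unique
    {"ip": "10.8.1.11", "cluster": "cls-b", "namespace": "billing",
     "pod": "ledger-0", "controller": "ctl-8800"},
]
PERMISSION_DB = {  # constructed permission list database: controller id -> user list
    "ctl-7396": {"alice", "bob"},
    "ctl-8800": {"carol"},
}


def parse_gdpconsole(argv):
    """Parse 'gdpconsole exec <container ip>' as typed at the terminal; None if malformed."""
    if len(argv) != 3 or argv[0] != "gdpconsole" or argv[1] != "exec":
        return None
    return argv[2]


def find_containers(ip, cluster=None):
    """Search the container list database by ip, optionally narrowed to one cluster."""
    return [c for c in CONTAINER_DB
            if c["ip"] == ip and (cluster is None or c["cluster"] == cluster)]


def authenticate(user, ip, cluster=None):
    """Claim 2: uniqueness check, controller lookup, then the controller's user list."""
    matches = find_containers(ip, cluster)
    if not matches:
        return {"ok": False, "reason": "no container has this ip"}
    if len(matches) > 1:
        # uniqueness not established: the user has to choose a cluster (fig. 12)
        return {"ok": False, "reason": "ip belongs to several clusters",
                "choices": sorted(c["cluster"] for c in matches)}
    target = matches[0]
    if user not in PERMISSION_DB.get(target["controller"], set()):
        return {"ok": False, "reason": "user not in the controller's user list"}
    return {"ok": True, "container": target}


def login(user, ip, cluster=None):
    """Claim 3: resolve and return the login interface only after authentication passes."""
    auth = authenticate(user, ip, cluster)
    if not auth["ok"]:
        return auth
    c = auth["container"]
    # placeholder interface path; the real exec endpoint is not shown on the page
    interface = f"{c['cluster']}/namespaces/{c['namespace']}/pods/{c['pod']}/exec"
    return {"ok": True, "login_interface": interface}


if __name__ == "__main__":
    ip = parse_gdpconsole(["gdpconsole", "exec", "10.8.1.11"])
    print(login("alice", ip))            # ambiguous: asks for a cluster
    print(login("alice", ip, "cls-a"))   # permitted
    print(login("alice", ip, "cls-b"))   # refused: wrong controller's user list
```

Note that the user's identity never reaches the container: the decision is made from the controller's user list, so the user holds no cluster credential to manage, which is the convenience the passage claims for gdpconsole.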
The beneficial technical effects are as follows:
1) The identification information of the target container input by the target object is acquired; the target object is authenticated according to the identification information; and when the authentication of the target object passes, the target container is logged in through the container cluster management system. The user can therefore log in to the container quickly and safely without providing other credential information, which makes logging in to the container simpler, more convenient and safer.
2) Meanwhile, instruction information is received through the target container; double detection is carried out on the safety of the instruction information to obtain a safety detection result; and the instruction information is processed according to the security detection result to obtain an execution result. Therefore, after the container has been logged in, instruction information with a high risk level can be intercepted by identifying the instruction information input by the user, improving the safety of the system during remote operation.
3) Various dangerous instructions can be collected by the deployed target collection system, and the collected dangerous instructions can be used to train the safety detection model, improving the safety protection capability of each container and thereby the overall safety protection capability of the system.
The above embodiments are merely examples of the present invention, and are not intended to limit the scope of the present invention, so any modifications, equivalent substitutions and improvements made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (13)

1. A method of executing instruction information through a container, the method comprising:
acquiring identification information of a target container input by a target object;
authenticating the target object according to the identification information;
logging in the target container through a container cluster management system when the authentication of the target object is passed;
receiving instruction information through the target container;
double detection is carried out on the safety of the instruction information, and a safety detection result of the instruction information is obtained;
and processing the instruction information according to the security detection result to obtain an execution result of the instruction information.
2. The method of claim 1, wherein authenticating the target object based on the identification information comprises:
detecting the uniqueness of the target container according to the identification information;
when the target container is determined to be unique, determining a corresponding controller of the target container;
and authenticating the target object according to the user list of the controller to obtain an authentication result of the target object.
3. The method of claim 1, wherein logging into the target container through a container cluster management system when the authentication of the target object is passed comprises:
when the authentication of the target object is passed, determining a login interface corresponding to the target container in the container cluster management system;
accessing the login interface through a container cluster management system;
and logging in the target container through the login interface.
4. The method according to claim 1, wherein the double detecting the security of the instruction information to obtain a security detection result of the instruction information includes:
performing regular matching on the instruction information to obtain a regular matching result;
and carrying out artificial intelligent recognition on the regular matching result to obtain a security detection result of the instruction information.
5. The method of claim 4, wherein performing a canonical match on the instruction information to obtain a canonical match result comprises:
acquiring a regular matching rule of the regular matching, wherein the regular matching rule comprises at least one of the following:
screening completely read-only commands, eliminating dangerous commands, screening complete and safe parameters, eliminating dangerous parameters and eliminating shell keywords;
filtering the instruction information according to a common instruction list to obtain instruction information to be matched;
and carrying out regular matching on the instruction information to be matched according to the regular matching rule to obtain a regular matching result.
6. The method of claim 4, wherein performing artificial intelligence recognition on the canonical matching result to obtain a security detection result of the instruction information comprises:
acquiring a safety detection model matched with the target container;
performing artificial intelligent recognition on the regular matching result through the safety detection model to obtain a classification result of the regular matching result;
and marking the classification result according to the safety threshold value of the target container to obtain the safety detection result of the instruction information.
7. The method according to claim 1, wherein the processing the instruction information according to the security detection result to obtain an execution result of the instruction information includes:
according to the security detection result, when the instruction information is determined to be the security instruction information, executing the instruction information through the target container to obtain an execution result of the instruction information;
and refusing to execute the instruction information when the instruction information is determined to be dangerous instruction information according to the security detection result.
8. The method of claim 7, wherein the method further comprises:
determining corresponding firmware configuration information according to the use environment of the container cluster management system;
according to the firmware configuration information, a matched target system image is obtained from a target system image cloud server, wherein the target system image supports target system structures of different organization frameworks;
creating a collection container in a target system, and creating a target collection system supporting different organization architectures through the collection container;
deploying the target collection system in the container cluster management system;
and capturing the dangerous instruction information through the target collecting system.
9. The method of claim 7, wherein the method further comprises:
when the instruction information is determined to be dangerous instruction information, capturing a record of access service of the dangerous instruction information based on the dangerous instruction information;
acquiring and analyzing a network data packet carried by the dangerous instruction information based on the record of the access service of the dangerous instruction information;
and determining and detecting the connection behavior of the dangerous instruction information invading the container cluster management system after logging on based on the network data packet.
10. An apparatus for executing instruction information via a container, the apparatus comprising:
an information transmission module, used for acquiring the identification information of the target container input by the target object;
an information processing module, used for authenticating the target object according to the identification information;
the information processing module is further used for logging in the target container through the container cluster management system when the authentication of the target object is passed;
the information processing module is further used for receiving instruction information through the target container;
the information processing module is further used for carrying out double detection on the safety of the instruction information to obtain a safety detection result of the instruction information;
and the information processing module is further used for processing the instruction information according to the security detection result to obtain an execution result of the instruction information.
11. An electronic device, the electronic device comprising:
a memory for storing executable instructions;
a processor for implementing the method of executing instruction information through a container according to any one of claims 1 to 9 when executing executable instructions stored in said memory.
12. A computer program product comprising a computer program or instructions which, when executed by a processor, implements the method of executing instruction information through a container as claimed in any one of claims 1 to 9.
13. A computer readable storage medium storing executable instructions which when executed by a processor implement the method of executing instruction information through a container of any one of claims 1 to 9.

Priority Applications (1)

Application Number: CN202310101962.5A; Priority Date: 2023-02-02; Filing Date: 2023-02-02; Title: Method, device, equipment and storage medium for executing instruction information through container; Publication: CN117215713A (en)

Publications (1)

Publication Number: CN117215713A; Publication Date: 2023-12-12

Family

ID=89049765

Country Status (1)

CN: CN117215713A (en), Pending


Legal Events

Date Code Title Description
PB01 Publication