A method for preventing image tampering in desktop virtualization
Technical field
The present invention relates to the field of applied virtualization technology, and in particular to a method for preventing image tampering in desktop virtualization.
Background art
With the growth of cloud computing, desktop virtualization technology has come into wide use. More and more organizations are choosing virtual desktops to replace the traditional model of a physical machine plus operating system, because virtual desktops offer advantages such as unified management, low energy consumption and low cost. While we enjoy the convenience that desktop virtualization brings, its security problems cannot be ignored.
Each virtual machine is created from an operating system ISO image or a template image. If the ISO image or template image is maliciously tampered with, the consequences are catastrophic. To prevent such problems, a complete solution for preventing image tampering is needed.
Summary of the invention
The object of the present invention is to solve the above problem by proposing a method for preventing image tampering in desktop virtualization. The method combines permission separation with MD5 verification as a double layer of protection, which greatly reduces the risk of an image being tampered with and allows image anomalies to be discovered promptly.
To achieve the above object, the present invention adopts the following technical solution:
A method for preventing image tampering in desktop virtualization, comprising the following steps:
(1) create an independent storage domain for ISO image files, and set the users' read and write permissions on this storage domain;
(2) create two system users: one is used for uploading image files, i.e. has write permission; the other is used for read operations when creating virtual machines, i.e. has read permission;
(3) when an image file is uploaded, verify the user uploading the image file;
(4) generate an MD5 code for each uploaded image file and store it in the database of the master console, establishing in the database a one-to-one correspondence between each image file name and its MD5 code;
(5) before each use of an image file, first verify whether its MD5 value has changed; if it has changed, the image file has been tampered with.
The user verification process of step (3) is specifically:
If the user logged in at the system client is not the designated user with upload permission, that user cannot operate on the storage domain of the ISO image files, cannot upload ISO files, and is returned to the login interface. Only after logging in as the designated user through the client login interface can a user operate on the ISO storage domain and upload image files.
The specific method of step (5) is:
A. create a virtual machine through the master console, specifying the ISO image file required by this virtual machine;
B. determine whether it is the designated user who is operating on this ISO image file storage domain; if not, display a corresponding prompt;
C. calculate the MD5 value of this ISO image and compare it with the value in the database. If they are consistent, the ISO image file has been preserved intact and the virtual machine is created successfully; otherwise the ISO file has been tampered with, an error prompt is displayed, and virtual machine creation fails.
In step (2), each user is given an independent password.
The beneficial effects of the invention are:
The present invention uses the multi-user feature of Linux to create two independent users that are responsible for reading and writing image files respectively. This permission separation effectively improves overall security and reduces risk. Only these two designated users can access the storage domain, and their permissions are tightly controlled.
Whether a file has been tampered with is judged by calculating its MD5 value. The message digest algorithm MD5 (Message Digest Algorithm 5) is a hash function widely used in the computer security field to provide integrity protection for messages. Mainstream programming languages generally have existing MD5 implementations, which gives it good versatility.
The present invention is simple to operate and widely applicable, its flow is clear and concise, and MD5 is a widely used hash function in the computer security field. The double protection of permission separation plus MD5 verification greatly reduces the risk of an image being tampered with and allows image anomalies to be discovered promptly, giving high security strength.
Brief description of the drawings
Fig. 1 is a flow chart of the method of the present invention for preventing image tampering;
Fig. 2 is a flow chart of image upload in the present invention;
Fig. 3 is a flow chart of the image verification process of the present invention.
Embodiment:
The present invention is further described below with reference to the drawings and an embodiment:
A method for preventing image tampering in desktop virtualization, as shown in Fig. 1, comprises the following steps:
(1) create an independent storage domain for ISO image files, and set the users' read and write permissions on this storage domain;
(2) create two system users: one is used for uploading image files, i.e. has write permission; the other is used for read operations when creating virtual machines, i.e. has read permission;
(3) when an image file is uploaded, verify the user uploading the image file;
(4) generate an MD5 code for each uploaded image file and store it in the database, establishing in the database a one-to-one correspondence between each image file name and its MD5 code;
(5) before each use of an image file, first verify whether its MD5 value has changed; if it has changed, the image file has been tampered with.
1. Create an independent storage domain for ISO image files, and set the users' read and write permissions on this storage domain. This step sets aside independent storage space for image files, so that the users' read and write permissions on this directory can be set.
2. Create two system users, used respectively for reading from and writing to the image storage domain. This step separates the read and write permissions on the image storage domain: one user is used for uploading images, i.e. has write permission; the other user is used for read operations when creating virtual machines, i.e. has read permission. Each user is given an independent password, as the first layer of protection.
3. Generate an MD5 code for each image file. This step generates an identity code for each image file. Because the MD5 value is calculated from the file content, it changes whenever the content changes, so whether an image file has been tampered with can be detected by the following method.
4. Immediately after an image is uploaded, its MD5 value is calculated and stored in the database. The name of each image file must be unique, because all images are stored in the same directory; this allows a one-to-one correspondence between image name and MD5 value to be established in the database.
5. Before each use of an image, first verify whether its MD5 value has changed. This step verifies the integrity of the image: when the MD5 value of the image has changed, a message is displayed to the user indicating that the image has been tampered with.
The image upload flow is shown in Fig. 2. The main operation steps are as follows:
1) The user logs in to the system through an SSH client. If the logged-in user is not the designated user with upload permission, that user cannot operate on the ISO storage domain, cannot upload ISO files, and is returned to the login step.
2) Only after logging in as the designated user can the user operate on the ISO storage domain and upload images.
3) After the image upload is complete, the MD5 value of the image is calculated and written to the database.
4) The operation is complete.
The image verification flow is shown in Fig. 3. The main operation steps are as follows:
1) Create a virtual machine through the master console, specifying the ISO file required by this virtual machine.
2) Determine whether it is the designated user who is operating on this ISO storage domain; if not, display a corresponding prompt.
3) Calculate the MD5 value of this ISO image and compare it with the value in the database. If they are consistent, the ISO image has been preserved intact and the virtual machine is created successfully; otherwise the ISO file has been tampered with, an error prompt is displayed, and virtual machine creation fails.
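The upload flow (Fig. 2) and verification flow (Fig. 3) described above can be sketched as follows; this is an added example, not code from the patent. Assumptions: SQLite stands in for the master console database, the account names `iso_writer` and `iso_reader` are hypothetical, and the user check only models the console-side decision (the storage domain's filesystem permissions do the actual enforcement).

```python
import hashlib
import os
import sqlite3
import tempfile

WRITER, READER = "iso_writer", "iso_reader"  # hypothetical account names

def file_digest(path, algo="md5", chunk=1 << 20):
    """Hash in chunks so a multi-gigabyte ISO is never held in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    # PRIMARY KEY on name enforces the one-to-one name/digest mapping.
    db.execute("CREATE TABLE image_digest (name TEXT PRIMARY KEY, digest TEXT NOT NULL)")
    return db

def register_upload(db, path, user):
    """Upload flow: reject non-designated users, then record the digest."""
    if user != WRITER:
        raise PermissionError(f"{user} may not write to the ISO storage domain")
    with db:  # plain INSERT: a reused file name fails instead of overwriting
        db.execute("INSERT INTO image_digest VALUES (?, ?)",
                   (os.path.basename(path), file_digest(path)))

def verify_before_use(db, path, user):
    """Verification flow: True only if stored and current digests match."""
    if user != READER:
        raise PermissionError(f"{user} may not read the ISO storage domain")
    row = db.execute("SELECT digest FROM image_digest WHERE name = ?",
                     (os.path.basename(path),)).fetchone()
    # An image with no recorded digest fails closed.
    return row is not None and row[0] == file_digest(path)

def demo():
    db = open_db()
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "constructed-sample.iso")  # constructed sample file
        with open(iso, "wb") as f:
            f.write(b"constructed ISO contents" * 1000)
        register_upload(db, iso, WRITER)
        intact = verify_before_use(db, iso, READER)
        with open(iso, "ab") as f:  # simulate modification after upload
            f.write(b"X")
        return intact, verify_before_use(db, iso, READER)
```

MD5 is used because the text specifies it, but it is not collision resistant; passing `algo="sha256"` to `file_digest` keeps the same flow with a stronger digest.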
Although the specific embodiments of the present invention have been described above with reference to the drawings, they do not limit the scope of protection of the invention. Those of ordinary skill in the art should understand that, on the basis of the technical solution of the present invention, various modifications or variations that those skilled in the art can make without creative effort still fall within the scope of protection of the present invention.