CN105808240A - Method for realizing user isolation under online programming environment - Google Patents


Info

Publication number: CN105808240A
Authority: CN (China)
Prior art keywords: user, docker, file, mirror image, environment
Legal status: Pending
Application number: CN201610111429.7A
Other languages: Chinese (zh)
Inventor: 冯永昌
Current assignee: Beijing Quanttech Information Technology Co Ltd
Original assignee: Beijing Quanttech Information Technology Co Ltd
Priority date: 2016-03-01
Filing date: 2016-03-01
Publication date: 2016-07-27
Application filed by: Beijing Quanttech Information Technology Co Ltd
Priority to: CN201610111429.7A
Publication of: CN105808240A

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00: Arrangements for software engineering
    • G06F8/30: Creation or generation of source code
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/53: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow, by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00: Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21: Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2149: Restricted operating environment

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method for realizing user isolation in an online programming environment. The method comprises the following steps: setting up a server cluster and remotely starting images with the Docker container engine, where each user corresponds to one image that is started when the user begins work and stopped when the user exits; managing the Docker cluster with Docker Swarm; storing files on NFS so that several nodes access the same file system, which makes saving user files convenient, with each user owning a unique folder; and mounting that folder when the container is started. In this way several users can be spatially isolated while sharing one operating system, which breaks the restriction that one operating system can host only one programming environment, realizes the ability to start several programming environments from one operating system, and makes deployment and hot scaling simple and fast.

Description

A method for realizing user isolation in an online programming environment
1. Technical field
The present invention relates to the field of computer software, and in particular to usage scenarios involving web-based online programming.
2. Background technology
At present, online programming websites generally adopt the traditional B/S (browser/server) architecture: the code written by the user is sent to the server for processing, and all users share the server's resources and the same processing environment. As a result, users' work is not mutually isolated, users can see each other's operations, and the privacy and security of user data and user profiles are poor. Moreover, a user cannot save the files they have written into a programming environment of their own.
3. Summary of the invention
The present invention mainly solves the problem of isolating the environments of individual users of an online programming website from one another. A framework is designed that lets several user spaces share one operating system while remaining isolated from each other, each appearing to have exclusive use of the whole operating system, so that users can store data and files properly while security is still guaranteed.
The technical solution adopted by the present invention is as follows: set up a server cluster and use the Docker container engine to remotely start images, with one image per user. The image is started when the user begins work and stopped when the user exits. Docker Swarm is used to manage the Docker cluster, and NFS is used to store files, so that multiple nodes access the same file system and user files are preserved. Each user has a unique folder, and that folder is mounted when the container starts.
Owing to the above scheme, the invention has the following beneficial effects:
(1) Strong scalability. Because a cluster architecture is adopted, hot scaling is possible and there is no limit on the number.
(2) Strong isolation and good security. The restriction that one operating system can have only one programming environment is broken, and the function of starting multiple programming environments from one operating system is realized.
(3) The security function and deployment are simple.
4. Description of the drawings
The present invention is further described below with reference to the drawings and embodiments.
Fig. 1 is the architecture diagram of the present invention. Fig. 2 is the program flowchart of the present invention.
In the figures: 1. nginx reverse proxy, 2. server cluster, 3. NFS server, 4. cluster node, 5. JupyterHub, 6. NFS client, 7. Docker.
5. Detailed description of the invention
The preferred embodiments of the present invention are described in detail below with reference to the drawings, so that the advantages and features of the invention can be more readily understood by those skilled in the art and the scope of protection of the invention is defined more clearly.
Fig. 2 is the flowchart of a specific embodiment of the invention; with reference to Fig. 1, the steps are described in detail for a cluster of three nodes.
In step 401, the user logs in to the website, writes programming code on the page and submits it.
In step 402, the nginx reverse proxy performs load balancing and distributes the request to a JupyterHub. JupyterHub is used to start the Docker image that will process the user's code. Docker lets developers package their application and its dependencies into a portable container image file, which can then be published to any popular Linux machine; it can also be used to realize virtualization. Containers use a sandbox mechanism throughout and have no interface to each other. Here the code execution environment is packaged in Docker, which achieves isolation of the user's programming environment and data.
In step 403, it is judged whether the image has already been started: if so, go to step 405; if not, go to step 404.
In step 404, Docker starts the image, which serves as the user's processing environment.
In step 405, the code submitted by the user is executed in the processing environment.
In step 406, the result of the user's processing is saved by the NFS system, and the result is returned to the user.
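As an added example (not code from the patent or its assignee), the following Python builds the per-user container specification behind the technical solution above and steps 403 to 405: one container per user, with exactly that user's NFS folder mounted when the container starts. All paths, the image name, the resource limits and the username rule are assumptions; the patent gives none of these values.

```python
"""
Added example (not the patent's own code): building the per-user Docker
container specification for the JupyterHub + NFS layout the patent describes.
Every path, image name, limit and naming rule below is a constructed
assumption; the patent gives none of these values.
"""
import re
from pathlib import PurePosixPath

# Constructed naming policy: lowercase letters, digits, '_' and '-', max 32 chars.
# A strict allow-list is what keeps a username from doubling as a path.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_-]{0,31}")

NFS_ROOT = "/srv/nfs/users"            # assumed NFS export mounted on every node
MOUNT_POINT = "/home/jovyan/work"      # assumed mount point inside the container
IMAGE = "jupyter/minimal-notebook"     # assumed per-user programming image


def user_folder(nfs_root: str, username: str) -> str:
    """Return the user's unique folder under the NFS export.

    Rejects anything that is not a plain name, so '../other' or 'a/b' can
    never turn the per-user mount into a mount of someone else's folder or
    of the export root.
    """
    if not USERNAME_RE.fullmatch(username):
        raise ValueError(f"invalid username: {username!r}")
    root = PurePosixPath(nfs_root)
    folder = root / username
    # Belt and braces: the folder must be a direct child of the export root.
    if folder.parent != root:
        raise ValueError(f"folder {folder} escapes {root}")
    return str(folder)


def rejects(username: str, nfs_root: str = NFS_ROOT) -> bool:
    """True when user_folder refuses the name (handy for tests and audits)."""
    try:
        user_folder(nfs_root, username)
    except ValueError:
        return True
    return False


def container_spec(username: str, *, nfs_root: str = NFS_ROOT,
                   image: str = IMAGE, mount_point: str = MOUNT_POINT) -> dict:
    """Describe the container started in step 404 for one user.

    Only the user's own folder is bind-mounted read-write; the rest of the
    container is read-only and runs without capabilities, so the isolation
    does not rest on the image contents alone. The volumes dict uses the
    {host: {"bind": ..., "mode": ...}} shape the Docker SDK accepts.
    """
    folder = user_folder(nfs_root, username)
    return {
        "name": f"jupyter-{username}",
        "image": image,
        "volumes": {folder: {"bind": mount_point, "mode": "rw"}},
        "read_only": True,                    # root filesystem read-only
        "cap_drop": ["ALL"],                  # no Linux capabilities
        "security_opt": ["no-new-privileges"],
        "mem_limit": "512m",                  # constructed limits
        "pids_limit": 256,
        "network": "jupyter-net",             # assumed network for user containers
    }


def docker_run_args(spec: dict) -> list:
    """Render the spec as a `docker run` command line (standard Docker CLI flags)."""
    args = ["docker", "run", "-d", "--name", spec["name"]]
    if spec["read_only"]:
        args.append("--read-only")
    for cap in spec["cap_drop"]:
        args += ["--cap-drop", cap]
    for opt in spec["security_opt"]:
        args += ["--security-opt", opt]
    args += ["--memory", spec["mem_limit"], "--pids-limit", str(spec["pids_limit"]),
             "--network", spec["network"]]
    for host, m in spec["volumes"].items():
        args += ["-v", f"{host}:{m['bind']}:{m['mode']}"]
    args.append(spec["image"])
    return args


if __name__ == "__main__":
    print(" ".join(docker_run_args(container_spec("alice"))))
```

Two points a defender would check when deploying this layout. First, the username is the only input that turns into a mount path, so it must be validated as a plain name before it is joined to the export root; mounting the export root itself, or a path built from unvalidated input, would give one container access to every user's folder. Second, containers share the host kernel, so the property that containers have no interface to each other depends on how each one is started: a read-only root filesystem, dropped capabilities, no-new-privileges and resource limits keep a user's code confined to its own folder and its own share of the node.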
The foregoing is merely an embodiment of the invention and does not thereby limit the scope of the claims of the invention; any equivalent structure or equivalent flow change made using the contents of the description and drawings of the invention, or any direct or indirect use in other related technical fields, is likewise included in the scope of patent protection of the invention.

Claims (2)

1. A method for realizing user isolation in an online programming environment, comprising: setting up a server cluster and using the Docker container engine to remotely start images, with one image per user; starting the image when the user begins work and stopping it when the user exits; using Docker Swarm to manage the Docker cluster and NFS to store files, so that multiple nodes access the same file system and user files are preserved; and giving each user a unique folder that is mounted when the container starts.
2. The method according to claim 1, characterized in that: the programming environment is packaged as a Docker image, so that users can program online in an isolated environment; and NFS is used to mount the folder, thereby achieving the purpose of preserving user data.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201610111429.7A (CN105808240A, en) | 2016-03-01 | 2016-03-01 | Method for realizing user isolation under online programming environment

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN201610111429.7A (CN105808240A, en) | 2016-03-01 | 2016-03-01 | Method for realizing user isolation under online programming environment

Publications (1)

Publication Number | Publication Date
CN105808240A (en) | 2016-07-27

Family

ID=56465896

Family Applications (1)

Application Number | Title | Priority Date | Filing Date | Status
CN201610111429.7A (CN105808240A, en) | Method for realizing user isolation under online programming environment | 2016-03-01 | 2016-03-01 | Pending

Country Status (1)

Country | Link
CN (1) | CN105808240A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number | Cited by | Priority date | Publication date | Assignee | Title
CN103218175A (en) | * | 2013-04-01 | 2013-07-24 | 无锡成电科大科技发展有限公司 | Multi-tenant cloud storage platform access control system
CN105187500A (en) | * | 2015-08-07 | 2015-12-23 | 浪潮(北京)电子信息产业有限公司 | Container-based distributed storage system deployment method

Non-Patent Citations (6)

* Cited by examiner, † Cited by third party
Title
DOCKER: "Docker介绍以及其相关术语、底层原理和技术", 《HTTP://WWW.OPENOPEN.COM/LIB/VIEW/OPEN1413190983463.HTML》 *
DOCKER: "DockOne技术分享(四十):用Docker和Git搭建在线开发环境", 《HTTP://DOCKONE.IO/ARTICLE/930》 *
DOCKER: "IFTTT在开发环境中使用Docker的经验", 《HTTP://WWW.OPENOPEN.COM/LIB/VIEW/OPEN1445474771663.HTML》 *
DOCKER: "浅析Docker架构、原理及实例配置演示", 《HTTP://WWW.OPENOPEN.COM/LIB/VIEW/OPEN1423626069295.HTML》 *
SWARM: "深入浅出Swarm,Docker集群的管理工具", 《HTTP://WWW.OPENOPEN.COM/LIB/VIEW/OPEN1422240440794.HTML》 *
卧雪SIRK: "使用docker搭建nfs实现容器间共享文件", 《HTTPS://WWW.CNBLOGS.COM/VIMSK/P/5193413.HTML》 *

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number | Cited by | Priority date | Publication date | Assignee | Title
CN108092936A (en) | * | 2016-11-22 | 2018-05-29 | 北京计算机技术及应用研究所 | A kind of Host Supervision System based on plug-in architecture
CN107888708A (en) | * | 2017-12-25 | 2018-04-06 | 山大地纬软件股份有限公司 | A kind of load-balancing algorithm based on Docker container clusters
CN109104467A (en) | * | 2018-07-25 | 2018-12-28 | 北京京东尚科信息技术有限公司 | Develop environment construction method, apparatus and plateform system and storage medium
CN109104467B (en) | * | 2018-07-25 | 2021-07-30 | 北京京东尚科信息技术有限公司 | Development environment construction method and device, platform system and storage medium
CN110493175A (en) | * | 2019-07-01 | 2019-11-22 | 联想(北京)有限公司 | A kind of information processing method, electronic equipment and storage medium
CN110493175B (en) | * | 2019-07-01 | 2020-09-25 | 联想(北京)有限公司 | Information processing method, electronic equipment and storage medium
CN110769025A (en) | * | 2019-09-06 | 2020-02-07 | 江苏中云科技有限公司 | Method for accelerating data index of multi-tenant-oriented cloud storage system
CN110769025B (en) | * | 2019-09-06 | 2022-04-22 | 江苏中云科技有限公司 | Method for accelerating data index of multi-tenant-oriented cloud storage system
CN111708732A (en) | * | 2020-05-07 | 2020-09-25 | 深圳震有科技股份有限公司 | File reading and writing method, intelligent terminal and storage medium
CN112115492A (en) | * | 2020-08-21 | 2020-12-22 | 麒麟软件有限公司 | User data encryption and isolation method and system based on Linux operating system
CN112115492B (en) | * | 2020-08-21 | 2024-06-11 | 麒麟软件有限公司 | User data encryption and isolation method and system based on Linux operating system

Similar Documents

Publication Publication Date Title
CN105808240A (en) Method for realizing user isolation under online programming environment
EP3568777B1 (en) Data sharing in a multi-tenant database system
US11599545B2 (en) Stream retention in a data storage system
EP3204869B1 (en) Systems and methods to manage file access
US9934399B2 (en) Dynamic security policy generation
US9819609B2 (en) System and method for multitenant execution of OS programs invoked from a multitenant middleware application
EP2765508B1 (en) Installation method and installation device for application software
CN109983431B (en) System and method for list retrieval in a storage device
US20140019755A1 (en) Data storage in cloud computing
JP2016031762A5 (en)
US9882775B1 (en) Dependent network resources
de Bayser et al. Integrating MPI with Docker for HPC
Do et al. Enforcing file system permissions on android external storage: Android file system permissions (afp) prototype and owncloud
WO2019128984A1 (en) Container security policy handling method and related device
Burns et al. Managing Kubernetes: operating Kubernetes clusters in the real world
Sparks Enabling docker for HPC
Merzky et al. Application level interoperability between clouds and grids
JP6418419B2 (en) Method and apparatus for hard disk to execute application code
US11734122B2 (en) Backup task processing in a data storage system
Jang et al. Study on Hybrid Type Cloud System
CN114461290A (en) Data processing method, example and system
Gerofi et al. Toward full specialization of the HPC software stack: reconciling application containers and lightweight multi-kernels
Cohen et al. Google Compute Engine: Managing Secure and Scalable Cloud Computing
KR102559507B1 (en) System and method for multi-tenant execution of OS programs called from multi-tenant middleware applications
KR101709117B1 (en) Virtualizing method and apparatus for graphic offloading

Legal Events

Date | Code | Title | Description
2016-07-27 | C06 | Publication |
2016-07-27 | PB01 | Publication | Application publication date: 20160727
| C10 | Entry into substantive examination |
| SE01 | Entry into force of request for substantive examination |
| WD01 | Invention patent application deemed withdrawn after publication |