CN105808240A - Method for realizing user isolation under online programming environment - Google Patents
- Publication number: CN105808240A (application CN201610111429.7A)
- Authority
- CN
- China
- Prior art keywords
- user
- docker
- file
- mirror image
- environment
- Prior art date
- Legal status
- Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/30—Creation or generation of source code
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2149—Restricted operating environment
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a method for realizing user isolation in an online programming environment. The method comprises the following steps: setting up a server cluster and remotely starting images with the Docker container engine, where each user corresponds to one image that is started when the user begins using the system and stopped when the user exits; managing the Docker cluster with Docker Swarm; storing files with NFS so that multiple nodes access the same file system and user files are conveniently preserved, where each user owns a unique folder; and mounting that folder when the container is started. In this way, multiple users can be spatially isolated while sharing one operating system, which breaks the restriction that one operating system can host only one programming environment, realizes the function of starting multiple programming environments on one operating system, and allows simple and rapid deployment and hot scaling.
Description
1. Technical field
The present invention relates to the field of computer software, and in particular to usage scenarios related to Web-based online programming.
2. Background technology
At present, online programming websites generally adopt the traditional B/S (browser/server) architecture: the code written by the user is uploaded to the server for processing, and all users share the server's resources and the same processing environment. As a result, their processes are not isolated from one another, users can inspect each other's processes, and the privacy and security of user data and user profiles are poor. Moreover, a user cannot save the files they have written into a programming environment of their own.
3. Summary of the invention
The present invention mainly solves the problem of isolating each user's environment in an online programming website. It designs an architecture that allows multiple user spaces to share one operating system while remaining isolated from one another, each appearing to have the whole operating system to itself, so that users can store their data and files properly while security is still guaranteed.
The technical solution adopted by the present invention is: set up a server cluster and use the Docker container engine to remotely start images, one image per user. The image is started when the user begins using the system and stopped when the user exits. Docker Swarm is used to manage the Docker cluster, NFS is used to preserve files, and multiple nodes access the same file system so that user files are preserved. Each user has a unique folder, and that folder is mounted when the container starts.
Owing to the adoption of the above scheme, the invention has the following beneficial effects:
(1) Strong scalability. Because a cluster architecture is used, hot scaling is possible and there is no limit on the number of nodes.
(2) Strong isolation and good security. It breaks the restriction that one operating system can have only one programming environment and realizes the function of one operating system starting multiple programming environments.
(3) Security functions and deployment are simple.
4. Description of the drawings
The present invention is further described below with reference to the drawings and embodiments.
Fig. 1 is the architecture diagram of the present invention. Fig. 2 is the program flow chart of the present invention.
In the figures: 1. nginx reverse proxy; 2. server cluster; 3. NFS server; 4. cluster node; 5. JupyterHub; 6. NFS client; 7. Docker.
5. Detailed description of the invention
The preferred embodiments of the present invention are described in detail below with reference to the drawings, so that the advantages and features of the invention are more easily understood by those skilled in the art and the scope of protection of the invention is defined more clearly.
Fig. 2 is the flow chart of a specific embodiment of the invention; with reference to Fig. 1, the steps are described in detail for a cluster of three nodes.
In step 401, the user logs in to the website, writes programming code on the page and submits it.
In step 402, the Nginx reverse proxy performs load balancing and distributes the request to a JupyterHub instance. JupyterHub is used to start the Docker image in which the user's code is processed. Docker allows developers to package their application and its dependencies into a portable container built from an image file, which can then be published to any popular Linux machine; it can also be used to realize virtualization. Containers are fully sandboxed and have no interface to one another. Here the code execution environment is packaged in Docker, thereby achieving isolation of the user's programming environment and data.
In step 403, it is judged whether the user's image has already been started. If it has, proceed to step 405; if not, proceed to step 404.
In step 404, Docker starts the image to serve as the user's processing environment.
In step 405, the code submitted by the user is executed by the processing environment.
In step 406, the result of the user's program is saved through the NFS system and returned to the user.
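The launch path of steps 403 through 406 can be written out as follows. This is an added example, not code from the patent; the NFS root `/nfs/users`, the image name `online-ide:latest`, the mount target `/home/work` and the container uid are assumptions. Beyond the patent's own step list, it adds what a deployer would want at this point: the user name is validated so the mounted folder can never escape the shared NFS export into another user's folder or a host directory, and the container is started as a non-root user with no capabilities, a read-only image filesystem and resource limits.

```python
import posixpath
import re

# Constructed values for this example; the patent names none of them.
NFS_USER_ROOT = "/nfs/users"      # shared NFS export, one folder per user
IMAGE = "online-ide:latest"       # image holding the packaged programming environment
USER_RE = re.compile(r"[a-z][a-z0-9_-]{0,31}")

def user_folder(user: str) -> str:
    """Map a user name to its unique folder under the NFS root; the name is
    validated and the path re-checked so '../other' can never be mounted."""
    if not USER_RE.fullmatch(user):
        raise ValueError(f"invalid user name: {user!r}")
    path = posixpath.normpath(posixpath.join(NFS_USER_ROOT, user))
    if posixpath.dirname(path) != NFS_USER_ROOT:
        raise ValueError("user folder escapes the NFS root")
    return path

def is_valid_user(user: str) -> bool:
    try:
        user_folder(user)
        return True
    except ValueError:
        return False

def container_name(user: str) -> str:
    return f"ide-{user}"

def decide(user: str, running: set) -> str:
    """Steps 403/404: reuse the user's running container, otherwise start one."""
    return "reuse" if container_name(user) in running else "start"

def launch_args(user: str) -> list:
    """Build the `docker run` argument vector for one user's environment. Only
    the user's own NFS folder is writable; the rest is locked down."""
    folder = user_folder(user)   # the NFS folder must be owned by the uid below
    return [
        "docker", "run", "-d", "--name", container_name(user),
        "--mount", f"type=bind,source={folder},target=/home/work",
        "--read-only",                              # image filesystem immutable
        "--tmpfs", "/tmp:rw,noexec,nosuid,size=64m",
        "--cap-drop", "ALL",                        # no Linux capabilities
        "--security-opt", "no-new-privileges",      # setuid binaries cannot escalate
        "--user", "1000:1000",                      # tenant code never runs as root
        "--memory", "512m", "--pids-limit", "256",  # bound resource abuse
        IMAGE,
    ]
```

Step 406 needs no extra work in this design: whatever the user's program writes under `/home/work` lands in their folder on the NFS export and is still there the next time their container is started.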
The foregoing are only embodiments of the invention and do not thereby limit the scope of the claims of the invention; every equivalent structure or equivalent flow change made using the content of the description and drawings of the invention, or its direct or indirect application in other related technical fields, is likewise included in the scope of patent protection of the invention.
Claims (2)
1. A method for realizing user isolation in an online programming environment, comprising: setting up a server cluster; using the Docker container engine to remotely start images, one image per user, which is started when the user begins using the system and stopped when the user exits; using Docker Swarm to manage the Docker cluster; using NFS to preserve files and enabling multiple nodes to access the same file system so that user files are preserved; and giving each user a unique folder, which is mounted when the container starts.
2. The method according to claim 1, characterized in that: the programming environment is packaged in a Docker image so that users can program online in an isolated environment; and NFS is used to mount the folder, thereby achieving the purpose of preserving user data.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610111429.7A CN105808240A (en) | 2016-03-01 | 2016-03-01 | Method for realizing user isolation under online programming environment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105808240A true CN105808240A (en) | 2016-07-27 |
Family
ID=56465896
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610111429.7A Pending CN105808240A (en) | 2016-03-01 | 2016-03-01 | Method for realizing user isolation under online programming environment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105808240A (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103218175A (en) * | 2013-04-01 | 2013-07-24 | 无锡成电科大科技发展有限公司 | Multi-tenant cloud storage platform access control system |
CN105187500A (en) * | 2015-08-07 | 2015-12-23 | 浪潮(北京)电子信息产业有限公司 | Container-based distributed storage system deployment method |
Non-Patent Citations (6)
Title |
---|
DOCKER: "Docker介绍以及其相关术语、底层原理和技术", 《HTTP://WWW.OPENOPEN.COM/LIB/VIEW/OPEN1413190983463.HTML》 * |
DOCKER: "DockOne技术分享(四十):用Docker和Git搭建在线开发环境", 《HTTP://DOCKONE.IO/ARTICLE/930》 * |
DOCKER: "IFTTT在开发环境中使用Docker的经验", 《HTTP://WWW.OPENOPEN.COM/LIB/VIEW/OPEN1445474771663.HTML》 * |
DOCKER: "浅析Docker架构、原理及实例配置演示", 《HTTP://WWW.OPENOPEN.COM/LIB/VIEW/OPEN1423626069295.HTML》 * |
SWARM: "深入浅出Swarm,Docker集群的管理工具", 《HTTP://WWW.OPENOPEN.COM/LIB/VIEW/OPEN1422240440794.HTML》 * |
卧雪SIRK: "使用docker搭建nfs实现容器间共享文件", 《HTTPS://WWW.CNBLOGS.COM/VIMSK/P/5193413.HTML》 * |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108092936A (en) * | 2016-11-22 | 2018-05-29 | 北京计算机技术及应用研究所 | A kind of Host Supervision System based on plug-in architecture |
CN107888708A (en) * | 2017-12-25 | 2018-04-06 | 山大地纬软件股份有限公司 | A kind of load-balancing algorithm based on Docker container clusters |
CN109104467A (en) * | 2018-07-25 | 2018-12-28 | 北京京东尚科信息技术有限公司 | Develop environment construction method, apparatus and plateform system and storage medium |
CN109104467B (en) * | 2018-07-25 | 2021-07-30 | 北京京东尚科信息技术有限公司 | Development environment construction method and device, platform system and storage medium |
CN110493175A (en) * | 2019-07-01 | 2019-11-22 | 联想(北京)有限公司 | A kind of information processing method, electronic equipment and storage medium |
CN110493175B (en) * | 2019-07-01 | 2020-09-25 | 联想(北京)有限公司 | Information processing method, electronic equipment and storage medium |
CN110769025A (en) * | 2019-09-06 | 2020-02-07 | 江苏中云科技有限公司 | Method for accelerating data index of multi-tenant-oriented cloud storage system |
CN110769025B (en) * | 2019-09-06 | 2022-04-22 | 江苏中云科技有限公司 | Method for accelerating data index of multi-tenant-oriented cloud storage system |
CN111708732A (en) * | 2020-05-07 | 2020-09-25 | 深圳震有科技股份有限公司 | File reading and writing method, intelligent terminal and storage medium |
CN112115492A (en) * | 2020-08-21 | 2020-12-22 | 麒麟软件有限公司 | User data encryption and isolation method and system based on Linux operating system |
CN112115492B (en) * | 2020-08-21 | 2024-06-11 | 麒麟软件有限公司 | User data encryption and isolation method and system based on Linux operating system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
WD01 | Invention patent application deemed withdrawn after publication | ||
Application publication date: 20160727