CN105893849B - Patch distribution method under a virtualization platform - Google Patents


Info

Publication number: CN105893849B
Authority: CN (China)
Prior art keywords: virtual machine, patch, server, secure, data
Legal status: Active
Application number: CN201610192909.0A
Other languages: Chinese (zh)
Other versions: CN105893849A (en)
Inventors: 党燕平, 赵亮, 阳晓宇, 刘生
Current Assignee: Beijing VRV Software Corp Ltd
Original Assignee: Beijing VRV Software Corp Ltd

Application filed by Beijing VRV Software Corp Ltd
Priority to CN201610192909.0A
Publication of CN105893849A
Application granted
Publication of CN105893849B

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57: Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577: Assessing vulnerabilities and evaluating computer system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a patch distribution method under a virtualization platform. A virtualization platform is built on a host and virtual machines are installed in the virtualization platform. The method further includes the following steps. S1: install a secure virtual machine on the host, set up an nginx server on the secure virtual machine, configure the reverse proxy module and cache module of the nginx server, and connect the nginx server to the patch server; S2: a virtual machine requests patch data from the secure virtual machine through a security agent; S3: the secure virtual machine distributes patch data to the virtual machine through the nginx server. In a virtualized environment, the invention provides a comprehensive, fast and efficient patch distribution method for virtual machines running the Windows operating system, reduces the impact of patch distribution on network load, reduces network bandwidth usage, and avoids the security risk that arises when vulnerabilities cannot be remediated because patches are not distributed in time.

Description

Patch distribution method under a virtualization platform
Technical field
The present invention relates to virtual machine technology under a virtualization platform, and specifically to a patch distribution method under a virtualization platform.
Background
In a virtualized environment, for example one running Windows systems, remediating known vulnerabilities in Windows virtual machines remains an important part of security protection and virtual machine hardening, and patch distribution is the prerequisite for vulnerability remediation.
At present, vulnerability remediation in virtualized environments still follows the approach used for traditional physical computer systems. That is, remediation of a Windows terminal depends on centralized management by a control end which, in cooperation with an agent deployed on the terminal, distributes patches to terminals one by one and then completes the remediation. Carrying this traditional approach over to virtualized environments causes problems.
Under a virtualization platform, one physical host can carry multiple virtual machines, and up to ten million virtual machines may be deployed across an entire production environment. The traditional remediation approach therefore not only fails to make full use of the characteristics and advantages of virtualization technology, but also easily degrades the user experience of the virtual machines and can even introduce security risks. This shows mainly in the following two points:
First, the control end distributes patches to a large number of virtual machines one by one, which occupies a large amount of network bandwidth. This can seriously affect network performance, even cause a network storm, and degrade the user experience of the virtual machines;
Second, the traditional remediation approach cannot distribute patches to virtual machines that are powered off or to virtual machine templates, so the virtual machines and templates that have not received patches carry security risks.
Therefore, how to avoid the impact of patch distribution on virtual machine user experience, and how to avoid the security risks that patch distribution may bring, has become a problem that those skilled in the art urgently need to solve and a focus of their research.
Summary of the invention
To solve the problems of patch distribution in existing virtualized environments, such as heavy use of network bandwidth and possible security risks, the invention discloses a patch distribution method under a virtualization platform that avoids occupying large amounts of network bandwidth, improves network performance, and avoids the security risks that can arise during patch distribution.
To achieve the above technical purpose, the invention discloses a patch distribution method under a virtualization platform. A virtualization platform is built on a host and virtual machines are installed in the virtualization platform. The method further includes the following steps:
S1: install a secure virtual machine on the host, set up an nginx server on the secure virtual machine, configure the reverse proxy module and cache module of the nginx server, and connect the nginx server to the patch server;
S2: a virtual machine requests patch data from the secure virtual machine through a security agent;
S3: the secure virtual machine distributes patch data to the virtual machine through the nginx server.
With the above patch distribution method, the invention changes patch distribution from a control end distributing patches to a large number of virtual machines at the same time into secure virtual machines distributing patches to the virtual machines deployed on the same host. The nginx server of each secure virtual machine is responsible for only a few virtual machines, and all the secure virtual machines together complete the patch distribution work. The invention uses data exchange inside the host in place of data exchange that depends mostly on the physical network, which significantly reduces network load and greatly reduces the cost of patch distribution to network performance.
Further, in step S2, if the virtual machine is in the virtual machine template state, the secure virtual machine uses virtualization technology to remotely convert the virtual machine template into a virtual machine and power it on; the virtual machine then requests patch data from the secure virtual machine through the security agent.
Using virtualization technology, the invention makes it easy to remotely control conversion between templates and virtual machines in order to complete patch distribution. This makes the protection gap controllable and avoids the security risk that arises when patches cannot be distributed because a virtual machine has been converted into a template.
Further, in step S2, if the virtual machine is powered off, the secure virtual machine uses virtualization technology to power it on remotely; the virtual machine then requests patch data from the secure virtual machine through the security agent.
Using virtualization technology, the invention makes it easy to remotely power virtual machines on and off in order to complete patch distribution. This makes the protection gap controllable and avoids the security risk that arises when patches cannot be distributed because a virtual machine stays powered off for a long time.
Further, in step S3, if the cache module of the nginx server holds the patch data, the secure virtual machine distributes the patch to the virtual machine; if the cache module of the nginx server does not hold the patch data, the patch data is requested from the patch server through the reverse proxy module of the nginx server and stored in the cache module.
If the secure virtual machine has cached the corresponding patch data, it distributes the patch directly. If it has not yet cached the corresponding patch data, the reverse proxy function of nginx redirects the patch data request to the patch server that stores the patch data, and the patch data downloaded from the patch server is cached. A virtual machine can send a patch request to the secure virtual machine through its internally configured agent module; when the secure virtual machine receives the request and the cache module of its nginx server holds the patch data, it distributes the patch to the virtual machine.
Further, if the cache module of the nginx server holds the patch data, the secure virtual machine distributes the patch data to the virtual machine by data exchange inside the host.
Further, patch data is stored in the cache module of the nginx server.
Further, in step S2, a security agent module is configured in the virtual machine, and the virtual machine requests patch data from the secure virtual machine through the security agent module.
Further, one secure virtual machine is installed on each host.
Further, there are at least two virtual machines on the host, and one secure virtual machine distributes patches to the at least two virtual machines.
Further, the patch server is a network server on an external network platform or a server in the virtualization platform.
The beneficial effects of the invention are as follows: in a virtualized environment, the invention provides a comprehensive, fast and efficient patch distribution method for virtual machines running the Windows operating system, reduces the impact of patch distribution on network load and its use of network bandwidth, and avoids the security risk that arises when vulnerabilities cannot be remediated because patches are not distributed in time.
Brief description of the drawings
Fig. 1 is a flow chart of the patch distribution method under a virtualization platform.
Fig. 2 is a schematic diagram of the patch distribution method under a virtualization platform.
Detailed description of the embodiments
The patch distribution method under a virtualization platform of the invention is explained in detail below with reference to the accompanying drawings.
As shown in Figs. 1 and 2, the invention provides a patch distribution method under a virtualization platform. A virtualization platform is deployed on the host and virtual machines are installed in it; there are at least two virtual machines on the host, and one secure virtual machine distributes patches to the at least two virtual machines. The method further includes the following steps:
S1: a secure virtual machine is installed separately on the host, and an nginx server is set up, installed and configured on the secure virtual machine. Configuration mainly covers the reverse proxy module and cache module of the nginx server, so that the nginx server has reverse proxy and caching functions. The nginx server is connected to the patch server, and a secure virtual machine agent module is deployed in each virtual machine to implement the secure virtual machine agent function. In this embodiment, one secure virtual machine is installed on each host and the cache module of the configured nginx server holds patch data; this data can be obtained in advance from the patch server, or stored in the cache module by other means.
S2: the virtual machine requests patch data from the secure virtual machine through the security agent. More specifically, the invention configures a security agent module in the virtual machine, and the virtual machine requests patch data from the secure virtual machine through the security agent module.
The following cases are considered here:
If the virtual machine is in the virtual machine template state, the secure virtual machine remotely converts the virtual machine template into a virtual machine and powers it on. The virtual machine then requests patch data from the secure virtual machine through its internally configured agent module, and finally the secure virtual machine distributes the patch to the virtual machine through the nginx server.
If the virtual machine is powered off, the secure virtual machine uses virtualization technology to power it on remotely. The virtual machine then requests patch data from the secure virtual machine through its internally configured agent module, and the nginx server distributes the patch to the virtual machine.
S3: the secure virtual machine distributes patch data to the virtual machine through the nginx server; the nginx server sends patch requests to the patch server through the reverse proxy module and stores the patches it obtains in the cache module. The following cases are considered here:
If the cache module of the secure virtual machine holds the patch data, the nginx server distributes the patch to the virtual machine directly. In the invention, patch distribution from the nginx server to the virtual machines no longer depends on the physical network; it takes place directly through data exchange inside the host, which avoids using network bandwidth, improves network speed and improves user experience.
If the cache module does not hold the patch data, the patch data is requested from the patch server through the reverse proxy module of the nginx server and stored in the cache module.
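The reverse proxy and cache configuration that steps S1 and S3 describe could look like the following on the secure virtual machine. This is an added example, not configuration from the patent; the listen address, guest subnet, upstream hostname, certificate path, cache path and sizes are all assumed values.

```nginx
# Added example: nginx on the secure virtual machine as a caching reverse
# proxy in front of the patch server. Every name, address, path and size
# below is an assumption for illustration.

events {}

http {
    # On-disk patch store: the "cache module" configured in step S1.
    proxy_cache_path /var/cache/nginx/patches levels=1:2
                     keys_zone=patch_cache:50m max_size=50g
                     inactive=30d use_temp_path=off;

    upstream patch_server {
        server patch-server.example.internal:443;   # assumed patch server
    }

    server {
        # Assumed host-internal address, reachable only by VMs on this host.
        listen 192.168.100.1:8080;

        # Only guests on the assumed host-internal subnet may request patches.
        allow 192.168.100.0/24;
        deny  all;

        location /patches/ {
            # Patch distribution is read-only (GET also permits HEAD).
            limit_except GET { deny all; }

            # Cache miss path of step S3: fetch from the patch server over
            # TLS and verify its certificate before anything is cached.
            proxy_pass https://patch_server;
            proxy_set_header Host patch-server.example.internal;
            proxy_ssl_server_name on;
            proxy_ssl_name patch-server.example.internal;
            proxy_ssl_verify on;
            proxy_ssl_trusted_certificate /etc/nginx/patch-ca.pem;

            # Cache hit path of step S3: serve stored patches locally.
            proxy_cache patch_cache;
            proxy_cache_key $uri;            # one cache entry per patch file
            proxy_cache_valid 200 30d;       # keep good responses
            proxy_cache_valid any 1m;        # do not pin upstream errors

            # When several VMs ask for the same uncached patch at once, send
            # one request upstream and let the rest wait for the cache fill.
            proxy_cache_lock on;
            proxy_cache_lock_timeout 10m;

            # Keep serving cached patches if the patch server is unreachable.
            proxy_cache_use_stale error timeout updating;

            # HIT / MISS / STALE, for checking that repeat requests stay local.
            add_header X-Cache-Status $upstream_cache_status always;
        }
    }
}
```

Because every virtual machine on the host receives whatever this cache holds, the security agent in each guest should still verify the patch's signature before installing it.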
The innovation of the invention lies in using a secure virtual machine with an nginx server installed: the reverse proxy and caching functions of nginx reduce network load, and virtualization technology makes the protection gap controllable. The secure virtual machine of the invention should be understood as a virtual machine that can remotely control the virtual machines or templates under the virtualization platform through virtualization technology and that is mainly used for patch distribution. The host is understood as a physical computer or physical node on which the virtualization platform is deployed and which carries virtual machines running Windows or other operating systems. The patch server is the server that stores the patch data; it may be a network server on an external network platform or a server in the virtual environment. The secure virtual machine of the invention stores a certain amount of patch data for a certain period of time; after all the patch data has been distributed, it can request patch data from the patch server again.
The above is only a preferred embodiment of the invention and is not intended to limit it; any modification, equivalent replacement or simple improvement made within the substance of the invention shall fall within its scope of protection.

Claims (5)

1. A patch distribution method under a virtualization platform, in which a virtualization platform is built on a host and virtual machines are installed in the virtualization platform, characterized in that the method further includes the following steps:
S1: install one secure virtual machine on each host, set up an nginx server on the secure virtual machine, configure the reverse proxy module and cache module of the nginx server, and connect the nginx server to the patch server;
S2: configure a security agent module in the virtual machine; the virtual machine requests patch data from the secure virtual machine through the security agent, including: when the virtual machine is in the virtual machine template state, the secure virtual machine uses virtualization technology to remotely convert the virtual machine template into a virtual machine and power it on, and the virtual machine then requests patch data from the secure virtual machine through the security agent; when the virtual machine is powered off, the secure virtual machine uses virtualization technology to power it on remotely, and the virtual machine then requests patch data from the secure virtual machine through the security agent;
S3: the secure virtual machine distributes patch data to the virtual machine through the nginx server.
2. The patch distribution method under a virtualization platform according to claim 1, characterized in that: in step S3, if the cache module of the nginx server holds the patch data, the secure virtual machine distributes the patch to the virtual machine; if the cache module of the nginx server does not hold the patch data, the patch data is requested from the patch server through the reverse proxy module of the nginx server and stored in the cache module.
3. The patch distribution method under a virtualization platform according to claim 2, characterized in that: if the cache module of the nginx server holds the patch data, the secure virtual machine distributes the patch data to the virtual machine by data exchange inside the host.
4. The patch distribution method under a virtualization platform according to claim 1, characterized in that: there are at least two virtual machines on the host, and one secure virtual machine distributes patches to the at least two virtual machines.
5. The patch distribution method under a virtualization platform according to claim 1, characterized in that: the patch server is a network server on an external network platform or a server in the virtualization platform.
CN201610192909.0A 2016-03-30 2016-03-30 Patch distribution method under a virtualization platform Active CN105893849B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610192909.0A CN105893849B (en) 2016-03-30 2016-03-30 Patch distribution method under a virtualization platform

Publications (2)

Publication Number Publication Date
CN105893849A CN105893849A (en) 2016-08-24
CN105893849B true CN105893849B (en) 2019-06-21

Family

ID=57014443

Country Status (1)

Country Link
CN (1) CN105893849B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110266822B (en) * 2019-07-23 2022-02-25 浪潮云信息技术股份公司 Shared load balancing implementation method based on nginx

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102999369A (en) * 2012-12-25 2013-03-27 杭州华三通信技术有限公司 Method and device for upgrading virtual machines
CN104504339A (en) * 2014-12-24 2015-04-08 北京奇虎科技有限公司 Virtualization security detection method and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8412945B2 (en) * 2011-08-09 2013-04-02 CloudPassage, Inc. Systems and methods for implementing security in a cloud computing environment

Also Published As

Publication number Publication date
CN105893849A (en) 2016-08-24

Similar Documents

Publication Publication Date Title
US11909649B2 (en) Efficiently managing network traffic
US10884806B1 (en) Systems and methods of optimized tuning of resources
US20190065278A1 (en) Tenant-specific policy generation and enforcement within containers
CN101950253B (en) Method for upgrading optical module firmware in optical network unit by utilizing WEB webpage interface
CN105553741A (en) Automatic deployment method for application system based on cloud computing
CN105323282A (en) Enterprise application deployment and management system for multiple tenants
CN104537119B (en) A kind of data cached update method, data use end and system
CN105359459A (en) Method, apparatus and system for virtualizing network management system
CN104216741A (en) Android plug-in implementation method and device based on APK (Android Package) dynamic loading and interaction method
CN102158853A (en) Method and device for managing download of mobile communication equipment terminal browser
CN102195798B (en) A kind of method and system of optical network unit of upgrading
CN104219329A (en) Method for deploying service through content distribution in cluster server
CN103209189A (en) Distributed file system-based mobile cloud storage safety access control method
CN106528207A (en) Program updating method for vehicle-mounted device of train and vehicle-mounted device of train
CN103810444A (en) Method and system for multi-tenant application isolation in cloud computing platform
CN102981888A (en) Virtualization implementing method for Power server
CN107484226A (en) Airborne wireless access server
CN105893849B (en) Patch distribution method under a virtualization platform
CN103077061A (en) Installing method of application software in Android equipment and system
CN106020906A (en) Client side hot updating method based on Cordova
CN104571930A (en) Management method and management system of security domain storage spaces as well as multi-application open platform device
US20180270133A1 (en) Assuring policy impact before application of policy on current flowing traffic
CN107517126B (en) Method for installing network equipment in batches
CN105357056A (en) Strategy-based EOC central office end equipment upgrading method
CN102420870A (en) Network file storage method for thin client

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant