CN107480509A - Method, system, device and storage medium for an O&M security audit system logging in to a container - Google Patents

Publication number: CN107480509A
Application number: CN201710863832.XA
Authority: CN (China)
Other languages: Chinese (zh)
Legal status (as listed by Google Patents; an assumption, not a legal conclusion): Pending
Prior art keywords: container, host, auditing system, safety auditing, user
Inventors: 徐楷, 雷兵, 凌云, 江榕, 余本华
Current assignee (as listed by Google Patents; may be inaccurate): Ctrip Travel Network Technology Shanghai Co Ltd
Original assignee: Ctrip Travel Network Technology Shanghai Co Ltd


Classifications

    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
              • G06F21/31 User authentication
                • G06F21/41 User authentication where a single sign-on provides access to a plurality of computers
            • G06F21/60 Protecting data
              • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
                • G06F21/6218 Protecting access to data via a platform, to a system of files or objects, e.g. local or distributed file system or database
          • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
            • G06F16/20 Information retrieval of structured data, e.g. relational data
              • G06F16/24 Querying
                • G06F16/242 Query formulation
                  • G06F16/2433 Query languages
                    • G06F16/2448 Query languages for particular applications; for extensibility, e.g. user defined types
          • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements
              • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The invention provides a method, system, device and storage medium by which an O&M security audit system logs in to a container. The method comprises: the O&M security audit system obtains a user's container access request, which contains first identification information of the container the user wants to access; the O&M security audit system obtains, from a container information storage database, the host information corresponding to the requested container and the second identification information of that container on the corresponding host; the O&M security audit system logs in to the host over the SSH protocol; and the host authorizes the user to log in to the corresponding container according to the second identification information. With this scheme the container image no longer needs to bundle an SSHD service and the container itself no longer needs to manage a key pair, so unnecessary process management and packaging are avoided and the container's management cost is reduced. At the same time, authorization of the container, security control of the login and auditing of operations are all handled by the O&M security audit system, which safeguards the container throughout its use.

Description

Method, system, device and storage medium for an O&M security audit system logging in to a container
Technical field
The present invention relates to the technical field of container images, and in particular to a method, system, device and storage medium by which an O&M security audit system logs in to a container, which reduces container maintenance cost while ensuring the security of container logins.
Background technology
With the rapid development of Internet information technology, information systems and networking products of every kind emerge endlessly. In large and medium-sized organizations in particular, rapidly built IT systems are expanding from traditional closed business systems into large-scale key business systems, the range of application types involved keeps growing, and the use of containers by large enterprises has increasingly become a development trend. The most common container technology at present is docker, an open-source engine that can easily create a lightweight, portable, self-contained container for any application. Containers use a sandbox mechanism throughout and have no interface to one another.
At present docker is mainly docker on linux. In order for container login control to meet the enterprise's production server security management standards, the prior art packages an SSHD service inside the container: the user requests a login to the container with a key, and the container verifies the key with its SSHD service to decide whether the user may log in. The SSHD service is based on SSH (Secure Shell), a protocol that is currently reliable and is designed to provide security for remote login sessions and other network services. Docker containers are created from Docker images, so with this approach the corresponding SSHD service must also be packaged into the container image.
However, with this technique the container must maintain a key pair and an SSHD service process, and the container's login procedure is the same as that of an ordinary linux server, which increases the container's own cost and makes the login approach inflexible.
Summary of the invention
In view of the problems in the prior art, the object of the present invention is to provide a method, system, device and storage medium by which an O&M security audit system logs in to a container, reducing the cost of maintaining key pairs and SSHD services in containers while making containers compatible with login through the O&M security audit system.
An embodiment of the present invention provides a secure container login method comprising the following steps:
the O&M security audit system obtains a user's container access request, the container access request including first identification information of the container the user wants to access;
the O&M security audit system sends a data query request to a container information storage database, and obtains from the container information storage database the host information corresponding to the container the user requests to access and the second identification information of that container on the corresponding host;
the O&M security audit system logs in to the host over the SSH protocol;
a command authorizing the user to log in is executed on the host, and the user is authorized to log in to the container corresponding to the second identification information.
Optionally, the first identification information of the container is the container's IP address, the second identification information of the container is the container's ID, and the host information obtained from the container information storage database is the host's IP address.
Optionally, an SSHD service is deployed on the host;
and the O&M security audit system logging in to the host over the SSH protocol comprises the following steps:
the O&M security audit system sends a login request to the host over the SSH protocol;
the host verifies the key or password in the login request of the O&M security audit system;
if verification passes, the host allows the O&M security audit system to log in;
if verification fails, the host refuses the login of the O&M security audit system.
Optionally, the host executes a docker exec command according to the second identification information of the container, authorizing the user to log in to the corresponding container.
Optionally, when the user exits the container login, the host login is exited as well.
Optionally, the host replaces its shell process with the process in which the user is logged in to the container.
Optionally, the host prefixes the command that authorizes the user to log in to the container with exec, so that the process in which the user is logged in to the container replaces the host's shell process.
Optionally, the method further comprises the following steps:
the O&M security audit system authenticates the user who sent the container access request;
if verification passes, proceed to the step in which the O&M security audit system sends a data query request to the container information storage database;
if verification fails, the O&M security audit system refuses the user's container access request.
Optionally, the O&M security audit system exchanges data with the container information storage database through the database's application programming interface.
Optionally, the correspondence between hosts and containers in the container information storage database, and the second identification information of each container on its host, are updated in real time as containers are scheduled in real time;
and the O&M security audit system obtains, through the application programming interface of the container information storage database, the host information corresponding to the container the user requests to access at the current time and the second identification information of that container on the corresponding host.
Optionally, the O&M security audit system records and audits the user's operation data inside the container.
An embodiment of the present invention also provides a container login system for an O&M security audit system, for implementing the container login method described above. The system includes a container information store, for storing the correspondence between hosts and containers and the second identification information of each container included in each host; and an O&M security audit system comprising: an access request acquisition module, for obtaining the user's container access request, the container access request including the first identification information of the container the user wants to access; a container information query module, for sending a data query request to the container information storage database and obtaining from it the host information corresponding to the container the user requests to access and the second identification information of that container on the corresponding host; and a host login module, for logging in to the host over the SSH protocol, executing on the host the command that authorizes the user to log in, and authorizing the user to log in to the container corresponding to the second identification information.
Optionally, the O&M security audit system further includes an identity verification module, for authenticating the user who sent the container access request; if verification passes, proceed to the step in which the O&M security audit system sends the data query request to the container information storage database; if verification fails, the O&M security audit system refuses the user's container access request.
Optionally, the host replaces its shell process with the process in which the user is logged in to the container, so that when the user exits the container login the host login is exited as well.
An embodiment of the present invention also provides a container login device for an O&M security audit system, including a processor and a memory storing instructions executable by the processor;
wherein the processor is configured to perform, by executing the executable instructions, the steps of the container login method described above.
An embodiment of the present invention also provides a computer-readable storage medium for storing a program, characterized in that when the program is executed it implements the steps of the container login method described above.
It should be understood that the above general description and the following detailed description are exemplary and explanatory only and do not limit the disclosure.
The method, system, device and storage medium provided by the present invention have the following advantages:
by deploying an SSHD service on the host, the O&M security audit system first logs in to the host corresponding to the container and then lets the user log in to the container through the host. The container image no longer needs to bundle an SSHD service, and the container itself no longer needs to manage a key pair, which avoids unnecessary process management and packaging and reduces the container's management cost. At the same time, the present invention makes containers compatible with login through the O&M security audit system, so that authorization of the container, security control of the login and auditing of operations are all handled by the O&M security audit system, safeguarding the container throughout its use.
Brief description of the drawings
Other features, objects and advantages of the present invention will become more apparent from reading the following detailed description of non-limiting embodiments with reference to the drawings.
Fig. 1 is a flowchart of the container login method of the O&M security audit system according to one embodiment of the invention;
Fig. 2 is a schematic diagram of the correspondence between hosts and containers in the container information storage database according to one embodiment of the invention;
Fig. 3 is a flowchart of the O&M security audit system logging in to the host according to one embodiment of the invention;
Fig. 4 is a sequence diagram of the container login method of the O&M security audit system according to a specific example of the invention;
Fig. 5 is a schematic structural diagram of the container login system of the O&M security audit system according to one embodiment of the invention;
Fig. 6 is a schematic structural diagram of the O&M security audit system according to one embodiment of the invention;
Fig. 7 is a schematic structural diagram of the container login device of the O&M security audit system according to one embodiment of the invention;
Fig. 8 is a schematic structural diagram of the computer-readable storage medium according to one embodiment of the invention.
Detailed description
Example embodiments will now be described more fully with reference to the drawings. Example embodiments may, however, be implemented in many forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that the disclosure is thorough and complete and fully conveys the concept of the example embodiments to those skilled in the art. The described features, structures or characteristics may be combined in any suitable manner in one or more embodiments.
In addition, the drawings are merely schematic illustrations of the disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, so their repeated description is omitted. Some of the blocks shown in the drawings are functional entities that do not necessarily correspond to physically or logically independent entities. These functional entities may be implemented in software, in one or more hardware modules or integrated circuits, or in different network and/or processor devices and/or microcontroller devices.
To solve the problem of connecting an O&M security audit system to lightweight docker containers without packaging SSHD into the container image, and to reduce the cost of maintaining login keys and SSH services, the present invention provides a scheme for logging in through the O&M security audit system based on container parameters.
As shown in Fig. 1, a flowchart of the container login method of the O&M security audit system according to one embodiment of the invention, the method comprises the following steps:
S100: the O&M security audit system obtains the user's container access request, which includes the first identification information of the container the user wants to access;
S200: the O&M security audit system sends a data query request to the container information storage database, and obtains from it the host information corresponding to the container the user requests to access and the second identification information of that container on the corresponding host;
S300: the O&M security audit system logs in to the host over the SSH protocol;
SSH is the abbreviation of Secure Shell, standardized by the IETF Network Working Group. SSH is a security protocol built at the application layer and is currently one of the more reliable protocols designed to provide security for remote login sessions and other network services; using it effectively prevents information leakage during remote management. With SSH all transmitted data can be encrypted, so that a man-in-the-middle attack cannot succeed as long as the client verifies the server's host key, and the same host-key verification defeats DNS spoofing and IP spoofing. A further benefit is that the transmitted data can optionally be compressed, which may speed up transmission. SSH has many uses: it can replace Telnet, and it can also provide a secure tunnel for FTP, POP and even PPP.
S400: a command authorizing the user to log in is executed on the host, and the user is authorized to log in to the container corresponding to the second identification information.
Further, the first identification information of the container may be the container's IP address, the second identification information of the container may be the container's ID, and the information the O&M security audit system obtains from the container information storage database is the IP address of the corresponding host. That is, the user makes the request based on the container's IP address. On receiving an access request containing the container's IP address, the O&M security audit system queries the container information storage database by that IP address. The database stores the information of each host and of the containers each host includes, so the host's IP address and the container's ID on that host can be obtained from it. The O&M security audit system can therefore request a login to the host by the host's IP address and, after logging in to the host, run the command that authorizes the user's login according to the container ID, so that the user can enter the container and perform the corresponding operations.
Therefore, with the scheme of the present invention it is only necessary to deploy the SSHD service on the host; no SSHD service needs to be deployed in the container, the container image does not need to package and install SSHD, and no key pair needs to be managed in the container, which avoids unnecessary process management and packaging and reduces the container's management cost.
Fig. 2 shows the correspondence between containers and hosts stored in the container information storage database. Each host may include multiple containers, and the set of containers each host includes is not necessarily fixed: for example, the user can schedule containers through Mesos (a general-purpose cluster manager), so the same container can float dynamically between different hosts recorded in the same store, as along the dotted arrows in the figure. Optionally, the container information storage database provides an application programming interface (API) that allows the O&M security audit system to query the latest records. An API is the agreed contract by which different parts of a software system connect; since software has grown ever larger in scale and usually has to be split into smaller parts to manage its complexity, the design of these interfaces is particularly important: good interface design reduces the interdependence of components, raises the cohesion of component units and lowers the coupling between them, improving the system's maintainability and extensibility. In other words, the second identification information of a container on its host (for example the container ID, but not limited to this) can be updated in real time as the container is scheduled, and the O&M security audit system can obtain, through the API of the container information storage database, the host information corresponding to the container the user requests to access at the current time and the second identification information of that container on the corresponding host.
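The following is an added example, not code from the patent, of how steps S100 to S400 look on the audit-system side against a store shaped like Fig. 2. An in-memory sqlite3 table stands in for the container information storage database; the host addresses, container IDs, account names and identifier formats are assumed values. It also shows the check a practitioner would add: every value that ends up in the remote SSH command is validated, because sshd hands that command to a shell on the host.

```python
"""Bastion-side implementation of steps S100-S400 against a Fig. 2-style store.

Added example, not code from the patent: an in-memory sqlite3 table stands in
for the container information storage database, and the host addresses,
container IDs, account names and ID format below are assumed values.
"""
import re
import shlex
import sqlite3

# Assumed identifier formats: dotted-quad IPv4 for hosts and containers, and
# Docker-style hex container IDs (12-character short form up to the 64-char full ID).
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
CONTAINER_ID_RE = re.compile(r"^[0-9a-f]{12,64}$")
UNIX_USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def open_store():
    """Create the container information store of Fig. 2: one row per container,
    naming the host it currently runs on. A scheduler rewrites the row when it
    moves the container, so a lookup always reflects the current placement."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE placement ("
        " container_ip TEXT PRIMARY KEY,"   # first identification information
        " host_ip      TEXT NOT NULL,"
        " container_id TEXT NOT NULL,"      # second identification information
        " updated_at   INTEGER NOT NULL)"
    )
    return db


def record_placement(db, container_ip, host_ip, container_id, updated_at):
    """Scheduler hook: (re)place a container. INSERT OR REPLACE keeps exactly
    one row per container IP, so a stale placement never survives a move."""
    db.execute(
        "INSERT OR REPLACE INTO placement VALUES (?, ?, ?, ?)",
        (container_ip, host_ip, container_id, updated_at),
    )
    db.commit()


def lookup(db, container_ip):
    """Step S200: container IP -> (host IP, container ID), or None if unknown."""
    return db.execute(
        "SELECT host_ip, container_id FROM placement WHERE container_ip = ?",
        (container_ip,),
    ).fetchone()


def build_login_argv(host_ip, container_id, container_user="root",
                     host_account="bastion"):
    """Steps S300/S400: the argv the audit system hands to ssh.

    The remote command is prefixed with the shell builtin `exec` so that the
    docker exec process replaces the login shell on the host. Every value
    placed into the remote command is validated first: sshd runs that command
    through the account's shell, so an unvalidated container ID or user name
    coming from the store would be a command-injection path into the host."""
    if not IPV4_RE.match(host_ip):
        raise ValueError("bad host IP: %r" % host_ip)
    if not CONTAINER_ID_RE.match(container_id):
        raise ValueError("bad container ID: %r" % container_id)
    if not UNIX_USER_RE.match(container_user):
        raise ValueError("bad container user: %r" % container_user)
    remote = "exec docker exec -ti %s --user %s sh" % (
        shlex.quote(container_id), shlex.quote(container_user))
    return ["ssh", "-t", "%s@%s" % (host_account, host_ip), remote]


def handle_access_request(db, container_ip, container_user="root"):
    """S100 to S400 for a user who has already authenticated to the audit system."""
    if not IPV4_RE.match(container_ip):
        raise ValueError("bad container IP: %r" % container_ip)
    row = lookup(db, container_ip)
    if row is None:
        raise LookupError("no host currently runs a container at %s" % container_ip)
    host_ip, container_id = row
    return build_login_argv(host_ip, container_id, container_user)


if __name__ == "__main__":
    store = open_store()
    # Constructed placements: container 1.1.1.1 starts on one host and is then
    # rescheduled to another; the second record supersedes the first.
    record_placement(store, "1.1.1.1", "10.0.0.11", "3f2a9c1b4d6e", 1)
    record_placement(store, "1.1.1.1", "10.0.0.12", "9e8d7c6b5a4f", 2)
    print(handle_access_request(store, "1.1.1.1"))
```

The returned argv is what the audit system would pass to its SSH client; the example stops short of opening the connection. Rejecting a container ID such as `9e8d7c6b5a4f; id` is the important part: the store is populated by the scheduler, and anything that can write to it would otherwise be able to run commands on every host the audit system's privileged account can reach.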
As shown in Fig. 3, further, since an SSHD service is deployed on the host, the O&M security audit system logging in to the host over the SSH protocol comprises the following steps:
S310: the O&M security audit system sends a login request to the host over the SSH protocol; the login request must carry the SSH key or password held by the O&M security audit system; using the SSH protocol effectively prevents information leakage during remote management.
S320: the host verifies the key or password in the login request of the O&M security audit system; because the SSHD service is deployed on the host, the host can check the correctness of the key or password and thereby judge whether the O&M security audit system is permitted to log in;
S330: if verification passes, the host allows the O&M security audit system to log in, and the O&M security audit system can then execute the command that authorizes the user to log in to the container;
S340: if verification fails, the host refuses the login of the O&M security audit system, and the user consequently cannot log in to the container either, which protects the user login.
Further, the host executes a docker exec command according to the second identification information of the container, authorizing the user to log in to the corresponding container.
In practice, the host can execute the command exec docker exec -ti <container ID> --user root sh, where:
exec is placed before the docker command to prevent the user from obtaining host privileges after exiting the container, protecting the security of the host. That is, the host replaces its shell process with the docker exec -ti <container ID> --user root sh process, so that when the user exits the container login, the host login is exited as well.
-ti allocates a pseudo-terminal and keeps standard input open so that the session is interactive; <container ID> is the second identification information of the container, exemplified here by the container ID.
--user specifies the account under which the user enters the container. Note that whichever account the O&M security audit system uses on the host must be allowed to run docker exec, which is equivalent to root on that host, so its credential requires the same protection as a host root credential.
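The effect of the exec prefix described above can be seen without a Docker daemon. The following is an added demonstration, not code from the patent: a plain `sh -c 'echo inside'` stands in for `docker exec -ti <container ID> sh`, the host's login shell is a non-interactive `sh` fed the commands a session would type, and the trailing `echo back-on-host` represents anything a user could do on the host after leaving the container.

```python
"""Why the host prefixes the container login command with the shell builtin exec.

Added demonstration, not code from the patent. No Docker daemon is assumed:
`sh -c 'echo inside'` stands in for `docker exec -ti <container ID> sh`, and
the host's login shell is a non-interactive `sh` reading the commands of the
session from standard input.
"""
import subprocess


def host_session(container_login_command):
    """Feed the host shell the container login command followed by one more
    command that would run on the host. Returns the lines the session printed."""
    script = container_login_command + "\necho back-on-host\n"
    proc = subprocess.run(["sh"], input=script, capture_output=True,
                          text=True, check=False)
    return proc.stdout.splitlines()


def without_exec():
    """The container command runs as a child of the host shell: when the user
    leaves the container, the host shell is still there and keeps executing."""
    return host_session("sh -c 'echo inside'")


def with_exec():
    """The container command replaces the host shell: when the user leaves the
    container the session ends, and nothing further can run on the host."""
    return host_session("exec sh -c 'echo inside'")


if __name__ == "__main__":
    print("without exec:", without_exec())  # ['inside', 'back-on-host']
    print("with exec:   ", with_exec())     # ['inside']
```

In a deployment the same restriction can also be enforced from the host side, independently of what the audit system sends, by giving the audit system's account a ForceCommand in sshd_config that inspects SSH_ORIGINAL_COMMAND and refuses anything other than a docker exec line.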
An O&M security audit system (commonly called a bastion host) is a technical means by which, in a specific network environment, various technical means are used to collect and monitor in real time the system state, security events and network activity of each component in that environment, so as to centrally alarm, record, analyze and handle them, in order to guarantee that the network and data are not damaged or leaked by non-compliant operations of internal legitimate users. Functionally it combines the two main functions of core system operations and security audit control; technically it is implemented by cutting off direct access from terminal computers to network and server resources and taking over that access by means of protocol proxying. Therefore, with the scheme of the present invention, container logins are compatible with the O&M security audit system, and authorization of the container, security control of the login and auditing of operations can all be completed by the O&M security audit system.
Further, the container login method of the O&M security audit system of the present invention may also comprise the following steps:
the O&M security audit system authenticates the user who sent the container access request;
if verification passes, proceed to the step in which the O&M security audit system sends a data query request to the container information storage database; as long as the O&M security audit system has also passed the host's verification, the user can log in to the container and perform operations;
if verification fails, the O&M security audit system refuses the user's container access request, and the user cannot log in to the container to perform operations.
That is, in this embodiment, verification and control of user identity are carried out in the O&M security audit system, which is convenient for unified management; neither the host nor the container needs to verify user identity, which lightens the load on the host and the container.
Further, the container login method of the O&M security audit system of the present invention may also comprise the step of the O&M security audit system recording and auditing the user's operation data inside the container, further ensuring the security of the user's operations.
Fig. 4 is a sequence diagram of the container login method of the O&M security audit system according to a specific example of the invention. This specific example is only an illustration; other variations are possible in practice and fall within the scope of protection of the present invention.
Specifically, the container login method of the O&M security audit system in this specific example comprises the following steps:
(1) the user logs in to the O&M security audit system; during this login the O&M security audit system must verify the user's identity, continuing with the subsequent steps if verification succeeds and refusing the user's login if it fails;
after logging in to the O&M security audit system successfully, the user requests access with root privileges to the container whose IP is 1.1.1.1. Root privilege is a kind of system privilege, comparable in concept to SYSTEM privilege but above administrator privilege; root is the superuser account in Linux and unix systems, which has supreme power over the whole system and can operate on every object. Obtaining root privilege means obtaining the highest privilege of the system, with which any file in the system (including system files) can be created, deleted, modified or read. This is only an example and practical applications are not limited to it.
(2) the O&M security audit system calls the application programming interface of the container information store to query the host and container ID currently corresponding to 1.1.1.1;
(3) the O&M security audit system logs in to the host with a privileged account over SSH;
(4) the command exec docker exec -ti <container ID> --user root sh is executed on the host, authorizing the user to log in to the container;
(5) the container's shell process is obtained successfully; the user is logged in to the container and can perform the corresponding operations.
Therefore, with the container login method of the O&M security audit system of the present invention, the container image does not need to package and install an SSHD service and the container does not need to manage a key pair, which avoids unnecessary process management and packaging and reduces the container's management cost; at the same time containers are compatible with login through the O&M security audit system, and authorization of the container, security control of the login and auditing of operations are all completed by the O&M security audit system. In addition, unlike the prior art, the container in the present invention is treated as its own kind of device OS type, linux docker, rather than having a container login identical to an ordinary linux server login. The present invention takes full advantage of the differences between containers and ordinary linux servers and of the particular nature of containers themselves, combining container login and host login well.
As shown in Figure 5, an embodiment of the present invention also provides a container login system for an O&M security audit system, for implementing the method described above by which the O&M security audit system logs in to a container. The system includes a container information storage database 100 and an O&M security audit system 200. The container information storage database 100 stores the correspondence between hosts 300 and containers 400, together with the second identification information of each container on each host. The O&M security audit system 200 supports the login, security control, access authorization and log audit of containers.
Figure 6 shows the structure of the O&M security audit system of one embodiment of the invention. The O&M security audit system includes: an access request acquisition module 210, for obtaining the container access request of a user 500, where the container access request includes the first identification information of the container the user accesses; a container information query module 220, for sending a data query request to the container information storage database 100 and obtaining from it the host information corresponding to the container the user requests access to, together with the second identification information of that container on the corresponding host; and a host login module 230, for logging in to the host 300 over the SSH protocol and executing on the host 300 the command that authorizes the user to log in, so that the user 500 is authorized to log in to the container 400 corresponding to the second identification information.
Further, the O&M security audit system 200 may also include an identity verification module 240, for verifying the identity of the user who sends the container access request. If verification passes, the O&M security audit system 200 proceeds to the step of sending a data query request to the container information storage database 100; if verification fails, the O&M security audit system 200 refuses the container access request of the user 500. That is, besides acting as the bridge through which the user logs in to the container, the O&M security audit system 200 also verifies the identity of the user, ensuring the security of container login.
Further, the host 300 replaces its shell process with the process by which the user logs in to the container, so that when the user 500 exits the login of the container 400, the login of the host 300 is exited as well. Concretely, as described above, exec is prefixed to the docker command, so that the process that logs the user in to the container replaces the shell process of the host; when the user exits the container login, that is, when the process that logs the user in to the container ends, the host session ends at the same time. This prevents the user from obtaining host privileges after exiting the container, and so protects the security of the host and of the other containers on it.
When containers are logged in to through the O&M security audit system of the present invention, the matching relationship between the container information storage database 100 and the O&M security audit system 200 means that the O&M security audit system 200 only needs to know the IP address of the target container to obtain the IP address of the host on which the target container resides and the ID of the container. Through cooperation between the O&M security audit system 200 and the host 300, the host 300 verifies the O&M security audit system 200; after verification passes, the host 200 executes the command authorizing the user to log in, so that the user can log in to the target container, achieving the purpose of container login. The identity of the user is verified by the O&M security audit system 200, and the O&M security audit system 200 itself is verified by the host 200, which ensures the security of container login. Moreover, the container image no longer needs to package an SSHD service, and the container does not need to manage keys and private keys, which reduces the management cost of the container.
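As an added example that is not part of the patent text, the following Python sketches the audit-system side of the flow described in the paragraphs above: identity verification of the requesting user, lookup of the host and container ID from the container information store, and construction of the exec-prefixed docker exec command that the host runs so that leaving the container also ends the host session. All users, tokens, host IPs, container IPs and container IDs are constructed sample data; the SSH login itself is not performed (only the command string that would be sent is returned), and the per-user container allow-list and the hex-format check on the container ID are this example's own additions, not described in the patent.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass, field

# Constructed stand-in for the container information storage database:
# container IP -> (IP of the host it runs on, container ID on that host).
CONTAINER_DB = {
    "10.20.0.11": ("192.168.1.10", "3f9a1c2b7d8e"),
    "10.20.0.12": ("192.168.1.10", "a1b2c3d4e5f6"),
    "10.20.0.21": ("192.168.1.11", "0e1d2c3b4a59"),
}


def _hash_token(token: str) -> str:
    """SHA-256 of an access token; the store keeps hashes, not tokens."""
    return hashlib.sha256(token.encode()).hexdigest()


# Constructed user store: username -> (token hash, container IPs the user may
# enter). The allow-list is this example's assumption about how the audit
# system decides authorization; the patent only says that it authorizes access.
USER_DB = {
    "alice": (_hash_token("alice-secret"), {"10.20.0.11", "10.20.0.12"}),
    "bob": (_hash_token("bob-secret"), {"10.20.0.21"}),
}

# Docker container IDs are lowercase hex: 12-char short or 64-char full form.
# Checking this before interpolating the ID into the host command keeps a
# corrupted or tampered repository entry from smuggling shell syntax.
CONTAINER_ID_RE = re.compile(r"^(?:[0-9a-f]{12}|[0-9a-f]{64})$")


def is_valid_container_id(container_id: str) -> bool:
    return CONTAINER_ID_RE.match(container_id) is not None


def build_login_command(container_id: str) -> str:
    """Command the audit system runs on the host over SSH. The leading exec
    makes docker exec replace the host shell, so leaving the container ends
    the host session too."""
    if not is_valid_container_id(container_id):
        raise ValueError("not a Docker container ID: %r" % container_id)
    return "exec docker exec -it %s /bin/bash" % container_id


@dataclass
class AuditSystem:
    container_db: dict
    user_db: dict
    audit_log: list = field(default_factory=list)

    def verify_identity(self, user: str, token: str) -> bool:
        record = self.user_db.get(user)
        if record is None:
            return False
        # Constant-time comparison of the stored and presented token hashes.
        return hmac.compare_digest(record[0], _hash_token(token))

    def handle_access_request(self, user: str, token: str, container_ip: str) -> dict:
        """Walk the flow: verify identity, look up host and container ID,
        check authorization, build the host-side login command, record it."""
        result = {"user": user, "container_ip": container_ip}
        if not self.verify_identity(user, token):
            result.update(status="denied", reason="identity verification failed")
        else:
            entry = self.container_db.get(container_ip)
            if entry is None:
                result.update(status="denied", reason="container not found")
            elif container_ip not in self.user_db[user][1]:
                result.update(status="denied", reason="user not authorized for container")
            else:
                host_ip, container_id = entry
                result.update(status="ok", host=host_ip, container_id=container_id,
                              command=build_login_command(container_id))
        # Every login decision, allowed or denied, is kept for audit. The audit
        # of the user's operations inside the container would hang off the SSH
        # session and is not modelled here.
        self.audit_log.append(dict(result))
        return result


if __name__ == "__main__":
    system = AuditSystem(CONTAINER_DB, USER_DB)
    print(system.handle_access_request("alice", "alice-secret", "10.20.0.11"))
    print(system.handle_access_request("alice", "alice-secret", "10.20.0.21"))
    for entry in system.audit_log:
        print(entry)
```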
An embodiment of the present invention also provides a container login device for an O&M security audit system, including a processor and a memory in which executable instructions of the processor are stored, wherein the processor is configured to perform, by executing the executable instructions, the steps of the method described above by which the O&M security audit system logs in to a container.
A person of ordinary skill in the art will understand that various aspects of the invention can be implemented as a system, a method or a program product. Accordingly, various aspects of the invention may take the following forms: a complete hardware embodiment, a complete software embodiment (including firmware, microcode and the like), or an embodiment combining hardware and software aspects, which may be referred to collectively herein as a "circuit", "module" or "platform".
An electronic device 600 according to this embodiment of the invention is described below with reference to Figure 7. The electronic device 600 shown in Figure 7 is only an example and should not impose any limitation on the function and scope of use of embodiments of the invention.
As shown in Figure 7, the electronic device 600 takes the form of a general-purpose computing device. The components of the electronic device 600 may include, but are not limited to: at least one processing unit 610, at least one memory unit 620, a bus 630 connecting the different platform components (including the memory unit 620 and the processing unit 610), a display unit 640 and so on.
The memory unit stores program code, which can be executed by the processing unit 610 so that the processing unit 610 performs the steps according to the various exemplary embodiments of the invention described in the "electronic prescription circulation processing method" section of this specification above. For example, the processing unit 610 may perform the steps shown in Figure 1.
The memory unit 620 may include a readable medium in the form of a volatile memory unit, such as a random access memory unit (RAM) 6201 and/or a cache memory unit 6202, and may further include a read-only memory unit (ROM) 6203.
The memory unit 620 may also include a program/utility 6204 having a set of (at least one) program modules 6205. Such program modules 6205 include, but are not limited to: an operating system, one or more application programs, other program modules and program data; each of these examples, or some combination of them, may include an implementation of a network environment.
The bus 630 may represent one or more of several classes of bus structures, including a memory unit bus or memory unit controller, a peripheral bus, a graphics acceleration port, the processing unit, or a local bus using any of a variety of bus structures.
The electronic device 600 may also communicate with one or more external devices 700 (such as a keyboard, a pointing device, a Bluetooth device and so on), with one or more devices that enable a user to interact with the electronic device 600, and/or with any device (such as a router, a modem and so on) that enables the electronic device 600 to communicate with one or more other computing devices. Such communication can take place through an input/output (I/O) interface 650. Further, the electronic device 600 may communicate with one or more networks (such as a local area network (LAN), a wide area network (WAN) and/or a public network such as the Internet) through a network adapter 660. The network adapter 660 may communicate with the other modules of the electronic device 600 through the bus 630. It should be understood that, although not shown in the drawings, other hardware and/or software modules may be used in combination with the electronic device 600, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage platforms and so on.
As described above, when the container login device of the O&M security audit system of the present invention performs the method described above by which the O&M security audit system logs in to a container, the container image does not need to package and install an SSHD service and the container does not need to manage keys and private keys, which avoids unnecessary process management and packaging and reduces the management cost of the container. At the same time the container is made compatible with login through the O&M security audit system, and container authorization, login security control and operation audit are all completed by the O&M security audit system, comprehensively guaranteeing the security of container login.
An embodiment of the present invention also provides a computer-readable storage medium for storing a program which, when executed, implements the steps of the method described above by which the O&M security audit system logs in to a container. In some possible embodiments, various aspects of the invention may also be implemented in the form of a program product that includes program code; when the program product runs on a terminal device, the program code causes the terminal device to perform the steps according to the various exemplary embodiments of the invention described in the "electronic prescription circulation processing method" section of this specification above.
Referring to Figure 8, a program product 800 for implementing the above method according to an embodiment of the invention is described. It may use a portable compact disc read-only memory (CD-ROM) and include program code, and may run on a terminal device such as a personal computer. However, the program product of the present invention is not limited to this; in this document a readable storage medium may be any tangible medium that contains or stores a program, where the program may be used by or in connection with an instruction execution system, apparatus or device.
The program product may use any combination of one or more readable media. A readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example but not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the above. More specific examples (a non-exhaustive list) of readable storage media include: an electrical connection with one or more wires, a portable disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any appropriate combination of the above.
A computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, which carries readable program code. Such a propagated data signal may take many forms, including but not limited to an electromagnetic signal, an optical signal or any appropriate combination of the above. A readable signal medium may also be any readable medium other than a readable storage medium, which can send, propagate or transmit a program for use by or in connection with an instruction execution system, apparatus or device. The program code contained on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wired, optical cable, RF and so on, or any appropriate combination of the above.
Program code for carrying out the operations of the present invention may be written in any combination of one or more programming languages, including object-oriented programming languages such as Java and C++, as well as conventional procedural programming languages such as the "C" language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on a remote computing device or server. Where a remote computing device is involved, it may be connected to the user's computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computing device (for example, through the Internet by way of an Internet service provider).
As described above, when the program in the computer-readable storage medium is run using an external device, the purposes of reducing the management cost of containers and comprehensively guaranteeing the login security of containers can also be achieved.
The method, system, device and storage medium provided by the present invention for an O&M security audit system to log in to a container have the following advantages:
By setting up an SSHD service on the host, the O&M security audit system of the present invention first logs in to the host corresponding to the container and then lets the user log in to the container through the host. The container image no longer needs to package an SSHD service, and the container itself does not need to manage keys and private keys, which avoids unnecessary process management and packaging and reduces the management cost of the container. At the same time the invention makes the container compatible with login through the O&M security audit system: container authorization, login security control and operation audit are all completed by the O&M security audit system, comprehensively guaranteeing the security of the container in use.
The above content is a further detailed description of the present invention in combination with specific preferred embodiments, and the specific implementation of the present invention cannot be considered limited to these descriptions. A person of ordinary skill in the technical field of the present invention may also make some simple deductions or substitutions without departing from the inventive concept, and all of these should be considered to fall within the scope of protection of the present invention.

Claims (16)

1. A method for an O&M security audit system to log in to a container, characterized in that it comprises the following steps:
the O&M security audit system obtains a container access request from a user, the container access request including first identification information of the container the user accesses;
the O&M security audit system sends a data query request to a container information storage database and obtains from the container information storage database the host information corresponding to the container the user requests access to and the second identification information of the container on the corresponding host;
the O&M security audit system logs in to the host over the SSH protocol;
a command authorizing the user to log in is executed on the host, and the user is authorized to log in to the container corresponding to the second identification information.
2. The method for an O&M security audit system to log in to a container according to claim 1, characterized in that the first identification information of the container is the IP address of the container; the second identification information of the container is the ID number of the container; and the O&M security audit system obtains the IP address of the corresponding host from the container information storage database.
3. The method for an O&M security audit system to log in to a container according to claim 1, characterized in that an SSHD service is provided on the host;
the O&M security audit system logging in to the host over the SSH protocol comprises the following steps:
the O&M security audit system sends a login request to the host over the SSH protocol;
the host verifies the key or password in the login request of the O&M security audit system;
if verification passes, the host allows the O&M security audit system to log in;
if verification fails, the host refuses the login of the O&M security audit system.
4. The method for an O&M security audit system to log in to a container according to claim 1, characterized in that the host executes a docker exec command according to the second identification information of the container, and the user is authorized to log in to the corresponding container.
5. The method for an O&M security audit system to log in to a container according to claim 1, characterized in that when the user exits the login of the container, the login of the host is exited as well.
6. The method for an O&M security audit system to log in to a container according to claim 5, characterized in that the host replaces the shell process of the host with the process by which the user logs in to the container.
7. The method for an O&M security audit system to log in to a container according to claim 6, characterized in that the host prefixes exec to the command authorizing the user to log in to the container, so that the process by which the user logs in to the container replaces the shell process of the host.
8. The method for an O&M security audit system to log in to a container according to claim 1, characterized in that it further comprises the following steps:
the O&M security audit system verifies the identity of the user who sends the container access request;
if verification passes, the method proceeds to the step in which the O&M security audit system sends a data query request to the container information storage database;
if verification fails, the O&M security audit system refuses the container access request of the user.
9. The method for an O&M security audit system to log in to a container according to claim 1, characterized in that the O&M security audit system exchanges data with the container information storage database through an application program access interface of the container information storage database.
10. The method for an O&M security audit system to log in to a container according to claim 9, characterized in that the correspondence between hosts and containers in the container information storage database, and the second identification information of the containers on the hosts, are updated in real time with the real-time scheduling of the containers;
the O&M security audit system obtains, through the application program access interface of the container information storage database, the host information currently corresponding to the container the user requests access to and the second identification information of the container on the corresponding host.
11. The method for an O&M security audit system to log in to a container according to claim 10, characterized in that it further comprises:
the O&M security audit system records and audits the operation data of the user in the container.
12. A container login system for an O&M security audit system, for implementing the method for an O&M security audit system to log in to a container according to any one of claims 1 to 11, characterized in that the system comprises:
a container information storage database, for storing the correspondence between hosts and containers and the second identification information of each container included on each host;
an O&M security audit system, comprising:
an access request acquisition module, for obtaining a container access request from a user, the container access request including the first identification information of the container the user accesses;
a container information query module, for sending a data query request to the container information storage database and obtaining from the container information storage database the host information corresponding to the container the user requests access to and the second identification information of the container on the corresponding host;
a host login module, for logging in to the host over the SSH protocol and authorizing the user to log in to the corresponding container according to the second identification information of the container; a command authorizing the user to log in is executed on the host, and the user is authorized to log in to the container corresponding to the second identification information.
13. The container login system for an O&M security audit system according to claim 12, characterized in that the O&M security audit system further comprises:
an identity verification module, for verifying the identity of the user who sends the container access request;
if verification passes, the O&M security audit system proceeds to the step of sending a data query request to the container information storage database;
if verification fails, the O&M security audit system refuses the container access request of the user.
14. The container login system for an O&M security audit system according to claim 13, characterized in that the host replaces the shell process of the host with the process by which the user logs in to the container, so that when the user exits the login of the container, the login of the host is exited as well.
15. A container login device for an O&M security audit system, characterized in that it comprises:
a processor;
a memory in which executable instructions of the processor are stored;
wherein the processor is configured to perform, by executing the executable instructions, the steps of the method for an O&M security audit system to log in to a container according to any one of claims 1 to 11.
16. A computer-readable storage medium for storing a program, characterized in that when the program is executed, the steps of the method for an O&M security audit system to log in to a container according to any one of claims 1 to 11 are implemented.
CN201710863832.XA 2017-09-22 2017-09-22 O&M safety auditing system logs in vessel process, system, equipment and storage medium Pending CN107480509A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710863832.XA CN107480509A (en) 2017-09-22 2017-09-22 O&M safety auditing system logs in vessel process, system, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710863832.XA CN107480509A (en) 2017-09-22 2017-09-22 O&M safety auditing system logs in vessel process, system, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN107480509A true CN107480509A (en) 2017-12-15

Family

ID=60586736

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710863832.XA Pending CN107480509A (en) 2017-09-22 2017-09-22 O&M safety auditing system logs in vessel process, system, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN107480509A (en)

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108076063A (en) * 2017-12-25 2018-05-25 天津理工大学 Network O&M auditing method, server terminal and client based on block chain
CN108429638A (en) * 2018-02-22 2018-08-21 北京奇艺世纪科技有限公司 A kind of server O&M method, apparatus, system and electronic equipment
CN108958892A (en) * 2018-08-14 2018-12-07 郑州云海信息技术有限公司 A kind of method and apparatus creating the container for deep learning operation
CN110278127A (en) * 2019-07-02 2019-09-24 成都安恒信息技术有限公司 A kind of Agent dispositions method and system based on secure transfer protocol
CN111125759A (en) * 2019-12-19 2020-05-08 上海上讯信息技术股份有限公司 Database login account shielding method and device and electronic equipment
CN111125039A (en) * 2018-10-30 2020-05-08 华为技术有限公司 Method and device for generating operation log
CN111526189A (en) * 2020-04-13 2020-08-11 恒安嘉新(北京)科技股份公司 Equipment monitoring method and device, computer equipment and storage medium
CN112350870A (en) * 2020-11-11 2021-02-09 杭州飞致云信息科技有限公司 Operation and maintenance safety auditing method and device for container cluster system
CN113468579A (en) * 2021-07-23 2021-10-01 挂号网(杭州)科技有限公司 Data access method, device, equipment and storage medium
CN114050911A (en) * 2021-09-27 2022-02-15 度小满科技(北京)有限公司 Container remote login method and system
CN114070856A (en) * 2020-07-29 2022-02-18 顺丰科技有限公司 Data processing method, device and system, operation and maintenance auditing equipment and storage medium
US11394533B2 (en) 2019-12-25 2022-07-19 General Data Technology Co., Ltd. Method for storing database security audit records
WO2022237447A1 (en) * 2021-05-10 2022-11-17 中兴通讯股份有限公司 Operation and maintenance method, apparatus, and system, server, electronic device, and medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105872019A (en) * 2016-03-23 2016-08-17 北京搜狐新媒体信息技术有限公司 Method and device for logging in Docker container by Web end
CN106383852A (en) * 2016-08-30 2017-02-08 中国民生银行股份有限公司 Docker container-based log acquisition method and apparatus
CN106685949A (en) * 2016-12-24 2017-05-17 上海七牛信息技术有限公司 Container access method, container access device and container access system
CN106844489A (en) * 2016-12-24 2017-06-13 上海七牛信息技术有限公司 A kind of file operation method, device and system

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108076063A (en) * 2017-12-25 2018-05-25 天津理工大学 Network O&M auditing method, server terminal and client based on block chain
CN108429638A (en) * 2018-02-22 2018-08-21 北京奇艺世纪科技有限公司 A kind of server O&M method, apparatus, system and electronic equipment
CN108429638B (en) * 2018-02-22 2021-12-10 北京奇艺世纪科技有限公司 Server operation and maintenance method, device and system and electronic equipment
CN108958892A (en) * 2018-08-14 2018-12-07 郑州云海信息技术有限公司 A kind of method and apparatus creating the container for deep learning operation
CN111125039A (en) * 2018-10-30 2020-05-08 华为技术有限公司 Method and device for generating operation log
CN111125039B (en) * 2018-10-30 2022-06-10 华为技术有限公司 Method and device for generating operation log
CN110278127A (en) * 2019-07-02 2019-09-24 成都安恒信息技术有限公司 A kind of Agent dispositions method and system based on secure transfer protocol
CN110278127B (en) * 2019-07-02 2020-12-01 成都安恒信息技术有限公司 Agent deployment method and system based on secure transmission protocol
CN111125759A (en) * 2019-12-19 2020-05-08 上海上讯信息技术股份有限公司 Database login account shielding method and device and electronic equipment
US11394533B2 (en) 2019-12-25 2022-07-19 General Data Technology Co., Ltd. Method for storing database security audit records
CN111526189A (en) * 2020-04-13 2020-08-11 恒安嘉新(北京)科技股份公司 Equipment monitoring method and device, computer equipment and storage medium
CN114070856A (en) * 2020-07-29 2022-02-18 顺丰科技有限公司 Data processing method, device and system, operation and maintenance auditing equipment and storage medium
CN114070856B (en) * 2020-07-29 2023-11-28 顺丰科技有限公司 Data processing method, device, system, operation and maintenance auditing equipment and storage medium
CN112350870A (en) * 2020-11-11 2021-02-09 杭州飞致云信息科技有限公司 Operation and maintenance safety auditing method and device for container cluster system
WO2022237447A1 (en) * 2021-05-10 2022-11-17 中兴通讯股份有限公司 Operation and maintenance method, apparatus, and system, server, electronic device, and medium
CN113468579A (en) * 2021-07-23 2021-10-01 挂号网(杭州)科技有限公司 Data access method, device, equipment and storage medium
CN114050911A (en) * 2021-09-27 2022-02-15 度小满科技(北京)有限公司 Container remote login method and system
CN114050911B (en) * 2021-09-27 2023-05-16 度小满科技(北京)有限公司 Remote login method and system for container

Similar Documents

Publication Publication Date Title
CN107480509A (en) O&M safety auditing system logs in vessel process, system, equipment and storage medium
CN107634951A (en) Docker vessel safeties management method, system, equipment and storage medium
US20200021615A1 (en) Container authorization policies for network trust
US10833949B2 (en) Extension resource groups of provider network services
CN105991734B (en) A kind of cloud platform management method and system
US9491183B1 (en) Geographic location-based policy
US11764961B2 (en) Techniques for using signed nonces to secure cloud shells
CN107533608A (en) Credible renewal
CN104718526A (en) Secure mobile framework
US10762193B2 (en) Dynamically generating and injecting trusted root certificates
CN110197058A (en) Unified internal control method for managing security, system, medium and electronic equipment
CN110463163A (en) For providing the on-demand method and system for waking up access to conversation server
US11374792B2 (en) Techniques for utilizing multiple network interfaces for a cloud shell
US20200159555A1 (en) Provider network service extensions
CN110036385A (en) Mixed mode cloud On-premise (ON-PREMISE) secure communication
US11170080B2 (en) Enforcing primary and secondary authorization controls using change control record identifier and information
CN106537873A (en) Establishing secure computing devices for virtualization and administration
WO2023132997A1 (en) Quorum-based authorization
CN116018580B (en) Techniques for instance persistence data across cloud shells
CN115314257A (en) Authentication method and device of file system, electronic equipment and computer storage medium
US20240007465A1 (en) Controlling access to components of a software-defined data center in a hybrid environment
US11722489B2 (en) Management of shared authentication credentials
CN111683053B (en) Cloud platform security network architecture
US20230109109A1 (en) Applications as resource principals or service principals
WO2023055734A1 (en) Applications as resource principals or service principals

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20171215