CN108111469B - Method and device for establishing security channel in cluster - Google Patents


Info

Publication number
CN108111469B
Authority
CN
China
Prior art keywords
key
secure channel
docker container
designated
user space
Prior art date
Legal status
Active
Application number
CN201611052641.7A
Other languages
Chinese (zh)
Other versions
CN108111469A (en)
Inventor
秦海博
Current Assignee
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Priority date
Filing date
Publication date
Application filed by Alibaba Group Holding Ltd
Priority to CN201611052641.7A
Priority to PCT/CN2017/110785 (WO2018095240A1)
Publication of CN108111469A
Application granted
Publication of CN108111469B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/18 Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The application provides a method for establishing a secure channel in a cluster, comprising the following steps: acquiring a request for establishing a secure channel between designated user spaces in a designated cluster; generating a key pair of a secure channel corresponding to the request, wherein the key pair comprises a public key and a private key; transmitting the key required by each designated user space to that user space in a form corresponding to the user space; storing the key, according to the form in which it was transmitted, in each designated user space; and establishing a secure channel between the designated user spaces using the key. The method provided by the application reduces the complexity of establishing the secure channel and improves the efficiency of establishing it; because the key is transmitted in a form corresponding to the user space, the workload of establishing a secure channel in the cluster is simplified and the efficiency of establishing the secure channel is improved.

Description

Method and device for establishing security channel in cluster
Technical Field
The present application relates to a method for establishing a secure channel, and in particular, to a method and an apparatus for establishing a secure channel in a cluster, a method and an apparatus for deploying a docker container with a secure channel configuration, and a method and an apparatus for starting a docker container with a secure channel configuration.
Background
A cluster usually includes different kinds of user space, including containers (e.g., docker containers), virtual machines and physical machines. Communication and information exchange are required between user spaces of different kinds or of the same kind, and to ensure information security a secure channel needs to be established between them for the exchange; the secure channel usually adopts asymmetric encryption to ensure information security.
An asymmetrically encrypted secure channel comprises a source end and a destination end, wherein the source end is the user space where the source-end user is located, and the destination end is the user space that the source-end user wants to access remotely. The source end stores a public key and a private key, and the destination end stores a public key.
After the secure channel is established, the source-end user can access the destination end with the identity of the destination-end user (whose authority is assigned by the system administrator of the destination end). The channel is unidirectional: only the source-end user can access the destination end, and no channel is established in the reverse direction.
The following method is generally used in the prior art to establish a secure channel between user spaces of different kinds or of the same kind in a cluster:
for the source end and the destination end of a secure channel, a key pair containing a public key and a private key is generated; the key pair is stored in a file corresponding to the source end through an existing secure channel, and the public key is stored in a file corresponding to the destination end through an existing secure channel. Thus there may be multiple key pairs in the cluster, each corresponding to a different secure channel. In particular, for a user space that is a docker container, the file storing the key is deleted when the docker container is deleted. When the same docker container is redeployed, a host that logs in to the docker container through a secure channel is still required to retransmit and store the corresponding key.
It can be seen that the existing way of establishing a secure channel in a cluster has complex key management and channel establishment processes, a large workload for establishing the secure channel, and low efficiency.
Disclosure of Invention
The application provides a method for establishing a secure channel in a cluster. The application also provides a device for establishing a secure channel in a cluster; a method for deploying a docker container with a secure channel configuration requirement and a device for deploying such a docker container; and a method for starting a docker container with a secure channel configuration and a device for starting such a docker container.
The application provides a method for establishing a secure channel in a cluster, which comprises the following steps:
acquiring a request for establishing a secure channel between each designated user space in a designated cluster;
generating a key pair of a secure channel corresponding to the request, wherein the key pair comprises a public key and a private key;
transmitting the key required by each designated user space to that user space in a form corresponding to the user space;
storing the key, according to the form in which it was transmitted, in each designated user space;
establishing a secure channel between the respective designated user spaces using the key.
Optionally, the user space comprises a docker container;
accordingly, transmitting the key required by each designated user space to that user space in a form corresponding to the user space comprises:
encoding the key corresponding to the attribute of the secure channel of each designated docker container to obtain the encoded text of the key corresponding to the attribute of the secure channel of each docker container;
putting the encoded text of the key corresponding to the attribute of the secure channel of each docker container into the environment variables of the corresponding docker container;
deploying the designated docker containers with the environment variables to pre-designated hosts in the cluster;
and storing the required key, according to the form in which it was transmitted, in each designated user space comprises:
after each designated docker container is started, decoding the encoded text of the key contained in the environment variable of that docker container to obtain the key;
and storing the key obtained by decoding in the corresponding designated docker container.
Optionally, the attributes of the secure channel include: a source end of the secure channel;
accordingly, the encoded text of the key includes encoded text of the public key and encoded text of the private key.
Optionally, the attributes of the secure channel include: a destination end of the secure channel;
accordingly, the encoded text of the key comprises encoded text of the public key.
Optionally, the user space comprises a virtual machine or a physical machine;
accordingly, transmitting the key required by each designated user space to that user space in a form corresponding to the user space comprises:
transmitting the key corresponding to the attribute of the secure channel of each designated virtual machine or physical machine to that virtual machine or physical machine;
and storing the required key, according to the form in which it was transmitted, in each designated user space comprises:
storing the key corresponding to the attribute of the secure channel of each designated virtual machine or physical machine in that virtual machine or physical machine.
Optionally, the secure channel comprises an SSH secure channel.
Optionally, the key pair is a key pair.
The application provides a method for deploying a docker container with a secure channel configuration requirement, which comprises the following steps:
acquiring a request for deploying a docker container with a secure channel configuration requirement;
encoding the key corresponding to the attribute of the secure channel of the docker container to obtain the encoded text of the key corresponding to the attribute of the secure channel of the docker container;
placing the encoded text of the key corresponding to the attribute of the secure channel of the docker container into an environment variable of the docker container;
and deploying the docker container with the environment variable to a pre-designated host.
Optionally, the attribute of the secure channel of the docker container comprises a source end of the secure channel,
accordingly, the encoded text of the key includes encoded text of a public key and encoded text of a private key.
Optionally, the attribute of the secure channel of the docker container includes a destination of the secure channel,
accordingly, the encoded text of the key comprises an encoded text of a public key.
Optionally, the secure channel comprises an SSH secure channel.
The application provides a method for starting a docker container with a secure channel configuration, comprising the following steps:
starting the docker container;
decoding the encoded text of the key contained in the environment variable of the docker container to obtain the key;
and storing the key in the docker container.
The application provides a device for establishing a secure channel in a cluster, which comprises:
an acquisition unit, configured to acquire a request for establishing a secure channel between designated user spaces in a designated cluster;
a key generation unit, configured to generate a key pair of a secure channel corresponding to the request, where the key pair includes a public key and a private key;
a transmitting unit, configured to transmit the key required by each designated user space to that user space in a form corresponding to the user space;
a storage unit, configured to store the required key, according to the form in which it was transmitted, in each designated user space;
and the establishing unit is used for establishing a secure channel between the designated user spaces by using the key.
Optionally, the user space comprises a docker container, and accordingly the transmitting unit comprises:
an encoding subunit, configured to encode the key corresponding to the attribute of the secure channel of each designated docker container to obtain the encoded text of the key corresponding to the attribute of the secure channel of each docker container;
a placing subunit, configured to place the encoded text of the key corresponding to the attribute of the secure channel of each docker container into the environment variables of the corresponding docker container;
a deployment subunit, configured to deploy the designated docker containers with the environment variables to the pre-designated hosts in the cluster;
and the storage unit comprises:
a decoding subunit, configured to decode, after each designated docker container is started, the encoded text of the key contained in the environment variable of that docker container to obtain the key;
and a storage subunit, configured to store the decoded key in the corresponding designated docker container.
Optionally, the key generation unit is specifically configured to generate a key pair of the secure channel corresponding to the request, where the key pair includes a public key and a private key.
The application provides a device for deploying a docker container with a secure channel configuration requirement, comprising:
an acquisition unit, configured to acquire a request for deploying a docker container with a secure channel configuration requirement;
an encoding unit, configured to encode the key corresponding to the attribute of the secure channel of each docker container to obtain the encoded text of the key corresponding to the attribute of the secure channel of each docker container;
a configuration unit, configured to put the encoded text of the key corresponding to the attribute of the secure channel of the docker container into an environment variable of the docker container;
and a deployment unit, configured to deploy the docker container with the environment variable to a pre-designated host.
The application provides a device for starting a docker container with a secure channel configuration, comprising:
a starting unit, configured to start the docker container;
a decoding unit, configured to decode the encoded text of the key contained in the environment variable of the docker container to obtain the key;
and a storage unit, configured to store the key in the docker container.
Compared with the prior art, the method for establishing a secure channel in a cluster has the following advantages:
when secure channels using a key pair are established between user spaces of different kinds or of the same kind in a cluster, the key pair is generated uniformly, so the complexity of establishing the secure channel is reduced and the efficiency of establishing it is improved; and because the key is transmitted in a form corresponding to the user space, the workload of establishing a secure channel in the cluster is simplified and the efficiency of establishing the secure channel is improved.
Compared with the prior art, the method for deploying a docker container with a secure channel configuration requirement has the following advantages:
when the docker container is deployed, the key of the secure channel is transmitted through an environment variable, which simplifies the process of establishing the secure channel and improves the efficiency of establishing it.
Compared with the prior art, the method for starting a docker container with a secure channel configuration has the following advantages:
after the container starts, the key of the secure channel is decoded, restored and stored, which simplifies the process of establishing the secure channel and improves the efficiency of establishing it.
Drawings
Fig. 1 is a schematic flowchart illustrating a method for establishing a secure channel in a cluster according to a first embodiment of the present application;
Fig. 2 is a schematic diagram of a method for establishing a secure channel for a docker container in a cluster according to the first embodiment of the present application;
Fig. 3 is a flowchart illustrating a method for deploying a docker container with a secure channel configuration requirement according to a second embodiment of the present application;
Fig. 4 is a schematic flowchart illustrating a method for starting a docker container with a secure channel configuration according to a third embodiment of the present application;
Fig. 5 is a block diagram illustrating a device for establishing a secure channel in a cluster according to a fourth embodiment of the present application;
Fig. 6 is a block diagram of a device for deploying a docker container with a secure channel configuration requirement according to a fifth embodiment of the present application;
Fig. 7 is a block diagram of a device for starting a docker container with a secure channel configuration according to a sixth embodiment of the present application.
Detailed Description
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present application. This application is capable of implementation in many different ways than those herein set forth and of similar import by those skilled in the art without departing from the spirit of this application and is therefore not limited to the specific implementations disclosed below.
A first embodiment of the present application provides a method for establishing a secure channel in a cluster, a flowchart of which is shown in fig. 1, and the embodiment includes the following steps:
step S101, a request for establishing a secure channel for each designated user space in a designated cluster is obtained.
This request is obtained when a secure communication channel needs to be established between different user spaces within the computer cluster. The user space may be a physical computer (physical machine for short), a virtual computer (virtual machine for short), or a container, such as a docker container (docker for short).
This embodiment takes an SSH secure channel established in the cluster as an example. SSH (Secure Shell) is a security protocol built on the application layer and the transport layer that uses the asymmetric RSA algorithm for secure communication between computers. An SSH channel comprises four elements: a source end, a destination end, a source-end user and a destination-end user. The source-end user is the initiator of the channel, the source end is the computer used by the source-end user, and the destination end is the target device that the source-end user wants to control remotely. After the channel is established, the source-end user can operate the destination end with the identity of the destination-end user (whose authority is assigned by the system administrator of the destination end). The channel is unidirectional: the destination end can only be operated from the source end, and no channel is established in the reverse direction.
Step S102, generating a key pair of the secure channel corresponding to the request, where the key pair includes a public key and a private key.
In order to secure communication, the channel used for communication is usually encrypted with asymmetric encryption, which requires a pair of keys consisting of a private key and a public key. In this embodiment, a public key and a private key generated with the RSA algorithm are taken as an example.
For the situation of establishing secure channels among multiple user spaces in the cluster, besides using a different key pair for each channel, the same key pair can be used for all of them, that is, only one key pair is used; this simplifies the management of the secure channels, makes deployment convenient, improves deployment efficiency, and reduces maintenance workload.
After a request for establishing the secure channel is acquired, a pair of keys is generated for the secure channel to be established using the RSA algorithm. The key pair includes a public key and a private key.
For example, on a Unix operating system, an RSA private key with a length of 1024 bits may be generated and saved into the file "privatekeyfile" using the following command:
openssl genrsa -3 -out privatekeyfile 1024
After the private key is generated, the corresponding public key can be derived from it with the following command, and the generated public key is stored in publickeyfile:
ssh-keygen -f privatekeyfile -y > publickeyfile
step S103, transmitting the key required for each designated user space to each designated user space in a form corresponding to the corresponding user space.
Each user space has a different attribute with respect to the secure channel, and the key it requires differs accordingly: a user space that is the source end of the secure channel requires the complete key pair, that is, both the public key and the private key, while a user space that is the destination end only needs the public key of the key pair.
Transmitting to each user space only the key related to its secure channel attribute helps ensure the security of the network.
For the case that the user space is a docker container, the following steps are adopted to transmit the required keys to each designated docker container:
the key corresponding to the attribute of the secure channel of each docker container is encoded with a text encoding tool, according to that attribute, to obtain the encoded text of the key.
For example, on a Unix operating system, the RSA private key generated in the previous step may be encoded with the following command:
base64 -i pkeyfile
For example, when the content of pkeyfile is "abcdefg", that is, the private key is "abcdefg", executing the command gives the encoded text "YWJjZGVmZw==" of the private key.
The way of encoding the public key is similar to the way of encoding the private key, and is not described herein.
For a docker container serving as the source end of the SSH secure channel, text encoding is applied to both the generated public key and the generated private key, producing the encoded text of the public key and the encoded text of the private key; for a docker container serving only as a destination end, text encoding may be applied to the public key alone, producing the encoded text of the public key.
For the situation where all user spaces share one key pair to establish secure channels, the public key and private key of the pair only need to be encoded once; subsequent docker containers directly reuse the encoded text produced earlier.
The key corresponding to the attribute of the secure channel of each docker container is put into the environment variables of the corresponding docker container. That is, the encoded text of the public key needs to be put into the to-be-deployed environment variables of every docker container that needs to establish an SSH secure channel, and the encoded text of the private key only needs to be put into the to-be-deployed environment variables of the docker containers that serve as source ends.
For the case of generating a docker container on a Unix operating system, the encoded text of the generated RSA private key may be transmitted to the environment variable SSH_PRIVATE_KEY of the docker container in the following manner:
Generate the docker container configuration file docker-compose.yml with the docker-compose tool, and in the environment section corresponding to each docker container that needs to establish an SSH secure channel, set the value of the variable SSH_PRIVATE_KEY to the encoded text of the generated RSA private key:
environment:
  SSH_PRIVATE_KEY: 'YWJjZGVmZw=='
Only the setting of the main key-related parameters in docker-compose.yml is given here; the complete docker-compose.yml file is determined by referring to the relevant documentation of the docker container tool.
The manner of adding the encoded text of the public key to the environment variable of the docker container is similar to the manner of adding the encoded text of the private key to the environment variable of the docker container, and is not described herein again.
The designated docker containers with the environment variables are deployed to the pre-designated hosts in the cluster. A host is a physical machine, or even a virtual machine, in the cluster on which a docker container needs to be deployed, where that docker container needs to establish a secure channel with other user spaces.
For a Unix operating system, when the background daemon process of the docker container (the docker daemon) is already installed on the host, the docker container configured with environment variables can be deployed on the host in the following manner:
export DOCKER_HOST=tcp://10.1.1.1:4243
docker-compose up -d
The export command sets the host information: '10.1.1.1' is the IP address of the host and '4243' is the port of the docker daemon process on the host. The docker-compose command deploys the docker container remotely according to the description in docker-compose.yml; docker-compose.yml contains the environment variables of the docker container, and the environment variables contain the encoded text of the key.
Only the main parameters relevant to deploying the docker container are given; the complete command can be determined according to the actual conditions of the deployment and the relevant documentation of the docker container. In addition, the docker container may be deployed in other ways.
For the case where the user space is a physical machine or a virtual machine, the key can be stored directly in a file and the file containing the key sent to each corresponding user space: the file containing the public key is sent to all designated physical and virtual machines that need to establish an SSH secure channel, and the file containing the private key is sent to those designated physical and virtual machines that serve as the source end of the SSH secure channel.
Step S104, storing the key, according to the form in which it was transmitted, in each designated user space.
The corresponding processing is different for different user spaces.
For the case where the user space is a docker container, after the docker container has been deployed on its host, the encoded text of the key contained in the environment variable of each designated docker container is decoded when the container is started, to obtain the key.
For example, for a docker container deployed on a Unix operating system, the environment variable set in the previous step may be decoded in the following manner:
First, the environment variable SSH_PRIVATE_KEY containing the encoded text of the key is written to the file private_key_file using the following command:
echo "$SSH_PRIVATE_KEY" > private_key_file
Then the encoded text of the private key contained in the private key file is decoded using the following command:
base64 -D private_key_file
If the content of private_key_file is "YWJjZGVmZw==", executing the command decodes it to the value of the private key: "abcdefg".
The manner of decoding the encoded text of the public key to obtain the public key is similar to the manner of decoding the encoded text of the private key to obtain the private key, and is not described again here.
The decoded key is stored in the corresponding designated docker container in an appropriate form. For example, the private key obtained by decoding is stored in the .ssh/id_rsa file under the user directory of the docker container serving as the source end, and the public key obtained by decoding is stored in the .ssh/id_rsa.pub file under the user directory of the docker container serving as the source end. For the docker container serving as the destination end, the public key obtained by decoding is stored in the .ssh/id_rsa.pub file under the user directory of that docker container.
For the case where the user space is a physical machine or a virtual machine, after the key file has been transmitted to the designated physical machine or virtual machine, the file containing the corresponding key is stored in the corresponding location.
For example, for a physical machine or virtual machine serving as the source end of the SSH secure channel, the file containing the public key is saved as the .ssh/id_rsa.pub file of the user using the secure channel, and the file containing the private key is saved as the .ssh/id_rsa file of that user. For a physical machine or virtual machine serving as the destination end of the SSH secure channel, the file containing the public key is saved as the .ssh/authorized_keys file of the user using the SSH secure channel.
After the key corresponding to the channel attribute of the user space has been saved in the user space, authority management can be applied to the saved key so that only authorized users are allowed to access it, which enhances security.
And step S105, establishing a secure channel between the designated user spaces by using the key.
After the key required for establishing the SSH secure channel is stored in the corresponding user space, the secure channel can be established for communication according to the corresponding secure protocol.
The following is a brief description of an example of establishing an SSH secure channel for a docker container in a cluster, as shown in fig. 2:
The RSA key required by the SSH secure channel to be established in the cluster is generated. When an SSH secure channel needs to be established for a certain docker container in the cluster, the corresponding key is encoded according to the SSH secure channel attribute of the docker container. If the docker container needs to serve as the source end of an SSH secure channel in the cluster, the public key and the private key are encoded to obtain an encoded text of the public key and an encoded text of the private key; if the docker container needs to serve as the destination end of an SSH secure channel in the cluster, the public key is encoded to obtain an encoded text of the public key.
The encoded text of the corresponding key is added to the environment variables of the docker container using the docker compose tool.
The docker container with the environment variables is deployed to a pre-designated host in the cluster. After the docker container is started, the encoded text of the corresponding key in the environment variable is decoded to obtain the corresponding key, which is stored in the corresponding file of the docker container. For example, if the docker container is the source end of an SSH secure channel, the public key is stored in the .ssh/id_rsa.pub file of the corresponding user of the docker container and the private key is stored in the .ssh/id_rsa file of that user; if the docker container is the destination end of the SSH secure channel, the public key is stored in the .ssh/id_rsa.pub file of the corresponding user of the docker container.
After the corresponding key is stored in the corresponding file of the docker container, corresponding permissions can be set on the key file so that only the authorized user can access it, which improves security.
The key required by the SSH secure channel has thus been successfully deployed to the docker container, and the corresponding SSH secure channel can be established with the docker container for communication.
The above is an embodiment of the method for establishing a secure channel in a cluster. When the method establishes a secure channel between user spaces in a cluster, the key is generated uniformly, which reduces the complexity of establishing the secure channel and improves the efficiency of establishing it; the key is transmitted in a form corresponding to the user space, which simplifies the workload of establishing the secure channel in the cluster and likewise improves the efficiency of establishing the secure channel.
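As an added example that is not the patent's own code, the following shell helpers implement the deploy-side encoding (second embodiment, steps S202 and S203) and the start-up side decoding and storage (the fig. 2 example above and the third embodiment, steps S301 to S303). The encoding (base64) and the environment variable names SSH_ROLE, SSH_PUBLIC_KEY_B64 and SSH_PRIVATE_KEY_B64 are assumptions; for the destination end the public key is written to .ssh/authorized_keys, the file sshd actually consults, following the layout the page gives for physical and virtual machines.

```shell
#!/bin/sh
# Added example, not code from the patent. Assumptions (not fixed by the
# page): the "encoded text" is base64, and the environment variables are
# named SSH_ROLE, SSH_PUBLIC_KEY_B64 and SSH_PRIVATE_KEY_B64.

# Deploy side (steps S202/S203): turn a key file into single-line encoded
# text suitable for an `environment:` entry of a docker compose file, e.g.
#   SSH_PRIVATE_KEY_B64=$(encode_key_for_env /keys/id_rsa)
encode_key_for_env() {
    base64 < "$1" | tr -d '\n'
}

# Container side (steps S302/S303): decode the keys from the environment and
# store them under the SSH user's home directory, readable by that user only.
#   install_ssh_keys ROLE HOME_DIR     (ROLE is "source" or "destination")
install_ssh_keys() {
    role="$1"
    home_dir="$2"
    ssh_dir="$home_dir/.ssh"

    umask 077                      # every file created below is owner-only by default
    mkdir -p "$ssh_dir" || return 1
    chmod 700 "$ssh_dir"           # sshd ignores keys in a group/world-accessible ~/.ssh

    case "$role" in
        source)
            # Source end of the channel: public key and private key (claim 3).
            if [ -z "$SSH_PRIVATE_KEY_B64" ] || [ -z "$SSH_PUBLIC_KEY_B64" ]; then
                echo "install_ssh_keys: source role needs both keys" >&2
                return 1
            fi
            printf '%s' "$SSH_PRIVATE_KEY_B64" | base64 -d > "$ssh_dir/id_rsa" || return 1
            printf '%s' "$SSH_PUBLIC_KEY_B64"  | base64 -d > "$ssh_dir/id_rsa.pub" || return 1
            chmod 600 "$ssh_dir/id_rsa"        # ssh refuses a private key readable by others
            chmod 644 "$ssh_dir/id_rsa.pub"
            ;;
        destination)
            # Destination end: only the public key (claim 4). It is written as
            # authorized_keys, the file sshd consults, matching the layout the
            # page gives for physical and virtual machines.
            if [ -z "$SSH_PUBLIC_KEY_B64" ]; then
                echo "install_ssh_keys: destination role needs the public key" >&2
                return 1
            fi
            printf '%s' "$SSH_PUBLIC_KEY_B64" | base64 -d > "$ssh_dir/authorized_keys" || return 1
            chmod 600 "$ssh_dir/authorized_keys"
            ;;
        *)
            echo "install_ssh_keys: unknown role '$role'" >&2
            return 1
            ;;
    esac

    # The decoded files are now the only copy this process needs. Clearing
    # the variables keeps child processes started by the entrypoint from
    # inheriting key material; the container's configured environment itself
    # stays visible to anyone who can inspect the container on the host,
    # which is why the file permissions above matter.
    unset SSH_PRIVATE_KEY_B64 SSH_PUBLIC_KEY_B64
    return 0
}

# Typical entrypoint use (uncomment in a real image):
#   install_ssh_keys "$SSH_ROLE" "$HOME" || exit 1
#   exec "$@"
```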
A second embodiment of the present application provides a method for deploying a docker container with a secure channel configuration requirement, where a schematic flow chart is shown in fig. 3, and the method includes the following steps:
step S201, a request for deploying a docker container with a secure channel configuration requirement is obtained.
When a secure channel needs to be established between different user spaces in a cluster, the user spaces include a docker container, that is, the docker container can be used as a source end and a destination end of the secure channel.
In this step, a request for deploying a docker container to a designated host in the cluster is obtained, where the docker container needs to establish a secure channel with other user spaces in the cluster. In this embodiment, an SSH secure channel is taken as an example. The key required by the SSH secure channel is an RSA key that has already been generated.
Step S202, a key corresponding to the attribute of the secure channel of the docker container is encoded, and an encoded text of the key corresponding to the attribute of the secure channel of each docker container is obtained.
In this step, for the docker container as the source end of the SSH secure channel, both the public key and the private key are encoded to obtain an encoded text of the public key and an encoded text of the private key. And for the docker container serving as the destination of the SSH secure channel, encoding the public key to obtain an encoded text of the public key. For specific operations, reference may be made to the description in step S103 in the first embodiment of the present application, which is not described herein again.
Step S203, the coded text of the key corresponding to the attribute of the secure channel of the docker container is put into the environment variable of the docker container.
The specific operation in this step may refer to the description in step S103 in the first embodiment of this application, which is not described herein again.
And step S204, deploying the docker container with the environment variable to a pre-designated host.
The specific operation in this step may refer to the description in step S103 in the first embodiment of this application, which is not described herein again.
A third embodiment of the present application provides a method for starting a docker container with a secure channel configuration, where a schematic flow chart is shown in fig. 4, and the method includes the following steps:
Step S301, starting the docker container.
After the docker container with the secure channel configuration is deployed to a host, the docker container is started. The secure channel configuration includes the required keys, which are present in the environment variables of the docker container in the form of encoded text. The secure channel is an SSH secure channel. The key is an RSA algorithm key.
Step S302, decoding the encoded text of the key contained in the environment variable of the docker container to obtain the key.
After the docker container with the secure channel configuration is started, the encoded text of the key carried in the environment variable of the docker container is decoded to obtain the corresponding key.
For the specific operation in this step, reference may be made to the corresponding description in step S104 in the first embodiment of the present application, which is not described herein again.
Step S303, storing the key into the docker container.
The key obtained by decoding is stored in the corresponding file of the docker container. For the specific operation, reference may be made to the description of step S104 in the first embodiment of the present application, which is not described herein again.
A fourth embodiment of the present application provides an apparatus for establishing a secure channel in a cluster, a block diagram of which is shown in fig. 5, including: an acquisition unit U401, a key generation unit U402, a transmission unit U403, a storage unit U404, and a creation unit U405.
The obtaining unit U401 is configured to obtain a request for establishing a secure channel between each designated user space in the designated cluster.
The user space includes a docker container.
The key generation unit U402 is configured to generate a key pair of the secure channel corresponding to the request, where the key pair includes a public key and a private key.
The key generation unit may be specifically configured to generate a key pair of the secure channel corresponding to the request, where the key pair includes a public key and a private key.
The transmitting unit U403 is configured to transmit the key required by each designated user space to each designated user space in a form corresponding to the corresponding user space.
For the case where the user space is a docker container, the transmitting unit may include: a coding subunit, a placing subunit, and a deployment subunit.
The coding subunit is used for coding the key corresponding to the attribute of the secure channel of each designated docker container to obtain a coded text of the key corresponding to the attribute of the secure channel of each docker container;
the placing subunit is used for placing the coded text of the key corresponding to the attribute of the secure channel of each docker container into the environment variable of the corresponding docker container;
the deployment subunit is configured to deploy the designated docker containers with the environment variables to pre-designated host machines in the cluster;
The storage unit U404 is configured to store the key required by each designated user space, in the corresponding form, to that designated user space.
For the case where the user space is a docker container, the storage unit may include: a decoding subunit and a storage subunit.
The decoding subunit is configured to decode, after the designated docker containers are started, encoded texts of the keys included in the environment variables of the designated docker containers to obtain keys;
and the storage subunit is used for storing the key obtained by decoding into a corresponding designated docker container.
The establishing unit U405 is configured to establish a secure channel between the respective designated user spaces by using the key.
A fifth embodiment of the present application provides an apparatus for deploying a docker container with a secure channel configuration requirement, where a block diagram of the apparatus is shown in fig. 6, and the apparatus includes: the device comprises an acquisition unit U501, an encoding unit U502, a configuration unit U503 and a deployment unit U504.
The obtaining unit U501 is configured to obtain a request for deploying a docker container with a secure channel configuration requirement.
The encoding unit U502 is configured to encode a key corresponding to an attribute of the secure channel of the docker container, to obtain an encoded text of the key corresponding to the attribute of the secure channel of each docker container.
The configuration unit U503 is configured to put an encoded text of a key corresponding to an attribute of the secure channel of the docker container into an environment variable of the docker container.
The deployment unit U504 is configured to deploy the docker container with the environment variable to a pre-designated host.
A sixth embodiment of the present application provides an apparatus for starting a docker container with a secure channel configuration, whose structural block diagram is shown in fig. 7, including: a start-up unit U601, a decoding unit U602 and a storage unit U603.
The starting unit U601 is used for starting the docker container;
the decoding unit U602 is configured to decode an encoded text of a key included in the environment variable of the docker container to obtain a key;
the storage unit U603 is configured to store the key in the docker container.
Although the present application has been described with reference to the preferred embodiments, it is not intended to limit the present application, and those skilled in the art can make variations and modifications without departing from the spirit and scope of the present application, therefore, the scope of the present application should be determined by the claims that follow.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, computer readable media does not include transitory computer readable media (transitory media), such as modulated data signals and carrier waves.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.

Claims (17)

1. A method for establishing a secure channel in a cluster, comprising the steps of:
acquiring a request for establishing a secure channel between each designated user space in a designated cluster;
generating a key pair of a secure channel corresponding to the request, wherein the key pair comprises a public key and a private key;
transmitting a key required by each designated user space to each designated user space in a form corresponding to the corresponding user space;
storing the key corresponding to the corresponding form of the key to each appointed user space;
establishing a secure channel between the respective designated user spaces using the key.
2. The method of claim 1, wherein the user space comprises a docker container;
accordingly, the transmitting the key required for each designated user space to each designated user space in a form corresponding to the corresponding user space includes:
coding the key corresponding to the attribute of the secure channel of each designated docker container to obtain a coded text of the key corresponding to the attribute of the secure channel of each docker container;
putting the coded text of the key corresponding to the attribute of the secure channel of each docker container into the environment variable of the corresponding docker container;
deploying the designated docker containers with the environment variables to pre-designated host machines in the cluster;
the storing the key corresponding to the required corresponding form of the key to each designated user space includes:
after each appointed docker container is started, decoding the coded text of the key contained in the environment variable of each appointed docker container to obtain the key;
and storing the key obtained by decoding into a corresponding designated docker container.
3. The method of claim 2, wherein the attributes of the secure channel comprise: a source end of the secure channel;
accordingly, the encoded text of the key includes encoded text of a public key and encoded text of a private key.
4. The method of claim 2, wherein the attributes of the secure channel comprise: a destination end of the secure channel;
accordingly, the encoded text of the key comprises an encoded text of a public key.
5. The method of claim 1, wherein the user space comprises a virtual machine or a physical machine;
accordingly, the transmitting the key required for each designated user space to each designated user space in a form corresponding to the corresponding user space includes:
transmitting a key corresponding to the attribute of the secure channel of each designated virtual machine or physical machine to the corresponding virtual machine or physical machine;
the storing the key corresponding to the required corresponding form of the key to each designated user space includes:
and storing the key corresponding to the attribute of the secure channel of each specified virtual machine or physical machine to the corresponding virtual machine or physical machine.
6. The method of claim 1, wherein the secure channel comprises an SSH secure channel.
7. The method of claim 1, wherein the key pair is a key pair.
8. A method for deploying a docker container with secure channel configuration requirements, comprising the steps of:
acquiring a request for deploying a docker container with a secure channel configuration requirement;
coding the key corresponding to the attribute of the secure channel of the docker container to obtain a coded text of the key corresponding to the attribute of the secure channel of each docker container;
placing an encoding text of a key corresponding to the attribute of the secure channel of the docker container into an environment variable of the docker container;
and deploying the docker container with the environment variable to a pre-designated host.
9. The method of deploying a docker container with secure channel configuration requirements of claim 8, wherein the attributes of the secure channel of the docker container include a source end of the secure channel,
accordingly, the encoded text of the key includes encoded text of a public key and encoded text of a private key.
10. The method for deploying a docker container with secure channel configuration requirements of claim 8, wherein the attributes of the secure channel of the docker container include a destination of the secure channel,
accordingly, the encoded text of the key comprises an encoded text of a public key.
11. The method for deploying a docker container with secure channel configuration requirements of claim 8, wherein the secure channel comprises an SSH secure channel.
12. A method of starting a docker container with a secure channel configuration, comprising the steps of:
starting the docker container;
decoding the coded text of the secret key contained in the environment variable of the docker container to obtain the secret key;
storing the key to the docker container.
13. An apparatus for establishing a secure channel in a cluster, comprising:
an acquisition unit, configured to acquire a request for establishing a secure channel between each designated user space in a designated cluster;
a key generation unit, configured to generate a key pair of a secure channel corresponding to the request, where the key pair includes a public key and a private key;
a transmitting unit for transmitting a key required for each designated user space to each designated user space in a form corresponding to the corresponding user space;
a storage unit, configured to store the key corresponding to the required key in the corresponding form to each of the designated user spaces;
and the establishing unit is used for establishing a secure channel between the designated user spaces by using the key.
14. The apparatus of claim 13, wherein the user space comprises a docker container, and the transmitting unit comprises:
the coding subunit is used for coding the key corresponding to the attribute of the secure channel of each designated docker container to obtain a coded text of the key corresponding to the attribute of the secure channel of each docker container;
the placing subunit is used for placing the coded text of the key corresponding to the attribute of the secure channel of each docker container into the environment variable of the corresponding docker container;
the deployment subunit is used for deploying the designated docker containers with the environment variables to the pre-designated host machines in the cluster;
the storage unit includes:
the decoding subunit is used for decoding the coded text of the key contained in the environment variable of each appointed docker container to obtain the key after each appointed docker container is started;
and the storage subunit is used for storing the decoded key into a corresponding designated docker container.
15. The apparatus for establishing a secure channel in a cluster according to claim 13, wherein the key generation unit is specifically configured to generate a key pair of the secure channel corresponding to the request, and the key pair includes a public key and a private key.
16. An apparatus for deploying a docker container with secure channel configuration requirements, comprising:
an acquisition unit, configured to acquire a request for deploying a docker container with a secure channel configuration requirement;
the encoding unit is used for encoding the key corresponding to the attribute of the secure channel of each docker container to obtain an encoded text of the key corresponding to the attribute of the secure channel of each docker container;
the configuration unit is used for putting the coded text of the key corresponding to the attribute of the secure channel of the docker container into the environment variable of the docker container;
and the deployment unit is used for deploying the docker container with the environment variable to a pre-designated host.
17. An apparatus for starting a docker container with a secure channel configuration, comprising:
the starting unit is used for starting the docker container;
the decoding unit is used for decoding the coded text of the key contained in the environment variable of the docker container to obtain the key;
and the storage unit is used for storing the secret key into the docker container.
CN201611052641.7A 2016-11-24 2016-11-24 Method and device for establishing security channel in cluster Active CN108111469B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201611052641.7A CN108111469B (en) 2016-11-24 2016-11-24 Method and device for establishing security channel in cluster
PCT/CN2017/110785 WO2018095240A1 (en) 2016-11-24 2017-11-14 Method and device for establishing secure channel in cluster

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611052641.7A CN108111469B (en) 2016-11-24 2016-11-24 Method and device for establishing security channel in cluster

Publications (2)

Publication Number Publication Date
CN108111469A CN108111469A (en) 2018-06-01
CN108111469B true CN108111469B (en) 2020-06-02

Family

ID=62195670

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611052641.7A Active CN108111469B (en) 2016-11-24 2016-11-24 Method and device for establishing security channel in cluster

Country Status (2)

Country Link
CN (1) CN108111469B (en)
WO (1) WO2018095240A1 (en)


Also Published As

Publication number Publication date
WO2018095240A1 (en) 2018-05-31
CN108111469A (en) 2018-06-01


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant