CN108205623B - Method and apparatus for sharing a directory - Google Patents

Method and apparatus for sharing a directory

Info

Publication number
CN108205623B
Authority
CN
China
Prior art keywords
container
directory
information
category
shared
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201611166297.4A
Other languages
Chinese (zh)
Other versions
CN108205623A (en)
Inventor
杨书奎
黄强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN201611166297.4A
Publication of CN108205623A
Application granted
Publication of CN108205623B
Legal status: Active (current)
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F 21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow, by executing in a restricted environment, e.g. sandbox or secure virtual machine

Abstract

The embodiment of the invention provides a method and an apparatus for sharing a directory. The method comprises: obtaining sharing parameter information, where the sharing parameter information comprises a shared category set and shared directory information, the shared category set comprises at least one category, and the shared directory information indicates that each container of a plurality of containers mounts a target directory in a target host; updating the category information in the security context of the target directory to the shared category set according to the shared directory information; and creating each container of the plurality of containers according to the sharing parameter information, such that the category information in the created security context of each container includes the shared category set, so that each container of the plurality of containers can mount and access the target directory. The invention thus enables a plurality of containers to share access to a directory in the target host.

Description

Method and apparatus for sharing a directory
Technical Field
The embodiment of the invention relates to the field of computers, in particular to a method and a device for sharing a directory.
Background
A container resembles a virtual machine: it is a software sandbox and a security mechanism that provides an isolated environment for running programs and strictly controls the resources those programs can access.
The Linux namespace isolation mechanism provides a good foundation for container-based virtualization. Once container technology isolates with namespaces, host resources other than the kernel, such as the UTS (hostname and domain name) namespace, inter-process communication, the file system (mount) namespace and process identifiers (PID), are no longer global but belong to specific namespaces, and the resources in one namespace are invisible to other namespaces. Containers rely on this property to isolate resources: processes in different containers belong to different namespaces, are invisible to each other and do not interfere with each other.
In addition, Security-Enhanced Linux (SELinux) has been adapted to Docker, i.e. SELinux policy is applied to Docker containers, which strengthens the namespace isolation between containers.
However, when multiple containers share the same kernel, isolation and security are incomplete, and users face many security issues; for example, a process running in one container may obtain information about, or the user privileges of, processes running in other containers.
Existing Docker lets a container mount a target directory of the target host through the -v interface: for example, -v /host:/tmp mounts the /host directory of the target host at the /tmp directory of the container. In that case only the target directory is mounted, and only a container whose security-context category information includes the categories of the target directory can access it.
Docker can also mount the target directory by adding the Z parameter to the -v interface, i.e. -v /host:/tmp:Z mounts the /host directory of the target host at the /tmp directory of the container and updates the category information in the security context of the /host directory to the categories of that container, for example c12,c13.
However, if multiple containers mount the same directory in this way, the security context of the /host directory is determined by the Z parameter of the last container that mounted it, so only that last container can access /host, and shared access to /host by multiple containers is not achieved.
Disclosure of Invention
The application provides a method and a device for sharing a directory, which can realize that a plurality of containers share and access the directory in a target host.
In a first aspect, the present application provides a method for sharing a directory, the method comprising:
obtaining sharing parameter information, where the sharing parameter information comprises a shared category set and shared directory information, the shared category set comprises at least one category, and the shared directory information indicates that each container of a plurality of containers mounts a target directory in a target host;
updating the category information in the security context of the target directory to the shared category set according to the shared directory information; and
creating each container of the plurality of containers according to the sharing parameter information, such that the category information in the created security context of each container includes the shared category set, so that each container of the plurality of containers can mount and access the target directory.
According to this method for sharing a directory, sharing parameter information is obtained that comprises a shared category set of at least one category and shared directory information for each of a plurality of containers to mount a target directory in a target host; the category information of the target directory is updated to the shared category set; and the plurality of containers are created according to the sharing parameter information so that the category information of each container includes the shared category set, whereupon all of the containers can mount and access the target directory.
With reference to the first aspect, in a first possible implementation manner of the first aspect, the creating each container in the multiple containers according to the shared category set, where the category information in the created security context of each container includes the shared category set, includes: obtaining an initial category set randomly generated by a daemon for a first container in the plurality of containers, wherein the initial category set comprises at least one category; determining category information in the security context of the first container according to the shared category set and the initial category set, wherein the category information in the security context of the first container comprises the shared category set and the initial category set; the first container is created according to category information in the security context of the first container.
Optionally, the SELinux module may update the category information in the security context of the first container to the shared category set itself, or to a set that includes it, and create the first container according to the updated security context; this application does not limit which.
It should be understood that the first container may be any one of a plurality of containers created by the daemon.
It should also be understood that when creating a container, the daemon will randomly generate at least one category for the container, and typically will randomly generate two categories for the container.
As an alternative embodiment, the SELinux module may obtain a target category set by taking a union of the initial category set and the shared category set, update the category information in the security context of the first container to the target category set, and create the first container according to the target category set in the security context of the first container.
According to this method for sharing a directory, when the plurality of containers are created, the category information of each container is updated to the target category set, so that the containers can jointly access the target directory while still remaining isolated from one another, which keeps security high.
With reference to the first aspect, in a second possible implementation manner of the first aspect, the creating each container in the multiple containers according to the shared category set, where the category information in the created security context of each container includes the shared category set, includes: updating the category information in the security context of each of the plurality of containers to the shared category set; each container of the plurality of containers is created according to category information in a security context of each container of the plurality of containers.
As an alternative embodiment, the SELinux module may directly update the category information in the security context of each of the multiple containers to a shared category set in the security context of the target directory, and create each of the multiple containers according to the shared category set.
According to the method for sharing the directory, when the plurality of containers are created, the category information of each container in the plurality of containers is updated to the category information of the target directory, so that the plurality of containers can commonly access the target directory.
With reference to the first aspect, the first or second possible implementation manner of the first aspect, in a third possible implementation manner of the first aspect, the obtaining shared parameter information includes: and receiving a shared directory request sent by a client, wherein the shared directory request carries the shared parameter information.
Optionally, the shared parameter information may be preconfigured in the SELinux module, or acquired from other units or devices when the daemon creates a container, which is not limited in this application.
As an alternative embodiment, the target host may pre-configure the shared parameter information used when creating the container and use the pre-configured shared parameter information when creating the container.
As another optional embodiment, the target host may receive a shared directory request sent by a client or other device for requesting multiple containers to simultaneously access a target directory in the target host, and carry the shared parameter information in the shared directory request, and create the multiple containers according to the shared directory request.
The method for sharing the directory can flexibly achieve the purpose that the target directory is shared by the multiple containers according to the requirements of the client.
With reference to the first aspect and any one possible implementation manner of the first to third possible implementation manners of the first aspect, in a fourth possible implementation manner of the first aspect, the shared directory information includes an identifier of the target directory and interface information used by each of the plurality of containers to mount the target directory; or, the shared directory information includes an identifier of the target directory, interface information used by each of the plurality of containers to mount the target directory, and an identifier of a mount directory in each of the plurality of containers to mount the target directory.
Optionally, each container of the plurality of containers may mount the target directory in the target host through the -v interface and the Z parameter indicated in the interface information.
Optionally, the target directory in the target host may be mounted at a /host directory of each container, or the mount directory of the container may be specified, for example as /mount, so that the target directory of the target host is mounted at the /mount directory of each container; this embodiment of the present application does not limit the mount directory.
According to this method for sharing a directory, the target directory in the target host, the mount directory in the container and the interface through which the container mounts the target directory can all be specified by the shared directory information, which offers high flexibility.
In a second aspect, the present application provides an apparatus for sharing a directory, configured to perform the method of the first aspect or any possible implementation manner of the first aspect. In particular, the apparatus comprises means for performing the method of the first aspect described above or any possible implementation manner of the first aspect.
In a third aspect, the present application provides an apparatus for sharing a directory, the apparatus comprising: a memory, a processor, an input/output interface, and a communication interface. Wherein, the memory, the processor, the input/output interface and the communication interface communicate with each other through the internal connection path to transmit control and/or data signals, the memory is used for storing instructions, the processor is used for executing the instructions stored by the memory, when the instructions are executed, the processor executes the method of the first aspect through the communication interface and controls the input/output interface to receive input data and information and output data such as operation results.
In a fourth aspect, the present application provides a computer-readable medium for storing a computer program comprising instructions for performing the method of the first aspect or any possible implementation manner of the first aspect.
Drawings
FIG. 1 illustrates an example Docker system architecture for a method of sharing a directory according to an embodiment of the present invention;
FIG. 2 illustrates an example of a Docker system architecture for another method of sharing a directory according to an embodiment of the present invention;
FIG. 3 shows a schematic flow chart of a method for sharing a directory according to an embodiment of the invention;
FIG. 4 shows a schematic flow chart diagram of another method for sharing a directory according to an embodiment of the present invention;
FIG. 5 shows a schematic block diagram of an apparatus for sharing a directory according to an embodiment of the present invention;
FIG. 6 is a schematic block diagram illustrating another apparatus for sharing a directory according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be described below with reference to the drawings in the embodiments of the present invention.
Fig. 1 shows an example of a Docker system architecture of a method for sharing a directory according to an embodiment of the present invention, where the system architecture includes a client 110, a daemon 120, a SELinux module 130, a target directory 140 in a target host, and multiple containers (a container 150 and a container 160 are shown in the figure).
The Client 110 may be, for example, a Docker Client; the Daemon 120 may be, for example, a Docker Daemon; and the SELinux module 130 may be coupled into the Docker Daemon, i.e. it may be a module of the Docker Daemon that is able to write the security context of a container and to create the container, which the embodiment of the present invention does not limit.
It should be understood that in the Docker architecture shown in fig. 1, the Docker Daemon, the container, and the target directory of the host may be on one physical host, or may be on one virtual machine. The Docker Client and Docker Daemon may be on one physical host or virtual machine, or may be on different physical hosts or virtual machines, which is not specifically limited in this embodiment of the present invention.
A user may establish communication with the Docker Daemon via the Docker Client and send it requests, which may include container access requests, container operation requests and so on. The Docker Daemon, as the main body of the Docker system architecture, receives the request sent by the Docker Client and passes it to the SELinux module within the Docker Daemon; according to the shared parameter information in the Docker Client's request, the SELinux module writes the security context of the target directory in the target host and the security contexts of the multiple containers, and creates the containers.
After the SELinux module has written a container's security context according to the sharing parameter information, the container can be created, and it then has an independent file system and an independent, relatively secure execution environment.
It should be further understood that fig. 1 only shows various modules related to the embodiment of the present invention in a Docker system architecture for sharing a directory, and the system architecture shown in fig. 1 may further include other modules in the Docker system architecture, which is not specifically limited by the embodiment of the present invention.
It should be noted that the SELinux module may update the security context of each of the multiple containers and of the target directory in the target host one after another, using the prior-art write operation on the security context of a container or of a host directory, or it may update the security contexts of the multiple containers and of the target directory at the same time in some other manner; the embodiment of the present invention does not specifically limit this.
Fig. 2 is a schematic block diagram of a Docker system architecture for another method for sharing a directory according to an embodiment of the present invention. It should be understood that the modules in the Docker architecture shown in fig. 2 have the same functions as those shown in fig. 1, that again only the part of the Docker architecture relevant to the embodiment is shown, and that the functional modules not shown may be the same as in the current Docker architecture. For brevity, reference is made to the description above, which is not repeated here.
As can be seen from the Docker architecture shown in fig. 2, SELinux module 240 may be decoupled from daemon 220, i.e., independent from daemon 220, and included in other runtime, e.g., may be located in runc (runtime 230 is shown).
It should be understood that the architectures shown in fig. 1 and fig. 2 may be modified; for example, the daemon and the runtime may be two independent processes while a dedicated SELinux module is a piece of logic within the runtime process. The embodiment of the present invention does not specifically limit the Docker architectures shown in fig. 1 and fig. 2.
Fig. 3 shows a schematic flow chart of a method for sharing a directory provided by an embodiment of the present invention. The method shown in fig. 3 may be performed by the SELinux module in fig. 1 or fig. 2.
S310, obtaining sharing parameter information, where the sharing parameter information comprises a shared category set and shared directory information, the shared category set comprises at least one category, and the shared directory information indicates that each container of a plurality of containers mounts a target directory in a target host.
S320, updating the category information in the security context of the target directory into the shared category set according to the shared directory information.
S330, creating each container in the multiple containers according to the sharing parameter information, wherein the category information in the created security context of each container comprises the sharing category set, so that each container in the multiple containers is mounted and accesses the target directory.
In the method for sharing a directory provided in the embodiment of the present invention, by obtaining sharing parameter information, where the sharing parameter information includes a sharing category set composed of at least one category and sharing directory information for each container in a plurality of containers to mount a target directory in a target host, the category information of the target directory is updated to the sharing category set, and a plurality of containers are created according to the sharing parameter information, so that the category information of each container in the plurality of containers includes the sharing category set, and the plurality of containers can access and mount the target directory.
It should be understood that, under SELinux, each container may run one or more processes and hold files, and every process and file carries its own SELinux security context. A security context has the form user:role:type:level, where the level is a sensitivity optionally followed by a set of categories. The user is analogous to a Linux user identity (UID) and identifies and records the subject's identity; the role is analogous to a group identity (GID) and groups subjects that share a set of permissions, different roles carrying different rights; the type confines a process to a least-privilege environment, and the type of a running process is also called its domain; the sensitivity level is currently defined as s0 to s15, higher values being more sensitive; and the category component, which is optional, is an unordered set of categories drawn from the currently defined c0 to c1023 (this is SELinux Multi-Category Security, MCS, which is what Docker uses to separate containers from one another).
For example, a category set may be written "c12,c34" or "c0.c1023", where "," joins individual categories and "." denotes a range: "c12,c34" is the set consisting of c12 and c34, and "c0.c1023" is the range c0, c1, c2, …, c1023.
It should also be understood that the category set of the Docker Daemon is "c0.c1023". The category set in the security context of a newly created container has the form "cx,cy", where x and y are assigned at random and different containers receive different values of x and y.
It should also be understood that, if the user:role:type:level part of two security contexts is the same, SELinux enforces at the kernel level that a process p may access a process (or file) only if that process's (or file's) category set is a subset of p's category set. The relation is not symmetric: a process whose category set is not a superset of the target's is denied.
For example, since "c12,c34" is a subset of "c0.c1023", a process with category set "c0.c1023" can access a process with category set "c12,c34", but not the other way round.
For another example, since neither of "c12,c34" and "c11,c22" is a subset of the other, a process with category set "c12,c34" and a process with category set "c11,c22" cannot access each other. The embodiments of the invention are not limited to these examples.
Specifically, in S330, the SELinux module may update the category information in the security context of each container of the plurality of containers to the shared category set, and create each container according to the category information in its security context.
As an alternative embodiment, the SELinux module may directly update the category information in the security context of the first container in the plurality of containers to the shared category set, and create the first container according to the shared category set.
It should be understood that the first container may be any one of a plurality of containers created by the daemon.
According to the method for sharing the directory provided by the embodiment of the invention, the category information of each container in the plurality of containers is updated to the category information of the target directory, so that the plurality of containers can commonly access the target directory.
Specifically, in S330, the SELinux module may instead obtain an initial category set randomly generated by the daemon for a first container of the multiple containers, the initial category set comprising at least one category; determine the category information in the security context of the first container from the shared category set and the initial category set, so that the category information in the security context of the first container comprises both the shared category set and the initial category set; and create the first container according to the category information in its security context.
Optionally, the SELinux module may update the category information of the security context of the first container to the shared category set itself, or to a set that includes it; this embodiment of the present invention does not limit which.
It should be understood that when creating a container, the daemon will randomly generate at least one category for the container, and typically will randomly generate two categories for the container.
As an alternative embodiment, the SELinux module may merge the initial category set and the shared category set to obtain a target category set, update the category information in the security context of the first container to the target category set, and create the first container according to the target category set.
According to the method for sharing a directory provided by the embodiment of the invention, the category information of each container of the plurality of containers is updated to the target category set, so that the containers can jointly access the target directory while still remaining isolated from one another, which keeps security high.
Optionally, in S310, the shared parameter information may be preconfigured in the SELinux module, or acquired from another unit or device when the daemon creates a container; this embodiment of the present invention does not limit the source.
As an alternative embodiment, the target host may pre-configure the shared parameter information used when creating the container and use the pre-configured shared parameter information when creating the container.
As another alternative embodiment, the target host may receive a shared directory request sent by a client or other device for requesting multiple containers to simultaneously access a target directory in the target host, and carry the shared parameter information in the shared directory request, which is not limited in this embodiment of the present invention.
The method for sharing the directory provided by the embodiment of the invention can flexibly realize that a plurality of containers share the target directory according to the requirements of the client.
Optionally, in S330, the shared directory information includes an identifier of the target directory and interface information used by each container in the plurality of containers to mount the target directory; or, the shared directory information includes an identifier of the target directory, interface information used by each of the plurality of containers to mount the target directory, and an identifier of a mount directory in each of the plurality of containers to mount the target directory.
Optionally, each container of the plurality of containers may mount the target directory in the target host through the -v interface and the Z parameter indicated in the interface information.
Optionally, the target directory in the target host may be mounted at a /host directory of each container, or the mount directory of the container may be specified, for example as /mount, so that the target directory of the target host is mounted at the /mount directory of each container; this embodiment of the present invention does not limit the mount directory.
The method for sharing a directory provided by the embodiment of the invention can specify, through the shared directory information, the target directory in the target host, the mount directory in the container and the interface through which the container mounts the target directory, and so offers high flexibility.
Fig. 4 is a schematic flow chart of another method for sharing a directory according to an embodiment of the present invention. The method shown in fig. 4 applies to the system architecture shown in fig. 1 or fig. 2. It should be understood that fig. 4 shows detailed steps or operations of a method for sharing a directory, but these steps or operations are only examples: embodiments of the present invention may perform other operations, or variants of the operations in fig. 4. Moreover, the steps in fig. 4 may be performed in an order different from that presented in fig. 4, and not all of the operations in fig. 4 need be performed. The method steps shown in fig. 4 are described in detail below.
S410, a client sends a shared directory request to a SELinux module, wherein the shared directory request carries shared parameter information, the shared parameter information comprises a first category set and shared directory information, the first category set comprises "c11, c22", and the shared directory information indicates that the /host directory of the target host is mounted through the -v interface and the Z parameter.
Optionally, the shared directory information may further include a mount directory in the first container and the second container for mounting the target directory in the target host, which may be /temp, for example.
Alternatively, the shared directory information may be represented as -v /dir1:/dir2:Z, where /dir1 represents the name of the shared directory in the target host and /dir2 represents the name of the mount directory in the container; for example, the /host directory in the target host may be mounted to the /temp directory in the container via -v /host:/temp:Z, that is, via the -v interface and the Z parameter.
Optionally, the shared parameter information may be represented as -v /dir1:/dir2:Z:cx,cy, where /dir1 represents the name of the shared directory in the target host, /dir2 represents the name of the mount directory in the container, and cx,cy represents the shared category set. For example, -v /host:/temp:Z:c11,c12 represents mounting the /host directory in the target host into the container via the -v interface and the Z parameter, with the shared category set being c11, c12, which is not limited by the embodiments of the present invention.
S420, the SELinux module updates the category information of the security context of the first container to the union of the first initial category set and "c11, c22" according to the shared directory request, and creates the first container according to the security context of the first container.
The first initial category set includes two categories randomly generated by the SELinux module for the first container; if the two categories are "c6, c8", the category information in the security context of the first container after creation is "c6, c8, c11, c22".
S430, the SELinux module updates the category information of the security context of the second container to the union of the second initial category set and "c11, c22" according to the shared directory request, and creates the second container according to the security context of the second container.
The second initial category set includes two categories randomly generated by the SELinux module for the second container; if the two categories are "c5, c7", the category information in the security context of the second container after creation is "c5, c7, c11, c22".
S440, the SELinux module changes the category information of the security context of the /host directory in the target host from "c0.c1023" to "c11, c22" according to the shared directory request.
It should be understood that S420, S430 and S440 need not be executed in the order listed.
It should also be understood that after the SELinux module completes S420, S430 and S440, the category information of the security context of the /host directory is "c11, c22", the category information of the security context of the first container is "c6, c8, c11, c22", and the category information of the security context of the second container is "c5, c7, c11, c22"; that is, the updated category information in the security context of the /host directory is a subset of the category information of the first container and a subset of the category information of the second container.
S450, the first container accesses the target directory according to the shared directory information.
S460, the second container accesses the target directory according to the shared directory information.
Specifically, the first container and the second container may mount the target directory according to the target directory, the mount directory, and the mount manner indicated in the shared directory information.
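The following Python model is an added example for this page, not code from the patent: it applies the MCS rule the steps S410 to S460 rely on, namely that a process may access a file only when the file's category set is a subset of the process's category set. The parser for the "-v /dir1:/dir2:Z:cx,cy" form, the class and function names, and the two-category random choice are assumptions of the example; the request and category values are constructed.

```python
import random
import re
from dataclasses import dataclass, field

# Added example for this page, not code from the patent: a toy model of the
# SELinux MCS category scheme in S410-S460.  Class and function names and the
# "-v /dir1:/dir2:Z:cx,cy" parser are assumptions of the example.

CAT_RE = re.compile(r"^c(\d+)(?:\.c(\d+))?$")


def parse_categories(spec: str) -> frozenset:
    """Parse MCS category text such as "c11, c22" or "c0.c1023" (a range)
    into a set of category numbers."""
    cats = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        m = CAT_RE.match(part)
        if not m:
            raise ValueError(f"bad category: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo or hi > 1023:
            raise ValueError(f"bad category range: {part!r}")
        cats.update(range(lo, hi + 1))
    return frozenset(cats)


@dataclass(frozen=True)
class SharedParams:
    host_dir: str           # /dir1: target directory in the target host
    mount_dir: str          # /dir2: mount directory inside each container
    shared_cats: frozenset  # cx,cy: the shared category set


def parse_shared_params(arg: str) -> SharedParams:
    """Parse the extended "-v /dir1:/dir2:Z:cx,cy" form carried by the request (S410)."""
    if arg.startswith("-v "):
        arg = arg[3:]
    fields = arg.split(":", 3)
    if len(fields) != 4 or fields[2] != "Z":
        raise ValueError("expected /dir1:/dir2:Z:cx,cy")
    host_dir, mount_dir, _, cats = fields
    shared = parse_categories(cats)
    if not shared:
        raise ValueError("shared category set must not be empty")
    return SharedParams(host_dir, mount_dir, shared)


@dataclass
class SELinuxModel:
    """Toy SELinux module tracking the category sets of files and containers."""
    file_cats: dict = field(default_factory=dict)
    container_cats: dict = field(default_factory=dict)

    @staticmethod
    def initial_categories(rng: random.Random) -> frozenset:
        """The daemon picks two random categories per container (S420/S430)."""
        return frozenset(rng.sample(range(1024), 2))

    def share_directory(self, params: SharedParams, names, rng=None) -> None:
        rng = rng or random.Random()
        # S440: narrow the directory's label from the full range to the shared set,
        # so containers that were not given the shared set cannot dominate it.
        self.file_cats[params.host_dir] = params.shared_cats
        for name in names:
            # S420/S430: container categories = random initial set | shared set.
            self.container_cats[name] = self.initial_categories(rng) | params.shared_cats

    def can_access(self, container: str, path: str) -> bool:
        """MCS dominance: the file's categories must be a subset of the process's."""
        return self.file_cats.get(path, frozenset()) <= self.container_cats.get(container, frozenset())


def demo() -> dict:
    """Run S410-S460 for two shared containers plus one container outside the share."""
    sel = SELinuxModel()
    sel.file_cats["/host"] = parse_categories("c0.c1023")       # label before S440
    params = parse_shared_params("-v /host:/temp:Z:c11,c22")   # constructed request
    sel.share_directory(params, ["first", "second"], random.Random(7))
    sel.container_cats["third"] = parse_categories("c3,c4")    # never given the shared set
    return {n: sel.can_access(n, "/host") for n in ("first", "second", "third")}
```

Running demo() shows that only the two containers whose contexts contain the shared set can access /host after relabeling, while the same containers would be refused by the directory's original c0.c1023 label.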
The method for sharing the directory according to the embodiment of the present invention is described in detail above with reference to fig. 3 and 4, and the apparatus for sharing the directory according to the embodiment of the present invention will be described below with reference to fig. 5.
Fig. 5 illustrates an apparatus 500 for sharing a directory according to an embodiment of the present invention, where the apparatus 500 includes:
an obtaining unit 510, configured to obtain shared parameter information, where the shared parameter information includes a shared category set and shared directory information, where the shared category set includes at least one category, and the shared directory information is used to indicate that each of a plurality of containers mounts a target directory in a target host;
an updating unit 520, configured to update the category information in the security context of the target directory to the shared category set according to the shared directory information obtained by the obtaining unit 510;
a creating unit 530, configured to create each container in the multiple containers according to the shared parameter information obtained by the obtaining unit 510, where the category information in the security context of each container after creation includes the shared category set, so that each container in the multiple containers can mount and access the target directory.
As an alternative embodiment, the creating unit is specifically configured to: obtaining an initial category set randomly generated by a daemon for a first container in the plurality of containers, wherein the initial category set comprises at least one category; determining category information in the security context of the first container according to the shared category set and the initial category set, wherein the category information in the security context of the first container comprises the shared category set and the initial category set; the first container is created according to category information in the security context of the first container.
As another alternative embodiment, the creating unit is specifically configured to: updating the category information in the security context of each of the plurality of containers to the shared category set; each container of the plurality of containers is created according to category information in a security context of each container of the plurality of containers.
Optionally, the obtaining unit is specifically configured to: receive a shared directory request sent by a client, wherein the shared directory request carries the shared parameter information.
Optionally, the shared directory information includes an identifier of the target directory and interface information used by each of the plurality of containers to mount the target directory; or, the shared directory information includes an identifier of the target directory, interface information used by each of the plurality of containers to mount the target directory, and an identifier of a mount directory in each of the plurality of containers to mount the target directory.
Fig. 6 is a schematic block diagram of another apparatus 600 for sharing a directory provided in accordance with an embodiment of the present invention. The apparatus 600 shown in fig. 6 comprises: memory 610, processor 620, input/output interface 630, and communications interface 640. The memory 610, the processor 620, the input/output interface 630 and the communication interface 640 communicate with each other through internal connection paths to transmit control and/or data signals, the memory 610 is used for storing instructions, and the processor 620 is used for executing the instructions stored in the memory 610 to control the input/output interface 630 to receive input data and information, output data such as operation results, and control the communication interface 640 to transmit signals.
An input/output interface 630, configured to obtain shared parameter information, where the shared parameter information includes a shared category set and shared directory information, where the shared category set includes at least one category, and the shared directory information is used to indicate that each of a plurality of containers mounts a target directory in a target host;
a processor 620, configured to update the category information in the security context of the target directory into the shared category set according to the shared directory information; creating each container in the plurality of containers according to the shared parameter information, wherein the category information in the created security context of each container comprises the shared category set, so that each container in the plurality of containers is mounted and accesses the target directory.
It should be understood that, in the embodiment of the present invention, the processor 620 may adopt a general-purpose Central Processing Unit (CPU), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits, for executing related programs to implement the technical solutions provided by the embodiments of the present invention.
It should also be appreciated that the communication interface 640 enables communication between the mobile terminal 600 and other devices or communication networks using transceiver means, such as, but not limited to, transceivers.
The memory 610 may include a read-only memory and a random access memory, and provides instructions and data to the processor 620. A portion of processor 620 may also include non-volatile random access memory. For example, the processor 620 may also store information of the device type.
In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or instructions in the form of software in the processor 620. The method for accessing the container disclosed in the embodiment of the present invention can be directly implemented by a hardware processor, or implemented by a combination of hardware and software modules in the processor. The software module may be located in RAM, flash memory, ROM, PROM, EPROM, registers, or other storage media well known in the art. The storage medium is located in the memory 610, and the processor 620 reads the information in the memory 610 and performs the steps of the above method in combination with its hardware. To avoid repetition, it is not described in detail here.
It should be understood that, in the various embodiments of the present application, the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of the processes should be determined by their functions and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present invention.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application, or the portions thereof that substantially contribute to the prior art, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other media capable of storing program code.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A method for sharing a directory, comprising:
obtaining sharing parameter information, wherein the sharing parameter information comprises a sharing classification category set and sharing directory information, the sharing classification category set comprises at least one category, and the sharing directory information is used for indicating each container in a plurality of containers to mount a target directory in a target host;
updating the category information in the security context of the target directory into the sharing classification category set according to the sharing directory information;
creating each container in the plurality of containers according to the shared parameter information, wherein the category information in the created security context of each container comprises the shared classification category set, so that each container in the plurality of containers is mounted and accesses the target directory.
2. The method according to claim 1, wherein the creating each container of the plurality of containers according to the shared category set, the category information in the created security context of each container including the shared category set, comprises:
obtaining an initial category set randomly generated by a daemon for a first container in the plurality of containers, wherein the initial category set comprises at least one category;
determining category information in a security context of the first container according to the shared category set and the initial category set, the category information in the security context of the first container including the shared category set and the initial category set;
creating the first container according to category information in a security context of the first container.
3. The method according to claim 1, wherein the creating each container of the plurality of containers according to the shared category set, the category information in the created security context of each container including the shared category set, comprises:
updating category information in a security context of each container of the plurality of containers to the shared classification category set;
creating each container of the plurality of containers according to category information in a security context of each container of the plurality of containers.
4. The method according to any one of claims 1 to 3, wherein the obtaining shared parameter information comprises:
receiving a shared directory request sent by a client, wherein the shared directory request carries the shared parameter information.
5. The method according to any one of claims 1 to 3,
the shared directory information comprises an identification of the target directory and interface information used by each container in the plurality of containers to mount the target directory;
or,
the shared directory information includes an identifier of the target directory, interface information used by each container of the plurality of containers to mount the target directory, and an identifier of a mount directory in each container to mount the target directory.
6. An apparatus for sharing a directory, comprising:
the system comprises an obtaining unit, a sharing unit and a processing unit, wherein the obtaining unit is used for obtaining sharing parameter information which comprises a sharing classification category set and sharing directory information, the sharing classification category set comprises at least one category, and the sharing directory information is used for indicating each container in a plurality of containers to mount a target directory in a target host;
the updating unit is used for updating the category information in the security context of the target directory into the sharing classification category set according to the sharing directory information acquired by the acquiring unit;
a creating unit, configured to create each container in the multiple containers according to the sharing parameter information acquired by the acquiring unit, where the category information in the security context of each created container includes the sharing classification category set, so that each container in the multiple containers is mounted and accesses the target directory.
7. The apparatus according to claim 6, wherein the creating unit is specifically configured to:
obtaining an initial category set randomly generated by a daemon for a first container in the plurality of containers, wherein the initial category set comprises at least one category;
determining category information in a security context of the first container according to the shared category set and the initial category set, the category information in the security context of the first container including the shared category set and the initial category set;
creating the first container according to category information in a security context of the first container.
8. The apparatus according to claim 6, wherein the creating unit is specifically configured to:
updating category information in a security context of each container of the plurality of containers to the shared classification category set;
creating each container of the plurality of containers according to category information in a security context of each container of the plurality of containers.
9. The apparatus according to any one of claims 6 to 8, wherein the obtaining unit is specifically configured to:
receiving a shared directory request sent by a client, wherein the shared directory request carries the shared parameter information.
10. The apparatus according to any one of claims 6 to 8,
the shared directory information comprises an identification of the target directory and interface information used by each container in the plurality of containers to mount the target directory;
or,
the shared directory information includes an identifier of the target directory, interface information used by each container of the plurality of containers to mount the target directory, and an identifier of a mount directory in each container to mount the target directory.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611166297.4A CN108205623B (en) 2016-12-16 2016-12-16 Method and apparatus for sharing a directory

Publications (2)

Publication Number Publication Date
CN108205623A CN108205623A (en) 2018-06-26
CN108205623B true CN108205623B (en) 2020-04-03

Family

ID=62601561

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20200415

Address after: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Patentee after: HUAWEI TECHNOLOGIES Co.,Ltd.

Address before: 301, A building, room 3, building 301, foreshore Road, No. 310052, Binjiang District, Zhejiang, Hangzhou

Patentee before: Huawei Technologies Co.,Ltd.