CN110007933A - Multi-tenant-oriented container image security configuration method, system, operating terminal and storage medium - Google Patents


Publication number
CN110007933A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910231947.6A
Other languages
Chinese (zh)
Inventor
孙大军
李若寒
元河清
孙晓妮
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shandong Chaoyue CNC Electronics Co Ltd
Original Assignee
Shandong Chaoyue CNC Electronics Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/575 Secure boot
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/60 Software deployment
    • G06F8/61 Installation
    • G06F8/63 Image based installation; Cloning; Build to order
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/70 Software maintenance or management
    • G06F8/71 Version control; Configuration management

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention provides a multi-tenant-oriented container image security configuration method, system, operating terminal and storage medium. A tenant uses a digital certificate private key to encrypt the image layer security information; the security information ciphertext and the tenant information are stored in the image layer; when a container is started, each layer in the image is verified; after every layer of the container passes verification, the container startup process completes. Because container images have a layered design, resources can be shared: multiple images can share the same underlying image layer, which reduces transmission time and storage space. The invention prevents the risk of image tampering attacks. It mainly uses digital signature technology and vulnerability scanning technology to modify the processes by which container images are generated and used, which enhances the security of container images, prevents the risk of container image tampering, and improves the security of containers in cloud environments.

Description

Multi-tenant-oriented container image security configuration method, system, operating terminal and storage medium
Technical field
The present invention relates to the field of cloud computing data security, and in particular to a multi-tenant-oriented container image security configuration method, system, operating terminal and storage medium.
Background
Docker is an advanced container engine based on LXC, open-sourced by the PaaS provider dotCloud. Its source code is hosted on GitHub; it is written in Go and released as open source under the Apache 2.0 license.
Docker's idea is to deliver runtime environments the way sea freight delivers goods: the operating system is like a cargo ship, and each piece of software built on the operating system is like a container. Users can freely assemble runtime environments with standardized tools, and the contents of a container can be customized by the user or produced by professionals. Delivering a piece of software thus becomes delivering a collection of standardized components, which is the prototype of Docker-based PaaS platform products.
Docker relies on Linux container technology to isolate processes, so that a process believes it is running in a separate operating system while it is actually still running in the same operating system and sharing the same kernel. Resource utilization is much higher than with virtualization technology, and operation is very fast (starting and stopping are measured in seconds or even milliseconds). These capabilities are essentially all provided by the Linux kernel, and Docker merely reuses them. Docker's biggest innovation is the design of the Docker image, together with a complete image storage scheme (Docker Registry).
The design of Docker container images improves the efficiency of building, storing and distributing images and saves time and storage space; hundreds or thousands of containers can be started from the same image. Docker containers are started from Docker images, so if an image itself contains security vulnerabilities or a Trojan carefully crafted by an attacker, the harm may spread as quickly as a virus. How to guarantee image security is therefore a technical problem that urgently needs solving in the Docker ecosystem.
Summary of the invention
To overcome the above deficiencies of the prior art, the present invention uses cryptographic techniques to protect container image security, prevents container images from being tampered with, and improves the security of containers in cloud environments.
To this end the present invention provides four aspects. The first aspect relates to a multi-tenant-oriented container image security configuration method, the method comprising:
the tenant uses a digital certificate private key to encrypt the image layer security information;
the security information ciphertext and the tenant information are stored in the image layer;
the container is started, and each layer in the image is verified;
after every layer of the container passes verification, the container startup process completes.
It should be further noted that the step of verifying each layer in the image further comprises:
decrypting the security information with the tenant's public key and verifying the image layer signature information;
if signature verification fails, terminating container startup;
returning a container startup error message.
It should be further noted that the step of verifying each layer in the image further comprises:
the tenant generates an image layer content digest using a hash algorithm;
the preset content digest in the system security information is retrieved;
the image layer content digest is compared with the preset content digest;
if they do not match, the image layer content has been tampered with; container startup is terminated and an error message is returned.
It should be further noted that the step of verifying each layer in the image further comprises:
when the tenant modifies or creates a container image layer, the vulnerability scanning service of the cloud computing environment scans the image layer content and generates a scan summary;
the tenant verifies the scan summary;
if the vulnerability severity level in the scan summary exceeds the value set by the tenant, container startup is terminated and an error message is returned.
It should be further noted that, before the step in which the tenant uses a digital certificate private key to encrypt the image layer security information, the method further comprises:
assigning each tenant a digital certificate based on the cloud computing environment, the tenant signing with the digital certificate;
when the tenant edits or creates a container image layer, the vulnerability scanning service of the cloud computing environment scans the container image layer content and generates a scan summary;
the tenant computes over the container image layer content using a hash algorithm to generate a content digest;
the generated content digest and the scan summary are together configured as the image layer security information.
The second aspect of the present invention relates to a multi-tenant-oriented container image security configuration system, comprising: an image layer encryption module, a security information storage module and an image layer verification module;
the image layer encryption module is used to encrypt the image layer security information with the tenant's digital certificate private key;
the security information storage module is used to store the security information ciphertext and the tenant information in the image layer;
the image layer verification module is used to start the container and verify each layer in the image; after every layer of the container passes verification, the container startup process completes.
It should be further noted that the system further comprises: a digital certificate distribution module, a scan summary generation module, a content digest generation module and an image layer information configuration module;
the digital certificate distribution module is used to assign each tenant a digital certificate based on the cloud computing environment, the tenant signing with the digital certificate;
the scan summary generation module is used, when the tenant edits or creates a container image layer, to have the vulnerability scanning service of the cloud computing environment scan the container image layer content and generate a scan summary;
the content digest generation module is used by the tenant to compute over the container image layer content using a hash algorithm and generate a content digest;
the image layer information configuration module is used to configure the generated content digest and the scan summary together as the image layer security information.
It should be further noted that the image layer verification module is also used to decrypt the security information with the tenant's public key and verify the image layer signature information; if signature verification fails, container startup is terminated and a container startup error message is returned;
it is also used to retrieve the preset content digest in the system security information and compare the image layer content digest with the preset content digest; if they do not match, the image layer content has been tampered with, container startup is terminated and an error message is returned;
it is also used to verify the scan summary; if the vulnerability severity level in the scan summary exceeds the value set by the tenant, container startup is terminated and an error message is returned.
The third aspect of the present invention relates to an operating terminal for the multi-tenant-oriented container image security configuration method, comprising:
a memory, for storing a computer program and the multi-tenant-oriented container image security configuration method;
a processor, for executing the computer program and the multi-tenant-oriented container image security configuration method, so as to implement the steps of the multi-tenant-oriented container image security configuration method.
The fourth aspect of the present invention relates to a computer-readable storage medium having the multi-tenant-oriented container image security configuration method; a computer program is stored on the computer-readable storage medium, and the computer program is executed by a processor to implement the steps of the multi-tenant-oriented container image security configuration method.
As can be seen from the above technical solutions, the present invention has the following advantages:
Because the present invention is based on the layered design of container images, resources can be shared: multiple images can share the same underlying image layer, which reduces transmission time and storage space. The invention prevents the risk of image tampering attacks. It mainly uses digital signature technology and vulnerability scanning technology to modify the processes by which container images are generated and used, which enhances the security of container images, prevents the risk of container image tampering, and improves the security of containers in cloud environments.
Brief description of the drawings
To illustrate the technical solution of the present invention more clearly, the drawings needed in the description are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of the multi-tenant-oriented container image security configuration method;
Fig. 2 is a flowchart of an embodiment of the multi-tenant-oriented container image security configuration method;
Fig. 3 is a flowchart of an embodiment of the multi-tenant-oriented container image security configuration method;
Fig. 4 is a flowchart of an embodiment of the multi-tenant-oriented container image security configuration method;
Fig. 5 is a schematic diagram of the multi-tenant-oriented container image security configuration system;
Fig. 6 is a schematic diagram of an embodiment of the multi-tenant-oriented container image security configuration system.
Detailed description
The present invention provides a multi-tenant-oriented container image security configuration method. As shown in Fig. 1, the method comprises:
S1, the tenant uses a digital certificate private key to encrypt the image layer security information;
A tenant may be a user terminal or operating terminal used by a user, or a compute node of the system, and so on. The tenant is the port through which developers, testers and operations personnel work.
Based on the cloud computing environment, the system assigns each tenant a digital certificate, and the tenant signs with the digital certificate;
When the tenant edits or creates a container image layer, the vulnerability scanning service of the cloud computing environment scans the container image layer content and generates a scan summary; the tenant computes over the container image layer content using a hash algorithm to generate a content digest; the generated content digest and the scan summary are together configured as the image layer security information.
Docker images use a layered design. The bottom layer is a boot file system, bootfs; Docker users never interact directly with the boot file system. The second layer of a Docker image is the root file system, rootfs, usually one or several operating systems, such as Ubuntu. The third layer and above are user file systems, which store the application and its associated configuration files, dynamic libraries, and so on. A container is started from an image: using union mount technology, the container mounts each layer of the image in turn and finally loads a read-write layer on top, forming the container's final file system.
The design of Docker images ensures that a Docker image can run on all kinds of Linux operating systems with absolute compatibility guaranteed. The environment an application depends on can run without difference on desktops, virtual machines, data center servers and IaaS infrastructure, with no need to worry about configuration differences. This is a great boon for developers: it lets developers concentrate on application code while operations personnel concentrate on deploying the built images to the runtime environment, greatly simplifying the coordination of code management and version release among development, testing and operations personnel.
The digital certificate private key is preset for each tenant; it may be preset for each tenant according to preset rules of the system.
S2, the security information ciphertext and the tenant information are stored in the image layer;
S3, the container is started, and each layer in the image is verified;
A container involves a multi-layer image.
S4, after every layer of the container passes verification, the container startup process completes.
That is, each image layer of the container is verified, and the container is started only after all layers pass verification.
To make the objects, features and advantages of the present invention more apparent and easier to understand, the technical solution protected by the present invention is described clearly and completely below with reference to specific embodiments and drawings. Obviously, the embodiments disclosed below are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments in this patent without creative effort fall within the scope of protection of this patent.
The present invention also provides an embodiment, as shown in Fig. 2:
S11, the tenant uses a digital certificate private key to encrypt the image layer security information;
S12, the security information ciphertext and the tenant information are stored in the image layer;
S13, the container is started, and each layer in the image is verified;
S14, the security information is decrypted with the tenant's public key, and the image layer signature information is verified;
Here the security information is decrypted with the tenant's public key, and each image layer of the container is verified by verifying the image layer signature information.
S15, if signature verification fails, container startup is terminated; this indicates that the container image has been tampered with and there is a security risk.
S16, a container startup error message is returned.
If all signature verifications pass, the container startup process completes.
If implemented in hardware, the present invention relates to a device, for example a processor or an integrated circuit device such as an integrated circuit chip or chipset. Alternatively or additionally, if implemented in software or firmware, the techniques may be realized at least in part by a computer-readable data storage medium comprising instructions that, when executed, cause a processor to perform one or more of the methods above. For example, the computer-readable data storage medium may store such instructions for execution by a processor.
The code or instructions may be software and/or firmware executed by processing circuitry including one or more processors, such as one or more digital signal processors (DSPs), general-purpose microprocessors, application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), or other equivalent integrated or discrete logic circuitry. Accordingly, the term "processor" as used herein may refer to any of the foregoing structures or any other structure suitable for implementing the techniques described herein. In addition, in some aspects, the functionality described in this disclosure may be provided in software modules and hardware modules.
The present invention also provides an embodiment, as shown in Fig. 3:
S21, the tenant uses a digital certificate private key to encrypt the image layer security information;
S22, the security information ciphertext and the tenant information are stored in the image layer;
S23, the container is started, and each layer in the image is verified;
S24, the tenant generates an image layer content digest using a hash algorithm;
The hash algorithm is preconfigured by the system for each tenant, and the tenant generates the image layer content digest with it.
S25, the preset content digest in the system security information is retrieved;
S26, the image layer content digest is compared with the preset content digest;
S27, if they do not match, the image layer content has been tampered with; container startup is terminated and an error message is returned.
If they match, the container starts normally.
The present invention also provides an embodiment, as shown in Fig. 4:
S31, the tenant uses a digital certificate private key to encrypt the image layer security information;
S32, the security information ciphertext and the tenant information are stored in the image layer;
S33, the container is started, and each layer in the image is verified;
S34, when the tenant modifies or creates a container image layer, the vulnerability scanning service of the cloud computing environment scans the image layer content and generates a scan summary;
S35, the tenant verifies the scan summary;
S36, if the vulnerability severity level in the scan summary exceeds the value set by the tenant, container startup is terminated and an error message is returned. The vulnerability severity levels in the summary are preset by the system and bound to specific numbers.
If the vulnerability severity level in the scan summary is less than the value set by the tenant, the container starts.
The three embodiments above implement three different verification modes. The three modes may be used together, or any one or any two of them may be selected; the specific mode of use and the order of use are not limited.
The present invention also provides a multi-tenant-oriented container image security configuration system which, as shown in Fig. 5, comprises: an image layer encryption module 1, a security information storage module 2 and an image layer verification module 3;
The image layer encryption module 1 is used to encrypt the image layer security information with the tenant's digital certificate private key; the security information storage module 2 is used to store the security information ciphertext and the tenant information in the image layer; the image layer verification module 3 is used to start the container and verify each layer in the image; after every layer of the container passes verification, the container startup process completes.
The method and apparatus of the present invention may be implemented in many ways, for example by software, hardware, firmware, or any combination of software, hardware and firmware. The above order of the method steps is for illustration only, and the steps of the method of the present invention are not limited to the order described above unless otherwise specifically stated. In addition, in some embodiments the present invention may also be implemented as programs recorded on a recording medium, these programs comprising machine-readable instructions for implementing the method according to the present invention. The present invention thus also covers a recording medium storing programs for executing the method according to the present invention.
The system further comprises: a digital certificate distribution module, a scan summary generation module, a content digest generation module and an image layer information configuration module;
the digital certificate distribution module is used to assign each tenant a digital certificate based on the cloud computing environment, the tenant signing with the digital certificate;
the scan summary generation module is used, when the tenant edits or creates a container image layer, to have the vulnerability scanning service of the cloud computing environment scan the container image layer content and generate a scan summary;
the content digest generation module is used by the tenant to compute over the container image layer content using a hash algorithm and generate a content digest;
the image layer information configuration module is used to configure the generated content digest and the scan summary together as the image layer security information.
In the system provided by the present invention, a preferred embodiment is as follows. As shown in Fig. 6, digital certificates are assigned to the tenants in the cloud system, and the process by which a tenant builds a container image is modified: when a tenant modifies or creates an image layer, the add-security-information process is entered;
the add-security-information process first calls the shared vulnerability scanning service to scan the image layer content, and a vulnerability scan summary is generated after the scan;
the add-security-information process calls the hash algorithm to compute the image layer content digest;
the add-security-information process calls the signature algorithm and, using the tenant's digital certificate, signs the vulnerability scan summary and the content digest; the signed content is attached to the image layer and saved together with it.
The container startup process is modified to add a process that verifies the container image security information;
when a tenant starts a container, the container automatically verifies each layer in the image. First, the security information is decrypted with the tenant's public key and the image layer signature information is verified; if signature verification fails, the container is terminated and an error message is returned;
the hash algorithm is called to compute the image layer content digest, which is compared with the content digest in the security information; if the comparison fails, the image layer content has been tampered with, container startup is terminated and an error message is returned;
the scan summary is verified; if the vulnerability severity level in the scan summary exceeds the value set by the tenant, container startup is terminated and an error message is returned. After every layer of the container passes verification, the container startup process continues and the container is finally started.
The present invention uses digital signature technology and vulnerability scanning technology to modify the processes by which container images are generated and used, which enhances the security of container images and prevents the risk of container image tampering.
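The add-security-information flow and the start-time verification of the preferred embodiment can be sketched as follows; this is an added example, not part of the patent text. It assumes Ed25519 key pairs from the Go standard library in place of tenant digital certificates (with a detached signature for the private-key step), SHA-256 as the hash algorithm, an integer severity scale of 0 to 10, and hypothetical names (SecurityInfo, Layer, TrustStore, SealLayer, VerifyLayer, StartContainer).

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// SecurityInfo is the image layer security information: content digest plus scan summary.
type SecurityInfo struct {
	ContentDigest string `json:"content_digest"` // hex SHA-256 of the layer content
	MaxSeverity   int    `json:"max_severity"`   // highest severity found (assumed 0-10 scale)
}

// Layer is one image layer with tenant information and signed security information attached.
type Layer struct {
	Tenant  string
	Content []byte
	Info    []byte // JSON-encoded SecurityInfo, exactly the bytes that were signed
	Sig     []byte // tenant's signature over Info
}

// TrustStore maps a tenant name to that tenant's public key (assumed lookup mechanism).
type TrustStore map[string]ed25519.PublicKey

var (
	ErrSignature = errors.New("signature verification failed")
	ErrDigest    = errors.New("content digest mismatch: layer content was modified")
	ErrSeverity  = errors.New("vulnerability severity exceeds tenant threshold")
)

// NewTenantKey creates a key pair that stands in for a tenant's certificate key.
func NewTenantKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func contentDigest(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// SealLayer is the build-time flow: record the scan result, hash the content, sign both.
func SealLayer(tenant string, priv ed25519.PrivateKey, content []byte, scanSeverity int) Layer {
	// Marshal cannot fail for this struct of a string and an int.
	info, _ := json.Marshal(SecurityInfo{ContentDigest: contentDigest(content), MaxSeverity: scanSeverity})
	return Layer{Tenant: tenant, Content: content, Info: info, Sig: ed25519.Sign(priv, info)}
}

// VerifyLayer runs the start-time checks in the text's order: signature, digest, severity.
func VerifyLayer(l Layer, keys TrustStore, threshold int) error {
	pub, known := keys[l.Tenant]
	if !known || !ed25519.Verify(pub, l.Info, l.Sig) {
		return ErrSignature
	}
	var info SecurityInfo
	if err := json.Unmarshal(l.Info, &info); err != nil {
		return ErrSignature
	}
	if info.ContentDigest != contentDigest(l.Content) {
		return ErrDigest
	}
	if info.MaxSeverity > threshold {
		return ErrSeverity
	}
	return nil
}

// StartContainer verifies every layer from the bottom up and stops at the first failure.
func StartContainer(layers []Layer, keys TrustStore, threshold int) error {
	for i, l := range layers {
		if err := VerifyLayer(l, keys, threshold); err != nil {
			return fmt.Errorf("layer %d (%s): %w", i, l.Tenant, err)
		}
	}
	return nil
}

func main() {
	// Constructed sample: a shared base layer from one tenant, an app layer from another.
	pubA, privA := NewTenantKey()
	pubB, privB := NewTenantKey()
	keys := TrustStore{"tenant-a": pubA, "tenant-b": pubB}
	base := SealLayer("tenant-a", privA, []byte("rootfs contents"), 2)
	app := SealLayer("tenant-b", privB, []byte("app binary v1"), 4)
	fmt.Println("clean image:", StartContainer([]Layer{base, app}, keys, 6))
	tampered := app
	tampered.Content = []byte("app binary v1 + implant")
	fmt.Println("tampered layer:", StartContainer([]Layer{base, tampered}, keys, 6))
	fmt.Println("strict threshold:", StartContainer([]Layer{base, app}, keys, 3))
}
```

Because the signature covers the digest and the scan summary together, an edit to either the layer content or its recorded severity is caught before the threshold is ever consulted.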
The present invention also provides an operating terminal for the multi-tenant-oriented container image security configuration method, comprising:
a memory, for storing a computer program and the multi-tenant-oriented container image security configuration method;
a processor, for executing the computer program and the multi-tenant-oriented container image security configuration method, so as to implement the steps of the multi-tenant-oriented container image security configuration method.
The present invention also provides a computer-readable storage medium having the multi-tenant-oriented container image security configuration method; a computer program is stored on the computer-readable storage medium, and the computer program is executed by a processor to implement the steps of the multi-tenant-oriented container image security configuration method.
The foregoing description of the disclosed embodiments enables those skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be realized in other embodiments without departing from the spirit or scope of the present invention. The present invention is therefore not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A multi-tenant-oriented container image security configuration method, characterized in that the method comprises:
the tenant uses a digital certificate private key to encrypt the image layer security information;
the security information ciphertext and the tenant information are stored in the image layer;
the container is started, and each layer in the image is verified;
after every layer of the container passes verification, the container startup process completes.
2. The multi-tenant-oriented container image security configuration method according to claim 1, characterized in that the step of verifying each layer in the image further comprises:
decrypting the security information with the tenant's public key and verifying the image layer signature information;
if signature verification fails, terminating container startup;
returning a container startup error message.
3. The multi-tenant-oriented container image security configuration method according to claim 1 or 2, characterized in that the step of verifying each layer in the image further comprises:
the tenant generates an image layer content digest using a hash algorithm;
the preset content digest in the system security information is retrieved;
the image layer content digest is compared with the preset content digest;
if they do not match, the image layer content has been tampered with; container startup is terminated and an error message is returned.
4. The multi-tenant-oriented container image security configuration method according to claim 1 or 2, characterized in that the step of verifying each layer in the image further comprises:
when the tenant modifies or creates a container image layer, the vulnerability scanning service of the cloud computing environment scans the image layer content and generates a scan summary;
the tenant verifies the scan summary;
if the vulnerability severity level in the scan summary exceeds the value set by the tenant, container startup is terminated and an error message is returned.
5. The multi-tenant-oriented container image security configuration method according to claim 4, characterized in that, before the step in which the tenant uses a digital certificate private key to encrypt the image layer security information, the method further comprises:
assigning each tenant a digital certificate based on the cloud computing environment, the tenant signing with the digital certificate;
when the tenant edits or creates a container image layer, the vulnerability scanning service of the cloud computing environment scans the container image layer content and generates a scan summary;
the tenant computes over the container image layer content using a hash algorithm to generate a content digest;
the generated content digest and the scan summary are together configured as the image layer security information.
6. A multi-tenant container image security configuration system, characterized by comprising: an image layer encryption module, a security information storage module and an image layer verification module;
The image layer encryption module is used to encrypt the image layer security information using the tenant's digital certificate private key;
The security information storage module is used to store the security information ciphertext and the tenant information in the image layer;
The image layer verification module is used to verify each layer in the image when a container is started; after every layer of the container has been verified, the container startup process is completed.
7. The multi-tenant container image security configuration system according to claim 6, characterized by further comprising: a digital certificate distribution module, a scan summary generation module, a content digest generation module and an image layer information configuration module;
The digital certificate distribution module is used to allocate a digital certificate to each tenant based on the cloud computing environment, and the tenant signs using the digital certificate;
The scan summary generation module is used so that, when a tenant edits or newly creates a container image layer, the vulnerability scanning service of the cloud computing environment scans the container image layer content and generates a scan summary;
The content digest generation module is used by the tenant to compute over the container image layer content using a hash algorithm and generate a content digest;
The image layer information configuration module is used to configure the generated content digest and the scan summary together as the image layer security information.
8. The multi-tenant container image security configuration system according to claim 7, characterized in that the image layer verification module is further used to decrypt the security information with the tenant's public key and verify the image layer signature information; if signature verification fails, container startup is terminated and a container startup error message is returned;
It is further used to retrieve the preset content digest from the system security information and compare the image layer content digest with the preset content digest; if the comparison is inconsistent, the image layer content has been tampered with, container startup is terminated and an error message is returned;
It is further used to verify the scan summary; if the vulnerability risk level in the scan summary exceeds the value set by the tenant, container startup is terminated and an error message is returned.
9. An operation terminal for the multi-tenant container image security configuration method, characterized by comprising:
A memory, for storing a computer program and the multi-tenant container image security configuration method;
A processor, for executing the computer program and the multi-tenant container image security configuration method, so as to implement the steps of the multi-tenant container image security configuration method according to any one of claims 1 to 5.
10. A computer-readable storage medium having the multi-tenant container image security configuration method, characterized in that a computer program is stored on the computer-readable storage medium, and the computer program is executed by a processor to implement the steps of the multi-tenant container image security configuration method according to any one of claims 1 to 5.
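The per-layer sealing of claim 5 and the three start-time checks of claim 8, as an added example that is not code from the patent. It models the claims' private-key "encryption" and public-key "decryption" as an Ed25519 signature and its verification; Ed25519, SHA-256, the one-byte level encoding, the tenant names and all function names are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Layer is one image layer. Info is its security information: the SHA-256 content
// digest followed by one byte for the highest vulnerability level in the scan summary.
type Layer struct {
	Tenant             string // tenant information stored in the layer
	Content, Info, Sig []byte // Sig is the tenant's signature over Info
}

var ErrSignature = errors.New("signature verification failed")
var ErrTampered = errors.New("layer content has been tampered with")
var ErrLevel = errors.New("vulnerability level exceeds tenant setting")

// Seal hashes the layer content, appends the scan level and signs the record.
func Seal(tenant string, priv ed25519.PrivateKey, content []byte, level byte) Layer {
	sum := sha256.Sum256(content)
	info := append(sum[:], level)
	return Layer{tenant, content, info, ed25519.Sign(priv, info)}
}

// VerifyImage returns the index of the first failing layer and why, or -1 and nil.
func VerifyImage(layers []Layer, keys map[string]ed25519.PublicKey, limit byte) (int, error) {
	for i, l := range layers {
		if pub, ok := keys[l.Tenant]; !ok || len(l.Info) != sha256.Size+1 || !ed25519.Verify(pub, l.Info, l.Sig) {
			return i, ErrSignature // unknown tenant, malformed record or bad signature
		}
		if sum := sha256.Sum256(l.Content); !bytes.Equal(sum[:], l.Info[:sha256.Size]) {
			return i, ErrTampered
		}
		if l.Info[sha256.Size] > limit {
			return i, ErrLevel
		}
	}
	return -1, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // throwaway key for hypothetical "tenant-a"
	img := []Layer{Seal("tenant-a", priv, []byte("constructed layer bytes"), 2)}
	fmt.Println(VerifyImage(img, map[string]ed25519.PublicKey{"tenant-a": pub}, 3))
}
```

The signature is checked before the record is read, so a level byte lowered after signing is reported as a signature failure rather than passing the threshold check.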
CN201910231947.6A 2019-03-26 2019-03-26 One kind running terminal and storage medium towards multi-tenant container mirror-image safety configuration method, system Pending CN110007933A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910231947.6A CN110007933A (en) 2019-03-26 2019-03-26 One kind running terminal and storage medium towards multi-tenant container mirror-image safety configuration method, system

Publications (1)

Publication Number Publication Date
CN110007933A true CN110007933A (en) 2019-07-12

Family

ID=67168199

Country Status (1)

Country Link
CN (1) CN110007933A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9703611B1 (en) * 2014-03-21 2017-07-11 Amazon Technologies, Inc. Isolating resources for utilization by tenants executing in multi-tenant software containers
CN107172100A (en) * 2017-07-13 2017-09-15 浪潮(北京)电子信息产业有限公司 A kind of local security updates the method and device of BIOS mirror images
CN107256168A (en) * 2017-06-12 2017-10-17 郑州云海信息技术有限公司 A kind of design method of UEFI BIOS safety upgrade mechanism
CN108628658A (en) * 2017-03-17 2018-10-09 华为技术有限公司 A kind of licence managing method and device of container

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
(美)常著,ISBN号 :978-7-118-07796-4: "《转型中的企业云服务》", 31 January 2012, 北京:国防工业出版社 *
蒋迪,ISBN号 :978-7-313-16654-8: "《KVM私有云架构设计与实践》", 30 April 2017, 上海:上海交通大学出版社 *

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021064493A1 (en) * 2019-09-30 2021-04-08 International Business Machines Corporation Protecting workloads in kubernetes
GB2603710B (en) * 2019-09-30 2022-11-23 Ibm Protecting workloads in kubernetes
GB2603710A (en) * 2019-09-30 2022-08-10 Ibm Protecting workloads in kubernetes
US11176245B2 (en) 2019-09-30 2021-11-16 International Business Machines Corporation Protecting workloads in Kubernetes
CN111562970A (en) * 2020-07-15 2020-08-21 腾讯科技(深圳)有限公司 Container instance creating method and device, electronic equipment and storage medium
CN111562970B (en) * 2020-07-15 2020-10-27 腾讯科技(深圳)有限公司 Container instance creating method and device, electronic equipment and storage medium
CN114765606A (en) * 2020-12-30 2022-07-19 中国联合网络通信集团有限公司 Container mirror image transmission method, device, equipment and storage medium
CN114765606B (en) * 2020-12-30 2023-07-25 中国联合网络通信集团有限公司 Container mirror image transmission method, device, equipment and storage medium
CN113032736A (en) * 2021-03-05 2021-06-25 海能达通信股份有限公司 Encryption and decryption method of Docker layered mirror image and related device
CN113391880A (en) * 2021-06-21 2021-09-14 西安超越申泰信息科技有限公司 Trusted mirror image transmission method for layered double hash verification
CN114780168A (en) * 2022-03-30 2022-07-22 全球能源互联网研究院有限公司南京分公司 Method and device for dynamically changing security policy of intelligent terminal container and electronic equipment
CN114780168B (en) * 2022-03-30 2023-04-28 全球能源互联网研究院有限公司南京分公司 Method and device for dynamically changing security policy of intelligent terminal container and electronic equipment
CN117353922A (en) * 2023-12-06 2024-01-05 南京中孚信息技术有限公司 Method, system, equipment and medium for verifying container mirror image signature in off-line state
CN117353922B (en) * 2023-12-06 2024-03-22 南京中孚信息技术有限公司 Method, system, equipment and medium for verifying container mirror image signature in off-line state

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190712
