CN110795207A - Virtual container minimum resource unit mutual trust configuration method and device - Google Patents


Info

Publication number
CN110795207A
Authority
CN
China
Prior art keywords
pod
mutual trust
configuration
group
parameter
Legal status
Granted
Application number
CN201910927283.7A
Other languages
Chinese (zh)
Other versions
CN110795207B (en)
Inventor
何翔龙
Current Assignee
Guangdong Inspur Smart Computing Technology Co Ltd
Original Assignee
Guangdong Inspur Big Data Research Co Ltd
Application filed by Guangdong Inspur Big Data Research Co Ltd
Priority to CN201910927283.7A
Publication of CN110795207A
Application granted
Publication of CN110795207B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/445 Program loading or initiating
    • G06F9/44505 Configuring for program initiating, e.g. using registry, configuration files
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45562 Creating, deleting, cloning virtual machine instances

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The application provides a mutual trust configuration method and device for the minimum resource unit of a virtual container, the pod. A mutual trust configuration start parameter can be added to the creation instruction of a pod group; when the Kubernetes cluster creates the upper-layer resource of the pods, it can detect whether the creation instruction contains that parameter. When it does, a key pair can be generated and written, together with the parameter, into the configuration file corresponding to each pod; when a pod needs to communicate with or log in to other pods, a mutual trust check is carried out, and the mutual trust configuration is regarded as complete once the check passes. In this way developers obtain automatic pod mutual trust configuration merely by changing the creation instruction of the pod group, without configuring mutual trust on the pods by hand, which saves cost and improves the efficiency of container use.

Description

Virtual container minimum resource unit mutual trust configuration method and device
Technical Field
The invention relates to the technical field of virtual containers, and in particular to a mutual trust configuration method and device for the minimum resource unit of a virtual container.
Background
In computing, hardware-abstraction-layer virtualization based on a hypervisor offers the greatest flexibility in virtualization management: virtual machines running various operating systems can be created, run and destroyed by a hypervisor (KVM, Xen, etc.). In a hypervisor environment, however, each program requires a complete virtual machine with its own operating system, which is cumbersome to use and occupies a large amount of storage space.
Container technology emerged to address this. Each container carries a minimal operating-system userland in which applications run and provide services to outside users through an interface. Because a container is lighter than a virtual machine, storage space is saved and operation is simplified.
Kubernetes (k8s for short) is a very widely used container orchestration engine whose minimum resource unit is the pod. Each pod may contain one or more containers. Kubernetes provides a complete set of functions for containerized applications, such as deployment and operation, resource scheduling, service discovery and dynamic scaling, and makes large-scale container cluster management more convenient. However, when k8s creates a set of pod replicas through an upper-layer resource, mutual trust between the pods cannot be configured automatically. When a service scenario requires ssh mutual trust between the pods, the user has to configure it by hand, and automation cannot be achieved.
Disclosure of Invention
In view of this, the present application provides a mutual trust configuration method and apparatus for the minimum resource unit of a virtual container. The aim is to extend the Kubernetes upper-layer resource creation instruction so that mutual trust within a pod group is achieved automatically, without operating on the pods directly.
In order to achieve the purpose, the invention provides the following technical scheme:
a mutual trust configuration method for the minimum resource unit of a virtual container, wherein the minimum resource unit is the pod, comprising the following steps:
acquiring a creation instruction for the pod group, wherein the creation instruction includes a mutual trust configuration start parameter and the pod group includes a plurality of pods;
when the upper-layer resource of the pod group is created, adding the mutual trust configuration start parameter contained in the creation instruction to the configuration file corresponding to the pod group;
and when the pod group runs, inspecting the configuration file and, when the mutual trust configuration start parameter is detected, carrying out mutual trust verification.
Optionally, the method further comprises:
when the upper-layer resource of the pod group is created, inspecting the creation instruction and, when the creation instruction of the pod group is found to contain the mutual trust configuration start parameter, generating a key set according to an encryption algorithm and writing it into the configuration file corresponding to the pod group.
Optionally, the encryption algorithm is the RSA algorithm.
Optionally, generating the key set and writing it into the configuration file corresponding to the pod comprises:
generating a set of key pairs according to the RSA algorithm, each key pair comprising a private key and a public key;
and writing the key pair into the configuration file of one or more pods in the pod group according to the creation instruction.
Optionally, inspecting the configuration file and carrying out mutual trust verification when the mutual trust configuration start parameter is detected comprises:
when the pod group runs, checking the configuration file corresponding to each pod in the pod group for the mutual trust configuration start parameter;
and when the configuration files corresponding to at least two of the pods are found to contain the mutual trust configuration start parameter, reading the key pairs from those configuration files and matching them.
Optionally, the matching comprises:
judging, according to the RSA algorithm, whether any two of the obtained key pairs can be paired;
for any two pods whose key pairs can be paired, the mutual trust check passes.
An apparatus for mutual trust configuration of the minimum resource unit of a virtual container, comprising:
an instruction acquisition unit, configured to acquire the creation instruction of the pod group;
a parameter adding unit, configured to add the mutual trust configuration start parameter contained in the creation instruction to the configuration file corresponding to the pod group when the pod group and its upper-layer resource are created;
and an operation detection unit, configured to carry out mutual trust verification when the pods run.
Optionally, the parameter adding unit comprises:
a parameter detection unit, configured to detect, when k8s creates the pod group and its upper-layer resource, whether the creation instruction contains the mutual trust configuration start parameter, and to add that parameter to the configuration file corresponding to the pod group;
a key set generation unit, configured to generate a key set according to the RSA algorithm;
and a parameter writing unit, configured to write the mutual trust configuration start parameter and the key set into the configuration file corresponding to the pod group.
Optionally, the operation detection unit comprises:
a parameter detection unit, configured to detect the mutual trust configuration start parameter in the configuration file corresponding to the pod when the pod runs;
and a parameter reading unit, configured to read the key set from the configuration file and pass it to the mutual trust verification unit when the mutual trust configuration start parameter is detected.
Optionally, the mutual trust verification unit comprises:
an RSA parsing unit, configured to recover the private key by the RSA algorithm;
a key pairing unit, configured to judge whether the recovered private key and public key are consistent;
and a notification unit, configured to notify the pods that they are mutually trusted after key pairing succeeds.
In summary, embodiments of the present application add a mutual trust configuration start parameter to the creation instruction of a pod group; when the Kubernetes cluster creates the upper-layer resource of the pods, it checks the instruction for that parameter and, if present, generates a key pair and writes it together with the parameter into the configuration file of each pod; when a pod needs to communicate with or log in to another pod, a mutual trust check is performed, and mutual trust configuration is complete once it passes. Developers therefore obtain automatic pod mutual trust configuration merely by changing the pod-group creation instruction, without configuring the pods by hand, which saves cost and improves the efficiency of container use.
Drawings
To describe the embodiments of the present invention or the prior art more clearly, the drawings used in that description are briefly introduced below. The drawings described below are only some embodiments of the present invention; those skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a flowchart of the Kubernetes-based pod mutual trust configuration method according to an embodiment of the present application.
Fig. 2 is a flowchart of the pod mutual trust verification method according to an embodiment of the present application.
Fig. 3 is a flowchart of pod mutual trust configuration, from the perspective of the pod, according to an embodiment of the present application.
Fig. 4 is a diagram of the Kubernetes-based pod mutual trust configuration apparatus according to an embodiment of the present application.
Detailed Description
With the development of computer technology, container virtualization has become a widely applied mode of sharing server resources, giving system administrators great flexibility in constructing operating-system instances on demand. Container technology improves on the performance and resource-usage efficiency of hypervisor-based virtual machine monitors and gives users an efficient way to use server resources.
Kubernetes (k8s for short) is an open-source container orchestration engine written in Go. It offers complete cluster management, strong fault discovery and self-healing, rolling upgrades and online scale-out of services, an extensible automatic resource scheduling mechanism and multi-granularity resource quota management. k8s also provides a complete set of management tools covering development, deployment, testing and operations monitoring. Its minimum resource unit is the pod. Each pod may contain one or more containers; a complete set of functions such as deployment and operation, resource scheduling, service discovery and dynamic scaling is provided for containerized applications, and large-scale container cluster management is made more convenient.
When a user needs to run multiple applications at the same time, a set of pods can be created at once with one application running in each pod. In some scenarios, applications running in different pods need to exchange information or log in to each other, which requires mutual trust to be configured between the pods. In the prior art, pod mutual trust has to be configured by developers by hand, which both occupies k8s resources and reduces the efficiency of container use.
To provide an implementation of automatic pod mutual trust configuration, embodiments of the present application provide a Kubernetes-based pod mutual trust method and apparatus; a preferred embodiment is described below with reference to the drawings.
It will be understood that the pod mutual trust configuration method provided by the present application can be applied on any processing device with data processing capability. In the embodiments below, a server is taken as the executing entity.
Fig. 1 is a flowchart of the pod mutual trust configuration provided in an embodiment of the present application, comprising:
101: acquiring a pod creation instruction.
The minimum resource unit of a k8s cluster is the pod, and one or more applications can run in each pod. Pods are created by the user through a creation instruction as needed, and several pods created at once are referred to as a pod group. Since k8s is an open-source container orchestration engine, developers can add new instructions or parameters to it directly, so a mutual trust configuration start parameter can be added to the creation instruction of the pod group. In some implementations the mutual trust configuration start parameter is a fixed parameter, independent of the pod and of the application running in it; the description uses "-configssh", but any other parameter name may be chosen.
In this embodiment, a pod creation instruction carrying the mutual trust configuration start parameter is acquired; the parameter is used to complete the mutual trust configuration of the pods in the subsequent steps.
102: when the pod group and its upper-layer resource are created, adding the mutual trust configuration start parameter contained in the creation instruction to the configuration file corresponding to the pod group.
After receiving the pod creation command, the server creates the pods through an upper-layer resource such as a StatefulSet or a Deployment. At this point the server scans the pod creation instruction: when it does not contain the mutual trust configuration start parameter, the native k8s creation flow is entered; when it does, the server generates a key set and writes the key set together with the parameter into the configuration file corresponding to each pod. For mutual trust to be configurable, at least two pods must carry the mutual trust configuration start parameter. Writing the parameter and the key pair into the configuration files corresponding to the pods completes the creation of the pod group.
In some embodiments, the configuration file takes the form of environment variables.
In some embodiments, the order or correspondence in which the key pairs are written to the pods can be designed in advance by the user in the creation instruction.
In this embodiment, a mutual trust configuration start parameter is added to the pod creation instruction, and the instruction is inspected when k8s creates the upper-layer resource, so that the parameter and a key pair are written into the configuration file corresponding to each pod that carries it. A mutual trust configuration flow is thus added on top of k8s, and the generated configuration file carries the key pair used in the subsequent mutual trust verification.
103: when the mutual trust check passes, the mutual trust configuration succeeds.
In this embodiment, when the pod group runs, the server checks whether the configuration file corresponding to each pod carries the mutual trust configuration start parameter, and enters mutual trust verification when it is detected.
Alternatively, a pod may itself scan its configuration file while running and detect whether it carries the mutual trust configuration start parameter; mutual trust verification is then performed for the pods that do. The parameter in the pod configuration file is the one that k8s added to it when the pod group was created.
When two pods pass mutual trust verification, either of them can log in to the other directly without a password; mutual trust between the two pods is thereby achieved.
Step 102 creates the pod group and the pod configuration files; this embodiment further addresses the case where several pods in the pod group need to log in to each other during operation. From the mutual trust configuration start parameter written into a configuration file at creation time, the server can judge whether the corresponding pod needs mutual trust verification, so that the verification process is entered exactly when pod mutual trust is required.
In the pod mutual trust method of this embodiment, therefore, the developer adds the mutual trust configuration start parameter to the pod-group creation instruction; k8s detects it when creating the pods' upper-layer resource, generates a key pair and writes it with the parameter into the pods' configuration files; and the mutual trust check runs when a pod needs to communicate with or log in to another pod, its passing completing the configuration. No manual mutual trust configuration of the pods is needed, and the efficiency of container use is improved.
To explain the mutual trust verification and related processes of the present application, a detailed description follows with reference to fig. 2 and a further embodiment.
Fig. 2 is a flowchart of the mutual trust verification method according to an embodiment of the present application, comprising:
201: when the pod group runs, checking whether the configuration file corresponding to each pod in the pod group carries the mutual trust configuration start parameter.
The minimum resource unit in a k8s cluster is the pod. Like a container, a pod runs in a Linux environment and can host one or more applications. When a user needs to run several applications with different runtime environments at the same time, they can be run in different pods. When applications running in different pods need to communicate or log in to each other, mutual trust between their pods must be configured. The pod mutual trust configuration method of the present application adds the mutual trust configuration start parameter to the pod-group creation command; when the pod group runs, the server scans the configuration files of all pods in the group and checks whether they contain the parameter.
The server may inspect all configuration files in the pod group when the pods start running, or when an application in a pod needs to establish trust with another pod.
202: when the configuration file corresponding to a pod is found to contain the mutual trust configuration start parameter, reading the key pair from each such configuration file and matching.
When inspecting the configuration files of all pods in the pod group, the server may find that all of them carry the mutual trust configuration start parameter, or only those of some pods. In this embodiment, the pods whose configuration files carry the parameter are selected from the group and are called the pods to be mutually trusted. Once they are determined, the server reads from their configuration files the key pairs written there when the pod group was created, for the subsequent matching step; that is, when the parameter is detected, the key pair generated from the creation instruction is read from the configuration file carrying the parameter and matched.
Thus, in this embodiment, the configuration files of the pods in the group are inspected one by one, those carrying the mutual trust configuration start parameter are selected, and their key pairs are read for matching, so that pods carrying the parameter enter the mutual trust verification process automatically.
203: judging, according to the RSA algorithm, whether the obtained key pairs can be paired.
After obtaining the key pairs, the server can compare directly whether the key pairs of the respective pods match, or it can apply the RSA algorithm to the private key and public key, for example through an encryption and decryption round trip, to determine whether the keys of the respective pods correspond to each other.
In this embodiment, whether a pod needs mutual trust is determined by whether its configuration file carries the mutual trust configuration start parameter. When it does, the key pair is read from the configuration file and matched; once matching succeeds, the application in the pod can access or log in to the applications in the other pods without a password, which completes the pod mutual trust configuration. The parameter is detected and the key pairs are matched automatically, without developer involvement, so pod mutual trust is configured automatically.
To explain the Kubernetes-based pod mutual trust configuration method of the present application further, fig. 3 gives the configuration flow from the perspective of the pod, comprising:
301: writing the pod creation instruction.
A developer creates a pod group with k8s and sets several pods in the group to run one or more applications. To create the pod group, the developer sends requirements such as the name of the pod group, the number of pods and the pod attributes to the server as parameters of a creation instruction; k8s then creates the pod group and its pods according to that instruction.
In this embodiment, the developer additionally customizes a parameter in the pod-group creation instruction for the configuration of pod mutual trust; this parameter is therefore called the mutual trust configuration start parameter. Since k8s is an open-source container orchestration engine, developers can define the parameter in it themselves.
After writing the pod-group creation instruction with the mutual trust configuration start parameter, the developer sends it to k8s for the subsequent operations.
302: pod creation.
After receiving the instruction, k8s creates the pod group and its pods. Specifically, when k8s creates a pod group it first creates an upper-layer resource such as a StatefulSet or a Deployment and only then the individual pods; creating the upper-layer resource is in effect what divides the pods into a group. Therefore, when creating the upper-layer resource and the pods, k8s can generate key pairs according to the mutual trust configuration start parameter in the creation instruction, and write the key pairs and the parameter into the pod configuration files generated during pod creation.
303: pod operation.
Once the pod group and its pods have been created, one or more applications run in each pod. While they run, it is checked whether the configuration file corresponding to the pod contains the mutual trust configuration start parameter; when it does, the key pair in the file is read and it is determined whether the key pairs of the different pods match. Matched pods can then communicate with and access each other without a password, and the mutual trust configuration is complete.
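The creation-time and run-time steps of figures 2 and 3 (steps 201 to 203 and 301 to 303), as an added worked example in Go; this is not code from the patent or from Kubernetes. It models the pod-group creation instruction and the per-pod configuration as plain structures instead of calling the Kubernetes API. The flag spelling "-configssh" follows the description; the environment-variable names, the shared-key layout (one RSA key pair written to every pod of the group, so that any pod can log in to any other) and the function names are this example's own assumptions. The public key is rendered as an OpenSSH authorized_keys line, which is the form sshd on the peer pod would actually consume, and the pairing check verifies that the private key one pod holds corresponds to the public key the other pod lists.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/binary"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
)

// Assumed names, not from the patent: the flag follows the description's "-configssh"; env keys are this example's.
const configSSHFlag = "-configssh"

type CreateInstruction struct { // the pod-group creation command
	GroupName string
	Replicas  int
	Params    []string
}

type PodConfig map[string]string // one pod's "configuration file", held as environment variables

// sshString and sshMPInt encode fields in the SSH wire format (RFC 4251).
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

func sshMPInt(n *big.Int) []byte {
	b := n.Bytes()
	if len(b) > 0 && b[0]&0x80 != 0 {
		b = append([]byte{0}, b...) // leading zero keeps the mpint positive
	}
	return sshString(b)
}

// AuthorizedKeyLine renders an RSA public key as an authorized_keys entry ("ssh-rsa <base64> comment").
func AuthorizedKeyLine(pub *rsa.PublicKey, comment string) string {
	wire := append(sshString([]byte("ssh-rsa")), sshMPInt(big.NewInt(int64(pub.E)))...)
	wire = append(wire, sshMPInt(pub.N)...)
	return "ssh-rsa " + base64.StdEncoding.EncodeToString(wire) + " " + comment
}

// BuildPodConfigs is the creation-time step (102/302): without the flag the pods get plain
// configs; with it, one RSA key pair is generated and written, with the flag, into every config.
func BuildPodConfigs(in CreateInstruction) ([]PodConfig, error) {
	cfgs := make([]PodConfig, in.Replicas)
	for i := range cfgs {
		cfgs[i] = PodConfig{"POD_NAME": fmt.Sprintf("%s-%d", in.GroupName, i)}
	}
	trusted := false
	for _, p := range in.Params {
		trusted = trusted || p == configSSHFlag
	}
	if !trusted {
		return cfgs, nil // native k8s flow: nothing extra is written
	}
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	priv := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	pub := AuthorizedKeyLine(&key.PublicKey, in.GroupName)
	for _, c := range cfgs {
		c["CONFIGSSH"], c["SSH_PRIVATE_KEY"], c["SSH_AUTHORIZED_KEY"] = "1", string(priv), pub
	}
	return cfgs, nil
}

// MutualTrustCheck is the run-time step (201-203/303): both pods must carry the flag, and the
// private key held by a must match the public key b lists in its authorized keys (comment ignored).
func MutualTrustCheck(a, b PodConfig) (bool, error) {
	if a["CONFIGSSH"] != "1" || b["CONFIGSSH"] != "1" {
		return false, nil
	}
	blk, _ := pem.Decode([]byte(a["SSH_PRIVATE_KEY"]))
	if blk == nil {
		return false, fmt.Errorf("pod %s: no private key in config", a["POD_NAME"])
	}
	key, err := x509.ParsePKCS1PrivateKey(blk.Bytes)
	if err != nil {
		return false, err
	}
	want := strings.Fields(AuthorizedKeyLine(&key.PublicKey, ""))
	have := strings.Fields(b["SSH_AUTHORIZED_KEY"])
	return len(have) >= 2 && have[0] == want[0] && have[1] == want[1], nil
}

func main() {
	cfgs, err := BuildPodConfigs(CreateInstruction{GroupName: "web", Replicas: 2, Params: []string{configSSHFlag}})
	if err == nil {
		fmt.Println(MutualTrustCheck(cfgs[0], cfgs[1]))
	}
}
```

Two points a practitioner should keep in mind that the description leaves open. Carrying the private key in environment variables exposes it to anyone who can read the pod spec or exec into the pod; in a real cluster the key belongs in a Secret mounted as a file with mode 0600, and a key shared by the whole group means that compromising one replica yields ssh access to all of them. The pairing check also only proves that the private key and the listed public key belong together; it is a configuration consistency check, not an authentication of the peer, which remains sshd's job at connection time.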
Fig. 4 is a diagram of a pod mutual trust configuration method based on Kubernetes, which is provided in the present application, and includes:
401: an instruction acquisition unit configured to acquire a creation instruction of the pod group;
402: the parameter adding unit is used for adding the mutual trust configuration starting parameter contained in the creating instruction to a configuration file corresponding to the pod group when the pod group and the upper-layer resource are created;
403: and the operation detection unit is used for carrying out mutual trust verification when the pod operates.
In this embodiment, the instruction obtaining unit may be configured to obtain a creation instruction of a pod group; the parameter adding unit may be configured to add the mutual trust configuration starting parameter included in the creation instruction to a configuration file corresponding to the pod group when the pod group and the upper-layer resource are created; and the operation detection unit is used for carrying out mutual trust verification during the pod operation. Mutual trust configuration between the pods is realized through mutual cooperation among the three modules. Therefore, research personnel can automatically complete the pod mutual trust configuration only by changing the creation instruction of the pod group without manually carrying out the mutual trust configuration on the pod, the cost is saved, and the use efficiency of the container is improved.
In one embodiment, the parameter adding unit includes:
a parameter detection unit, configured to detect, when k8s creates the pod group and its upper-layer resource, whether the creation instruction used to create them contains the mutual trust configuration starting parameter;
a key group generating unit, configured to generate a key group according to the RSA algorithm; and
a parameter writing unit, configured to write the mutual trust configuration starting parameter and the key group into the configuration file corresponding to the pod group.
In one embodiment, the operation detection unit includes:
a parameter detection unit, configured to detect the mutual trust configuration starting parameter in the configuration file corresponding to a pod when the pod runs; and
a parameter reading unit, configured to read the key group from the configuration file and pass it to the mutual trust verification unit when the mutual trust configuration starting parameter is detected.
In one embodiment, the mutual trust verification unit includes:
an RSA parsing unit, configured to recover the private key with the RSA algorithm;
a key pairing unit, configured to judge whether the recovered private key and the public key are consistent; and
a notification unit, configured to notify the pods of their mutual trust after the key pairing succeeds.
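The flow the units above describe (mutual-trust parameter carried in the creation instruction, one RSA key pair written into each pod's configuration, key pairing at run time) as an added Go example; it is not code from the patent or from any product implementing it. PodConfig, CreatePodGroup and MutualTrustCheck are constructed names, and the per-pod configuration file is modelled as an in-memory struct rather than a Kubernetes Secret.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
)

// PodConfig is a constructed stand-in for the per-pod configuration file (in Kubernetes a Secret would hold these fields).
type PodConfig struct {
	MutualTrust     bool   // the "mutual trust configuration starting parameter"
	PrivDER, PubDER []byte // the RSA key pair, PKCS#1 DER-encoded
}

// CreatePodGroup mirrors the creation step: if the creation instruction carries the mutual-trust
// parameter, one RSA key pair is generated and written, with the parameter, into every pod's configuration.
func CreatePodGroup(pods int, mutualTrust bool) ([]PodConfig, error) {
	group := make([]PodConfig, pods)
	if !mutualTrust {
		return group, nil // parameter absent: configurations are left untouched
	}
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	privDER := x509.MarshalPKCS1PrivateKey(priv)
	pubDER := x509.MarshalPKCS1PublicKey(&priv.PublicKey)
	for i := range group {
		group[i] = PodConfig{MutualTrust: true, PrivDER: privDER, PubDER: pubDER}
	}
	return group, nil
}

// MutualTrustCheck mirrors the run-time step for one ordered pair of pods: both must carry the
// parameter, and the public key recovered from a's private key must equal the one stored in b.
func MutualTrustCheck(a, b PodConfig) (bool, error) {
	if !a.MutualTrust || !b.MutualTrust {
		return false, nil // no parameter: the check is skipped, not passed
	}
	priv, err := x509.ParsePKCS1PrivateKey(a.PrivDER)
	if err != nil {
		return false, err
	}
	pub, err := x509.ParsePKCS1PublicKey(b.PubDER)
	if err != nil {
		return false, err
	}
	return priv.PublicKey.Equal(pub), nil
}
```

Because the same key pair is written to every pod in the group, any pod holding the private key passes the check against every other pod of that group; the configuration file carrying it therefore warrants the same protection as the passwords it replaces.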
In terms such as "first user" and "second user" in the embodiments of the present application, "first" and "second" are used only to distinguish names and do not imply an order.
As can be seen from the above description of the embodiments, those skilled in the art can clearly understand that all or part of the steps in the above embodiment methods can be implemented by software plus a general hardware platform. Based on such understanding, the technical solution of the present application may be embodied in the form of a software product, which may be stored in a storage medium, such as a read-only memory (ROM)/RAM, a magnetic disk, an optical disk, or the like, and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network communication device such as a router) to execute the method according to the embodiments or some parts of the embodiments of the present application.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the apparatus embodiment, since it is substantially similar to the method embodiment, it is relatively simple to describe, and reference may be made to some descriptions of the method embodiment for relevant points. The above-described device and system embodiments are merely illustrative, in which the first user and the second user may or may not be physically separate, and the component that is the initial task template may or may not be a code template. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
The above description is only an exemplary embodiment of the present application, and is not intended to limit the scope of the present application.

Claims (10)

1. A mutual trust configuration method for the minimum resource unit of a virtual container, wherein the minimum resource unit is a pod, the method comprising:
acquiring a creation instruction of a pod group, wherein the creation instruction comprises a mutual trust configuration starting parameter and the pod group comprises a plurality of pods;
when an upper-layer resource of the pod group is created, adding the mutual trust configuration starting parameter contained in the creation instruction to a configuration file corresponding to the pod group; and
when the pod group runs, detecting the configuration file, and when the mutual trust configuration starting parameter is detected, performing mutual trust verification.
2. The method of claim 1, further comprising:
when the upper-layer resource of the pod group is created, detecting the creation instruction, and when the creation instruction of the pod group is detected to contain the mutual trust configuration starting parameter, generating a key group according to an encryption algorithm and writing the key group into the configuration file corresponding to the pod group.
3. The method of claim 2, wherein the encryption algorithm is the RSA algorithm.
4. The method of claim 3, wherein generating the key group and writing it into the configuration file corresponding to the pod group comprises:
generating a group of key pairs according to the RSA algorithm, wherein each key pair comprises a private key and a public key; and
writing the key pair into the configuration file of one or more pods in the pod group according to the creation instruction.
5. The method of claim 4, wherein detecting the configuration file and, when the mutual trust configuration starting parameter is detected, performing mutual trust verification comprises:
when the pod group runs, detecting the mutual trust configuration starting parameter in the configuration file corresponding to each pod in the pod group; and
when the configuration files corresponding to at least two of the pods are detected to contain the mutual trust configuration starting parameter, reading the key pairs from the configuration files of those pods and matching them.
6. The method of claim 5, wherein the matching comprises:
according to the RSA algorithm, judging whether any two of the obtained key pairs can be paired; and
for any two pods whose key pairs can be paired, the mutual trust verification passes.
7. An apparatus for mutual trust configuration of the minimum resource unit of a virtual container, the apparatus comprising:
an instruction acquisition unit, configured to acquire a creation instruction of a pod group;
a parameter adding unit, configured to add the mutual trust configuration starting parameter contained in the creation instruction to a configuration file corresponding to the pod group when the pod group and its upper-layer resource are created; and
an operation detection unit, configured to perform mutual trust verification when the pods run.
8. The apparatus of claim 7, wherein the parameter adding unit comprises:
a parameter detection unit, configured to detect, when k8s creates the pod group and its upper-layer resource, whether the creation instruction used to create them contains the mutual trust configuration starting parameter;
a key group generating unit, configured to generate a key group according to the RSA algorithm; and
a parameter writing unit, configured to write the mutual trust configuration starting parameter and the key group into the configuration file corresponding to the pod group.
9. The apparatus of claim 7, wherein the operation detection unit comprises:
a parameter detection unit, configured to detect the mutual trust configuration starting parameter in the configuration file corresponding to a pod when the pod runs; and
a parameter reading unit, configured to read the key group from the configuration file and pass it to the mutual trust verification unit when the mutual trust configuration starting parameter is detected.
10. The apparatus of claim 9, wherein the mutual trust verification unit comprises:
an RSA parsing unit, configured to recover the private key with the RSA algorithm;
a key pairing unit, configured to judge whether the recovered private key and the public key are consistent; and
a notification unit, configured to notify the pods of their mutual trust after the key pairing succeeds.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910927283.7A CN110795207B (en) 2019-09-27 2019-09-27 Virtual container minimum resource unit mutual trust configuration method and device

Publications (2)

Publication Number Publication Date
CN110795207A true CN110795207A (en) 2020-02-14
CN110795207B CN110795207B (en) 2022-08-12

Family

ID=69438627

Country Status (1)

Country Link
CN (1) CN110795207B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020111699A1 (en) * 2001-02-09 2002-08-15 Melli Bruno P. Dynamically configurable generic container
US8429297B1 (en) * 2005-09-28 2013-04-23 Oracle America, Inc. Web service invocation framework with integrated directory-based distributor
CN109947452A (en) * 2019-03-26 2019-06-28 南京联创信息科技有限公司 A kind of Kubernetes container platform application update method
CN110221910A (en) * 2019-06-19 2019-09-10 北京百度网讯科技有限公司 Method and apparatus for executing MPI operation

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
AARON.COM: "Kubernetes-Secret usage notes" (Kubernetes-Secret使用说明), CSDN, HTTPS://BLOG.CSDN.NET/IOV_AARON/ARTICLE/DETAILS/94442111 *
WEIXIN_33759269: "Kubernetes Secret", CSDN, HTTPS://BLOG.CSDN.NET/WEIXIN_33759269/ARTICLE/DETAILS/92504688 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant