CN112104597A - Terminal data isolation method and device for one-end multi-network environment - Google Patents
- Publication number: CN112104597A (application number CN202010717052.6A)
- Authority: CN (China)
- Prior art keywords: network, container, application software, network container, data
- Legal status: Granted
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
        - H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
      - H04L67/00—Network arrangements or protocols for supporting network services or applications
        - H04L67/01—Protocols
          - H04L67/10—Protocols in which an application is distributed across nodes in the network
            - H04L67/1095—Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
        - H04L67/34—Network arrangements or protocols for supporting network services or applications involving the movement of software or configuration parameters
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F8/00—Arrangements for software engineering
        - G06F8/60—Software deployment
          - G06F8/61—Installation
            - G06F8/63—Image based installation; Cloning; Build to order
      - G06F9/00—Arrangements for program control, e.g. control units
        - G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
          - G06F9/44—Arrangements for executing specific programs
            - G06F9/445—Program loading or initiating
            - G06F9/451—Execution arrangements for user interfaces
            - G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
              - G06F9/45533—Hypervisors; Virtual machine monitors
                - G06F9/45558—Hypervisor-specific management and integration aspects
                  - G06F2009/45595—Network integration; Enabling network access in virtual machine instances
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
  - Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    - Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
      - Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Abstract
The invention discloses a terminal data isolation method and device for a one-end multi-network environment. An administrator logs in to the host machine, builds an application image according to the office requirements of the organization, pushes the image to an application store, and marks the image as allowed to run in a network container. The method then comprises the following steps: starting the network container corresponding to the network to be accessed, and starting a desktop process; the desktop process displays the application software the network container is allowed to use; while the network container runs, the host machine judges whether the application software, the running programs, the data volume, or the network behaviour in the network container conform to the container's preset policy; if so, the network container operates normally; if not, the operation is refused. With the invention, when several networks are accessed from one terminal system, the application data of the respective networks are isolated from each other and the security of the data is ensured.
Description
Technical Field
The invention relates to the technical field of terminal data isolation, in particular to a terminal data isolation method and device in a one-end multi-network environment.
Background
In current user environments there are several networks with different security requirements, such as a government-affairs extranet, a government-affairs intranet, the internet and a production network. To meet the security requirements of each network and to prevent risk infiltration and data leakage between networks, service processing is at present basically realised in a one-end-one-network mode: the same PC can be connected to only one network, so an end user may work on several PCs at the same time. Industry policy requires that different networks be isolated from each other so that risk diffusion and data leakage incidents are prevented. Because this is currently achieved with dedicated terminals, each able to access only one network, resources are greatly wasted and user convenience is low.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides a terminal data isolation method and device in one-end multi-network environment.
To solve the above technical problem, an embodiment of the present invention provides a terminal data isolation method for a one-end multi-network environment. An administrator logs in to the host to operate with administrator authority, builds an application image according to the office requirements of the organization, pushes the application image to an application store, and sets the image as allowed to run in a network container. The method includes:
starting a network container corresponding to a network to be accessed, and starting a desktop process;
the desktop process displays application software allowed to be used by the network container;
when the network container runs, the host machine judges whether the application software, or the running program, or the data volume, or the network behavior in the network container conforms to the preset of the network container;
if so, the network container operates normally;
if not, the network container refuses to operate.
Optionally, starting the network container corresponding to the network to be accessed includes: initializing the LXC environment, constructing an isolated runtime environment, and loading the data volume corresponding to the network container.
Optionally, the LXC environment restricts the execution of the application software in the network container to always run in an isolated environment.
Optionally, the data volume is located in the host, and is used to store service data that needs to be persistently stored, or service data generated when the network container runs.
Optionally, the desktop process displays the application software allowed to be used by the network container, and the application software allowed to be used by the network container is installed from the application store.
Optionally, the method further includes:
the user installs the application software from the application store and installs the application software to the host machine;
judging whether the application software conforms to the network of the host machine;
if yes, the application software operates normally;
if not, the application software refuses to run.
Optionally, installing the application software on the host includes: installing the application software on the host machine through an installation tool.
In addition, an embodiment of the present invention further provides a terminal data isolation device for a one-end multi-network environment, where the device includes:
a starting module, used for starting the network container corresponding to the network to be accessed and starting the desktop process;
a display module, in which the desktop process displays the application software allowed to be used by the network container;
a judging module, in which, when the network container runs, the host machine judges whether the application software, the running programs, the data volume, or the network behaviour in the network container conform to the preset policy of the network container.
In the implementation of the invention, one terminal, including a mobile phone, a computer or other terminals, can safely and simultaneously access a plurality of networks with different security levels, thereby realizing the isolation of application data, ensuring the security of the data and saving the cost and the office space.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a flow chart of a terminal data isolation method in a one-end multi-network environment according to an embodiment of the present invention;
FIG. 2 is a schematic structural composition diagram of a terminal data isolation device in a one-end multi-network environment according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example one
Referring to fig. 1, fig. 1 is a flow chart illustrating a terminal data isolation method in a one-terminal multi-network environment according to an embodiment of the present invention.
As shown in FIG. 1, in a terminal data isolation method for a one-end multi-network environment, an administrator logs in to the host to operate with administrator authority, builds an application image according to the office requirements of the organization, pushes the application image to an application store, and sets the image as allowed to run in a network container. The method comprises the following steps:
S11: starting a network container corresponding to the network to be accessed, and starting a desktop process;
In a specific implementation of the present invention, starting the network container corresponding to the network to be accessed includes: initializing the LXC environment, constructing an isolated runtime environment, and loading the data volume corresponding to the network container.
It should be noted that the LXC environment limits the execution of the application software in the network container so that it always runs in an isolated environment and the files of the host are not damaged. All file creation and modification actions are redirected to the data volume corresponding to the container, so no data spreads to the host machine while the container operates. LXC (Linux Containers) is a kernel virtualization technology that provides lightweight virtualization to isolate processes and resources.
It should be noted that the data volume is located on the host and stores the service data that needs to be persisted, or the service data generated while the network container runs. It is a subdirectory under a host directory that the container mounts as a volume for data storage. A security control strategy is set, and the data volume is marked as {dataid, path, name}, where dataid is the ID of the data volume (each volume has one ID, corresponding to a container ID); path is the subdirectory of the data unit, inside which the isolated data is stored; name is the name of the data unit used for management, which can be displayed on the UI. Each data unit can be allocated to only one container. AppArmor limits the container's access to the data according to the correspondence between the container and the volume, and only allows the container to access its own volume. At the same time, access by applications on the host machine to the data volume is limited, preventing data leakage. The strategy is as follows:
{policyid, dataid, imagename, attr}, where policyid is the id of each policy; dataid is the id of the data volume to be managed; imagename is the id of the image loaded by the container that needs to use the data; attr is the container's access rights to the data unit, including read (r), write (w) and execute (x), or a combination of these rights, such as read-write-execute (rwx).
Kernel access control: the data storage unit is subjected to authority control according to a security policy library. The policy loading process is as follows:
(1) obtain a data table {path, dataid, attr} from the data volumes and the security policy table;
(2) the kernel finds a mapping for each enabled container: {containerid, imagename};
(3) an access control table {path, containerid, attr} is formed from the mapping;
(4) for each file access, check whether the path of the file is in the access control table; if so, check whether the container id matches; if so, check whether the authority attr matches; if everything matches, the access is allowed, otherwise it is rejected. If the path of the file is not in the control table, the access is passed.
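The policy-loading steps (1) to (4) above as a small, runnable model, written here as an added example and not code from the patent. The record layouts {dataid, path, name}, {policyid, dataid, imagename, attr} and {path, containerid, attr} come from the page; the sample volumes, image names and container ids are constructed, and treating a file as "in" the table when it lies under a volume's directory is my assumption.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class DataVolume:
    """Data volume record {dataid, path, name}."""
    dataid: str
    path: str   # host subdirectory the container mounts as its volume
    name: str   # management label shown in the UI


@dataclass(frozen=True)
class Policy:
    """Security policy record {policyid, dataid, imagename, attr}."""
    policyid: str
    dataid: str
    imagename: str
    attr: str   # rights letters, e.g. "rwx", "rw", "r"


@dataclass(frozen=True)
class AclEntry:
    """Access control table row {path, containerid, attr} (step 3)."""
    path: str
    containerid: str
    attr: FrozenSet[str]


def build_data_table(volumes: List[DataVolume],
                     policies: List[Policy]) -> List[Tuple[str, str, str, FrozenSet[str]]]:
    """Step (1): join the volume list with the policy table on dataid.
    Returns (path, dataid, imagename, attr); imagename is carried along so
    step (2) can resolve which containers each row applies to."""
    by_id = {v.dataid: v for v in volumes}
    table = []
    for p in policies:
        vol = by_id.get(p.dataid)
        if vol is None:
            continue  # policy names a volume that does not exist: ignore it
        table.append((vol.path, vol.dataid, p.imagename, frozenset(p.attr)))
    return table


def build_acl(volumes: List[DataVolume], policies: List[Policy],
              containers: Dict[str, str]) -> List[AclEntry]:
    """Steps (2)-(3): `containers` maps each enabled containerid to the
    imagename it loaded; every policy row is expanded to the containers
    running that image, giving {path, containerid, attr} rows."""
    acl = []
    for path, _dataid, imagename, attr in build_data_table(volumes, policies):
        for containerid, image in containers.items():
            if image == imagename:
                acl.append(AclEntry(path, containerid, attr))
    return acl


def _under(file_path: str, volume_path: str) -> bool:
    """True if file_path is the volume directory or lies inside it.
    Path components are compared, so /data/government is NOT under /data/gov
    (a plain string-prefix test would wrongly say it is)."""
    f, v = PurePosixPath(file_path), PurePosixPath(volume_path)
    return f == v or v in f.parents


def check_access(acl: List[AclEntry], containerid: str,
                 file_path: str, wanted: str) -> bool:
    """Step (4): decide one file access.
    - path not in the table -> passed (the page's rule for unmanaged paths)
    - path in the table     -> allowed only if a row has this containerid
                               and grants every requested right"""
    rows = [e for e in acl if _under(file_path, e.path)]
    if not rows:
        return True
    needed = set(wanted)
    return any(e.containerid == containerid and needed <= e.attr for e in rows)


# Constructed sample data (not from the patent): two networks, two volumes.
SAMPLE_VOLUMES = [
    DataVolume("vol-gov", "/data/gov", "Government intranet data"),
    DataVolume("vol-inet", "/data/internet", "Internet data"),
]
SAMPLE_POLICIES = [
    Policy("p1", "vol-gov", "gov-office-image", "rwx"),
    Policy("p2", "vol-inet", "internet-browser-image", "rw"),
]
SAMPLE_CONTAINERS = {"c-gov": "gov-office-image", "c-inet": "internet-browser-image"}


def build_sample_acl() -> List[AclEntry]:
    return build_acl(SAMPLE_VOLUMES, SAMPLE_POLICIES, SAMPLE_CONTAINERS)


if __name__ == "__main__":
    acl = build_sample_acl()
    for who, path, rights in [("c-gov", "/data/gov/report.docx", "rw"),
                              ("c-inet", "/data/gov/report.docx", "r"),
                              ("host-app", "/data/gov/report.docx", "r"),
                              ("c-inet", "/tmp/scratch", "rwx")]:
        verdict = "allow" if check_access(acl, who, path, rights) else "deny"
        print(who, path, rights, "->", verdict)
```

Note the pass-through branch in step (4): a directory that is not registered as a volume is not protected by this table at all, so every location holding sensitive data must be declared as a volume for the control to apply.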
Specifically, the network container starts a different container image for each network, and after an image is started only the corresponding network can be accessed. The container holds the applications, such as a browser and office software, that access that network. Isolation between containers (network, storage, users and so on) is realised with LXC, so the containers of different networks are invisible to each other and risks cannot spread from one to another.
The image of an application in a container is downloaded from a unified APP store by the APP installer and installed on the host machine by silent installation. The organization's administrator can configure which application programs may be used in which networks, so the container of each network dynamically maps the APP image on the host using AUFS. Because of the LXC mechanism, once the APP image is mapped, all modifications to the image are copy-on-write, so the image on the host is never modified by the container and can be mapped by the containers of several networks. When the application in the container executes, its intermediate data is copied on write, so normal use of the application is not affected.
S12: the desktop process displays application software allowed to be used by the network container;
in the implementation process of the invention, the desktop process displays the application software allowed to be used by the network container, and the application software allowed to be used by the network container is installed from the application store.
S13: when the network container runs, the host machine judges whether the application software, or the running program, or the data volume, or the network behavior in the network container conforms to the preset of the network container;
S14: if so, the network container operates normally;
S15: if not, the network container refuses to operate.
In a specific implementation of the invention, while the network container operates, the host's AppArmor judges whether a program running in the network container is one set by the administrator and allowed to run in that network container; if the program does not conform to the policy, it is refused to run.
Likewise, while the network container runs, AppArmor judges which data volumes the network container accesses; if the network container accesses the data volume of another container, the behaviour is rejected.
Likewise, while the network container runs, AppArmor monitors the network behaviour of the network container; if the network container accesses a network outside the one it belongs to, the behaviour is rejected.
In addition, the method further comprises: the user installs application software from the application store onto the host machine; it is judged whether the application software conforms to the network of the host machine; if yes, the application software operates normally; if not, it is refused to run. It should be noted that installing the application software on the host means installing it through an installation tool, namely the APP installer.
Specifically, if the administrator has set that the installed application software may run on the network where the host is located, the user can run and use it; otherwise, when the user launches the installed application software, its execution is refused.
In the implementation of the invention, one terminal, including a mobile phone, a computer or other terminals, can safely and simultaneously access a plurality of networks with different security levels, thereby realizing the isolation of application data, ensuring the security of the data and saving the cost and the office space.
Example two
Referring to fig. 2, fig. 2 is a schematic structural composition diagram of a terminal data isolation device in a one-terminal multi-network environment according to an embodiment of the present invention.
As shown in fig. 2, a terminal data isolation apparatus for one-end multi-network environment, the apparatus comprising:
the starting module 11, used for starting the network container corresponding to the network to be accessed and starting the desktop process;
the display module 12, in which the desktop process displays the application software allowed to be used by the network container;
the judging module 13, in which, when the network container runs, the host machine judges whether the application software, the running programs, the data volume, or the network behaviour in the network container conform to the preset policy of the network container.
Specifically, the working principle of the device related function module according to the embodiment of the present invention may refer to the description related to the first method embodiment, and is not described herein again.
In the implementation of the invention, one terminal, including a mobile phone, a computer or other terminals, can safely and simultaneously access a plurality of networks with different security levels, thereby realizing the isolation of application data, ensuring the security of the data and saving the cost and the office space.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by associated hardware instructed by a program, which may be stored in a computer-readable storage medium, and the storage medium may include: read Only Memory (ROM), Random Access Memory (RAM), magnetic or optical disks, and the like.
In addition, the method and the apparatus for isolating terminal data in one-end multi-network environment provided by the embodiment of the present invention are described in detail above, and a specific embodiment should be adopted herein to explain the principle and the implementation manner of the present invention, and the description of the above embodiment is only used to help understanding the method and the core idea of the present invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.
Claims (8)
1. A terminal data isolation method for a one-end multi-network environment, in which an administrator logs in to a host machine to operate with administrator authority, an application image is built according to the office requirements of an organization and pushed to an application store, and the image is set as allowed to run in a network container, the method being characterized by comprising the following steps:
starting a network container corresponding to a network to be accessed, and starting a desktop process;
the desktop process displays application software allowed to be used by the network container;
when the network container runs, the host machine judges whether the application software, or the running program, or the data volume, or the network behavior in the network container conforms to the preset of the network container;
if so, the network container operates normally;
if not, the network container refuses to operate.
2. The method for isolating terminal data in a one-end multi-network environment according to claim 1, wherein starting the network container corresponding to the network to be accessed comprises: initializing the LXC environment, constructing an isolated runtime environment, and loading the data volume corresponding to the network container.
3. The method for isolating terminal data in one-end multi-network environment according to claim 2, wherein the LXC environment restricts the execution of the application software in the network container to always run in an isolated environment.
4. The method for isolating terminal data in one-end multi-network environment according to claim 2, wherein the data volume is located in the host for storing the service data that needs to be persisted or the service data generated when the network container runs.
5. The method for terminal data isolation in one-end multi-network environment according to claim 1, wherein the desktop process displays the application software allowed to be used by the network container, and the application software allowed to be used by the network container is installed from the application store.
6. The method for isolating terminal data in one-end multi-network environment according to claim 1, further comprising:
the user installs the application software from the application store and installs the application software to the host machine;
judging whether the application software conforms to the network of the host machine;
if yes, the application software operates normally;
if not, the application software refuses to run.
7. The method for isolating terminal data in a one-end multi-network environment according to claim 6, wherein installing the application software on a host comprises: installing the application software on the host machine through an installation tool.
8. A terminal data isolation apparatus for one-end multi-network environment, the apparatus comprising:
a starting module, used for starting the network container corresponding to the network to be accessed and starting the desktop process;
a display module, in which the desktop process displays the application software allowed to be used by the network container;
a judging module, in which, when the network container runs, the host machine judges whether the application software, the running programs, the data volume, or the network behaviour in the network container conform to the preset policy of the network container.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010717052.6A CN112104597B (en) | 2020-07-23 | 2020-07-23 | Terminal data isolation method and device for one-end multi-network environment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112104597A (en) | 2020-12-18 |
CN112104597B (en) | 2023-04-07 |
Family ID: 73749938
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010717052.6A Active CN112104597B (en) | 2020-07-23 | 2020-07-23 | Terminal data isolation method and device for one-end multi-network environment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112104597B (en) |
Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140130150A1 (en) * | 2012-11-02 | 2014-05-08 | Microsoft Corporation | Content-based isolation for computing device security |
CN105099706A (en) * | 2015-08-25 | 2015-11-25 | 华为技术有限公司 | Data communication method, user equipment and server |
CN107977572A (en) * | 2016-10-25 | 2018-05-01 | 中兴通讯股份有限公司 | A kind of application program operation method and device, intelligent terminal |
CN108446159A (en) * | 2017-02-16 | 2018-08-24 | 中标软件有限公司 | Mobile terminal dual system based on Docker containers realizes system and method |
CN108471420A (en) * | 2018-03-29 | 2018-08-31 | 上交所技术有限责任公司 | Container security defence method and device based on network pattern identification and matching |
CN109343974A (en) * | 2018-09-14 | 2019-02-15 | 珠海国芯云科技有限公司 | The inter-process communication methods and device of virtual desktop based on container |
CN109388454A (en) * | 2018-09-14 | 2019-02-26 | 珠海国芯云科技有限公司 | Virtual desktop method and system based on container |
CN109828824A (en) * | 2018-12-29 | 2019-05-31 | 东软集团股份有限公司 | Safety detecting method, device, storage medium and the electronic equipment of mirror image |
CN110535831A (en) * | 2019-07-30 | 2019-12-03 | 平安科技(深圳)有限公司 | Cluster safety management method, device and storage medium based on Kubernetes and network domains |
US10552639B1 (en) * | 2019-02-04 | 2020-02-04 | S2 Systems Corporation | Local isolator application with cohesive application-isolation interface |
CN111147450A (en) * | 2019-12-09 | 2020-05-12 | 江苏艾佳家居用品有限公司 | Container network isolation method based on macvlan mode |
Timeline: 2020-07-23 CN CN202010717052.6A patent/CN112104597B/en active
Non-Patent Citations (1)
Title |
---|
蔡志强 (Cai Zhiqiang): "Analysis of container isolation based on Docker technology" (基于Docker技术的容器隔离性分析), 《电子世界》 (Electronic World) * |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113076170A (en) * | 2021-06-03 | 2021-07-06 | 统信软件技术有限公司 | Remote assistance method, system, device, computing equipment and storage medium |
CN113076170B (en) * | 2021-06-03 | 2021-09-17 | 统信软件技术有限公司 | Remote assistance method, system, device, computing equipment and storage medium |
CN113434257A (en) * | 2021-07-07 | 2021-09-24 | 曙光信息产业(北京)有限公司 | Docker operation method, device, server and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN112104597B (en) | 2023-04-07 |
Similar Documents
Publication | Title |
---|---|
US10404708B2 (en) | System for secure file access |
CN111338854B (en) | Kubernetes cluster-based method and system for quickly recovering data |
CN102662741B (en) | Method, device and system for realizing virtual desktop |
US9286098B1 (en) | Using master file template area to increase density of virtual machines in a computer system |
EP2297632B1 (en) | Dynamic file system restriction for portable storage devices |
CN112104597B (en) | Terminal data isolation method and device for one-end multi-network environment |
US20060288034A1 (en) | Virtualized file system |
US20120011513A1 (en) | Implementing a versioned virtualized application runtime environment |
US10216510B2 (en) | Silent upgrade of software with dependencies |
CN111475227B (en) | Business plug-in loading implementation method and device and terminal equipment |
US20140297999A1 (en) | Computer system and method for controlling ACPI information |
US11709931B2 (en) | Shadow stack violation enforcement at module granularity |
CN110780930A (en) | Method and device for starting Android system, electronic equipment and storage medium |
US20150127916A1 (en) | Dynamic memory allocation |
US20230035594A1 (en) | Managing peripherals in a containerized environment |
CN113296891B (en) | Platform-based multi-scene knowledge graph processing method and device |
US20210311740A1 (en) | Circular shadow stack in audit mode |
CN110457925B (en) | Application data isolation method and device in internal and external storage, terminal and storage medium |
CN109271792B (en) | Terminal peripheral control method and device based on Android local layer hook |
CN113986858B (en) | Linux compatible Android system shared file operation method and device |
CN115129250A (en) | Object storage method and device and readable storage medium |
CN114047933A (en) | Method, device, equipment and medium for multi-open Android application |
CN111026452A (en) | Method and system for injecting remote 32-bit process into 64-bit process |
CN112650713A (en) | File system operation method, device, equipment and storage medium |
CN100424652C (en) | Hard disk self-recovery protecting method based on embedded operation system |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |