CN112231045A - Method for detecting health of safety container, electronic device and medium - Google Patents
Method for detecting health of safety container, electronic device and medium Download PDFInfo
- Publication number
- CN112231045A CN112231045A CN202010923878.8A CN202010923878A CN112231045A CN 112231045 A CN112231045 A CN 112231045A CN 202010923878 A CN202010923878 A CN 202010923878A CN 112231045 A CN112231045 A CN 112231045A
- Authority
- CN
- China
- Prior art keywords
- container
- health detection
- virtual
- communication mode
- port
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 230000036541 health Effects 0.000 title claims abstract description 128
- 238000000034 method Methods 0.000 title claims abstract description 56
- 238000001514 detection method Methods 0.000 claims abstract description 112
- 238000004891 communication Methods 0.000 claims abstract description 53
- 239000003795 chemical substances by application Substances 0.000 description 24
- 238000010586 diagram Methods 0.000 description 14
- 230000006870 function Effects 0.000 description 12
- 238000005516 engineering process Methods 0.000 description 9
- 238000012545 processing Methods 0.000 description 8
- 238000007726 management method Methods 0.000 description 7
- 238000002955 isolation Methods 0.000 description 6
- 238000004590 computer program Methods 0.000 description 5
- 230000005540 biological transmission Effects 0.000 description 4
- 230000008569 process Effects 0.000 description 3
- 230000004044 response Effects 0.000 description 3
- 239000000835 fiber Substances 0.000 description 2
- 239000003999 initiator Substances 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 230000001902 propagating effect Effects 0.000 description 2
- RYGMFSIKBFXOCR-UHFFFAOYSA-N Copper Chemical compound [Cu] RYGMFSIKBFXOCR-UHFFFAOYSA-N 0.000 description 1
- 229910052802 copper Inorganic materials 0.000 description 1
- 239000010949 copper Substances 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012544 monitoring process Methods 0.000 description 1
- 230000000750 progressive effect Effects 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45587—Isolation or security of virtual machine instances
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45591—Monitoring or debugging support
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45595—Network integration; Enabling network access in virtual machine instances
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Debugging And Monitoring (AREA)
Abstract
The embodiment of the specification discloses a health detection method for a safety container, an electronic device and a medium. The security container is arranged in a virtual private network of a user and is encapsulated in a virtual machine, a proxy end is arranged in the virtual machine, the method is applied to a host of the security container, and the method comprises the following steps: sending a container health detection instruction to the agent terminal based on a virtual port communication mode so as to call the agent terminal to perform health detection on the safety container; and receiving the health detection result returned by the agent terminal based on the virtual port communication mode.
Description
Technical Field
The present disclosure relates to cloud technologies, and more particularly, to a method of health detection for a secure container, an electronic device, and a medium.
Background
The container technology is a lightweight virtualization mode, and packages an application and a necessary execution environment into a container mirror image, so that the application program can directly run in a host machine relatively independently. Referring to fig. 1, in the conventional container technology, a container directly runs on a host (the container runs as a container process), and may be isolated by using a technique such as Namespace (Namespace), and the like, and an operating system kernel of the host is still shared between the containers, which is weak in isolation and security. Referring to fig. 2, in the secure container technology, a container is placed in a lightweight Virtual Machine (light Virtual Machine), and isolation is provided by using techniques such as hardware virtualization, so that the security of the container and a host can be improved.
In public Cloud services provided by Cloud service providers, a Virtual Private network (also referred to as Virtual Private Cloud) is a Private network belonging to a user, which defines a logically isolated network space on the public Cloud through a network virtualization technology.
Container health detection is an important function of container ecology, and container security detection can be initiated to a container by a management component running on a host. When the security container is set in the private network, the host cannot access the port of the security container due to the isolation between the host network and the private network, which results in the failure of normal container health detection.
Therefore, there is a need to provide a container health detection scheme, which can be applied to health detection of a container running in a virtual private network.
Disclosure of Invention
The present disclosure provides a method, an electronic device, and a medium for health detection of a secure container, which may be suitable for health detection of a secure container operating in a virtual private network.
According to a first aspect of the embodiments of the present disclosure, there is provided a method for detecting health of a secure container, where the secure container is disposed in a virtual private network of a user and is encapsulated in a virtual machine, and a proxy end is disposed in the virtual machine, and the method is applied to a host of the secure container, and the method includes:
sending a container health detection instruction to the agent terminal based on a virtual port communication mode so as to call the agent terminal to perform health detection on the safety container; and the number of the first and second groups,
and receiving a health detection result returned by the agent terminal based on a virtual port communication mode.
Optionally, the virtual port communication mode includes a virtual port communication mode or a virtual serial port communication mode based on a Vhost specification.
Optionally, the container health detection instruction includes an identifier of the secure container and a port number of a port to be detected of the secure container.
Optionally, the port to be detected includes a TCP port and/or an HTTP port.
Optionally, the sending a container health detection instruction to the agent terminal based on the virtual port communication mode includes:
and sending a container health detection request to a container runtime component to trigger the container runtime component to send the container health detection instruction to the agent terminal based on a virtual port communication mode.
According to a second aspect of the embodiments of the present disclosure, there is provided a method for detecting health of a secure container, where the secure container is disposed in a virtual private network of a user and is encapsulated in a virtual machine, and a proxy is disposed in the virtual machine, and the method is applied to the proxy, and the method includes:
receiving a container health detection instruction sent by a host machine of the safety container based on a virtual port communication mode;
carrying out health detection on the safety container according to the container health detection instruction;
and returning the health detection result to the host machine based on a virtual port communication mode.
Optionally, the virtual port communication mode includes a virtual port communication mode or a virtual serial port communication mode based on a Vhost specification.
Optionally, the container health detection instruction includes an identifier of the secure container and a port number of a port to be detected of the secure container.
Optionally, the port to be detected includes a TCP port and/or an HTTP port.
According to a third aspect of the embodiments of the present disclosure, there is provided an electronic device, including a processor and a memory, where computer instructions are stored in the memory, and when the computer instructions are executed by the processor, the method provided by the first aspect of the embodiments of the present disclosure is implemented.
According to a fourth aspect disclosed in the present specification, there is provided an electronic device comprising a processor and a memory, wherein computer instructions are stored in the memory, and when executed by the processor, the computer instructions implement the method provided by the second aspect of the embodiments of the present disclosure.
According to a fifth aspect disclosed in the present specification, there is provided a computer readable storage medium having stored thereon computer instructions which, when executed by a processor, implement the method provided by the first aspect of the embodiments of the present disclosure.
According to a sixth aspect disclosed in the present specification, there is provided a computer readable storage medium having stored thereon computer instructions which, when executed by a processor, implement the method provided by the second aspect of the embodiments of the present disclosure.
The health detection method, the electronic device and the medium for the security container provided by the embodiment of the disclosure can be used for performing health detection on the security container running in the virtual private cloud.
Features of embodiments of the present specification and advantages thereof will become apparent from the following detailed description of exemplary embodiments thereof, which proceeds with reference to the accompanying drawings.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the specification and together with the description, serve to explain the principles of the embodiments of the specification.
FIG. 1 is a schematic diagram of conventional safety container technology;
FIG. 2 is a schematic diagram of a secure container technique;
FIG. 3 is a schematic diagram of a host machine failing to perform a security container health check;
FIG. 4 is a flow chart of a method of health detection of a secure container provided by an embodiment of the present disclosure;
FIG. 5 is a flow chart of a method of health detection of a secure container provided by an embodiment of the present disclosure;
fig. 6 is a schematic diagram of a method for health detection of a safety container according to an embodiment of the present disclosure.
Detailed Description
Various exemplary embodiments of the present specification will now be described in detail with reference to the accompanying drawings.
The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the embodiments, their application, or uses.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, further discussion thereof is not required in subsequent figures.
The noun explains:
VPC, which is called Virtual Private Cloud, is usually translated into a Virtual Private network, and also translated into a Virtual Private Cloud, which is a network space defined on a public Cloud by a network virtualization technology and logically isolated, and belongs to a Private network of a user.
The OCI, which is called Open Container Initiative, is an Open Container standard that defines the specifications of Container runtime and mirror image.
Docker, an application container engine, can package applications and distribute them into a portable image, and then distribute them to Linux or Windows machines.
Kubernets, a container orchestration engine, can be used for managing containerized applications on multiple hosts in a cloud platform, and provides a mechanism for deploying, planning, updating, and maintaining containers.
The Kubelet component is a container lifecycle management component.
The Runtime component is a container Runtime component and is responsible for image management and real operation of the container.
< method for health monitoring of safety Container example >
In the container health detection function, a management component running on the host initiates container health detection. Taking the Kubernetes container system as an example, in the Kubernetes container system, container health detection is implemented by a Kubelet component running on a host. That is, the initiator of the health detection is the Kubelet component, and the source address is the IP address of the host. The health detection targets a container, and the destination address is composed of a container address and a port of the container.
The principle of TCP port health detection is that for a container providing TCP services, a management component periodically establishes a TCP connection to the container, and if the connection is successful, the TCP port is considered healthy, otherwise the TCP port is considered unhealthy.
The HTTP port health detection aims at a container providing HTTP or HTTPS service, the management component periodically initiates HTTP/HTTPS requests to the container, if the range of the return code of the HTTP/HTTPS response is within a normal range (generally 200-399), the HTTP port is considered to be healthy, otherwise, the HTTP port is considered to be unhealthy.
The safety container is formed by encapsulating the container in a virtual machine through a hardware virtualization technology, and provides isolation of computing resources. Through network virtualization technology, the security container can be incorporated into a virtual private network to achieve network isolation. By providing a container runtime component that conforms to the OCI standard, the secure container is enabled to access both the Docker container ecosystem and the kubernets container ecosystem.
The virtual private network belongs to a private network of a user, the host machine network belongs to a management network of a cloud service provider, and the host machine network and the virtual private network need to be isolated and cannot be in direct communication due to safety considerations. When the security container is set in the user's vpn, direct communication between the host network and the user's vpn is not possible due to the isolation between the two. Referring to the example shown in FIG. 3, for example, a segment of a host computer 10.0.0.0/16, the IP address of the host computer where the Kubelet component is located is 10.0.0.1. The security container is arranged in the user's virtual private network, and the user can set itself for the network segment of his virtual private network, which may be 192.168.0.0/16, for example, and the IP address of the security container is 192.168.0.1. It can be seen that the Kubelet component and the security container belong to different networks isolated from each other, and the Kubelet component running on the host cannot directly access the HTTP port and the TCP port of the security container, so that the health detection function cannot be completed.
Referring to fig. 4, an embodiment of the present disclosure provides a method for detecting health of a secure container, which may be suitable for performing health detection on a secure container operating in a virtual private network.
The secure container may be a secure container, which is disposed in a virtual private network of a user and is encapsulated in a virtual machine, in which a proxy end is disposed.
The method is applied to a host of the safety container and comprises steps S102-S104.
S102, sending a container health detection instruction to the agent terminal based on the virtual port communication mode so as to call the agent terminal to perform health detection on the safety container.
By using the virtual port communication mode, the virtual machine and the host machine of the virtual machine can communicate without using an IP address, that is, the communication between the virtual machine and the host machine of the virtual machine can be realized under the condition that the virtual machine and the host machine of the virtual machine belong to two networks which are isolated from each other. In a specific example, the virtual port communication method may include a virtual port communication method based on the Vhost specification. The Vhost is a virtualized device abstraction interface specification, and based on the Vhost specification, a buffer area can be shared between the host and the virtual machine, and the shared buffer area is used for receiving and sending data packets. In a specific example, the virtual port communication mode may also include a virtual serial port communication mode, so that the virtual machine and the host of the virtual machine may communicate with each other based on a serial port communication protocol.
In a specific example, the container health detection instruction includes an identifier of the secure container and a port number of the port to be detected. After receiving the container health detection instruction, the proxy end can read the identifier of the secure container and the port number of the port to be detected from the container health detection instruction, and determine the object of health detection according to the identifier of the secure container and the port number of the port to be detected, that is, determine which ports of which secure containers need to be subjected to health detection.
In a specific example, the host machine triggers the container Runtime component (Runtime) to send a container health detection instruction to the agent side by sending a container health detection request to the container Runtime component (Runtime) running on the host machine. The container health check request includes the identifier of the secure container and the port number of the port to be checked, that is, the container health check request specifies the object of the health check, that is, specifies which ports of which secure containers are to be subjected to the health check.
And S104, receiving a health detection result returned by the agent terminal based on the virtual port communication mode.
And after the agent terminal carries out health detection on the safety container, returning a health detection result to the host machine based on the virtual port communication mode. In a specific example, the agent side performs health detection on the secure container, returns a return code sent by the secure container as a health detection result to the host, and the host determines whether the port of the secure container is healthy according to the return code. Or, in a specific example, the agent end determines whether the port to be detected of the secure container is healthy according to the return code sent by the secure container, and returns the determination result as a health detection result to the host.
For example, the health detection object is a TCP port of the secure container, and the performing health detection on the agent side includes: the proxy side requests to establish a TCP connection with the secure container. If the TCP connection is successful, the TCP port is judged to be healthy, and if the TCP connection is unsuccessful, the TCP port is judged to be unhealthy.
For example, the health detection object is an HTTP port of the secure container, and the performing health detection on the proxy side includes: an HTTP/HTTPS get request is initiated for the secure container. If the range of the HTTP/HTTPS response return code of the secure container is between 200 and 399, judging that the HTTP port of the secure container is healthy, otherwise, judging that the HTTP port of the secure container is unhealthy.
Referring to fig. 5, an embodiment of the present disclosure provides a method for detecting health of a secure container, which may be suitable for performing health detection on a secure container operating in a virtual private network.
The security container is arranged in a virtual private network of a user and is encapsulated in a virtual machine, and an agent end is arranged in the virtual machine.
The method is applied to the agent terminal and comprises steps S202-S206.
S202, receiving a container health detection instruction sent by a host machine of the safety container based on a virtual port communication mode.
By using the virtual port communication mode, the virtual machine and the host machine of the virtual machine can communicate without using an IP address, that is, the communication between the virtual machine and the host machine of the virtual machine can be realized under the condition that the virtual machine and the host machine of the virtual machine belong to two networks which are isolated from each other. In a specific example, the virtual port communication method may include a virtual port communication method based on the Vhost specification. The Vhost is a virtualized device abstraction interface specification, and based on the Vhost specification, a buffer area can be shared between the host and the virtual machine, and the shared buffer area is used for receiving and sending data packets. In a specific example, the virtual port communication mode may also include a virtual serial port communication mode, so that the virtual machine and the host of the virtual machine may communicate with each other based on a serial port communication protocol.
And S204, carrying out health detection on the safety container according to the container health detection instruction.
In a specific example, the container health detection instruction includes an identifier of the secure container and a port number of the port to be detected. After receiving the container health detection instruction, the proxy end can read the identifier of the secure container and the port number of the port to be detected from the container health detection instruction, and determine the object of health detection according to the identifier of the secure container and the port number of the port to be detected, that is, determine which ports of which secure containers in the virtual machine need to be subjected to health detection.
And S206, returning the health detection result to the host machine based on the virtual port communication mode.
And after the agent terminal carries out health detection on the safety container, returning a health detection result to the host machine based on the virtual port communication mode. In a specific example, the agent side performs health detection on the secure container, returns a return code sent by the secure container as a health detection result to the host, and the host determines whether the port of the secure container is healthy according to the return code. Or, in a specific example, the agent end determines whether the port to be detected of the secure container is healthy according to the return code sent by the secure container, and returns the determination result as a health detection result to the host.
For example, the health detection object is a TCP port of the secure container, and the performing health detection on the agent side includes: the proxy side requests to establish a TCP connection with the secure container. If the TCP connection is successful, the TCP port is judged to be healthy, and if the TCP connection is unsuccessful, the TCP port is judged to be unhealthy.
For example, the health detection object is an HTTP port of the secure container, and the performing health detection on the proxy side includes: an HTTP/HTTPS get request is initiated for the secure container. If the range of the HTTP/HTTPS response return code of the secure container is between 200 and 399, judging that the HTTP port of the secure container is healthy, otherwise, judging that the HTTP port of the secure container is unhealthy.
Referring now to fig. 6, a kubernets container system is used as an example to illustrate the method of health detection of a safety container according to embodiments of the present disclosure.
The secure container is disposed in a user's virtual private network and encapsulated within a virtual machine.
The Kubelet component is the initiator of the health detection and may invoke a container Runtime component (Runtime).
Adding a first health check interface in a container Runtime component (Runtime), wherein the accepted parameters are as follows: a secure container identification and a port number. The first health check interface functions to: and receiving the call of the Kubelet component, namely calling the proxy terminal to perform health detection based on a virtual port communication mode when receiving a container health detection request of the Kubelet component, and returning a detection result to the Kubelet component.
Adding a second health check interface in the agent end of the virtual machine, wherein the accepted parameters are as follows: a secure container identification and a port number. The second health check interface functions as: and (3) receiving the call of the container Runtime component (Runtime), namely when receiving a container health detection instruction of the container Runtime component (Runtime), performing health detection on a port to be detected specified by the container health detection instruction, and returning a health detection result to the container Runtime component (Runtime) based on a virtual port communication mode.
The method for health detection of a secure container includes steps S302-310.
S302, the Kubelet component sends a container health detection request to a container Runtime component (Runtime).
S304, after receiving the container health detection request, the container Runtime component (Runtime) sends a container health detection instruction to the agent terminal based on the virtual port communication mode.
And S306, after receiving the container health detection instruction, the agent end performs health detection on the port to be detected specified by the container health detection instruction to obtain a health detection result.
S308, the agent end returns the health detection result to the container Runtime component (Runtime) based on the virtual port communication mode.
S310, the container Runtime component (Runtime) returns the health detection result to the Kubelet component.
According to the health detection method for the safety container, the host machine and the agent end can communicate in a virtual port communication mode, and the host machine utilizes the path to carry out health detection on the safety container running in the virtual private cloud, so that the health state detection can be carried out on the safety container under the condition that the host machine and the safety container belong to different networks which are isolated from each other.
< electronic device embodiment >
The embodiment of the present disclosure provides an electronic device, which includes a processor and a memory, where the memory stores computer instructions, and when the computer instructions are executed by the processor, the method for detecting health of a security container provided in any of the foregoing embodiments is implemented.
< group of computer-readable storage media >
The embodiment of the invention provides a computer-readable storage medium, on which computer instructions are stored, and when the computer instructions are executed by a processor, the method for detecting health of a security container provided in any one of the foregoing embodiments is implemented.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, as for the system and apparatus embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and reference may be made to some descriptions of the method embodiments for relevant points.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
Embodiments of the present description may be systems, methods, and/or computer program products. The computer program product may include a computer-readable storage medium having computer-readable program instructions embodied thereon for causing a processor to implement aspects of embodiments of the specification.
The computer readable storage medium may be a tangible device that can hold and store the instructions for use by the instruction execution device. The computer readable storage medium may be, for example, but not limited to, an electronic memory device, a magnetic memory device, an optical memory device, an electromagnetic memory device, a semiconductor memory device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a Static Random Access Memory (SRAM), a portable compact disc read-only memory (CD-ROM), a Digital Versatile Disc (DVD), a memory stick, a floppy disk, a mechanical coding device, such as punch cards or in-groove projection structures having instructions stored thereon, and any suitable combination of the foregoing. Computer-readable storage media as used herein is not to be construed as transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission medium (e.g., optical pulses through a fiber optic cable), or electrical signals transmitted through electrical wires.
The computer-readable program instructions described herein may be downloaded from a computer-readable storage medium to a respective computing/processing device, or to an external computer or external storage device via a network, such as the internet, a local area network, a wide area network, and/or a wireless network. The network may include copper transmission cables, fiber optic transmission, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. The network adapter card or network interface in each computing/processing device receives computer-readable program instructions from the network and forwards the computer-readable program instructions for storage in a computer-readable storage medium in the respective computing/processing device.
Computer program instructions for carrying out operations for embodiments of the present description may be assembly instructions, Instruction Set Architecture (ISA) instructions, machine related instructions, microcode, firmware instructions, state setting data, or source code or object code written in any combination of one or more programming languages, including an object oriented programming language such as Smalltalk, C + + or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The computer-readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider). In some embodiments, an electronic circuit, such as a programmable logic circuit, a Field Programmable Gate Array (FPGA), or a Programmable Logic Array (PLA), can execute computer-readable program instructions to implement various aspects of embodiments of the present specification by utilizing state information of the computer-readable program instructions to personalize the electronic circuit.
Aspects of embodiments of the present specification are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the specification. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer-readable program instructions.
These computer-readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer-readable program instructions may also be stored in a computer-readable storage medium that can direct a computer, programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer-readable medium storing the instructions comprises an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.
The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer, other programmable apparatus or other devices implement the functions/acts specified in the flowchart and/or block diagram block or blocks.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present description. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions. It is well known to those skilled in the art that implementation by hardware, by software, and by a combination of software and hardware are equivalent.
The foregoing description of the embodiments of the present specification has been presented for purposes of illustration and description, but is not intended to be exhaustive or limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope of the described embodiments. The terms used herein were chosen in order to best explain the principles of the embodiments, the practical application, or technical improvements to the techniques in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.
Claims (12)
1. A health detection method for a secure container, wherein the secure container is arranged in a virtual private network of a user and is encapsulated in a virtual machine, a proxy end is arranged in the virtual machine, and the method is applied to a host of the secure container, and comprises the following steps:
sending a container health detection instruction to the agent terminal based on a virtual port communication mode so as to call the agent terminal to perform health detection on the safety container; and the number of the first and second groups,
and receiving a health detection result returned by the agent terminal based on a virtual port communication mode.
2. The method of claim 1, wherein the virtual port communication mode comprises a virtual port communication mode or a virtual serial port communication mode based on a Vhost specification.
3. The method according to claim 1, wherein the container health detection instruction includes an identifier of the secure container and a port number of a port to be detected of the secure container.
4. The method according to claim 3, wherein the ports to be detected comprise TCP ports and/or HTTP ports.
5. The method according to claim 1, wherein the sending the container health detection instruction to the agent terminal based on the virtual port communication manner includes:
and sending a container health detection request to a container runtime component to trigger the container runtime component to send the container health detection instruction to the agent terminal based on a virtual port communication mode.
6. A health detection method for a secure container, wherein the secure container is arranged in a virtual private network of a user and is encapsulated in a virtual machine, a proxy end is arranged in the virtual machine, and the method is applied to the proxy end, and comprises the following steps:
receiving a container health detection instruction sent by a host machine of the safety container based on a virtual port communication mode;
carrying out health detection on the safety container according to the container health detection instruction;
and returning the health detection result to the host machine based on a virtual port communication mode.
7. The method of claim 6, wherein the virtual port communication mode comprises a Vhost specification-based virtual port communication mode or a virtual serial port communication mode.
8. The method according to claim 6, wherein the container health detection instruction includes an identifier of the secure container and a port number of a port to be detected of the secure container.
9. The method according to claim 8, wherein the port to be detected comprises a TCP port and/or an HTTP port.
10. An electronic device comprising a processor and a memory, the memory having stored therein computer instructions that, when executed by the processor, implement the method of any of claims 1-5.
11. An electronic device comprising a processor and a memory, the memory having stored therein computer instructions that, when executed by the processor, implement the method of any of claims 6-9.
12. A computer readable storage medium having stored thereon computer instructions which, when executed by a processor, implement the method of any one of claims 1-9.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010923878.8A CN112231045A (en) | 2020-09-04 | 2020-09-04 | Method for detecting health of safety container, electronic device and medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010923878.8A CN112231045A (en) | 2020-09-04 | 2020-09-04 | Method for detecting health of safety container, electronic device and medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112231045A true CN112231045A (en) | 2021-01-15 |
Family
ID=74116022
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010923878.8A Pending CN112231045A (en) | 2020-09-04 | 2020-09-04 | Method for detecting health of safety container, electronic device and medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112231045A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113051035A (en) * | 2021-03-31 | 2021-06-29 | 杭州海康威视系统技术有限公司 | Remote control method, device and system and host machine |
CN114780211A (en) * | 2022-06-16 | 2022-07-22 | 阿里巴巴(中国)有限公司 | Method for managing a secure container and system based on a secure container |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106357432A (en) * | 2016-08-30 | 2017-01-25 | 厦门鑫点击网络科技股份有限公司 | Hybrid virtual host management platform based on web servers |
US20170093923A1 (en) * | 2015-09-29 | 2017-03-30 | NeuVector, Inc. | Creating Additional Security Containers For Transparent Network Security For Application Containers Based On Conditions |
CN108737215A (en) * | 2018-05-29 | 2018-11-02 | 郑州云海信息技术有限公司 | A kind of method and apparatus of cloud data center Kubernetes clusters container health examination |
CN110177028A (en) * | 2019-05-30 | 2019-08-27 | 北京字节跳动网络技术有限公司 | Distributed health examination method and device |
US20190354675A1 (en) * | 2018-05-18 | 2019-11-21 | International Business Machines Corporation | Automated virtual machine integrity checks |
CN110825490A (en) * | 2019-10-25 | 2020-02-21 | 桂林东信云科技有限公司 | Kubernetes container-based application health check method and system |
-
2020
- 2020-09-04 CN CN202010923878.8A patent/CN112231045A/en active Pending
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20170093923A1 (en) * | 2015-09-29 | 2017-03-30 | NeuVector, Inc. | Creating Additional Security Containers For Transparent Network Security For Application Containers Based On Conditions |
CN106357432A (en) * | 2016-08-30 | 2017-01-25 | 厦门鑫点击网络科技股份有限公司 | Hybrid virtual host management platform based on web servers |
US20190354675A1 (en) * | 2018-05-18 | 2019-11-21 | International Business Machines Corporation | Automated virtual machine integrity checks |
CN108737215A (en) * | 2018-05-29 | 2018-11-02 | 郑州云海信息技术有限公司 | A kind of method and apparatus of cloud data center Kubernetes clusters container health examination |
CN110177028A (en) * | 2019-05-30 | 2019-08-27 | 北京字节跳动网络技术有限公司 | Distributed health examination method and device |
CN110825490A (en) * | 2019-10-25 | 2020-02-21 | 桂林东信云科技有限公司 | Kubernetes container-based application health check method and system |
Non-Patent Citations (1)
Title |
---|
李伟东: "基于Kubrnetes的容器云平台强多租户模型关键技术研究", 《中国优秀硕士学位论文全文数据库(电子期刊)》, vol. 2019, no. 08, 15 August 2019 (2019-08-15) * |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113051035A (en) * | 2021-03-31 | 2021-06-29 | 杭州海康威视系统技术有限公司 | Remote control method, device and system and host machine |
CN113051035B (en) * | 2021-03-31 | 2024-02-02 | 杭州海康威视系统技术有限公司 | Remote control method, device, system and host |
CN114780211A (en) * | 2022-06-16 | 2022-07-22 | 阿里巴巴(中国)有限公司 | Method for managing a secure container and system based on a secure container |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10356007B2 (en) | Dynamic service orchestration within PAAS platforms | |
US10812378B2 (en) | System and method for improved service chaining | |
US10320674B2 (en) | Independent network interfaces for virtual network environments | |
CN111614738B (en) | Service access method, device, equipment and storage medium based on Kubernetes cluster | |
US11522905B2 (en) | Malicious virtual machine detection | |
US10623242B2 (en) | Sharing a java virtual machine | |
US9628290B2 (en) | Traffic migration acceleration for overlay virtual environments | |
US9497165B2 (en) | Virtual firewall load balancer | |
US9374241B2 (en) | Tagging virtual overlay packets in a virtual networking system | |
US10038665B2 (en) | Reducing broadcast flooding in a software defined network of a cloud | |
US10769277B2 (en) | Malicious application detection and prevention system for stream computing applications deployed in cloud computing environments | |
US10127140B2 (en) | Automated problem determination for cooperating web services using debugging technology | |
CN107368339B (en) | Container entrance program operation method, system, device and storage medium | |
CN112231045A (en) | Method for detecting health of safety container, electronic device and medium | |
US10657255B2 (en) | Detecting malicious code based on conditional branch asymmetry | |
CN113595927A (en) | Method and device for processing mirror flow in bypass mode | |
US9626214B2 (en) | Establishing redundant connections for virtual machine | |
CN112231043A (en) | Method for detecting health of safety container, electronic device and medium | |
CN109756992A (en) | Create the methods, devices and systems of network connection | |
US11368459B2 (en) | Providing isolated containers for user request processing | |
US20170357614A1 (en) | Virtualizing tcp/ip services with shared memory transport | |
CN112231044A (en) | Method for detecting health of safety container, electronic device and medium | |
US9385935B2 (en) | Transparent message modification for diagnostics or testing | |
US20230070163A1 (en) | Prevention of race conditions in a dual-server storage system for generation of encryption key | |
CN109167714B (en) | Method, system, device and medium for terminal in IPV4 network to access IPV6 network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination |