CN113158204A - Method and system for controlling host machine by accessing docker container - Google Patents

Info

Publication number
CN113158204A
Authority
CN
China
Prior art date
Legal status
Pending
Application number
CN202110384612.5A
Other languages
Chinese (zh)
Inventor
袁帅
黄国忠
郑苑文
陈达鑫
莫润龙
Current Assignee
Shenzhen Leagsoft Technology Co ltd
Original Assignee
Shenzhen Leagsoft Technology Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/604 Tools and structures for managing or administering access control systems

Abstract

The invention provides a method and a system for controlling a host machine by accessing it from a docker container. The method runs in a docker container application installed on the host machine and comprises the following steps: mounting a plurality of description class files; acquiring a command to be executed; entering the process namespace of the host machine to execute the command; and processing the execution result returned by the host machine after executing the command. The method eliminates the client and server components of the traditional method entirely, simplifies deployment, reduces unnecessary application deployment, no longer depends on network communication, and reduces the potential safety hazard to the host machine. The method enables an application in the container environment to fully control and access the host machine as if it were running directly on the host.

Description

Method and system for controlling host machine by accessing docker container
Technical Field
The invention belongs to the technical field of computers, and particularly relates to a method and a system for a docker container to access and control a host.
Background
Docker is an open source application container engine, written in Go and released under the Apache 2.0 license. Docker lets developers package their applications and dependencies into a lightweight, portable container and then distribute that container to any popular Linux machine; it can also be used for virtualization.
Docker containers rely entirely on a sandbox mechanism and have no interfaces to each other. An application deployed in a Docker container runs isolated from the host operating system. If the application needs to access or control the host, it is unable to operate on the host. For example, a monitoring or management application needs to monitor the use of host resources, manage the host, monitor the operation of containers, and so on.
At present, the method by which a Docker container accesses and controls a host mainly comprises: installing a server on the host machine, installing a client in the container, and having the client and server communicate over a network protocol or through a mounted unix domain socket file. The server is responsible for receiving the operation instruction sent by the client and executing it; the client is responsible for sending instructions to the server and receiving the information returned from the server's execution of the instructions.
However, this method has the following drawbacks: a client and a server must be installed and deployed, and the deployment process is complex; the method depends entirely on network communication, and when network communication is used the server side is exposed to attack, which creates a potential safety hazard; and applications and tools in the Docker container environment cannot be used to operate the host machine.
Disclosure of Invention
Aiming at the defects in the prior art, the invention provides a method and a system for a docker container to access and control a host machine, which are simple to deploy, reduce the dependence on network communication, and reduce the potential safety hazard to the host machine.
In a first aspect, a method for a docker container to access and control a host, the method running in a docker container application installed on the host, comprises:
mounting a plurality of description class files;
acquiring a command to be executed;
entering a process name space of a host machine to execute the command to be executed;
processing the execution result returned by the host machine after executing the command to be executed.
Preferably, the description class files are in the proc system directory and include a mount namespace description class file, an ipc namespace description class file, a uts namespace description class file, a network namespace description class file, a pid namespace description class file, a user namespace description class file, and/or a cgroup namespace description class file.
Preferably, the mount namespace description class file is used for loading an independent mount file system on a process of the docker container application;
the ipc namespace description class file is used for loading an independent ipc space on a process of the docker container application;
the uts namespace description class file is used for loading independent host names on the process of the docker container application;
the network name space description class file is used for loading an independent network stack on a process of the docker container application;
the pid namespace description class file is used for loading an independent pid space on a process of the docker container application;
the user namespace description class file is used for loading an independent user space on a process of the docker container application;
the cgroup namespace description class file is used to load an independent cgroup control group in the process of the docker container application.
Preferably, the entering the process namespace of the host specifically includes:
opening the corresponding description file by using a preset opening function;
and entering a process name space of the host machine associated with the description class file by using a preset system call function.
In a second aspect, a system for a docker container to access and control a host comprises:
docker container application: installed on the host machine; used for mounting a plurality of description class files, acquiring a command to be executed, and entering the process namespace of the host machine; also used for processing the returned execution result;
host machine: used for executing the command to be executed in the process namespace and returning the obtained execution result to the docker container application.
Preferably, the description class files are in the proc system directory and include a mount namespace description class file, an ipc namespace description class file, a uts namespace description class file, a network namespace description class file, a pid namespace description class file, a user namespace description class file, and/or a cgroup namespace description class file.
Preferably, the mount namespace description class file is used for loading an independent mount file system on a process of the docker container application;
the ipc namespace description class file is used for loading an independent ipc space on a process of the docker container application;
the uts namespace description class file is used for loading independent host names on the process of the docker container application;
the network name space description class file is used for loading an independent network stack on a process of the docker container application;
the pid namespace description class file is used for loading an independent pid space on a process of the docker container application;
the user namespace description class file is used for loading an independent user space on a process of the docker container application;
the cgroup namespace description class file is used to load an independent cgroup control group in the process of the docker container application.
Preferably, the docker container application is specifically configured to:
opening the corresponding description file by using a preset opening function;
and entering a process name space of the host machine associated with the description class file by using a preset system call function.
According to the technical scheme, the method and the system for controlling the host machine by access from a docker container eliminate the client and server components of the traditional method entirely, simplify deployment, reduce unnecessary application deployment, no longer depend on network communication, and reduce the potential safety hazard to the host machine. The method enables an application in the container environment to fully control and access the host machine as if it were running directly on the host.
Drawings
In order to more clearly illustrate the detailed description of the invention or the technical solutions in the prior art, the drawings that are needed in the detailed description of the invention or the prior art will be briefly described below. Throughout the drawings, like elements or portions are generally identified by like reference numerals. In the drawings, elements or portions are not necessarily drawn to scale.
Fig. 1 is a flowchart of a method according to an embodiment of the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings. The following examples are only for illustrating the technical solutions of the present invention more clearly, and therefore are only examples, and the protection scope of the present invention is not limited thereby. It is to be noted that, unless otherwise specified, technical or scientific terms used herein shall have the ordinary meaning as understood by those skilled in the art to which the invention pertains.
It will be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It is also to be understood that the terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in the specification of the present invention and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
As used in this specification and the appended claims, the term "if" may be interpreted contextually as "when", "upon" or "in response to a determination" or "in response to a detection". Similarly, the phrase "if it is determined" or "if a [ described condition or event ] is detected" may be interpreted contextually to mean "upon determining" or "in response to determining" or "upon detecting [ described condition or event ]" or "in response to detecting [ described condition or event ]".
The first embodiment is as follows:
A method for a docker container to access and control a host, the method running in a docker container application installed on the host, comprises the following steps, with reference to fig. 1:
S1: mounting a plurality of description class files;
The description class files are in the proc system directory and comprise a mount namespace description class file, an ipc namespace description class file, a uts namespace description class file, a network namespace description class file, a pid namespace description class file, a user namespace description class file, and/or a cgroup namespace description class file.
Specifically, in step S1, when the docker container application is started, the host's /proc/1/ns system directory is mounted into the docker container application as a volume. The proc system directory is a virtual file system that maps kernel state held in system memory; it can be read directly to obtain system information. In the paths below, the pid is denoted by xxx:
/proc/xxx/ns/mount: the mount namespace, which gives the process of the docker container application an independent mounted file system;
/proc/xxx/ns/ipc: the ipc namespace, which gives the process of the docker container application an independent ipc space comprising message queues, shared memory, semaphores, and so on;
/proc/xxx/ns/uts: the uts namespace, which gives the process of the docker container application an independent hostname and domainname;
/proc/xxx/ns/net: the network namespace, which gives the process of the docker container application an independent network stack;
/proc/xxx/ns/pid: the pid namespace, which gives the process of the docker container application an independent pid space;
/proc/xxx/ns/user: the user namespace, which gives the process of the docker container application an independent user space;
/proc/xxx/ns/cgroup: the cgroup namespace, which gives the process of the docker container application an independent cgroup control group. Used together with the setns() system call, these files allow the host's process namespace (that of the init process) to be entered in order to carry out command operations.
S2: acquiring a command to be executed;
S3: entering the process namespace of the host machine to execute the command to be executed;
The step of entering the process namespace comprises: opening the corresponding description class file with a preset open function; and entering the process namespace of the host machine associated with that description class file with a preset system call function. The open function is the system's open function. The system call function is the system's setns(int fd, int nstype) function; setns switches the calling thread into the namespace referred to by fd (the namespace description class file of the corresponding process), and any new thread created in that thread's context is also in that namespace.
The step of executing the command to be executed comprises: executing the command in the process namespace; obtaining the execution result returned by the host machine; and switching back to the docker container application.
S4: processing the execution result returned by the host machine after executing the command to be executed.
Specifically, for example, assume the host is to be shut down by the docker container application. First, the host's /proc/1 system directory is mounted as a volume at the /root/1 directory of the docker container application; second, the mounted /root/1/ns/pid file is opened with the open function, which returns a file descriptor; then the file descriptor is passed to the setns system call to enter the process namespace of the host's process 1; finally, shutdown -h now is executed in that process-1 namespace and the host shuts itself down.
The method eliminates the client and server components of the traditional method entirely, simplifies deployment, reduces unnecessary application deployment, no longer depends on network communication, and reduces the potential safety hazard to the host machine. The method enables an application in the container environment to fully control and access the host machine as if it were running directly on the host.
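The procedure above (steps S1 to S4) depends on two things the container runtime must grant: a bind mount of the host's /proc/1 (or /proc/1/ns) into the container, and a capability that permits setns(2) (CAP_SYS_ADMIN in the user namespace owning the target namespace, which Docker does not grant by default). The following audit, an added example rather than code from the patent, reads `docker inspect` JSON and flags containers configured with both preconditions; the sample records are constructed inline, using the patent's /proc/1 to /root/1 mount.

```python
"""Audit `docker inspect` output for containers that can enter host
namespaces the way the patent describes: a host /proc path bind-mounted
into the container plus a capability set that allows setns(2).

Added example, not code from the patent. SAMPLE below is constructed in
the shape `docker inspect` prints; pass a file of real output as argv[1].
"""
import json
import sys
from pathlib import PurePosixPath

PROC = PurePosixPath("/proc")

# setns(2) needs CAP_SYS_ADMIN in the user namespace that owns the target
# namespace. Docker's default capability set omits it; --privileged or
# --cap-add SYS_ADMIN (or ALL) grants it.
SETNS_CAPS = {"SYS_ADMIN", "ALL"}


def _norm_cap(cap: str) -> str:
    """'CAP_SYS_ADMIN', 'cap_sys_admin' and 'SYS_ADMIN' all -> 'SYS_ADMIN'."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def exposes_host_proc(mount: dict) -> bool:
    """True for a bind mount whose host source is /proc or anything under it,
    e.g. /proc/1 or /proc/1/ns as in the patent's example."""
    if mount.get("Type", "bind") != "bind":
        return False
    src = PurePosixPath(mount.get("Source") or "")
    return src == PROC or PROC in src.parents


def can_setns(host_config: dict) -> bool:
    """True if the container is privileged or was granted CAP_SYS_ADMIN."""
    if host_config.get("Privileged"):
        return True
    return any(_norm_cap(c) in SETNS_CAPS for c in host_config.get("CapAdd") or [])


def audit_container(record: dict) -> dict:
    """Classify one inspect record:
      'escape-capable': host /proc mounted AND setns-capable (full precondition)
      'proc-exposed'  : host /proc mounted, but setns would fail with EPERM
      'ok'            : no host /proc mount
    """
    name = record.get("Name", "").lstrip("/")
    proc_mounts = [
        f"{m.get('Source')} -> {m.get('Destination')}"
        for m in record.get("Mounts") or [] if exposes_host_proc(m)
    ]
    capable = can_setns(record.get("HostConfig") or {})
    if proc_mounts and capable:
        risk = "escape-capable"
    elif proc_mounts:
        risk = "proc-exposed"
    else:
        risk = "ok"
    return {"name": name, "proc_mounts": proc_mounts,
            "setns_capable": capable, "risk": risk}


def audit(records: list) -> list:
    """Audit every record of a `docker inspect` JSON array."""
    return [audit_container(r) for r in records]


# Constructed sample records (no real hosts), shaped like `docker inspect`.
SAMPLE = [
    {   # the configuration the patent's worked example relies on
        "Name": "/monitor-agent",
        "HostConfig": {"Privileged": False, "CapAdd": ["SYS_ADMIN"]},
        "Mounts": [{"Type": "bind", "Source": "/proc/1", "Destination": "/root/1"}],
    },
    {   # mount present, default capabilities: setns is refused by the kernel
        "Name": "/metrics",
        "HostConfig": {"Privileged": False, "CapAdd": None},
        "Mounts": [{"Type": "bind", "Source": "/proc/1/ns", "Destination": "/host-ns"}],
    },
    {   # ordinary service with a named volume only
        "Name": "/web",
        "HostConfig": {"Privileged": False, "CapAdd": None},
        "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/web/_data",
                    "Destination": "/data"}],
    },
]

if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for row in audit(data):
        print(f"{row['risk']:15} {row['name']:15} setns_capable={row['setns_capable']} "
              f"{'; '.join(row['proc_mounts']) or '-'}")
```

On a live host, `docker inspect $(docker ps -q) > inspect.json` followed by `python3 audit_ns_mounts.py inspect.json` runs the same checks over every running container.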
The second embodiment is as follows:
A system for a docker container to access and control a host, comprising:
docker container application: installed on the host machine; used for mounting a plurality of description class files, acquiring a command to be executed, and entering the process namespace of the host machine; also used for processing the returned execution result;
host machine: used for executing the command to be executed in the process namespace and returning the obtained execution result to the docker container application.
Preferably, the description class files are in the proc system directory and include a mount namespace description class file, an ipc namespace description class file, a uts namespace description class file, a network namespace description class file, a pid namespace description class file, a user namespace description class file, and/or a cgroup namespace description class file.
Preferably, the mount namespace description class file is used for loading an independent mount file system on a process of the docker container application;
the ipc namespace description class file is used for loading an independent ipc space on a process of the docker container application;
the uts namespace description class file is used for loading independent host names on the process of the docker container application;
the network name space description class file is used for loading an independent network stack on a process of the docker container application;
the pid namespace description class file is used for loading an independent pid space on a process of the docker container application;
the user namespace description class file is used for loading an independent user space on a process of the docker container application;
the cgroup namespace description class file is used to load an independent cgroup control group in the process of the docker container application.
Preferably, the docker container application is specifically configured to:
opening the corresponding description file by using a preset opening function;
and entering a process name space of the host machine associated with the description class file by using a preset system call function.
For brevity, for the details of the system provided by this embodiment, reference may be made to the corresponding content in the foregoing embodiments.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; such modifications and substitutions do not depart from the spirit and scope of the present invention, and they should be construed as being included in the following claims and description.

Claims (8)

1. A method for a docker container to access and control a host, the method running in a docker container application installed on the host, the method comprising the steps of:
mounting a plurality of description class files;
acquiring a command to be executed;
entering a process name space of a host machine to execute the command to be executed;
processing the execution result returned by the host machine after executing the command to be executed.
2. The method for a docker container to access and control a host according to claim 1, wherein
the description class files are in the proc system directory and comprise a mount namespace description class file, an ipc namespace description class file, a uts namespace description class file, a network namespace description class file, a pid namespace description class file, a user namespace description class file, and/or a cgroup namespace description class file.
3. The method for a docker container to access and control a host according to claim 2, wherein
the mounting namespace description class file is used for loading an independent mounting file system on a process of the docker container application;
the ipc namespace description class file is used for loading an independent ipc space on a process of the docker container application;
the uts namespace description class file is used for loading independent host names on the process of the docker container application;
the network name space description class file is used for loading an independent network stack on a process of the docker container application;
the pid namespace description class file is used for loading an independent pid space on a process of the docker container application;
the user namespace description class file is used for loading an independent user space on a process of the docker container application;
the cgroup namespace description class file is used to load an independent cgroup control group in the process of the docker container application.
4. The method for a docker container to access and control a host according to claim 1, wherein entering the process namespace of the host machine specifically comprises:
opening the corresponding description file by using a preset opening function;
and entering a process name space of the host machine associated with the description class file by using a preset system call function.
5. A system for a docker container to access and control a host, comprising:
docker container application: installed on the host machine; used for mounting a plurality of description class files, acquiring a command to be executed, and entering the process namespace of the host machine; also used for processing the returned execution result;
host machine: used for executing the command to be executed in the process namespace and returning the obtained execution result to the docker container application.
6. The system for a docker container to access and control a host according to claim 5, wherein
the description class files are in the proc system directory and comprise a mount namespace description class file, an ipc namespace description class file, a uts namespace description class file, a network namespace description class file, a pid namespace description class file, a user namespace description class file, and/or a cgroup namespace description class file.
7. The system for a docker container to access and control a host according to claim 6, wherein
the mounting namespace description class file is used for loading an independent mounting file system on a process of the docker container application;
the ipc namespace description class file is used for loading an independent ipc space on a process of the docker container application;
the uts namespace description class file is used for loading independent host names on the process of the docker container application;
the network name space description class file is used for loading an independent network stack on a process of the docker container application;
the pid namespace description class file is used for loading an independent pid space on a process of the docker container application;
the user namespace description class file is used for loading an independent user space on a process of the docker container application;
the cgroup namespace description class file is used to load an independent cgroup control group in the process of the docker container application.
8. The system for a docker container to access and control a host according to claim 5, wherein the docker container application is specifically configured to:
opening the corresponding description file by using a preset opening function;
and entering a process name space of the host machine associated with the description class file by using a preset system call function.
Priority Applications (1)

Application number: CN202110384612.5A
Priority date: 2021-04-09
Filing date: 2021-04-09
Title: Method and system for controlling host machine by accessing docker container
Legal status: Pending

Publications (1)

Publication number: CN113158204A (en)
Publication date: 2021-07-23

Family

ID=76889702

Country Status (1)

Country: CN
Link: CN113158204A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114491557A (en) * 2022-01-27 2022-05-13 北京小佑网络科技有限公司 Java memory Trojan horse threat detection method based on container environment
CN114726901A (en) * 2022-05-23 2022-07-08 安徽华云安科技有限公司 Container access method, device, equipment and storage medium
CN116431292A (en) * 2023-06-13 2023-07-14 中孚安全技术有限公司 Method, system and device for isolating server resources and readable storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5893107A (en) * 1996-07-01 1999-04-06 Microsoft Corporation Method and system for uniformly accessing multiple directory services
CN101057228A (en) * 2004-11-12 2007-10-17 佳思腾软件公司 Server device and name space issuing method
CN102971706A (en) * 2010-05-10 2013-03-13 思杰系统有限公司 Redirection of information from secure virtual machines to unsecure virtual machines
CN111796904A (en) * 2020-05-21 2020-10-20 北京中软华泰信息技术有限责任公司 Docker file access control method based on namespace

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
李平平; 陈莉君: "基于LSM的Docker访问控制机制研究" (Research on an LSM-based Docker access control mechanism), 信息技术 (Information Technology), no. 11, 25 November 2016 (2016-11-25), pages 134-138 *

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination