CN113312613A - Container creation method, container deletion method, device and equipment - Google Patents


Info

Publication number
CN113312613A
Authority
CN
China
Prior art keywords
container
application
configuration information
protected
configuration file
Prior art date
Legal status
Pending
Application number
CN202010414613.5A
Other languages
Chinese (zh)
Inventor
张佳
Current Assignee
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Events
Application filed by Alibaba Group Holding Ltd
Priority to CN202010414613.5A
Publication of CN113312613A
Legal status: Pending (current)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/445 Program loading or initiating
    • G06F9/44505 Configuring for program initiating, e.g. using registry, configuration files

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Stored Programmes (AREA)

Abstract

Embodiments of this application provide a container creation method, a container deletion method, an apparatus and a device. The method comprises: acquiring a configuration file of a container image of an application, the configuration file comprising first configuration information and second configuration information; creating a base container of the application and running the base container based on the first configuration information; and, based on the second configuration information, using a hardware environment isolation technology to create a container process in the base container for at least part of the programs of the application, so as to create a protected container of the application. The application improves the security of applications implemented with container technology.

Description

Container creation method, container deletion method, device and equipment
Technical Field
The present application relates to the field of computer technologies, and in particular, to a container creation method, a container deletion method, an apparatus, and a device.
Background
With the continuous development of computer technology, the application of container technology is more and more extensive.
A container is a lightweight, portable, self-contained software packaging technique that enables an application to run in the same manner almost anywhere. In a new cloud Platform as a Service (PaaS) platform, container technology can be used to isolate different software developers from each other, with the container as the minimum unit of scheduling. Although container technology achieves a certain degree of isolation that improves application security, as attention to application security keeps growing, how to further improve the security of applications implemented with container technology has become an urgent problem.
Disclosure of Invention
Embodiments of the application provide a container creation method, a container deletion method, an apparatus and a device, which address the problem in the prior art of how to further improve the security of applications implemented with container technology.
In a first aspect, an embodiment of the present application provides a container creation method, including:
acquiring a configuration file of a container image of an application, wherein the configuration file comprises first configuration information and second configuration information;
creating a base container of the application and running the base container based on the first configuration information;
and, based on the second configuration information, using a hardware environment isolation technology to create a container process in the base container for at least part of the programs of the application, so as to create a protected container of the application.
In a second aspect, an embodiment of the present application provides a container deletion method, where the method includes:
determining to delete a protected container of an application, wherein the protected container is obtained by first creating a base container of the application and running the base container based on first configuration information in a configuration file of a container image of the application, and then creating a container process in the base container for at least part of the programs of the application using a hardware environment isolation technology based on second configuration information in the configuration file;
deleting the protected container.
In a third aspect, an embodiment of the present application provides a container creating apparatus, including:
an acquisition module, configured to acquire a configuration file of a container image of an application, wherein the configuration file comprises first configuration information and second configuration information;
a first creating module, configured to create a base container of the application and run the base container based on the first configuration information;
a second creating module, configured to create, based on the second configuration information, a container process in the base container for at least part of the programs of the application using a hardware environment isolation technology, so as to create a protected container of the application.
In a fourth aspect, an embodiment of the present application provides a container deleting device, where the device includes:
a determining module, configured to determine to delete a protected container of an application, where the protected container is obtained by creating a base container of the application and running the base container based on first configuration information in a configuration file of a container image of the application, and then creating a container process in the base container for at least part of the programs of the application using a hardware environment isolation technology based on second configuration information in the configuration file;
a deletion module, configured to delete the protected container.
In a fifth aspect, an embodiment of the present application provides a computer device, including: a memory, a processor; wherein the memory is configured to store one or more computer instructions, wherein the one or more computer instructions, when executed by the processor, implement the method of any of the first aspects.
In a sixth aspect, an embodiment of the present application provides a computer device, including: a memory, a processor; wherein the memory is configured to store one or more computer instructions, wherein the one or more computer instructions, when executed by the processor, implement the method of any of the second aspects.
Embodiments of the present application also provide a computer-readable storage medium storing a computer program, the computer program comprising at least one code, which is executable by a computer to control the computer to perform the method according to any one of the first aspect.
Embodiments of the present application also provide a computer-readable storage medium storing a computer program, the computer program comprising at least one code, which is executable by a computer to control the computer to perform the method according to any one of the second aspect.
Embodiments of the present application also provide a computer program, which is used to implement the method according to any one of the first aspect when the computer program is executed by a computer.
Embodiments of the present application also provide a computer program, which is used to implement the method according to any one of the second aspect when the computer program is executed by a computer.
In the container creation method, the container deletion method, the apparatus and the device provided by the embodiments of the application, the configuration file of the container image of the application is acquired, the configuration file comprising first configuration information and second configuration information; the base container of the application is created and run based on the first configuration information; and, based on the second configuration information, a container process is created in the base container for at least part of the programs of the application using a hardware environment isolation technology, so as to create the protected container of the application. While remaining compatible with the current container protocol, the method thus combines the container with the hardware environment isolation technology: on the basis of traditional container technology, at least part of the programs of the application are loaded into a protected hardware running environment, which ensures the confidentiality and integrity of the code and data of those programs and thereby improves the security of the application.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present application, and other drawings can be obtained by those skilled in the art without creative efforts.
FIG. 1 is a schematic view of a container provided in the conventional art;
FIG. 2 is a schematic view of a container provided in an embodiment of the present application;
FIG. 3 is a schematic flow chart of a container creation method according to an embodiment of the present application;
FIG. 4 is a schematic flow chart of a container process provided in an embodiment of the present application;
FIG. 5 is a flow chart illustrating the response to a spec command according to an embodiment of the present application;
FIG. 6 is a flow chart illustrating the response to a create command according to an embodiment of the present application;
FIG. 7 is a flow chart illustrating the response to a delete command according to an embodiment of the present application;
FIG. 8 is a schematic flow chart of a container deletion method according to an embodiment of the present application;
FIG. 9 is a schematic structural diagram of a container creating apparatus according to an embodiment of the present application;
FIG. 10 is a schematic structural diagram of a computer device according to an embodiment of the present application;
FIG. 11 is a schematic structural diagram of a container deleting device according to an embodiment of the present application;
FIG. 12 is a schematic structural diagram of a computer device according to another embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The terminology used in the embodiments of the present application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in the examples of this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise, and "a" and "an" typically include at least two, but do not exclude the presence of at least one.
It should be understood that the term "and/or" as used herein is merely one type of association that describes an associated object, meaning that three relationships may exist, e.g., a and/or B may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
The words "if", as used herein, may be interpreted as "at … …" or "at … …" or "in response to a determination" or "in response to a detection", depending on the context. Similarly, the phrases "if determined" or "if detected (a stated condition or event)" may be interpreted as "when determined" or "in response to a determination" or "when detected (a stated condition or event)" or "in response to a detection (a stated condition or event)", depending on the context.
It is also noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a good or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such good or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a commodity or system that includes the element.
In addition, the sequence of steps in each method embodiment described below is only an example and is not strictly limited.
For the convenience of those skilled in the art to understand the technical solutions provided in the embodiments of the present application, a technical environment for implementing the technical solutions is described below.
Container technology in the related art can isolate applications to a certain extent, but as attention to application security keeps growing, the related art urgently needs a way of creating containers that further improves the security of applications implemented with container technology.
Based on practical technical requirements such as those described above, the container creation method provided by the present application improves the security of applications implemented with container technology by combining the container with a hardware environment isolation technology.
The following describes a container creation method provided in various embodiments of the present application in detail through an exemplary application scenario.
As shown in fig. 1, in the conventional art, a container created in a computer device 10 may include a set of processes that need to run in a dedicated software running environment, which may be obtained from the configuration file of the container image of the application in the conventional art. The software running environments of different containers created within the computer device 10 are isolated from each other, which achieves a certain degree of isolation between the containers and so improves the security of the application. However, isolating software running environments from each other has a very limited isolation effect, so the security it provides for the application is also very limited. It should be noted that, since the container created by the embodiment of the present application is a further improvement on the container of the conventional art, the container of the conventional art is referred to as a base container.
In the embodiment of the present application, as shown in fig. 2, the base container created in the computer device 10 may include a set of processes that need to run in a dedicated software running environment, which may be obtained from the first configuration information in the configuration file of the container image of the application; the role of the first configuration information is the same as that of the configuration file of the container image in the conventional technology.
In addition, some of the processes in the set of processes of the base container are carrier processes that host a protected hardware running environment; these carrier processes run in the protected hardware running environment, so that at least part of the programs of the application loaded into them are isolated by hardware.
Illustratively, the protected hardware running environment may be a protected execution environment (enclave), such as Intel Software Guard Extensions (SGX) or ARM TrustZone. The hardware running environment may be obtained based on second configuration information in the configuration file of the container image, this second configuration information being information not present in the configuration file of the conventional art. To distinguish it from the base container of the conventional art, the container created in the embodiment of the present application is referred to as a protected container.
Compared with the traditional container, the protected container created in the computer device 10 additionally loads at least part of the programs of the application into the protected hardware running environment, on the basis of traditional container technology. This ensures the confidentiality and integrity of the code and data of those programs, since logic outside the hardware running environment is not allowed to access code and data inside it, and thereby improves the security of the application.
It should be noted that the computer device 10 may specifically be a terminal or a server; in other embodiments it may be of another type, which is not limited in this application. Figs. 1 and 2 take as an example the case where multiple containers are created on a single computer device 10.
Some embodiments of the present application will be described in detail below with reference to the accompanying drawings. The embodiments described below and the features of the embodiments can be combined with each other without conflict.
Fig. 3 is a flowchart of a container creation method according to an embodiment of the present application; the execution subject of this embodiment may be the computer device 10 in fig. 1. As shown in fig. 3, the method of this embodiment may include:
step 31, acquiring a configuration file of a container image of an application, wherein the configuration file comprises first configuration information and second configuration information;
step 32, based on the first configuration information, creating a base container of the application and running the base container;
step 33, based on the second configuration information, creating a container process in the base container for at least part of the programs of the application using a hardware environment isolation technology, so as to create a protected container of the application.
In the embodiment of the application, the container image of the application can be an image file meeting a certain image standard, obtained by packaging the application into a container. The image standard may specifically be the Open Container Initiative (OCI) Image specification.
First, a standard tool can be used to generate, from the container image of the application, a bundle that conforms to the image standard. The bundle may be a directory tree obtained by converting the container image according to the OCI standard, with a configuration file named config.json; the name of the subdirectory can be determined by a configuration item in config.json. It is understood that the configuration file converted from the container image does not yet include the first configuration information and the second configuration information.
Next, as shown in fig. 4, in step A, triggered by a specification (spec) command, a command line tool may be called to generate the first configuration information and the second configuration information in the configuration file config.json. It should be noted that the information in the configuration file is compatible with the OCI Runtime specification. The configuration information generated in this step can also be modified according to user input, so that the information in the configuration file can be adjusted flexibly. For the specific way in which a user modifies the configuration information, reference may be made to the relevant provisions of the current OCI Runtime specification on modifying configuration information, which are not repeated here.
Next, in step B, triggered by a create command or a run command, the command line tool may be invoked to create a container based on the configuration file under the bundle directory. The difference between the create command and the run command is mainly that, under the run command, the protected container is further run after it is created; for details, reference may be made to the relevant provisions of the current OCI Runtime specification on the run command, which are not repeated here.
Finally, after the protected container has been run, in step C, triggered by a delete command, the command line tool may be invoked to delete the protected container created in step B. As shown in fig. 4, deleting a protected container may specifically include step C1 and step C2: the protected container is stopped in step C1, and after it has stopped, the state information related to the protected container in the system is deleted in step C2; for details, reference may be made to the relevant provisions of the current OCI Runtime specification on the delete command, which are not repeated here.
It should be noted that fig. 4 takes as an example the case where the generation of the configuration file and the control of the protected container are performed by the command line tool, so as to be compatible with the way configuration files are generated and containers are controlled in the conventional technology. The configuration information in the configuration file in fig. 4 may be generated by the computer device 10, or the first configuration information and the second configuration information may be generated by another device beforehand.
Hereinafter, steps a to C shown in fig. 4 will be specifically described.
Step A
Assuming a bundle exists under the current path, the spec command need not carry parameters. After the command line tool receives the spec command, as shown in fig. 5, it first determines in step 51 whether the bundle meets a certain requirement; if not, the current flow ends, and if so, the tool continues with step 52. In one embodiment, the requirement is that the subdirectory named in the configuration file, for example the rootfs subdirectory, exists under the bundle; if that subdirectory does not exist under the bundle, the requirement is not met.
In step 52, it may be checked whether the current environment supports hardware environment isolation technology; if not, step 54 is performed, and if so, step 53 is performed. In one embodiment, the hardware environment isolation technology may specifically be a protected execution environment (enclave) technology.
In step 53, hardware information supporting the hardware environment isolation technology in the current environment is obtained. Taking SGX as an example, the hardware information may include the SGX type, the maximum EPC (Enclave Page Cache) size, and the like.
In step 54, the configuration information in the configuration file config.json is generated.
In the case of executing step 53, the configuration information includes first configuration information and second configuration information, where the first configuration information is used to create a base container, and the second configuration information is used to create a protected container based on the base container created based on the first configuration information. It should be noted that the first configuration information may be information contained in a field related to a configuration file defined in the current OCI Runtime specification.
The second configuration information may be generated based on the hardware information obtained in step 53 and may include a plurality of fields. The information in these fields includes the hardware information obtained in step 53 and may also include software information, which is used to decide which specific software in the application needs to be protected by hardware isolation. The software information can be default information, which the user can change by modifying the configuration file.
In this case, the configuration file finally obtained in the embodiment of the present application is obtained by adding a plurality of fields on the basis of the fields of the configuration file specified in the current OCI Runtime specification, so that the configuration file may further include second configuration information for obtaining the protected container on the basis of the base container.
In the case where step 53 is not performed, the hardware information needed to generate the second configuration information is not obtained, so the field corresponding to the second configuration information in the generated configuration information may be null. A container created from a configuration file whose second-configuration field is null can only be a base container; a protected container cannot be created from it.
In fig. 5, the spec command may be, for example, a command input by a user, or may be generated according to a first trigger operation input by the user, or according to a first trigger message received from a terminal. The first trigger operation may be, for example, a click on a first preset button; in other embodiments the first trigger operation may take other forms, which is not limited in this application. The first trigger message may be generated and sent by the terminal when it obtains the first trigger operation input by the user.
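The spec flow of fig. 5, written out as an added Python example (not code from the patent or from any Alibaba tool): it checks the bundle for a rootfs subdirectory, takes an injected hardware probe result in place of a real CPU query, and writes a config.json whose second configuration information sits under an assumed "protected" field, left null when the host lacks enclave support. All field names and the sample SGX values are assumptions.

```python
import json
import os
import tempfile
from typing import Optional


def make_sample_bundle(with_rootfs: bool = True) -> str:
    """Constructed sample bundle (a temporary directory) so the example runs
    offline: rootfs/bin/app stands in for the application's program."""
    bundle = tempfile.mkdtemp(prefix="bundle-")
    if with_rootfs:
        os.makedirs(os.path.join(bundle, "rootfs", "bin"))
        open(os.path.join(bundle, "rootfs", "bin", "app"), "w").close()
    return bundle


def bundle_is_valid(bundle: str, rootfs_name: str = "rootfs") -> bool:
    """Step 51: the bundle qualifies only if the subdirectory named in the
    configuration (rootfs by default) exists under it."""
    return os.path.isdir(os.path.join(bundle, rootfs_name))


def probe_hardware(simulated: Optional[dict]) -> Optional[dict]:
    """Steps 52 and 53: return hardware information when the host supports an
    enclave technology, otherwise None. A real tool would query the CPU (for
    SGX: the SGX type and the EPC size); here the result is injected so the
    example runs on any machine. The field names are assumptions."""
    return simulated


def generate_config(bundle: str, hardware: Optional[dict],
                    protected_programs: Optional[list] = None) -> dict:
    """Step 54: write config.json. The first configuration information is the
    ordinary OCI runtime content; the second is placed under an assumed
    'protected' field and is null when step 53 did not run."""
    config = {
        "ociVersion": "1.0.2",
        "process": {"args": ["/bin/app"], "cwd": "/"},
        "root": {"path": "rootfs", "readonly": True},
    }
    if hardware is None:
        config["protected"] = None        # base container only
    else:
        config["protected"] = {
            "hardware": hardware,
            # default software information: which programs get hardware
            # isolation; the user may edit this in config.json afterwards
            "software": {"protected": protected_programs or ["/bin/app"]},
        }
    with open(os.path.join(bundle, "config.json"), "w") as fh:
        json.dump(config, fh, indent=2)
    return config


def spec(bundle: str, simulated_hardware: Optional[dict] = None,
         protected_programs: Optional[list] = None) -> Optional[dict]:
    """Flow of fig. 5: bundle check, hardware probe, configuration generation.
    Returns None when the bundle does not qualify (flow ends at step 51)."""
    if not bundle_is_valid(bundle):
        return None
    hardware = probe_hardware(simulated_hardware)
    return generate_config(bundle, hardware, protected_programs)


def container_kind(config: dict) -> str:
    """A null second configuration can only yield a base container."""
    return "protected" if config.get("protected") else "base"


if __name__ == "__main__":
    sgx = {"type": "SGX2", "maxEpcBytes": 128 * 1024 * 1024}  # constructed
    cfg = spec(make_sample_bundle(), sgx)
    print(container_kind(cfg))
    print(json.dumps(cfg, indent=2))
```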
Step B
Assuming there is no bundle in the current path, the create command may carry the path of the bundle as a parameter. After the command line tool receives the create command, as shown in fig. 6, in step 61 the parameter of the create command is first parsed to obtain the path of the bundle. Then, in step 62, it may be determined whether the bundle meets a certain requirement; if not, the current flow ends, and if so, step 63 is executed. For the requirement, refer to the detailed description of step 51, which is not repeated here.
The configuration file config.json is obtained in step 63. In one embodiment, since config.json is located under the root directory of the bundle, it can be obtained by locating config.json from the path of the bundle and then reading it.
After the configuration file is obtained, in order to ensure that the configuration file used to create the container is valid, its validity may be checked before the container is created. Optionally, in step 64, it may be checked whether the configuration information in the configuration file is valid; if not, the current flow ends, and if so, step 65 is performed. The validity check of the configuration information may include the following mode 1 and/or mode 2.
Mode 1: the syntax of the configuration information can be checked. For example, if a field should be non-empty but is empty in the configuration file, the configuration information is invalid. As another example, if the type of a field should be numeric but the field in the configuration file is a string, the configuration information is invalid. In other embodiments, the syntax check may be performed in other ways, which is not limited in this application.
Mode 2: the semantics of the configuration information can be checked. For example, if the value of a field should lie in a preset range but the value in the configuration file lies outside that range, the configuration information is invalid. As another example, if the value of a field is a file path and the check finds that the path does not actually exist, the configuration information is invalid. In other embodiments, the semantic check may be performed in other ways, which is not limited in this application.
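An added Python example (not the patent's or any project's code) of the step 64 checks: mode 1 syntax checks and mode 2 semantic checks over a constructed config.json, with an assumed "protected" field carrying the second configuration information, and the resulting decision between rejecting the file, creating a base container only, or going on to a protected container. The EPC limit, field names and sample values are assumptions.

```python
import os
import tempfile
from typing import List

# Constructed sample configuration; field names are assumptions.
SAMPLE_CONFIG = {
    "ociVersion": "1.0.2",
    "process": {"args": ["/bin/app"], "cwd": "/"},
    "root": {"path": "rootfs"},
    "protected": {
        "hardware": {"type": "SGX2", "maxEpcBytes": 64 * 1024 * 1024},
        "software": {"protected": ["/bin/app"]},
    },
}


def make_sample_bundle() -> str:
    """Constructed bundle: a temporary directory with rootfs/bin/app."""
    bundle = tempfile.mkdtemp(prefix="bundle-")
    os.makedirs(os.path.join(bundle, "rootfs", "bin"))
    open(os.path.join(bundle, "rootfs", "bin", "app"), "w").close()
    return bundle


def check_syntax(config: dict) -> List[str]:
    """Mode 1: required fields present, non-empty and of the expected type."""
    errors = []
    for key, typ in (("ociVersion", str), ("process", dict), ("root", dict)):
        if not config.get(key):
            errors.append(f"{key}: missing or empty")
        elif not isinstance(config[key], typ):
            errors.append(f"{key}: expected {typ.__name__}")
    second = config.get("protected")
    if second is not None:  # null means base container only; nothing to check
        epc = second.get("hardware", {}).get("maxEpcBytes")
        if isinstance(epc, bool) or not isinstance(epc, int):
            errors.append("protected.hardware.maxEpcBytes: expected an integer")
        if not second.get("software", {}).get("protected"):
            errors.append("protected.software.protected: missing or empty")
    return errors


def check_semantics(config: dict, bundle: str, epc_limit: int) -> List[str]:
    """Mode 2: values inside their allowed range and referenced paths exist.
    Relies on the fields being present, so run it only after check_syntax."""
    errors = []
    rootfs = os.path.join(bundle, config["root"].get("path", "rootfs"))
    if not os.path.isdir(rootfs):
        errors.append(f"root.path: {rootfs} does not exist")
    second = config.get("protected")
    if second is not None:
        epc = second["hardware"]["maxEpcBytes"]
        if not 0 < epc <= epc_limit:  # assumed range: (0, host EPC size]
            errors.append(f"protected.hardware.maxEpcBytes: {epc} outside (0, {epc_limit}]")
        for prog in second["software"]["protected"]:
            if not os.path.isfile(os.path.join(rootfs, prog.lstrip("/"))):
                errors.append(f"protected.software.protected: {prog} not found in rootfs")
    return errors


def validate(config: dict, bundle: str, epc_limit: int) -> List[str]:
    """Step 64: syntax first; semantic checks only on syntactically sound input."""
    errors = check_syntax(config)
    return errors or check_semantics(config, bundle, epc_limit)


def decide(config: dict, bundle: str, epc_limit: int) -> str:
    """Outcome of step 64: 'rejected' (flow ends), or the kind of container
    that steps 65 and 66 would go on to produce."""
    if validate(config, bundle, epc_limit):
        return "rejected"
    return "protected" if config.get("protected") else "base"


if __name__ == "__main__":
    b = make_sample_bundle()
    print(decide(SAMPLE_CONFIG, b, 128 * 1024 * 1024))
```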
In step 65, a base container is created and run based on the first configuration information in the configuration file.
It should be noted that the specific way for creating the base container is similar to the way for creating the container in the conventional technology, and the difference is only that the container is created based on the entire configuration file in the conventional technology, and the container is created based on the first configuration information in the configuration file in this application.
Since a container is backed by a process, after the base container is created and run, container process 1 of the base container can be obtained; container process 1 is the main process of the base container. The life cycle of the main process of the base container can be regarded as equivalent to the life cycle of the base container.
In step 66, a container process is created in the base container for at least part of the program of the application using a hardware environment isolation technique based on the second configuration information in the configuration file to create a protected container of the application.
Wherein the at least part of the program may specifically be a program that involves manipulating sensitive data.
In one embodiment, management of hardware isolation in the base container may be implemented by a manager. Based on this, step 66 may specifically include: creating, in the base container, a manager for supporting the hardware environment isolation technique; and running the manager to create a container process for at least part of the program of the application. The manager created in the base container is specifically a container process 2 in the base container, and container process 2 is a child process of the base container. Container process 2 then creates a container process 3 for at least part of the program of the application; container process 3 is also a child process of the base container.
Illustratively, the second configuration information includes hardware information and software information. In that case, creating, by using the hardware environment isolation technology, a container process in the base container for at least part of the program of the application based on the second configuration information may specifically include: creating a container process in the base container, where the container process is used for carrying a protected hardware operating environment; allocating resources to the container process based on the hardware information; and acquiring at least part of the program of the application according to the software information and loading that part of the program into the container process.
The container process for carrying the protected hardware operating environment may be understood as the carrier process of the protected hardware operating environment, for example the carrier process of an enclave. Since the at least part of the program is loaded into the enclave carrier process, that part of the program runs using the enclave carrier process, that is, in the enclave environment of the enclave carrier process.
The software information may be, for example, storage path information of at least part of the program, and of course, in other embodiments, the software information may also be in other forms, which is not limited in this application.
For example, a manager-based implementation may run a manager to create container processes in the base container; the running manager allocates resources for the container process based on the hardware information; and the running manager acquires at least part of the application program according to the software information and loads the at least part of the application program to the container process.
In fig. 6, the creation command may be, for example, a command input by the user, or may be generated according to a second trigger operation input by the user, or may be generated according to a second trigger message received from the terminal. The second trigger operation may be, for example, a click operation on a second preset button, and of course, in other embodiments, the second trigger operation may also be in other forms, which is not limited in this application. The second trigger message may be generated and sent by the terminal when the second trigger operation input by the user is obtained.
After the protected container is created, it may further be run. In one embodiment, the protected container may be run under the trigger of a start command. Similarly, after receiving the start command, the command line tool may parse the parameters of the start command to obtain the path where the bundle is located. Then, it can be judged whether the bundle meets a certain requirement; if not, the current flow is ended, and if so, the protected container is run.
Alternatively, step B may be triggered by a run command. Under the trigger of the run command, the protected container may be created and run, and the specific process may be similar to the create command + start command, which is not described herein again.
Step C
Assuming that there is no bundle in the current path, the path where the bundle is located may be specified in the command line of the delete command. After receiving the delete command, as shown in fig. 7, in step 71, the command line tool may first parse the parameter of the delete command to obtain the path where the bundle is located. Then, in step 72, it may be determined whether the bundle meets a certain requirement, if not, the current flow is ended, and if yes, step 73 is continuously executed, which may be referred to in the detailed description of step 51, and is not described herein again.
In step 73, the protected container is stopped.
Since the container process for at least part of the program of the application was previously created in the base container by using the hardware environment isolation technology, that container process needs to be ended when the protected container is stopped. In one embodiment, stopping the container process may specifically include: stopping the container process and releasing the resources allocated to the container process.
For example, container process 1 of the base container may notify container process 2 that "the container is to be stopped"; container process 2 may then stop container process 3 according to the notification from container process 1 and release the resources allocated to container process 3; container process 2 is then ended, and finally container process 1 is ended, thereby stopping the protected container.
In fig. 7, the delete command may be, for example, a command input by the user, or the delete command may be generated according to a third trigger operation input by the user, or the delete command may be generated according to a third trigger message received from the terminal. The third trigger operation may be, for example, a click operation on a third preset button, and of course, in other embodiments, the third trigger operation may also be in other forms, which is not limited in this application. The third trigger message may be generated and sent by the terminal when the third trigger operation input by the user is obtained.
It will be appreciated that, in addition to the delete command, the stopping of the protected container may be triggered by other conditions. Illustratively, the protected container is stopped under the trigger of a stop (kill) command that stops the main process of the base container; or the protected container is stopped under the trigger of a system administrator executing a management command that stops the main process of the base container; or the protected container is stopped under the trigger of an unexpected exit of the main process of the base container.
According to the container creating method provided by the embodiment of the application, the configuration file of the container image of the application is obtained, where the configuration file includes the first configuration information and the second configuration information; the base container of the application is created and run based on the first configuration information; and, based on the second configuration information, a container process is created in the base container for at least part of the program of the application by using the hardware environment isolation technology, so that the protected container of the application is created. In this way the combination of the container and the hardware environment isolation technology is realized while remaining compatible with the current container protocol: on top of the conventional container technology, at least part of the program of the application is further loaded into the protected hardware operating environment, so that the confidentiality and integrity of the code and data of that part of the program are ensured and the security of the application is improved.
Fig. 8 is a flowchart illustrating a container deletion method according to an embodiment of the present application, where an execution subject of the embodiment may be the computer device 10 in fig. 1. As shown in fig. 8, the method of this embodiment may include:
step 81, determining to delete a protected container of an application, where the protected container is obtained by creating a basic container of the application and running the basic container based on first configuration information in a configuration file of a container image of the application, and then creating a container process for at least part of programs of the application in the basic container by using a hardware environment isolation technology based on second configuration information in the configuration file;
step 82, delete the protected container.
In one embodiment, if a delete command for a protected container of an application is obtained, it may be determined to delete the protected container. For example, if a delete command sent by the terminal is received, it may be determined to delete the protected container of the application. For another example, if a delete command entered by the user is obtained, it may be determined to delete the protected container of the application. Of course, in other embodiments, it may be determined to delete the protected container of the application in other ways, which is not limited in this application.
It should be noted that, for specific contents of the protected container in this embodiment, reference may be made to the related description of the embodiment shown in fig. 3, and details are not described herein again.
In one embodiment, deleting a protected container may specifically include step C1 and step C2. For specific contents of step C1 and step C2, reference may be made to the foregoing description of the embodiment shown in fig. 3, and details are not repeated here.
According to the container deleting method provided by the embodiment of the application, the protected container of the application is deleted under the condition that the protected container is determined to be deleted, wherein the protected container is obtained by firstly creating a basic container of the application and running the basic container based on first configuration information in a configuration file of a container mirror image of the application and then creating a container process for at least part of the program of the application in the basic container by adopting a hardware environment isolation technology based on second configuration information in the configuration file.
Fig. 9 is a schematic structural diagram of a container creating apparatus according to an embodiment of the present application; referring to fig. 9, the present embodiment provides a container creating apparatus, which may execute the container creating method described above, and specifically, the container creating apparatus may include:
an obtaining module 91, configured to obtain a configuration file of a container image of an application, where the configuration file includes first configuration information and second configuration information;
a first creating module 92, configured to create a base container of the application and run the base container based on the first configuration information;
a second creating module 93, configured to create, based on the second configuration information, a container process for at least part of the programs of the application in the base container by using a hardware environment isolation technology, so as to create a protected container of the application.
Optionally, the second configuration information includes: hardware information and software information;
the second creating module 93 is specifically configured to create a container process in the base container, where the container process is used to carry a protected hardware operating environment; allocate resources to the container process based on the hardware information; and acquire at least part of the program of the application according to the software information and load that part of the program into the container process.
Optionally, the second creating module 93 is specifically configured to create, in the base container, a manager for supporting the hardware environment isolation technology, and to run the manager to create a container process for at least part of the program of the application.
Optionally, the apparatus may further include a checking module, configured to check that the configuration information configured in the configuration file is reasonable.
Optionally, the obtaining module 91 is specifically configured to obtain the configuration file of the container image of the application under the trigger of a create command or a run command for the application.
Optionally, the obtaining module 91 is specifically configured to determine, under the trigger of a create command or a run command for the application, whether a bundle meets a certain requirement, where the bundle is a directory tree structure obtained by converting the container image according to a preset container standard;
and if the bundle meets the requirement, acquiring a configuration file of the container image of the application.
Optionally, the apparatus further includes a generating module, configured to generate the second configuration information.
Optionally, the generating module is specifically configured to check whether the current environment supports the hardware environment isolation technology; and if the current environment supports the hardware environment isolation technology, acquiring hardware information used for supporting the hardware environment isolation technology in the current environment, and generating the second configuration information according to the hardware information.
Optionally, the generating module is specifically configured to generate the second configuration information under the trigger of a specification command for the application.
Optionally, the apparatus further includes a running module, configured to run the container process so as to run the protected container.
Optionally, the apparatus further includes a stopping module, configured to stop running the protected container under the trigger of a delete command for the application.
Optionally, the stopping module is specifically configured to stop the container process and release the resource allocated to the container process.
Optionally, the hardware environment isolation technology includes a protected execution environment enclave technology.
The apparatus shown in fig. 9 can perform the method of the embodiment shown in fig. 3, and reference may be made to the related description of the embodiment shown in fig. 3 for a part of this embodiment that is not described in detail. The implementation process and technical effect of the technical solution refer to the description in the embodiment shown in fig. 3, and are not described herein again.
In one possible implementation, the structure of the container creation apparatus shown in FIG. 9 may be implemented as a computer device. As shown in fig. 10, the computer apparatus may include: a processor 101 and a memory 102. The memory 102 is used for storing a program that supports a computer device to execute the container creating method provided by the embodiment shown in fig. 3, and the processor 101 is configured to execute the program stored in the memory 102.
The program comprises one or more computer instructions, wherein the one or more computer instructions, when executed by the processor 101, are capable of performing the steps of:
acquiring a configuration file of a container mirror image of an application, wherein the configuration file comprises first configuration information and second configuration information;
creating a base container of the application and running the base container based on the first configuration information;
and based on the second configuration information, adopting a hardware environment isolation technology to create a container process for at least part of programs of the application in the basic container so as to create a protected container of the application.
Optionally, the processor 101 is further configured to perform all or part of the steps in the foregoing embodiment shown in fig. 3.
The structure of the computer device may further include a communication interface 103, which is used for the computer device to communicate with other devices or a communication network.
Fig. 11 is a schematic structural diagram of a container deleting apparatus according to an embodiment of the present application; referring to fig. 11, the present embodiment provides a container deleting apparatus, which may perform the container deleting method described above, and specifically, the container deleting apparatus may include:
a determining module 111, configured to determine to delete a protected container of an application, where the protected container is obtained by creating a base container of the application and running the base container based on first configuration information in a configuration file of a container image of the application, and then creating a container process for at least part of programs of the application in the base container by using a hardware environment isolation technology based on second configuration information in the configuration file;
a delete module 112 for deleting the protected container.
The apparatus shown in fig. 11 can execute the method of the embodiment shown in fig. 8, and reference may be made to the related description of the embodiment shown in fig. 8 for a part of this embodiment that is not described in detail. The implementation process and technical effect of the technical solution refer to the description in the embodiment shown in fig. 8, and are not described herein again.
In one possible implementation, the structure of the container deletion apparatus shown in fig. 11 may be implemented as a computer device. As shown in fig. 12, the computer apparatus may include: a processor 121 and a memory 122. The memory 122 is used for storing programs that support a computer device to execute the container deleting method provided in the embodiment shown in fig. 8, and the processor 121 is configured to execute the programs stored in the memory 122.
The program comprises one or more computer instructions which, when executed by the processor 121, are capable of performing the steps of:
determining to delete a protected container of an application, wherein the protected container is obtained by firstly creating a basic container of the application and running the basic container based on first configuration information in a configuration file of a container mirror image of the application, and then creating a container process for at least part of programs of the application in the basic container by adopting a hardware environment isolation technology based on second configuration information in the configuration file;
deleting the protected container.
Optionally, the processor 121 is further configured to perform all or part of the steps in the foregoing embodiment shown in fig. 8.
The structure of the computer device may further include a communication interface 123, which is used for the computer device to communicate with other devices or a communication network.
In addition, the present application provides a computer storage medium for storing computer software instructions for a computer device, which includes a program for executing the method embodiment shown in fig. 3.
The present application provides a computer storage medium for storing computer software instructions for a computer device, which includes a program for executing the method embodiment shown in fig. 8.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by adding a necessary general hardware platform, and of course, can also be implemented by a combination of hardware and software. With this understanding in mind, the above-described technical solutions and/or portions thereof that contribute to the prior art may be embodied in the form of a computer program product, which may be embodied on one or more computer-usable storage media having computer-usable program code embodied therein (including but not limited to disk storage, CD-ROM, optical storage, etc.).
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
Finally, it should be noted that: the above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present application.

Claims (18)

1. A method of container creation, comprising:
acquiring a configuration file of a container mirror image of an application, wherein the configuration file comprises first configuration information and second configuration information;
creating a base container of the application and running the base container based on the first configuration information;
and based on the second configuration information, adopting a hardware environment isolation technology to create a container process for at least part of programs of the application in the basic container so as to create a protected container of the application.
2. The method of claim 1, wherein the second configuration information comprises: hardware information and software information;
the creating a container process in the base container for at least part of the program of the application by adopting a hardware environment isolation technology based on the second configuration information comprises:
creating a container process in the base container, wherein the container process is used for bearing a protected hardware operating environment;
allocating resources for the container process based on the hardware information;
and acquiring at least part of the application program according to the software information, and loading the at least part of the application program to the container process.
3. The method of claim 1, wherein creating a container process in the base container for at least part of the program of the application using a hardware environment isolation technique based on the second configuration information comprises:
creating, in the base container, a manager for supporting a hardware environment isolation technique;
and running the manager to create a container process for at least part of the application program.
4. The method of claim 1, wherein before creating a container process in the base container for at least part of the application using a hardware environment isolation technique based on the second configuration information, further comprising: checking to determine that the configuration information configured in the configuration file is reasonable.
5. The method of any of claims 1-4, wherein obtaining the configuration file of the container image of the application comprises:
acquiring a configuration file of a container image of an application under the trigger of a creation command or a running command for the application.
6. The method of claim 5, wherein obtaining the configuration file of the container image of the application under the trigger of a create command or a run command for the application comprises:
under the trigger of a creation command or a running command for the application, judging whether a bundle meets a certain requirement, wherein the bundle is a directory tree structure obtained by converting a container mirror image according to a preset container standard;
and if the bundle meets the requirement, acquiring a configuration file of the container image of the application.
7. The method of any of claims 1-4, wherein obtaining the configuration file of the container image of the application further comprises, prior to: generating the second configuration information.
8. The method of claim 7, wherein the generating the second configuration information comprises:
checking whether a current environment supports the hardware environment isolation technology;
if the current environment supports the hardware environment isolation technology, acquiring hardware information used for supporting the hardware environment isolation technology in the current environment, and generating the second configuration information according to the hardware information.
9. The method of claim 7, wherein the generating the second configuration information comprises: generating the second configuration information under the trigger of a specification command for the application.
10. The method according to any one of claims 1-4, further comprising: running the container process to run the protected container.
11. The method of claim 10, wherein after the executing the container process to execute the protected container, further comprising: stopping running the protected container under the trigger of a delete command for the application.
12. The method of claim 11, wherein the stopping running the protected container comprises:
stopping the container process and releasing the resources allocated to the container process.
13. The method of any of claims 1-4, wherein the hardware environment isolation technique comprises a protected runtime environment enclave technique.
14. A method for container deletion, the method comprising:
determining to delete a protected container of an application, wherein the protected container is obtained by firstly creating a basic container of the application and running the basic container based on first configuration information in a configuration file of a container mirror image of the application, and then creating a container process for at least part of programs of the application in the basic container by adopting a hardware environment isolation technology based on second configuration information in the configuration file;
deleting the protected container.
15. A container creation apparatus, comprising:
the system comprises an acquisition module, a storage module and a processing module, wherein the acquisition module is used for acquiring a configuration file of a container mirror image of an application, and the configuration file comprises first configuration information and second configuration information;
a first creating module, configured to create a base container of the application and run the base container based on the first configuration information;
a second creating module, configured to create, based on the second configuration information, a container process for at least part of the programs of the application in the base container by using a hardware environment isolation technology, so as to create a protected container of the application.
16. A container deletion apparatus, the apparatus comprising:
a determining module, configured to determine to delete a protected container of an application, where the protected container is obtained by creating a base container of the application and running the base container based on first configuration information in a configuration file of a container image of the application, and then creating a container process for at least part of the programs of the application in the base container by using a hardware environment isolation technology based on second configuration information in the configuration file;
a deletion module to delete the protected container.
17. A computer device, comprising: a memory and a processor; wherein the memory is configured to store one or more computer instructions, and the one or more computer instructions, when executed by the processor, implement the method of any of claims 1 to 13.
18. A computer device, comprising: a memory and a processor; wherein the memory is configured to store one or more computer instructions, and the one or more computer instructions, when executed by the processor, implement the method of claim 14.
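The two-stage lifecycle in the claims (run a base container on the first configuration information, then start hardware-isolated container processes for only the protected programs on the second configuration information, and on deletion stop those processes and release their resources) is easier to see as a small executable model. The following Python is an added illustration, not code from the patent or from Alibaba: the class and function names (HostEnvironment, BaseContainer, parse_config, and so on), the JSON layout of the configuration file, and the "hardware" (a simulated enclave-memory budget rather than a real enclave runtime) are all assumptions. It covers the branch in claims 7-8 (the second configuration is only generated when the environment supports the isolation technique) and the cleanup in claim 12, including a rollback so that a partly created protected container leaves no enclave memory allocated.

```python
"""Model of the two-stage container lifecycle in the claims above.

Added illustration, not code from the patent or from Alibaba. Every name
here is an assumption, and the "hardware" is a simulated enclave-memory
budget, not a real enclave runtime.
"""
import json
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class HostEnvironment:
    """Simulated current environment (hypothetical): which isolation
    technique the hardware offers and how much enclave memory is free."""
    isolation: Optional[str]
    enclave_memory_mb: int = 0

    def supports(self, technique: str) -> bool:
        return self.isolation == technique

    def hardware_info(self) -> dict:
        return {"isolation": self.isolation,
                "enclave_memory_mb": self.enclave_memory_mb}

    def allocate(self, mb: int) -> bool:
        if mb > self.enclave_memory_mb:
            return False
        self.enclave_memory_mb -= mb
        return True

    def release(self, mb: int) -> None:
        self.enclave_memory_mb += mb


@dataclass
class ContainerProcess:
    program: str
    memory_mb: int
    running: bool = True


@dataclass
class BaseContainer:
    image: str
    first_config: dict
    running: bool = False
    processes: list = field(default_factory=list)


# Constructed configuration file of a container image. "base" stands in for
# the first configuration information, "protected" for the second.
SAMPLE_CONFIG = json.dumps({
    "image": "example-app:1.0",
    "base": {"rootfs": "/images/example-app", "cpu": 2, "memory_mb": 512},
    "protected": {
        "isolation": "enclave",
        "programs": [{"path": "/app/keyserver", "memory_mb": 32},
                     {"path": "/app/signer", "memory_mb": 32}],
    },
})


def parse_config(text: str):
    """Split the configuration file into image name, first and second configuration information."""
    cfg = json.loads(text)
    return cfg["image"], cfg["base"], cfg["protected"]


def generate_second_config(second: dict, env: HostEnvironment):
    """Claims 7-8: only when the current environment supports the requested
    isolation technique is the hardware information folded into the second
    configuration; otherwise None, and no protected container is created."""
    if not env.supports(second["isolation"]):
        return None
    return {**second, "hardware": env.hardware_info()}


def create_protected_container(config_text: str, env: HostEnvironment) -> BaseContainer:
    image, first, second = parse_config(config_text)
    base = BaseContainer(image=image, first_config=first)
    base.running = True  # stage 1: run the base container on the first configuration
    resolved = generate_second_config(second, env)
    if resolved is None:
        base.running = False
        raise RuntimeError("current environment lacks the required isolation support")
    # stage 2: one isolated container process per protected program; on
    # failure roll back so no enclave memory stays allocated.
    for prog in resolved["programs"]:
        if not env.allocate(prog["memory_mb"]):
            delete_protected_container(base, env)
            raise RuntimeError(f"insufficient enclave memory for {prog['path']}")
        base.processes.append(ContainerProcess(prog["path"], prog["memory_mb"]))
    return base


def delete_protected_container(base: BaseContainer, env: HostEnvironment) -> int:
    """Claim 12: stop every container process and release the resources
    allocated to it; returns the amount of enclave memory given back."""
    released = 0
    for proc in base.processes:
        proc.running = False
        env.release(proc.memory_mb)
        released += proc.memory_mb
    base.processes.clear()
    base.running = False
    return released
```

The point of the model is the ordering and the failure handling: the base container exists and runs before any protected process is created, the second configuration is derived from the actual hardware rather than trusted from the image file alone, and deletion is the exact inverse of creation so that an aborted creation and a normal delete leave the host in the same state.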
CN202010414613.5A 2020-05-15 2020-05-15 Container creation method, container deletion method, device and equipment Pending CN113312613A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010414613.5A CN113312613A (en) 2020-05-15 2020-05-15 Container creation method, container deletion method, device and equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010414613.5A CN113312613A (en) 2020-05-15 2020-05-15 Container creation method, container deletion method, device and equipment

Publications (1)

Publication Number Publication Date
CN113312613A true CN113312613A (en) 2021-08-27

Family

ID=77370240

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010414613.5A Pending CN113312613A (en) 2020-05-15 2020-05-15 Container creation method, container deletion method, device and equipment

Country Status (1)

Country Link
CN (1) CN113312613A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115202830A (en) * 2022-09-09 2022-10-18 统信软件技术有限公司 Root file system preparation method, system, computing device and readable storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106970822A (en) * 2017-02-20 2017-07-21 阿里巴巴集团控股有限公司 A kind of container creation method and device
CN108733361A (en) * 2017-04-20 2018-11-02 北京京东尚科信息技术有限公司 A kind of method and apparatus for realizing concurrent container
US20180322299A1 (en) * 2017-05-04 2018-11-08 Dell Products L.P. Systems and methods for hardware-based security for inter-container communication

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
石瑞生: "Cyberspace Security Major Planning Textbook: Big Data Security and Privacy Protection", 31 May 2019, Beijing University of Posts and Telecommunications Press *

Similar Documents

Publication Publication Date Title
US11221780B2 (en) Size adjustable volumes for containers
CN110955431B (en) Processing method and device of compiling environment
CN110007980B (en) Method and device for realizing multi-service server
US11829470B2 (en) System and method of detecting file system modifications via multi-layer file system state
CN108021400B (en) Data processing method and device, computer storage medium and equipment
US11580199B2 (en) Correspondence of external operations to containers and mutation events
US11556655B2 (en) Automatic vulnerability mitigation
CN115335806A (en) Shadow stack violation enforcement at module granularity
CN107871077B (en) Capability management method and device for system service and capability management method and device
CN113312613A (en) Container creation method, container deletion method, device and equipment
US20110010754A1 (en) Access control system, access control method, and recording medium
US11556499B2 (en) Container image migration service
US20210216343A1 (en) Safely processing integrated flows of messages in a multi-tenant container
CN117215723A (en) Method, equipment and medium for realizing safety container based on industrial application
CN107301097B (en) Method and device for storing calling java object and reference address information of java object
CN114791884A (en) Test environment construction method and device, storage medium and electronic equipment
CN118056183A (en) Optimizing just-in-time compilation processes
CN115022198A (en) Resource information acquisition method, device and storage medium
CN113886004A (en) Secure container operation and mirror image data downloading method, device and storage medium
Satoh 5G-enabled edge computing for MapReduce-based data pre-processing
CN106844056B (en) Hadoop big data platform multi-tenant job management method and system
CN111124931B (en) Java code compliance checking method and device
CN117978554B (en) Configuration-based micro-service isolation operation method, device and medium
CN113687973B (en) Control method, equipment and medium for log dynamic output
CN113127140B (en) Resource management method, device and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210827