CN113608840B - Container migration method and device - Google Patents


Info

Publication number: CN113608840B
Authority: CN (China)
Prior art keywords: container, migrated, physical host, preset, containers
Legal status: Active
Application number: CN202110913512.7A
Other languages: Chinese (zh)
Other versions: CN113608840A (en)
Inventors: 程筱彪, 徐雷, 张曼君
Current Assignee: China United Network Communications Group Co Ltd
Original Assignee: China United Network Communications Group Co Ltd

Events:
    • Application filed by China United Network Communications Group Co Ltd
    • Priority to CN202110913512.7A
    • Publication of CN113608840A
    • Application granted
    • Publication of CN113608840B
    • Legal status: Active (current)
    • Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/4557 Distribution of virtual machine instances; Migration and load balancing
    • G06F2009/45587 Isolation or security of virtual machine instances
    • G06F2009/45595 Network integration; Enabling network access in virtual machine instances
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The application discloses a container migration method and device, and relates to the technical field of containers. The method comprises the following steps: acquiring attribute information of preset containers, the number of containers to be migrated and the attribute information of the containers to be migrated; predicting a survival time threshold value of the container to be migrated according to attribute information of a preset container and the number of the containers to be migrated; screening hosts in a preset physical host set according to attribute information of a container to be migrated to obtain a target physical host, wherein an operating system corresponding to the target physical host is different from an operating system corresponding to the container to be migrated; and migrating the data in the container to be migrated to the target physical host according to the survival time threshold value of the container to be migrated and the acquired actual survival time of the container to be migrated. By predicting the survival time threshold of the container to be migrated, the resources required by data migration can be prepared for the container to be migrated in advance; and migrating the data in the container to be migrated to a target physical host different from an operating system of the container to be migrated, thereby improving the data security.

Description

Container migration method and device
Technical Field
The application relates to the technical field of containers, in particular to a container migration method and device.
Background
Containers are mainly attacked through vulnerabilities in the operating systems of the servers that host them, and because the vulnerabilities of different operating systems differ, the corresponding container protection methods differ as well. Existing container protection mainly works in one of two ways: when a security detection system detects malicious behaviour, the attack is blocked by changing the network configuration of the container; or the attacked container is manually deleted and a new container is recreated in the same phase.
However, changing the network configuration of the container also requires adjusting the load-balancing configuration associated with it, so the scope of impact is large; and since the same operating environment is still used after the adjustment, an attacker can still attack the container through vulnerabilities of the original operating system, so protection against container attacks is not actually achieved. Manually deleting the attacked container, on the other hand, tends to reduce the number of usable containers and lowers data processing efficiency.
Disclosure of Invention
Therefore, the application provides a container migration method and device, which are used for solving the problems of safety protection of a container and improvement of data processing efficiency.
To achieve the above object, a first aspect of the present application provides a container migration method, including:
acquiring attribute information of preset containers, the number of containers to be migrated and the attribute information of the containers to be migrated;
predicting a survival time threshold value of the container to be migrated according to attribute information of a preset container and the number of the containers to be migrated;
screening hosts in a preset physical host set according to attribute information of a container to be migrated to obtain a target physical host, wherein an operating system corresponding to the target physical host is different from an operating system corresponding to the container to be migrated;
and migrating the data in the container to be migrated to the target physical host according to the survival time threshold value of the container to be migrated and the acquired actual survival time of the container to be migrated.
In some implementations, according to a survival time threshold value of a container to be migrated and the obtained actual survival time of the container to be migrated, migrating data in the container to be migrated to a target physical host includes:
under the condition that the actual survival time of the container to be migrated is determined to be greater than the survival time threshold value, acquiring a mirror image container, wherein the mirror image container is a preconfigured container with an operating system corresponding to a target physical host;
And migrating the data in the container to be migrated to a mirror image container of the target physical host.
In some implementations, the attribute information of the preset containers includes: an average attack duration and a first migration duration;
the average attack duration is the average duration for which the preset containers are under network attack, obtained by counting all preset containers in the preset container cluster,
the first migration duration is the duration taken to migrate the data in a preset container at a preset processing capacity.
In some implementations, predicting the survival time threshold of the container to be migrated according to the attribute information of the preset container and the number of containers to be migrated includes:
sequencing a plurality of containers to be migrated according to the number of the containers to be migrated to obtain the corresponding number of each container to be migrated;
predicting a second migration duration corresponding to each container to be migrated according to the first migration duration and the number corresponding to each container to be migrated;
and determining the survival time threshold value of each container to be migrated according to the average attack duration and each second migration duration.
In some implementations, the attribute information of the container to be migrated includes: an operating system identifier to be searched and a number of resources to be matched, wherein the operating system identifier to be searched is the identifier of the operating system corresponding to the physical host to which the container to be migrated belongs, and the number of resources to be matched is the number of resources required by the container to be migrated at run time;
Screening the hosts in the preset physical host set according to the attribute information of the container to be migrated to obtain a target physical host, wherein the method comprises the following steps:
searching a preset physical host set according to the identification of the operating system to be searched to obtain a primary screening host set;
counting the residual resources of each physical host in the primary screening host set in real time to obtain a resource counting result;
and determining the target physical host according to the resource statistical result and the number of the resources to be matched.
In some implementations, the resource statistics result includes: the remaining resource quantity corresponding to each physical host in the primary screening host set;
determining a target physical host according to the resource statistical result and the number of the resources to be matched, including:
the number of the resources to be matched is respectively compared with the number of the residual resources corresponding to each physical host in the primary screening host set, and a comparison result is obtained;
and under the condition that the comparison result is that the residual resource quantity of the target physical host meets the quantity of the resources to be matched, obtaining the target physical host.
In some embodiments, the comparing the number of the resources to be matched with the number of the remaining resources corresponding to each physical host in the primary screening host set, after obtaining the comparison result, further includes:
generating alarm information when the comparison result shows that the remaining resource quantity of no physical host in the primary screening host set can satisfy the number of resources to be matched;
and sending an alarm message to the management equipment.
In some embodiments, the comparing the number of the resources to be matched with the number of the remaining resources corresponding to each physical host in the primary screening host set, after obtaining the comparison result, further includes:
acquiring the severity of network attack to which a container to be migrated is subjected;
judging whether the container reconstruction is needed or not according to the severity of the network attack to which the container to be migrated is subjected and a preset degree threshold;
and under the condition that the need of container reconstruction is determined, sending a container reconstruction message to the management equipment so that the management equipment creates a new container according to the identification of the operating system to be searched and the number of the resources to be matched, wherein the new container is used for bearing the data in the container to be migrated.
In some embodiments, after screening the hosts in the preset physical host set according to the attribute information of the container to be migrated to obtain the target physical host, the method further includes:
and under the condition that the container to be migrated is in an attacked state, migrating the data in the container to be migrated to the target physical host.
In some implementations, the attribute information of the container to be migrated further includes: the identity of the container to be migrated and/or the network address of the container to be migrated.
In order to achieve the above object, a second aspect of the present application provides a container migration device, comprising:
an acquisition module configured to acquire attribute information of preset containers, the number of containers to be migrated and the attribute information of the containers to be migrated;
the predicting module is configured to predict the survival time threshold value of the container to be migrated according to the attribute information of the preset container and the number of the containers to be migrated;
the determining module is configured to screen hosts in a preset physical host set according to the attribute information of the container to be migrated to obtain a target physical host, wherein an operating system corresponding to the target physical host is different from an operating system corresponding to the container to be migrated;
and the migration module is configured to migrate the data in the container to be migrated to the target physical host according to the survival time threshold value of the container to be migrated and the acquired actual survival time of the container to be migrated.
According to the container migration method and device, predicting the survival time threshold of the container to be migrated from the attribute information of the preset container and the number of containers to be migrated lets the resources required for data migration be prepared in advance, so the attacked container does not need to be deleted immediately, the number of available containers stays within the preset range, and data processing efficiency improves. Screening the hosts in the preset physical host set according to the attribute information of the container to be migrated yields a target physical host whose operating system differs from that of the container to be migrated, which prevents an attacker from attacking the container through a vulnerability of the original operating system and improves the container's security. Migrating the data in the container to be migrated to the target physical host according to the survival time threshold and the obtained actual survival time raises the protection level of the container and prevents leakage of key information.
Drawings
The accompanying drawings are included to provide a further understanding of embodiments of the disclosure, and are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description serve to explain the disclosure, without limitation to the disclosure. The above and other features and advantages will become more readily apparent to those skilled in the art by describing in detail exemplary embodiments with reference to the attached drawings, in which:
fig. 1 is a schematic flow chart of a container migration method according to an embodiment of the present application.
Fig. 2 is a flow chart of a container migration method according to another embodiment of the present application.
Fig. 3 shows a block diagram of the components of the container migration apparatus provided in the embodiment of the present application.
Fig. 4 shows a block diagram of the components of a container migration system provided in an embodiment of the present application.
Fig. 5 shows a flowchart of a working method of the container migration system provided in an embodiment of the present application.
In the drawings:
301: the acquisition module 302: prediction module
303: determination module 304: migration module
410: container migration device 420: management apparatus
430: container to be migrated 440: target physical host
441: mirror image container
Detailed Description
The following detailed description of specific embodiments of the present application refers to the accompanying drawings. It should be understood that the detailed description is presented herein for purposes of illustration and explanation only and is not intended to limit the present application. It will be apparent to one skilled in the art that the present application may be practiced without some of these specific details. The following description of the embodiments is merely intended to provide a better understanding of the present application by showing examples of the present application.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises an element.
For the purpose of making the objects, technical solutions and advantages of the present application more apparent, the embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
Fig. 1 is a schematic flow chart of a container migration method according to an embodiment of the present application. The method is applicable to a container migration device. As shown in fig. 1, the container migration method includes the steps of:
step S101, obtaining attribute information of preset containers, the number of containers to be migrated and the attribute information of the containers to be migrated.
The attribute information of the container to be migrated is used for representing relevant parameters of the container to be migrated in running and relevant configuration information corresponding to the container to be migrated. The attribute information of the preset container is used for representing related parameter information obtained by the container migration device for preprocessing the container, for example, the average duration of the preset container under network attack and the like.
Step S102, predicting the survival time threshold of the container to be migrated according to the attribute information of the preset container and the number of the containers to be migrated.
The survival time threshold of the container to be migrated may be the predicted maximum survival time of the container. The time at which the container to be migrated may come under network attack can be estimated from the survival time threshold, so that the resources required for data migration are prepared for the container in advance and the security of the data in the container is guaranteed.
Step S103, screening the hosts in the preset physical host set according to the attribute information of the container to be migrated to obtain the target physical host.
The operating system corresponding to the target physical host is different from the operating system corresponding to the container to be migrated.
For example, the operating system corresponding to the container to be migrated is a first operating system and the operating system corresponding to the target physical host is a second operating system; because the two operating systems differ, an attacker is prevented from attacking the container to be migrated through vulnerabilities of the original operating system (namely the first operating system), and the security of the container to be migrated is improved.
Step S104, according to the survival time threshold value of the container to be migrated and the obtained actual survival time of the container to be migrated, migrating the data in the container to be migrated to the target physical host.
The survival time threshold may be a preset length of time; it helps to ensure the integrity of data migration by allowing data migration to be performed in advance for a container to be migrated in which a potential security risk may exist.
For example, under the condition that the actual survival time of the container to be migrated is determined to be greater than the survival time threshold value, data in the container to be migrated is migrated to the target physical host, so that loss of the data in the container to be migrated can be avoided, and safety of the data in the container to be migrated is ensured.
In this embodiment, predicting the survival time threshold of the container to be migrated from the attribute information of the preset container and the number of containers to be migrated lets the resources required for data migration be prepared in advance, so the attacked container does not need to be deleted immediately, the number of available containers stays within the preset range, and data processing efficiency improves. Screening the hosts in the preset physical host set according to the attribute information of the container to be migrated yields a target physical host whose operating system differs from that of the container to be migrated, which prevents an attacker from attacking the container through a vulnerability of the original operating system and improves the container's security. Migrating the data in the container to be migrated to the target physical host according to the survival time threshold and the obtained actual survival time raises the protection level of the container and prevents leakage of key information.
Fig. 2 is a flow chart illustrating a container migration method according to an embodiment of the present application. The method is applicable to a container migration device. As shown in fig. 2, the container migration method includes the steps of:
step S201, obtaining attribute information of a preset container, the number of containers to be migrated, and attribute information of the containers to be migrated.
The attribute information of the preset container includes: an average attack duration and a first migration duration. The average attack duration is obtained by averaging the duration of network attacks on each preset container in the preset container cluster, and the first migration duration is the duration taken to migrate the data in a preset container at the preset processing capacity.
For example, statistics is performed on M preset containers in the preset container cluster, so as to obtain time periods from when the M preset containers are created to when the preset containers are first attacked by the network, and then a sum value obtained by adding the M time periods is divided by the M, so that an average time period of when the preset containers are attacked by the network can be obtained.
M is an integer greater than or equal to 1. The preset processing capacity is the data processing capacity of the container migration device and represents the performance of the device. The data in a preset container is migrated at the preset processing capacity; timing starts when the migration begins and stops once all of the data in the preset container is confirmed to have been migrated, and the elapsed time is the first migration duration.
The processing condition of the container migration device on the preset container can be represented through the average attack duration and the first migration duration, and the reference information is acquired so as to facilitate the subsequent processing of the container to be migrated.
In some implementations, the attribute information of the container to be migrated further includes: the identity of the container to be migrated and/or the network address of the container to be migrated.
For example, the network address of the container to be migrated may be an internet protocol address (Internet Protocol Address, IP address), or may be a private address or address information such as a private number allocated to the container to be migrated in a local area network. The above network addresses of the containers to be migrated are only exemplified, and may be specifically set according to actual situations, and other network addresses of the containers to be migrated that are not explained are also within the protection scope of the present application, which is not described herein.
In some implementations, the attribute information of the container to be migrated includes: any one or more of an operating system identification to be searched, the number of resources to be matched, an identification of a container to be migrated and a network address of the container to be migrated.
The attribute information of the container to be migrated is represented through multi-dimensional information, so that the performance of the container to be migrated can be comprehensively measured, preparation is made for data migration in the container to be migrated, and the safety of the data in the container to be migrated is ensured.
Step S202, predicting the survival time threshold of the container to be migrated according to the attribute information of the preset container and the number of the containers to be migrated.
The attribute information of the container to be migrated includes: an operating system identifier to be searched and a number of resources to be matched, where the operating system identifier to be searched is the identifier of the operating system corresponding to the physical host to which the container to be migrated belongs, and the number of resources to be matched is the number of resources required by the container to be migrated at run time.
In some implementations, predicting the survival time threshold of the container to be migrated according to the attribute information of the preset container and the number of containers to be migrated includes: sequencing a plurality of containers to be migrated according to the number of the containers to be migrated to obtain the corresponding number of each container to be migrated; predicting a second migration duration corresponding to each container to be migrated according to the first migration duration and the number corresponding to each container to be migrated; and determining the survival time threshold value of each container to be migrated according to the average attack duration and each second migration duration.
For example, the containers to be migrated may be arranged in ascending order or descending order, and a number corresponding to each container to be migrated is obtained, where the number is used to represent the location information of the current container to be migrated in the containers to be migrated.
For example, the container number may be set to be proportional to the second migration duration: if the container number increases by one, the second migration duration increases by one first migration duration. The survival time thresholds of the containers to be migrated are therefore different, which prevents several containers to be migrated in the same service system from migrating data at the same time and ensures that the container migration device can keep up with the processing.
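The threshold prediction of step S202 (average attack duration from M preset containers, container numbering, second migration durations, one threshold per container, and the step S204 trigger), as an added example that is not code from the patent. The page does not state how the average attack duration and the second migration duration are combined, so the rule used here (threshold = average attack duration minus second migration duration, so migration finishes before the expected attack) is an assumption, as are the units and the sample values.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class PresetContainerInfo:
    """Attribute information of the preset containers: average attack duration and
    first migration duration (both in seconds here; the unit is an assumption)."""
    average_attack_duration: float
    first_migration_duration: float


def average_attack_duration(time_to_first_attack: List[float]) -> float:
    """Average over the M preset containers of the time from creation to the first
    observed network attack; M must be >= 1."""
    if not time_to_first_attack:
        raise ValueError("statistics need at least one preset container (M >= 1)")
    return sum(time_to_first_attack) / len(time_to_first_attack)


def first_migration_duration(data_size: float, preset_capacity: float) -> float:
    """Duration to migrate one preset container's data at the preset processing
    capacity. Modelled as size / capacity; the page measures it with a timer."""
    if preset_capacity <= 0:
        raise ValueError("preset processing capacity must be positive")
    return data_size / preset_capacity


def number_containers(container_ids: List[str], descending: bool = False) -> Dict[str, int]:
    """Sort the containers to be migrated and give each its 1-based position number."""
    ordered = sorted(container_ids, reverse=descending)
    return {cid: position for position, cid in enumerate(ordered, start=1)}


def second_migration_duration(number: int, first_duration: float) -> float:
    """The container number is proportional to the second migration duration:
    raising the number by one adds one first migration duration."""
    return number * first_duration


def survival_time_threshold(info: PresetContainerInfo, number: int) -> float:
    """Assumed combination rule (the page only says the threshold is determined from
    the average attack duration and the second migration duration): start migrating
    early enough that the data is moved before the expected time of attack.
    A negative result means the container should be migrated immediately."""
    return info.average_attack_duration - second_migration_duration(
        number, info.first_migration_duration
    )


def predict_thresholds(container_ids: List[str], info: PresetContainerInfo) -> Dict[str, float]:
    """Step S202: one survival time threshold per container to be migrated; the
    thresholds are staggered so the containers do not all migrate at once."""
    numbering = number_containers(container_ids)
    return {cid: survival_time_threshold(info, n) for cid, n in numbering.items()}


def migration_due(actual_survival_time: float, threshold: float, under_attack: bool = False) -> bool:
    """Step S204 trigger: the actual survival time exceeds the threshold, or the
    container is already in an attacked state."""
    return under_attack or actual_survival_time > threshold


# Constructed sample: three preset containers were first attacked 1.0 h, 1.5 h and
# 1.25 h after creation, and one preset container's 3 GB of data migrated at 10 MB/s.
SAMPLE_INFO = PresetContainerInfo(
    average_attack_duration=average_attack_duration([3600.0, 5400.0, 4500.0]),
    first_migration_duration=first_migration_duration(3_000_000_000, 10_000_000),
)
SAMPLE_CONTAINERS = ["web-a", "web-b", "web-c"]  # constructed container identifiers

if __name__ == "__main__":
    for cid, threshold in predict_thresholds(SAMPLE_CONTAINERS, SAMPLE_INFO).items():
        print(f"{cid}: migrate once survival time exceeds {threshold:.0f} s")
```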
Step S203, screening the hosts in the preset physical host set according to the attribute information of the container to be migrated to obtain the target physical host.
It should be noted that, step S203 in the present embodiment is the same as step S103 in the previous embodiment, and will not be described herein.
In step S204, when the actual survival time of the container to be migrated is determined to be greater than its survival time threshold, a mirror container is acquired.
The mirror container is a preconfigured container running the operating system of the target physical host.
For example, the mirror container may already exist on the target physical host, or it may be a container held in a mirror repository.
The mirror repository contains mirror containers for several different operating systems. A mirror container is a backup container prepared in advance for the container to be migrated, so that the workload keeps running after the data migration completes and the data in the container to be migrated is protected.
Step S205, the data in the container to be migrated is migrated to the mirror container on the target physical host.
The mirror container has its own IP address. Through information exchange with the target physical host, the container migration apparatus obtains both the IP address of the mirror container and the IP address of the container to be migrated; it then copies the data with the IP address of the container to be migrated as the source address and the IP address of the mirror container as the destination address, so that the data is neither damaged nor discarded and data security is improved.
In another possible implementation, screening the hosts in the preset physical host set according to the attribute information of the container to be migrated to obtain the target physical host (step S203) includes: searching the preset physical host set using the operating system identifier to be searched, to obtain a primary screening host set; counting the remaining resources of each physical host in the primary screening host set in real time, to obtain a resource statistics result; and determining the target physical host from the resource statistics result and the number of resources to be matched.
The preset physical host set contains several preset physical hosts running different operating systems. The operating system identifier to be searched is used as the search key: the preset physical hosts whose operating system identifier differs from it are selected and form the primary screening host set.
Hosts whose operating system identifier equals the operating system identifier to be searched are thereby excluded. This prevents an attacker from reusing a vulnerability of the original operating system (the operating system to be searched, i.e. the one the container to be migrated currently runs on) against the migrated container, and improves the security of the container to be migrated.
In some implementations, the resource statistics result includes the number of remaining resources of each physical host in the primary screening host set, and determining the target physical host from the resource statistics result and the number of resources to be matched includes: comparing the number of resources to be matched with the number of remaining resources of each physical host in the primary screening host set to obtain a comparison result; and, when the comparison result shows that the remaining resources of a physical host satisfy the number of resources to be matched, taking that physical host as the target physical host.
For example, if the number of resources to be matched is 5 and a physical host in the primary screening host set has 5 or more remaining resources, that host can supply the resources the container to be migrated needs during data migration, and it is taken as the target physical host; the data migration can then proceed safely and correctly.
In another possible implementation, after comparing the number of resources to be matched with the number of remaining resources of each physical host in the primary screening host set, the method further includes:
generating alarm information when the comparison result shows that the remaining resources of none of the physical hosts in the primary screening host set satisfy the number of resources to be matched; and sending the alarm information to the management device.
The alarm information may include any one or more of: the identifier of the container to be migrated that is under network attack, the IP address of the container to be migrated, and the severity of the network attack on the container to be migrated.
Sending alarm information carrying these several dimensions to the management device lets the management device assess the current state of the container to be migrated comprehensively and handle its data in time according to the alarm, which protects the data in the container to be migrated.
In another possible implementation, after comparing the number of resources to be matched with the number of remaining resources of each physical host in the primary screening host set, the method further includes:
obtaining the severity of the network attack on the container to be migrated; judging, from that severity and a preset degree threshold, whether the container needs to be rebuilt; and, when a rebuild is needed, sending a container rebuild message to the management device, so that the management device creates a new container according to the operating system identifier to be searched and the number of resources to be matched.
The new container is used to carry the data of the container to be migrated. The severity of the network attack on the container to be migrated may be divided into several levels; for example, it may be any one of a primary attack, a medium-level attack and a high-level attack.
A primary attack means the network attack on the container to be migrated is slight and will not damage its data; no data migration is needed, but protection of the container to be migrated is strengthened, and a corresponding protection mode may be configured to defend the data.
A medium-level attack means the network attack on the container to be migrated may cause the loss or destruction of part of the data; a high-level attack means it may cause the loss or destruction of all of the data.
For example, the preset degree threshold may be set to 5, with an attack value of 3 for a primary attack, 6 for a medium-level attack and 9 for a high-level attack. When the severity of the network attack on the container to be migrated is determined to be a medium-level or high-level attack, i.e. the attack value is greater than 5, a rebuild is needed and a container rebuild message is sent to the management device, so that the management device creates a new container according to the operating system identifier to be searched and the number of resources to be matched.
Judging the severity of the network attack against the preset degree threshold allows the container to be migrated to be protected in grades according to the result. When the severity is a medium-level or high-level attack, the management device creates a new container according to the operating system identifier to be searched and the number of resources to be matched, so that the new container can carry the data of the container to be migrated; the data is thus kept out of the attacker's reach and its security is ensured.
In some embodiments, after step S203 (screening the hosts in the preset physical host set according to the attribute information of the container to be migrated to obtain the target physical host), the method further includes:
migrating the data in the container to be migrated to the target physical host when the container to be migrated is in an attacked state.
If the container to be migrated is already under attack, its data must be migrated to the target physical host immediately. The target physical host may be selected in advance and used as the physical host holding the backup container of the container to be migrated, so that the data in the container to be migrated is protected in real time.
Fig. 3 shows a block diagram of the components of the container migration apparatus provided in the embodiment of the present application. As shown in fig. 3, the container migration apparatus specifically includes the following modules:
the obtaining module 301 is configured to obtain attribute information of a preset container, the number of containers to be migrated, and attribute information of the containers to be migrated.
The predicting module 302 is configured to predict the survival time threshold of the container to be migrated according to the attribute information of the preset container and the number of containers to be migrated.
The determining module 303 is configured to screen the hosts in the preset physical host set according to the attribute information of the container to be migrated to obtain a target physical host, where an operating system corresponding to the target physical host is different from an operating system corresponding to the container to be migrated.
The migration module 304 is configured to migrate the data in the container to be migrated to the target physical host according to the survival time threshold of the container to be migrated and the obtained actual survival time of the container to be migrated.
In this embodiment, the prediction module predicts the survival time threshold of the containers to be migrated from the attribute information of the preset container and the number of containers to be migrated, so the resources needed for data migration can be prepared in advance; an attacked container does not have to be deleted immediately, the number of available containers stays within the preset range, and data processing efficiency improves. The determining module screens the hosts in the preset physical host set according to the attribute information of the container to be migrated to obtain a target physical host whose operating system differs from that of the container to be migrated, which prevents an attacker from reusing a vulnerability of the original operating system against the container and improves its security. The migration module migrates the data in the container to be migrated to the target physical host according to the survival time threshold and the obtained actual survival time of the container to be migrated, raising its security protection level and preventing leakage of key information.
Each module in this embodiment is a logical module; in practice one logical unit may be one physical unit, part of one physical unit, or a combination of several physical units. In addition, to highlight the innovative part of the application, units that are not closely related to the technical problem it solves are not introduced in this embodiment, which does not mean that no other units are present.
Fig. 4 shows a block diagram of the components of a container migration system provided in an embodiment of the present application. As shown in fig. 4, the container migration system includes the following devices:
container migration apparatus 410, management device 420, container to be migrated 430 and target physical host 440; wherein the target physical host 440 includes: mirror image container 441.
The container migration apparatus 410 is configured, when it is determined that the container 430 to be migrated is under network attack, to migrate the data in the container 430 to the mirror container 441 on the target physical host 440 according to the survival time threshold and the obtained actual survival time of the container 430 to be migrated.
The management device 420 is configured to respond to the alarm information and/or the container rebuild message sent by the container migration apparatus 410, to decide whether the container 430 to be migrated that is under network attack needs to be deleted, or whether a new container needs to be created according to the attribute information of the container to be migrated (for example, the operating system identifier to be searched and the number of resources to be matched) so that the new container can carry the data in the container 430 to be migrated.
The container 430 to be migrated is a container that may be, or is, under network attack; its data is migrated so that it is not destroyed. The container 430 to be migrated may be a single container or several containers.
The operating system of the mirror container 441 on the target physical host 440 differs from the operating system of the container 430 to be migrated.
When a container cluster is created for a service system with a high security requirement level, not only a mirror container with the same operating system as the container 430 to be migrated is created, but also mirror containers for several different operating systems; the mirror containers of the different operating systems form the mirror repository. The container 430 to be migrated thus has several backup containers, and the security of its data is ensured.
Fig. 5 shows a flowchart of a working method of the container migration system provided in an embodiment of the present application. As shown in fig. 5, the method of operating the container migration system includes the steps of:
in step S501, the target physical host 440 transmits the attribute information of the mirrored container 441 and the attribute information of the target physical host 440 to the container migration apparatus 410.
For example, the attribute information of the mirror container 441 may include: any one or more of the container number of the mirrored container 441, the number of the operating system of the physical host on which the mirrored container 441 is located, the maximum survival time of the mirrored container 441, the number of resources required by the mirrored container 441 at run-time, and the IP address of the mirrored container 441.
Once the container cluster is determined to have been created successfully, the container migration apparatus 410 may learn the attribute information of each container in the cluster. For example, the attribute information of the i-th container may be expressed as $(N_i, O_i, T_i, R_i, IP_i)$, where $N_i$ is the number of the i-th container, $O_i$ the number of the operating system of the physical host on which it runs, $T_i$ its maximum survival time, $R_i$ the number of resources it requires at run time, and $IP_i$ its IP address.
The container migration apparatus 410 may also obtain the attribute information of each physical host in the mirror repository, for example expressed as $(n_i, o_i)$, where $n_i$ is the number of the i-th physical host and $o_i$ the number of its operating system.
In step S502, to avoid several containers of the same service system migrating data at the same time, different containers must be given different initial durations, i.e. different survival time thresholds.
For example, statistics are collected over the M preset containers of the preset container cluster. Let $a_j$ be the duration from the creation of the j-th preset container to the first network attack on it; the average duration before the preset containers of the cluster are attacked, $T_1$, is given by formula (1):
$T_1 = \frac{1}{M}\sum_{j=1}^{M} a_j$ (1)
where j is an integer with $1 \le j \le M$, and M is an integer greater than or equal to 1.
The data in a preset container is then migrated with the preset processing capacity, and the time this takes is the first migration duration $\Delta t$.
The containers to be migrated are sorted according to their number N to obtain a number i for each of them; the second migration duration of the i-th container to be migrated is predicted from the preset processing capacity as $(i-1)\Delta t$. The maximum survival time $T_i$ of the i-th container to be migrated is then given by formula (2):
$T_i = T_1 + (i-1)\Delta t$ (2)
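The threshold prediction in formulas (1) and (2), and the implementation of the prediction step described earlier on this page (sorting, second migration duration, threshold per container), reduce to a few lines of arithmetic. The Python below is an added example written for this page; it is not code from the patent or its applicant. It computes T_1 as the mean of constructed a_j values, assigns each container its number i by sorting the container identifiers, derives T_i = T_1 + (i-1)Δt, and checks that consecutive migration windows of length Δt do not overlap, which is the stated reason for spacing the thresholds. The durations, the 120-second Δt and the container names are constructed sample data; the function names are assumptions.

```python
from statistics import mean


def average_attack_duration(first_attack_delays):
    """Formula (1): T_1 = (1/M) * sum(a_j), the mean time from creation of a
    preset container to its first observed network attack, over M containers."""
    if not first_attack_delays:
        raise ValueError("need at least one preset container (M >= 1)")
    return mean(first_attack_delays)


def survival_time_thresholds(t1, delta_t, container_ids):
    """Formula (2): T_i = T_1 + (i - 1) * delta_t.

    Containers are sorted to obtain their number i (1-based); the second
    migration duration (i - 1) * delta_t staggers the thresholds so that
    containers of one service system do not all migrate at the same moment.
    """
    if delta_t <= 0:
        raise ValueError("first migration duration must be positive")
    ordered = sorted(container_ids)
    return {cid: t1 + (i - 1) * delta_t for i, cid in enumerate(ordered, start=1)}


def migration_schedule(thresholds, delta_t):
    """Each container's migration window [T_i, T_i + delta_t), in threshold order."""
    ordered = sorted(thresholds.items(), key=lambda kv: kv[1])
    return [(cid, start, start + delta_t) for cid, start in ordered]


def windows_overlap(schedule):
    """True if two consecutive migration windows overlap, i.e. the migration
    apparatus would have to handle two migrations at once."""
    return any(prev_end > next_start
               for (_, _, prev_end), (_, next_start, _) in zip(schedule, schedule[1:]))


def should_migrate(actual_survival_time, threshold):
    """Step S204 trigger: migrate once the container has outlived its threshold."""
    return actual_survival_time > threshold


# Constructed sample input (not from the patent): time from creation to first
# attack for M = 4 preset containers, in seconds, and a measured first
# migration duration of 120 s at the preset processing capacity.
SAMPLE_FIRST_ATTACK_DELAYS = [3600.0, 5400.0, 4200.0, 7200.0]
SAMPLE_DELTA_T = 120.0
SAMPLE_CONTAINERS = ["web-02", "web-01", "web-03"]

if __name__ == "__main__":
    t1 = average_attack_duration(SAMPLE_FIRST_ATTACK_DELAYS)
    thresholds = survival_time_thresholds(t1, SAMPLE_DELTA_T, SAMPLE_CONTAINERS)
    for cid, t in thresholds.items():
        print(f"{cid}: T_i = {t:.0f} s, migrate at 5250 s: {should_migrate(5250.0, t)}")
    print("overlapping windows:", windows_overlap(migration_schedule(thresholds, SAMPLE_DELTA_T)))
```

Because the thresholds are spaced by exactly Δt, container i+1 reaches its threshold just as the migration of container i (which takes Δt) finishes. If the real migration takes longer than the Δt used for prediction, the windows overlap and two migrations run at once; the overlap check reports that case, which is the practical reason to measure Δt under realistic load rather than assume it.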
A corresponding security detection method is configured for each container 430 to be migrated. For example, in an intrusion detection system (IDS), an alarm policy is configured for each container 430 to be migrated; when it is determined that the container 430 to be migrated is subject to a malicious attack or abnormal message exchange, the container 430 to be migrated feeds an alarm message back to the container migration apparatus 410, so that the container migration apparatus 410 can handle it in time (for example, by migrating its data to the target physical host 440).
In some implementations, whether to migrate the data in the container 430 to be migrated may also be determined from its maximum survival time (the survival time threshold) and the time it has already survived; for example, when it is determined that the container 430 to be migrated has survived longer than its maximum survival time, step S503 is performed.
In step S503, a data migration request is sent to the container migration apparatus 410.
In step S504, after receiving the data migration request, the container migration apparatus 410 parses it to obtain the container number $N_i$ of the container 430 to be migrated, the number $O_i$ of the operating system of the physical host on which the container 430 to be migrated runs (i.e. the operating system identifier to be searched), and the number of resources $R_i$ the container 430 to be migrated needs at run time. It then searches the preset physical host set using the operating system identifier to be searched to obtain the primary screening host set, counts the remaining resources of each physical host in that set in real time, selects the physical host with the most remaining resources as the candidate physical host, compares the remaining resources of the candidate physical host with $R_i$, and obtains the target physical host from the comparison result.
For example, when it is determined that the remaining resources of the candidate physical host can satisfy the number of resources $R_i$ required by the container 430 to be migrated at run time, the candidate physical host is determined to be the target physical host (e.g. target physical host 440) and steps S505 to S506 are performed; otherwise step S507 is performed.
In step S505, the container migration apparatus 410 interacts with the target physical host 440 to obtain the mirrored container 441 in the target physical host 440.
For example, the container migration apparatus 410 sends an acquisition request to the target physical host 440 to acquire the IP address of the mirrored container 441 fed back by the target physical host 440.
In some implementations, the mirrored container 441 may also be a mirrored container in a mirrored repository, and the container migration device 410 may obtain the IP address of the mirrored container 441 by pulling the mirrored container 441 from the mirrored repository.
In step S506, after obtaining the IP address of the mirror container 441, the container migration apparatus 410 migrates the data in the container 430 to be migrated into the mirror container 441.
In step S507, when it is determined that the remaining resources of the candidate physical host cannot satisfy the number of resources $R_i$ required by the container 430 to be migrated at run time, the container migration apparatus 410 judges, from the obtained severity of the network attack on the container 430 to be migrated and the preset degree threshold, whether the container needs to be rebuilt, and, if so, sends a container rebuild message to the management device 420.
In step S508, the management device 420 responds to the container rebuild message from the container migration apparatus 410 by creating a new container (not shown) according to the operating system identifier to be searched (e.g. the number $O_i$ of the operating system of the physical host on which the container 430 to be migrated runs) and the number of resources to be matched (e.g. the number of resources $R_i$ required by the container 430 to be migrated at run time), and feeds the IP address of the new container back to the container migration apparatus 410, so that the container migration apparatus 410 can migrate the data in the container 430 to be migrated into the new container.
The attributes of the new container may be set as follows: the container number $N_i$ and the operating system number $O_i$ of the physical host on which the new container runs are updated to new values; the maximum survival time of the new container is set equal to the maximum survival time $T_i$ of the container 430 to be migrated; the number of resources the new container needs at run time is set equal to $R_i$; and the IP address of the new container is set equal to the IP address $IP_i$ of the container 430 to be migrated.
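Steps S504 to S508 above, together with the screening, alarm and rebuild rules given for step S203 earlier on this page, form one decision procedure. The Python below is an added example written for this page, not code from the patent or its applicant. It implements primary screening by operating system identifier, selection of the candidate host with the most remaining resources, the comparison against R_i, the alarm raised when no host fits, the rebuild decision against the preset degree threshold (5, with attack values 3, 6 and 9 as in the text), and the attribute setup of a rebuilt container. The host and container numbers, operating system identifiers, IP addresses and resource counts are constructed sample data; the class and function names are assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class AttackSeverity(IntEnum):
    """Attack values given in the text: primary 3, medium-level 6, high-level 9."""
    PRIMARY = 3
    MEDIUM = 6
    ADVANCED = 9


REBUILD_THRESHOLD = 5  # the preset degree threshold from the text


@dataclass(frozen=True)
class PhysicalHost:
    number: str               # n_i
    os_id: str                # o_i, operating system identifier of the host
    remaining_resources: int


@dataclass(frozen=True)
class Container:
    number: str               # N_i
    os_id: str                # O_i, the operating system identifier to be searched
    max_survival_time: float  # T_i
    resources: int            # R_i, the number of resources to be matched
    ip: str                   # IP_i


@dataclass(frozen=True)
class Decision:
    action: str                 # "migrate", "rebuild" or "alarm"
    target_host: Optional[str]  # number of the target physical host, if one was found
    alarm: Optional[dict]       # alarm information for the management device, if any


def primary_screen(hosts, os_to_search):
    """Primary screening: drop every host running the container's own operating system."""
    return [h for h in hosts if h.os_id != os_to_search]


def select_target_host(candidates, resources_to_match):
    """Step S504: the candidate with the most remaining resources is the alternative
    host; it becomes the target only if it can satisfy R_i. None means no host fits."""
    if not candidates:
        return None
    best = max(candidates, key=lambda h: h.remaining_resources)
    return best if best.remaining_resources >= resources_to_match else None


def needs_rebuild(severity, threshold=REBUILD_THRESHOLD):
    """Rebuild when the attack value exceeds the preset degree threshold (6 and 9 do, 3 does not)."""
    return int(severity) > threshold


def build_alarm(container, severity):
    """Alarm information: identifier, IP address and attack severity of the container."""
    return {"container": container.number, "ip": container.ip, "severity": severity.name}


def decide(container, severity, hosts):
    """Screening plus the S504/S507 decision for one container under attack."""
    target = select_target_host(primary_screen(hosts, container.os_id), container.resources)
    if target is not None:
        return Decision("migrate", target.number, None)
    alarm = build_alarm(container, severity)       # no host can satisfy R_i: raise an alarm
    if needs_rebuild(severity):
        return Decision("rebuild", None, alarm)    # and ask the management device to rebuild
    return Decision("alarm", None, alarm)


def new_container_attributes(old, new_number, new_os_id):
    """Step S508 follow-up: the rebuilt container gets a new number and operating
    system number but keeps T_i, R_i and the IP address of the container it replaces."""
    return Container(new_number, new_os_id, old.max_survival_time, old.resources, old.ip)


# Constructed sample input (hypothetical hosts, identifiers and addresses, not from the patent).
SAMPLE_HOSTS = [
    PhysicalHost("host-1", "os-A", 8),
    PhysicalHost("host-2", "os-B", 4),
    PhysicalHost("host-3", "os-C", 6),
]
SAMPLE_CONTAINER = Container("c-7", "os-A", 5100.0, 5, "10.0.0.7")

if __name__ == "__main__":
    print(decide(SAMPLE_CONTAINER, AttackSeverity.MEDIUM, SAMPLE_HOSTS))
    oversized = Container("c-8", "os-A", 5100.0, 7, "10.0.0.8")
    print(decide(oversized, AttackSeverity.MEDIUM, SAMPLE_HOSTS))
    print(decide(oversized, AttackSeverity.PRIMARY, SAMPLE_HOSTS))
```

In the sample, host-1 has the most free resources but runs the same operating system as the attacked container, so primary screening removes it before capacity is considered; the operating system rule takes precedence over capacity. The screen is an exact match on the identifier the operator assigns, so two identifiers that name the same kernel and package base would pass it while sharing the vulnerability the page wants to escape; identifiers should be assigned per genuinely distinct operating system.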
In this embodiment, predicting the maximum survival time of the containers to be migrated from the attribute information of the preset containers and the number of containers to be migrated allows the resources needed for data migration to be prepared in advance; an attacked container does not have to be deleted immediately, the number of available containers stays within the preset range, and data processing efficiency improves. Screening the hosts in the preset physical host set according to the attribute information of the container to be migrated yields a target physical host whose operating system differs from that of the container to be migrated, which prevents an attacker from reusing a vulnerability of the original operating system against the container and improves its security. Migrating the data in the container to be migrated to the target physical host according to its survival time threshold and its obtained actual survival time raises the security protection level of the container and prevents leakage of key information.
It is to be understood that the above embodiments are merely illustrative of the exemplary embodiments employed to illustrate the principles of the present application, however, the present application is not limited thereto. Various modifications and improvements may be made by those skilled in the art without departing from the spirit and substance of the application, and are also considered to be within the scope of the application.

Claims (9)

1. A method of container migration, the method comprising:
acquiring attribute information of preset containers, the number of containers to be migrated and the attribute information of the containers to be migrated;
predicting a survival time threshold value of the container to be migrated according to the attribute information of the preset container and the number of the containers to be migrated;
screening hosts in a preset physical host set according to the attribute information of the container to be migrated to obtain a target physical host, wherein an operating system corresponding to the target physical host is different from an operating system corresponding to the container to be migrated;
migrating the data in the container to be migrated to the target physical host according to the survival time threshold value of the container to be migrated and the acquired actual survival time of the container to be migrated;
the attribute information of the preset container comprises: an average attack duration and a first migration duration;
the average attack duration is obtained by counting all preset containers in a preset container cluster to obtain the average duration of the preset containers under network attack,
the first migration duration is a duration obtained by migrating the data in the preset container according to preset processing capacity;
and predicting the survival time threshold of the container to be migrated according to the attribute information of the preset container and the number of the containers to be migrated, including:
sorting a plurality of containers to be migrated according to the number of the containers to be migrated, and obtaining a corresponding number of each container to be migrated;
predicting a second migration duration corresponding to each container to be migrated according to the first migration duration and the number corresponding to each container to be migrated;
and determining a survival time threshold value of each container to be migrated according to the average attack duration and each second migration duration.
2. The method according to claim 1, wherein the migrating the data in the container to be migrated to the target physical host according to the survival time threshold of the container to be migrated and the obtained actual survival time of the container to be migrated includes:
under the condition that the actual survival time of the container to be migrated is determined to be greater than the survival time threshold, acquiring a mirror container, wherein the mirror container is a preconfigured container with an operating system corresponding to the target physical host;
and migrating the data in the container to be migrated to a mirror image container of the target physical host.
3. The method of claim 1, wherein the attribute information of the container to be migrated includes: an operating system identifier to be searched and the number of resources to be matched, wherein the operating system identifier to be searched is an identifier of an operating system corresponding to a physical host to which the container to be migrated belongs; the number of the resources to be matched is the number of the resources required by the container to be migrated in running;
screening the hosts in the preset physical host set according to the attribute information of the container to be migrated to obtain a target physical host, including:
searching the preset physical host set according to the to-be-searched operating system identifier to obtain a preliminary screening host set;
counting the residual resources of each physical host in the primary screening host set in real time to obtain a resource counting result;
and determining the target physical host according to the resource statistics result and the number of the resources to be matched.
4. A method according to claim 3, wherein the resource statistics comprise: the quantity of the residual resources corresponding to each physical host in the primary screening host set;
the determining the target physical host according to the resource statistical result and the number of the resources to be matched comprises:
the number of the resources to be matched is respectively compared with the number of the residual resources corresponding to each physical host in the primary screening host set, and a comparison result is obtained;
and under the condition that the comparison result is that the residual resource quantity of the target physical host meets the resource quantity to be matched, obtaining the target physical host.
5. The method of claim 4, wherein comparing the number of resources to be matched with the number of remaining resources corresponding to each physical host in the preliminary screening host set, respectively, and after obtaining the comparison result, further comprises:
generating alarm information under the condition that the comparison result is that the quantity of the residual resources corresponding to each physical host in the primary screening host set can not meet the quantity of the resources to be matched;
and sending the alarm information to the management device.
6. The method of claim 4, wherein comparing the number of resources to be matched with the number of remaining resources corresponding to each physical host in the preliminary screening host set, respectively, and after obtaining the comparison result, further comprises:
acquiring the severity of the network attack to which the container to be migrated is subjected;
judging whether the container reconstruction is needed or not according to the severity of the network attack to which the container to be migrated is subjected and a preset degree threshold;
and under the condition that the container reconstruction is determined to be needed, sending a container reconstruction message to a management device, so that the management device creates a new container according to the identifier of the operating system to be searched and the number of the resources to be matched, wherein the new container is used for bearing the data in the container to be migrated.
7. The method according to any one of claims 1 to 6, wherein, after screening the hosts in the preset physical host set according to the attribute information of the container to be migrated and obtaining the target physical host, the method further comprises:
migrating the data in the container to be migrated to the target physical host in the case that the container to be migrated is in an attacked state.
8. The method according to any one of claims 1 to 6, wherein the attribute information of the container to be migrated further comprises: an identifier of the container to be migrated and/or a network address of the container to be migrated.
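The host-selection and rebuild decisions of claims 4 to 7, written out as an added example (this is not code from the patent or its assignee). The claims fix the order of the checks but not the data model, so the following are assumptions: resources are counted as abstract integer units, attack severity is an integer score compared with a preset threshold of 7, and the "operating system to be searched" carried in the reconstruction message is the target host's OS.

```python
"""Target-host selection for a container under attack (claims 4 to 7).

Added example, not code from the patent. Data model, severity scale,
threshold value and tie-break rule are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

SEVERITY_THRESHOLD = 7  # "preset degree threshold" of claim 6; value assumed


@dataclass(frozen=True)
class Host:
    name: str
    os_id: str        # operating system identifier of the host
    remaining: int    # remaining resource units on the host


@dataclass(frozen=True)
class Container:
    cid: str
    os_id: str        # operating system the container currently runs on
    needed: int       # "quantity of resources to be matched"
    severity: int     # severity of the network attack the container is under


def preliminary_screen(container: Container, hosts: list[Host]) -> list[Host]:
    """Keep only hosts whose OS differs from the container's.

    This is the heterogeneity condition of claims 1 and 9: the migrated
    container lands on a different OS, so an exploit tailored to the
    current platform does not follow it to the target.
    """
    return [h for h in hosts if h.os_id != container.os_id]


def select_target(container: Container, hosts: list[Host]) -> Optional[Host]:
    """Claim 4: compare the needed resources with each screened host's
    remaining resources and return a host that satisfies them, or None.

    Tie-break (assumed, not in the claims): prefer the host with the most
    headroom so the migrated container is less likely to be starved later.
    """
    fits = [h for h in preliminary_screen(container, hosts)
            if h.remaining >= container.needed]
    return max(fits, key=lambda h: h.remaining) if fits else None


def needs_rebuild(container: Container, threshold: int = SEVERITY_THRESHOLD) -> bool:
    """Claim 6: an attack at or above the preset threshold calls for rebuilding
    the container from a clean image instead of moving possibly tainted data."""
    return container.severity >= threshold


def plan_migration(container: Container, hosts: list[Host]) -> dict:
    """Produce the message that would go to the management device.

    The 'action' key is 'alarm' (claim 5), 'rebuild' (claim 6) or
    'migrate' (claim 7).
    """
    target = select_target(container, hosts)
    if target is None:
        # Claim 5: no screened host can satisfy the resource need.
        return {"action": "alarm", "container": container.cid,
                "needed": container.needed}
    if needs_rebuild(container):
        # Claim 6: request a fresh container on the target host's OS with the
        # same resource allotment; the old data is not copied.
        return {"action": "rebuild", "container": container.cid,
                "os_to_search": target.os_id, "needed": container.needed}
    # Claim 7: attacked but below the rebuild threshold, so migrate the data.
    return {"action": "migrate", "container": container.cid,
            "target": target.name}


# Constructed sample inventory (not from the patent).
SAMPLE_HOSTS = [
    Host("h1", "linux", remaining=16),
    Host("h2", "windows", remaining=8),
    Host("h3", "freebsd", remaining=4),
]

if __name__ == "__main__":
    c = Container("web-7", os_id="linux", needed=6, severity=3)
    print(plan_migration(c, SAMPLE_HOSTS))
```

Note that the OS filter runs before the capacity comparison: a host with ample free resources but the same OS as the attacked container is never a candidate, which is the point of the scheme. The alarm path fires only when every heterogeneous host is short of resources, so an operator sees it as "no safe landing zone" rather than a generic capacity warning.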
9. A container migration device, comprising:
an acquisition module configured to acquire attribute information of preset containers, the number of containers to be migrated, and attribute information of the containers to be migrated;
a prediction module configured to predict a survival time threshold of the container to be migrated according to the attribute information of the preset containers and the number of containers to be migrated;
a determination module configured to screen hosts in a preset physical host set according to the attribute information of the container to be migrated to obtain a target physical host, wherein the operating system corresponding to the target physical host differs from the operating system corresponding to the container to be migrated;
and a migration module configured to migrate the data in the container to be migrated to the target physical host according to the survival time threshold of the container to be migrated and the acquired actual survival time of the container to be migrated;
wherein the attribute information of the preset containers comprises an average attack duration and a first migration duration;
the average attack duration is the average duration for which the preset containers are under network attack, obtained by counting all preset containers in a preset container cluster;
the first migration duration is the duration taken to migrate the data in a preset container at a preset processing capacity;
and predicting the survival time threshold of the container to be migrated according to the attribute information of the preset containers and the number of containers to be migrated comprises:
sorting the plurality of containers to be migrated according to the number of containers to be migrated, to obtain a sequence number corresponding to each container to be migrated;
predicting a second migration duration corresponding to each container to be migrated according to the first migration duration and the sequence number corresponding to each container to be migrated;
and determining the survival time threshold of each container to be migrated according to the average attack duration and each second migration duration.
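The threshold prediction of claim 9, carried through as an added example (not code from the patent). The claim names the inputs and the order of the steps but not the arithmetic, so the following is an assumption: containers are migrated one after another at the preset processing capacity, so the k-th container's second migration duration is k times the first migration duration, and its survival threshold is the average attack duration minus that second migration duration. The migration module then triggers once a container's actual survival time reaches its threshold. The sort key (lexical order of the container identifier) is also assumed.

```python
"""Survival-time thresholds for a batch of containers to be migrated (claim 9).

Added example, not code from the patent. The formulas and the sort key are
assumptions; the claim only fixes the inputs and the sequence of steps.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MigrationPlan:
    cid: str
    sequence_no: int             # position in the migration queue (1-based)
    second_migration_s: float    # predicted time until this container's move completes
    survival_threshold_s: float  # actual survival time at which migration must start


def predict_survival_thresholds(avg_attack_s: float, first_migration_s: float,
                                container_ids: list[str]) -> list[MigrationPlan]:
    """Steps of claim 9: sort the containers, number them, derive a second
    migration duration per container, then a survival threshold per container.

    Assumed arithmetic: second_migration = k * first_migration (sequential
    migration) and threshold = avg_attack - second_migration, floored at 0.
    """
    if avg_attack_s <= 0 or first_migration_s <= 0:
        raise ValueError("durations must be positive")
    plans = []
    for k, cid in enumerate(sorted(container_ids), start=1):
        second = k * first_migration_s
        # A threshold at or below zero means the container cannot be moved
        # before a typical attack would complete: it must go immediately.
        threshold = max(0.0, avg_attack_s - second)
        plans.append(MigrationPlan(cid, k, second, threshold))
    return plans


def should_migrate(plan: MigrationPlan, actual_survival_s: float) -> bool:
    """Migration module of claim 9: compare the container's observed survival
    time (seconds since the attack began) with its threshold."""
    return actual_survival_s >= plan.survival_threshold_s


def due_now(plans: list[MigrationPlan], actual_survival: dict[str, float]) -> list[str]:
    """Identifiers of the containers whose migration should start now.
    A container with no recorded survival time is treated as 0 s."""
    return [p.cid for p in plans
            if should_migrate(p, actual_survival.get(p.cid, 0.0))]


if __name__ == "__main__":
    # Constructed figures: attacks last 600 s on average, one migration takes 45 s.
    plans = predict_survival_thresholds(600.0, 45.0, ["api-2", "api-1", "cache-1"])
    for p in plans:
        print(p)
    print(due_now(plans, {"api-1": 560.0, "api-2": 100.0, "cache-1": 470.0}))
```

With these numbers the three containers get thresholds of 555, 510 and 465 seconds: the later a container sits in the queue, the earlier it must start moving, because the others are ahead of it on the same migration capacity. The floor at zero is the failure mode worth watching in practice: when the queue is long enough that k times the migration time exceeds the average attack duration, the scheme can no longer guarantee the container escapes in time, and the container should be treated as a rebuild candidate rather than a migration candidate.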
CN202110913512.7A 2021-08-10 2021-08-10 Container migration method and device Active CN113608840B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110913512.7A CN113608840B (en) 2021-08-10 2021-08-10 Container migration method and device

Publications (2)

Publication Number Publication Date
CN113608840A CN113608840A (en) 2021-11-05
CN113608840B true CN113608840B (en) 2023-06-20

Family

ID=78307952

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110913512.7A Active CN113608840B (en) 2021-08-10 2021-08-10 Container migration method and device

Country Status (1)

Country Link
CN (1) CN113608840B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107526626A * 2017-08-24 2017-12-29 Wuhan University Docker container live migration method and system based on CRIU
CN107580703A * 2015-05-08 2018-01-12 Telefonaktiebolaget LM Ericsson (publ) Migration service method and module for software modules
CN109101320A * 2018-08-08 2018-12-28 中科边缘智慧信息科技(苏州)有限公司 Heterogeneous processor platform fusion management system
CN109309581A * 2018-08-22 2019-02-05 East China Institute of Computing Technology (32nd Research Institute of CETC) Container management system across hardware architectures
CN110119377A * 2019-04-24 2019-08-13 Huazhong University of Science and Technology Implementation and optimization method of an online migration system for Docker containers

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11048551B2 (en) * 2018-04-25 2021-06-29 Dell Products, L.P. Secure delivery and deployment of a virtual environment

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
RELOCATE: A Container Based Moving Target Defense Approach; Rui Huang et al.; Proceedings of Science; pp. 2-7 *
Sledge: Towards Efficient Live Migration of Docker Containers; Bo Xu et al.; 2020 IEEE 13th International Conference on Cloud Computing (CLOUD); pp. 321-328 *
A software-defined moving target defense network architecture against APT attacks; Tan Ren et al.; Journal of Shandong University (Natural Science), Vol. 53, No. 1; pp. 38-45 *
Dynamic heterogeneous scheduling method based on Stackelberg game in container clouds; Liu Daoqing et al.; Chinese Journal of Network and Information Security, Vol. 7, No. 3; pp. 95-104 *

Also Published As

Publication number Publication date
CN113608840A (en) 2021-11-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant