CN113901442A - Container control method, container control device, electronic apparatus, and storage medium (Google Patents)

Info

Publication number: CN113901442A
Application number: CN202111267441.4A
Authority: CN (China)
Prior art keywords: container, configuration information, target, system component, present disclosure
Legal status: Pending (current)
Other languages: Chinese (zh)
Inventor: 高灵杰
Current assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Original assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Application filed by Industrial and Commercial Bank of China Ltd (ICBC)
Priority to CN202111267441.4A
Publication of CN113901442A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/51 Monitoring users, programs or devices to maintain the integrity of platforms at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/602 Providing cryptographic facilities or services


Abstract

The present disclosure provides a container control method, which may be used in the field of computer technology, the financial field, or other fields. The method comprises the following steps: in response to a user's start instruction for a target container, determining, from one or more system components, the target system component required when the target container is started; acquiring the configuration information ciphertext of the target system component; decrypting the configuration information ciphertext through an intrusive script to obtain the configuration information plaintext of the target system component; filling the configuration information plaintext into a container start script; and executing the container start script to start the target container. In addition, the present disclosure also provides a container control apparatus, an electronic device, a readable storage medium, and a computer program product.

Description

Container control method, container control device, electronic apparatus, and storage medium
Technical Field
The present disclosure relates to the field of computer technology and the field of finance, and more particularly, to a container control method, a container control apparatus, an electronic device, a readable storage medium, and a computer program product.
Background
As the business scale of enterprises expands and market competition intensifies, many enterprises have begun to build container cloud platforms to containerize their business applications, so that the enterprise can concentrate on business logic development, the release cycle of business iterations is shortened, resource utilization is optimized, and service response efficiency is improved.
In the course of developing the disclosed concept, the inventors found that the related art carries a security risk: the configuration information of the system components associated with a container may be leaked.
Disclosure of Invention
In view of the above, the present disclosure provides a container control method, a container control apparatus, an electronic device, a readable storage medium, and a computer program product.
One aspect of the present disclosure provides a container control method including: in response to a user's start instruction for a target container, determining, from one or more system components, the target system component required when the target container is started; acquiring the configuration information ciphertext of the target system component; decrypting the configuration information ciphertext through an intrusive script to obtain the configuration information plaintext of the target system component; filling the configuration information plaintext into a container start script; and executing the container start script to start the target container.
According to an embodiment of the present disclosure, the method further includes: verifying the management authority of the user based on a container authority association table, which records the relationship between the management authority over containers and the identity information of users; and, when the user is determined to have management authority over the target container, determining, from one or more system components, the target system component required when the target container is started.
According to an embodiment of the present disclosure, verifying the management authority of the user based on the container authority association table includes: determining, from the container authority association table, the manageable containers corresponding to the identity information of the user; judging whether the target container is among the manageable containers; and determining that the user has management authority over the target container when the target container is among the manageable containers.
According to an embodiment of the present disclosure, the method further includes: acquiring the data length of the configuration information ciphertext; comparing the data length of the configuration information ciphertext with a preset length value to obtain a comparison result; and decrypting the configuration information ciphertext through the intrusive script only when the comparison result shows that the data length of the configuration information ciphertext equals the preset length value.
According to an embodiment of the present disclosure, the configuration information ciphertext of a system component is obtained by encrypting the configuration information of the system component with a preset encryption method; the method further includes modifying the configuration information of the target system component at a preset period.
According to an embodiment of the present disclosure, the system components include a database and a runtime environment component; the configuration information of a system component includes the access username and password of the system component.
Another aspect of the present disclosure provides a container control apparatus including a first obtaining module, a second obtaining module, a first processing module, a second processing module, and a third processing module. The first obtaining module is used, in response to a user's start instruction for a target container, to determine from one or more system components the target system component required when the target container is started; the second obtaining module is used to acquire the configuration information ciphertext of the target system component; the first processing module is used to decrypt the configuration information ciphertext through the intrusive script to obtain the configuration information plaintext of the target system component; the second processing module is used to fill the configuration information plaintext into a container start script; and the third processing module is used to execute the container start script so as to start the target container.
Another aspect of the present disclosure provides an electronic device including: one or more processors; memory to store one or more instructions, wherein the one or more instructions, when executed by the one or more processors, cause the one or more processors to implement a method as described above.
Another aspect of the present disclosure provides a computer-readable storage medium storing computer-executable instructions for implementing the method as described above when executed.
Another aspect of the disclosure provides a computer program product comprising computer executable instructions for implementing the method as described above when executed.
According to an embodiment of the present disclosure, when the target container is started, the configuration information ciphertext of the target system component corresponding to the target container is acquired, the ciphertext is decrypted by the intrusive script, the decrypted configuration information plaintext is filled into the container start script, and the container start script is then executed to start the target container. By these technical means, operation and maintenance personnel never handle the configuration information of the system component directly, and the container platform never stores that configuration information directly; the problem in the related art of leaking the configuration information of system components is thereby at least partially solved, information security is effectively ensured, and operation and maintenance costs are reduced.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent from the following description of embodiments of the present disclosure with reference to the accompanying drawings, in which:
Fig. 1 schematically illustrates an exemplary system architecture 100 to which a container control method may be applied, according to an embodiment of the present disclosure.
Fig. 2 schematically illustrates a flow chart of a container control method according to an embodiment of the present disclosure.
Fig. 3 schematically illustrates a flow chart of a container control method according to another embodiment of the present disclosure.
Fig. 4 schematically illustrates a schematic diagram of a container control system according to an embodiment of the present disclosure.
Fig. 5 schematically illustrates a block diagram of a container control apparatus according to an embodiment of the present disclosure.
Fig. 6 schematically illustrates a block diagram of an electronic device adapted to implement a container control method according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, such a construction is in general intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.). Where a convention analogous to "at least one of A, B or C, etc." is used, such a construction is in general intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B or C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.).
In the related art, when an enterprise-level PaaS (Platform as a Service) container is started, a runtime environment is needed and a database connection must be established. The scheme generally adopted is that the configuration information required to start the container, such as a database password, is entered on the PaaS platform by production maintenance personnel; the PaaS platform automatically fills the configuration information into a configuration file; and the PaaS container is then started.
In this process there are several security risks: the passwords of production maintenance personnel may be leaked, a database password may be leaked if the PaaS platform is attacked, and other application security configuration information may be leaked. Leakage of the passwords of components such as the database, and of other security configuration information, causes great loss to the enterprise.
In view of this, embodiments of the present disclosure provide a container control method to address the risk of configuration information leakage in the PaaS container operation and maintenance process based on a liberty data source, so as to reduce, to a certain extent, the exposure of applications on the PaaS operation and maintenance platform to attack, reduce the risk of leaking the security configuration information of important system components, and raise the level of automation of PaaS-container-based application operation and maintenance.
In particular, embodiments of the present disclosure provide a container control method, a container control apparatus, an electronic device, a readable storage medium, and a computer program product. The method comprises: in response to a user's start instruction for a target container, determining, from one or more system components, the target system components required when the target container is started; acquiring the configuration information ciphertext of the target system component; decrypting the configuration information ciphertext through an intrusive script to obtain the configuration information plaintext of the target system component; filling the configuration information plaintext into a container start script; and executing the container start script to start the target container.
It should be noted that the container control method and apparatus provided by the embodiments of the present disclosure may be used in the field of computer technology or in the field of finance, for example in the background server of a bank. They may also be used in any field other than computer technology and finance; the fields of application of the container control method and apparatus provided by the embodiments of the present disclosure are not limited.
In the technical solution of the present disclosure, the acquisition, storage and use of the personal information of the users involved comply with the relevant laws and regulations, necessary security measures are taken, and public order and good custom are not violated.
Fig. 1 schematically illustrates an exemplary system architecture 100 to which a container control method may be applied, according to an embodiment of the disclosure. It should be noted that fig. 1 is only an example of a system architecture to which the embodiments of the present disclosure may be applied to help those skilled in the art understand the technical content of the present disclosure, and does not mean that the embodiments of the present disclosure may not be applied to other devices, systems, environments or scenarios.
As shown in fig. 1, the system architecture 100 according to this embodiment may include terminal devices 101, 102, 103, a network 104 and a server 105.
The terminal devices 101, 102, 103 may be various electronic devices having a display screen and supporting data communication, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The terminal devices 101, 102, 103 may run any kind of operating system, including but not limited to Windows, Unix, Linux, Mac OS, etc.
Various client applications, such as shopping-like applications, web browser applications, search-like applications, instant messaging tools, mailbox clients, and/or social platform software, etc., may be installed on the terminal devices 101, 102, 103.
The network 104 serves as a medium for providing communication links between the terminal devices 101, 102, 103 and the server 105. Network 104 may include various connection types, such as wired and/or wireless communication links, and so forth.
The server 105 may be a server providing various services, for example, the server 105 may carry a PaaS container cloud platform to store configuration information of a container.
When installing a client application to the terminal devices 101, 102, 103, a user may load container configuration information stored in the server 105 through the network 104, load a source code of the client application into a container, and start the container using the container configuration information to implement installation of the client application.
It should be noted that the container control method provided by the embodiment of the present disclosure may be generally executed by the server 105. Accordingly, the container control apparatus provided by the embodiments of the present disclosure may be generally disposed in the server 105. The container control method provided by the embodiments of the present disclosure may also be performed by a server or a server cluster that is different from the server 105 and is capable of communicating with the terminal devices 101, 102, 103 and/or the server 105. Accordingly, the container control apparatus provided in the embodiments of the present disclosure may also be disposed in a server or a server cluster different from the server 105 and capable of communicating with the terminal devices 101, 102, 103 and/or the server 105. Alternatively, the container control method provided by the embodiment of the present disclosure may also be executed by the terminal device 101, 102, or 103, or may also be executed by another terminal device different from the terminal device 101, 102, or 103. Accordingly, the container control apparatus provided in the embodiments of the present disclosure may also be disposed in the terminal device 101, 102, or 103, or in another terminal device different from the terminal device 101, 102, or 103.
For example, the container configuration information may be originally stored in any one of the terminal devices 101, 102, or 103 (e.g., the terminal device 101, but not limited thereto), or stored on an external storage device and may be imported into the terminal device 101. Then, the terminal device 101 may locally execute the container control method provided by the embodiment of the present disclosure, or send the container configuration information to another terminal device, a server, or a server cluster, and execute the container control method provided by the embodiment of the present disclosure by another terminal device, a server, or a server cluster that receives the container configuration information.
It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Fig. 2 schematically illustrates a flow chart of a container control method according to an embodiment of the present disclosure.
As shown in fig. 2, the method includes operations S201 to S205.
In operation S201, in response to a start instruction for a target container by a user, a target system component required when the target container is started is determined from one or more system components.
In operation S202, a configuration information ciphertext of the target system component is obtained.
In operation S203, the configuration information ciphertext is decrypted by the intrusive script to obtain the configuration information plaintext of the target system component.
In operation S204, the configuration information plaintext is filled into the container start script.
In operation S205, the container start script is executed to start the target container.
According to an embodiment of the present disclosure, a container may contain, in addition to the application program itself, the environment in which the application program runs; therefore, when the container is started, it needs to establish contact with the system components in order to construct the necessary running environment.
According to an embodiment of the present disclosure, the configuration information ciphertext of a system component may be obtained by encrypting the configuration information with an encryption algorithm. Any encryption algorithm may be selected, such as SM4, MD5, SHA256, and the like.
According to an embodiment of the present disclosure, the functions of the intrusive script can be added to the system by means of the intrusive script itself, without modifying the original system architecture.
According to an embodiment of the present disclosure, the intrusive script may include a bash script.
According to an embodiment of the present disclosure, the container start script may be any script containing batch instructions, such as a bat script, a shell script, and the like.
According to an embodiment of the present disclosure, the execution order of the intrusive script and the container start script may be specified in the Dockerfile.
According to an embodiment of the present disclosure, after the container start script is executed, the configuration information of the target system component is used to pass that component's verification so that the target system component can be loaded, thereby completing construction of the running environment and starting the target container.
According to an embodiment of the present disclosure, when the target container is started, the configuration information ciphertext of the target system component corresponding to the target container is acquired, the ciphertext is decrypted by the intrusive script, the decrypted configuration information plaintext is filled into the container start script, and the container start script is then executed to start the target container. By these technical means, operation and maintenance personnel never handle the configuration information of the system component directly, and the container platform never stores that configuration information directly; the problem in the related art of leaking the configuration information of system components is thereby at least partially solved, information security is effectively ensured, and operation and maintenance costs are reduced.
Fig. 3 schematically illustrates a flow chart of a container control method according to another embodiment of the present disclosure.
As shown in fig. 3, the method includes operations S301 to S309.
It should be noted that, unless an execution order between operations is explicitly stated or is required by the technical implementation, the operations in the flowcharts of this disclosure need not be executed in the order shown, and multiple operations may be executed simultaneously.
In operation S301, a start instruction of a user for a target container is received.
In operation S302, it is determined whether the user has the management authority of the target container. In a case where it is determined that the user does not have the management authority of the target container, operation S303 is performed; in case that it is determined that the user has the management authority of the target container, operation S304 is performed.
In operation S303, the user's start instruction for the target container is rejected.
In operation S304, the configuration information ciphertext of the target system component required for starting the target container is acquired.
In operation S305, it is determined whether the data format of the configuration information ciphertext is correct. If the data format of the configuration information ciphertext is determined to be erroneous, operation S306 is performed; if it is determined to be correct, operation S307 is performed.
In operation S306, feedback indicating the configuration information format error is sent to the user. After operation S306 is completed, the method returns to operation S304.
In operation S307, the configuration information ciphertext is decrypted by the intrusive script to obtain the configuration information plaintext.
In operation S308, the configuration information plaintext is filled into the container start script.
In operation S309, the container start script is executed.
According to the embodiment of the disclosure, the user may be an operation and maintenance person, and there may be a plurality of operation and maintenance persons in the operation and maintenance service, which are respectively responsible for managing different containers.
According to the embodiment of the disclosure, the management authority of the container can be determined through the identity information of the user and the container authority association table. The relationship between the management authority of the container and the identity information of the user can be recorded in the container authority association table.
For example, after the user's start instruction for the target container is received, the identity information of the account from which the user issued the instruction may be obtained; based on that identity information, the manageable containers corresponding to it (one or more containers) can be determined from the container authority association table; thereafter, whether the user has management authority over the target container is decided by checking whether the target container is among those manageable containers.
According to an embodiment of the present disclosure, the target system components required for starting the target container may be determined through a container association table, which records the system components required when each container is started.
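The authority check of operation S302 and the component lookup of operation S201, written out as an added example (not code from the patent; the table contents, account ids and container names are constructed, and the refusal of a container that has no entry in the container association table is an added strictness the description does not state):

```python
"""Deny-by-default gate in front of the configuration ciphertext.

Constructed example: a user identity is looked up in the container authority
association table; only if the target container is among that identity's
manageable containers are the container's system components looked up and
the start request allowed to proceed (S301 -> S302 -> S303/S304).
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample of the container authority association table:
# user identity -> containers that identity may manage.
CONTAINER_AUTHORITY_TABLE: dict[str, frozenset[str]] = {
    "ops-alice": frozenset({"payment-api", "ledger-worker"}),
    "ops-bob": frozenset({"report-batch"}),
}

# Constructed sample of the container association table:
# container -> system components it needs at start (database, FTP runtime, ...).
CONTAINER_ASSOCIATION_TABLE: dict[str, tuple[str, ...]] = {
    "payment-api": ("mysql-primary", "ftp-runtime"),
    "ledger-worker": ("mysql-primary",),
    "report-batch": ("postgres-reporting", "ftp-runtime"),
}


@dataclass(frozen=True)
class StartDecision:
    allowed: bool
    reason: str
    components: tuple[str, ...] = ()


def manageable_containers(user_id: str) -> frozenset[str]:
    """First half of S302: the containers the identity may manage.
    An identity absent from the table manages nothing (deny by default)."""
    return CONTAINER_AUTHORITY_TABLE.get(user_id, frozenset())


def has_management_authority(user_id: str, target: str) -> bool:
    """Second half of S302: is the target among the manageable containers?"""
    return target in manageable_containers(user_id)


def target_system_components(target: str) -> tuple[str, ...]:
    """S201: the system components the target container needs at start."""
    return CONTAINER_ASSOCIATION_TABLE.get(target, ())


def decide_start(user_id: str, target: str) -> StartDecision:
    """Gate a start instruction before any ciphertext is fetched.

    Unauthorised callers are rejected (S303) with a reason that names neither
    the components nor whether the container exists, so the response leaks
    nothing about the platform's inventory.
    """
    if not has_management_authority(user_id, target):
        return StartDecision(False, "user lacks management authority for target")
    comps = target_system_components(target)
    if not comps:
        # Added check: a container missing from the association table is not
        # started, so it cannot run with unmanaged configuration.
        return StartDecision(False, "target has no entry in the container association table")
    return StartDecision(True, "ok", comps)


if __name__ == "__main__":
    for user, target in [("ops-alice", "payment-api"),
                         ("ops-bob", "payment-api"),
                         ("nobody", "report-batch")]:
        d = decide_start(user, target)
        print(f"{user:10} {target:15} allowed={d.allowed} {d.reason} {d.components}")
```

The lookup is deliberately keyed on the identity of the account that issued the instruction rather than on anything the caller supplies in the request body, which is what makes the association table an authorization record rather than a hint.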
According to embodiments of the present disclosure, the system components may include databases, runtime environment components (FTP), and the like.
According to an embodiment of the present disclosure, the configuration information ciphertext may be the configuration information generated by an encryption algorithm.
According to embodiments of the present disclosure, the configuration information may include a username and password required to access or use the system component.
According to an embodiment of the present disclosure, the configuration information may be modified at a preset period. For example, the configuration information stored in the database may be modified every 90 days.
According to an embodiment of the present disclosure, the configuration information ciphertext generated by the encryption algorithm may have a fixed length (a fixed number of characters).
According to an embodiment of the present disclosure, the data format of the configuration information ciphertext can therefore be judged by checking the number of characters of the configuration information ciphertext.
For example, if the encryption algorithm employed is the 32-character MD5 algorithm, the generated configuration information ciphertext should be a string of 32 characters; if the ciphertext is longer or shorter than 32 characters, it may be concluded that the configuration information ciphertext is erroneous or that the algorithm used to generate it was wrong, and operation S304 may then be executed again to re-acquire the configuration information ciphertext.
According to an embodiment of the present disclosure, operations S307 to S309 may be implemented by the methods of operations S203 to S205, which are not described herein again.
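Operations S304 to S308 as one start-time pipeline, added here as an example that is not code from the patent. The ciphertext format check (S305) is the fixed-length comparison the description gives, plus a character-set check that is an added tightening; the retry back to S304 is bounded so a persistently bad source cannot keep a start request spinning. Decryption (S307) is delegated to a callable so the platform's real mechanism (the intrusive script, a key-management service call) can be plugged in; the demo callable below is a constructed stand-in that looks ciphertexts up in a dictionary, simulating a decrypt service, and the expected length of 32, the placeholder syntax and the credential values are all assumptions. One caveat a practitioner should keep in mind when reading the description's list of algorithms: MD5 and SHA256 are one-way hash functions, so a value produced by them cannot be decrypted at all, and a length check on a hash-shaped string confirms only its format, not that a plaintext can be recovered from it.

```python
"""S304-S308: fetch ciphertext, validate its format, decrypt, fill the start
script. Constructed example; see the lead-in for what is assumed."""
from __future__ import annotations

import shlex
from typing import Callable

EXPECTED_CIPHERTEXT_LEN = 32          # preset length value (assumed: 32 hex characters)
HEX_DIGITS = frozenset("0123456789abcdef")


class CiphertextFormatError(ValueError):
    """Raised when the ciphertext still fails the S305 check after all retries."""


def check_ciphertext_format(ciphertext: str,
                            expected_len: int = EXPECTED_CIPHERTEXT_LEN) -> bool:
    """S305: length must equal the preset value; the hex character-set test is
    an added check beyond the description's length-only comparison."""
    return len(ciphertext) == expected_len and set(ciphertext.lower()) <= HEX_DIGITS


def fetch_until_well_formed(fetch: Callable[[], str], max_attempts: int = 3) -> str:
    """S304 -> S305 -> (S306 feedback, back to S304), bounded to max_attempts.
    The error text reports lengths only; ciphertext bytes are never echoed."""
    last_error = ""
    for attempt in range(1, max_attempts + 1):
        ct = fetch()
        if check_ciphertext_format(ct):
            return ct
        last_error = (f"attempt {attempt}: ciphertext length {len(ct)}, "
                      f"expected {EXPECTED_CIPHERTEXT_LEN}")
    raise CiphertextFormatError(last_error)


def render_start_script(template: str, plaintext: dict[str, str]) -> str:
    """S308: fill decrypted values into the start script.

    Every value is shell-quoted, so a password containing spaces, quotes or $
    cannot break out of its assignment and be interpreted as script."""
    filled = template
    for key, value in plaintext.items():
        filled = filled.replace("{{" + key + "}}", shlex.quote(value))
    if "{{" in filled:
        raise KeyError("start script still contains an unfilled placeholder")
    return filled


def prepare_container_start(fetch: Callable[[], str],
                            decrypt: Callable[[str], dict[str, str]],
                            template: str) -> str:
    """Run S304-S308 and return the filled start script (S309 executes it).
    The plaintext dict lives only inside this call and is never logged."""
    ciphertext = fetch_until_well_formed(fetch)
    plaintext = decrypt(ciphertext)
    return render_start_script(template, plaintext)


# --- constructed demo data -------------------------------------------------
DEMO_CT = "0123456789abcdef0123456789abcdef"
DEMO_VAULT = {DEMO_CT: {"DB_USER": "svc_pay", "DB_PASS": "p@ss w0rd$X"}}
DEMO_TEMPLATE = ("#!/bin/sh\n"
                 "export DB_USER={{DB_USER}}\n"
                 "export DB_PASS={{DB_PASS}}\n"
                 "exec /app/server\n")


def demo_decrypt(ciphertext: str) -> dict[str, str]:
    """Stand-in for the intrusive script's decryption step (constructed):
    a real deployment would call the platform's decrypt routine here."""
    return DEMO_VAULT[ciphertext]


def demo_script() -> str:
    """Produce the filled start script for the constructed demo data."""
    return prepare_container_start(lambda: DEMO_CT, demo_decrypt, DEMO_TEMPLATE)


if __name__ == "__main__":
    print(demo_script())
```

Because `render_start_script` quotes each value, the rendered script for the demo password reads `export DB_PASS='p@ss w0rd$X'`; the same code path would neutralize a value containing `;` or backticks instead of letting it run when the start script is executed.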
FIG. 4 schematically illustrates a schematic diagram of a container control system according to an embodiment of the disclosure.
As shown in fig. 4, the container control system may include a resource management module 410, a configuration module 420, and a control module 430. The functions of the container control system may be implemented by the methods of operations S201 to S205 or operations S301 to S309.
According to the embodiment of the disclosure, the resource management module 410 may manage configuration information of the system component 411 such as a database and an FTP, and may periodically and automatically update configuration information of the system component 411 such as a user name and a password according to a component configuration information management policy.
According to embodiments of the present disclosure, the resource management module 410 may record the system components 411 required for the container 431 to boot, thereby forming a container association table.
According to an embodiment of the present disclosure, based on the container association table, the resource management module 410 may further identify the system components that are not yet under management, produce a list of them, and feed the list back to the user, so as to remind the user to bring those system components under the management of the resource management module 410.
According to the embodiment of the disclosure, the resource management module 410 may further dynamically adjust the management authority of the operation and maintenance personnel, and record the management authority as a container authority association table.
According to an embodiment of the present disclosure, according to the container authority association table, the resource management module 410 may verify the identity information of the user to prevent the container 431 from being maliciously started.
According to an embodiment of the present disclosure, the configuration module 420 may receive an HTTP request for obtaining configuration information of the system component 411, and in response to the request, obtain the configuration information of the system component 411 from the resource management module 410, encrypt the configuration information into a configuration information ciphertext through an encryption algorithm, and push the configuration information ciphertext to the control module.
According to an embodiment of the disclosure, the control module 430 may read the configuration information ciphertext set by the configuration module 420 by requesting the openapi, then complete the decryption and security check of the configuration information ciphertext through the invasive script before the container 431 is started, and automatically fill the decrypted configuration information plaintext into the container configuration file, so that the container 431 is started securely.
In other embodiments of the present disclosure, the resource management module 410 may further encrypt the configuration information of the managed system component 411 with a key, and when the container 431 is started, the configuration module 420 may encrypt the configuration information a second time; the key used in the first encryption and the algorithm used in the second encryption are deployed in the invasive script.
According to an embodiment of the present disclosure, the resource management module 410, the configuration module 420 and the control module 430 may be deployed on different electronic devices, with communication connections established between those devices.
Fig. 5 schematically illustrates a block diagram of a container control device according to an embodiment of the present disclosure.
As shown in fig. 5, the container control apparatus includes a first acquiring module 510, a second acquiring module 520, a first processing module 530, a second processing module 540, and a third processing module 550.
The first obtaining module 510 is configured to determine, in response to a start instruction of a target container by a user, a target system component required when the target container is started from the one or more system components.
The second obtaining module 520 is configured to obtain a configuration information ciphertext of the target system component.
The first processing module 530 is configured to decrypt the configuration information ciphertext through the invasive script to obtain the configuration information plaintext of the target system component.
The second processing module 540 is configured to fill the configuration information plaintext into the container start script.
The third processing module 550 is configured to execute the container start script to start the target container.
According to an embodiment of the disclosure, when the target container is started, the configuration information ciphertext of the target system component corresponding to the target container is obtained, the configuration information ciphertext is decrypted by the invasive script, the decrypted configuration information plaintext is filled into the container start script, and the container start script is then executed so that the target container is started. By this technical means, direct contact between operation and maintenance personnel and the configuration information of the system component, and direct storage of that configuration information by the container platform, are both avoided; the technical problem of leakage of system component configuration information in the related art is at least partially solved, information security is effectively guaranteed, and operation and maintenance cost is reduced.
According to an embodiment of the present disclosure, the apparatus further includes a first verification module. The first verification module includes a first verification unit and a second verification unit.
The first verification unit is configured to verify the management authority of the user based on a container authority association table, wherein the container authority association table records the relationship between the management authority of the container and the identity information of the user.
The second verification unit is configured to determine the target system component required when the target container is started from the one or more system components, under the condition that the user is determined to have the management authority of the target container.
According to an embodiment of the present disclosure, the first verification unit includes a first verification subunit, a second verification subunit, and a third verification subunit.
The first verification subunit is configured to determine the manageable containers corresponding to the identity information of the user based on the container authority association table.
The second verification subunit is configured to determine whether the target container is contained in the manageable containers.
The third verification subunit is configured to determine that the user has the management authority of the target container under the condition that the target container is determined to be contained in the manageable containers.
According to an embodiment of the present disclosure, the apparatus further comprises a second verification module. The second verification module includes a third verification unit, a fourth verification unit, and a fifth verification unit.
The third verification unit is configured to acquire the data length of the configuration information ciphertext.
The fourth verification unit is configured to compare the data length of the configuration information ciphertext with a preset length value to obtain a comparison result.
The fifth verification unit is configured to decrypt the configuration information ciphertext through the invasive script under the condition that the comparison result shows that the data length of the configuration information ciphertext is equal to the preset length value.
According to the embodiment of the disclosure, the configuration information ciphertext of the system component is obtained by encrypting the configuration information of the system component by a preset encryption method.
According to an embodiment of the present disclosure, the apparatus further comprises an adjustment module.
The adjusting module is configured to modify the configuration information of the target system component according to a preset period.
According to an embodiment of the present disclosure, a system component includes a database and a runtime environment component; the configuration information for the system component includes an access username and password for the system component.
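The start flow of operations S201 to S205 and modules 510 to 550 above, together with the ciphertext length check and the authority check, as an added Python example that is not the patent's own code. The cipher is a constructed stand-in with a fixed-length output: the patent names MD5 as an example, but MD5 is a one-way hash and cannot be decrypted, so an authenticated symmetric construction is used here instead; the tables, component names, key and registry are invented for the example.

```python
import hashlib
import hmac
import json
import secrets
import shlex

# Constructed tables standing in for the resource management module's
# database (module 410). All names and values are invented.
CONTAINER_AUTHORITY_TABLE = {          # container authority association table
    "alice": {"payment-api", "report-job"},
    "bob": {"report-job"},
}
CONTAINER_ASSOCIATION_TABLE = {        # container association table
    "payment-api": ["mysql-main", "ftp-archive"],
    "report-job": ["mysql-main"],
}
MANAGED_COMPONENTS = {"mysql-main"}    # components already under management

# Stand-in cipher (an assumption, not the patent's algorithm): HMAC-SHA256
# keystream plus HMAC tag over a fixed-size padded block, so every ciphertext
# has the same hex length and the length check of claim 4 is meaningful.
BLOCK, NONCE, TAG = 64, 16, 32
PRESET_LENGTH = 2 * (NONCE + BLOCK + TAG)   # 224 hex characters


def _keystream(key: bytes, nonce: bytes) -> bytes:
    return b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(BLOCK // 32)
    )


def encrypt_config(key: bytes, config: dict) -> str:
    """Configuration module (420): turn plaintext config into the ciphertext."""
    raw = json.dumps(config).encode()
    if len(raw) >= BLOCK:
        raise ValueError("configuration too long for the fixed block")
    padded = raw + b"\x00" * (BLOCK - len(raw))   # JSON never contains NUL
    nonce = secrets.token_bytes(NONCE)
    body = bytes(a ^ b for a, b in zip(padded, _keystream(key, nonce)))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return (nonce + body + tag).hex()


def check_ciphertext_length(ciphertext: str) -> bool:
    """Claim 4: compare the ciphertext data length with the preset length value."""
    return len(ciphertext) == PRESET_LENGTH


def invasive_script_decrypt(key: bytes, ciphertext: str) -> dict:
    """Control module (430): decrypt only after the length check passes."""
    if not check_ciphertext_length(ciphertext):
        raise ValueError("length mismatch: ciphertext must be fetched again (S304)")
    data = bytes.fromhex(ciphertext)
    nonce, body, tag = data[:NONCE], data[NONCE:NONCE + BLOCK], data[NONCE + BLOCK:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext integrity check failed")
    padded = bytes(a ^ b for a, b in zip(body, _keystream(key, nonce)))
    return json.loads(padded.rstrip(b"\x00"))


def verify_management_authority(user: str, target: str) -> bool:
    """Claim 3: the user may start the target only if it is among their manageable containers."""
    return target in CONTAINER_AUTHORITY_TABLE.get(user, set())


def unmanaged_components() -> set:
    """Resource management module: components some container needs that are not yet managed."""
    needed = {c for comps in CONTAINER_ASSOCIATION_TABLE.values() for c in comps}
    return needed - MANAGED_COMPONENTS


def fill_start_script(target: str, plaintexts: dict) -> str:
    """Fill each component's username and password into the container start script.
    Values are shell-quoted so a crafted value cannot break out of the command line."""
    env = []
    for comp, cfg in plaintexts.items():
        prefix = comp.upper().replace("-", "_")
        env.append(f"-e {prefix}_USER={shlex.quote(cfg['username'])}"
                   f" -e {prefix}_PASSWORD={shlex.quote(cfg['password'])}")
    return f"docker run -d --name {target} " + " ".join(env) + f" registry.example/{target}:latest"


def start_container(user: str, target: str, key: bytes, ciphertexts: dict) -> str:
    """Claims 1 to 4 in order; returns the filled start script for the caller to execute."""
    if not verify_management_authority(user, target):
        raise PermissionError(f"{user} has no management authority for {target}")
    components = CONTAINER_ASSOCIATION_TABLE[target]
    plaintexts = {c: invasive_script_decrypt(key, ciphertexts[c]) for c in components}
    return fill_start_script(target, plaintexts)
```

The filled script still carries the plaintext values, so it must be generated and executed by the control module out of the operators' reach; that separation, not the script format, is what the patent relies on.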
Any number of modules, sub-modules, units, sub-units, or at least part of the functionality of any number thereof according to embodiments of the present disclosure may be implemented in one module. Any one or more of the modules, sub-modules, units, and sub-units according to the embodiments of the present disclosure may be implemented by being split into a plurality of modules. Any one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in any other reasonable manner of hardware or firmware by integrating or packaging a circuit, or in any one of or a suitable combination of software, hardware, and firmware implementations. Alternatively, one or more of the modules, sub-modules, units, sub-units according to embodiments of the disclosure may be at least partially implemented as a computer program module, which when executed may perform the corresponding functions.
For example, any plurality of the first obtaining module 510, the second obtaining module 520, the first processing module 530, the second processing module 540 and the third processing module 550 may be combined and implemented in one module/unit/sub-unit, or any one of the modules/units/sub-units may be split into a plurality of modules/units/sub-units. Alternatively, at least part of the functionality of one or more of these modules/units/sub-units may be combined with at least part of the functionality of other modules/units/sub-units and implemented in one module/unit/sub-unit. According to an embodiment of the present disclosure, at least one of the first obtaining module 510, the second obtaining module 520, the first processing module 530, the second processing module 540, and the third processing module 550 may be at least partially implemented as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented by hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or implemented by any one of three implementations of software, hardware, and firmware, or by a suitable combination of any several of them. Alternatively, at least one of the first acquiring module 510, the second acquiring module 520, the first processing module 530, the second processing module 540 and the third processing module 550 may be at least partially implemented as a computer program module, which, when executed, may perform a corresponding function.
It should be noted that the container control device portion in the embodiment of the present disclosure corresponds to the container control method portion in the embodiment of the present disclosure, and the description of the container control device portion specifically refers to the container control method portion, which is not described herein again.
Fig. 6 schematically shows a block diagram of an electronic device adapted to implement a container control method according to an embodiment of the present disclosure. The electronic device shown in fig. 6 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 6, a computer electronic device 600 according to an embodiment of the present disclosure includes a processor 601, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 602 or a program loaded from a storage section 608 into a Random Access Memory (RAM) 603. Processor 601 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 601 may also include onboard memory for caching purposes. Processor 601 may include a single processing unit or multiple processing units for performing different actions of a method flow according to embodiments of the disclosure.
In the RAM 603, various programs and data necessary for the operation of the electronic apparatus 600 are stored. The processor 601, the ROM 602, and the RAM 603 are connected to each other via a bus 604. The processor 601 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM 602 and/or RAM 603. It is to be noted that the programs may also be stored in one or more memories other than the ROM 602 and RAM 603. The processor 601 may also perform various operations of the method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the disclosure, electronic device 600 may also include an input/output (I/O) interface 605, which is likewise connected to bus 604. The electronic device 600 may also include one or more of the following components connected to the I/O interface 605: an input portion 606 including a keyboard, a mouse, and the like; an output portion 607 including a display such as a Cathode Ray Tube (CRT) or a Liquid Crystal Display (LCD), and a speaker; a storage section 608 including a hard disk and the like; and a communication section 609 including a network interface card such as a LAN card, a modem, or the like. The communication section 609 performs communication processing via a network such as the internet. A drive 610 is also connected to the I/O interface 605 as needed. A removable medium 611 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 610 as necessary, so that a computer program read out from it is installed into the storage section 608 as necessary.
According to embodiments of the present disclosure, method flows according to embodiments of the present disclosure may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program containing program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 609, and/or installed from the removable medium 611. The computer program, when executed by the processor 601, performs the above-described functions defined in the system of the embodiments of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to an embodiment of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium. Examples may include, but are not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
For example, according to embodiments of the present disclosure, a computer-readable storage medium may include the ROM 602 and/or RAM 603 described above and/or one or more memories other than the ROM 602 and RAM 603.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the method provided by the embodiments of the present disclosure, when the computer program product is run on an electronic device, the program code being adapted to cause the electronic device to carry out the container control method provided by the embodiments of the present disclosure.
The computer program, when executed by the processor 601, performs the above-described functions defined in the system/apparatus of the embodiments of the present disclosure. The systems, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
In one embodiment, the computer program may be hosted on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted, distributed in the form of a signal on a network medium, downloaded and installed through the communication section 609, and/or installed from the removable medium 611. The computer program containing program code may be transmitted using any suitable network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In accordance with embodiments of the present disclosure, program code for executing computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages, and in particular, these computer programs may be implemented using high level procedural and/or object oriented programming languages, and/or assembly/machine languages. The programming language includes, but is not limited to, programming languages such as Java, C++, Python, the "C" language, or the like. The program code may execute entirely on the user computing device, partly on the user device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or by combinations of special purpose hardware and computer instructions. Those skilled in the art will appreciate that various combinations and/or associations of the features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or associations are not expressly recited in the present disclosure. In particular, various combinations and/or associations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
The embodiments of the present disclosure have been described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (10)

1. A container control method comprising:
in response to a starting instruction of a user for a target container, determining a target system component required by the target container when the target container is started from one or more system components;
acquiring a configuration information ciphertext of the target system component;
decrypting the configuration information ciphertext through the invasive script to obtain a configuration information plaintext of the target system component;
filling the configuration information plaintext into a container starting script; and
executing the container starting script to start the target container.
2. The method of claim 1, further comprising:
verifying the management authority of the user based on a container authority association table, wherein the container authority association table records the relationship between the management authority of the container and the identity information of the user; and
under the condition that the user is determined to have the management authority of the target container, determining the target system component required when the target container is started from one or more system components.
3. The method of claim 2, wherein the verifying the administrative rights of the user based on the container rights association table comprises:
determining a manageable container corresponding to the identity information of the user based on the container authority association table;
determining whether the target container is contained within the manageable container; and
in an instance in which it is determined that the target container is contained within the manageable container, it is determined that the user has administrative rights for the target container.
4. The method of claim 1, further comprising:
acquiring the data length of the configuration information ciphertext;
comparing the data length of the configuration information ciphertext with a preset length value to obtain a comparison result; and
decrypting the configuration information ciphertext through the invasive script under the condition that the comparison result shows that the data length of the configuration information ciphertext is equal to the preset length value.
5. The method of claim 1, wherein the configuration information ciphertext of the system component is obtained by encrypting the configuration information of the system component by a preset encryption method;
the method further comprises the following steps:
modifying the configuration information of the target system component according to a preset period.
6. The method according to any one of claims 1 to 5,
the system component comprises a database and a running environment component;
the configuration information of the system component includes an access username and password of the system component.
7. A container control apparatus comprising:
a first acquisition module, configured to, in response to a starting instruction of a user for a target container, determine a target system component required when the target container is started from one or more system components;
the second acquisition module is used for acquiring the configuration information ciphertext of the target system component;
the first processing module is used for decrypting the configuration information ciphertext through the invasive script to obtain the configuration information plaintext of the target system component;
the second processing module is used for filling the configuration information plaintext into a container starting script; and
a third processing module, configured to execute the container starting script to start the target container.
8. An electronic device, comprising:
one or more processors;
a memory for storing one or more instructions,
wherein the one or more instructions, when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-6.
9. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to carry out the method of any one of claims 1 to 6.
10. A computer program product comprising computer executable instructions for implementing the method of any one of claims 1 to 6 when executed.
CN202111267441.4A 2021-10-28 2021-10-28 Container control method, container control device, electronic apparatus, and storage medium Pending CN113901442A (en)

Publications (1)

Publication Number Publication Date
CN113901442A true CN113901442A (en) 2022-01-07

Family

ID=79026819

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination