CN113901469A - Container image storage method, system, computer device and computer storage medium - Google Patents

Container image storage method, system, computer device and computer storage medium


Publication number
CN113901469A
Authority
CN
China
Prior art keywords
container
mirror image
security
image
security level
Prior art date
Legal status
Pending
Application number
CN202111203139.2A
Other languages
Chinese (zh)
Inventor
郭新海
刘安
丁攀
陆勰
Current Assignee
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Application filed by China United Network Communications Group Co Ltd
Priority to CN202111203139.2A
Publication of CN113901469A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45587 Isolation or security of virtual machine instances

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The present disclosure provides a container image storage method, system, computer device and computer-readable storage medium. The method comprises: constructing a security detection identifier chain for a container image; determining a first security level category of the container image based on the security detection identifier chain; and storing the container image in a corresponding image repository based on the first security level category. The disclosure classifies the security level of a container image based on its security detection identifier chain and stores the image in an image repository of the corresponding security level, so as to at least address the storage security problem of current container images. When an image is deployed in a container, an image repository can be selected according to the security level required, which guarantees the security of the applications in the container while effectively improving the convenience of obtaining and using container images and improving user experience.

Description

Container image storage method, system, computer device and computer storage medium
Technical Field
The present disclosure relates to the field of container image technology, and in particular to a container image storage method, a container image storage system, a computer device and a computer-readable storage medium.
Background
Container technology is one of the Cloud Native technologies. It is used on a large scale because of its speed, efficiency, high portability, small resource footprint and similar characteristics; the image is the basis on which a container runs, and with the large-scale use of containers a wide variety of images are deployed in them. An image repository (registry, e.g. Docker Hub) is where images are stored and is also an important channel for obtaining them. At present the main image repositories comprise public repositories and private repositories. Public repositories are heavily used because of the large number of images they hold, their convenience and their openness, and this gives rise to many security problems: relevant research reports show that more than 30% of the official images in image repositories contain high-risk vulnerabilities and that nearly 70% of images have high- or medium-risk vulnerabilities. At the same time, because of the openness of image repositories, they are frequently exploited by attackers, who implant malware such as trojans and backdoors when building images and upload the malicious images to the repository.
The security of container images has become one of the main security problems faced by cloud native container deployment, and effectively solving the problem of image storage security has become an important way to ensure container security.
Disclosure of Invention
The present disclosure provides a container image storage method, system, computer device and computer-readable storage medium, so as to at least solve the storage security problem of current container images and thereby effectively ensure the security of containers.
In order to achieve the above object, the present disclosure provides a container image storage method, including:
constructing a security detection identifier chain for a container image;
determining a first security level category of the container image based on the security detection identifier chain; and storing the container image in a corresponding image repository based on the first security level category.
In one embodiment, constructing the security detection identifier chain for the container image includes:
adding a detection identifier and a security level identifier to the container image based on a security detection result of the container image; and
constructing the security detection identifier chain for the container image based on the detection identifier and the security level identifier.
In one embodiment, before adding the detection identifier and the security level identifier to the container image based on the security detection result of the container image, the method further includes:
performing security detection on the container image to obtain the security detection result of the container image;
wherein the security detection result includes any one or any combination of an image vulnerability scan result, an image virus detection result and an image compliance detection result.
In one embodiment, before determining the first security level category of the container image based on the security detection identifier chain, the method further includes:
pre-dividing a plurality of first security level categories for container images and a plurality of second security level categories for image repositories;
establishing a mapping relationship between the first security level categories of the container images and the second security level categories of the image repositories;
and storing the container image in the corresponding image repository based on the first security level category includes:
storing the container image in the image repository corresponding to a second security level category according to the mapping relationship, based on the first security level category.
In order to achieve the above object, the present disclosure also provides a container image storage system, including:
an identifier chain construction module configured to construct a security detection identifier chain for a container image;
a category determination module configured to determine a first security level category of the container image based on the security detection identifier chain; and
a storage module configured to store the container image in a corresponding image repository based on the first security level category.
In one embodiment, the identifier chain construction module includes:
an identifier adding unit configured to add a detection identifier and a security level identifier to the container image based on a security detection result of the container image; and
a construction unit configured to construct the security detection identifier chain for the container image based on the detection identifier and the security level identifier.
In one embodiment, the identifier chain construction module further includes:
a security detection unit configured to perform security detection on the container image to obtain the security detection result of the container image before the identifier adding unit adds the detection identifier and the security level identifier to the container image;
the security detection result including any one or any combination of an image vulnerability scan result, an image virus detection result and an image compliance detection result.
In one embodiment, the system further includes:
a classification module configured to pre-divide a plurality of first security level categories for container images and a plurality of second security level categories for image repositories before the category determination module determines the first security level category of the container image;
a mapping module configured to establish a mapping relationship between the first security level categories of the container images and the second security level categories of the image repositories;
the storage module being specifically configured to store the container image in the image repository corresponding to a second security level category according to the mapping relationship, based on the first security level category.
In order to achieve the above object, the present disclosure also provides a computer device, which includes a memory and a processor, the memory storing a computer program, wherein when the processor runs the computer program stored in the memory, the processor executes the container image storage method.
In order to achieve the above object, the present disclosure also provides a computer-readable storage medium having a computer program stored thereon, wherein when the computer program is executed by a processor, the processor executes the container image storage method.
According to the container image storage method, system, computer device and computer-readable storage medium provided by the disclosure, a security detection identifier chain is constructed for a container image, a first security level category of the container image is then determined based on the security detection identifier chain, and the container image is stored in a corresponding image repository based on the first security level category. The disclosure classifies the security level of the container image based on the security detection identifier chain and stores the image in an image repository of the corresponding security level, thereby ensuring the security of the container image. When an image is deployed in a container, an image repository can be selected according to the security level required, which guarantees the security of the applications in the container while effectively improving the convenience of obtaining and using container images and improving user experience.
Additional features and advantages of the disclosure will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the disclosure. The objectives and other advantages of the disclosure may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings are included to provide a further understanding of the disclosed embodiments and are incorporated in and constitute a part of this specification; they illustrate embodiments of the disclosure and, together with the description, serve to explain the principles of the disclosure and not to limit it.
Fig. 1 is a schematic flow chart of a container image storage method according to an embodiment of the present disclosure;
Fig. 2 is a schematic view of an image repository scenario in an embodiment of the present disclosure;
Fig. 3 is a schematic flow chart of another container image storage method according to an embodiment of the present disclosure;
Fig. 4 is a schematic flow chart of another container image storage method according to an embodiment of the present disclosure;
Fig. 5 is a schematic structural diagram of a container image storage system according to an embodiment of the present disclosure;
Fig. 6 is a schematic structural diagram of a computer device according to an embodiment of the present disclosure.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present disclosure more apparent, specific embodiments of the present disclosure are described below in detail with reference to the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating the present disclosure, are given by way of illustration and explanation only, not limitation.
It should be noted that the terms "first," "second," and the like in the description and claims of the present disclosure and in the above-described drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order; also, the embodiments and features of the embodiments in the present disclosure may be arbitrarily combined with each other without conflict.
In the following description, suffixes such as "module", "component", or "unit" used to denote elements are used only for the convenience of explanation of the present disclosure, and have no specific meaning in themselves. Thus, "module", "component" or "unit" may be used mixedly.
With the wide use of cloud computing and virtualization technologies, businesses have moved to the cloud to differing degrees. Simply converting a host, platform or application into a virtualized form, however, does not solve the problems of traditional applications such as slow upgrades, monolithic architecture and the inability to iterate quickly, and so the concept of Cloud Native emerged. Cloud native technology is represented by continuous delivery, DevOps, containers, orchestration and microservices. Container technology can effectively divide the resources of a single operating system into isolated groups so as to better balance conflicting resource demands between those groups, and it is widely used because of its speed, efficiency, high portability, small resource footprint and similar characteristics; the image is the basis on which a container runs, and with the large-scale use of containers a wide variety of images are deployed in them.
To solve the above problems, in the embodiments of the present disclosure a security detection identifier chain is established for the container image, the security level of the container image is then classified based on the security detection identifier chain, and the image is stored in a container image repository of the corresponding security level so as to ensure the security of the container image.
Referring to fig. 1, fig. 1 is a schematic flow chart of a container image storage method according to an embodiment of the present disclosure; the method includes steps S101 to S103.
In step S101, a security detection identifier chain is constructed for the container image.
In this embodiment, the security of a container image that is to be stored in the container image repository is identified by constructing a security detection identifier chain for it. Specifically, the security detection identifier chain comprises the security identifiers added to the container image in each detection process, where a security identifier may comprise a detection identifier and a security level identifier. Constructing the chain for the container image allows the security detection of the image to be tracked over the whole process and ensures that the container images stored in the image repository have traceable security detection.
Take as an example a security detection identifier chain that includes identifier 1, the detection identifier, and identifier 2, the security level identifier, where the detection identifier is described in Table 1 below and the security level identifier is shown in Table 2 below.
[Table 1 (detection identifiers) is available in the source only as an image and is not reproduced here]
TABLE 1
[Table 2 (security level identifiers) is available in the source only as an image and is not reproduced here]
TABLE 2
In step S102, a first security level category of the container image is determined based on the security detection identifier chain.
In this embodiment, the first security level category of the container image is determined from the security level identifier in the security detection identifier chain. For example, images with security level S1 or S2 are categorized as low security level images, images with security level S3 or S4 as medium security level images, and images with security level S5 as high security level images. Taking the case in which multiple security detections are performed on the container image as an example, the corresponding security detection identifier chain S-CHAIN is formed to track the whole security detection process of the image. The formation of the security detection identifier chain is illustrated as follows, each step giving the S-CHAIN value and the SECURITY (security level) value:
Step 1: a scan for viruses, trojans, malicious programs and the like has been completed and no threat is found; the identifier information is:
S-CHAIN: A; SECURITY: S1
Step 2: the scan for viruses, trojans, malicious programs and the like finds no threat, and a vulnerability scan has been completed finding no high-risk vulnerability; the identifier information is:
S-CHAIN: A-B01; SECURITY: S2
Step 3: the scan for viruses, trojans and malicious programs finds no threat, a vulnerability scan finds no high-risk vulnerability, and a second vulnerability scan finds no medium-risk or high-risk vulnerability; the identifier information is:
S-CHAIN: A-B01-B02; SECURITY: S3
Step 4: the scan for viruses, trojans and malicious programs finds no threat, a vulnerability scan finds no high-risk vulnerability, a second vulnerability scan finds no medium-risk or high-risk vulnerability, and a third vulnerability scan finds no low-, medium- or high-risk vulnerability; the identifier information is:
S-CHAIN: A-B01-B02-B03; SECURITY: S4
Step 5: the scan for viruses, trojans and malicious programs finds no threat, a vulnerability scan finds no high-risk vulnerability, a second vulnerability scan finds no medium-risk or high-risk vulnerability, a third vulnerability scan finds no low-, medium- or high-risk vulnerability, and compliance detection finds no non-compliant item; the identifier information is:
S-CHAIN: A-B01-B02-B03-C; SECURITY: S5
It should be noted that in some embodiments the security detection performed on the container image is not limited to the above manner, and the five steps above need not all be performed in sequence: a detection identifier and a security level identifier may be added whenever any one detection has been performed and has produced a result. Further, to limit the total length of the security detection identifier chain S-CHAIN, the number of identifiers added after detection may be capped at 15; when the number exceeds 15, the 1st identifier is kept and the 2nd identifier is deleted, then the next oldest, and so on. It will be understood that the first security level category of the container image is determined from the latest security level identifier in the security detection identifier chain.
In step S103, the container image is stored in the corresponding image repository based on the first security level category.
Specifically, a plurality of image repositories of different categories may be constructed according to the different security levels of container images. For example, three repositories of high, medium and low category may be constructed for use in different environments: a personal environment that has no requirement on security level may use low security level images for convenience; a test environment that has certain security requirements may sacrifice some convenience and use medium security level images; and a production environment with high security requirements, in which the security of the network and the system must be guaranteed, must use high security level images. As shown in fig. 2, the low security level image repository stores the S1 and S2 container images, the medium security level image repository stores the S3 and S4 container images, and the high security level image repository stores the S5 container images.
In the related art, to address the security problem of container images, a private image repository is established, the images downloaded from a public repository are checked for security problems using security detection technology, and the images that have passed security detection are stored in the private image repository. This scheme processes all images by relying simply on security detection, which improves the security of image storage to some extent, but it does not construct security image repositories of different levels according to the actual conditions of use, which brings some inconvenience to actual business use; in addition, although security detection is performed, no identifier information is added to the image to form an identifier chain, so the security level of an image cannot be judged intuitively when it is used, and the detection history of the image cannot be judged either. Compared with the related art, this embodiment identifies the security detection process of the container image by constructing a security detection identifier chain, determines the security level of the container image, and sorts container images into the corresponding image repositories according to security level, which not only effectively ensures the security of images at different security levels but also improves the convenience of using container images.
Further, unlike the related art, this embodiment does not need to create a private image repository; instead an existing public repository is partitioned, which reduces image storage cost to some extent. Specifically, the information currently carried by every container image includes REPOSITORY, TAG, IMAGE ID, CREATED and SIZE; this embodiment adds, on top of that information, an S-CHAIN field representing the security detection identifier chain and a SECURITY field representing the security level, as shown in the following table:
[Table of image information fields (REPOSITORY, TAG, IMAGE ID, CREATED, SIZE, S-CHAIN, SECURITY); available in the source only as an image]
the added identification information is described by taking an http mirror downloaded from a public repository as an example:
for example, viruses, trojans and malicious programs are searched and killed on the mirror image, no high-risk bugs exist after bug scanning is performed, and the specific information conditions are as follows:
[Image information after the above detections, including the S-CHAIN and SECURITY fields; available in the source only as an image]
if no middle-risk and high-risk vulnerability exists in vulnerability scanning of the mirror image, then baseline detection is performed, and the specific information conditions are as follows:
[Image information after the further detections, including the S-CHAIN and SECURITY fields; available in the source only as an image]
further, in this embodiment, after performing security detection on the container mirror image, based on the security detection result, adding a detection identifier and a security level identifier to the container mirror image, and then constructing a security detection identifier chain, so as to implement tracking of the security detection process of the container mirror image, where constructing the security detection identifier chain for the container mirror image (step S101), as shown in fig. 3, includes the following steps:
s101b, adding a detection identifier and a security level identifier for the container mirror image based on the security detection result of the container mirror image; and the number of the first and second groups,
s101c, constructing a security detection identification chain for the container mirror image based on the detection identification and the security level identification.
Further, before adding a detection flag and a security level flag to the container image based on the security detection result of the container image (step S101b), a step S101a is further included:
in step S101a, performing security detection on the container mirror image to obtain a security detection result of the container mirror image;
the security detection result comprises any one or any combination of a mirror image vulnerability scanning detection result, a mirror image virus detection result and a mirror image compliance detection result.
Specifically, three items of mirror image vulnerability scanning, mirror image virus detection and mirror image compliance detection are realized by carrying out security detection on a container mirror image, information such as vulnerability, virus, trojan, malicious program and non-compliance item of the mirror image can be found through scanning, and when the result of scanning the mirror image is completed, the result is output and a detection identifier and a security level identifier are added.
Referring to fig. 4, fig. 4 is a schematic flow chart of another container image storage method provided in the embodiment of the present disclosure, based on the previous embodiment, the present embodiment implements classification storage of container images by establishing a mapping relationship between the container images and an image repository about a security level, and facilitates users to download appropriate container images while guaranteeing security of the container images, so as to improve user experience, specifically, before determining a first security level category of the container images (step S102) based on the security detection identifier chain, the method further includes step S401 and step S402, and step S103 is further divided into step S103 a.
In step S401, several first security level categories regarding container mirroring and several second security level categories regarding mirroring warehouses are divided in advance.
In step S402, a mapping relationship between the first security level categories of the plurality of container images and the second security levels of the plurality of image warehouses is established.
In step S103a, the container image is stored in the image repository corresponding to the second security level category according to the mapping relationship based on the security level category.
For example, the security level category of the container mirror image and the security level of the mirror image warehouse are divided into a high security level, a medium security level and a low security level, wherein the high security level of the container mirror image and the high security level of the mirror image warehouse are mapped with each other, and by analogy, after the security level category of the container mirror image is determined, the container mirror image is stored in the corresponding mirror image warehouse based on the mapping relationship. In some embodiments, different security levels and mapping relationships may also be divided, which is not limited in this embodiment.
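The chain construction of steps S101 and S102 above (including the cap of 15 identifiers) and the level-to-repository mapping of steps S401, S402 and S103a, carried through in Python as an added example; this is not code from the patent or from its assignee. The detection identifiers A, B01, B02, B03 and C, the levels S1 to S5 and the low/medium/high categories follow the description and fig. 2; the class and function names, the repository names and the sample image records (httpd, busybox, nginx) are constructed for the example. One caveat a practitioner would add, which the description does not address: S-CHAIN and SECURITY are plain metadata fields, so a repository must only honour values written by the detection system itself, and an image with no SECURITY value at all must never default into a level repository, which is how the routing function below treats it.

```python
"""Security detection identifier chain (S-CHAIN) and level-based repository routing.

Added example written for this page; it is not code from the patent or its
assignee. Identifier names, levels S1..S5, the low/medium/high categories and
the cap of 15 identifiers follow the description above. Class and function
names, repository names and the sample image records are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_CHAIN_LENGTH = 15  # cap on identifiers in S-CHAIN, from the description

# Detection identifiers used in the worked example (Table 1 is only an image in the source).
DETECTIONS = {
    "A":   "virus/trojan/malicious program scan: no threat",
    "B01": "vulnerability scan: no high-risk vulnerability",
    "B02": "vulnerability scan: no medium- or high-risk vulnerability",
    "B03": "vulnerability scan: no low-, medium- or high-risk vulnerability",
    "C":   "compliance detection: no non-compliant item",
}

# Security level identifier -> first security level category (fig. 2).
LEVEL_TO_CATEGORY = {"S1": "low", "S2": "low", "S3": "medium", "S4": "medium", "S5": "high"}

# First security level category -> second security level category, i.e. the
# repository that stores such images. Repository names are assumed.
CATEGORY_TO_REPOSITORY = {
    "low": "registry.example.internal/low",
    "medium": "registry.example.internal/medium",
    "high": "registry.example.internal/high",
}


@dataclass
class ImageRecord:
    """One image with REPOSITORY/TAG/IMAGE ID plus the added S-CHAIN and SECURITY fields."""
    repository: str
    tag: str
    image_id: str
    s_chain: List[str] = field(default_factory=list)  # detection identifiers, oldest first
    security: Optional[str] = None                     # latest security level identifier

    def add_detection(self, detection_id: str, level: str) -> None:
        """Record one completed detection: append its identifier and set the new level.

        If the chain would exceed MAX_CHAIN_LENGTH, keep the 1st identifier and
        drop the 2nd (the oldest of the rest), as the description states.
        """
        if not detection_id or "-" in detection_id:
            raise ValueError(f"invalid detection identifier {detection_id!r}")
        if level not in LEVEL_TO_CATEGORY:
            raise ValueError(f"unknown security level identifier {level!r}")
        self.s_chain.append(detection_id)
        if len(self.s_chain) > MAX_CHAIN_LENGTH:
            del self.s_chain[1]
        self.security = level

    def chain_string(self) -> str:
        """S-CHAIN as written in the description, e.g. 'A-B01-B02'."""
        return "-".join(self.s_chain)

    def category(self) -> Optional[str]:
        """First security level category, derived from the latest level identifier only."""
        return LEVEL_TO_CATEGORY.get(self.security) if self.security else None

    def target_repository(self) -> Optional[str]:
        """Repository the image belongs in (S103a); None if it was never detected."""
        cat = self.category()
        return CATEGORY_TO_REPOSITORY[cat] if cat else None


def worked_example() -> ImageRecord:
    """Run the five detection steps from the description on a constructed sample image."""
    img = ImageRecord(repository="httpd", tag="latest", image_id="0123456789ab")
    for det, level in (("A", "S1"), ("B01", "S2"), ("B02", "S3"), ("B03", "S4"), ("C", "S5")):
        img.add_detection(det, level)
    return img


def truncation_example() -> ImageRecord:
    """Show the cap: one malware scan followed by 15 vulnerability rescans (constructed)."""
    img = ImageRecord(repository="busybox", tag="1.36", image_id="fedcba987654")
    img.add_detection("A", "S1")
    for _ in range(15):
        img.add_detection("B01", "S2")
    return img


def route_images(images: List[ImageRecord]) -> Dict[str, List[str]]:
    """Group image references by target repository (step S103). Images without a
    security level are listed under 'not stored' so they never land in a level
    repository by default."""
    routed: Dict[str, List[str]] = {}
    for img in images:
        key = img.target_repository() or "not stored"
        routed.setdefault(key, []).append(f"{img.repository}:{img.tag}")
    return routed


if __name__ == "__main__":
    done = worked_example()
    print(done.chain_string(), done.security, done.category(), done.target_repository())
    capped = truncation_example()
    print(len(capped.s_chain), capped.chain_string())
    unscanned = ImageRecord(repository="nginx", tag="1.25", image_id="abcdef012345")
    print(route_images([done, capped, unscanned]))
```

Running the module prints the S-CHAIN and SECURITY after the five steps (A-B01-B02-B03-C, S5, category high), a chain capped at 15 entries that still begins with A, and the routing of the three sample images, with the never-scanned nginx image kept out of every level repository. Note that `category()` looks only at the latest SECURITY value, exactly as the description states; the chain itself is kept for traceability, not for deciding the level.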
Based on the same technical concept, the embodiment of the present disclosure correspondingly further provides a container mirror image storage system, as shown in fig. 5. The system includes an identification chain construction module 51, a category determination module 52 and a storage module 53, wherein
the identification chain construction module 51 is configured to construct a security detection identification chain for the container mirror image;
the category determination module 52 is configured to determine a first security level category of the container mirror image based on the security detection identification chain; and
the storage module 53 is configured to store the container mirror image in a corresponding mirror image warehouse based on the first security level category.
In one embodiment, the identification chain construction module 51 includes:
an identifier adding unit configured to add a detection identifier and a security level identifier to the container mirror image based on the security detection result of the container mirror image; and
a construction unit configured to construct a security detection identification chain for the container mirror image based on the detection identifier and the security level identifier.
In one embodiment, the identification chain construction module further comprises:
a security detection unit configured to perform security detection on the container mirror image to obtain a security detection result of the container mirror image before the identifier adding unit adds the detection identifier and the security level identifier to the container mirror image;
the security detection result comprises any one or any combination of a mirror image vulnerability scanning detection result, a mirror image virus detection result and a mirror image compliance detection result.
In one embodiment, the system further comprises:
a classification module configured to divide in advance a plurality of first security level categories for the container mirror image and a plurality of second security level categories for the mirror image warehouse, before the category determination module determines the first security level category of the container mirror image;
a mapping module configured to establish a mapping relationship between the first security level categories of the plurality of container mirror images and the second security level categories of the plurality of mirror image warehouses;
the storage module is specifically configured to store the container mirror image into the mirror image warehouse corresponding to a second security level category, according to the mapping relationship, based on the first security level category.
Based on the same technical concept, the embodiment of the present disclosure correspondingly provides a computer device, as shown in fig. 6, the computer device includes a memory 61 and a processor 62, the memory 61 stores a computer program, and when the processor 62 runs the computer program stored in the memory 61, the processor 62 executes the container image storage method.
Based on the same technical concept, embodiments of the present disclosure correspondingly provide a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the processor executes the container mirror storage method.
It will be understood by those of ordinary skill in the art that all or some of the steps of the methods, systems, and functional modules/units in the devices disclosed above may be implemented as software, firmware, hardware, or suitable combinations thereof. In a hardware implementation, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed by several physical components in cooperation. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as is well known to those of ordinary skill in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer.
In addition, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media as known to those skilled in the art.
Finally, it should be noted that: the above embodiments are only used for illustrating the technical solutions of the present disclosure, and not for limiting the same; while the present disclosure has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present disclosure.

Claims (10)

1. A container mirror storage method, comprising:
constructing a security detection identification chain for the container mirror image;
determining a first security level category of the container image based on the security detection identification chain; and storing the container image in a corresponding image repository based on the first security level category.
2. The method of claim 1, wherein constructing a security detection identification chain for the container mirror image comprises:
adding a detection identifier and a security level identifier to the container mirror image based on the security detection result of the container mirror image; and
constructing a security detection identification chain for the container mirror image based on the detection identifier and the security level identifier.
3. The method of claim 2, further comprising, before adding a detection identifier and a security level identifier to the container image based on the security detection result of the container image:
performing security detection on the container mirror image to obtain a security detection result of the container mirror image;
the security detection result comprises any one or any combination of a mirror image vulnerability scanning detection result, a mirror image virus detection result and a mirror image compliance detection result.
4. The method of claim 1, further comprising, prior to determining the first security level category of the container image based on the security detection identification chain:
pre-dividing a plurality of first security level categories for container images and a plurality of second security level categories for image warehouses;
establishing a mapping relationship between the first security level categories of the plurality of container images and the second security level categories of the plurality of mirror image warehouses;
wherein storing the container image into a corresponding image repository based on the first security level category includes:
storing the container mirror image into the mirror image warehouse corresponding to a second security level category, according to the mapping relationship, based on the first security level category.
5. A container mirroring storage system, comprising:
an identification chain construction module configured to construct a security detection identification chain for the container mirror image;
a category determination module configured to determine a first security level category of the container mirror image based on the security detection identification chain; and
a storage module configured to store the container image in a corresponding image repository based on the first security level category.
6. The system of claim 5, wherein the identification chain building module comprises:
an identifier adding unit configured to add a detection identifier and a security level identifier to the container mirror image based on the security detection result of the container mirror image; and
a construction unit configured to construct a security detection identification chain for the container mirror image based on the detection identifier and the security level identifier.
7. The system of claim 6, wherein the identification chain construction module further comprises:
a security detection unit configured to perform security detection on the container mirror image to obtain a security detection result of the container mirror image before the identifier adding unit adds the detection identifier and the security level identifier to the container mirror image;
the security detection result comprises any one or any combination of a mirror image vulnerability scanning detection result, a mirror image virus detection result and a mirror image compliance detection result.
8. The system of claim 5, further comprising:
a classification module configured to divide in advance a plurality of first security level categories for the container mirror image and a plurality of second security level categories for the mirror image warehouse, before the category determination module determines the first security level category of the container mirror image;
a mapping module configured to establish a mapping relationship between the first security level categories of the plurality of container mirror images and the second security level categories of the plurality of mirror image warehouses;
the storage module is specifically configured to store the container mirror image into the mirror image warehouse corresponding to a second security level category, according to the mapping relationship, based on the first security level category.
9. A computer device comprising a memory and a processor, wherein the memory stores therein a computer program, and when the processor executes the computer program stored in the memory, the processor executes the container image storage method according to any one of claims 1 to 4.
10. A computer-readable storage medium, on which a computer program is stored, wherein when the computer program is executed by a processor, the processor performs the container image storage method according to any one of claims 1 to 4.
CN202111203139.2A 2021-10-15 2021-10-15 Container mirror image storage method, system, computer equipment and computer storage medium Pending CN113901469A (en)
Publications (1)

Publication Number Publication Date
CN113901469A true CN113901469A (en) 2022-01-07
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination