CN114942771B - Operating system security deployment method, device, equipment and storage medium - Google Patents

Operating system security deployment method, device, equipment and storage medium Download PDF

Info

Publication number
CN114942771B
Authority
CN
China
Prior art keywords
vpn
firmware
detection result
ipxe
deployment
Prior art date
Legal status
Active
Application number
CN202210546853.XA
Other languages
Chinese (zh)
Other versions
CN114942771A (en)
Inventor
许立宪
Current Assignee
Beijing Tengda Taiyuan Technology Co ltd
Original Assignee
Beijing Tengda Taiyuan Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Beijing Tengda Taiyuan Technology Co ltd
Priority to CN202210546853.XA
Publication of CN114942771A
Application granted
Publication of CN114942771B
Legal status: Active

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 8/00 Arrangements for software engineering > G06F 8/60 Software deployment
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 8/00 Arrangements for software engineering > G06F 8/70 Software maintenance or management > G06F 8/71 Version control; Configuration management
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 67/00 Network arrangements or protocols for supporting network services or applications > H04L 67/34 Network arrangements or protocols involving the movement of software or configuration parameters

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a method, device, equipment and storage medium for securely deploying an operating system. The method comprises: an edge node sends an iPXE request to a deployment server, then obtains and executes the iPXE script the deployment server returns; the edge node checks whether the execution chain of the iPXE script has finished; when the execution chain has finished, it sends a VPN firmware run request to the deployment server, and the deployment server loads and runs the VPN firmware in response to that request; the VPN firmware detects whether a hardware security module is present and records the detection result; and a VPN connection is established on the basis of that result, over which the configuration information of the target operating system and of the running environment is downloaded.

Description

Operating system security deployment method, device, equipment and storage medium
Technical Field
The present invention relates to the field of communications technologies, and in particular to a method, apparatus, device and storage medium for the secure deployment of an operating system.
Background
The Preboot eXecution Environment (PXE) provides a mechanism for booting a computer over its network interface. It allows the computer to boot without relying on a local storage device (such as a hard disk) or a locally installed operating system. PXE performs its initial handshake over DHCP and then transfers files over TFTP, which is how the client obtains its operating system software. In practice, PXE is typically used for diskless workstations and for fast system installation, and compared with installation from USB or optical media it has a large efficiency advantage. PXE is usually implemented in the firmware of the network card; because of these advantages it is widely adopted by hardware manufacturers and users, and a network card without PXE firmware is now hard to find.
PXE/iPXE and related technologies are a significant innovation in automated operating system deployment. Because the firmware environment has limited resources, PXE assumes that its operating environment is trusted and secure and provides no security mechanism of its own. iPXE adds some: support for HTTPS, simple username/password authentication, and simple VLAN support. Although the strength of these mechanisms is limited (HTTPS protects the download of the boot files, whereas a VLAN tag is a network-segmentation aid rather than a cryptographic control), they at least protect the pre-boot stage. iPXE still cannot guarantee a secure transition from the pre-boot stage to the production environment.
To address this problem, conventional deployment solutions pre-configure a VPN between the central deployment server and the client's gateway, either manually or with auxiliary software.
However, such prior-art deployment schemes cannot be fully automated, require the VPN to be established in advance, and often require additional gateway devices.
Disclosure of Invention
Based on this, the embodiments of the application provide an operating system security deployment method, an operating system security deployment apparatus, an electronic device and a storage medium. Using the iPXE execution-chain mechanism, a VPN auto-connection and deployment firmware module is embedded in the system's pre-boot stage, so that secure automated cloud-platform deployment is achieved in an untrusted, complex network environment, which strongly supports the future large-scale application and deployment of edge computing such as the Internet of Things.
In a first aspect, an operating system security deployment method is provided, which is applied to an edge node, and includes:
sending an iPXE request to a deployment server, and obtaining and executing the iPXE script returned by the deployment server, wherein the iPXE request further comprises an edge node identifier;
checking whether the execution chain of the iPXE script has finished; when the execution chain has finished, sending a VPN firmware run request to the deployment server, and the deployment server loading and running the VPN firmware on the basis of the run request;
detecting a hardware security module through the VPN firmware to obtain a detection result for the hardware security module, and storing the detection result;
and creating a VPN connection on the basis of the obtained detection result, and downloading the configuration information of a target operating system and of the running environment through the VPN connection, wherein the VPN connection connects the edge node to a cloud platform management server and is created on the basis of a cryptographic algorithm.
Optionally, detecting a hardware security module through the VPN firmware to obtain a detection result comprises:
detecting the hardware security module through the VPN firmware to obtain either a first detection result or a second detection result, wherein the first detection result indicates that the VPN firmware detected a hardware security module and the second detection result indicates that it did not.
Optionally, when the detection yields the first detection result (a hardware security module is present), creating a VPN connection on the basis of the detection result comprises:
creating the VPN connection by hard-decoding the VPN information, wherein hard-decoding means decrypting the configuration information directly with the hardware security module to obtain the VPN information.
Optionally, when the detection yields the second detection result (no hardware security module is present), creating a VPN connection on the basis of the detection result comprises:
creating the VPN connection by soft-decoding the VPN information, wherein soft-decoding means prompting the administrator to enter a decryption token from which the VPN information is obtained.
Optionally, the method further comprises:
writing the operating system and the configuration information to the local hard disk;
when the operating system starts, connecting to the cloud platform management server through the VPN, registering the node information, and completing the deployment.
In a second aspect, an operating system security deployment method is applied to a deployment server, and the method includes:
in response to an iPXE request sent by an edge node, returning an iPXE script to the edge node, wherein the iPXE request further comprises an edge node identifier;
acquiring a VPN firmware run request sent by the edge node, and loading and running the VPN firmware on the basis of the run request, wherein the edge node sends the VPN firmware run request after checking that the execution chain of the iPXE script has finished;
performing hardware security module detection on the edge node through the VPN firmware to obtain a detection result, and storing the detection result, wherein the detection result is used by the edge node to establish a VPN connection through which the configuration information of a target operating system and of the running environment is downloaded, the VPN connection connects the edge node to the cloud platform management server, and the VPN connection is established on the basis of a cryptographic algorithm.
Optionally, performing hardware security module detection on the edge node through the VPN firmware to obtain a detection result comprises:
performing hardware security module detection on the edge node through the VPN firmware to obtain either a first detection result or a second detection result, wherein the first detection result indicates that the VPN firmware detected a hardware security module and the second detection result indicates that it did not.
In a third aspect, an operating system security deployment apparatus is provided, the apparatus including:
an acquisition module, configured to obtain and execute the iPXE script returned by the deployment server by sending an iPXE request to the deployment server, wherein the iPXE request further comprises an edge node identifier;
a judging module, configured to check whether the execution chain of the iPXE script has finished and, when it has finished, to send a VPN firmware run request to the deployment server, the deployment server loading and running the VPN firmware on the basis of the run request;
a detection module, configured to detect a hardware security module through the VPN firmware to obtain a detection result for the hardware security module and to store the detection result;
and a connection module, configured to establish a VPN connection on the basis of the obtained detection result and to download the configuration information of a target operating system and of the running environment through the VPN connection, wherein the VPN connection connects the edge node to a cloud platform management server and is established on the basis of a cryptographic algorithm.
In a fourth aspect, an electronic device is provided, which includes a memory and a processor, wherein the memory stores a computer program, and the processor implements the operating system security deployment method according to any one of the first aspect when executing the computer program.
In a fifth aspect, there is provided a computer readable storage medium having a computer program stored thereon, the computer program, when executed by a processor, implementing the operating system security deployment method of any of the first aspects.
In the technical solution provided by the embodiments of the application, the edge node sends an iPXE request to the deployment server and obtains and executes the iPXE script the deployment server returns; it checks whether the execution chain of the iPXE script has finished; when the execution chain has finished, it sends a VPN firmware run request to the deployment server, and the deployment server loads and runs the VPN firmware on the basis of the run request; the VPN firmware detects the hardware security module to obtain a detection result; and a VPN connection is created on the basis of that result, through which the configuration information of the target operating system and of the running environment is downloaded. The technical solution therefore brings at least the following beneficial effects:
1. Through a VPN based on national commercial cryptographic algorithms, combined with a security gateway, the trusted computing environment is isolated from the untrusted one.
2. Automated iPXE deployment is achieved in a complex network environment, reducing the deployment time of each edge node from hours to minutes. Because automated deployment can run in parallel at large scale, the invention can raise operation-and-maintenance efficiency by an order of magnitude or more, strongly supporting computing platforms for massive numbers of devices such as the Internet of Things.
Drawings
To illustrate the embodiments of the present invention or the prior-art solutions more clearly, the drawings used in their description are briefly introduced below. The drawings are merely exemplary, and a person of ordinary skill in the art can derive other embodiments from them without inventive effort.
FIG. 1 is a flowchart of the steps of an operating system security deployment method according to an embodiment of the present application;
fig. 2 is a flowchart of a process for performing secure deployment of an operating system according to an embodiment of the present application;
fig. 3 is a signaling interaction diagram of an operating system security deployment process provided in an embodiment of the present application;
fig. 4 is a block diagram of an operating system security deployment apparatus according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of and not restrictive on the broad application.
In the description of the present invention, "a plurality" means two or more unless otherwise specified. The terms "first," "second," "third," "fourth," and the like in the description and claims of the present invention and in the above-described drawings (if any) are intended to distinguish between referenced items. For a scheme with a time sequence flow, the expression of the terms is not necessarily understood to describe a specific sequence or order, and for a scheme with a device structure, the expression of the terms does not have distinction of importance degree, position relation and the like.
Furthermore, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements specifically listed, but may include other steps or elements not expressly listed that are inherent to such process, method, article, or apparatus or that are added to a further optimization scheme based on the present inventive concept.
iPXE is an open-source product developed on the basis of PXE that further advances automated deployment. Its main contributions are:
(1) Support for more communication protocols, such as HTTP/HTTPS, iSCSI and IP SAN, which lets clients obtain operating system software from a wider range of sources.
(2) Support for pre-boot scripts, which enables more complex automation scenarios.
(3) The execution chain (chain) concept, which, combined with scripting, lets the system chainload from one boot image to the next any number of times during start-up until the target operating system is running.
(4) Support for deployment across networks, which eases large-scale deployment, whereas PXE can only deploy within a local area network.
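The following is an added illustration of the execution chain described above and of the edge node identifier carried in the iPXE request; it is example code written for this page, not code from the patent. It assumes a deployment server at https://deploy.example.internal, that the node identifier is the machine's SMBIOS UUID (iPXE's `${uuid}` variable), that the request carries `node` and `stage` query parameters, and a constructed set of registered node identifiers. Stage 0 is the script the network card firmware runs first; it chains to the server, whose stage 1 reply is the last link of the chain and loads the pre-processing kernel that carries the VPN firmware.

```python
import re
from urllib.parse import parse_qs, urlsplit

DEPLOY_URL = "https://deploy.example.internal"   # assumed deployment server address
UUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")
# Constructed: identifiers of the nodes the administrator has registered.
REGISTERED_NODES = {"2f5c2e46-5a5e-4b5c-9a2b-1c2d3e4f5a6b"}

# Stage 0: the first link of the chain, run by the network card firmware. It carries the
# edge node identifier in the iPXE request and chains to whatever script the server returns.
STAGE0 = f"""#!ipxe
set node-id ${{uuid}}
:retry
chain --replace {DEPLOY_URL}/boot.ipxe?node=${{node-id}}&stage=1 || goto failed
:failed
echo Deployment server unreachable, retrying in 10 seconds
sleep 10
goto retry
"""

# Reply for an identifier the server does not know: no boot image is handed out.
STAGE_UNKNOWN = """#!ipxe
echo Node ${uuid} is not registered with the deployment server
sleep 30
reboot
"""


def parse_boot_request(url):
    """Extract and validate the node identifier and stage from the iPXE request URL."""
    query = parse_qs(urlsplit(url).query)
    node = query.get("node", [""])[0].lower()
    stage = int(query.get("stage", ["0"])[0])
    if not UUID_RE.fullmatch(node):
        raise ValueError("malformed node identifier")
    return node, stage


def render_stage1(node_id, extra_params=""):
    """Stage 1, the last link: load the pre-processing kernel that carries the VPN firmware.
    extra_params is where the deployment server appends further kernel parameters."""
    if node_id not in REGISTERED_NODES:
        return STAGE_UNKNOWN
    return f"""#!ipxe
kernel {DEPLOY_URL}/vpn-firmware/vmlinuz node_id={node_id} {extra_params}
initrd {DEPLOY_URL}/vpn-firmware/initrd.img
boot
"""


def chain_finished(script):
    """The check of step 102: the execution chain has finished when the script's last
    command is `boot` (the VPN firmware then takes over); a final `chain` or `goto` means
    another link follows and the request/execute step runs again."""
    commands = [line.split()[0] for line in script.splitlines()
                if line.strip() and not line.startswith(("#", ":"))]
    return bool(commands) and commands[-1] == "boot"


if __name__ == "__main__":
    node, stage = parse_boot_request(
        DEPLOY_URL + "/boot.ipxe?node=2f5c2e46-5a5e-4b5c-9a2b-1c2d3e4f5a6b&stage=1")
    script = render_stage1(node, "vpninfo=...")
    print(script, "chain finished:", chain_finished(script))
```

The identifier is validated before it is interpolated into a script that the client executes, and an unregistered identifier receives no kernel at all. At this stage the identifier is only a hint, not authentication: it is sent before any VPN exists, which is why the patent keeps the VPN information itself encrypted until the HSM or the administrator's token unlocks it.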
However, because the firmware environment has limited resources, PXE assumes its operating environment is trusted and secure and provides no security mechanism. iPXE adds some: HTTPS, simple username/password authentication, and simple VLAN support. Although their strength is limited, they at least protect the pre-boot stage; iPXE still cannot guarantee a secure transition from the pre-boot stage to the production environment. To address this, conventional deployment schemes pre-configure a VPN between the central deployment server and the client's gateway, manually or with auxiliary software. The drawbacks are evident: deployment cannot be fully automated because the VPN has to be established in advance, and additional gateway devices are often required. These two drawbacks have severely limited edge computing and Internet of Things applications.
This application uses the iPXE execution-chain mechanism to embed a VPN auto-connection and firmware deployment module in the system's pre-boot stage, so that secure automated cloud-platform deployment is achieved in an untrusted, complex network environment, strongly supporting the future large-scale application and deployment of edge computing such as the Internet of Things. To aid understanding, the operating system security deployment method disclosed in the embodiments of the present application is described in detail first.
Referring to FIG. 1, a flowchart of an operating system security deployment method according to an embodiment of the present application is shown. The method is applied to an edge node and may include the following steps:
Step 101: send an iPXE request to the deployment server, then obtain and execute the iPXE script the deployment server returns.
In the embodiment of the present application, step 101 is preceded by the following steps:
Step 1011: the user powers on the edge node;
Step 1012: after a series of initialization steps, the edge node's network card firmware sends an iPXE request to the deployment server (which provides the deployment service). The iPXE request further includes an edge node identifier, which may be an edge node number.
In step 101 specifically, the edge node's network card firmware executes the iPXE script returned by the deployment server.
Step 102: check whether the execution chain of the iPXE script has finished; when it has finished, send a VPN firmware run request to the deployment server, and the deployment server loads and runs the VPN firmware on the basis of the run request.
In the embodiment of the present application, the edge node's network card firmware checks whether the script's execution chain has finished. When it has, the edge node would normally enter the kernel-loading phase and download the operating system and configuration information from the deployment server. Unlike a conventional iPXE boot, the method inserts a pre-processing kernel module at this step; this module carries the VPN firmware (the module resides on the deployment server and must be run from there). When the execution chain has not finished, step 101 is executed again.
Step 103: detect the hardware security module through the VPN firmware to obtain a detection result for the hardware security module.
In the embodiment of the application, the detection result is stored once obtained, for example by uploading it to a cloud server. Detection through the VPN firmware yields either a first detection result or a second detection result: the first indicates that the VPN firmware detected a hardware security module, the second that it did not.
Specifically, the VPN firmware checks whether the edge node has a Hardware Security Module (HSM).
If it does, the VPN information is obtained by hard-decoding in order to establish the VPN connection; hard-decoding means decrypting the configuration information directly with the hardware security module to obtain the VPN server address, the edge node's VPN network address, routing information where applicable, the key of the VPN link, and so on;
if it does not, the VPN connection is created by soft-decoding the VPN information, that is, by prompting the administrator to enter a decryption token (soft decode).
Step 104: create a VPN connection on the basis of the obtained detection result, and download the configuration information of the target operating system and of the running environment through the VPN connection.
In the embodiment of the application, the firmware creates the VPN connection, which connects the edge node to the cloud platform management server.
The edge node then downloads the configuration information of the target operating system and of the running environment from the deployment server through the VPN, and writes the operating system and the configuration information to its local hard disk. The configuration includes the VPN information, so that when the production system is started it connects to the central cloud system directly through the VPN. The operating system is started, the node information is registered with the central cloud system over the VPN connection, and deployment is complete.
In other words, within the automated PXE deployment process, the invention moves the automatic VPN setup ahead of the point at which the operating system and sensitive configuration are loaded, ensuring that all sensitive information is transmitted over the VPN and thereby providing a secure automated deployment scheme for edge computing.
Corresponding to the operating system security deployment method applied at the edge node, the application further provides an operating system security deployment method applied at the deployment server. It comprises the following steps:
Step 201: in response to the iPXE request sent by the edge node, return an iPXE script to the edge node.
Step 202: acquire the VPN firmware run request sent by the edge node, and load and run the VPN firmware on the basis of the run request.
The edge node sends the VPN firmware run request after checking that the execution chain of the iPXE script has finished.
Step 203: perform hardware security module detection on the edge node through the VPN firmware to obtain a detection result for the hardware security module.
The detection result is used by the edge node to establish the VPN connection, through which the configuration information of the target operating system and of the running environment is downloaded; the VPN connection connects the edge node to the cloud platform management server.
Specifically, hardware security module detection on the edge node through the VPN firmware yields either a first detection result or a second detection result: the first indicates that the VPN firmware detected a hardware security module, the second that it did not.
For specific limitations of the operating system security deployment method applied at the deployment server, reference may be made to the limitations of the method applied at the edge node described above; they are not repeated here.
FIG. 2 shows the process flow of an operating system security deployment performed by the method.
An alternative embodiment using the present method is given below:
In this embodiment, the central side consists of a Kubernetes cluster, a VPN management module deployed in the cluster, and an automated service deployment module. At the edge, the iPXE execution-chain mechanism is used to embed a VPN auto-connection and deployment firmware module in the system's pre-boot stage, so that secure automated cloud-platform deployment is achieved in an untrusted, complex network environment, strongly supporting the future large-scale application and deployment of edge computing such as the Internet of Things. The system's VPN uses a customized VPN technology based on national commercial cryptographic algorithms. FIG. 3 is the signaling interaction diagram of the operating system secure deployment process in this embodiment; the interaction steps are as follows:
1. The administrator submits a request to create a VPN network through the system's operating interface. An administrator may create any number of VPNs as required.
2. The VPN management server stores the new network's information in the k8s database.
3. k8s returns a success message to the management server.
4. The management server returns a success message to the administrator, who can now add nodes to the network.
5. The administrator creates a network node through the operating interface.
6. The VPN server generates a public/private key pair for the node.
7. Combined with the system administrator's input, a complete node record is generated and stored in the k8s database.
8. The node's registration token is returned to the administrator; the token is valid only for a limited time.
9. The administrator powers on the edge computing node.
10. The edge node sends a load-system request to the deployment server via PXE.
11. The deployment server requests the node's VPN information from the VPN server.
12. The VPN server returns the encrypted VPN information.
13. The deployment server passes the encrypted VPN information to the edge node as a kernel boot parameter.
14. The administrator enters the token and the VPN information is decrypted (this step is skipped if an HSM is used).
15. The edge node activates the VPN link according to the returned information. This link is used for the further installation and configuration of the system. This is the key link of the invention; its technical implementation is described in detail in steps 103 and 104 above. (To add a further edge node, steps 5 to 15 are repeated.)
16. The edge node communicates securely under the protection of the VPN.
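The exchange above (steps 5 to 14) and the edge-node steps 103 and 104 are modelled below as an added example written for this page; it is not the patent's implementation. It assumes: the VPN management server's k8s database is a dict; the node's VPN information is sealed once under a key stretched from the administrator's registration token (the soft-decode path) and, where the node has an HSM, once more under a key assumed to be provisioned in that HSM beforehand (the hard-decode path); the kernel parameter carrying the sealed data is named `vpninfo`; and the patent's unspecified cryptographic algorithm is replaced by a standard-library stand-in (HMAC-SHA256 keystream with an encrypt-then-MAC tag). Addresses and keys are constructed.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Toy authenticated encryption: HMAC-SHA256 keystream in counter mode, encrypt-then-MAC,
# with separate encryption and MAC subkeys. It stands in for the patent's unspecified
# cryptographic algorithm so the example runs on the standard library alone; use a real
# AEAD from a vetted library (for example SM4-GCM or AES-GCM) in production.
def subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def keystream(key, nonce, length):
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison, fail closed
        raise ValueError("VPN information failed its integrity check")
    return bytes(a ^ b for a, b in zip(ct, keystream(subkey(key, b"enc"), nonce, len(ct))))

def b64e(raw):
    return base64.urlsafe_b64encode(raw).decode()

def b64d(text):
    return base64.urlsafe_b64decode(text)

def token_key(token, salt):
    """Soft-decode path: stretch the administrator's registration token into a key."""
    return hashlib.pbkdf2_hmac("sha256", token.encode(), salt, 100_000)


class VpnManagementServer:
    """Central-side VPN management module (steps 1-8 and 11-12). The patent keeps the
    network and node records in a k8s database; a dict stands in for it here."""
    TOKEN_TTL = 600  # seconds; the patent only says the token is time-limited

    def __init__(self):
        self.networks, self.nodes = {}, {}

    def create_network(self, name, vpn_server):
        self.networks[name] = {"server": vpn_server, "next_host": 2}

    def create_node(self, network, node_id, hsm_key=None):
        """Generate the node's VPN address and link key, seal them for the token path and,
        if the node has an HSM, for the HSM path (hsm_key is assumed to be provisioned in
        the node's HSM beforehand), and return the administrator's registration token."""
        net = self.networks[network]
        vpn_info = {"server": net["server"], "address": f"10.8.0.{net['next_host']}/24",
                    "link_key": b64e(os.urandom(32))}
        net["next_host"] += 1
        token, salt = b64e(os.urandom(18)), os.urandom(16)
        payload = json.dumps(vpn_info).encode()
        sealed = {"salt": b64e(salt), "by_token": b64e(seal(token_key(token, salt), payload))}
        if hsm_key is not None:
            sealed["by_hsm"] = b64e(seal(hsm_key, payload))
        self.nodes[node_id] = {"vpn_info": vpn_info, "sealed": sealed,
                               "expires": time.time() + self.TOKEN_TTL}
        return token

    def get_encrypted_info(self, node_id):
        """Step 12: release only the sealed record, and only while the token is valid."""
        record = self.nodes[node_id]
        if time.time() > record["expires"]:
            raise PermissionError(f"registration token for {node_id} has expired")
        return record["sealed"]


def build_kernel_cmdline(vpn_server, node_id):
    """Step 13 on the deployment server: hand the sealed VPN information to the edge node
    as a kernel boot parameter (the parameter name vpninfo is an assumption)."""
    sealed = json.dumps(vpn_server.get_encrypted_info(node_id)).encode()
    return f"console=ttyS0 node_id={node_id} vpninfo={b64e(sealed)}"

def parse_kernel_cmdline(cmdline):
    params = dict(p.split("=", 1) for p in cmdline.split() if "=" in p)
    return json.loads(b64d(params["vpninfo"]))

def decode_vpn_info(sealed, hsm_key=None, token=None):
    """Steps 103-104 (step 14 of the signaling flow) on the edge node: hard-decode through
    the HSM when one was detected, otherwise soft-decode with the token the administrator
    types in. Either path fails closed if the sealed data was altered in transit."""
    if hsm_key is not None and "by_hsm" in sealed:
        return json.loads(unseal(hsm_key, b64d(sealed["by_hsm"])))
    if token is None:
        raise ValueError("no HSM detected and no administrator token supplied")
    key = token_key(token, b64d(sealed["salt"]))
    return json.loads(unseal(key, b64d(sealed["by_token"])))


if __name__ == "__main__":
    vm = VpnManagementServer()
    vm.create_network("edge-net", "vpn.example.internal:1194")   # constructed address
    hsm = os.urandom(32)                                         # simulated HSM key
    tok = vm.create_node("edge-net", "node-0001", hsm_key=hsm)
    sealed = parse_kernel_cmdline(build_kernel_cmdline(vm, "node-0001"))
    print("soft decode:", decode_vpn_info(sealed, token=tok)["address"])
    print("hard decode:", decode_vpn_info(sealed, hsm_key=hsm)["address"])
```

Two design points follow from the patent's flow. The sealed record may be exposed on the kernel command line and to the deployment server because only the HSM key or the administrator's token can open it, so neither of those may ever travel that path; and the token's lifetime is enforced by the VPN management server when the deployment server asks for the record (step 11), not by the edge node, whose clock is untrusted before it has a VPN.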
Referring to FIG. 4, a block diagram of an operating system security deployment apparatus 300 according to an embodiment of the present application is shown. As shown in FIG. 4, the apparatus 300 may include an obtaining module 301, a judging module 302, a detection module 303 and a connection module 304.
The obtaining module 301 is configured to obtain and execute the iPXE script returned by the deployment server by sending an iPXE request to the deployment server;
the judging module 302 is configured to check whether the execution chain of the iPXE script has finished and, when it has finished, to send a VPN firmware run request to the deployment server, the deployment server loading and running the VPN firmware on the basis of the run request;
the detection module 303 is configured to perform hardware security module detection through the VPN firmware to obtain a detection result for the hardware security module;
and the connection module 304 is configured to create a VPN connection on the basis of the obtained detection result and to download the configuration information of the target operating system and of the running environment through the VPN connection, wherein the VPN connection connects the edge node to the cloud platform management server.
For the specific definition of the operating system security deployment apparatus, reference may be made to the definition of the operating system security deployment method above, which is not repeated here. The modules of the apparatus may be implemented wholly or partly in software, in hardware, or in a combination of the two. They may be embedded in hardware form in, or be independent of, the processor of the computer device, or be stored in software form in the memory of the computer device so that the processor can call and execute the operations corresponding to each module.
In one embodiment, an electronic device is provided, which may be a computer. It comprises a processor, a memory and a network interface connected by a system bus. The processor provides computing and control capability. The memory comprises a non-volatile storage medium and an internal memory; the non-volatile storage medium stores an operating system, a computer program and a database, and the internal memory provides the running environment for the operating system and the computer program. The database holds the operating system secure deployment data. The network interface communicates with external terminals over a network connection. When the computer program is executed by the processor, it implements an operating system security deployment method.
In one embodiment of the present application, a computer-readable storage medium is provided, on which a computer program is stored, which, when executed by a processor, implements the steps of the operating system security deployment method described above.
The implementation principle and technical effect of the computer-readable storage medium provided by this embodiment are similar to those of the above-described method embodiment, and are not described herein again.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by instructing the relevant hardware through a computer program, which can be stored in a non-volatile computer-readable storage medium and which, when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, database or other medium used in the embodiments provided herein can include non-volatile and/or volatile memory. Non-volatile memory can include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM), and Rambus dynamic RAM (RDRAM), among others.
All the technical features of the above embodiments can be arbitrarily combined (as long as there is no contradiction between the combinations of the technical features), and for the sake of brevity, all the possible combinations of the technical features in the above embodiments are not described; such non-explicitly written embodiments should be considered as being within the scope of the present description.
The present application has been described in considerable detail with reference to the foregoing general description and specific examples. It should be understood that several general adaptations or further innovations of these specific embodiments can also be made based on the technical idea of the present application; however, such conventional modifications and further innovations can also fall into the scope of the claims of the present application as long as they do not depart from the technical idea of the present application.

Claims (9)

1. An operating system security deployment method applied to an edge node, the method comprising:
sending an iPXE request to a deployment server, and acquiring and executing an iPXE script returned by the deployment server, wherein the iPXE request further comprises an edge node identifier;
checking and judging whether the iPXE script execution chain is finished or not; when the iPXE script execution chain is finished, sending a VPN firmware operation request to the deployment server, the deployment server loading and running the VPN firmware based on the operation request;
detecting a hardware security module through the VPN firmware to obtain a detection result of the hardware security module, and storing the detection result;
creating VPN connection based on the obtained detection result, wherein an iPXE execution chain mechanism is adopted, and a VPN automatic connection and deployment firmware module is input into a system pre-execution node; downloading configuration information of a target operating system and an operating environment through VPN connection, wherein the VPN connection is used for connecting an edge node and a cloud platform management server, and is established based on a cryptographic algorithm;
wherein, the method further comprises: writing the operating system and the configuration information into a local hard disk; when the operating system is started, the operating system is connected with the cloud platform management server through the VPN, node information is registered, and deployment is completed.
2. The method according to claim 1, wherein performing hardware security module detection by the VPN firmware to obtain a detection result of the hardware security module comprises:
detecting a hardware security module through the VPN firmware to obtain a first detection result and a second detection result of the hardware security module; the first detection result is used for representing that the VPN firmware detects the hardware security module, and the second detection result is used for representing that the VPN firmware does not detect the hardware security module.
3. The method of claim 2, wherein when a hardware security module detection is performed by the VPN firmware to obtain a first detection result of the hardware security module, the creating a VPN connection based on the obtained detection result comprises:
and creating VPN connection through hard decoding VPN information, wherein the hard decoding VPN information comprises directly decoding the configuration information through a hardware security module to obtain VPN information.
4. The method according to claim 2, wherein when the second detection result of the hardware security module is obtained by performing hardware security module detection by the VPN firmware, the creating a VPN connection based on the obtained detection result comprises:
and creating the VPN connection through soft decoding VPN information, wherein the soft decoding VPN information comprises prompting an administrator to input a decoding token to obtain the VPN information.
5. An operating system security deployment method applied to a deployment server is characterized by comprising the following steps:
responding to an iPXE request sent by an edge node, and returning an iPXE script to the edge node, wherein the iPXE request also comprises an edge node identifier;
acquiring a VPN firmware operation request sent by the edge node, and loading and running the VPN firmware based on the operation request, wherein the VPN firmware operation request is sent after the edge node has checked and judged that the iPXE script execution chain is finished;
performing hardware security module detection on the edge node through the VPN firmware to obtain a detection result of the hardware security module, and storing the detection result; the detection result is used for enabling the edge node to establish VPN connection, wherein an iPXE execution chain mechanism is adopted, and a VPN automatic connection and firmware deployment module is input into a system pre-execution node; downloading configuration information of a target operating system and an operating environment through VPN connection, wherein the VPN connection is used for connecting an edge node and a cloud platform management server, and is established based on a cryptographic algorithm;
wherein, the method further comprises: writing the operating system and the configuration information into a local hard disk; when the operating system is started, the operating system is connected with the cloud platform management server through the VPN, node information is registered, and deployment is completed.
6. The method according to claim 5, wherein performing, by the VPN firmware, hardware security module detection on the edge node to obtain a detection result of the hardware security module includes:
performing hardware security module detection on the edge node through the VPN firmware to obtain a first detection result and a second detection result of the hardware security module; the first detection result is used for representing that the VPN firmware detects the hardware security module, and the second detection result is used for representing that the VPN firmware does not detect the hardware security module.
7. An operating system security deployment apparatus, the apparatus comprising:
the acquisition module is used for acquiring and executing the iPXE script returned by the deployment server by sending an iPXE request to the deployment server, wherein the iPXE request also comprises an edge node identifier;
the judging module is used for checking and judging whether the iPXE script execution chain is finished or not; when the iPXE script execution chain is finished, sending a VPN firmware operation request to the deployment server, the deployment server loading and running the VPN firmware based on the operation request;
the detection module is used for detecting the hardware security module through the VPN firmware to obtain a detection result of the hardware security module and storing the detection result;
the connection module is used for establishing VPN connection based on the obtained detection result, wherein an iPXE execution chain mechanism is adopted, and a VPN automatic connection and firmware deployment module is input into a system pre-execution node; downloading configuration information of a target operating system and an operating environment through VPN connection, wherein the VPN connection is used for connecting an edge node and a cloud platform management server, and is established based on a cryptographic algorithm;
wherein the connection module is further configured for: writing the operating system and the configuration information into a local hard disk; when the operating system is started, the operating system is connected with the cloud platform management server through the VPN, node information is registered, and deployment is completed.
8. An electronic device comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, implements the operating system security deployment method of any of claims 1 to 4.
9. A computer-readable storage medium, having stored thereon a computer program which, when executed by a processor, implements the operating system security deployment method of any of claims 1 to 4.
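The edge-node flow of claims 1 to 4 (iPXE execution chain, VPN firmware run, hardware security module detection, hard or soft decoding of the VPN information, writing to the local disk, registration on first boot), as an added Python model that is not part of the patent. The class and function names, the iPXE script names, the sealed VPN information and the XOR "seal" standing in for the patent's unspecified cryptographic algorithm are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

HSM_DETECTED = "first_result"       # claim 2: the VPN firmware detected an HSM
HSM_NOT_DETECTED = "second_result"  # claim 2: the VPN firmware detected no HSM
# Constructed iPXE execution chain: each script names its successor; None ends the chain.
IPXE_CHAIN = {"boot.ipxe": "probe.ipxe", "probe.ipxe": "vpnfw.ipxe", "vpnfw.ipxe": None}

def toy_seal(plain: str, key: bytes) -> bytes:
    """Repeating-key XOR: stand-in for the patent's unspecified cryptographic algorithm.
    NOT secure; it only models 'VPN information needs a key to decode'."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(plain.encode("latin-1")))

def toy_unseal(sealed: bytes, key: bytes) -> str:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(sealed)).decode("latin-1")

@dataclass
class EdgeNode:
    node_id: str
    hsm_key: Optional[bytes]                      # key inside the HSM; None = no HSM fitted
    executed: list = field(default_factory=list)  # iPXE scripts run, in order
    detection: Optional[str] = None
    decode_mode: Optional[str] = None             # "hard" (claim 3) or "soft" (claim 4)
    vpn_info: Optional[str] = None
    disk: dict = field(default_factory=dict)      # stands in for the local hard disk

def deploy(node: EdgeNode, sealed_vpn_info: bytes, admin_token: Optional[bytes],
           target_os: str, registry: dict) -> EdgeNode:
    """Edge-node side of claim 1; `registry` models the management server's node table."""
    # 1. iPXE request (carrying the node id) -> run returned scripts until the chain ends.
    script = "boot.ipxe"
    while script is not None:
        node.executed.append(script)
        script = IPXE_CHAIN[script]
    # 2. Chain finished -> VPN firmware is requested and run; it probes for an HSM.
    node.detection = HSM_DETECTED if node.hsm_key is not None else HSM_NOT_DETECTED
    # 3. Create the VPN connection according to the detection result.
    if node.detection == HSM_DETECTED:
        node.decode_mode, key = "hard", node.hsm_key    # claim 3: HSM decodes directly
    elif admin_token is not None:
        node.decode_mode, key = "soft", admin_token     # claim 4: administrator's token
    else:
        raise PermissionError(f"{node.node_id}: no HSM and no administrator token")
    vpn_info = toy_unseal(sealed_vpn_info, key)
    if not vpn_info.startswith("vpn://"):               # wrong token: refuse to connect
        raise ValueError(f"{node.node_id}: VPN information failed to decode")
    node.vpn_info = vpn_info
    # 4. Download OS and configuration over the VPN and write them to the local disk.
    node.disk = {"os": target_os, "config": {"mgmt": vpn_info, "node_id": node.node_id}}
    # 5. First boot: reconnect over the VPN and register node information; deployment done.
    registry[node.node_id] = {"os": node.disk["os"], "mode": node.decode_mode}
    return node
```

A node without an HSM and without an administrator token never reaches the download step, which is the failure mode the two decoding paths of claims 3 and 4 are there to avoid.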
Application CN202210546853.XA (priority date 2022-05-19, filing date 2022-05-19): Operating system security deployment method, device, equipment and storage medium; status Active; granted as CN114942771B (en)
Publications (2)

Publication Number Publication Date
CN114942771A (en) 2022-08-26
CN114942771B (en) 2022-12-06

Family ID: 82907164

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101089826A (en) * 2006-06-12 2007-12-19 国际商业机器公司 Method and system for creating error tolerant and adaptive graphical user interface test automation
CN102571948A (en) * 2011-12-29 2012-07-11 国云科技股份有限公司 Cloud-computing-based platform as a service (PaaS) platform system and implementation method thereof
CN104158882A (en) * 2014-08-20 2014-11-19 信雅达系统工程股份有限公司 POS (Point Of Sale) system based on cloud middleware
CN104303151A (en) * 2011-05-20 2015-01-21 西里克斯系统公司 Shell integration for an application executing remotely on a server
US10855674B1 (en) * 2018-05-10 2020-12-01 Microstrategy Incorporated Pre-boot network-based authentication
CN114363295A (en) * 2020-09-28 2022-04-15 华为云计算技术有限公司 Tenant server management method and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11748143B2 (en) * 2020-05-15 2023-09-05 Commvault Systems, Inc. Live mount of virtual machines in a public cloud computing environment

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Sebastian Schmelzer, "Universal remote boot and administration service", 2011 7th Latin American Network Operations and Management Symposium, 2011-10-11, pp. 1-6 *
张新朝, "Deployment of a virtual cluster environment based on the OpenStack cloud platform" (基于 OpenStack 云平台虚拟集群环境的部署), 闽南师范大学学报(自然科学版) (Journal of Minnan Normal University, Natural Science Edition), No. 1, 2015-03-20, pp. 1-6 *

Legal Events

Code Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant