CN115061777A - Starting method and device of safety container, electronic equipment and storage medium - Google Patents


Info

Publication number
CN115061777A
Authority
CN
China
Prior art keywords
container
starting
template
virtual machine
target
Legal status
Pending
Application number
CN202210674345.XA
Other languages
Chinese (zh)
Inventor
边子政
Current Assignee
Alibaba China Co Ltd
Original Assignee
Alibaba China Co Ltd
Application filed by Alibaba China Co Ltd
Priority to CN202210674345.XA
Publication of CN115061777A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45583 Memory management, e.g. access or allocation
    • G06F2009/45591 Monitoring or debugging support

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

One or more embodiments of the present specification provide a method, an apparatus, an electronic device, and a storage medium for starting a secure container. The method is applied to a container engine on a host machine and comprises the following steps: in response to a container start template creation request corresponding to a target micro virtual machine, creating, in a file system supporting large-page storage, a generic container start template for starting secure containers deployed on the target micro virtual machine; storing the generic container start template into the memory space of the target micro virtual machine by memory mapping; and, in response to a container start request for a target secure container deployed on the target micro virtual machine, obtaining the generic container start template from the memory space of the target micro virtual machine and starting the target secure container based on the obtained generic container start template.

Description

Starting method and device of safety container, electronic equipment and storage medium
Technical Field
One or more embodiments of the present disclosure relate to the field of container technologies, and in particular, to a method and an apparatus for starting a secure container, an electronic device, and a machine-readable storage medium.
Background
With the advent of the cloud-native era, more and more users have begun using containers; a container is a kernel-level virtualization technology of the Linux system that can be used to isolate processes.
A conventional container, such as a runc container, is based on operating-system virtualization: it uses the operating system of the host and shares the kernel with other programs on the host. Container isolation is achieved through the cgroups (Linux control groups) and namespace mechanisms.
A secure container is based on hardware virtualization and uses the operating system of a micro virtual machine (micro VM) hosted by the host machine; the micro virtual machine is a lightweight virtual machine that serves as the running environment of the user workload in the secure container. Because each micro virtual machine has an independent kernel, a secure container deployed in a given micro virtual machine uses the kernel of that micro virtual machine, so container isolation is realized through the different micro virtual machines hosted by the host machine.
Therefore, compared with the conventional container, the secure container has better isolation and is more secure, but it starts more slowly and its CPU and memory overhead is higher.
Disclosure of Invention
In view of the above, one or more embodiments of the present disclosure provide a method, an apparatus, an electronic device, and a machine-readable storage medium for starting a secure container.
According to a first aspect of the present specification, there is provided a method for starting a secure container, the method being applied to a container engine on a host machine; the host machine comprises the container engine and at least one micro virtual machine, the container engine is used for managing the secure containers running on the host machine, and at least one secure container is deployed on each micro virtual machine; the method comprises the following steps:
in response to a container start template creation request corresponding to a target micro virtual machine, creating, in a file system supporting large-page storage, a generic container start template for starting secure containers deployed on the target micro virtual machine;
storing the generic container start template into the memory space of the target micro virtual machine by memory mapping;
and in response to a container start request for a target secure container deployed on the target micro virtual machine, obtaining the generic container start template from the memory space of the target micro virtual machine, and starting the target secure container based on the obtained generic container start template.
Optionally, storing the generic container start template into the memory space of the target micro virtual machine by memory mapping includes:
memory-mapping, in the memory space of the target micro virtual machine, the template file in the file system that is used to store the generic container start template, so as to map the template file to a target memory address space within the memory space of the target micro virtual machine;
and writing the generic container start template into the target memory address space.
Optionally, before memory-mapping the template file in the memory space of the target micro virtual machine, the method further includes:
creating, under a subdirectory of the entry (mount) directory of the file system, the template file used to store the generic container start template.
Optionally, memory-mapping the template file in the memory space of the target micro virtual machine so as to map it to a target memory address space includes:
performing, in the memory space of the target micro virtual machine, a private memory mapping of the template file that stores the generic container start template, so as to map the template file to a target private memory address space within the memory space of the target micro virtual machine.
Optionally, obtaining the generic container start template from the memory space of the target micro virtual machine includes:
determining the template file in the file system that stores the generic container start template;
determining the target memory address space to which the template file is mapped in the memory space of the target micro virtual machine;
and reading the generic container start template from the target memory address space.
Optionally, creating the generic container start template for starting secure containers deployed on the target micro virtual machine includes:
cold-starting the target micro virtual machine, so that the cold-started target micro virtual machine further starts, in its operating system, an agent program used for starting secure containers;
and in response to detecting that the agent program has started, saving a snapshot of the runtime state of the target micro virtual machine to generate the generic container start template.
Optionally, the generic container start template includes first start information for starting any secure container deployed on the target micro virtual machine, and the container start request carries second start information for starting the target secure container;
starting the target secure container based on the obtained generic container start template includes:
detecting whether the first start information included in the obtained generic container start template matches the second start information carried by the container start request;
if so, starting the target secure container according to the obtained generic container start template;
if not, updating the first start information included in the generic container start template according to the second start information, and starting the target secure container according to the updated generic container start template.
Optionally, the first start information includes micro virtual machine configuration information used for starting the target micro virtual machine, and container configuration information used for starting any secure container deployed on the target micro virtual machine;
starting the target secure container according to the obtained or updated generic container start template includes:
starting the target micro virtual machine according to the micro virtual machine configuration information included in the obtained or updated generic container start template;
switching the target micro virtual machine to the post-agent-start running state stored in the generic container start template, so that the target micro virtual machine runs the agent program in that running state;
and starting the target secure container deployed on the target micro virtual machine according to the container configuration information included in the obtained or updated generic container start template.
Optionally, the file system supporting large-page storage is the Linux hugetlbfs file system.
According to a second aspect of the present specification, there is provided an apparatus for starting a secure container, the apparatus being applied to a container engine on a host machine; the host machine comprises the container engine and at least one micro virtual machine, the container engine is used for managing the secure containers running on the host machine, and at least one secure container is deployed on each micro virtual machine; the apparatus comprises:
a template creation unit, configured to create, in response to a container start template creation request corresponding to a target micro virtual machine, a generic container start template in a file system supporting large-page storage for starting secure containers deployed on the target micro virtual machine;
a memory mapping unit, configured to store the generic container start template into the memory space of the target micro virtual machine by memory mapping;
and a container start unit, configured to obtain, in response to a container start request for a target secure container deployed on the target micro virtual machine, the generic container start template from the memory space of the target micro virtual machine, and to start the target secure container based on the obtained generic container start template.
According to a third aspect of the present specification, there is provided an electronic device comprising a communication interface, a processor, a memory, and a bus, the communication interface, the processor, and the memory being interconnected via the bus;
the memory stores machine-readable instructions, and the processor executes the method by calling the machine-readable instructions.
According to a fourth aspect of the present specification, there is provided a machine-readable storage medium having stored thereon machine-readable instructions which, when invoked and executed by a processor, carry out the above-mentioned method.
In the above embodiments, by means of memory mapping, a generic container start template created in a file system supporting large-page storage is first stored into the memory space of the target micro virtual machine, and the generic container start template is then obtained from that memory space in order to start the target secure container deployed on the target micro virtual machine. This works around the fact that, in the related art, a file system supporting large-page storage does not support the read/write system calls, and allows the target secure container to be started from a generic container start template created in such a file system.
Compared with a THP-based template start scheme, starting the secure container from a generic container start template created in a file system supporting large-page storage has several advantages: first, the start of the secure container is faster because a larger memory does not need to be hot-plugged; second, because the template is created in the file system supporting large-page storage, the memory allocated to the target secure container is guaranteed to consist entirely of large-page memory, which reduces TLB misses, page faults and similar problems and thereby improves container performance; third, the generic container start template can be shared by the at least one micro virtual machine included in the host machine, that is, by secure containers deployed in different micro virtual machines, which saves the memory overhead of storing the template in the file system.
Drawings
FIG. 1 is a flowchart illustrating a method for starting a secure container according to an exemplary embodiment;
FIG. 2 is a schematic structural diagram of an electronic device in which an apparatus for starting a secure container is located, according to an exemplary embodiment;
FIG. 3 is a block diagram of an apparatus for starting a secure container according to an exemplary embodiment.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. The following description refers to the accompanying drawings in which the same numbers in different drawings represent the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with one or more embodiments of the present specification. Rather, they are merely examples of apparatus and methods consistent with certain aspects of one or more embodiments of the specification, as detailed in the claims which follow.
It should be noted that: in other embodiments, the steps of the corresponding methods are not necessarily performed in the order shown and described in this specification. In some other embodiments, the method may include more or fewer steps than those described herein. Moreover, a single step described in this specification may be broken down into multiple steps for description in other embodiments; multiple steps described in this specification may be combined into a single step in other embodiments.
To help those skilled in the art better understand the technical solutions in the embodiments of the present disclosure, the related art concerning the secure container is briefly described below.
With the advent of the cloud-native era, more and more users have begun using containers; a container is a kernel-level virtualization technology of the Linux system that can be used to isolate processes.
A conventional container, such as a runc container, is based on operating-system virtualization: it uses the operating system of the host and shares the kernel with other programs on the host. Container isolation is achieved through the cgroups (Linux control groups) and namespace mechanisms.
A secure container is based on hardware virtualization and uses the operating system of a micro virtual machine (microVM) hosted by the host machine; the micro virtual machine is a lightweight virtual machine that serves as the running environment of the user workload in the secure container. Because each micro virtual machine has an independent kernel, a secure container deployed in a given micro virtual machine uses the kernel of that micro virtual machine, so container isolation is realized through the different micro virtual machines hosted by the host machine, and the isolation is better and more secure.
In practice, compared with the conventional container, the secure container starts slowly and has a large CPU and memory overhead. To increase the start speed of the secure container and reduce its CPU and memory overhead, a template start scheme may be adopted, that is, the secure container is started from a previously created container template. Further, to improve runtime performance, the secure container needs to use large-page memory (hugepages) on the host.
For example, a template start scheme based on THP (Transparent Huge Pages) may be employed: the secure container is started from a container template created on a storage medium such as a disk using small-page storage, and the larger memory is hot-plugged after the start (small-page or large-page memory may be hot-plugged as needed).
In paged virtual memory, the virtual and physical address spaces are divided into fixed-size pages, and memory is allocated to each thread in units of pages. The size of a "small page" is typically 4 KB; the size of a "large page" is typically 2 MB, 1 GB, or even larger.
In the above THP-based template start scheme, then, the start of the secure container is slowed by the need to hot-plug a larger memory; it cannot be guaranteed that the memory allocated to the secure container consists entirely of large-page memory, so performance cannot be improved to the greatest extent; and a container template created with small-page storage cannot be shared by secure containers deployed in different virtual machines, which increases memory overhead.
In view of the above, the present specification aims to propose a technical solution for starting a secure container based on a generic container starting template created in a file system supporting large-page storage.
When the method is implemented, the host machine may comprise a container engine, which manages the secure containers running on the host machine, and at least one micro virtual machine, with at least one secure container deployable on each micro virtual machine. In response to a container start template creation request corresponding to a target micro virtual machine, the container engine may create, in a file system supporting large-page storage, a generic container start template for starting secure containers deployed on the target micro virtual machine; the container engine may then store the generic container start template into the memory space of the target micro virtual machine by memory mapping; and, in response to a container start request for a target secure container deployed on the target micro virtual machine, the container engine may obtain the generic container start template from the memory space of the target micro virtual machine and start the target secure container based on the obtained template.
Thus, in the technical solution of this specification, a generic container start template created in a file system supporting large-page storage is stored into the memory space of the target micro virtual machine by memory mapping, and is then obtained from that memory space to start the target secure container deployed on the target micro virtual machine. This works around the fact that, in the related art, a file system supporting large-page storage does not support the read/write system calls, and allows the target secure container to be started from a generic container start template created in such a file system.
Compared with a THP-based template start scheme, starting the secure container from a generic container start template created in a file system supporting large-page storage has several advantages: first, the start of the secure container is faster because a larger memory does not need to be hot-plugged; second, because the template is created in the file system supporting large-page storage, the memory allocated to the target secure container is guaranteed to consist entirely of large-page memory, which reduces TLB misses, page faults and similar problems and thereby improves container performance; third, the generic container start template can be shared by the at least one micro virtual machine included in the host machine, that is, by secure containers deployed in different micro virtual machines, which saves the memory overhead of storing the template in the file system.
The present application is described below with reference to specific embodiments and specific application scenarios.
Referring to FIG. 1, FIG. 1 is a flowchart illustrating a method for starting a secure container according to an exemplary embodiment of the present disclosure. The method may be applied to a container engine on a host machine; the host machine may comprise the container engine, which manages the secure containers running on the host machine, and at least one micro virtual machine, on which at least one secure container may be deployed. The method may perform the following steps:
step 102: in response to a container start template creation request corresponding to a target micro virtual machine, creating, in a file system supporting large-page storage, a generic container start template for starting secure containers deployed on the target micro virtual machine;
step 104: storing the generic container start template into the memory space of the target micro virtual machine by memory mapping;
step 106: in response to a container start request for a target secure container deployed on the target micro virtual machine, obtaining the generic container start template from the memory space of the target micro virtual machine, and starting the target secure container based on the obtained generic container start template.
In this specification, the target micro virtual machine may be any micro virtual machine on the host machine on which the target secure container is deployed, and the target secure container may be any secure container to be started that is deployed on the target micro virtual machine.
For example, the container start template creation request and/or the container start request received by the container engine may carry the micro virtual machine identifier of the target micro virtual machine and/or the container identifier of the target secure container; on receiving such a request, the container engine may take the micro virtual machine indicated by the carried micro virtual machine identifier as the target micro virtual machine, and/or the secure container indicated by the carried container identifier as the target secure container.
In this specification, in response to a container start template creation request corresponding to the target micro virtual machine, a generic container start template for starting secure containers deployed on the target micro virtual machine may be created in a file system supporting large-page storage.
The generic container start template may be understood as a container start template that can be shared by different micro virtual machines. The generic container start template stored in the file system supporting large-page storage can be stored into the memory spaces of different micro virtual machines by memory mapping, and one or more secure containers deployed on each micro virtual machine can then be started from the template held in that micro virtual machine's memory space, so the generic container start template is shared by the different micro virtual machines. In addition, because the generic container start template is created in a file system supporting large-page storage and therefore resides entirely in large-page memory, the memory allocated to a target secure container started from the template can consist entirely of large-page memory.
For example, the file system supporting large-page storage may be the Linux hugetlbfs file system; the container engine may receive a container start template creation request corresponding to the target micro virtual machine and, in response, create in the Linux hugetlbfs file system a generic container start template that may be used to start one or more secure containers deployed on the target micro virtual machine.
In one embodiment, the generic container start template may be generated using a snapshot technique and stored in the file system supporting large-page storage. In implementation, creating the generic container start template for starting secure containers deployed on the target micro virtual machine may specifically include: cold-starting the target micro virtual machine, so that the cold-started target micro virtual machine further starts, in its operating system, an agent program used for starting secure containers; and, in response to detecting that the agent program has started, saving a snapshot of the runtime state of the target micro virtual machine to generate the generic container start template.
For example, in response to a container start template creation request corresponding to the target micro virtual machine, the micro virtual machine configuration information of the target micro virtual machine to be started may be determined from the current container configuration information, which may include the resources, such as storage resources and network resources, with which the target micro virtual machine is started in the current operating environment; the storage resources may include the back-end file path of an emulated device in the target micro virtual machine, the file name of the storage file, and the like, and the network resources may include a network port and the like. The target micro virtual machine may then be cold-started according to the determined micro virtual machine configuration information, so that the cold-started target micro virtual machine further starts, in its operating system, the agent program used for starting secure containers; in response to detecting that the agent program has started, a snapshot of the runtime state of the target micro virtual machine may be saved to generate the generic container start template.
Detecting whether the agent program has started may specifically include: after the target micro virtual machine is cold-started, periodically attempting to connect to the agent program using a polling mechanism, and determining that the agent program has started once a connection succeeds; or determining that the agent program has started in response to receiving a notification message that the agent program actively sends to the container engine after it starts.
The generic container start template may include first start information for starting any secure container deployed on the target micro virtual machine; the first start information may specifically include micro virtual machine configuration information used for starting the target micro virtual machine, and container configuration information used for starting any secure container deployed on the target micro virtual machine; the generic container start template may also store the runtime state of the target micro virtual machine after the agent program has started. The container configuration information may include, but is not limited to, the container specification, the user address information corresponding to the application in the container, the timestamp at which the container is started, the container ID, and the like.
It should be noted that, in the above embodiment, after the agent program in the operating system of the target micro virtual machine has started successfully, a snapshot of the runtime state of the target micro virtual machine is saved to obtain the generic container start template. Because the start sequences of the guest operating system and the agent program are similar for every secure container instance, when a secure container is started from the generic container start template the guest operating system and the agent program do not need to be started again: the target micro virtual machine can be switched directly to the post-agent-start running state stored in the template, so that it runs the agent program in that state, which speeds up the start of the secure container and saves the CPU overhead of starting it.
In this specification, after the generic container start template is created in a file system supporting large-page storage, the generic container start template may be stored in a memory mapping manner in a memory space of the target micro virtual machine.
For example, after the universal container startup template is created in the Linux Hugetlbfs file system, the universal container startup template may be stored in the memory space of the target micro-virtual machine in a memory mapping manner.
It should be noted that, in the related art, a file system supporting large-page storage generally does not support the ordinary read/write system calls, that is, the container engine cannot access the template file by means of read/write system calls. (On current Linux kernels the limitation that matters is on write(): Hugetlbfs does serve read(), but it has no write() path, so the file contents can only be populated through a mapping.) Based on this, in the technical solution of this specification, the generic container start template created in the file system supporting large-page storage is stored in the memory space of the target micro virtual machine by memory mapping, and is then acquired from that memory space, so that the container engine can obtain the generic container start template created in the file system.
In one embodiment shown, before storing the generic container start template in a memory-mapped manner into the memory space of the target micro virtual machine, the method may further include: creating, under a subdirectory of the entry directory of the file system, a template file for storing the generic container start template.
For example, the container engine may create a template file for storing the generic container start template under a subdirectory of the entry directory (that is, the mount point) of the Linux Hugetlbfs file system, and may then use a system call such as truncate/ftruncate to set the length of the template file to the guest memory size. On Hugetlbfs the length must be a multiple of the huge page size of the mount; otherwise the truncate fails with EINVAL, so the guest memory size should be aligned accordingly.
In this case, the process of storing the generic container start-up template in a memory mapping manner to the memory space of the target micro-virtual machine may specifically include: performing memory mapping on a template file used for storing the universal container starting template in the file system in a memory space of the target micro virtual machine so as to map the template file to a target memory address space in the memory space of the target micro virtual machine; and writing the universal container starting template into the target memory address space.
For example, the generic container start template created in the Linux Hugetlbfs file system may be stored in a corresponding template file; a target memory address space is allocated in the memory space of the target micro virtual machine, a correspondence between the template file and the target memory address space is established and memory mapping is performed, so that the template file is mapped to the target memory address space in the memory space of the target micro virtual machine; further, the generic container start template may be written into the target memory address space by means of a memcpy() function.
It should be noted that, because the generic container start template is created in a file system supporting large-page storage and therefore consists entirely of huge-page memory, the target memory address space used to store it in the memory space of the target micro virtual machine is also allocated from huge-page memory.
In a possible embodiment, in order to further save the memory used for storing the generic container start template in the target micro virtual machine, the generic container start template may be stored in the memory space of the target micro virtual machine in a private memory mapping manner, and then a plurality of secure containers deployed on the target micro virtual machine may be started based on the same generic container start template stored in the memory space of the target micro virtual machine.
In this implementation, the process of performing memory mapping on the template file used for storing the generic container start template in the file system in the memory space of the target micro virtual machine to map the template file to the target memory address space in the memory space of the target micro virtual machine may specifically include: and in the memory space of the target micro virtual machine, carrying out private memory mapping on a template file which is used for storing the universal container starting template in the file system so as to map the template file to a target private memory address space in the memory space of the target micro virtual machine.
For example, in the memory space of the target micro virtual machine, the MAP_PRIVATE flag may be used to perform private memory mapping on the template file in the file system that stores the generic container start template, so as to map the template file to a target private memory address space in the memory space of the target micro virtual machine. It should be noted that, with private memory mapping, when a micro virtual machine modifies the template contents in the target private memory address space mapped into its own memory space, the modification lands on a copy-on-write copy: it does not change the data source (that is, the generic container start template stored in the file system), nor is it propagated to the memory of other secure container instances, which avoids one instance's modification causing errors in every secure container instance started from the generic container start template. Two practical caveats apply. On Hugetlbfs each page an instance dirties is copied onto a fresh huge page, so the huge-page pool must be provisioned for every instance's private copies; a mapping that cannot be backed fails rather than silently falling back to base pages. And private mapping isolates later writes only: every instance still begins from the identical saved runtime state, including whatever random-number-generator state the guest had at snapshot time, so the guest should be reseeded after restore (for example through virtio-rng or a VM generation ID change) before it derives keys or other secrets.
In this specification, since the file system does not support a read/write system call, the container engine cannot directly obtain the generic container starting template from the file system to start the target container, and therefore, in response to a container starting request for a target secure container deployed on the target micro virtual machine, the container engine may obtain the generic container starting template from a memory space of the target micro virtual machine, and start the target secure container based on the obtained generic container starting template.
For example, after creating the generic container starting template in a file system supporting large-page storage and storing the generic container starting template in a memory mapping manner to a memory space of the target micro virtual machine, in response to receiving a container starting request for a target secure container deployed on the target micro virtual machine, the container engine may obtain the generic container starting template from the memory space of the target micro virtual machine, and start the target secure container based on the obtained generic container starting template.
In an embodiment shown in the present invention, after mapping a template file in the file system, where the template file is used to store the generic container starting template, to a target memory address space in a memory space of the target micro virtual machine, and writing the generic container starting template into the target memory address space, the process of obtaining the generic container starting template from the memory space of the target micro virtual machine may specifically include: determining a template file for storing the generic container start template in the file system; determining the target memory address space to which the template file is mapped in the memory space of the target micro virtual machine; and reading the universal container starting template from the target memory address space.
For example, after mapping a template file for storing the generic container startup template in the Linux Hugetlbfs file system to a target memory address space in a memory space of the target micro-virtual machine and writing the generic container startup template into the target memory address space, in response to a container startup request for a target secure container deployed on the target micro-virtual machine, a template file for storing the generic container startup template may be determined in the Linux Hugetlbfs file system; further, the target memory address space to which the template file is mapped may be determined in the memory space of the target micro virtual machine, and the generic container start template may be read from the target memory address space; further, the target secure container may be started based on the obtained generic container start template.
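The create, truncate, map and memcpy sequence described above, together with the private mapping that keeps one instance's writes out of every other instance's view, as an added C example written for this page and not taken from the patent or from any named container runtime. The directory, the 2 MiB toy guest size, the probe offset and the 0xA5 fill pattern are assumptions for illustration; pointing `dir` at a subdirectory of a Hugetlbfs mount such as /dev/hugepages exercises the real huge-page path, and any ordinary directory shows the same MAP_PRIVATE versus MAP_SHARED behaviour on base pages.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Create the template file under a subdirectory of the Hugetlbfs entry
 * directory (for example /dev/hugepages/templates) and set its length to the
 * guest memory size with ftruncate(). On Hugetlbfs that length must be a
 * multiple of the mount's huge page size. Returns the fd, or -1 on error. */
static int template_file_create(const char *dir, size_t guest_mem,
                                char *path, size_t path_len)
{
    if (snprintf(path, path_len, "%s/template-XXXXXX", dir) >= (int)path_len)
        return -1;
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (ftruncate(fd, (off_t)guest_mem) < 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

/* Populate the template file. Hugetlbfs has no write() path, so the engine
 * maps the file MAP_SHARED and memcpy()s the saved runtime state into it. */
static int template_populate(int fd, const void *snapshot, size_t len)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (p == MAP_FAILED)
        return -1;
    memcpy(p, snapshot, len);
    return munmap(p, len);
}

/* Map the template into one micro VM's memory space. MAP_PRIVATE gives the
 * VM a copy-on-write view; MAP_SHARED would write straight back to the file
 * and therefore into every other VM mapped from the same template. */
static unsigned char *template_map(int fd, size_t len, int prot, int map_flags)
{
    void *p = mmap(NULL, len, prot, map_flags, fd, 0);
    return p == MAP_FAILED ? NULL : (unsigned char *)p;
}

/* Two "guests" are mapped from one template with map_flags; guest A then
 * dirties one byte. Returns 1 if guest B or the file sees the change,
 * 0 if both still see the template contents, -1 on a setup error. */
int write_visible_across_instances(const char *dir, int map_flags)
{
    enum { GUEST_MEM = 2 << 20, PROBE = 4096 };  /* 2 MiB toy guest: assumption */
    unsigned char *guest_a = NULL, *guest_b = NULL, *file_view = NULL;
    char path[4096];
    int result = -1;

    /* Constructed stand-in for the saved runtime state of the micro VM. */
    unsigned char *snapshot = malloc(GUEST_MEM);
    if (!snapshot)
        return -1;
    memset(snapshot, 0xA5, GUEST_MEM);
    snapshot[PROBE] = 0x01;

    int fd = template_file_create(dir, GUEST_MEM, path, sizeof path);
    if (fd < 0) {
        free(snapshot);
        return -1;
    }
    if (template_populate(fd, snapshot, GUEST_MEM) < 0)
        goto out;

    guest_a = template_map(fd, GUEST_MEM, PROT_READ | PROT_WRITE, map_flags);
    guest_b = template_map(fd, GUEST_MEM, PROT_READ | PROT_WRITE, map_flags);
    file_view = template_map(fd, GUEST_MEM, PROT_READ, MAP_SHARED);
    if (!guest_a || !guest_b || !file_view)
        goto out;

    guest_a[PROBE] = 0xFF;                       /* guest A modifies its view */
    result = (guest_b[PROBE] == 0xFF || file_view[PROBE] == 0xFF) ? 1 : 0;

out:
    if (guest_a) munmap(guest_a, GUEST_MEM);
    if (guest_b) munmap(guest_b, GUEST_MEM);
    if (file_view) munmap(file_view, GUEST_MEM);
    close(fd);
    unlink(path);
    free(snapshot);
    return result;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/tmp";   /* e.g. /dev/hugepages/templates */
    printf("MAP_PRIVATE: write visible to other instances = %d\n",
           write_visible_across_instances(dir, MAP_PRIVATE));
    printf("MAP_SHARED:  write visible to other instances = %d\n",
           write_visible_across_instances(dir, MAP_SHARED));
    return 0;
}
```

With MAP_PRIVATE the second guest and the file keep the template byte, which is the isolation property the private mapping is chosen for; with MAP_SHARED the same write shows up in both, which is the failure the text warns about. On a real Hugetlbfs mount the first write to each 2 MiB page of a private mapping costs a full huge-page copy, which is why the pool has to be sized for the instances' dirty pages.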
In practical application, the start information carried in the container start request for starting the target secure container is not necessarily fully adapted to the start information included in the generic container start template acquired by the container engine. If the two are adapted, the target secure container may be started directly based on the start information included in the generic container start template; if they are not, the start information included in the generic container start template is updated first.
In one embodiment shown, the generic container start template includes first start information for starting any secure container deployed on the target micro virtual machine, and the container start request carries second start information for starting the target secure container. The process of starting the target secure container based on the acquired generic container start template may specifically include: detecting whether the first start information included in the acquired generic container start template is adapted to the second start information carried by the container start request; if so, starting the target secure container according to the acquired generic container start template; if not, updating the first start information included in the generic container start template according to the second start information, and starting the target secure container according to the updated generic container start template.
For example, in response to a container start request for a target secure container deployed on the target micro virtual machine, the container engine may acquire the generic container start template from the memory space of the target micro virtual machine; the container engine may then detect whether the first start information included in the acquired generic container start template is adapted to the second start information carried by the container start request, start the target secure container from the acquired template if so, and otherwise update the first start information according to the second start information and start the target secure container from the updated template.
The process of detecting whether the first start information and the second start information are adapted may specifically include: determining whether the micro virtual machine configuration information included in the first start information is consistent with that included in the second start information, and determining whether the container configuration information included in the first start information is consistent with that included in the second start information. If both are consistent, the first start information is adapted to the second start information; if at least one is inconsistent, they are not adapted, and the first start information is updated according to the second start information. Consistent with the private memory mapping described above, such an update is made on the instance's own mapped copy and does not alter the template stored in the file system.
The target secure container may be started based on the generic container start template in the following ways.
In a possible embodiment, starting the target secure container according to the acquired generic container start template may specifically include: starting the target micro virtual machine according to the micro virtual machine configuration information included in the acquired generic container start template; switching the target micro virtual machine to the runtime state saved in the generic container start template, that is, the state after the agent program has started, so that the target micro virtual machine runs the agent program in that state; and starting the target secure container deployed on the target micro virtual machine according to the container configuration information included in the acquired generic container start template.
In another possible embodiment, starting the target secure container according to the updated generic container start template may specifically include: starting the target micro virtual machine according to the micro virtual machine configuration information included in the updated generic container start template; switching the target micro virtual machine to the runtime state saved in the generic container start template, that is, the state after the agent program has started, so that the target micro virtual machine runs the agent program in that state; and starting the target secure container deployed on the target micro virtual machine according to the container configuration information included in the updated generic container start template.
In an embodiment shown, a plurality of generic container start templates may be created in the file system and stored in the memory space of the target micro virtual machine by memory mapping. In response to a container start request for a target secure container deployed on the target micro virtual machine, the container engine may use a secure container process to parse the container configuration information of the secure container instance (that is, the container configuration information carried in the second start information), which may include the container specification of the secure container instance, network configuration information, and the like. Further, according to the container specification indicated by the container start request, the container engine may acquire, from the plurality of generic container start templates in the memory space of the target micro virtual machine, one generic container start template that meets that container specification, and start the target secure container based on it.
In the embodiment illustrated above, the generic container start template is acquired according to the container specification corresponding to the container start request, and the target secure container is preferentially started from a generic container start template whose container specification matches. Because the generic container start template contains a complete, successfully started micro virtual machine whose container specification is consistent with that of the target secure container the user requested, the container specification of the target secure container does not need to be adjusted after it is started from the template, which further improves start efficiency. If no generic container start template currently matches the requested container specification, the generic container start template whose container specification differs least from the requested one may be selected, so that after the target secure container has been started quickly from that template, the requested container specification can be reached by a small adjustment.
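The adaptation check, the template update and the selection of the closest template when no specification matches, as an added Python example written for this page rather than taken from the patent. The data classes and field names, the distance metric that weights one vCPU like 1024 MiB, the file paths and the step names returned by plan_start are this example's assumptions; the patent fixes only the decision logic (both configurations must agree, otherwise update; exact specification match preferred, otherwise smallest difference, with fine adjustment after the fast start).

```python
"""Template matching, adaptation and selection for secure-container start."""
from dataclasses import dataclass, replace
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class ContainerSpec:
    vcpus: int
    memory_mb: int


@dataclass(frozen=True)
class MicroVmConfig:
    # Resources the micro VM takes from the host: the page names storage (the
    # backing file of the emulated device) and network (a port). Field names
    # are this example's assumption.
    spec: ContainerSpec
    storage_backend: str
    network_port: int


@dataclass(frozen=True)
class ContainerConfig:
    spec: ContainerSpec
    user_address: str
    container_id: str


@dataclass(frozen=True)
class StartInfo:
    vm: MicroVmConfig
    container: ContainerConfig


@dataclass(frozen=True)
class Template:
    template_id: str
    first_info: StartInfo   # "first start information" saved with the template
    template_file: str      # Hugetlbfs file holding the saved runtime state


def is_adapted(first: StartInfo, second: StartInfo) -> bool:
    """Adapted only if both the micro-VM and the container configuration agree."""
    return first.vm == second.vm and first.container == second.container


def spec_distance(a: ContainerSpec, b: ContainerSpec) -> int:
    # Assumed metric: one vCPU is weighted like 1024 MiB of memory. The page
    # only says "smallest difference"; the weighting is this example's choice.
    return abs(a.vcpus - b.vcpus) * 1024 + abs(a.memory_mb - b.memory_mb)


def select_template(templates: Sequence[Template], requested: ContainerSpec) -> Optional[Template]:
    """Prefer a template whose container specification matches exactly;
    otherwise take the one with the smallest specification difference."""
    if not templates:
        return None
    for t in templates:
        if t.first_info.container.spec == requested:
            return t
    return min(templates, key=lambda t: (spec_distance(t.first_info.container.spec, requested), t.template_id))


def adapt_template(template: Template, second: StartInfo) -> Template:
    """Return the template to start from, with its start information replaced
    by the request's when they are not adapted. The shared template object is
    never mutated: it backs every instance's private mapping."""
    if is_adapted(template.first_info, second):
        return template
    return replace(template, first_info=second)


def plan_start(templates: Sequence[Template], second: StartInfo) -> List[Tuple[str, object]]:
    """The container engine's steps for one start request, as (step, argument)."""
    chosen = select_template(templates, second.container.spec)
    if chosen is None:  # no template at all: fall back to a cold boot
        return [("cold_boot", second.vm), ("start_agent", None), ("start_container", second.container)]
    effective = adapt_template(chosen, second)
    steps: List[Tuple[str, object]] = [
        ("restore_vm", effective.first_info.vm),
        ("resume_agent_state", chosen.template_file),
        ("start_container", effective.first_info.container),
    ]
    if chosen.first_info.container.spec != second.container.spec:
        # The template only approximates the request: fine-tune after the fast start.
        steps.append(("adjust_spec", second.container.spec))
    return steps
```

The update path returns a new Template rather than editing the chosen one, for the same reason the mapping is MAP_PRIVATE: the object a request adapts is the instance's own copy, and the shared template must stay exactly as it was snapshotted.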
Further, after the target secure container is launched, the container engine may also create a user's workload in the target secure container for implementing the user's application using the agent.
According to the technical scheme, the universal container starting template established in the file system supporting large-page storage can be stored in the memory space of the target micro virtual machine in a memory mapping mode, and then the universal container starting template is obtained from the memory space of the target micro virtual machine so as to start the target secure container deployed on the target micro virtual machine; therefore, the problem that a file system supporting large-page storage in the related art does not support read/write system call is solved, and the target security container is started based on the universal container starting template established in the file system supporting large-page storage.
Compared with a template start scheme based on transparent huge pages (THP), starting the secure container from a generic container start template created in a file system supporting large-page storage has the following advantages. On one hand, the secure container starts faster because no additional memory needs to be hot-plugged. On the other hand, because the generic container start template is created in a file system supporting large-page storage, the memory allocated to the target secure container is guaranteed to consist entirely of huge pages, which reduces TLB misses, page faults and the like and thus improves container performance. In a further aspect, the generic container start template may be shared by the micro virtual machines included in the host, that is, by secure containers deployed in different micro virtual machines, which saves the memory the file system uses to store the generic container start template.
Corresponding to the embodiment of the method for starting a secure container, this specification also provides an embodiment of an apparatus for starting a secure container.
Referring to fig. 2, fig. 2 is a schematic structural diagram of an electronic device in which an apparatus for starting a secure container according to an exemplary embodiment of this specification is located. At the hardware level, the device includes a processor 202, an internal bus 204, a network interface 206, a memory 208 and a non-volatile memory 210, and may of course include other hardware required by the application. One or more embodiments of this specification may be implemented in software, for example by the processor 202 reading the corresponding computer program from the non-volatile memory 210 into the memory 208 and running it. Besides a software implementation, the one or more embodiments of this specification do not exclude other implementations, such as logic devices or a combination of software and hardware; that is, the execution subject of the following processing flow is not limited to logic units and may also be hardware or logic devices.
Referring to fig. 3, fig. 3 is a block diagram of an apparatus for starting a secure container according to an exemplary embodiment of this specification. The apparatus may be applied to the electronic device shown in fig. 2 to implement the technical solution of this specification.
The apparatus for starting a secure container may include:
a template creating unit 302, configured to create, in response to a container start template creation request corresponding to a target micro virtual machine, a generic container start template for starting a secure container deployed on the target micro virtual machine in a file system supporting large-page storage;
a memory mapping unit 304, configured to store the generic container start template in a memory mapping manner to a memory space of the target micro virtual machine;
a container starting unit 306, configured to, in response to a container starting request for a target secure container deployed on the target micro virtual machine, obtain the generic container starting template from a memory space of the target micro virtual machine, and start the target secure container based on the obtained generic container starting template.
In this embodiment, the memory mapping unit 304 is specifically configured to:
performing memory mapping on a template file used for storing the universal container starting template in the file system in a memory space of the target micro virtual machine so as to map the template file to a target memory address space in the memory space of the target micro virtual machine;
and writing the universal container starting template into the target memory address space.
In this embodiment, the template creating unit 302 is specifically configured to:
and under the subdirectory of the entry directory of the file system, creating a template file for storing the universal container starting template.
In this embodiment, the memory mapping unit 304 is specifically configured to:
and in the memory space of the target micro virtual machine, carrying out private memory mapping on a template file which is used for storing the universal container starting template in the file system so as to map the template file to a target private memory address space in the memory space of the target micro virtual machine.
In this embodiment, the container activating unit 306 is specifically configured to:
determining a template file for storing the generic container start template in the file system;
determining the target memory address space to which the template file is mapped in the memory space of the target micro virtual machine;
and reading the universal container starting template from the target memory address space.
In this embodiment, the template creating unit 302 is specifically configured to:
cold starting the target micro virtual machine to trigger the target micro virtual machine after cold starting to further start an agent program used for starting a secure container in an operating system of the target micro virtual machine;
and responding to the detection of the agent program starting, and performing snapshot saving on the runtime state of the target micro virtual machine to generate the universal container starting template.
In this embodiment, the generic container start template includes first start information for starting any secure container deployed on the target micro virtual machine; the container starting request carries second starting information for starting the target safety container;
the container starting unit 306 is specifically configured to:
detecting whether the first start information included in the acquired generic container start template is adapted to the second start information carried by the container start request;
if so, starting the target secure container according to the acquired generic container start template;
if not, updating the first start information included in the generic container start template according to the second start information, and starting the target secure container according to the updated generic container start template.
In this embodiment, the first start-up information includes: micro virtual machine configuration information used for starting the target micro virtual machine, and container configuration information used for starting any safety container deployed on the target micro virtual machine;
the container starting unit 306 is specifically configured to:
starting the target micro virtual machine according to the micro virtual machine configuration information included in the acquired generic container start template or in the updated generic container start template;
switching the target micro virtual machine to the runtime state saved in the generic container start template, that is, the state after the agent program has started, so that the target micro virtual machine runs the agent program in that state;
and starting the target secure container deployed on the target micro virtual machine according to the container configuration information included in the acquired generic container start template or in the updated generic container start template.
In this embodiment, the file system supporting the large-page storage is a Linux Hugetlbfs file system.
In a typical configuration, a computer includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic disk storage, quantum memory, graphene-based storage media or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
The terminology used in the description of the one or more embodiments is for the purpose of describing the particular embodiments only and is not intended to be limiting of the description of the one or more embodiments. As used in one or more embodiments of the present specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used herein in one or more embodiments to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of one or more embodiments herein. The word "if," as used herein, may be interpreted as "at the time of …" or "when …" or "in response to a determination," depending on the context.
The above description is only for the purpose of illustrating the preferred embodiments of the one or more embodiments of the present disclosure, and is not intended to limit the scope of the one or more embodiments of the present disclosure, and any modifications, equivalent substitutions, improvements, etc. made within the spirit and principle of the one or more embodiments of the present disclosure should be included in the scope of the one or more embodiments of the present disclosure.

Claims (12)

1. A method for starting a secure container, applied to a container engine on a host machine, wherein the host machine comprises the container engine and at least one micro virtual machine, the container engine is used for managing secure containers running on the host machine, and at least one secure container is deployed on the micro virtual machine; the method comprises the following steps:
in response to a container start template creation request corresponding to a target micro virtual machine, creating, in a file system supporting large-page storage, a generic container start template for starting a secure container deployed on the target micro virtual machine;
storing the generic container start template in the memory space of the target micro virtual machine by means of memory mapping;
and in response to a container start request for a target secure container deployed on the target micro virtual machine, acquiring the generic container start template from the memory space of the target micro virtual machine, and starting the target secure container based on the acquired generic container start template.
2. The method of claim 1, wherein storing the generic container launch template in a memory mapped manner to a memory space of the target micro virtual machine comprises:
performing memory mapping on a template file used for storing the universal container starting template in the file system in a memory space of the target micro virtual machine so as to map the template file to a target memory address space in the memory space of the target micro virtual machine;
and writing the universal container starting template into the target memory address space.
3. The method of claim 2, prior to memory mapping, in the memory space of the target micro-virtual machine, a template file in the file system for storing the generic container launch template, the method further comprising:
and under the subdirectory of the entry directory of the file system, creating a template file for storing the universal container starting template.
4. The method of claim 2, wherein the performing memory mapping on a template file in the file system for storing the generic container launch template in the memory space of the target micro-virtual machine to map the template file to a target memory address space in the memory space of the target micro-virtual machine comprises:
and in the memory space of the target micro virtual machine, carrying out private memory mapping on a template file which is used for storing the universal container starting template in the file system so as to map the template file to a target private memory address space in the memory space of the target micro virtual machine.
5. The method of claim 2, wherein said obtaining the generic container launch template from the memory space of the target micro-virtual machine comprises:
determining a template file for storing the generic container start template in the file system;
determining the target memory address space to which the template file is mapped in the memory space of the target micro virtual machine;
and reading the universal container starting template from the target memory address space.
6. The method of claim 1, wherein creating the generic container launch template for launching a secure container deployed on the target micro virtual machine comprises:
cold-starting the target micro virtual machine, so that the cold-started target micro virtual machine further starts, in its operating system, an agent program used for launching secure containers; and
in response to detecting that the agent program has started, saving a snapshot of the runtime state of the target micro virtual machine to generate the generic container launch template.
7. The method of claim 6, wherein the generic container launch template comprises first launch information for launching any secure container deployed on the target micro virtual machine, and the container launch request carries second launch information for launching the target secure container;
launching the target secure container based on the acquired generic container launch template comprises:
detecting whether the first launch information included in the acquired generic container launch template matches the second launch information carried by the container launch request;
if so, launching the target secure container according to the acquired generic container launch template; and
if not, updating the first launch information included in the generic container launch template according to the second launch information, and launching the target secure container according to the updated generic container launch template.
8. The method of claim 7, wherein the first launch information comprises micro virtual machine configuration information used for starting the target micro virtual machine, and container configuration information used for launching any secure container deployed on the target micro virtual machine;
launching the target secure container according to the acquired generic container launch template or the updated generic container launch template comprises:
starting the target micro virtual machine according to the micro virtual machine configuration information included in the acquired generic container launch template or the updated generic container launch template;
switching the target micro virtual machine to the running state, saved in the generic container launch template, that the agent program was in after starting, so that the target micro virtual machine runs the agent program in that running state; and
launching the target secure container deployed on the target micro virtual machine according to the container configuration information included in the acquired generic container launch template or the updated generic container launch template.
9. The method of claim 1, wherein the file system supporting huge-page storage is a Linux Hugetlbfs file system.
10. A device for starting a secure container, applied to a container engine on a host machine; the host machine comprises the container engine and at least one micro virtual machine, wherein the container engine is used for managing secure containers running on the host machine, and at least one secure container is deployed on the micro virtual machine; the device comprises:
a template creation unit, used for creating, in response to a container launch template creation request corresponding to a target micro virtual machine, a generic container launch template for launching a secure container deployed on the target micro virtual machine in a file system supporting huge-page storage;
a memory mapping unit, used for storing the generic container launch template into the memory space of the target micro virtual machine by memory mapping; and
a container launch unit, used for, in response to a container launch request for a target secure container deployed on the target micro virtual machine, acquiring the generic container launch template from the memory space of the target micro virtual machine and launching the target secure container based on the acquired generic container launch template.
11. An electronic device, comprising a communication interface, a processor, a memory and a bus, wherein the communication interface, the processor and the memory are connected to each other through the bus;
the memory stores machine-readable instructions, and the processor executes the method of any one of claims 1 to 9 by calling the machine-readable instructions.
12. A machine-readable storage medium having stored thereon machine-readable instructions which, when invoked and executed by a processor, implement the method of any one of claims 1 to 9.
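The template-file store, private mapping and match-or-update steps of claims 2 to 8, as an added C example that is not the patent's or Alibaba's code; the template record layout (launch_info), the magic marker, the hugetlbfs path and the sample image names are assumptions, and the self-check uses a regular file so it also runs where no hugetlbfs is mounted.

```c
/* Added example, not the patent's code. The hugetlbfs mount path is an
 * assumption; a regular file has the same mmap semantics, so it runs anywhere. */
#include <fcntl.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define TEMPLATE_MAGIC 0x4C544B53u   /* constructed marker for a valid template */
#define MAP_LEN (2u << 20)           /* one 2 MiB huge page */
/* First launch information (claim 8): micro VM config plus container config. */
struct launch_info { uint32_t magic, vcpus, mem_mb; char image[64]; };

/* Claims 2-3: write the generic template into the template file through a shared mapping. */
int template_store(const char *path, const struct launch_info *info) {
    int fd = open(path, O_RDWR | O_CREAT, 0600);
    if (fd < 0 || ftruncate(fd, MAP_LEN) < 0) { if (fd >= 0) close(fd); return -1; }
    void *p = mmap(NULL, MAP_LEN, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    close(fd); if (p == MAP_FAILED) return -1;
    memcpy(p, info, sizeof *info);
    return munmap(p, MAP_LEN);
}

/* Claims 4, 5, 7: MAP_PRIVATE gives this micro VM a copy-on-write view; on mismatch
 * only that private copy is updated. Returns 1 matched, 0 updated, -1 error. */
int template_launch(const char *path, const struct launch_info *req, struct launch_info *out) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    struct launch_info *t = mmap(NULL, MAP_LEN, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    close(fd); if (t == MAP_FAILED) return -1;
    if (t->magic != TEMPLATE_MAGIC) { munmap(t, MAP_LEN); return -1; } /* reject unknown template */
    int matched = t->vcpus == req->vcpus && t->mem_mb == req->mem_mb
               && strncmp(t->image, req->image, sizeof t->image) == 0;
    if (!matched) { *t = *req; t->magic = TEMPLATE_MAGIC; } /* CoW: private copy only */
    *out = *t;
    munmap(t, MAP_LEN);
    return matched;
}

/* Store, match, mismatch (updates private copy), re-check shared template; 0 = all as claimed. */
int template_example(const char *path) {
    struct launch_info tpl = { TEMPLATE_MAGIC, 2, 512, "alpine:3.18" }, out;
    struct launch_info same = { 0, 2, 512, "alpine:3.18" }, other = { 0, 4, 1024, "nginx:1.25" };
    if (template_store(path, &tpl) != 0) return 1;
    if (template_launch(path, &same, &out) != 1) return 2;
    if (template_launch(path, &other, &out) != 0 || out.mem_mb != 1024) return 3;
    if (template_launch(path, &same, &out) != 1) return 4;
    unlink(path);
    return 0;
}
```

On a real hugetlbfs mount the file size must be a multiple of the huge page size and a free huge page must be reserved, otherwise the first write faults with SIGBUS. The snapshot of the agent's running state from claim 6 would be the actual template payload where this example writes a small launch_info record.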

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210674345.XA CN115061777A (en) 2022-06-14 2022-06-14 Starting method and device of safety container, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210674345.XA CN115061777A (en) 2022-06-14 2022-06-14 Starting method and device of safety container, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115061777A true CN115061777A (en) 2022-09-16

Family

ID=83199426

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210674345.XA Pending CN115061777A (en) 2022-06-14 2022-06-14 Starting method and device of safety container, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115061777A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination