CN115202830A - Root file system preparation method, system, computing device and readable storage medium - Google Patents
Root file system preparation method, system, computing device and readable storage medium Download PDFInfo
- Publication number
- CN115202830A CN115202830A CN202211098762.0A CN202211098762A CN115202830A CN 115202830 A CN115202830 A CN 115202830A CN 202211098762 A CN202211098762 A CN 202211098762A CN 115202830 A CN115202830 A CN 115202830A
- Authority
- CN
- China
- Prior art keywords
- file system
- root file
- container
- root
- monitoring process
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000002360 preparation method Methods 0.000 title claims abstract description 93
- 238000003860 storage Methods 0.000 title claims abstract description 30
- 238000000034 method Methods 0.000 claims abstract description 152
- 238000012544 monitoring process Methods 0.000 claims abstract description 57
- 230000004044 response Effects 0.000 claims abstract description 5
- 230000008569 process Effects 0.000 claims description 101
- 230000015654 memory Effects 0.000 claims description 19
- 230000010076 replication Effects 0.000 claims description 3
- 238000004458 analytical method Methods 0.000 claims description 2
- 230000006870 function Effects 0.000 description 16
- 238000010586 diagram Methods 0.000 description 12
- 238000005516 engineering process Methods 0.000 description 10
- 238000004891 communication Methods 0.000 description 8
- 238000012545 processing Methods 0.000 description 5
- 238000013507 mapping Methods 0.000 description 4
- 230000006399 behavior Effects 0.000 description 3
- 230000008901 benefit Effects 0.000 description 3
- 239000003795 chemical substances by application Substances 0.000 description 3
- 230000003287 optical effect Effects 0.000 description 3
- 230000009467 reduction Effects 0.000 description 3
- 230000007547 defect Effects 0.000 description 2
- 238000007726 management method Methods 0.000 description 2
- 230000007723 transport mechanism Effects 0.000 description 2
- 230000004913 activation Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000009826 distribution Methods 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 238000002955 isolation Methods 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 230000005055 memory storage Effects 0.000 description 1
- 230000000644 propagated effect Effects 0.000 description 1
- 239000000758 substrate Substances 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/10—File systems; File servers
- G06F16/11—File system administration, e.g. details of archiving or snapshots
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45562—Creating, deleting, cloning virtual machine instances
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45575—Starting, stopping, suspending or resuming virtual machine instances
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45579—I/O management, e.g. providing access to device drivers or storage
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45591—Monitoring or debugging support
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Data Mining & Analysis (AREA)
- Databases & Information Systems (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The invention discloses a root file system preparation method, a root file system preparation system, a computing device and a readable storage medium, and relates to the technical field of computers. The root file system is prepared by a container runtime program, the container runtime program including a command line interface, the method comprising: analyzing the configuration file of the container through a command line interface in response to the operation of a command for creating the container; if the configuration file is legal, a container monitoring process is established; creating a root file system preparation process through the container monitoring process; the root file system preparation process requests the container monitoring process to configure the user name space of the root file system according to the description in the configuration file; the container monitoring process configures a user namespace for the root file system. The preparation scheme of the root file system can prepare the root file system without root authority.
Description
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a root file system preparation method, a root file system preparation system, a computing device, and a readable storage medium.
Background
As the support for isolation of abstract resources between processes in Linux and other operating system kernels has matured, software development and distribution based on the concept of containers has become a very important technology. As container technology has been developed ecologically, container-related configurations become more complex, and starting and running of a container need to be configured through a series of complex systems, so that a system-based tool container runtime program (also called runtime) which is specially responsible for processing the container-related configurations is usually adopted in projects using the container. Currently, there are many runtime programs available on the market, for example: run and crun are mainly oriented to a scene of deploying Web application on a server, are widely applied in industry, and are well supported by Containerd and Podman.
In existing solutions, the required file system (rootfs) in the container is already ready before the container runtime program starts working. The process of preparing rootfs is done by other programs that call the container runtime program. And the container runtime program enters the file system through a system call after the container configuration is finished. In the prior art, the process of preparing root fs is completed by a program with root authority on a host, which results in the following defects in the prior art: when the user does not have root right on the host machine, preparing rootfs cannot be carried out; in the whole process of operating the container, a program which operates in root authority is determined, and certain challenge is brought to the behavior that a user operates an untrusted container; the mount table on the host computer expands, and has a certain influence on the speed of file indexing.
In addition, there is a solution to prepare rootfs by a user space file system framework fuse on a host, however, this solution has the following drawbacks: the performance of fuse is inferior to the file system realized in the kernel, and the operating efficiency of the application is influenced; the fuse depends on a program with a suid bit to realize the function, so that a user without root authority cannot install the framework by himself.
Therefore, a preparation scheme for a root file system is needed to solve the problems in the prior art.
Disclosure of Invention
To this end, the present invention provides a root file system preparation method, system, computing device and readable storage medium to solve or at least alleviate the above-identified problems.
According to a first aspect of the present invention, there is provided a method of preparing a root file system, the root file system being prepared by a container runtime program, the container runtime program comprising a command line interface, the method comprising: analyzing the configuration file of the container through a command line interface in response to the operation of a command for creating the container; if the configuration file is legal, a container monitoring process is established; creating a root file system preparation process through the container monitoring process; the root file system preparation process requests the container monitoring process to configure the user name space of the root file system according to the description in the configuration file; the container monitoring process configures a user namespace for the root file system.
Alternatively, in the root file system preparation method according to the present invention, the UID of the root file system preparation process in the configuration file is mapped to 0, so that the program run by the root file system preparation process mounts the root file system using a system call.
Optionally, in the method for preparing a root file system according to the present invention, the step of preparing the root file system, which requests the container monitoring process to configure the user namespace of the root file system according to the description in the configuration file, includes: in the root file system preparation process, an agent of unix domain socket is run.
Optionally, in the method for preparing a root file system according to the present invention, the method further includes: the root file system preparation process creates a copy process of the init process in a copy mode, and the configuration of a user namespace is carried out on the init process.
Optionally, in the method for preparing a root file system according to the present invention, after the configuration file is legal, the method further includes: the state of the container is updated as being created.
Alternatively, in the preparation method of the root file system according to the present invention, the agent program of the unix domain socket includes xdg-dbus-proxy program.
Alternatively, in the preparation method of the root file system according to the present invention, the container monitoring process is a child process of the main process.
Alternatively, in the preparation method of a root file system according to the present invention, the root file system preparation process is a replication process of the container monitoring process.
According to a second aspect of the present invention, there is provided a root file system preparing system comprising: the configuration file analysis module is suitable for responding to a command for operating and creating the container and analyzing the configuration file of the container through a command line interface; the container monitoring process creating module is suitable for creating a container monitoring process when the configuration file is legal; and the root file system preparation module is suitable for creating a root file system preparation process through the container monitoring process, the root file system preparation process requests the container monitoring process to configure the user name space of the root file system according to the description in the configuration file, and the container monitoring process configures the user name space of the root file system.
Alternatively, in the preparation system of the root file system according to the present invention, the UID of the root file system preparation process in the configuration file is mapped to 0, so that the program run by the root file system preparation process in the root file system preparation module mounts the root file system using a system call.
Optionally, in the preparation system of the root file system according to the present invention, further comprising: and the container configuration module is suitable for creating the init process in a copying mode through the root file system preparation process and configuring the user namespace for the init process.
According to a third aspect of the present invention, there is provided a computing device comprising: at least one processor; a memory storing program instructions configured to be suitable for execution by the at least one processor, the program instructions comprising instructions for performing the method as described above.
According to a fourth aspect of the present invention, there is provided a readable storage medium storing program instructions which, when read and executed by a computing device, cause the computing device to perform the method as described above.
According to the technical scheme of the invention, the preparation operation is executed on the root file system through the container running time program, so that any component in the execution flow of the container is not required to have root authority, a user without computer root authority can prepare the root file system used by the container through the scheme of the invention, and the container can be used without the root authority. In addition, the scheme of the invention configures the name space of the root file system, and the caller of the program does not need to configure the name space of the root file system by himself when the container runs, thereby improving the preparation efficiency of the root file system.
Furthermore, the root file system prepared by the scheme of the invention is completely invisible in the host environment, so that the mount table of the host environment is not lengthened to cause potential file index speed reduction.
The above description is only an overview of the technical solutions of the present invention, and the present invention can be implemented in accordance with the content of the description so as to make the technical means of the present invention more clearly understood, and the above and other objects, features, and advantages of the present invention will be more clearly understood.
Drawings
To the accomplishment of the foregoing and related ends, certain illustrative aspects are described herein in connection with the following description and the annexed drawings, which are indicative of various ways in which the principles disclosed herein may be practiced, and all aspects and equivalents thereof are intended to be within the scope of the claimed subject matter. The above and other objects, features and advantages of the present disclosure will become more apparent from the following detailed description read in conjunction with the accompanying drawings. Throughout this disclosure, like reference numerals generally refer to like parts or elements.
FIG. 1 is a schematic diagram illustrating a prior art root file system preparation flow;
FIG. 2 shows a block diagram of the physical components (i.e., hardware) of a computing device 200;
FIG. 3 illustrates a flow diagram of a method 300 for preparing a root file system in accordance with one embodiment of the invention;
FIG. 4 illustrates a flow diagram of a method 400 for preparing a root file system in accordance with another embodiment of the invention;
FIG. 5 illustrates a flow diagram of a method 500 for preparing a root file system according to yet another embodiment of the invention;
FIG. 6 illustrates a schematic diagram of a root file system preparation system 600, according to one embodiment of the invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
With the ecological development of container technology, container-related configuration is increasingly complex, and in order to unify the behaviors of these configuration tools and facilitate developers to reuse such configuration tools among different projects, OCI defines a standard, namely OCI runtime-spec, in which such configuration tools are called runtime, and are referred to as container runtime programs in the invention. Fig. 1 is a schematic diagram illustrating a preparation flow of a root file system in the prior art. As shown in FIG. 1, when the create command is given, youki will load the configuration, socket, etc., and create an intermediate process using the clone system call. This process will set cgroups and permissions, and then fork gets the init process. The reason for creating this middle process is that the clone system call cannot enter the existing pid namespace created for the container. Therefore, it is first necessary to convert to the name space in an intermediate process and create a container process through the fork function. Then, the main youki process is requested to map the uid and gid, the intermediate process sets the uid and gid mapping after receiving the request, an init process is created through a fork function, and pid of the init process is returned to the main youki process before quitting. Then, the init process completely converts to the new namespace set for the container (the init process only converts the pid namespace). It uses the pivot _ root to change the root mount point of the process so that the container process can obtain that it has full root path access rights. Subsequently, the init process sets the authority and secure computing mode security mechanism (seccomp for short), and sends a seccomp notification file descriptor to the main youki process. When the seccomp proxy running on the host system sets the seccomp configuration file, the init process is notified and then the program that needs to be executed within the container is executed. Thus, the init process then sends a ready notification to the master youki process and waits for a start signal. The master youki process starts creating the container, and when a ready signal is received, updates the pid file of the container process and exits, which ends the creation of the container. If the container is to be started, this will be performed along with the container id when you start the container, the start signal will be sent to the init process of the waiting container, and you process already exists. When the init process receives the start signal, the program which needs to run in the container is executed, and then the process exits.
As shown in FIG. 1, the required file system (i.e., root file system, rootfs) in the container is ready before the container runtime begins to function, i.e., the you Ki create $ id command in FIG. 1 is called, and the process of preparing rootfs is completed by the other program calling the container runtime. And the container runtime program enters the file system through the pivot _ root system call after the container configuration is finished. In the prior art, the process of preparing root fs is completed by a program with root authority on a host, which results in the following defects in the prior art: when the user does not have root authority on the host machine, the preparation of the rootfs can not be carried out; in the whole process of operating the container, a program which operates in root authority is determined, and certain challenge is brought to the behavior that a user operates an untrusted container; the mount table on the host computer expands, and has certain influence on the speed of file indexing.
For a scenario running a Linux desktop application, there is a significant fraction of root privileges in an enterprise environment for machines that a user does not use at all. However, users often have actual needs for installing and running applications, which causes inconvenience in the prior art that the running container necessarily needs root authority in an actual application scenario.
Moreover, the application scenario of the application container technology on the Linux desktop operating system is greatly different from the scenario of the deployment of the Web service by the container technology which is widely applied at present: the latter needs to be created and run almost trustfully, while the desktop user of the former cannot actually trust the application to be run completely, which means that in the desktop application scenario, when the developer of the container runtime program needs to consider running the untrusted application, the application may attack the container start-up process.
In addition, in the existing scheme, a container pre-starting step of a root file system used in a container is prepared by other programs except for the container runtime, and the preparation operation of the root file system is executed in the container runtime program, so that no component in the execution flow of the container needs to have root authority, and the container can be used without having the root authority of a computer. The root file system prepared by the scheme of the invention is completely invisible in the host environment, so that the problem of potential file index speed reduction caused by the lengthening of the mount table of the host environment is solved.
The present invention provides a preparation scheme for a root file system to solve the problems in the prior art, and the following describes the technical scheme of the present invention.
Fig. 2 shows a block diagram of the physical components (i.e., hardware) of a computing device 200. In a basic configuration, computing device 200 includes at least one processing unit 202 and system memory 204. According to one aspect, the processing unit 202 may be implemented as a processor depending on the configuration and type of computing device. The system memory 204 includes, but is not limited to, volatile storage (e.g., random access memory), non-volatile storage (e.g., read-only memory), flash memory, or any combination of such memories. According to one aspect, operating system 205 and program modules 206 are included in system memory 204, and preparation system 600 for executing the root file system of the present invention is included in program modules 206.
According to one aspect, the operating system 205 is, for example, adapted to control the operation of the computing device 200. Further, the examples are practiced in conjunction with a graphics library, other operating systems, or any other application program, and are not limited to any particular application or system. This basic configuration is illustrated in fig. 2 by those components within dashed line 208. According to one aspect, computing device 200 has additional features or functionality. For example, according to one aspect, computing device 200 includes additional data storage devices (removable and/or non-removable) such as, for example, magnetic disks, optical disks, or tape. Such additional storage is illustrated in FIG. 2 by a removable storage device 209 and a non-removable storage device 210.
As stated hereinabove, according to one aspect, program modules 206 are stored in system memory 204. According to one aspect, program modules 206 may include one or more applications, the invention not being limited to the type of application, for example, the applications may include: email and contacts applications, word processing applications, spreadsheet applications, database applications, slide show applications, drawing or computer-aided applications, web browser applications, and the like.
According to one aspect, examples may be practiced in a circuit comprising discrete electronic elements, a packaged or integrated electronic chip containing logic gates, a circuit utilizing a microprocessor, or on a single chip containing electronic elements or microprocessors. For example, an example may be practiced via a system on a chip (SOC) in which each or many of the components shown in fig. 2 may be integrated on a single integrated circuit. According to one aspect, such SOC devices may include one or more processing units, graphics units, communication units, system virtualization units, and various application functions, all integrated (or "burned") onto a chip substrate as a single integrated circuit. When operating via an SOC, the functions described herein may be operated via application-specific logic integrated with other components of the computing device 200 on a single integrated circuit (chip). Embodiments of the invention may also be practiced using other technologies capable of performing logical operations (e.g., AND, OR, AND NOT), including but NOT limited to mechanical, optical, fluidic, AND quantum technologies. In addition, embodiments of the invention may be practiced within a general purpose computer or in any other circuits or systems.
According to one aspect, computing device 200 may also have one or more input devices 212, such as a keyboard, mouse, pen, voice input device, touch input device, or the like. Output device(s) 214 such as a display, speakers, printer, etc. may also be included. The foregoing devices are examples and other devices may also be used. Computing device 200 may include one or more communication connections 216 that allow communication with other computing devices 218. Examples of suitable communication connections 216 include, but are not limited to: RF transmitter, receiver and/or transceiver circuitry; universal Serial Bus (USB), parallel, and/or serial ports.
The term computer readable media as used herein includes computer storage media. Computer storage media may include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information, such as computer readable instructions, data structures, or program modules. System memory 204, removable storage 209, and non-removable storage 210 are all examples of computer storage media (i.e., memory storage). Computer storage media may include Random Access Memory (RAM), read Only Memory (ROM), electrically erasable read-only memory (EEPROM), flash memory or other memory technology, CD-ROM, digital Versatile Disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other article of manufacture that can be used to store information and that can be accessed by the computer device 200. In accordance with one aspect, any such computer storage media may be part of computing device 200. Computer storage media does not include a carrier wave or other propagated data signal.
According to one aspect, communication media is embodied by computer readable instructions, data structures, program modules, or other data in a modulated data signal (e.g., a carrier wave or other transport mechanism) and includes any information delivery media. According to one aspect, the term "modulated data signal" describes a signal that has one or more characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, radio Frequency (RF), infrared, and other wireless media.
In one embodiment of the invention, computing device 200 includes one or more processors and one or more readable storage media storing program instructions. The program instructions, when configured to be executed by one or more processors, cause a computing device to perform a method of preparing a root file system in an embodiment of the invention.
FIG. 3 illustrates a flow diagram of a method 300 for preparing a root file system, according to one embodiment of the invention. The method 300 may be performed in a computing device (e.g., the computing device shown in fig. 2). The root file system involved in the method 300 may be prepared by a container runtime program, which includes a command line interface, a container monitoring process, a root file system preparation process, and may also include an init process in a container. As shown in fig. 3, method 300 begins at 310.
310. In response to executing a command to create a container, a configuration file for the container is parsed through a command line interface.
According to the embodiment of the invention, after the user of the container runtime program runs the container creating command, the command line interaction part in the container runtime program analyzes the container configuration file (config.
320. If the configuration file is legal, a container monitoring process is created.
In one embodiment, if the configuration file is legal, the state of the container is updated as being created and a container monitoring process is created. Optionally, a container monitoring process is created through a fork function, and specifically, the container monitoring process created through the fork function is a child process of a main process of the container monitoring process.
330. A root file system preparation process is created by the container monitoring process.
Optionally, the container monitoring process creates a root file system preparation process through a clone function. Specifically, the root file system preparation process created by the clone function monitors the replication process of the process for the container.
340. The root file system preparation process performs a root file system preparation operation based on the configuration file. Specifically, the root file system preparation process requests the container monitoring process to configure the user namespace of the root file system according to the description in the configuration file.
Optionally, the root file system preparation process is in addition to configuring a user namespace (user namespace) of the root file system, and the root file system preparation process may also prepare the root file system of the container according to other parts in the configuration file.
Optionally, in the configuration file, the UID of the root file system preparation process is mapped to 0, so that the child process run by the root file system preparation process obtains a CAP _ SYS _ ADMIN permission in the namespace of the root file system, where the CAP _ SYS _ ADMIN permission allows a system management task, such as loading or unloading a file system, and setting a disk quota, so that a program run by the root file system preparation process may use a system call to prepare the root file system of the container, for example, a program run by the root file system preparation process may use a mount system call to mount the root file system. Optionally, when a fuse is run in the current namespace (e.g. user namespace) of the root file system, since the UID of the root file system preparation process is mapped to 0, all the sub-processes run by the root file preparation process have CAP _ SYS _ ADMIN authority, even if the binary program with s bits is not installed in the operating system executing the method of the present invention, the use of the fuse can be performed by using the self-installed fuse program of the user under the condition of the fuse framework support in the kernel of the operating system.
Optionally, in the root file system preparation process, an agent running unix domain socket, such as xdg-dbus-proxy, prepares the root file system.
350. The container monitoring process configures a user namespace for the root file system.
According to the embodiment of the invention, the root file system preparation process creates the init process in a copying mode, and the init process is configured with the user namespace. Optionally, the root file system preparation process creates an init process through a clone function and configures the user namespace for the init process. Optionally, the root filesystem preparation process may also create an init process through fork and exec functions and configure it with user namespace.
In order to more clearly explain the preparation method of the root file system of the present invention, a specific embodiment is taken as an example to describe the technical solution of the present invention. Fig. 4 shows a flow diagram of a method 400 for preparing a root file system according to another embodiment of the invention. As shown in FIG. 4, in step 401, a user executes a command to create a container.
402. Json, the command line interface parses the configuration file of the container.
403. When the configuration file is legal, the state of the container is updated to be in creation.
404. Create a container monitoring process through fork.
405. A scope (system scope) for a system daemon management tool is created.
406. And setting the current process as a super process through a prctl PR _ SET _ CHILD _ SUBREAPER function.
407. The root filesystem preparation process is created through clone.
In steps 408-410, the user namespace for the root file system is configured.
408. The container monitoring process requests a write ID mapping from the root file system preparation process.
409. The container monitoring process sets the ID mapping.
410. The configuration is completed.
In steps 411-413, a root file system is prepared.
411. The root filesystem preparation process performs a native mount.
412. Optionally, the root file system preparation process sets a fuse in the namespace of the root file system.
413. The root file system preparation process sets up an agent of the unix domain socket to generate a file to prepare the root file system.
414. An init process is created through clone.
In steps 415-417, the user namespace for the container is configured.
415. The root file system preparation process requests the init process to write the ID map.
416. The root file system prepares a process to set an ID mapping.
417. The configuration is completed.
418. The init process sets the container.
419. And the init process feeds back the result of creating the container to the container monitoring process.
420. The container monitoring process feeds back the results of creating the container to the command line interface.
421. The status of the container is updated (e.g., creation is complete).
After the aforementioned method 300 or 400 is performed, a method for preparing a root file system according to still another embodiment of the present invention may also be performed. Fig. 5 shows a flow diagram of a method 500 for preparing a root file system according to yet another embodiment of the invention. As shown in FIG. 5, in step 501, the container monitoring process runs a pre-start hook (prestart).
502. The container monitoring process runs a creatertruntime hook.
503. The container monitoring process requests the init process to run hooks.
504. The init process runs the createContainer hook.
505. The init process uses the root file system directory of the pivot _ root switch process to isolate the root file system.
506. The init process feeds back the result of the hook operation to the container monitoring process. Subsequently, the init process waits for a start signal.
507. The container monitoring process feeds back the result of the execution of the hook to the command line interface.
508. And (4) finishing.
509. The user sends an activation signal to the command line interface.
510. The command line interface begins executing the process.
511. The init process runs a startContainer hook.
512. The init process creates an app process through fork and exec functions.
513. The init process requests the container monitor process to run a hook.
514. The container monitor process runs the poststart process.
515. The container monitor process sends the result of the running hook to the init process. Subsequently, the container monitor process clears the memory.
516. And the init process feeds back the results of starting and running the hook to the command line interface. Subsequently, the init process clears the memory.
517. The command line interface updates the state of the container.
518. The command line interface feeds back completion to the user.
519. The user performs a forced end (kill).
520. The command line interface sends a signal to the init process to force the end.
521. The command line interface feeds back completion to the user.
522. The init process signals the app process to force an end.
523. The app process terminates the process by exit.
524. The init process terminates the process by an exit.
525. The container monitoring process updates the state of the container.
FIG. 6 illustrates a schematic diagram of a preparation system 600 for a root file system, according to one embodiment of the invention. Root file system preparation system 600 resides in a computing device, such as computing device 200 described above, and is adapted to perform root file system preparation method 300 of the present invention.
As shown in fig. 6, the root file system preparation system 600 includes a configuration file parsing module 610, a container monitoring process creation module 620, and a root file system preparation module 630. Root file system preparation system 600 may also include a copy process configuration module 640.
The configuration file parsing module 610 is adapted to parse the configuration file of the container through a command line interface in response to executing a command to create the container.
A container monitoring process creation module 620 adapted to create a container monitoring process when the configuration file is legitimate.
The root file system preparing module 630 is adapted to create a root file system preparing process through the container monitoring process, the root file system preparing process requests the container monitoring process to configure the user namespace of the root file system according to the description in the configuration file, and the container monitoring process configures the user namespace of the root file system.
And the copy process configuration module 640 is adapted to create an init process in a copy manner through the root file system preparation process, and configure a user namespace for the init process.
It should be noted that the configuration file parsing module 610 is configured to perform the aforementioned step 310, the container monitoring process creation module 620 is configured to perform the aforementioned step 320, and the root file system preparation module 630 is configured to perform the aforementioned steps 330-350. Here, for specific execution logic of the configuration file parsing module 610, the container monitoring process creating module 620, and the root file system preparing module 630, reference is made to the description in the method 300 and the corresponding parts of the method 400, and details are not repeated here.
According to the preparation scheme of the root file system, the root file system is prepared through the container running time program, so that any component does not need to have root authority in the execution flow of the container, a user without computer root authority can prepare the root file system used by the container through the scheme of the invention, and the container can be used without the root authority. In addition, the scheme of the invention configures the name space of the root file system, and the caller of the program does not need to configure the name space of the root file system by himself when the container runs, thereby improving the preparation efficiency of the root file system.
Furthermore, the root file system prepared by the scheme of the invention is completely invisible in the host environment, so that the potential file index speed reduction caused by the lengthening of the mount table of the host environment is avoided.
The various techniques described herein may be implemented in connection with hardware or software or, alternatively, with a combination of both. Thus, the methods and apparatus of the present invention, or certain aspects or portions thereof, may take the form of program code (i.e., instructions) embodied in tangible media, such as removable hard drives, U.S. disks, floppy disks, CD-ROMs, or any other machine-readable storage medium, wherein, when the program is loaded into and executed by a machine, such as a computer, the machine becomes an apparatus for practicing the invention.
In the case of program code execution on programmable computers, the mobile terminal generally includes a processor, a storage medium readable by the processor (including volatile and non-volatile memory and/or storage elements), at least one input device, and at least one output device. Wherein the memory is configured to store program code; the processor is configured to perform the root file system preparation method of the present invention according to instructions in said program code stored in the memory.
By way of example, and not limitation, readable media may comprise readable storage media and communication media. Readable storage media store information such as computer readable instructions, data structures, program modules or other data. Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. Combinations of any of the above are also included within the scope of readable media.
In the description provided herein, algorithms and displays are not inherently related to any particular computer, virtual system, or other apparatus. Various general purpose systems may also be used with examples of this invention. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be construed to reflect the intent: that the invention as claimed requires more features than are expressly recited in each claim.
Those skilled in the art will appreciate that the modules or units or components of the devices in the examples disclosed herein may be arranged in a device as described in this embodiment, or alternatively may be located in one or more devices different from the device in this example. The modules in the foregoing examples may be combined into one module or may be further divided into multiple sub-modules.
Those skilled in the art will appreciate that the modules in the devices in an embodiment may be adaptively changed and arranged in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments.
Furthermore, some of the described embodiments are described herein as a method or combination of method elements that can be performed by a processor of a computer system or by other means of performing the described functions. A processor having the necessary instructions for carrying out the method or method elements thus forms a means for carrying out the method or method elements. Further, the elements of the apparatus embodiments described herein are examples of the following apparatus: the means for performing the functions performed by the elements for the purpose of carrying out the invention.
As used herein, unless otherwise specified the use of the ordinal adjectives "first", "second", "third", etc., to describe a common object, merely indicate that different instances of like objects are being referred to, and are not intended to imply that the objects so described must be in a given sequence, either temporally, spatially, in ranking, or in any other manner.
While the invention has been described with respect to a limited number of embodiments, those skilled in the art, having benefit of this description, will appreciate that other embodiments can be devised which do not depart from the scope of the invention as described herein. Furthermore, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter.
Claims (13)
1. A method of preparing a root file system, the root file system prepared by a container runtime program, the container runtime program including a command line interface, the method comprising:
in response to executing a command to create a container, parsing a configuration file for the container through the command line interface;
if the configuration file is legal, a container monitoring process is established;
creating a root file system preparation process by the container monitoring process;
the root file system preparation process requests the container monitoring process to configure the user namespace of the root file system according to the description in the configuration file;
the container monitoring process configures a user namespace of the root file system.
2. The method of claim 1, wherein the UID of a root file system preparation process in the configuration file maps to 0, such that a program run by the root file system preparation process mounts the root file system using a system call.
3. The method of claim 1 or 2, wherein the root file system preparation process requesting the container monitoring process to configure the user namespace of the root file system according to the description in the configuration file comprises:
in the root file system preparation process, an agent program of the unix domain socket is run.
4. The method of claim 1 or 2, further comprising:
the root file system preparation process creates an init process in a copying mode, and the init process is configured with a user namespace.
5. The method of claim 1 or 2, wherein after said if said profile is legal, further comprising:
the state of the container is updated as being created.
6. The method of claim 3, wherein said unix domain socket agent comprises xdg-dbus-proxy program.
7. A method according to claim 1 or 2, wherein the container monitoring process is a sub-process of a main process.
8. The method of claim 1 or 2, wherein the root file system preparation process is a replication process of the container monitoring process.
9. A preparation system for a root file system, comprising:
the configuration file analysis module is suitable for responding to a command for operating and creating the container and analyzing the configuration file of the container through a command line interface;
the container monitoring process creating module is suitable for creating a container monitoring process when the configuration file is legal;
and the root file system preparation module is suitable for creating a root file system preparation process through the container monitoring process, the root file system preparation process requests the container monitoring process to configure the user namespace of the root file system according to the description in the configuration file, and the container monitoring process configures the user namespace of the root file system.
10. The system of claim 9, wherein the UID of a root file system preparation process in the configuration file maps to 0 so that a program run by the root file system preparation process in a root file system preparation module mounts the root file system using a system call.
11. The system of claim 9 or 10, further comprising:
and the copy process configuration module is suitable for creating the init process by the root file system preparation process in a copy mode and configuring the user namespace for the init process.
12. A computing device, comprising:
at least one processor; and
a memory storing program instructions, wherein the program instructions are configured to be executed by the at least one processor, the program instructions comprising instructions for performing the method of any of claims 1 to 8.
13. A readable storage medium storing program instructions that, when read and executed by a computing device, cause the computing device to perform the method of any of claims 1 to 8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211098762.0A CN115202830B (en) | 2022-09-09 | 2022-09-09 | Root file system preparation method, system, computing device and readable storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211098762.0A CN115202830B (en) | 2022-09-09 | 2022-09-09 | Root file system preparation method, system, computing device and readable storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115202830A true CN115202830A (en) | 2022-10-18 |
CN115202830B CN115202830B (en) | 2022-12-30 |
Family
ID=83573417
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211098762.0A Active CN115202830B (en) | 2022-09-09 | 2022-09-09 | Root file system preparation method, system, computing device and readable storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115202830B (en) |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20170153930A1 (en) * | 2015-11-30 | 2017-06-01 | Coreos, Inc. | Application container runtime |
CN106991321A (en) * | 2017-04-18 | 2017-07-28 | 北京元心科技有限公司 | Method and device for running application program in multi-container system without trace |
CN107025135A (en) * | 2017-03-03 | 2017-08-08 | 网易(杭州)网络有限公司 | Application process management method, device and medium in Docker containers |
CN108985086A (en) * | 2018-07-18 | 2018-12-11 | 中软信息系统工程有限公司 | Application program authority control method, device and electronic equipment |
CN111563024A (en) * | 2020-07-15 | 2020-08-21 | 北京升鑫网络科技有限公司 | Method and device for monitoring container process on host machine and computing equipment |
CN111596930A (en) * | 2020-05-22 | 2020-08-28 | 深圳创新奇智科技有限公司 | Root file system mirror image manufacturing method and device, storage medium and embedded device |
CN111782339A (en) * | 2020-06-28 | 2020-10-16 | 京东数字科技控股有限公司 | Container creation method and device, electronic equipment and storage medium |
US20200341821A1 (en) * | 2019-04-24 | 2020-10-29 | Red Hat, Inc. | Uid and gid shifting for containers in user namespaces |
CN113312613A (en) * | 2020-05-15 | 2021-08-27 | 阿里巴巴集团控股有限公司 | Container creation method, container deletion method, device and equipment |
-
2022
- 2022-09-09 CN CN202211098762.0A patent/CN115202830B/en active Active
Patent Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20170153930A1 (en) * | 2015-11-30 | 2017-06-01 | Coreos, Inc. | Application container runtime |
CN107025135A (en) * | 2017-03-03 | 2017-08-08 | 网易(杭州)网络有限公司 | Application process management method, device and medium in Docker containers |
CN106991321A (en) * | 2017-04-18 | 2017-07-28 | 北京元心科技有限公司 | Method and device for running application program in multi-container system without trace |
CN108985086A (en) * | 2018-07-18 | 2018-12-11 | 中软信息系统工程有限公司 | Application program authority control method, device and electronic equipment |
US20200341821A1 (en) * | 2019-04-24 | 2020-10-29 | Red Hat, Inc. | Uid and gid shifting for containers in user namespaces |
CN113312613A (en) * | 2020-05-15 | 2021-08-27 | 阿里巴巴集团控股有限公司 | Container creation method, container deletion method, device and equipment |
CN111596930A (en) * | 2020-05-22 | 2020-08-28 | 深圳创新奇智科技有限公司 | Root file system mirror image manufacturing method and device, storage medium and embedded device |
CN111782339A (en) * | 2020-06-28 | 2020-10-16 | 京东数字科技控股有限公司 | Container creation method and device, electronic equipment and storage medium |
CN111563024A (en) * | 2020-07-15 | 2020-08-21 | 北京升鑫网络科技有限公司 | Method and device for monitoring container process on host machine and computing equipment |
Non-Patent Citations (1)
Title |
---|
孙思凯: "嵌入式Linux系统下根文件系统的构建", 《科技信息》 * |
Also Published As
Publication number | Publication date |
---|---|
CN115202830B (en) | 2022-12-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107896162B (en) | Deployment method and device of monitoring system, computer equipment and storage medium | |
WO2021022713A1 (en) | Distributed module update method, device, and storage medium | |
US11281768B1 (en) | Firmware security vulnerability verification service | |
CN112333096A (en) | Micro-service traffic scheduling method and related components | |
US9734311B1 (en) | Secure authentication of firmware configuration updates | |
CN111414391A (en) | Method and system for accessing multiple data sources | |
US12014170B2 (en) | Mini program batch processing method and apparatus, electronic device, and readable storage medium | |
CN115150392B (en) | Remote file copying method, system, computing equipment and storage medium | |
CN114860272A (en) | Operating system installation method, computing device and storage medium | |
CN116541085B (en) | Android/Linux fusion method, device, equipment and storage medium | |
CN115357257B (en) | Installation file generation method, system, computing device and storage medium | |
CN115202830B (en) | Root file system preparation method, system, computing device and readable storage medium | |
CN115617489B (en) | Operating system migration method, migration application and migration application deployment method | |
CN116450165A (en) | Method, system, terminal and storage medium for quickly building environment and deploying program | |
CN113986858B (en) | Linux compatible android system shared file operation method and device | |
CN113032004A (en) | Method, apparatus and program product for managing development jobs in a development environment | |
CN115309491A (en) | Logic algorithm of platform system | |
CN115016862A (en) | Kubernetes cluster-based software starting method, device, server and storage medium | |
CN113687908A (en) | PMEM virtual machine creation method, device, equipment and readable storage medium | |
CN113064698A (en) | Method for providing product environment and corresponding device, system, equipment and medium | |
CN108363614B (en) | Application service module management method and device and server | |
CN114756291B (en) | Hardware self-adaption method and device | |
CN113312661B (en) | User authorization system, method and device and electronic equipment | |
CN115185634A (en) | Subsystem implementation method and computing device | |
CN116089020B (en) | Virtual machine operation method, capacity expansion method and capacity expansion system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |