CN115469965A - Container access method and device, electronic equipment and readable storage medium

Info

Publication number
CN115469965A
Authority
CN
China
Prior art keywords
access
container
target
authority
temporary
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210996913.8A
Other languages
Chinese (zh)
Inventor
郭川磊
胡凌绚
郭威
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Baidu Netcom Science and Technology Co Ltd
Original Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Baidu Netcom Science and Technology Co Ltd
Priority to CN202210996913.8A
Publication of CN115469965A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45562 Creating, deleting, cloning virtual machine instances
    • G06F2009/45587 Isolation or security of virtual machine instances
    • G06F2009/45595 Network integration; Enabling network access in virtual machine instances
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The disclosure provides a container access method and device, an electronic device and a readable storage medium, and relates to the technical field of artificial intelligence such as cloud computing and big data. The container access method comprises the following steps: receiving an access request; determining an access right and a target access container according to the access request; and, when the access right is determined to be the read-only right, creating a temporary access container according to the target access container and forwarding the access request to the temporary access container to complete the access; otherwise, forwarding the access request to the target access container to complete the access. The method and the device enable the container cluster to support container access with either the read-only permission or the read-write permission at the same time, thereby improving the flexibility of container access and enhancing the operational stability of the container cluster.

Description

Container access method and device, electronic equipment and readable storage medium
Technical Field
The present disclosure relates to the field of computer technology, and in particular, to the field of artificial intelligence technologies such as cloud computing and big data. A container access method, a device, an electronic device and a readable storage medium are provided.
Background
In the prior art, a container can be accessed only with its default permission. The default permission is preset when the container is created and cannot be modified after the container is created, which leads to technical problems such as poor flexibility of container access.
Disclosure of Invention
According to a first aspect of the present disclosure, there is provided a container access method, including: receiving an access request; determining an access right and a target access container according to the access request; and under the condition that the access right is determined to be the read-only right, a temporary access container is created according to the target access container, the access request is forwarded to the temporary access container to finish the access, and otherwise, the access request is forwarded to the target access container to finish the access.
According to a second aspect of the present disclosure, there is provided a container access device comprising: a receiving unit configured to receive an access request; the determining unit is used for determining the access authority and the target access container according to the access request; and the access unit is used for creating a temporary access container according to the target access container under the condition that the access authority is determined to be the read-only authority, forwarding the access request to the temporary access container to finish the access, and otherwise forwarding the access request to the target access container to finish the access.
According to a third aspect of the present disclosure, there is provided an electronic device comprising: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method as described above.
According to a fourth aspect of the present disclosure, there is provided a non-transitory computer readable storage medium having stored thereon computer instructions for causing the computer to perform the method as described above.
According to a fifth aspect of the present disclosure, there is provided a computer program product comprising a computer program which, when executed by a processor, implements the method as described above.
According to the technical scheme, the separation of the read-only permission and the read-write permission is realized when the container is accessed, so that the container cluster can simultaneously support the access of the container with the read-only permission or the read-write permission, the flexibility of the container access is improved, and the operation stability of the container cluster is enhanced.
It should be understood that the statements in this section are not intended to identify key or critical features of the embodiments of the present disclosure, nor are they intended to limit the scope of the present disclosure. Other features of the present disclosure will become apparent from the following description.
Drawings
The drawings are included to provide a better understanding of the present solution and are not to be construed as limiting the present disclosure. Wherein:
FIG. 1 is a schematic diagram according to a first embodiment of the present disclosure;
FIG. 2 is a schematic diagram according to a second embodiment of the present disclosure;
FIG. 3 is a schematic diagram according to a third embodiment of the present disclosure;
FIG. 4 is a block diagram of an electronic device for implementing a container access method of an embodiment of the present disclosure.
Detailed Description
Exemplary embodiments of the present disclosure are described below with reference to the accompanying drawings, in which various details of the embodiments of the disclosure are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the present disclosure. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
Fig. 1 is a schematic diagram according to a first embodiment of the present disclosure. As shown in fig. 1, the method for accessing a container in this embodiment specifically includes the following steps:
S101, receiving an access request;
S102, determining an access right and a target access container according to the access request;
S103, when the access right is determined to be the read-only right, creating a temporary access container according to the target access container and forwarding the access request to the temporary access container to complete the access; otherwise, forwarding the access request to the target access container to complete the access.
The container access method is executed by a container cluster running on a container cloud platform. After the container cluster receives an access request, it first determines an access right and a target access container according to the access request, and then forwards the access request to the target access container or to a temporary access container depending on the access right, so that the container access is completed.
In this embodiment, the container cluster running on the container cloud platform may be a Kubernetes (k8s) cluster, a k3s cluster, or another type of cluster.
In this embodiment, the access request received by the container cluster in S101 includes identification information and container access information; the identification information corresponds to the input end sending the access request and may be at least one of an input end ID, an input end name and the user group to which the input end belongs; the container access information corresponds to the target access container to be accessed by the input end, and may be information such as the IP address of the container or the domain name of the container.
When S101 receives an access request, the container cluster of this embodiment may receive the access request directly sent by an input end, or may receive an access request forwarded by a cluster agent; after receiving an access request sent by an input end, the cluster agent determines a container cluster to be accessed by the input end according to container access information in the access request, and then forwards the access request to the determined container cluster.
It can be understood that, when the input terminal in this embodiment sends an access request to the container cluster or the cluster agent (for example, the input terminal sends the access request through a Web page or a command line terminal environment), the input terminal may first authenticate by using an authentication method such as secondary authentication to obtain the identification information, and then add the obtained identification information to the access request to send.
In addition to the identification information and the container access information, the access request received by the container cluster in S101 of this embodiment may further include an expected permission; the expected permission is the permission which is automatically input or selected by the input end when the access request is sent through a Web page or a command line terminal environment.
After executing S101 to receive the access request, the container cluster of this embodiment executes S102 to determine an access right and a target access container according to the access request; the access right determined by the container cluster in this embodiment is one of a read-only right and a read-write right.
When the container cluster of this embodiment determines the access right according to the access request in step S102, an optional implementation manner that may be adopted is as follows: acquiring identification information from the access request; taking a preset authority corresponding to the acquired identification information as an access authority; the container cluster of this embodiment may determine the preset authority corresponding to the identification information according to a preset relationship table, where the preset relationship table includes correspondence between different identification information and different preset authorities.
That is to say, the container cluster of this embodiment determines an access right according to the received access request, and compared with a manner in which, after the container cluster receives the access request, a default right is used as the access right in the prior art, this embodiment can obtain different access rights according to different received access requests, thereby simultaneously supporting access with a read-only right or access with a read-write right, improving the accuracy of the determined access right, and enhancing the comprehensiveness of container access.
It can be understood that, the container cluster of this embodiment may also update the preset relationship table periodically, specifically, at preset time intervals, update the identification information included in the preset relationship table and/or the preset authority corresponding to the identification information.
When the container cluster of this embodiment executes S102 and takes the preset permission corresponding to the acquired identification information as the access right, it may further perform the following: acquiring the expected permission from the access request; and, when the expected permission is determined to be the same as the preset permission, taking the expected permission as the access right; otherwise, taking the preset permission as the access right.
That is to say, the container cluster of this embodiment may also determine the access right in combination with the desired right in the access request, so as to improve the accuracy and the reasonableness of the determined access right.
When the container cluster of this embodiment executes S102 to determine a target access container according to the access request, the optional implementation manner that may be adopted is as follows: acquiring container access information from the access request; and taking the container corresponding to the acquired container access information as a target access container.
In addition, since the target access container is located in a certain container group (pod) in a certain node (node) in the container cluster, after the container cluster of this embodiment executes S102 to obtain the container access information, the node and/or the container group where the target access container is located may be further determined according to the container access information.
After the container cluster of this embodiment executes S102 to determine the access right and the target access container, execute S103, when determining that the access right is a read-only right, create a temporary access container according to the target access container, and forward the access request to the temporary access container to complete the access, otherwise forward the access request to the target access container to complete the access.
That is to say, the container cluster of this embodiment forwards the access request to the temporary access container or the target access container according to the difference of the access permissions, so that the purpose of separating the read-only permission from the read-write permission during the container access is achieved, the problem that only the container can be accessed according to the default permission of the container in the prior art is avoided, and the function of the container access is expanded.
Specifically, when the container cluster of this embodiment executes S103 to create the temporary access container according to the target access container, an optional implementation is as follows: determining a target container group according to the target access container; creating a temporary container in the determined target container group; acquiring the target namespace and the target root directory of the target access container; and adding the target namespace to the created temporary container and mounting the target root directory, to obtain the temporary access container.
That is to say, the temporary access container created in the target container group by the container cluster of this embodiment adds the target namespace of the target access container and mounts the target root directory of the target access container, so that the input end can view the same content as the target access container in the temporary access container, thereby achieving the purpose that the input end accesses the container with read-only right.
In addition, when the temporary access container is obtained by executing S103, the container cluster of this embodiment may further add the identification information included in the access request to the temporary access container, so as to more clearly display which input end currently accesses the temporary access container.
When the container cluster of this embodiment executes S103 to determine the target container group according to the target access container, the optional implementation manner that may be adopted is: taking the node where the target access container is located as a target node; and taking the container group meeting the preset requirement in the target node as a target container group.
When the container cluster of this embodiment executes S103 to take a container group in the target node that meets the preset requirement as the target container group, it may take the container group in which the target access container is located as the target container group, or it may take the container group with the lowest load in the target node as the target container group.
When the container cluster of this embodiment executes S103 to create a temporary container in the determined target container group, it may also allocate preset computing resources (e.g., preset CPUs, preset memories, etc.) to the created temporary container, so as to improve the accuracy of allocating computing resources and avoid the waste of computing resources.
When S103 is executed to forward the access request to the temporary access container or the target access container, the container cluster of this embodiment may first establish a communication connection (e.g., a communication connection based on the Websocket protocol) with the temporary access container or the target access container, and then forward the access request to the temporary access container or the target access container through the established communication connection.
In order to avoid the waste of computing resources, the container cluster of this embodiment may further include the following after executing S103 to forward the access request to the temporary access container: deleting the temporary access container in the case that it is determined that the container access has been completed; the container cluster of this embodiment may determine that container access is completed when the input end exits the temporary access container, or may determine that container access is completed when it is determined that the creation time length of the temporary access container exceeds the time length threshold.
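Steps S101 to S103 and the clean-up rule above, as an added Python sketch that is not code from the patent or its assignee: it models the preset relationship table, the expected-permission rule, the routing decision and the deletion of temporary access containers in memory. The table entries, container records and paths are constructed; rejecting identities that are missing from the table and marking the root-directory mount read-only are assumptions, since the text does not specify either. Note that, as the rule is stated, the expected permission never changes the outcome: the effective right always equals the preset one.

```python
import itertools
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple, Union

READ_ONLY, READ_WRITE = "read-only", "read-write"


@dataclass(frozen=True)
class AccessRequest:
    identification: str             # input-end ID, name or user group
    container_access_info: str      # e.g. container IP address or domain name
    desired: Optional[str] = None   # optional expected permission


@dataclass(frozen=True)
class TargetContainer:
    name: str
    node: str
    pod: str         # container group the target lives in
    namespace: str   # opaque handle for the target's namespace (constructed)
    root_dir: str    # target root directory (constructed path)


@dataclass(frozen=True)
class TempContainer:
    name: str
    pod: str
    joined_namespace: str
    mounted_root: str
    mount_read_only: bool   # assumption: the text does not name a mount flag
    accessed_by: str        # identification information attached for visibility
    created_at: float


# Constructed sample data: preset relationship table and one target container.
SAMPLE_TABLE = {"alice": READ_WRITE, "audit-group": READ_ONLY}
SAMPLE_TARGETS = {
    "10.0.0.5": TargetContainer("web", "node-1", "pod-a", "ns-web",
                                "/constructed/rootfs/web"),
}


class AccessRouter:
    def __init__(self, preset_table: Dict[str, str],
                 targets: Dict[str, TargetContainer], ttl_seconds: float,
                 clock: Callable[[], float] = time.monotonic):
        self.preset_table = dict(preset_table)
        self.targets = dict(targets)
        self.ttl = ttl_seconds
        self.clock = clock
        self.temp: Dict[str, TempContainer] = {}
        self._seq = itertools.count(1)

    def determine_permission(self, req: AccessRequest) -> str:
        preset = self.preset_table.get(req.identification)
        if preset is None:
            # Assumption: fail closed for identities missing from the table.
            raise PermissionError(f"no preset permission for {req.identification!r}")
        # Rule as stated: use the expected permission only when it equals the
        # preset one, so a requested permission can never widen the preset.
        return req.desired if req.desired == preset else preset

    def handle(self, req: AccessRequest) -> Tuple[str, Union[TargetContainer, TempContainer]]:
        permission = self.determine_permission(req)               # S102
        target = self.targets.get(req.container_access_info)      # S102
        if target is None:
            raise LookupError(f"unknown container {req.container_access_info!r}")
        if permission == READ_WRITE:
            return permission, target                              # S103: direct
        temp = TempContainer(                                      # S103: temporary
            name=f"exec-{target.name}-{next(self._seq)}",
            pod=target.pod,                    # same container group as the target
            joined_namespace=target.namespace,
            mounted_root=target.root_dir,
            mount_read_only=True,
            accessed_by=req.identification,
            created_at=self.clock(),
        )
        self.temp[temp.name] = temp
        return permission, temp

    def close(self, name: str) -> bool:
        """Delete a temporary access container when the input end exits it."""
        return self.temp.pop(name, None) is not None

    def reap_expired(self) -> List[str]:
        """Delete temporary access containers older than the duration threshold."""
        now = self.clock()
        expired = [n for n, t in self.temp.items() if now - t.created_at > self.ttl]
        for n in expired:
            del self.temp[n]
        return expired
```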
Fig. 2 is a schematic diagram according to a second embodiment of the present disclosure. Fig. 2 shows the flow of the present embodiment for accessing containers in a Kubernetes cluster:
the input end initiates a container access operation at a Web end or a command line, and after secondary authentication, the identification information of the input end is acquired;
the input end sends an access request containing the identification information and container access information to the cluster agent;
after the cluster agent determines the Kubernetes cluster where the container to be accessed is located according to the container access information, the cluster agent forwards the access request to k8s-APIServer in the Kubernetes cluster;
after the k8s-APIServer determines the access right according to the access request, the determined access right and the access request are forwarded to an Exec-Server (the Exec-Server is an API Server additionally extended in a Kubernetes cluster);
the Exec-Server sends the access request to an Exec-Agent (a resident single machine) of the node where the target access container is located when the access right is determined to be the read-only right, and sends the access request to the node where the target access container is located when the access right is determined to be the read-write right, so that the node calls a Kubelet service to directly forward the access request to the target access container;
the Execkd-Agent creates a temporary access container (Exec Container) in the target container group (Target Pod) according to the target access container (Target Container), and the Execkd-Agent can allocate preset computing resources for the temporary access container according to the Cgroups mechanism.
Fig. 3 is a schematic diagram according to a third embodiment of the present disclosure. As shown in fig. 3, the container access apparatus 300 of the present embodiment, located in a container cluster, includes:
a receiving unit 301 configured to receive an access request;
a determining unit 302, configured to determine an access right and a target access container according to the access request;
the access unit 303 is configured to, when it is determined that the access right is a read-only right, create a temporary access container according to the target access container, forward the access request to the temporary access container to complete access, and otherwise forward the access request to the target access container to complete access.
In this embodiment, the container cluster running on the container cloud platform may be a Kubernetes (k8s) cluster, a k3s cluster, or another type of cluster.
The access request received by the receiving unit 301 includes identification information and container access information; the identification information corresponds to the input end sending the access request and can be at least one of information such as an input end ID, an input end name and a user group to which the input end belongs; the container access information corresponds to a target access container to be accessed by the input terminal, and may be information such as an IP address of the container, a domain name of the container, and the like.
When receiving an access request, the receiving unit 301 may receive the access request directly sent by the input terminal, or may receive an access request forwarded by the cluster agent; after receiving the access request sent by the input end, the cluster agent determines a container cluster to be accessed by the input end according to container access information in the access request, and further forwards the access request to the receiving unit 301 in the determined container cluster.
It can be understood that, when the input terminal in this embodiment sends an access request to a container cluster or a cluster agent, the input terminal may first authenticate in an authentication manner such as secondary authentication to obtain identification information, and then add the obtained identification information to the access request to send.
The access request received by the receiving unit 301 may further include a desired right in addition to the identification information and the container access information; the expected permission is the permission which is automatically input or selected by the input end when the access request is sent by a Web page or a command line terminal environment.
After the receiving unit 301 receives the access request, the determining unit 302 determines the access right and the target access container according to the access request; the access right determined by the determining unit 302 is one of a read-only right and a read-write right.
When determining the access right according to the access request, the determining unit 302 may adopt the following optional implementation manners: acquiring identification information from the access request; taking a preset authority corresponding to the acquired identification information as an access authority; the determining unit 302 may determine the preset authority corresponding to the identification information according to a preset relationship table, where the preset relationship table includes correspondence between different identification information and different preset authorities.
That is to say, the determining unit 302 determines the access right according to the received access request, and compared with a manner in the prior art that the container cluster takes the default right as the access right after receiving the access request, the present embodiment can obtain different access rights according to different received access requests, thereby simultaneously supporting access with a read-only right or access with a read-write right, improving the accuracy of the determined access right, and enhancing the comprehensiveness of container access.
It can be understood that the determining unit 302 may also perform periodic updating on the preset relationship table, specifically, at preset time intervals, updating the identification information included in the preset relationship table and/or the preset authority corresponding to the identification information.
When the preset right corresponding to the acquired identification information is taken as the access right, the determining unit 302 may further include the following: acquiring expected authority from the access request; and under the condition that the expected authority is determined to be the same as the preset authority, taking the expected authority as the access authority, otherwise, taking the preset authority as the access authority.
That is, the determining unit 302 may also determine the access right in combination with the desired right in the access request, thereby improving the accuracy and reasonableness of the determined access right.
When determining the target access container according to the access request, the determining unit 302 may adopt the following optional implementation manners: acquiring container access information from the access request; and taking the container corresponding to the acquired container access information as a target access container.
In addition, since the target access container is located in a certain container group (pod) in a certain node (node) in the container cluster, after acquiring the container access information, the determining unit 302 may further determine the node and/or the container group where the target access container is located according to the container access information.
After the determining unit 302 determines the access right and the target access container, the accessing unit 303 creates a temporary access container according to the target access container and forwards the access request to the temporary access container to complete the access if the access right is determined to be a read-only right, otherwise forwards the access request to the target access container to complete the access.
That is to say, the access unit 303 forwards the access request to the temporary access container or the target access container according to the difference of the access permissions, so that the purpose of separating the read-only permission from the read-write permission during the container access is achieved, the problem that the container can only be accessed according to the default permission of the container in the prior art is avoided, and the function of the container access is expanded.
Specifically, when the access unit 303 creates the temporary access container according to the target access container, an optional implementation is as follows: determining a target container group according to the target access container; creating a temporary container in the determined target container group; acquiring the target namespace and the target root directory of the target access container; and adding the target namespace to the created temporary container and mounting the target root directory, to obtain the temporary access container.
That is to say, the temporary access container created in the target container group by the access unit 303 enables the input end to view the same content as the target access container in the temporary access container because the temporary access container adds the target namespace of the target access container and mounts the target root directory of the target access container, thereby achieving the purpose that the input end accesses the container with read-only rights.
In addition, when the access unit 303 obtains the temporary access container, the identification information included in the access request may be added to the temporary access container, so as to more clearly display which input terminal currently accesses the temporary access container.
When determining the target container group according to the target access container, the access unit 303 may adopt the following optional implementation manners: taking the node where the target access container is located as a target node; and taking the container group meeting the preset requirement in the target node as a target container group.
When the container group satisfying the preset requirement in the target node is set as the target container group, the access unit 303 may set, as the target container group, a container group in which the target access container in the target node is located, or may set, as the target container group, a container group with the lowest load in the target node.
When creating a temporary container in the determined target container group, the access unit 303 may also allocate a preset computing resource (e.g., a preset CPU, a preset memory, etc.) to the created temporary container, thereby improving the accuracy of allocating the computing resource and avoiding the waste of the computing resource.
The accessing unit 303 may first establish a communication connection with the temporary access container or the target access container when forwarding the access request to the temporary access container or the target access container, and then forward the access request to the temporary access container or the target access container through the established communication connection.
The container access apparatus 300 of this embodiment may further include a deleting unit 304, configured to delete the temporary access container in the case that it is determined that the container access has been completed. The deleting unit 304 may determine that the container access is completed when the input end exits the temporary access container, or when the time elapsed since the creation of the temporary access container exceeds a duration threshold.
In the technical solution of the present disclosure, the acquisition, storage, and use of the personal information of the users involved all comply with the relevant laws and regulations and do not violate public order and good customs.
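The routing, temporary-container creation and cleanup described above for units 302 to 304, together with the permission rule of claims 2 and 3, as an added Python example (not code from the patent). It models the cluster in memory; the identities, container and pod names, resource values, the 600-second threshold, the refusal of identities with no preset authority, and the read-only mount of the root directory are all assumptions made for the example.

```python
import itertools
from dataclasses import dataclass, field

READ_ONLY, READ_WRITE = "ro", "rw"
PRESET = {"alice": READ_WRITE, "bob": READ_ONLY}  # constructed identity -> preset authority
TTL_SECONDS = 600  # assumed duration threshold for temporary access containers

@dataclass
class Container:
    name: str
    node: str
    pod: str
    namespace: str                 # handle of the namespace the container runs in
    rootfs: str                    # root directory of the container
    root_mount: str = "rw"
    labels: dict = field(default_factory=dict)
    limits: dict = field(default_factory=dict)
    created: float = 0.0

class Gateway:
    def __init__(self, containers, pod_load):
        self.containers = {c.name: c for c in containers}
        self.pod_load = pod_load   # {(node, pod): load}
        self.temp = {}             # live temporary access containers by name
        self._ids = itertools.count(1)

    def resolve_right(self, identity, expected=None):
        preset = PRESET.get(identity)
        if preset is None:         # assumption: identities with no preset are refused
            raise PermissionError(f"no preset authority for {identity!r}")
        # Rule of claim 3: the expected right is honoured only when it equals the preset.
        return expected if expected == preset else preset

    def pick_pod(self, target, lowest_load=False):
        pods = {p: load for (n, p), load in self.pod_load.items() if n == target.node}
        if not lowest_load or not pods:
            return target.pod      # default: the pod the target already lives in
        return min(pods, key=pods.get)

    def route(self, request, now, lowest_load=False):
        right = self.resolve_right(request["identity"], request.get("expected"))
        target = self.containers[request["container"]]
        if right != READ_ONLY:
            return target          # read-write: forward to the target itself
        tmp = Container(
            name=f"tmp-{next(self._ids)}", node=target.node,
            pod=self.pick_pod(target, lowest_load),
            namespace=target.namespace,             # join the target's namespace
            rootfs=target.rootfs, root_mount="ro",  # assumption: mounted read-only
            labels={"accessed-by": request["identity"]},
            limits={"cpu": "100m", "memory": "64Mi"},  # constructed preset resources
            created=now)
        self.temp[tmp.name] = tmp
        return tmp

    def close(self, name):
        """Input end exited: delete the temporary access container."""
        return self.temp.pop(name, None) is not None

    def reap(self, now):
        """Delete temporary containers older than the duration threshold."""
        expired = [n for n, c in self.temp.items() if now - c.created > TTL_SECONDS]
        for n in expired:
            del self.temp[n]
        return expired
```

Under the rule as stated, `resolve_right` never returns anything other than the preset authority, so a read-only identity cannot obtain read-write access by requesting it, and a read-write identity that requests read-only is still forwarded to the target container.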
The present disclosure also provides an electronic device, a readable storage medium, and a computer program product according to embodiments of the present disclosure.
Fig. 4 is a block diagram of an electronic device for the container access method according to an embodiment of the present disclosure. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital processing, cellular phones, smart phones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be examples only, and are not intended to limit implementations of the disclosure described and/or claimed herein.
As shown in fig. 4, the device 400 comprises a computing unit 401, which may perform various suitable actions and processes according to a computer program stored in a Read Only Memory (ROM) 402 or a computer program loaded from a storage unit 408 into a Random Access Memory (RAM) 403. In the RAM403, various programs and data required for the operation of the device 400 can also be stored. The computing unit 401, ROM402, and RAM403 are connected to each other via a bus 404. An input/output (I/O) interface 405 is also connected to bus 404.
A number of components in device 400 are connected to I/O interface 405, including: an input unit 406 such as a keyboard, a mouse, or the like; an output unit 407 such as various types of displays, speakers, etc.; a storage unit 408 such as a magnetic disk, optical disk, or the like; and a communication unit 409 such as a network card, modem, wireless communication transceiver, etc. The communication unit 409 allows the device 400 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
Computing unit 401 may be a variety of general and/or special purpose processing components with processing and computing capabilities. Some examples of the computing unit 401 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various dedicated Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, and so forth. The computing unit 401 executes the respective methods and processes described above, such as the container access method. For example, in some embodiments, the container access method may be implemented as a computer software program tangibly embodied in a machine-readable medium, such as storage unit 408.
In some embodiments, part or all of the computer program may be loaded and/or installed onto the device 400 via the ROM402 and/or the communication unit 409. When the computer program is loaded into RAM403 and executed by computing unit 401, one or more steps of the container access method described above may be performed. Alternatively, in other embodiments, the computing unit 401 may be configured to perform the container access method by any other suitable means (e.g., by means of firmware).
Various implementations of the systems and techniques described here can be realized in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems on a Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implemented in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for implementing the methods of the present disclosure may be written in any combination of one or more programming languages. These program codes may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable container access device, such that the program codes, when executed by the processor or controller, cause the functions/operations specified in the flowchart and/or block diagram to be performed. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a presentation device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for presenting information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user may provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user can be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), and the Internet.
The computer system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, which is a host product in a cloud computing service system that addresses the high management difficulty and weak service scalability of traditional physical hosts and Virtual Private Server (VPS) services. The server may also be a server of a distributed system, or a server incorporating a blockchain.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present disclosure may be executed in parallel or sequentially or in different orders, and are not limited herein as long as the desired results of the technical solutions disclosed in the present disclosure can be achieved.
The above detailed description should not be construed as limiting the scope of the disclosure. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present disclosure should be included in the scope of protection of the present disclosure.

Claims (15)

1. A container access method, comprising:
receiving an access request;
determining an access right and a target access container according to the access request;
and under the condition that the access authority is determined to be the read-only authority, creating a temporary access container according to the target access container, forwarding the access request to the temporary access container to finish the access, and otherwise, forwarding the access request to the target access container to finish the access.
2. The method of claim 1, wherein the determining access rights from the access request comprises:
acquiring identification information from the access request;
and taking the preset authority corresponding to the identification information as the access authority.
3. The method of claim 2, wherein the regarding a preset right corresponding to the identification information as the access right comprises:
obtaining expected authority from the access request;
and under the condition that the expected authority is determined to be the same as the preset authority, taking the expected authority as the access authority, otherwise, taking the preset authority as the access authority.
4. The method of any of claims 1-3, wherein the creating a temporary access container from the target access container comprises:
determining a target container group according to the target access container;
creating a temporary container in the target container group;
acquiring a target namespace and a target root directory of the target access container;
and adding the target namespace into the temporary container, and mounting the target root directory to obtain the temporary access container.
5. The method of claim 4, wherein the determining a target set of containers from the target access container comprises:
taking the node where the target access container is located as a target node;
and taking the container group meeting the preset requirement in the target node as the target container group.
6. The method of any of claims 1-5, further comprising,
in the event that it is determined that container access is complete, deleting the temporary access container.
7. A container access device, comprising:
a receiving unit configured to receive an access request;
the determining unit is used for determining the access authority and the target access container according to the access request;
and the access unit is used for creating a temporary access container according to the target access container under the condition that the access authority is determined to be the read-only authority, forwarding the access request to the temporary access container to finish the access, and otherwise forwarding the access request to the target access container to finish the access.
8. The apparatus according to claim 7, wherein the determining unit, when determining the access right according to the access request, specifically performs:
acquiring identification information from the access request;
and taking the preset authority corresponding to the identification information as the access authority.
9. The apparatus according to claim 8, wherein the determining unit, when taking a preset right corresponding to the identification information as the access right, specifically performs:
acquiring expected authority from the access request;
and under the condition that the expected authority is determined to be the same as the preset authority, taking the expected authority as the access authority, otherwise, taking the preset authority as the access authority.
10. The apparatus according to any one of claims 7-9, wherein the access unit, when creating a temporary access container from the target access container, specifically performs:
determining a target container group according to the target access container;
creating a temporary container in the target container group;
acquiring a target namespace and a target root directory of the target access container;
and adding the target namespace into the temporary container, and mounting the target root directory to obtain the temporary access container.
11. The apparatus according to claim 10, wherein the access unit, when determining the target container group from the target access container, specifically performs:
taking the node where the target access container is located as a target node;
and taking the container group meeting the preset requirement in the target node as the target container group.
12. The apparatus according to any one of claims 7-10, further comprising a deletion unit for performing:
in the event that it is determined that container access is complete, deleting the temporary access container.
13. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-6.
14. A non-transitory computer readable storage medium having stored thereon computer instructions for causing the computer to perform the method of any one of claims 1-6.
15. A computer program product comprising a computer program which, when executed by a processor, implements the method according to any one of claims 1-6.
CN202210996913.8A 2022-08-19 2022-08-19 Container access method and device, electronic equipment and readable storage medium Pending CN115469965A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210996913.8A CN115469965A (en) 2022-08-19 2022-08-19 Container access method and device, electronic equipment and readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210996913.8A CN115469965A (en) 2022-08-19 2022-08-19 Container access method and device, electronic equipment and readable storage medium

Publications (1)

Publication Number Publication Date
CN115469965A true CN115469965A (en) 2022-12-13

Family

ID=84365754

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210996913.8A Pending CN115469965A (en) 2022-08-19 2022-08-19 Container access method and device, electronic equipment and readable storage medium

Country Status (1)

Country Link
CN (1) CN115469965A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination