Disclosure of Invention
Based on this, it is necessary to provide a cross-cloud container image deployment method, apparatus, computer device and storage medium that can check the security of a container image from the build stage to the deployment stage in a multi-cloud environment, and so improve the security of the container image across those stages.
A cross-cloud container image deployment method, the method comprising:
acquiring a target base image repository, and pulling a target base image from the target base image repository;
acquiring target business code, and building an intermediate application image based on the target base image and the target business code;
performing signature verification on the intermediate application image to obtain a first signature verification result;
transmitting the intermediate application image to a target cloud container image repository based on the first signature verification result and a secure file transfer protocol;
acquiring a target script, pulling, by a target cluster and based on the target script, a target application image from the target cloud container image repository, and performing signature verification on the target application image to obtain a second signature verification result;
and deploying the target application image to a target cloud server based on the second signature verification result.
In one embodiment, before the acquiring of the target base image repository and the pulling of the target base image from it, the method further includes:
acquiring an original base image;
performing security baseline hardening on the original base image by means of an automatic hardening script to obtain a first base image;
pushing the first base image to an original base image repository for security scanning to obtain a security scanning result;
when the security scanning result indicates that a high-risk vulnerability exists, repeating the operation of rectifying and rebuilding the first base image until the rectified first base image no longer carries a high-risk vulnerability, and taking the rectified first base image as the base image to be stored;
when the security scanning result indicates that no high-risk vulnerability exists, taking the first base image as the base image to be stored;
and adding the base image to be stored to the original base image repository, thereby building the target base image repository.
In one embodiment, the acquiring of the target business code and the building of the intermediate application image based on the target base image and the target business code comprises:
building a file compliance checking component, acquiring original business code, and performing security scanning on the original business code with the file compliance checking component to obtain a first security scanning result;
performing file compliance rectification on the original business code based on the first security scanning result to obtain the target business code;
fusing the target business code into the target base image to obtain a first application image;
pushing the first application image to an application image repository for security scanning to obtain a second security scanning result;
when the second security scanning result indicates that a high-risk vulnerability exists, repeating the operation of rectifying and rebuilding the first application image until the rectified first application image no longer carries a high-risk vulnerability, and taking the rectified first application image as the application image to be signed;
when the second security scanning result indicates that no high-risk vulnerability exists, taking the first application image as the application image to be signed;
and performing a signing operation on the application image to be signed to obtain the intermediate application image.
In one embodiment, the performing of the signing operation on the application image to be signed to obtain the intermediate application image includes:
calculating digest information corresponding to the application image to be signed;
and encrypting the digest information based on a public key to obtain an encrypted digest corresponding to the application image to be signed, thereby completing the signing operation on the application image to be signed and obtaining the intermediate application image.
In one embodiment, the performing of signature verification on the intermediate application image to obtain the first signature verification result includes:
acquiring the encrypted digest corresponding to the intermediate application image;
calculating digest information corresponding to the intermediate application image;
decrypting the encrypted digest corresponding to the intermediate application image based on the private key to obtain a decrypted digest;
and comparing the digest information corresponding to the intermediate application image with the decrypted digest to obtain the first signature verification result.
In one embodiment, the deploying of the target application image to the target cloud server based on the second signature verification result comprises:
when the second signature verification result indicates that the target application image is a signed application image, starting the target application image based on the target script, thereby completing the deployment of the target application image on the target cloud server;
and when the second signature verification result indicates that the target application image is an unsigned application image, stopping the deployment of the target application image to the target cloud server.
A cross-cloud container image deployment apparatus, the apparatus comprising:
a target base image acquisition module, configured to acquire a target base image repository and pull a target base image from the target base image repository;
an intermediate application image generation module, configured to acquire target business code and build an intermediate application image based on the target base image and the target business code;
a first signature verification result determining module, configured to perform signature verification on the intermediate application image to obtain a first signature verification result;
an intermediate application image transmission module, configured to transmit the intermediate application image to a target cloud container image repository based on the first signature verification result and a secure file transfer protocol;
a second signature verification result determining module, configured to acquire a target script, pull, by the target cluster and based on the target script, a target application image from the target cloud container image repository, and perform signature verification on the target application image to obtain a second signature verification result;
and a target application image deployment module, configured to deploy the target application image to a target cloud server based on the second signature verification result.
In one embodiment, the cross-cloud container image deployment apparatus further comprises:
a target base image repository generation module, configured to acquire an original base image; perform security baseline hardening on the original base image by means of an automatic hardening script to obtain a first base image; push the first base image to an original base image repository for security scanning to obtain a security scanning result; when the security scanning result indicates that a high-risk vulnerability exists, repeat the operation of rectifying and rebuilding the first base image until the rectified first base image no longer carries a high-risk vulnerability, and take the rectified first base image as the base image to be stored; when the security scanning result indicates that no high-risk vulnerability exists, take the first base image as the base image to be stored; and add the base image to be stored to the original base image repository, thereby building the target base image repository.
A computer device comprising a memory and a processor, the memory storing a computer program, and the processor implementing the following steps when executing the computer program:
acquiring a target base image repository, and pulling a target base image from the target base image repository;
acquiring target business code, and building an intermediate application image based on the target base image and the target business code;
performing signature verification on the intermediate application image to obtain a first signature verification result;
transmitting the intermediate application image to a target cloud container image repository based on the first signature verification result and a secure file transfer protocol;
acquiring a target script, pulling, by a target cluster and based on the target script, a target application image from the target cloud container image repository, and performing signature verification on the target application image to obtain a second signature verification result;
and deploying the target application image to a target cloud server based on the second signature verification result.
A computer-readable storage medium on which a computer program is stored which, when executed by a processor, carries out the following steps:
acquiring a target base image repository, and pulling a target base image from the target base image repository;
acquiring target business code, and building an intermediate application image based on the target base image and the target business code;
performing signature verification on the intermediate application image to obtain a first signature verification result;
transmitting the intermediate application image to a target cloud container image repository based on the first signature verification result and a secure file transfer protocol;
acquiring a target script, pulling, by a target cluster and based on the target script, a target application image from the target cloud container image repository, and performing signature verification on the target application image to obtain a second signature verification result;
and deploying the target application image to a target cloud server based on the second signature verification result.
According to the cross-cloud container image deployment method, apparatus, computer device and storage medium, a target base image repository is acquired and a target base image is pulled from it; target business code is acquired, and an intermediate application image is built based on the target base image and the target business code; signature verification is performed on the intermediate application image to obtain a first signature verification result; the intermediate application image is transmitted to a target cloud container image repository based on the first signature verification result and a secure file transfer protocol; a target script is acquired, a target cluster pulls a target application image from the target cloud container image repository based on the target script, and signature verification is performed on the target application image to obtain a second signature verification result; and the target application image is deployed to a target cloud server based on the second signature verification result.
Because the target application image passes through multiple rounds of security scanning and signature verification on its way from build to deployment (pulling the target base image from the target base image repository, building the intermediate application image from it and the target business code, verifying its signature before transmission to the target cloud container image repository, pulling the target application image according to the target script, verifying its signature a second time, and deploying it to the target cloud server according to the second signature verification result and the target script), the security of the container image from the build stage to the deployment stage is improved.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more clearly understood, the present application is further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The cross-cloud container image deployment method provided by the embodiments of the present application can be applied to the application environment shown in fig. 1, in which the terminal 102 communicates with the server 104 via a network. A data storage system may store the data that the server 104 needs to process; it may be integrated on the server 104 or located on the cloud or another network server. The terminal 102 is used to input the image. The server 104 is used to build a target application image and deploy it to a target cloud server. The terminal 102 may be, but is not limited to, a personal computer, notebook computer, smartphone, tablet computer, internet of things device or portable wearable device. The server 104 may be implemented as a stand-alone server or as a server cluster made up of multiple servers.
In one embodiment, as shown in fig. 2, a cross-cloud container image deployment method is provided. It is described here by way of example as applied to the server in fig. 1, and includes the following steps:
Step S200, acquiring a target base image repository, and pulling a target base image from the target base image repository.
An image is a form of file storage: a lightweight, executable, self-contained software package that bundles a software running environment together with software developed for that environment, and contains everything needed to run the software, including code, runtime state, libraries, environment variables and configuration files. A base image is an image on which further customisation is performed. The target base image repository is a repository that stores base images, which are obtained by downloading original base images from an official image repository and then subjecting them to security baseline hardening and security scanning. An official image repository is the image repository of an official platform that provides base image downloads, including original Docker images such as centos, ubuntu and python. The target base image is the base image used to build the application image for the corresponding business scenario.
Specifically, the target base image repository holds a plurality of base images, each stored after being downloaded from the official image repository and subjected to security baseline hardening and security scanning; when a particular base image is needed, it is pulled from the target base image repository as the target base image. When the target base image is not yet stored in the target base image repository, the base image is downloaded from the official image repository, subjected to security baseline hardening, security scanning and similar operations to obtain the target base image, and then stored in the target base image repository, from which it is pulled in the subsequent process.
Step S202, acquiring target business code, and building an intermediate application image based on the target base image and the target business code.
The target business code is the application-related development code submitted by a developer. The intermediate application image is the application image obtained by packaging the target business code into the target base image and applying a digital signature.
Specifically, when an application image needs to be built and deployed, the product repository code, that is, the original business code, is pulled from GitLab. To ensure file compliance, a file compliance check is performed on files such as the Dockerfile and the Helm chart in the original business code, yielding the target business code; the compiled target business code is then packaged into the target base image and a digital signing operation is performed to obtain the intermediate application image. GitLab is a self-managed Git repository management system that keeps user code private and makes code changes easy to deploy. A digital signature means that a trusted party signs certain data with its own private key (often described as private-key encryption as a signature) to prove that the data can be trusted. A Dockerfile is a text file containing all the commands used to build an image; each line holds one instruction with its arguments, and each instruction builds a layer. Helm is a package management tool in the Kubernetes ecosystem, comparable to apt on Ubuntu or pip for Python; it is responsible for managing Kubernetes application resources and can be used to package, distribute, install, upgrade and roll back Kubernetes applications in a uniform way. Kubernetes, K8s for short (the 8 standing for the eight letters "ubernete" in the middle of the word), is an open-source system for automatically deploying, scaling and managing containerised applications; it manages containerised applications across multiple hosts in a cloud platform, aims to make deploying containerised applications simple and efficient, and also provides mechanisms for application deployment, planning, updating and maintenance.
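A minimal file compliance checking component for the Dockerfile part of that check, as an added example in Go that is not part of the application's text. The rules it enforces (a base image pinned to a version tag or digest rather than latest, no ADD from a remote URL, no password, secret or token literals in ENV or ARG values, and a final non-root USER) are assumptions chosen for the example, as is the sample Dockerfile text; a real component would load the organisation's own baseline.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one compliance violation found in a Dockerfile. Line is 1-based;
// 0 marks a finding about the file as a whole.
type Finding struct {
	Line int
	Rule string
	Msg  string
}

// CheckDockerfile applies a constructed set of file compliance rules to the
// text of a Dockerfile and returns the violations. The rules are assumptions
// for this example, not rules taken from the application's text.
func CheckDockerfile(text string) []Finding {
	var findings []Finding
	sawUser := false
	lastUser := ""
	for i, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		instr := strings.ToUpper(fields[0])
		args := fields[1:]
		switch instr {
		case "FROM":
			ref := ""
			for _, a := range args { // skip flags such as --platform=...
				if !strings.HasPrefix(a, "--") {
					ref = a
					break
				}
			}
			if ref == "" || ref == "scratch" || strings.Contains(ref, "@sha256:") {
				continue // digest-pinned and scratch bases are acceptable
			}
			tag := ""
			// A ':' after the last '/' separates the tag; one before it is a registry port.
			if idx := strings.LastIndex(ref, ":"); idx > strings.LastIndex(ref, "/") {
				tag = ref[idx+1:]
			}
			if tag == "" || tag == "latest" {
				findings = append(findings, Finding{i + 1, "FROM-PINNED",
					"base image must be pinned to a version tag or digest, not latest"})
			}
		case "USER":
			sawUser = true
			if len(args) > 0 {
				lastUser = strings.SplitN(args[0], ":", 2)[0] // drop an optional :group
			}
		case "ADD":
			for _, a := range args {
				if strings.HasPrefix(a, "http://") || strings.HasPrefix(a, "https://") {
					findings = append(findings, Finding{i + 1, "ADD-REMOTE",
						"ADD from a remote URL is not allowed; fetch and verify the file in a RUN step instead"})
					break
				}
			}
		case "ENV", "ARG":
			joined := strings.ToUpper(strings.Join(args, " "))
			for _, kw := range []string{"PASSWORD=", "SECRET=", "TOKEN="} {
				if strings.Contains(joined, kw) {
					findings = append(findings, Finding{i + 1, "SECRET-IN-ENV",
						"credentials must not be baked into the image as " + instr + " values"})
					break
				}
			}
		}
	}
	if !sawUser || lastUser == "root" || lastUser == "0" {
		findings = append(findings, Finding{0, "NONROOT-USER",
			"the image must end with a USER instruction naming a non-root account"})
	}
	return findings
}

// Compliant reports whether the Dockerfile passes every rule.
func Compliant(text string) bool {
	return len(CheckDockerfile(text)) == 0
}

func main() {
	// Constructed sample Dockerfile that violates all four rules.
	sample := "FROM ubuntu\nADD https://example.invalid/app.tgz /opt/\nENV DB_PASSWORD=changeme\nUSER root\n"
	for _, f := range CheckDockerfile(sample) {
		fmt.Printf("line %d %s: %s\n", f.Line, f.Rule, f.Msg)
	}
	fmt.Println("compliant:", Compliant(sample))
}
```

The first security scanning result of the claims corresponds to the returned findings; file compliance rectification means editing the Dockerfile until Compliant returns true, after which the build proceeds.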
Step S204, performing signature verification on the intermediate application image to obtain a first signature verification result.
Signature verification means checking whether the application image carries a digital signature made with an asymmetric key pair; the signature proves the identity of the application image. The first signature verification result is the result obtained by performing the first signature verification on the intermediate application image.
Specifically, in order to prevent problems such as unauthorised application deployment and hacking, and to ensure that each deployed application image corresponds to the right party, signature verification is performed on every application image to be deployed, the corresponding signature verification result is obtained, and whether the application image is deployed to the corresponding cloud server is decided according to that result.
Step S206, transmitting the intermediate application image to a target cloud container image repository based on the first signature verification result and a secure file transfer protocol.
The secure file transfer protocol refers to SFTP (Secure File Transfer Protocol), an encrypted protocol for transferring files securely over a network. The target cloud container image repository is the repository that stores the application images to be deployed.
Specifically, when the first signature verification result shows that the intermediate application image is a signed image, the intermediate application image is transmitted over the secure file transfer protocol to the corresponding cloud container image repository, namely the target cloud container image repository; when the target application image is deployed, it is pulled from the target cloud container image repository and deployed. The application image repository that stores the intermediate application image and the cloud container image repository to which it is transmitted may be in the same cloud environment; when they are not, the transmission is a cross-cloud transfer of the application image. The application image repository is the repository used to store application images after the digital signing operation. A cloud environment is an internet or big-data environment that provides computing power, storage or virtual machine services on demand to users or application systems from a dynamically virtualised resource pool.
Step S208, acquiring a target script, pulling, by the target cluster and based on the target script, a target application image from the target cloud container image repository, and performing signature verification on the target application image to obtain a second signature verification result.
The target script is an executable file containing the configuration commands for deploying the target application image. The target cluster is a Kubernetes cluster, that is, a group of nodes that run containerised applications, consisting of a master node and several worker nodes; the nodes may be physical computers or virtual machines. The master node is the source from which all tasks are distributed and controls the state of the cluster, such as which applications are running and which container images they use; a worker node is the component that runs an application, may be a virtual machine or a physical computer, and performs the tasks assigned by the master node. The target application image is the application image that needs to be deployed on a cloud server to provide services externally. The second signature verification result is the result of verifying, before the target application image is deployed, the party to which it belongs, so as to decide whether the application image may enter the deployment stage.
Specifically, a target script is written; according to the target script, the target cluster pulls the target application image configured in it from the target cloud image repository and performs signature verification on it, obtaining a judgement of whether the target application image is a signed image, which determines whether it is deployed to the corresponding cloud server.
Step S210, deploying the target application image to a target cloud server based on the second signature verification result.
The target cloud server is the cloud server to which the target application image belongs and on which it must be deployed; the cloud server can be chosen in a variety of ways rather than being fixed.
Specifically, when the target application image is a signed image, it is configured with the configuration parameters in the target script and then started according to the corresponding command line in the target script, so that it is deployed on the target cloud server and becomes the application corresponding to the target image, which can provide services externally, that is, can be accessed from outside. Fig. 3 shows the general flow of an application image instance from build to deployment, in which Alibaba Cloud ACR (Alibaba Cloud Container Registry) and Tencent Cloud TCR (Tencent Cloud Container Registry) are cloud-based platforms for the secure hosting and efficient distribution of container images, Helm charts and the like that conform to the OCI (Open Container Initiative) standard. A container image contains a packaged application, its dependencies and the process information it runs at start-up. The image is a read-only template and an independent file system that contains the data the container needs to run and can be used to create new containers; a container is a running instance created from an image, supports operations including start, stop and delete, is isolated from other containers, and runs a specific application together with its code and required dependency files. In fig. 3, continuous deployment means that, starting from an originally delivered application image, developers or operations staff periodically deploy a high-quality build of the application image to the production environment (that is, the cloud environment) in a self-service manner: when a developer submits a code change, an automatic deployment is triggered on the company's automatic deployment platform, which automatically packages and compiles the development code to generate an updated application image and then automatically deploys it to the corresponding cluster environment, so that the application corresponding to the updated application image can provide services externally, that is, can be accessed from outside.
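The build-side signing, the two verification gates and the deploy decision of steps S204 to S210, as an added example in Go that is not part of the application's text. It follows the orientation the description gives for a digital signature (the signer's private key produces the signature and the holder of the matching public key checks it), using Ed25519 and SHA-256 from the Go standard library in place of the public-key encryption of the digest that the claims describe. The image bytes, the in-memory map standing in for the target cloud container image repository and the key seed are all constructed for the example, and the SFTP transfer itself is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Image is a constructed stand-in for a container image: its content bytes
// (a real pipeline would hash the image manifest) plus the detached signature
// attached at build time, nil while the image is unsigned.
type Image struct {
	Name      string
	Content   []byte
	Signature []byte
}

// KeyPairFromSeed derives a deterministic Ed25519 key pair from a seed string.
// Constructed for the example so that runs are reproducible; a real signer
// generates its private key from a proper random source and keeps it offline.
func KeyPairFromSeed(seed string) (ed25519.PublicKey, ed25519.PrivateKey) {
	s := sha256.Sum256([]byte(seed))
	priv := ed25519.NewKeyFromSeed(s[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// Digest computes the digest information of the image: SHA-256 over its content.
func Digest(content []byte) []byte {
	sum := sha256.Sum256(content)
	return sum[:]
}

// Sign is the signing operation of step S202: digest the image, sign the digest
// with the signer's private key and attach the signature to the image.
func Sign(img *Image, priv ed25519.PrivateKey) {
	img.Signature = ed25519.Sign(priv, Digest(img.Content))
}

// Verify is the signature check used for both the first (S204) and the second
// (S208) verification: recompute the digest and check the attached signature
// against the signer's public key. Unsigned or modified images fail.
func Verify(img *Image, pub ed25519.PublicKey) bool {
	if len(img.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, Digest(img.Content), img.Signature)
}

// Transfer models step S206: only an image that passed the first verification
// is copied into the target cloud container image repository (a map here).
func Transfer(img *Image, pub ed25519.PublicKey, registry map[string]*Image) bool {
	if !Verify(img, pub) {
		return false
	}
	registry[img.Name] = &Image{
		Name:      img.Name,
		Content:   append([]byte(nil), img.Content...),
		Signature: append([]byte(nil), img.Signature...),
	}
	return true
}

// PullAndDeploy models steps S208 and S210: the cluster pulls the image named
// in the target script, runs the second verification and deploys only when it
// passes. It returns "deployed", "stopped" (verification failed) or "missing".
func PullAndDeploy(name string, registry map[string]*Image, pub ed25519.PublicKey) string {
	img, ok := registry[name]
	if !ok {
		return "missing"
	}
	if !Verify(img, pub) {
		return "stopped"
	}
	return "deployed"
}

func main() {
	pub, priv := KeyPairFromSeed("constructed demo seed")
	img := &Image{Name: "app:1.0", Content: []byte("constructed layer bytes")}
	Sign(img, priv)
	registry := map[string]*Image{}
	fmt.Println("first verification / transfer:", Transfer(img, pub, registry))
	fmt.Println("second verification / deploy:", PullAndDeploy("app:1.0", registry, pub))
	// Simulate tampering inside the registry; the second gate now stops deployment.
	registry["app:1.0"].Content = []byte("tampered layer bytes")
	fmt.Println("after tampering:", PullAndDeploy("app:1.0", registry, pub))
}
```

The second verification is what makes the cross-cloud transfer safe: anything changed between the application image repository and the target cluster, whether in transit or inside the target registry, changes the digest and the deployment is stopped rather than started.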
According to the cross-cloud container image deployment method, the cross-cloud container image deployment apparatus, the computer device and the storage medium, a target base image repository is acquired and a target base image is pulled from it; target business code is acquired, and an intermediate application image is built based on the target base image and the target business code; signature verification is performed on the intermediate application image to obtain a first signature verification result; the intermediate application image is transmitted to a target cloud container image repository based on the first signature verification result and a secure file transfer protocol; a target script is acquired, a target cluster pulls a target application image from the target cloud container image repository based on the target script, and signature verification is performed on the target application image to obtain a second signature verification result; and the target application image is deployed to a target cloud server based on the second signature verification result.
Because the target application image passes through multiple rounds of security scanning and signature verification on its way from build to deployment (pulling the target base image from the target base image repository, building the intermediate application image from it and the target business code, verifying its signature before transmission to the target cloud container image repository, pulling the target application image according to the target script, verifying its signature a second time, and deploying it to the target cloud server according to the second signature verification result and the target script), the security of the container image from the build stage to the deployment stage is improved.
In one embodiment, as shown in fig. 4, before step S200 the method further includes:
Step S400, acquiring an original base image.
An original base image is a base image downloaded from an official image repository, including but not limited to original Docker images such as centos, ubuntu and python. A Docker image is a special file system that, in addition to the programs, libraries, resources and configuration files the container runtime needs, contains configuration parameters prepared for the runtime (such as anonymous volumes, environment variables and users); it contains no dynamic data, and its contents do not change after the build.
Specifically, the base image downloaded from the official image repository, that is, the original base image, cannot be used directly to build the target application image; it must first undergo security baseline hardening and security scanning so that problems such as system vulnerabilities, application vulnerabilities, viruses and Trojans in the original base image are prevented.
Step S402, performing security baseline hardening on the original base image by means of an automatic hardening script to obtain a first base image.
The automatic hardening script is an executable file holding the security baseline hardening content, which consists mainly of system configuration including but not limited to password complexity and file permissions; the automatic hardening script takes the form of a Dockerfile. The first base image is the base image obtained after the original base image has undergone security baseline hardening.
Specifically, after the original base image is downloaded from the official image repository, the automatic hardening script is executed, completing the security baseline hardening of the original base image and producing the first base image. The hardening standard follows the international CIS (Center for Internet Security) standard, and executing the automatic hardening script automates the system configuration.
Step S404, pushing the first base image to the original base image repository for security scanning to obtain a security scanning result.
Security scanning checks whether the first base image contains high-risk issues such as system vulnerabilities, application vulnerabilities, viruses or trojans. The security scanning result is the high-risk information obtained by scanning the first base image.
Specifically, after the original base image has been hardened to obtain the first base image, the first base image is pushed to the security scanning component of the original base image repository for scanning. High-risk findings are raised as alerts to the operations staff, who then rectify and harden the first base image according to the alert. For example, when a scan finds a vulnerable low-version Tomcat middleware in the container, the operations staff upgrade Tomcat to a fixed version; when a scan finds a weak Tomcat password, they harden Tomcat and set a strong password.
Step S406, when the security scanning result indicates that a high-risk vulnerability exists, repeating the rebuild-and-rectify operation on the first base image until the rectified first base image no longer has a high-risk vulnerability, and taking the rectified first base image as the base image to be stored.
A high-risk vulnerability is a high-risk finding obtained by the security scan of the first base image. Rebuilding and rectifying means modifying or rebuilding the first base image according to the high-risk information of that finding. The base image to be stored is a base image without high-risk findings that will be stored in the original base image repository to obtain the target base image repository.
Specifically, after the first base image is scanned, if a high-risk vulnerability is found it is raised as an alert to the operations staff, who modify or rebuild the first base image according to the alert and scan the modified or rebuilt image again. This repeats until the modified or rebuilt base image no longer has a high-risk vulnerability; that image then becomes the base image to be stored.
Step S408, when the security scanning result indicates that no high-risk vulnerability exists, taking the first base image as the base image to be stored.
Specifically, after the first base image is scanned, if no medium- or high-risk findings are reported, the first base image is used directly as the base image to be stored, and it is subsequently stored in the original base image repository to obtain the target base image repository.
Step S410, adding the base image to be stored to the original base image repository, thereby building the target base image repository.
The target base image repository is the image repository holding the target base image used when the target application image is built.
Specifically, the base image to be stored may serve as the target base image of a target application image built later. Therefore, the corresponding original base image is downloaded from the official repository in advance and processed (security scanning, modification of the original base image, and so on) to obtain the base image to be stored that corresponds to the target application image, which is then stored in the target base image repository.
In this embodiment, the original base image is downloaded from the official repository and then hardened to the security baseline and security-scanned, so that system vulnerabilities, application vulnerabilities, viruses, trojans and similar problems in the original base image cannot interfere with the build of the target application image, and the security of that build is improved.
In one embodiment, as shown in fig. 5, step S202 includes:
Step S500, building a file compliance checking component, obtaining original service code, and performing security scanning on the original service code with the file compliance checking component to obtain a first security scanning result.
The file compliance checking component is a security scanning component that checks the compliance of the original service code; it can scan the original service code for security risks that would be carried into the application image build, and it is also the Dockerfile scanning component. The original service code is the product repository code pulled from GitLab. The first security scanning result is the result of the file compliance check performed on the original service code by the component.
During the build of the application image, the file compliance checking component checks the files in the original service code for compliance and reports the medium- and high-risk findings, and the operations or development staff modify the original service code based on them, reducing the harm those findings would do to the build of the target application image. The functions of the file compliance checking component are shown in fig. 6 (a), (b) and (c), and are not limited to those shown there. After the security scan in fig. 6, each finding is assigned one of four levels, ignore, info, warning and error, in decreasing order of compliance (ignore > info > warning > error). A file with error or warning findings is non-compliant. Info findings announce container security knowledge and are prompts to the developer, not mandatory requirements; ignore findings are hints that can be disregarded with little effect on the build of the target application image.
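The four-level scheme above reduces to one gate: error and warning block, info and ignore do not. The following Go program is an added example, not code from the patent or from any particular Dockerfile scanner; the one-finding-per-line report format and the DF00x rule IDs are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Level is one of the four result levels the file compliance checking
// component assigns to a finding, ordered from most to least compliant.
type Level int

const (
	Ignore Level = iota
	Info
	Warning
	Error
)

func (l Level) String() string {
	return [...]string{"ignore", "info", "warning", "error"}[l]
}

// ParseLevel maps the level text of a report line to a Level.
func ParseLevel(s string) (Level, error) {
	switch strings.ToLower(s) {
	case "ignore":
		return Ignore, nil
	case "info", "information":
		return Info, nil
	case "warning":
		return Warning, nil
	case "error":
		return Error, nil
	}
	return 0, fmt.Errorf("unknown compliance level %q", s)
}

// Finding is one line of the compliance report.
type Finding struct {
	File    string
	Line    int
	Rule    string
	Level   Level
	Message string
}

// ParseReport parses the constructed report format assumed for this example
// (not the component's real output):
//
//	<file>:<line> <RULE> <level>: <message>
func ParseReport(report string) ([]Finding, error) {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(report))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		head, msg, ok := strings.Cut(line, ": ")
		fields := strings.Fields(head) // [file:line, RULE, level]
		if !ok || len(fields) != 3 {
			return nil, fmt.Errorf("malformed report line %q", line)
		}
		file, lineNo, ok := strings.Cut(fields[0], ":")
		if !ok {
			return nil, fmt.Errorf("malformed location in %q", line)
		}
		n, err := strconv.Atoi(lineNo)
		if err != nil {
			return nil, fmt.Errorf("bad line number in %q: %w", line, err)
		}
		lvl, err := ParseLevel(fields[2])
		if err != nil {
			return nil, fmt.Errorf("%q: %w", line, err)
		}
		findings = append(findings, Finding{File: file, Line: n, Rule: fields[1], Level: lvl, Message: msg})
	}
	return findings, sc.Err()
}

// Gate applies the rule stated in the text: a file with error or warning
// findings is non-compliant; info and ignore findings are advisory only.
func Gate(findings []Finding) (compliant bool, blocking []Finding) {
	for _, f := range findings {
		if f.Level >= Warning {
			blocking = append(blocking, f)
		}
	}
	return len(blocking) == 0, blocking
}

// SampleReport is a constructed report for a Dockerfile in the service code;
// the rule IDs and messages are illustrative, not the component's real rules.
const SampleReport = `
Dockerfile:1 DF001 warning: base image tag "latest" is not pinned
Dockerfile:4 DF002 error: last USER instruction is root
Dockerfile:6 DF003 info: consecutive RUN instructions could be merged
Dockerfile:9 DF004 ignore: CMD could use JSON array notation
`

func main() {
	findings, err := ParseReport(SampleReport)
	if err != nil {
		panic(err)
	}
	compliant, blocking := Gate(findings)
	fmt.Printf("compliant: %v\n", compliant)
	for _, f := range blocking {
		fmt.Printf("  %s:%d %s %s: %s\n", f.File, f.Line, f.Rule, f.Level, f.Message)
	}
}
```

Unknown level names are rejected rather than treated as "ignore"; a scanner that adds a new level must fail the build loudly instead of silently passing it.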
Step S502, modifying the original service code for file compliance based on the first security scanning result to obtain target service code.
The target service code is the service code obtained after the original service code has been checked for file compliance and the operations or development staff have modified it based on the result of that check.
Specifically, the first security scanning result is the basis for judging whether the original service code carries a high-risk issue, that is, a security vulnerability, virus, trojan or similar. When the first security scanning result indicates that the original service code carries a security risk, a developer or operations engineer modifies the original service code to remove that risk, obtaining the target service code and thus improving the security of the code used to build the target application image.
Step S504, merging the target service code into the target base image to obtain a first application image.
The first application image is the application image built by packaging the compiled target service code into the target base image; put simply, target base image + target service code = first application image.
Specifically, building the first application image means packaging the compiled target service code into the target base image. While the first application image is built, it may be security-scanned by the Dockerfile script scanning component, that is, the file compliance checking component, to check whether the resulting first application image carries a security risk. If it does, the risk is raised as an alert to the operations or development staff, who modify the first application image according to the alert to obtain a rectified first application image.
Step S506, pushing the first application image to an application image repository for security scanning to obtain a second security scanning result.
The application image repository is the image repository storing application images. The second security scanning result is the information obtained by security-scanning the first application image after it has been pushed to the application image repository, indicating whether the first application image carries a security risk.
Specifically, to improve the security of the first application image, it is security-scanned to detect application vulnerabilities, viruses, trojans and similar problems, and the result of that scan, the second security scanning result, determines the next step taken with the first application image.
Step S508, when the second security scanning result indicates that a high-risk vulnerability exists, repeating the rebuild-and-rectify operation on the first application image until the rectified first application image no longer has a high-risk vulnerability, and taking the rectified first application image as the application image to be signed.
The application image to be signed is an application image on which the digital signature operation has not yet been performed; here it is the fully rectified first application image before signing.
Specifically, the second security scanning result determines whether the asymmetric-key digital signature may be applied to the first application image directly. When the second security scanning result shows that the first application image carries a high-risk vulnerability, that is, vulnerabilities or viruses of any kind, those findings are reported to the operations staff, who modify or rebuild the first application image according to them until the modified or rebuilt first application image no longer shows vulnerabilities, viruses or other seriously harmful risks.
Step S510, when the second security scanning result indicates that no high-risk vulnerability exists, taking the first application image as the application image to be signed.
The application image to be signed is an application image on which the digital signature operation has not yet been performed; here it is the first application image that carries no high-risk vulnerability, before signing.
Specifically, after the first application image is scanned, if the second security scanning result shows no seriously harmful vulnerability, virus or similar risk, the first application image is used directly as the application image to be signed, ready for the digital signature process.
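Steps S404 to S410 (base image) and S506 to S510 (application image) are the same control loop: scan, gate on severity, and rebuild until the gate passes. The Go program below is an added example of that loop, not code from the patent or from a specific scanner; the JSON report shape, the severity names and the sample findings (package names, versions and IDs) are constructed for the example. It adds the one thing a practitioner would want that the text leaves implicit: a bound on the number of rebuilds, so a finding with no available fix fails the pipeline instead of looping forever.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Vulnerability is one finding from the image repository's scanner. The JSON
// shape is an assumption for this example, not a particular scanner's format.
type Vulnerability struct {
	ID       string `json:"id"`
	Package  string `json:"package"`
	Version  string `json:"version"`
	Severity string `json:"severity"` // LOW, MEDIUM, HIGH or CRITICAL
	FixedIn  string `json:"fixed_in,omitempty"`
}

// ScanResult is the scanner's report for one image.
type ScanResult struct {
	Image           string          `json:"image"`
	Vulnerabilities []Vulnerability `json:"vulnerabilities"`
}

var severityRank = map[string]int{"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// VulnGate reports whether the image may proceed (be stored, or be signed) and
// returns the findings at or above threshold that must be rectified first.
// A finding with an unrecognised severity is an error, never a silent pass.
func VulnGate(r ScanResult, threshold string) (pass bool, blocking []Vulnerability, err error) {
	th, ok := severityRank[strings.ToUpper(threshold)]
	if !ok {
		return false, nil, fmt.Errorf("unknown threshold %q", threshold)
	}
	for _, v := range r.Vulnerabilities {
		rank, ok := severityRank[strings.ToUpper(v.Severity)]
		if !ok {
			return false, nil, fmt.Errorf("%s: finding %s has unknown severity %q", r.Image, v.ID, v.Severity)
		}
		if rank >= th {
			blocking = append(blocking, v)
		}
	}
	return len(blocking) == 0, blocking, nil
}

// RectifyUntilClean models S406/S408 and S508/S510: scan, and while the gate
// fails, rebuild and rescan. scan(round) returns the report of the image after
// `round` rebuilds (round 0 is the first scan). The loop is bounded by
// maxRebuilds so an unfixable finding cannot spin the pipeline forever.
func RectifyUntilClean(scan func(round int) (ScanResult, error), threshold string, maxRebuilds int) (rebuilds int, err error) {
	for round := 0; ; round++ {
		res, err := scan(round)
		if err != nil {
			return round, err
		}
		pass, blocking, err := VulnGate(res, threshold)
		if err != nil {
			return round, err
		}
		if pass {
			return round, nil // this image becomes the "to be stored" or "to be signed" image
		}
		if round >= maxRebuilds {
			return round, fmt.Errorf("%s: %d finding(s) at or above %s remain after %d rebuild(s), e.g. %s in %s %s",
				res.Image, len(blocking), strings.ToUpper(threshold), round, blocking[0].ID, blocking[0].Package, blocking[0].Version)
		}
		// Here the operations staff rebuild the image against `blocking`
		// (upgrade the package, fix the configuration); the next scan call
		// represents the rescan of that rectified image.
	}
}

// sampleReports are constructed scanner outputs for successive rebuilds of one
// application image: the first has a critical and a high finding, the second
// still has the high one, the third is clean at the HIGH threshold.
var sampleReports = []string{
	`{"image":"app:1.0-build1","vulnerabilities":[
	  {"id":"SAMPLE-001","package":"openssl","version":"0.0.1","severity":"CRITICAL","fixed_in":"0.0.2"},
	  {"id":"SAMPLE-002","package":"tomcat","version":"0.0.1","severity":"HIGH","fixed_in":"0.0.2"},
	  {"id":"SAMPLE-003","package":"zlib","version":"0.0.1","severity":"LOW"}]}`,
	`{"image":"app:1.0-build2","vulnerabilities":[
	  {"id":"SAMPLE-002","package":"tomcat","version":"0.0.1","severity":"HIGH","fixed_in":"0.0.2"},
	  {"id":"SAMPLE-004","package":"curl","version":"0.0.1","severity":"MEDIUM"}]}`,
	`{"image":"app:1.0-build3","vulnerabilities":[
	  {"id":"SAMPLE-003","package":"zlib","version":"0.0.1","severity":"LOW"}]}`,
}

// SampleScanner returns a scan function over sampleReports, clamping the
// round to the last report so extra rounds keep returning the final state.
func SampleScanner() func(round int) (ScanResult, error) {
	return func(round int) (ScanResult, error) {
		if round >= len(sampleReports) {
			round = len(sampleReports) - 1
		}
		var r ScanResult
		if err := json.Unmarshal([]byte(sampleReports[round]), &r); err != nil {
			return ScanResult{}, err
		}
		return r, nil
	}
}

func main() {
	rebuilds, err := RectifyUntilClean(SampleScanner(), "HIGH", 3)
	fmt.Printf("rebuilds needed: %d, err: %v\n", rebuilds, err)
	_, err = RectifyUntilClean(SampleScanner(), "HIGH", 1)
	fmt.Printf("with only one rebuild allowed: %v\n", err)
}
```

The threshold is a parameter because the text gates the base image on medium and high findings (step S408) but the application image on high findings only (step S510); the same loop serves both with "MEDIUM" or "HIGH".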
Step S512, signing the application image to be signed to obtain the intermediate application image.
The intermediate application image is the application image that has been digitally signed but has not yet been transmitted to the corresponding cloud container image repository and is still stored in the application image repository.
Specifically, every application image to be transmitted to the corresponding cloud server for deployment is digitally signed and later verified, so that the container environment risk is controlled at the source: tampering with the intermediate application image in transit is detected, and a 'mining trojan' cannot be slipped into the image during deployment. A 'mining trojan' is a program an attacker implants on a victim's computer by various means so that, without the victim's knowledge, the victim's computing resources are used to mine cryptocurrency; the trojan program itself is the 'mining trojan' malware.
In this embodiment, the original service code is checked for file compliance while the first application image is built, and the built first application image is security-scanned, so that security risks in the original service code cannot affect the build of the first application image, and its security is improved. In addition, the first application image is security-scanned and then digitally signed with an asymmetric key, removing further risks from the subsequent deployment of the target application image and improving the security of the later transmission of the intermediate application image and deployment of the target application image.
In one embodiment, as shown in fig. 7, step S512 includes:
Step S700, calculating the digest corresponding to the application image to be signed.
The digest is the value obtained by running a hash algorithm over the application image to be signed. A hash algorithm, also called a hashing or message digest algorithm, is a one-way cryptographic function: it maps input of any length to a fixed-length string and has three properties. The same input always produces the same digest; similar inputs produce unrelated digests, so any change to the image changes the digest completely; and there is no exploitable relation between input and output, so the input cannot be recovered from the digest, and the only way to find an input with a given digest is to keep trying inputs.
Specifically, during the digital signature process the digest of the application image to be signed is calculated with a hash algorithm, and that digest is the data used in the following steps.
Step S702, signing the digest with the signer's private key (the step's 'encrypting the digest') to obtain the encrypted digest corresponding to the application image to be signed, thereby completing the signature operation and obtaining the intermediate application image.
The private key is the key held only by the signer and never disclosed. The encrypted digest is the ciphertext obtained by signing the digest of the application image to be signed with the signer's private key. The intermediate application image is the application image obtained after the asymmetric-key digital signature process has been applied to the application image to be signed. The sender is the cloud environment where the application image to be signed resides; the receiver is the cloud environment to which the intermediate application image is transmitted.
Specifically, to secure the intermediate application image while it is transmitted to the corresponding cloud container image repository, the application image to be signed is first signed with the asymmetric key. Asymmetric cryptography uses a pair of keys, a public key and a private key: data encrypted with the public key can be decrypted only with the corresponding private key, and a signature produced with the private key can be checked only with the corresponding public key. A signature must therefore be produced with the signer's private key and verified with the signer's public key. Encrypting the digest with the receiver's public key, as an earlier wording of this step suggested, would give confidentiality rather than authenticity, because anyone holding that public key could produce such a ciphertext; the signature module of the apparatus (module 1014) accordingly signs with the private key.
In this embodiment, the application image to be signed is signed with the asymmetric key, which improves the security of the intermediate application image during its later transmission to the corresponding cloud container image repository: the signature identifies the party the image belongs to, attacks on the intermediate application image in transit are detected, and an unauthorized application image cannot be deployed in its place.
In one embodiment, as shown in fig. 8, step S204 includes:
Step S800, acquiring the encrypted digest corresponding to the intermediate application image.
The encrypted digest is the signed ciphertext sent from the original cloud environment of the intermediate application image and received by the verifier.
Specifically, the sender computes the digest of the intermediate application image in its original cloud environment with a hash algorithm, signs the digest with its private key to obtain the encrypted digest, and sends the encrypted digest together with the original message to the corresponding cloud environment. A message is a unit of data exchanged over the network, that is, the block of data a station sends at one time, containing the complete data to be sent; here the complete data is the content of the intermediate application image.
Step S802, calculating the digest corresponding to the intermediate application image.
This digest is computed by the receiver over the received original message with the same hash algorithm the sender used.
Specifically, the receiver must compute the digest of the received original message with the same hash algorithm as the sender; this digest is used in the following step to verify the signature of the intermediate application image.
Step S804, decrypting the encrypted digest corresponding to the intermediate application image with the signer's public key to obtain a decrypted digest.
The public key is the signer's key, disclosed externally and distributed to the receiver of the intermediate application image over a trusted channel in advance; only the signer holds the matching private key, which is why the receiver's own key pair plays no part in verification. The decrypted digest is the value the receiver obtains by opening the encrypted digest with that public key.
Specifically, the receiver opens the received encrypted digest with the signer's public key to obtain the decrypted digest, which provides the basis for the comparison in the next step.
Step S806, comparing the digest computed for the intermediate application image with the decrypted digest to obtain the first signature verification result.
The first signature verification result is the result of the asymmetric-key signature verification performed after the intermediate application image is pulled from the application image repository; it establishes that the pulled application image is the one that was signed and is to be transmitted and deployed. The two digests match only if the image content is unchanged and the encrypted digest was produced by the holder of the private key.
In this embodiment, the asymmetric-key signature verification (the signature check) on the intermediate application image ensures that the intermediate application image to be transmitted is the application image intended for deployment, so that impersonation, tampering and similar problems during its later transmission are detected, the integrity of the intermediate application image is protected, and its security is improved.
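The sign side (fig. 7, steps S700 and S702), the verify side (fig. 8, steps S800 to S806) and the deploy-or-stop decision of steps S900 and S902 together form one exchange. The Go program below is an added example of that exchange, not code from the patent; it uses Ed25519 from the Go standard library as the asymmetric algorithm (the patent names none), hashes constructed image bytes in place of a real image tarball, and assumes the verifier already holds the signer's public key. It shows the key roles correctly: the private key signs, the public key verifies, and a tampered image, a re-hashed but unsigned image, a missing signature and a signature under another key are all rejected.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Signature is what travels alongside the image: the digest the signer
// computed (S700) and the signature over that digest (S702).
type Signature struct {
	Digest []byte // SHA-256 of the image content
	Sig    []byte // signature over Digest, made with the signer's private key
}

// NewSigningKey generates the signer's key pair. The private key stays in the
// build environment; only the public key is distributed to the verifiers.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// ImageDigest computes the digest of the image content. The input here is the
// raw bytes of a constructed image; a real pipeline hashes the manifest or tarball.
func ImageDigest(image []byte) []byte {
	sum := sha256.Sum256(image)
	return sum[:]
}

// SignImage is the sender side (S700, S702): hash, then sign the digest with
// the PRIVATE key.
func SignImage(priv ed25519.PrivateKey, image []byte) Signature {
	d := ImageDigest(image)
	return Signature{Digest: d, Sig: ed25519.Sign(priv, d)}
}

// VerifyImage is the receiver side (S800 to S806): recompute the digest from
// the received bytes, compare it with the transmitted digest, and check the
// signature with the signer's PUBLIC key. Either failure rejects the image.
func VerifyImage(pub ed25519.PublicKey, image []byte, s Signature) error {
	d := ImageDigest(image)
	if !bytes.Equal(d, s.Digest) {
		return errors.New("digest mismatch: image content differs from what was signed")
	}
	if !ed25519.Verify(pub, d, s.Sig) {
		return errors.New("signature invalid: not produced by the trusted private key")
	}
	return nil
}

// DeployAllowed is the S900/S902 decision: deploy only an image that verifies.
func DeployAllowed(pub ed25519.PublicKey, image []byte, s Signature) bool {
	return VerifyImage(pub, image, s) == nil
}

func main() {
	pub, priv, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	image := []byte("constructed application image bytes, build 1") // stands in for the image tarball
	s := SignImage(priv, image)
	fmt.Println("digest:", hex.EncodeToString(s.Digest))
	fmt.Println("genuine image:", VerifyImage(pub, image, s))

	tampered := append([]byte{}, image...)
	tampered[0] ^= 0x01 // one bit flipped in transit
	fmt.Println("tampered image:", VerifyImage(pub, tampered, s))

	otherPub, _, _ := NewSigningKey() // an attacker's key pair
	fmt.Println("wrong public key:", VerifyImage(otherPub, image, s))
	fmt.Println("deploy tampered image?", DeployAllowed(pub, tampered, s))
}
```

The digest comparison in VerifyImage is the S806 step; the signature check alone would already catch every case above, but keeping the explicit comparison makes the "content changed" and "wrong signer" failures distinguishable in logs. The public key must reach the verifying cluster over a channel the attacker cannot write to (for example, baked into the target script's trust store), otherwise an attacker who can replace the image can replace the key as well.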
In one embodiment, as shown in fig. 9, step S210 includes:
Step S900, when the second signature verification result is that the target application image is a signed application image, starting the target application image based on the target script and completing its deployment on the target cloud server.
A signed application image is a target application image whose asymmetric-key signature has been verified.
Specifically, after the target application image is pulled from the target cloud container image repository, the image signature check is performed on it to ensure that the application image to be deployed is an authorized one. When the target application image is the corresponding signed application image, the deployment commands in the prepared target script are executed, starting the target application image and completing its deployment on the target cloud server. In addition, whenever a new application version is to be released, the developer or operations engineer deploys a verified build to the corresponding production environment in a regular, self-service manner on the basis of the original delivery of the application image: each change committed by the developer triggers one automated deployment on the company's automated deployment platform corresponding to the intermediate application image. The platform packages and compiles the development code into a new application image and deploys the newly generated image to the corresponding cluster environment and target cloud server, so that the application corresponding to the new image becomes externally accessible, achieving continuous deployment of the application image.
Step S902, when the second signature verification result is that the target application image is an unsigned application image, stopping the deployment of the target application image to the target cloud server.
An unsigned application image is a target application image that is not a signed application image: it carries no asymmetric-key signature, or its signature does not verify.
Specifically, if the target application image pulled from the target cloud container image repository is an unsigned image, the subsequent operation of deploying the target application image to the target cloud server is not performed.
In this embodiment, the target application image is signature-checked and then deployed on the target server according to the result, so that the application service is delivered to users and the application corresponding to the target application image is externally accessible, while mining trojans and similar problems cannot affect the deployment of the target application image; the security of the container image deployment process is thus effectively improved.
In one embodiment, an original base image is downloaded from an official image repository, hardened to the security baseline with an automated hardening script to obtain a first base image, security-scanned, and, once it passes the scan, stored in an Aliyun base image repository. When a company needs to deploy a production application, the product repository code, that is, the original service code of the application, is pulled from GitLab, the target base image is pulled from the Aliyun base image repository, the file compliance checking component security-scans the original code to obtain the target service code, and the target service code is packaged into the target base image to build the first application image. While the first application image is built, the file compliance component also security-scans it so that risks in the first application image are found and cleared in time. The first application image is then signed with the asymmetric key to obtain the intermediate application image, which is stored in an Aliyun application image repository. The signed target application image pulled from the Aliyun application image repository is transmitted over the secure file transfer protocol (SFTP) to the Aliyun container image repository or the Tencent Cloud container image repository; when it is to be deployed, the signed target application image is pulled from that repository and deployed to an Aliyun server or a Tencent Cloud server by the commands of the target script. Throughout the process from building the target application image to deploying it, the repeated security scans and signature verifications effectively prevent system vulnerabilities, application vulnerabilities, trojans and viruses, tampering and similar problems from affecting the build and deployment of the target application image, so that the security of the link from build to deployment is greatly improved.
Based on the same inventive concept, an embodiment of this application also provides a cross-cloud container image deployment apparatus for implementing the cross-cloud container image deployment method above. The solution the apparatus provides is similar to the one described for the method, so for the specific limitations of the one or more embodiments of the cross-cloud container image deployment apparatus given below, refer to the limitations on the cross-cloud container image deployment method above; they are not repeated here.
In one embodiment, as shown in fig. 10, a cross-cloud container image deployment apparatus is provided, comprising a target base image acquisition module 1000, an intermediate application image generation module 1002, a first signature verification result determination module 1004, an intermediate application image transmission module 1006, a second signature verification result determination module 1008 and a target application image deployment module 1010, wherein:
the target base image acquisition module 1000 is configured to acquire a target base image repository and pull a target base image from it;
the intermediate application image generation module 1002 is configured to acquire target service code and build an intermediate application image from the target base image and the target service code;
the first signature verification result determination module 1004 is configured to perform signature verification on the intermediate application image to obtain a first signature verification result;
the intermediate application image transmission module 1006 is configured to transmit the intermediate application image to a target cloud container image repository based on the first signature verification result and a secure file transfer protocol;
the second signature verification result determination module 1008 is configured to acquire a target script, have the target cluster pull a target application image from the target cloud container image repository based on that script, and perform signature verification on the target application image to obtain a second signature verification result;
and the target application image deployment module 1010 is configured to deploy the target application image to a target cloud server based on the second signature verification result.
In one embodiment, the cross-cloud container mirror deployment apparatus further comprises a target base mirror repository generating module 1012, configured to obtain an original base mirror; carrying out security baseline reinforcement on the original basic mirror image through an automatic reinforcement script to obtain a first basic mirror image; pushing the first basic mirror image to an original basic mirror image warehouse for security scanning to obtain a security scanning result; when the security scanning result indicates that high-risk vulnerability risks exist, repeating the operation of reconstructing and modifying the first basic mirror image until the first basic mirror image obtained by modification no longer has the high-risk vulnerability risks, and taking the first basic mirror image obtained by modification as a basic mirror image to be stored; when the security scanning result indicates that no high-risk vulnerability risk exists, taking the first basic mirror image as a basic mirror image to be stored; and adding the basic mirror image to be stored into an original basic mirror image warehouse, and constructing and generating the target basic mirror image warehouse.
In one embodiment, the intermediate application image generation module 1002 is further configured to construct a file compliance check component, obtain an original service code, and perform security scanning on the original service code based on the file compliance check component to obtain a first security scanning result; perform file compliance modification on the original service code based on the first security scanning result to obtain a target service code; build the target service code into the target base image to obtain a first application image; push the first application image to an application image repository for security scanning to obtain a second security scanning result; when the second security scanning result indicates that a high-risk vulnerability exists, repeat the operation of rebuilding and remediating the first application image until the remediated first application image no longer has a high-risk vulnerability, and take the remediated first application image as the application image to be signed; when the second security scanning result indicates that no high-risk vulnerability exists, take the first application image as the application image to be signed; and perform a signature operation on the application image to be signed to obtain the intermediate application image.
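The build-scan-rebuild loop that modules 1012 and 1002 both describe is shown below as an added worked example; it is not code from the specification. It assumes a hypothetical scanner report shape (`Vulnerability`, `Report`) and hypothetical `Builder`/`Scanner` hooks, and the image references and finding IDs in `sampleReports` are constructed placeholders, not real identifiers. Beyond what the text states, it adds the two stops a practitioner needs: the loop is bounded by `maxIter`, and a HIGH/CRITICAL finding with no published fix ends the loop at once, because rebuilding cannot clear it and a human exception decision is required.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Vulnerability is one scanner finding. The JSON shape is an assumption made
// for this example and is not the output format of any particular scanner.
type Vulnerability struct {
	ID       string `json:"id"`
	Severity string `json:"severity"` // LOW, MEDIUM, HIGH or CRITICAL
	Package  string `json:"package"`
	FixedIn  string `json:"fixed_in"` // empty when no fixed version is published
}

// Report is the scan result for one image reference.
type Report struct {
	Image           string          `json:"image"`
	Vulnerabilities []Vulnerability `json:"vulnerabilities"`
}

// Builder yields the image reference for build iteration n (1-based); Scanner
// returns the report for a reference. Both are hypothetical hooks that a real
// pipeline would back with its build system and registry scanner.
type Builder func(n int) (string, error)
type Scanner func(ref string) (Report, error)

var (
	ErrMaxIterations = errors.New("high-risk findings remain after the maximum number of rebuilds")
	ErrUnfixable     = errors.New("high-risk finding has no fixed version, a rebuild cannot clear it")
)

// HighRisk returns the findings that block promotion (HIGH or CRITICAL).
func HighRisk(r Report) []Vulnerability {
	var out []Vulnerability
	for _, v := range r.Vulnerabilities {
		if v.Severity == "HIGH" || v.Severity == "CRITICAL" {
			out = append(out, v)
		}
	}
	return out
}

// Gate is the build/scan/rebuild loop: it returns the first image reference
// whose report carries no HIGH/CRITICAL finding. It stops early when a blocking
// finding has no published fix and is bounded by maxIter so it cannot spin forever.
func Gate(build Builder, scan Scanner, maxIter int) (string, Report, error) {
	for n := 1; n <= maxIter; n++ {
		ref, err := build(n)
		if err != nil {
			return "", Report{}, err
		}
		rep, err := scan(ref)
		if err != nil {
			return "", Report{}, err
		}
		blocking := HighRisk(rep)
		if len(blocking) == 0 {
			return ref, rep, nil // this is the image to be stored / to be signed
		}
		for _, v := range blocking {
			if v.FixedIn == "" {
				return "", rep, fmt.Errorf("%w: %s in %s", ErrUnfixable, v.ID, v.Package)
			}
		}
	}
	return "", Report{}, ErrMaxIterations
}

// sampleReports are constructed scanner outputs keyed by image reference:
// build 1 carries a CRITICAL finding with a fix, build 2 only a LOW one.
// The finding IDs are placeholders, not real vulnerability identifiers.
var sampleReports = map[string]string{
	"registry.example/base:build-1": `{"image":"registry.example/base:build-1","vulnerabilities":[
	  {"id":"EXAMPLE-0001","severity":"CRITICAL","package":"libssl","fixed_in":"3.0.12"},
	  {"id":"EXAMPLE-0002","severity":"LOW","package":"tar","fixed_in":""}]}`,
	"registry.example/base:build-2": `{"image":"registry.example/base:build-2","vulnerabilities":[
	  {"id":"EXAMPLE-0002","severity":"LOW","package":"tar","fixed_in":""}]}`,
}

// DemoBuilder and DemoScanner stand in for the real build and scan steps.
func DemoBuilder(n int) (string, error) {
	return fmt.Sprintf("registry.example/base:build-%d", n), nil
}

func DemoScanner(ref string) (Report, error) {
	raw, ok := sampleReports[ref]
	if !ok {
		return Report{}, fmt.Errorf("no scan result for %s", ref)
	}
	var r Report
	err := json.Unmarshal([]byte(raw), &r)
	return r, err
}
```

With the constructed reports, `Gate(DemoBuilder, DemoScanner, 3)` rejects build 1 and promotes `registry.example/base:build-2`; a scanner that keeps reporting a fixable HIGH finding exhausts `maxIter` and returns `ErrMaxIterations`, while an unfixable one returns `ErrUnfixable` on the first pass. The same gate applies unchanged to the application image in module 1002; only the builder and the repository differ.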
In one embodiment, the cross-cloud container image deployment apparatus further includes an intermediate application image signature module 1014, configured to calculate digest information corresponding to the application image to be signed; and to encrypt the digest information with the private key corresponding to the application image to be signed, obtaining an encrypted digest corresponding to the application image to be signed, thereby completing the signature operation on the application image to be signed and obtaining the intermediate application image.
In one embodiment, the first signature verification result determining module 1004 is further configured to obtain the encrypted digest corresponding to the intermediate application image; calculate digest information corresponding to the intermediate application image; decrypt the encrypted digest corresponding to the intermediate application image with the public key of the intermediate application image to obtain a decrypted digest; and compare the digest information corresponding to the intermediate application image with the decrypted digest to obtain the first signature verification result.
In one embodiment, the target application image deployment module 1010 is further configured to start the target application image based on the target script when the second signature verification result indicates that the target application image is a signed application image (its signature verifies), completing deployment of the target application image on the target cloud server; and to stop deploying the target application image to the target cloud server when the second signature verification result indicates that the target application image is an unsigned application image (no signature is present or the signature does not verify).
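The signature module 1014, the verification module 1004 and the deployment decision of module 1010 are shown together below as an added worked example; it is not code from the specification and the `ImageSignature` envelope, the function names and `sampleManifest` are assumptions made for the example. The text describes the signature as "encrypting the digest with the private key" and verification as "decrypting with the public key and comparing digests"; RSA PKCS#1 v1.5 signing over a SHA-256 digest (`rsa.SignPKCS1v15` / `rsa.VerifyPKCS1v15` from the Go standard library) is that construction, with the decrypt-and-compare step performed inside the verify call. Two points the passage does not spell out are made explicit: what is signed is the digest of the manifest bytes actually in hand (a tag can be repointed after signing), and the verifier uses the public key it already trusts, never a key shipped alongside the image.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// ImageSignature is the "encrypted digest" of the text: the hex SHA-256 of the
// signed manifest plus the RSA signature over that digest. The envelope is a
// hypothetical one for this example, not any registry's signature format.
type ImageSignature struct {
	Digest    string
	Signature []byte
}

// DigestManifest computes the content digest of an image manifest. Signing the
// manifest digest rather than a tag binds the signature to immutable content.
func DigestManifest(manifest []byte) [32]byte {
	return sha256.Sum256(manifest)
}

// SignImage is the signing module: hash the manifest, then sign the hash with
// the publisher's private key. RSA PKCS#1 v1.5 is the "encrypt the digest with
// the private key" construction the text describes.
func SignImage(priv *rsa.PrivateKey, manifest []byte) (ImageSignature, error) {
	d := DigestManifest(manifest)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	if err != nil {
		return ImageSignature{}, err
	}
	return ImageSignature{Digest: hex.EncodeToString(d[:]), Signature: sig}, nil
}

// VerifyImage is the verification module, run both before transfer and after
// the cluster pulls: recompute the digest of the manifest actually in hand and
// check the signature with the public key the verifier already trusts (never a
// key shipped next to the image). VerifyPKCS1v15 performs the "decrypt with the
// public key and compare digests" step internally.
func VerifyImage(pub *rsa.PublicKey, manifest []byte, s ImageSignature) error {
	d := DigestManifest(manifest)
	if hex.EncodeToString(d[:]) != s.Digest {
		return errors.New("manifest digest does not match the signed digest")
	}
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], s.Signature); err != nil {
		return fmt.Errorf("signature invalid: %w", err)
	}
	return nil
}

// Deployable is the deployment module's decision: start the image only when
// its signature verifies; otherwise stop the deployment.
func Deployable(pub *rsa.PublicKey, manifest []byte, s ImageSignature) bool {
	return VerifyImage(pub, manifest, s) == nil
}

// sampleManifest is a constructed stand-in for an OCI image manifest.
var sampleManifest = []byte(`{"schemaVersion":2,"config":{"digest":"sha256:0000"},"layers":[]}`)

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	sig, err := SignImage(priv, sampleManifest)
	if err != nil {
		panic(err)
	}
	fmt.Println("untampered deployable:", Deployable(&priv.PublicKey, sampleManifest, sig))
	tampered := append([]byte{}, sampleManifest...)
	tampered[0] = ' ' // alter one byte of the pulled manifest
	fmt.Println("tampered deployable:", Deployable(&priv.PublicKey, tampered, sig))
}
```

A manifest altered in transit, or one signed under a different key than the one the cluster trusts, fails `VerifyImage` and is therefore not `Deployable`; a tag that merely points at a different manifest fails for the same reason, because the digest recomputed at pull time no longer matches the signed one.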
The modules in the cross-cloud container image deployment apparatus may be implemented in whole or in part by software, hardware, or a combination thereof. The modules may be embedded in hardware form in, or independent of, a processor of the computer device, or may be stored in software form in a memory of the computer device so that the processor can call and execute the operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a server, and its internal structure may be as shown in fig. 11. The computer device includes a processor, a memory, an input/output interface (I/O for short), and a communication interface. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface is connected to the system bus through the input/output interface. The processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of the operating system and the computer program in the non-volatile storage medium. The database of the computer device is used for storing the resource data required in the process of deploying the application image. The input/output interface of the computer device is used for exchanging information between the processor and an external device. The communication interface of the computer device is used for connecting and communicating with an external terminal through a network. The computer program, when executed by the processor, implements a cross-cloud container image deployment method.
In one embodiment, a computer device is provided, which may be a terminal, and its internal structure may be as shown in fig. 12. The computer device includes a processor, a memory, an input/output interface, a communication interface, a display unit, and an input device. The processor, the memory and the input/output interface are connected by a system bus, and the communication interface, the display unit and the input device are connected to the system bus by the input/output interface. The processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and the computer program in the non-volatile storage medium. The input/output interface of the computer device is used for exchanging information between the processor and an external device. The communication interface of the computer device is used for wired or wireless communication with an external terminal; the wireless communication can be realized through WIFI, a mobile cellular network, NFC (near field communication) or other technologies. The computer program, when executed by the processor, implements a cross-cloud container image deployment method. The display unit of the computer device is used for forming a visually perceptible picture, and may be a display screen, a projection device or a virtual reality imaging device. The display screen may be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer device may be a touch layer covering the display screen, a key, a trackball or a touchpad arranged on the housing of the computer device, or an external keyboard, touchpad or mouse.
Those skilled in the art will appreciate that the configurations shown in fig. 11 and 12 are merely block diagrams of the portions of the configurations related to aspects of the present application, and do not constitute limitations on the computing devices to which aspects of the present application may be applied, as a particular computing device may include more or fewer components than shown, combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is further provided, which includes a memory and a processor, the memory stores a computer program, and the processor implements the steps of the above method embodiments when executing the computer program.
In an embodiment, a computer-readable storage medium is provided, in which a computer program is stored which, when being executed by a processor, carries out the steps of the above-mentioned method embodiments.
In one embodiment, a computer program product or computer program is provided that includes computer instructions stored in a computer readable storage medium. The computer instructions are read by a processor of a computer device from a computer-readable storage medium, and the computer instructions are executed by the processor to cause the computer device to perform the steps in the above-mentioned method embodiments.
It should be noted that, the user information (including but not limited to user equipment information, user personal information, etc.) and data (including but not limited to data for analysis, stored data, displayed data, etc.) referred to in the present application are information and data authorized by the user or sufficiently authorized by each party, and the collection, use and processing of the related data need to comply with the relevant laws and regulations and standards of the relevant country and region.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program instructing the relevant hardware; the computer program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, database, or other medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. The non-volatile memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, Resistive Random Access Memory (ReRAM), Magnetic Random Access Memory (MRAM), Ferroelectric Random Access Memory (FRAM), Phase Change Memory (PCM), graphene memory, and the like. Volatile memory can include Random Access Memory (RAM), external cache memory, and the like. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM). The databases referred to in the various embodiments provided herein may include at least one of relational and non-relational databases. A non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processors referred to in the various embodiments provided herein may be, without limitation, general-purpose processors, central processing units, graphics processors, digital signal processors, programmable logic devices, quantum-computing-based data processing logic devices, or the like.
All possible combinations of the technical features in the above embodiments may not be described for the sake of brevity, but should be considered as being within the scope of the present disclosure as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the present application. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present application should be subject to the appended claims.