CN116483509A - Operation method of operation and maintenance container, computing device and readable storage medium - Google Patents


Info

Publication number
CN116483509A
Authority
CN
China
Prior art keywords
maintenance container
container
key
maintenance
operating system
Prior art date
Legal status
Pending
Application number
CN202310216665.5A
Other languages
Chinese (zh)
Inventor
马威
王磊
万慧
覃芝锛
陈瑶
Current Assignee
Uniontech Software Technology Co Ltd
Original Assignee
Uniontech Software Technology Co Ltd
Application filed by Uniontech Software Technology Co Ltd
Priority to CN202310216665.5A
Publication of CN116483509A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45587 Isolation or security of virtual machine instances
    • G06F2009/45595 Network integration; Enabling network access in virtual machine instances

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses an operation method of an operation and maintenance container, a computing device and a readable storage medium. The method is executed in an operating system that is installed from an operating system installation image, and comprises the following steps: installing the operation and maintenance container from an operation and maintenance container image encapsulated in the operating system installation image; running the operation and maintenance container so as to set a key in the operation and maintenance container; and logging in to the operation and maintenance container through the secure shell protocol using the key. According to the technical scheme, after the operating system is installed, the operation and maintenance container can be run in a scenario without a network, without additionally downloading the container image, and at the same time security is improved by logging in to the operation and maintenance container with the key.

Description

Operation method of operation and maintenance container, computing device and readable storage medium
Technical Field
The present invention relates to the field of computer technologies, and in particular, to an operation method of an operation and maintenance container, a computing device, and a readable storage medium.
Background
The lightweight server operating system is an operating system distribution customized for container scenarios, represented by RHOS/FCOS. It is a read-only operating system, and when tool packages need to be installed to analyze faults of the operating system, an operation and maintenance container has to be used.
In the existing scheme, management of the operation and maintenance container in the lightweight server operating system is mainly realized through the Toolbox tool, where Toolbox is a tool script commonly used in the industry for managing operation and maintenance containers. The operation and maintenance container is not run by default; when it is needed, the Toolbox tool is used to download the container image and run it, and the operation and maintenance container is then entered. However, this existing solution requires the operating system to open a Secure Shell protocol (SSH) service and requires the operation and maintenance container to be downloaded from a remote end, which has the following drawbacks: 1. the operating system opens the SSH service, with possible security risks such as the risk of SSH password login; 2. an additional container image needs to be downloaded, which cannot be downloaded or run in a network-isolated scenario, so the operation and maintenance cost is increased.
For this reason, there is a need for an operation scheme for an operation and maintenance container that solves the problems of the prior art scheme.
Disclosure of Invention
To this end, the present invention provides a method of operating an operation and maintenance container, a computing device and a readable storage medium to solve or at least alleviate the above-presented problems.
According to a first aspect of the present invention, there is provided a method of operating an operation and maintenance container, which is executed in an operating system, the operating system being installed from an operating system installation image, the method comprising: installing the operation and maintenance container from an operation and maintenance container image encapsulated in the operating system installation image; running the operation and maintenance container so as to set a key in the operation and maintenance container; and logging in to the operation and maintenance container through the secure shell protocol using the key.
Optionally, in the operation method of the operation and maintenance container according to the present invention, running the operation and maintenance container further includes: enabling privileged mode and mapping a predetermined port of the operating system into the operation and maintenance container, so that a received request is forwarded to the operation and maintenance container through the predetermined port.
Optionally, in the operation method of the operation and maintenance container according to the present invention, setting a key in the operation and maintenance container includes: generating a public-private key pair in the operation and maintenance container.
Optionally, in the operation method of the operation and maintenance container according to the present invention, the public-private key pair is generated by the ssh-keygen command.
Optionally, in the operation method of the operation and maintenance container according to the present invention, setting a key in the operation and maintenance container includes: setting a public key in the operation and maintenance container.
Optionally, in the operation method of the operation and maintenance container according to the present invention, the public key is obtained from an ign (Ignition) configuration file.
Optionally, in the operation method of the operation and maintenance container according to the present invention, a secure shell protocol software package is further encapsulated in the operation and maintenance container image, and the configuration file of the secure shell protocol software package includes a setting that disables authentication by password.
Optionally, in the operation method of the operation and maintenance container according to the present invention, the configuration file of the secure shell protocol software package further includes a setting that enables authentication by public key and a setting that enables authentication by RSA.
Optionally, in the operation method of the operation and maintenance container according to the present invention, the configuration file of the secure shell protocol software package further includes the storage location of the authentication key file.
Optionally, in the operation method of the operation and maintenance container according to the present invention, running the operation and maintenance container further includes: storing the public key of the key pair in the storage location of the authentication key file; and logging in to the operation and maintenance container using the key includes: obtaining the public key from the storage location of the authentication key file in order to log in to the operation and maintenance container.
Optionally, in the operation method of the operation and maintenance container according to the present invention, the predetermined port is the port 22.
According to a second aspect of the present invention there is provided a computing device comprising: at least one processor; a memory storing program instructions, wherein the program instructions are configured to be executed by the at least one processor, the program instructions comprising instructions for performing the method as described above.
According to a third aspect of the present invention there is provided a readable storage medium storing program instructions which, when read and executed by a computing device, cause the computing device to perform the method as described above.
According to the technical scheme of the invention, the operation and maintenance container image is packaged in the operating system installation image, and the operation and maintenance container installed from it is integrated into the operating system, so that after the operating system is installed the operation and maintenance container can be run in a scenario without a network, without additionally downloading the container image. Login through the secure shell protocol uses the key set in the operation and maintenance container, so the risk of a password being cracked through password login is avoided and security is improved.
Further, when the operation and maintenance container needs to be logged in to, the connection request is forwarded to the operation and maintenance container rather than connecting to the operating system itself. Because the SSH connection terminates in the operation and maintenance container and not directly in the operating system, the operating system is protected to a certain extent and its security is improved.
The foregoing description is only an overview of the present invention, and is intended to be implemented in accordance with the teachings of the present invention in order that the same may be more clearly understood and to make the same and other objects, features and advantages of the present invention more readily apparent.
Drawings
To the accomplishment of the foregoing and related ends, certain illustrative aspects are described herein in connection with the following description and the annexed drawings, which set forth the various ways in which the principles disclosed herein may be practiced, and all aspects and equivalents thereof are intended to fall within the scope of the claimed subject matter. The above, as well as additional objects, features, and advantages of the present disclosure will become more apparent from the following detailed description when read in conjunction with the accompanying drawings. Like reference numerals generally refer to like parts or elements throughout the present disclosure.
FIG. 1 is a schematic flow diagram of prior art operation and maintenance container management;
FIG. 2 illustrates a block diagram of the physical components (i.e., hardware) of a computing device 200;
FIG. 3 illustrates a flow chart of a method 300 of operating an operation and maintenance container according to one embodiment of the invention;
FIG. 4 illustrates a flow diagram for generating an operating system installation image according to one embodiment of the invention;
FIG. 5 illustrates a schematic diagram of setting keys in an operation and maintenance container according to one embodiment of the present invention;
FIG. 6 shows a schematic diagram of setting keys in an operation and maintenance container according to another embodiment of the present invention;
FIG. 7 illustrates a schematic diagram of logging onto an operation and maintenance container using a key through a secure shell protocol, according to one embodiment of the invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
In the existing scheme, management of the operation and maintenance container in the lightweight server operating system is mainly realized through the Toolbox tool, where Toolbox is a tool script commonly used in the industry for managing operation and maintenance containers. The operation and maintenance container is not run by default; when it is needed, the Toolbox tool is used to download the container image and run it, and the operation and maintenance container is then entered. Fig. 1 shows a schematic flow diagram of prior art operation and maintenance container management. As shown in fig. 1, after logging in to the operating system through an SSH password, the user uses the Toolbox tool to download the container image from the container image repository; after the download succeeds, the user runs the operation and maintenance container with Toolbox, enters it to perform operations such as troubleshooting of the operating system, and after the work is finished exits the operation and maintenance container and the SSH login. However, this existing solution requires the operating system to open the SSH service and requires the operation and maintenance container to be downloaded from a remote end, which has the following drawbacks: 1. the operating system opens the SSH service, with possible security risks such as the risk of SSH password login; 2. an additional container image needs to be downloaded, which cannot be downloaded or run in a network-isolated scenario, so the operation and maintenance cost is increased. The invention provides an operation method of an operation and maintenance container to solve the problems in the prior art; the technical scheme of the invention is described below.
Fig. 2 illustrates a block diagram of the physical components (i.e., hardware) of a computing device 200. In a basic configuration, computing device 200 includes at least one processing unit 202 and system memory 204. According to one aspect, the processing unit 202 may be implemented as a processor, depending on the configuration and type of computing device. The system memory 204 includes, but is not limited to, volatile storage (e.g., random access memory), non-volatile storage (e.g., read only memory), flash memory, or any combination of such memories. According to one aspect, the system memory 204 includes an operating system 205 and program modules 206, with the operating system 205 including instructions 220 for performing the methods of operation of the operation and maintenance container of the present invention.
According to one aspect, operating system 205 is suitable for controlling the operation of computing device 200, for example. Further, examples are practiced in connection with a graphics library, other operating systems, or any other application program and are not limited to any particular application or system. This basic configuration is illustrated in fig. 2 by those components within dashed line 208. According to one aspect, computing device 200 has additional features or functionality. For example, according to one aspect, computing device 200 includes additional data storage devices (removable and/or non-removable) such as, for example, magnetic disks, optical disks, or tape. Such additional storage is illustrated in fig. 2 by removable storage device 209 and non-removable storage device 210.
As set forth hereinabove, according to one aspect, program modules 206 are stored in the system memory 204. According to one aspect, program modules 206 may include one or more applications, the invention is not limited in the type of application, for example, the application may include: email and contacts applications, word processing applications, spreadsheet applications, database applications, slide show applications, drawing or computer-aided application, web browser applications, etc.
According to one aspect, the examples may be practiced in a circuit comprising discrete electronic components, a packaged or integrated electronic chip containing logic gates, a circuit utilizing a microprocessor, or on a single chip containing electronic components or a microprocessor. For example, examples may be practiced via a system on a chip (SOC) in which each or many of the components shown in fig. 2 may be integrated on a single integrated circuit. According to one aspect, such SOC devices may include one or more processing units, graphics units, communication units, system virtualization units, and various application functions, all of which are integrated (or "burned") onto a chip substrate as a single integrated circuit. When operating via an SOC, the functionality described herein may be operated via dedicated logic integrated with other components of computing device 200 on a single integrated circuit (chip). Embodiments of the invention may also be practiced using other techniques capable of performing logical operations (e.g., AND, OR, and NOT), including but not limited to mechanical, optical, fluidic, and quantum techniques. In addition, embodiments of the invention may be practiced within a general purpose computer or in any other circuit or system.
According to one aspect, the computing device 200 may also have one or more input devices 212, such as a keyboard, mouse, pen, voice input device, touch input device, and the like. Output device(s) 214 such as a display, speakers, printer, etc. may also be included. The foregoing devices are examples and other devices may also be used. Computing device 200 may include one or more communication connections 216 that allow communication with other computing devices 218. Examples of suitable communication connections 216 include, but are not limited to: RF transmitter, receiver and/or transceiver circuitry; universal Serial Bus (USB), parallel and/or serial ports.
The term computer readable media as used herein includes computer storage media. Computer storage media may include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information (e.g., computer readable instructions, data structures, or program modules). System memory 204, removable storage 209, and non-removable storage 210 are all examples of computer storage media (i.e., memory storage). Computer storage media may include Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Read Only Memory (EEPROM), flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other article of manufacture that can be used to store information and that can be accessed by computing device 200. According to one aspect, any such computer storage media may be part of computing device 200. Computer storage media does not include a carrier wave or other propagated data signal.
According to one aspect, communication media is embodied by computer readable instructions, data structures, program modules, or other data in a modulated data signal (e.g., carrier wave or other transport mechanism) and includes any information delivery media. According to one aspect, the term "modulated data signal" describes a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, Radio Frequency (RF), infrared, and other wireless media.
In one embodiment of the invention, computing device 200 includes one or more processors and one or more readable storage media storing program instructions. The program instructions, when configured to be executed by one or more processors, cause a computing device to perform the method of operating an operation and maintenance container in embodiments of the present invention.
Fig. 3 shows a flow chart of a method 300 of operation of an operation and maintenance container according to one embodiment of the invention. The method 300 may be performed in an operating system, where the operating system is installed via an operating system installation image in which an operation and maintenance container image is packaged.
In the manufacturing stage of the operating system installation image, the software in the pre-package list and the operation and maintenance container image are installed, and ISO encapsulation is carried out. The software in the pre-package list is some of the underlying software of the operating system. In the software installation stage of the pre-package list, the SSH-related software is removed, so that the operating system does not pre-package an SSH service by default and does not directly provide an SSH connection function to the outside, which reduces the security risk of the operating system and improves its security. The secure shell protocol software package is preloaded in the operation and maintenance container image, and its configuration file is modified so that SSH password login is disabled and only login with a key is allowed, which improves the security of running the container. Because installation of the SSH software package is removed from the operating system and the SSH software package is instead installed in the operation and maintenance container image, an operating system installed from the operating system installation image no longer provides an SSH service itself; the SSH service is provided only in the operation and maintenance container. When a user needs to use the operation and maintenance container, the connection request is forwarded by the operating system to the operation and maintenance container and is not connected directly to the operating system, so the operating system is protected and its security is improved.
The operation and maintenance container image is packaged in the operating system installation image, so the operation and maintenance container is installed at the same time as the operating system is installed from the operating system installation image. The operation and maintenance container can therefore be run even when there is no external network access, which improves operation and maintenance efficiency and reduces operation and maintenance cost.
As shown in fig. 3, method 300 begins at 310.
310. The operation and maintenance container is installed by the operating system from the operation and maintenance container image.
According to the embodiment of the invention, the operation and maintenance container image is packaged in the operating system installation image; the operating system installation image is used to install the operating system, and the operation and maintenance container is installed with it. The operation and maintenance container can thus be run without external network access, which improves operation and maintenance efficiency and reduces operation and maintenance cost.
FIG. 4 illustrates a flow diagram for generating an operating system installation image according to one embodiment of the invention. As shown in fig. 4, at 410, the software in the pre-package list is installed, with the installation of SSH software removed from the pre-package list. At 420, the container image is downloaded, optionally from a server that provides the container image. At 430, the software and container image installed in the preceding steps are packaged, optionally as an ISO file. ISO is a packaging standard and method for operating system images, and operating system releases are usually distributed in this way; other packaging formats available on the market may also be used.
The operation and maintenance container image also encapsulates a secure shell protocol software package, whose configuration file is modified: the configuration file includes a setting that disables authentication by password, so that only login with a key is allowed, in order to improve the security of running the container. Specifically, the configuration file of the secure shell protocol software package may further include a setting that enables authentication by public key and a setting that enables authentication by RSA, may further include a setting that disables challenge-response authentication, and may further include the storage location of the authentication key file, in which the public key is stored. The following is an exemplary modified configuration file of the secure shell protocol software package:
# vim /etc/ssh/sshd_config
PasswordAuthentication no                  # password authentication
ChallengeResponseAuthentication no         # challenge-response authentication
RSAAuthentication yes                      # RSA authentication
PubkeyAuthentication yes                   # public key authentication
AuthorizedKeysFile .ssh/authorized_keys    # authentication key file
In the configuration file in the above example, the password authentication mode is disabled, the challenge-response authentication mode is disabled, the RSA asymmetric-encryption authentication mode is enabled, the public key authentication mode is enabled, and the storage location of the authentication key file is set to .ssh/authorized_keys.
320. The operation and maintenance container is operated so that a key is set in the operation and maintenance container.
According to an embodiment of the invention, the privileged mode is turned on to map a predetermined port of the operating system into the operation and maintenance container so as to forward a request of a user for processing the operation and maintenance container into the operation and maintenance container through the predetermined port of the operating system. The predetermined port may be, for example, the port 22, or may be another port.
According to one embodiment of the invention, a public-private key pair is generated in an operation and maintenance container. The public-private key pair includes a pair of public and private keys. Public-private key pairs may be generated by ssh-keygen commands. There are various ways to generate public-private key pairs, for example: public-private key pairs are generated by means of OpenSSL, by means of a hybrid encryption program of GNYU Pr i vacy Guard, etc. Fig. 5 shows a schematic diagram of setting keys in an operation and maintenance container according to an embodiment of the present invention. As shown in FIG. 5, at 510, an operation container is run, a privileged mode is turned on and a predetermined port of an operating system is mapped into the operation container. At 520, a public key and a private key are generated in the operation and maintenance container. In 530, the public key is stored in a storage location of the authentication key file.
According to another embodiment of the invention, a public key is set in the operation and maintenance container. Wherein the public key may be obtained from the ign profile. I gn it ion (I gn for short) is a configuration tool initialized by an operating system, and ssh public keys are recorded in an I gn configuration file. The following is an exemplary ign profile:
Fig. 6 shows a schematic diagram of setting keys in an operation and maintenance container according to another embodiment of the present invention. As shown in Fig. 6, at 610, the operation and maintenance container is run, the privileged mode is turned on and a predetermined port of the operating system is mapped into the operation and maintenance container. At 620, a public key is set in the operation and maintenance container, the public key being provided by the ign configuration file at the time of installation of the operating system. At 630, the public key is stored in the storage location of the authentication key file.
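The key provisioning of steps 620 and 630, as an added Go example that is not the patent's own code: it reads the sshAuthorizedKeys entries of a constructed Ignition config for one user, validates their shape, and writes them to .ssh/authorized_keys with the directory and file permissions sshd expects. The user name ops, the key bodies and the temporary home directory are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Constructed Ignition config (not from the patent): one user with two keys whose
// base64 bodies are placeholders, one of them padded with stray whitespace.
const SampleIgnition = `{"ignition":{"version":"3.0.0"},"passwd":{"users":[{"name":"ops","sshAuthorizedKeys":
 ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PlaceholderKeyBody ops@example","  ssh-rsa AAAAB3PlaceholderKeyBody ops@example  "]}]}}`

// Subset of the Ignition format that records SSH keys: passwd.users[].sshAuthorizedKeys.
type ignitionConfig struct {
	Passwd struct {
		Users []struct {
			Name              string   `json:"name"`
			SSHAuthorizedKeys []string `json:"sshAuthorizedKeys"`
		} `json:"users"`
	} `json:"passwd"`
}

// KeysFromIgnition returns user's public keys as normalised authorized_keys lines and
// rejects entries that are not "<type> <base64> [comment]" instead of writing them.
func KeysFromIgnition(ignJSON []byte, user string) ([]string, error) {
	var cfg ignitionConfig
	if err := json.Unmarshal(ignJSON, &cfg); err != nil {
		return nil, err
	}
	var keys []string
	for _, u := range cfg.Passwd.Users {
		if u.Name != user {
			continue
		}
		for _, k := range u.SSHAuthorizedKeys {
			f := strings.Fields(k)
			if len(f) < 2 || !(strings.HasPrefix(f[0], "ssh-") || strings.HasPrefix(f[0], "ecdsa-")) {
				return nil, fmt.Errorf("malformed key for %s: %q", user, k)
			}
			keys = append(keys, strings.Join(f, " "))
		}
	}
	return keys, nil
}

// InstallAuthorizedKeys writes keys to <home>/.ssh/authorized_keys with the permissions
// sshd's StrictModes expects (0700 directory, 0600 file) and returns the file path.
func InstallAuthorizedKeys(home string, keys []string) (string, error) {
	dir := filepath.Join(home, ".ssh")
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return "", err
	}
	path := filepath.Join(dir, "authorized_keys")
	return path, os.WriteFile(path, []byte(strings.Join(keys, "\n")+"\n"), 0o600)
}

func main() {
	keys, _ := KeysFromIgnition([]byte(SampleIgnition), "ops")
	home, _ := os.MkdirTemp("", "omc") // stand-in for the container's home directory
	fmt.Println(InstallAuthorizedKeys(home, keys))
}
```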
330. The operation and maintenance container is logged in by a secure shell protocol using a key.
According to one embodiment of the invention, the public key is obtained from the storage location of the authentication key file for logging in to the operation and maintenance container. Specifically, the public key is stored in the storage location of the authentication key file (ssh/authorized_keys). When the client initiates a login through the operating system, the operation and maintenance container sends a random character string to the client; the client encrypts the random character string using its private key and sends the encrypted string back to the operation and maintenance container; the operation and maintenance container decrypts it using the public key stored in ssh/authorized_keys and compares the decrypted content with the random character string it previously sent to the client. If the two are the same, authentication succeeds and the operation and maintenance container can be logged in; if they differ, authentication fails and the login to the operation and maintenance container fails.
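The challenge-response exchange described above, as an added example that is not the patent's code, written in Go with only the standard library: the container issues a random challenge, the client answers with its private key, and the container checks the answer with the public key held in authorized_keys, so a wrong key, a tampered answer or a replayed answer all fail. What the patent phrases as "encrypt with the private key, decrypt with the public key" is expressed here as an RSA signature, which is the form the SSH protocol actually uses; the key size and SHA-256 hash are this example's choices.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Challenge is the random character string the container sends to the client.
type Challenge []byte

// GenerateKeyPair stands in for ssh-keygen: the private half stays with the client,
// the public half is what lands in the container's authorized_keys.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// NewChallenge draws a fresh random value per login attempt, so a captured
// response to an earlier challenge is useless later.
func NewChallenge() (Challenge, error) {
	c := make(Challenge, 32)
	_, err := rand.Read(c)
	return c, err
}

// Respond is the client side. What the patent calls "encrypting the random string
// with the private key" is, in protocol terms, signing it; only the private key can
// produce a value the public key accepts.
func Respond(priv *rsa.PrivateKey, c Challenge) ([]byte, error) {
	h := sha256.Sum256(c)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// Verify is the container side: the public key from authorized_keys checks the
// response against the challenge the container itself issued. No secret is
// needed on the container, which is why a public key may sit in the image.
func Verify(pub *rsa.PublicKey, c Challenge, resp []byte) error {
	h := sha256.Sum256(c)
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], resp) != nil {
		return errors.New("authentication failed: response does not match challenge")
	}
	return nil
}

// Login runs one full round and reports whether the client's private key
// matches the public key the container has stored.
func Login(pub *rsa.PublicKey, priv *rsa.PrivateKey) (bool, error) {
	c, err := NewChallenge()
	if err != nil {
		return false, err
	}
	resp, err := Respond(priv, c)
	if err != nil {
		return false, err
	}
	return Verify(pub, c, resp) == nil, nil
}

func main() {
	authorized, _ := GenerateKeyPair() // the pair whose public key is in authorized_keys
	other, _ := GenerateKeyPair()      // a client holding some other key
	ok, _ := Login(&authorized.PublicKey, authorized)
	bad, _ := Login(&authorized.PublicKey, other)
	fmt.Println(ok, bad) // true false
}
```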
According to another embodiment of the present invention, after the public key is stored in the storage location of the authentication key file ssh/authorized_keys, the operation and maintenance container can be connected with ssh directly by adding a configuration entry to the local .ssh/config.
Fig. 7 illustrates a schematic diagram of logging in to an operation and maintenance container using a key through the secure shell protocol, according to one embodiment of the invention. As shown in Fig. 7, when a login is required, at 710 the login to the operation and maintenance container is initiated to the operating system through the SSH key, and at 720 the operating system forwards the user request (for example, a login request or a connection request) to the operation and maintenance container through the predetermined port, so that the user is not connected to the operating system itself. After the operation and maintenance container has been logged in using the key through the secure shell protocol, the operating system forwards the various requests it receives to the operation and maintenance container through the predetermined port, so that the various operations are executed in the operation and maintenance container within the operating system. When the operation and maintenance container needs to be exited, an exit operation is executed in the operation and maintenance container at 730, and at 740 the operating system logs out of the SSH login after receiving the request to exit the operation and maintenance container. According to the operation method of the operation and maintenance container, when the operation and maintenance container needs to be logged in, the connection request is forwarded to the operation and maintenance container and is not connected to the system. Because the operation and maintenance container is connected through SSH rather than directly into the system, the operating system is protected to a certain extent and its security is improved.
The operation and maintenance container is integrated into the operating system and can be run as a resident container, without an additional program (such as Toolbox) for running the operation and maintenance container.
According to the technical scheme of the invention, the operation and maintenance container image is packaged in the operating system installation image, and the operation and maintenance container installed from it is integrated into the operating system, so that the operation and maintenance container can be run in a scenario without a network, without having to download the container image separately after the operating system is installed. The secure shell protocol is used to log in with the key set in the operation and maintenance container, so the risk of a password being cracked that comes with password login is avoided, and security is improved.
Further, when the operation and maintenance container needs to be logged in, the connection request is forwarded to the operation and maintenance container and is not connected to the system. Because the operation and maintenance container is connected through SSH rather than directly into the operating system, the operating system is protected to a certain extent and its security is improved.
The various techniques described herein may be implemented in connection with hardware or software or, alternatively, with a combination of both. Thus, the methods and apparatus of the present invention, or certain aspects or portions of the methods and apparatus of the present invention, may take the form of program code (i.e., instructions) embodied in tangible media, such as removable hard drives, U-drives, floppy diskettes, CD-ROMs, or any other machine-readable storage medium, wherein, when the program is loaded into and executed by a machine, such as a computer, the machine becomes an apparatus for practicing the invention.
In the case of program code execution on programmable computers, the mobile terminal will generally include a processor, a storage medium readable by the processor (including volatile and non-volatile memory and/or storage elements), at least one input device, and at least one output device. Wherein the memory is configured to store program code; the processor is configured to execute the method of operation of the operation and maintenance container of the present invention according to the instructions in said program code stored in the memory.
By way of example, and not limitation, readable media comprise readable storage media and communication media. The readable storage medium stores information such as computer readable instructions, data structures, program modules, or other data. Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. Combinations of any of the above are also included within the scope of readable media.
In the description provided herein, algorithms and displays are not inherently related to any particular computer, virtual system, or other apparatus. Various general-purpose systems may also be used with examples of the invention. The required structure for a construction of such a system is apparent from the description above. In addition, the present invention is not directed to any particular programming language. It will be appreciated that the teachings of the present invention described herein may be implemented in a variety of programming languages, and the above description of specific languages is provided for disclosure of enablement and best mode of the present invention.
In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be construed as reflecting the intention that: i.e., the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules or units or components of the devices in the examples disclosed herein may be arranged in a device as described in this embodiment, or alternatively may be located in one or more devices different from the devices in this example. The modules in the foregoing examples may be combined into one module or may be further divided into a plurality of sub-modules.
Those skilled in the art will appreciate that the modules in the apparatus of the embodiments may be adaptively changed and disposed in one or more apparatuses different from the embodiments. The modules or units or components of the embodiments may be combined into one module or unit or component and, furthermore, they may be divided into a plurality of sub-modules or sub-units or sub-components. Any combination of all features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or units of any method or apparatus so disclosed, may be used in combination, except insofar as at least some of such features and/or processes or units are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings), may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features but not others included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
Furthermore, some of the embodiments are described herein as methods or combinations of method elements that may be implemented by a processor of a computer system or by other means of performing the functions. Thus, a processor with the necessary instructions for implementing the described method or method element forms a means for implementing the method or method element. Furthermore, the elements of the apparatus embodiments described herein are examples of the following apparatus: the apparatus is for carrying out the functions performed by the elements for carrying out the objects of the invention.
As used herein, unless otherwise specified the use of the ordinal terms "first," "second," "third," etc., to describe a general object merely denote different instances of like objects, and are not intended to imply that the objects so described must have a given order, either temporally, spatially, in ranking, or in any other manner.
While the invention has been described with respect to a limited number of embodiments, those skilled in the art, having benefit of the above description, will appreciate that other embodiments are contemplated within the scope of the invention as described herein. Furthermore, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter. Accordingly, many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. The disclosure of the present invention is intended to be illustrative, but not limiting, of the scope of the invention, which is defined by the appended claims.

Claims (10)

1. A method of operating an operation and maintenance container, executed in an operating system, the operating system being installed by an operating system installation image, the method comprising:
installing an operation and maintenance container image encapsulated in the operating system installation image;
operating the operation and maintenance container so as to set a key in the operation and maintenance container;
the operation and maintenance container is logged in through a secure shell protocol by using the key.
2. The method of claim 1, further comprising:
turning on a privileged mode and mapping a predetermined port of the operating system into the operation and maintenance container;
and forwarding a received request to the operation and maintenance container through the predetermined port.
3. The method of claim 1 or 2, wherein said setting a key in said operation and maintenance container comprises:
and generating public and private key pairs in the operation and maintenance container.
4. The method of claim 1 or 2, wherein said setting a key in said operation and maintenance container comprises:
and setting a public key in the operation and maintenance container.
5. The method of any of claims 1 to 4, further comprising encapsulating a secure shell protocol software package in the operation and maintenance container image, the configuration file of the secure shell protocol software package including disabling of authentication by password.
6. The method of claim 5, wherein the configuration file of the secure shell protocol software package further includes enabling of authentication by public key and enabling of authentication by RSA.
7. The method of claim 5 or 6, wherein the configuration file of the secure shell protocol software package further comprises a storage location for an authentication key file.
8. The method of claim 7, further comprising:
storing a public key of the keys in a storage location of the authentication key file;
wherein logging in the operation and maintenance container using the key comprises:
and obtaining a public key from the storage position of the authentication key file for logging in the operation and maintenance container.
9. A computing device, comprising:
at least one processor; and
a memory storing program instructions, wherein the program instructions are configured to be adapted to be executed by the at least one processor, the program instructions comprising instructions for performing the method of any one of claims 1 to 8.
10. A readable storage medium storing program instructions which, when read and executed by a computing device, cause the computing device to perform the method of any one of claims 1 to 8.
CN202310216665.5A 2023-03-07 2023-03-07 Operation method of operation and maintenance container, computing device and readable storage medium Pending CN116483509A (en)

Publications (1)

Publication Number Publication Date
CN116483509A true CN116483509A (en) 2023-07-25

Family

ID=87220324

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination