WO2017101252A1 - Method, server and system for logging in to a Docker container - Google Patents

Method, server and system for logging in to a Docker container

Info

Publication number
WO2017101252A1
Authority
WO
WIPO (PCT)
Prior art keywords
container
login
server
docker
command
Prior art date
Application number
PCT/CN2016/082406
Other languages
English (en)
Chinese (zh)
Inventor
梅平
杨帝海
伍宏先
赵亮
Original Assignee
腾讯科技(深圳)有限公司
Application filed by 腾讯科技(深圳)有限公司
Publication of WO2017101252A1
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/166 Implementing security features at a particular protocol layer at the transport layer
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer

Definitions

  • the present invention relates to the field of security technologies, and in particular, to a Docker-based container login method, server, and system.
  • Docker is an open source application container engine that lets developers package an application and its dependencies into a portable container and publish it to any popular Linux machine; virtualization can also be implemented on the machine. After a business program is deployed in a Docker container, the container's IP address is usually invisible to the outside world, so there is no way to log in to it directly.
  • some existing login methods log in directly to the Docker physical machine and then enter the container through commands.
  • the containers of every service are placed on the same Docker physical machine, and opening login permission to that physical machine poses a great security risk.
  • a Docker based container login method, server, and system are provided.
  • a Docker-based container login method that includes:
  • opening a virtual terminal connection to the Docker physical machine corresponding to the login information by using a command of the SSH protocol;
  • a first server includes a memory and a processor, the memory storing instructions that, when executed by the processor, cause the processor to perform the following steps:
  • opening a virtual terminal connection to the Docker physical machine corresponding to the login information by using a command of the SSH protocol;
  • a Docker-based container login system that includes:
  • a first server configured to receive a container entry command, where the container entry command includes login information
  • the first server is further configured to open a virtual terminal connection to the Docker physical machine corresponding to the login information by using a command of the SSH protocol;
  • the first server is further configured to enter a container corresponding to the login information by using the virtual terminal.
  • FIG. 1 is an application environment diagram of a Docker-based container login method in an embodiment
  • Figure 2 is a diagram showing the internal structure of the first server of Figure 1 in an embodiment
  • FIG. 3 is a flow chart of a Docker-based container login method in one embodiment
  • FIG. 4 is a flow chart of a Docker-based container login method in another embodiment
  • FIG. 5 is a structural block diagram of a Docker-based container login system in one embodiment
  • FIG. 6 is a structural block diagram of a Docker-based container login system in another embodiment
  • FIG. 7 is a structural block diagram of a Docker-based container login device in one embodiment
  • FIG. 8 is a structural block diagram of a Docker-based container login device in another embodiment
  • FIG. 9 is a structural block diagram of a Docker-based container login apparatus in still another embodiment.
  • FIG. 1 is an application environment diagram of a Docker-based container login method in an embodiment.
  • the application environment includes a first server 110 and a Docker physical machine 120, wherein the first server 110 and the Docker physical machine 120 communicate over a network.
  • the first server 110 is generally the machine from which the login is launched, and can be a springboard (jump server).
  • the Docker physical machine 120 can run multiple containers, each of which corresponds to a different service.
  • the first server 110 establishes a connection with the Docker physical machine 120 according to the received command and enters the corresponding container on the Docker physical machine through the virtual terminal.
  • the internal structure of the first server 110 of FIG. 1 is as shown in FIG. 2.
  • the first server 110 includes a processor, an internal memory, a non-volatile storage medium, and a network interface connected by a system bus.
  • the non-volatile storage medium of the first server 110 stores an operating system and a Docker-based container login device, and the Docker-based container login device is used to implement a Docker-based container login method suitable for the first server 110.
  • the processor of the first server 110 is configured to provide computing and control capabilities configured to perform a Docker based container login method.
  • the network interface of the first server 110 is used to communicate with the Docker physical machine 120 over a network connection, for example to enter a container on the Docker physical machine 120.
  • a Docker-based container login method is provided to be applied to the first server 110 in the application environment, and the following steps are included:
  • Step S210 receiving a container entry command, and the container entry command includes login information.
  • a container access command tool installed on the first server 110 receives the container entry command; the command can be entered directly on the first server 110, or the user first connects to the first server 110 from a terminal over an SSH command, and the first server 110 then receives the container entry command.
  • SSH (Secure Shell) is the secure shell protocol; receiving the container entry command over SSH increases the security of receiving the command.
  • the login information can be customized as needed. For example, the login information is the container name, and the container to be entered is determined by that name; the received container entry command then has the form "go container name".
  • step S220 the virtual terminal is connected to the Docker physical machine corresponding to the login information by using the command of the SSH protocol.
  • the -t option of the ssh command (force pseudo-terminal allocation) is used to open a virtual terminal connection to the Docker physical machine corresponding to the login information.
  • the Docker physical machine corresponding to the login information can be obtained from the container name, for example by determining the container's IP from the container name and then obtaining the corresponding Docker physical machine through that IP.
  • the login permission of the Docker physical machine is not required to be opened, thereby improving the security of the login.
  • the SSH protocol command is executed automatically to open the virtual terminal and connect to the Docker physical machine, with no need to input any information manually, which improves the convenience of login. Because connecting to the Docker physical machine through the virtual terminal and logging in through the subsequent steps is enforced and cannot be changed by the user, the security of the login is ensured.
  • Step S230 the container corresponding to the login information is entered through the virtual terminal.
  • the command executed in step S220 and step S230 is: ssh -t 192.168.0.1 "docker exec -ti my_container bash", where 192.168.0.1 is the IP address of the container and my_container is the name of the container received.
  • by receiving a container entry command that includes login information, opening a virtual terminal connection to the Docker physical machine corresponding to the login information with an SSH protocol command, and entering the container corresponding to the login information through that virtual terminal, the user connects to the Docker physical machine through the virtual terminal without logging in to the Docker physical machine and without opening the login permissions of the Docker physical machine, which improves the security of the login.
  • a Docker-based container login method is provided.
  • in this embodiment the login information includes the container name, and the method includes the following steps:
  • Step S310 receiving a container entry command, and the container entry command includes login information.
  • Step S320 Acquire a currently logged-in user, and send an authentication request to the second server.
  • the authentication request includes the container name and the information of the user, so that the second server determines the login right according to the authentication request.
  • the currently logged-in user is the user who has logged in to the first server, and the first server obtains the information of that user.
  • the information of the user may include one or more of the user name, level information, time information, and the like; an authentication request carrying the user information and the container name is sent to the second server. The second server stores the login permissions corresponding to user information and containers, determines according to the user information and the container name whether the user has permission to log in to the container, and returns an authentication result of login permission if so, otherwise an authentication result of no login permission.
  • Step S330 receiving the authentication result returned by the second server. If the authentication result is that there is login authority, the process proceeds to step S340, otherwise the login cannot be performed.
  • if there is login permission, the container can be accessed through the subsequent steps; if there is no login permission, the login cannot be performed.
  • the authentication of the login authority further improves the security of the login. Even if the container name is stolen and the user information does not match, the container cannot be accessed.
  • Step S340 the virtual terminal is connected to the Docker physical machine corresponding to the login information by using the command of the SSH protocol.
  • step S350 the container corresponding to the login information is entered through the virtual terminal.
  • the method further comprises: when the container executes the exit instruction, exiting the container and directly returning to the local machine.
  • when the "exit" command is executed in the container, exiting the container immediately returns the user to the first server, without leaving them on the Docker physical machine, so the user cannot operate the Docker physical machine, which improves security.
  • a Docker-based container login system including:
  • the first server 410 is configured to receive a container entry command, and the container entry command includes login information.
  • the first server 410 is installed with a container access command tool to receive the container entry command; the container entry command may be entered directly on the first server 110, or the user may connect to the first server 110 through an SSH command from a terminal, and the first server then receives the container entry command.
  • SSH (Secure Shell) is the secure shell protocol.
  • the login information can be customized as needed. For example, the login information is the container name, and the container to be entered is determined by that name; the received container entry command then has the form "go container name".
  • the first server 410 is further configured to open a virtual terminal connection with a Docker physical machine corresponding to the login information by using a command of the SSH protocol.
  • the first server 410 opens a virtual terminal connection to the Docker physical machine corresponding to the login information by using the -t option of the ssh command (force pseudo-terminal allocation).
  • the Docker physical machine corresponding to the login information can be obtained from the container name, for example by determining the container's IP from the container name and then obtaining the corresponding Docker physical machine through that IP.
  • the login permission of the Docker physical machine is not required to be opened, thereby improving the security of the login.
  • the SSH protocol command is executed automatically to open the virtual terminal and connect to the Docker physical machine, with no need to input any information manually, which improves the convenience of login. Because connecting to the Docker physical machine through the virtual terminal and logging in through the subsequent steps is enforced and cannot be changed by the user, the security of the login is ensured.
  • a Docker physical machine 420 can run one or more containers. In one embodiment, there are multiple containers, each corresponding to a different service.
  • the first server 410 is further configured to enter a container corresponding to the login information by using the virtual terminal.
  • the first server 410 executes the docker exec command to enter the inside of the container through the virtual terminal; the command executed in step S220 and step S230 is: ssh -t 192.168.0.1 "docker exec -ti my_container bash", where 192.168.0.1 is the IP address of the container and my_container is the name of the container received.
  • in the system consisting of the first server 410 and the Docker physical machine 420, the first server 410 receives the container entry command, which includes login information; the Docker physical machine corresponding to the login information is opened by the SSH protocol command, and the container corresponding to the login information is entered through the virtual terminal. Connecting to the Docker physical machine through the virtual terminal requires neither logging in to the Docker physical machine nor opening its login permission, thereby improving the security of the login.
  • the login information includes a container name.
  • the system further includes a second server 430.
  • the first server is further configured to acquire the currently logged-in user and send an authentication request to the second server 430 for authentication; the request includes the container name and the user information.
  • the currently logged-in user is a user who logs in to the first server, and obtains information of the currently logged-in user, such as a user name, and sends an authentication request carrying the user information and the container name to the second server.
  • the second server 430 is configured to determine the login authority according to the authentication request, and return an authentication result to the first server.
  • the second server stores the login permissions corresponding to user information and containers, determines according to the user information and the container name whether the user has permission to log in to the container, and returns the authentication result with login permission if so, otherwise the authentication result without login permission.
  • the first server 410 is further configured to open the Docker physical machine corresponding to the login information by using the SSH protocol command if the authentication result is the login permission, otherwise the login cannot be performed.
  • the first server 410 can open the Docker physical machine corresponding to the login information by using the SSH protocol command if the returned authentication result is the login permission. If the login permission is not available, the first server 410 cannot log in. The authentication of the login authority further improves the security of the login. Even if the container name is stolen and the user information does not match, the container cannot be accessed.
  • the container is configured to exit and return directly to the first server when the exit instruction is executed.
  • when the "exit" command is executed in the container, the user is immediately returned to the first server and does not stay on the Docker physical machine, so the user cannot operate the Docker physical machine, which improves security.
  • a Docker-based container login device including:
  • the receiving module 510 is configured to receive a container entry command, and the container entry command includes login information.
  • the virtual terminal connection module 520 is configured to open a virtual terminal connection to the Docker physical machine corresponding to the login information by using a command of the SSH protocol.
  • the module 530 is configured to enter a container corresponding to the login information through the virtual terminal.
  • the login information includes a container name
  • the device further includes:
  • the authentication module 540 is configured to obtain the currently logged-in user, and send an authentication request to the second server.
  • the authentication request includes the container name and the user information, so that the second server determines the login permission according to the authentication request; the authentication module 540 receives the authentication result returned by the second server, and if the result is that there is login permission, processing proceeds to the virtual terminal connection module 520, otherwise the login cannot be performed.
  • the device further includes:
  • the return module 550 is configured to exit the container and directly return to the local machine when the container executes the exit instruction.
  • the storage medium may be a non-volatile storage medium such as a magnetic disk, an optical disk, or a read-only memory (ROM), or a random access memory (RAM).
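The flow of steps S310 to S350 and the exit behaviour, as an added illustration that is not the patent's own code: a jump-server tool parses "go container name", checks an authorization table standing in for the second server, resolves the container name to its Docker physical machine, and builds the ssh -t / docker exec command from the description. The permission table, container-to-host map, user names and addresses are constructed sample data.

```python
"""Constructed jump-server flow for the Docker container login method above."""
import re
import shlex
from dataclasses import dataclass

# Container names are limited to Docker's allowed character set so the name
# can never carry shell syntax into the remote command that the Docker host's
# shell will interpret after the ssh -t hop.
CONTAINER_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,127}$")

# Constructed sample data: the second server's permission store (user -> containers)
# and the container-name -> Docker physical machine lookup used in step S220.
PERMISSIONS = {
    "alice": {"my_container", "web_frontend"},
    "bob": {"web_frontend"},
}
CONTAINER_HOSTS = {
    "my_container": "192.168.0.1",
    "web_frontend": "192.168.0.2",
}


class LoginDenied(Exception):
    """Malformed command, no login permission, or unknown container."""


@dataclass(frozen=True)
class EntryCommand:
    user: str
    container: str


def parse_entry_command(user: str, line: str) -> EntryCommand:
    """Step S310: parse the "go <container name>" line received on the first server."""
    parts = line.strip().split()
    if len(parts) != 2 or parts[0] != "go":
        raise LoginDenied("expected: go <container name>")
    if not CONTAINER_NAME_RE.fullmatch(parts[1]):
        raise LoginDenied("invalid container name")
    return EntryCommand(user=user, container=parts[1])


def authenticate(cmd: EntryCommand, permissions=PERMISSIONS) -> bool:
    """Steps S320/S330: the second server's decision, keyed on user AND container name,
    so a stolen container name alone does not grant entry."""
    return cmd.container in permissions.get(cmd.user, set())


def resolve_host(container: str, hosts=CONTAINER_HOSTS) -> str:
    """Step S340: map the container name to the IP of its Docker physical machine."""
    try:
        return hosts[container]
    except KeyError:
        raise LoginDenied(f"unknown container {container!r}") from None


def build_ssh_argv(cmd: EntryCommand) -> list[str]:
    """Steps S340/S350: argv for ssh -t <ip> "docker exec -ti <name> bash".

    Returned as an argv list (no local shell involved); the remote command is
    quoted with shlex so the host's shell sees exactly one docker exec call.
    """
    if not authenticate(cmd):
        raise LoginDenied(f"user {cmd.user!r} may not enter {cmd.container!r}")
    host = resolve_host(cmd.container)
    remote = shlex.join(["docker", "exec", "-ti", cmd.container, "bash"])
    # ssh -t allocates a pseudo-terminal and runs only this command; when bash
    # inside the container exits, ssh exits too and control returns to the
    # first server, so the user never holds a shell on the Docker host.
    return ["ssh", "-t", host, remote]


def handle_go(user: str, line: str) -> list[str]:
    """Whole flow for one received line; a caller would pass the result to subprocess.run."""
    return build_ssh_argv(parse_entry_command(user, line))


def entry_allowed(user: str, line: str) -> bool:
    """True when the line would result in an ssh hop, False when it is refused."""
    try:
        handle_go(user, line)
        return True
    except LoginDenied:
        return False
```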

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Telephonic Communication Services (AREA)
  • Information Transfer Between Computers (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention relates to a Docker container login method comprising the following steps: receiving a container entry command, where the container entry command includes login information; opening a virtual terminal by means of an SSH protocol command and connecting it to a Docker physical machine corresponding to the login information; and entering, through the virtual terminal, a container corresponding to the login information.
PCT/CN2016/082406 2015-12-17 2016-05-17 Method, server and system for logging in to a Docker container WO2017101252A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510955719.5 2015-12-17
CN201510955719.5A CN106899544B (zh) 2015-12-17 2015-12-17 Docker-based container login method, device and system

Publications (1)

Publication Number Publication Date
WO2017101252A1 true WO2017101252A1 (fr) 2017-06-22

Family

ID=59055645

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/082406 WO2017101252A1 (fr) 2015-12-17 2016-05-17 Method, server and system for logging in to a Docker container

Country Status (2)

Country Link
CN (1) CN106899544B (fr)
WO (1) WO2017101252A1 (fr)


Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109525624B (zh) * 2017-09-20 2022-01-04 腾讯科技(深圳)有限公司 Container login method, device and storage medium
CN107948203B (zh) * 2017-12-29 2019-09-13 平安科技(深圳)有限公司 Container login method, application server, system and storage medium
CN111176794B (zh) * 2020-01-02 2024-05-14 腾讯科技(深圳)有限公司 Container management method, device and readable storage medium
CN111479084B (zh) * 2020-03-04 2023-07-28 视联动力信息技术股份有限公司 Video networking conference establishment method, device, system and storage medium
CN111367573B (zh) * 2020-03-12 2021-10-22 腾讯科技(深圳)有限公司 Device login method, apparatus, storage medium and computer device
CN111639314B (zh) * 2020-05-15 2024-01-12 京东科技控股股份有限公司 Container login system, method, server and storage medium
CN113051035B (zh) * 2021-03-31 2024-02-02 杭州海康威视系统技术有限公司 Remote control method, device, system and host machine

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015126292A1 (fr) * 2014-02-20 2015-08-27 Telefonaktiebolaget L M Ericsson (Publ) Methods, apparatuses and computer program products for deploying and managing software containers
CN104951308A (zh) * 2015-06-30 2015-09-30 北京奇虎科技有限公司 Management optimization method and device for a Docker Registry
CN105045656A (zh) * 2015-06-30 2015-11-11 深圳清华大学研究院 Virtual-container-based big data storage and management method
CN105068874A (zh) * 2015-08-12 2015-11-18 国家电网公司 On-demand dynamic resource allocation method combined with Docker technology
CN105160269A (zh) * 2015-08-13 2015-12-16 浪潮电子信息产业股份有限公司 Method and device for accessing data inside a Docker container


Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110719303A (zh) * 2018-07-11 2020-01-21 大唐移动通信设备有限公司 Method and system for containerizing an NRF
CN110719303B (zh) * 2018-07-11 2021-03-12 大唐移动通信设备有限公司 Method and system for containerizing an NRF
CN113765963A (zh) * 2020-07-24 2021-12-07 北京沃东天骏信息技术有限公司 Data processing method, device, equipment and computer-readable storage medium
CN113162806A (zh) * 2021-04-23 2021-07-23 华上(天津)信息科技发展有限公司 Remote operation and maintenance method
CN113434257A (zh) * 2021-07-07 2021-09-24 曙光信息产业(北京)有限公司 Docker operation method, device, server and storage medium
CN116107715A (zh) * 2023-02-02 2023-05-12 北京天云融创软件技术有限公司 Method for running Docker container tasks, and task scheduler
CN116107715B (zh) * 2023-02-02 2023-09-26 北京天云融创软件技术有限公司 Method for running Docker container tasks, and task scheduler

Also Published As

Publication number Publication date
CN106899544A (zh) 2017-06-27
CN106899544B (zh) 2020-04-03


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16874316

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 19/10/2018)

122 Ep: pct application non-entry in european phase

Ref document number: 16874316

Country of ref document: EP

Kind code of ref document: A1