CN113901469B - Container image storage method, system, computer device and computer storage medium - Google Patents
- Publication number: CN113901469B (application CN202111203139.2A)
- Authority
- CN
- China
- Prior art keywords
- container
- detection
- security
- mirror image
- image
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45587—Isolation or security of virtual machine instances
Abstract
The disclosure provides a container image storage method, a system, computer equipment and a computer-readable storage medium. The method comprises the steps of constructing a security detection identification chain for a container image, determining a first security level category of the container image based on the security detection identification chain, and storing the container image in a corresponding image repository based on the first security level category. The security detection identification chain is used to divide container images into security levels, and each container image is stored in the image repository of the corresponding security level, so that the storage security problem of current container images is at least solved. When an image is deployed in a container, the image repository matching the required security level can be used, so that the security of the various applications in the container is ensured while the convenience of acquiring and using container images is effectively improved and the user experience is improved.
Description
Technical Field
The present disclosure relates to the field of container images, and in particular to a container image storage method, a container image storage system, a computer device and a computer-readable storage medium.
Background
Container technology is one of the Cloud Native technologies and is widely used because it is fast, efficient, highly portable and consumes few resources. The image is the basis on which a container runs, and with the widespread use of containers a wide variety of images are deployed in them. The image repository (Docker Hub) is where images are stored and is also an important channel for obtaining them. At present the main image repositories are public repositories and private repositories; public repositories are widely used because of their large number of images, ease of use and openness, and this brings with it a number of security problems. Related research reports show that more than 30% of official images in the image repository contain high-risk vulnerabilities and nearly 70% of images have high-risk or medium-risk vulnerabilities; at the same time, because of the openness of the image repository, malicious software such as Trojans and backdoors may be implanted when images are built and uploaded to the repository.
The security problem of the container mirror image has become one of the main security problems faced by the deployment of the container by the cloud native technology, and how to effectively solve the security problem of the mirror image storage has become an important way for ensuring the security of the container.
Disclosure of Invention
The present disclosure provides a container image storage method, system, computer device and computer readable storage medium, so as to at least solve the storage security problem of the current container image, thereby effectively guaranteeing the security of the container.
To achieve the above object, the present disclosure provides a container image storage method, including:
constructing a security detection identification chain for the container image;
determining a first security level category of the container image based on the security detection identification chain; and storing the container image in a corresponding image repository based on the first security level category.
In one embodiment, constructing a security detection identification chain for the container image includes:
adding a detection identifier and a security level identifier to the container image based on the security detection result of the container image; and
constructing a security detection identification chain for the container image based on the detection identifier and the security level identifier.
In one embodiment, before adding the detection identifier and the security level identifier to the container image based on the security detection result of the container image, the method further comprises:
performing security detection on the container image to obtain a security detection result of the container image;
the security detection result comprises any one or any combination of an image vulnerability scanning detection result, an image virus detection result and an image compliance detection result.
In one embodiment, before determining the first security level category of the container image based on the security detection identification chain, the method further comprises:
pre-dividing a plurality of first security level categories relating to container images and a plurality of second security level categories relating to image repositories;
establishing a mapping relation between the first security level categories relating to container images and the second security level categories relating to image repositories;
and storing the container image in a corresponding image repository based on the first security level category includes:
storing the container image in the image repository corresponding to a second security level category according to the mapping relation, based on the security level category.
To achieve the above object, the present disclosure further provides a container image storage system, including:
an identification chain construction module configured to construct a security detection identification chain for the container image;
a category determination module configured to determine a first security level category of the container image based on the security detection identification chain; and
a storage module configured to store the container image in a corresponding image repository based on the first security level category.
In one embodiment, the identification chain construction module comprises:
an identifier adding unit configured to add a detection identifier and a security level identifier to the container image based on a security detection result of the container image; and
a construction unit configured to construct a security detection identification chain for the container image based on the detection identifier and the security level identifier.
In one embodiment, the identification chain construction module further comprises:
a security detection unit configured to perform security detection on the container image, before the identifier adding unit adds the detection identifier and the security level identifier to the container image, to obtain a security detection result of the container image;
the security detection result comprises any one or any combination of an image vulnerability scanning detection result, an image virus detection result and an image compliance detection result.
In one embodiment, the system further comprises:
a classification module configured to pre-divide a number of first security level categories for container images and a number of second security level categories for image repositories before the category determination module determines the first security level category of the container image;
a mapping module configured to establish a mapping relation between the number of first security level categories for container images and the number of second security level categories for image repositories;
the storage module is specifically configured to store the container image in the image repository corresponding to a second security level category according to the mapping relation, based on the security level category.
To achieve the above object, the present disclosure correspondingly provides a computer device, including a memory and a processor, where the memory stores a computer program, and the processor executes the container image storage method when the processor runs the computer program stored in the memory.
To achieve the above object, the present disclosure accordingly also provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the container image storage method.
According to the container image storage method, system, computer equipment and computer-readable storage medium of the present disclosure, a security detection identification chain is built for the container image, a first security level category of the container image is then determined based on the security detection identification chain, and the container image is stored in a corresponding image repository based on the first security level category. The present disclosure divides container images into security levels based on the security detection identification chain and stores each image in the image repository of the corresponding security level to ensure the security of the container image. When images are deployed in containers, the image repository matching the required security level can be used, so that the security of the various applications in the container is ensured, the convenience of acquiring and using container images is effectively improved, and the user experience is improved.
Additional features and advantages of the disclosure will be set forth in the description which follows, and in part will be apparent from the description, or may be learned by practice of the disclosure. The objectives and other advantages of the disclosure will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings are included to provide a further understanding of the disclosed embodiments and are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description serve to explain, without limitation, the disclosed embodiments.
Fig. 1 is a flow chart of a container image storage method according to an embodiment of the disclosure;
Fig. 2 is a schematic view of an image repository scenario in an embodiment of the present disclosure;
Fig. 3 is a flow chart of another container image storage method according to an embodiment of the disclosure;
Fig. 4 is a flow chart of another container image storage method according to an embodiment of the disclosure;
Fig. 5 is a schematic diagram of a container image storage system according to an embodiment of the disclosure;
Fig. 6 is a schematic structural diagram of a computer device according to an embodiment of the disclosure.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present disclosure more apparent, the following detailed description of the specific embodiments of the present disclosure will be given with reference to the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating and illustrating the disclosure, are not intended to limit the disclosure.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present disclosure and the foregoing drawings are used for distinguishing similar objects and not necessarily for describing a particular sequential or chronological order, and that embodiments and features of embodiments of the present disclosure may be arbitrarily combined with each other without conflict.
In the following description, suffixes such as "module", "component", or "unit" for representing elements are used only for facilitating the description of the present disclosure, and are not of specific significance per se. Thus, "module," "component," or "unit" may be used in combination.
With the wide use of cloud computing and virtualization technologies, various industries are moving their services to the cloud to different degrees, but simply converting a host, a platform or an application into a virtualized form cannot solve the slow upgrades, bloated architecture and inability to iterate quickly of traditional applications, so the concept of Cloud Native was developed. Cloud Native technology is represented by continuous delivery, development and operations (DevOps, the combination of collaboration and integration), containers, orchestration and microservices. Container technology can effectively divide the resources of a single operating system into isolated groups so as to better balance conflicting resource demands among those groups; because it is fast, efficient, highly portable and consumes few resources it has gained wide use, and the image, as the basis on which a container runs, is deployed in great variety as containers are widely used.
In order to solve the above problems, in the embodiments of the present disclosure a security detection identification chain is constructed for the container image, the security level of the container image is then divided based on the security detection identification chain, and the image is stored in a container image library of the corresponding security level to ensure the security of the container image.
Referring to fig. 1, fig. 1 is a flowchart of a container image storage method according to an embodiment of the disclosure, where the method includes steps S101 to S103.
In step S101, a security check identification chain is built for the container image.
In this embodiment, the security of the container image is marked by building a security detection identification chain for each container image that needs to be stored in the container image repository. Specifically, the security detection identification chain comprises the security identifiers added to the container image in each detection process, where the security identifiers can comprise detection identifiers and security level identifiers. By constructing the security detection identification chain for the container image, the whole security detection process of the image can be tracked, so that the container images stored in the image repository have traceable security detection.
Taking as an example a security detection identification chain that consists of identifier 1, the detection identifier, and identifier 2, the security level identifier: the detection identifiers are shown in Table 1 below and the security level identifiers in Table 2 below.
TABLE 1
TABLE 2
In step S102, a first security level class of the container image is determined based on the security detection identification chain.
In this embodiment, the first security level category of the container image is determined based on the SECURITY level identifier in the security detection identification chain; for example, images with SECURITY level S1 and S2 are classified as low security level, images with level S3 and S4 as medium security level, and images with level S5 as high security level. Taking multiple security checks on a container image as an example, the corresponding security detection identification chain S-CHAIN is formed to track the whole security detection process of the image. The formation of the security detection identification chain is illustrated as follows:
In the first step, the image is scanned for viruses, Trojans, malicious programs and the like and no threat is found; the identification information is:
S-CHAIN | SECURITY
A | S1
In the second step, the image has been scanned for viruses, Trojans, malicious programs and the like with no threat found, and vulnerability scanning has also been completed with no high-risk vulnerability found; the identification information is:
S-CHAIN | SECURITY
A-B01 | S2
In the third step, no threat is found after scanning for viruses, Trojans, malicious programs and the like, no high-risk vulnerability is found after vulnerability scanning, and no medium- or high-risk vulnerability is found after vulnerability scanning is completed again; the identification information is:
S-CHAIN | SECURITY
A-B01-B02 | S3
In the fourth step, no threat is found after scanning for viruses, Trojans, malicious programs and the like, no high-risk vulnerability is found after vulnerability scanning, no medium- or high-risk vulnerability is found after vulnerability scanning is completed again, and no low-, medium- or high-risk vulnerability is found after a third vulnerability scan; the identification information is:
S-CHAIN | SECURITY
A-B01-B02-B03 | S4
In the fifth step, no threat is found after scanning for viruses, Trojans, malicious programs and the like, no high-risk vulnerability is found after vulnerability scanning, no medium- or high-risk vulnerability is found after vulnerability scanning is completed again, no low-, medium- or high-risk vulnerability is found after a third vulnerability scan, and no non-compliant items are found after compliance detection; the identification information is:
S-CHAIN | SECURITY
A-B01-B02-B03-C | S5
It should be noted that in some embodiments the security detection performed on the container image is not limited to the detection methods above, and the five steps above need not be performed one after another: a corresponding detection identifier and security level identifier can be added whenever a detection is performed and its result obtained. Further, to limit the total length of the security detection identification chain S-CHAIN, the number of identifiers added after detection may be limited to 15; when the number exceeds 15, the 2nd, then the 3rd, identifier is deleted while the 1st is retained, and so on. It is understood that the first security level category of the container image is determined according to the latest security level identifier in the security detection identification chain.
In step S103, the container image is stored in a corresponding image repository based on the first security level category.
Specifically, several different types of image repository can be built according to the different security levels of container images, for example a high-level, a medium-level and a low-level image repository for use in different environments. For example, in a personal environment with no requirement on security level, low-security-level images can be used for convenience; where some convenience can be sacrificed for security, medium-security-level images can be used; and in a production environment, where the security requirement is high, high-security-level images must be used to ensure the security of the network and the system. As shown in Fig. 2, the low-security-level image repository stores the S1 and S2 container images, the medium-security-level image repository stores the S3 and S4 container images, and the high-security-level image repository stores the S5 container images.
In the related art, the security problem of container images is addressed by establishing a private image repository, using security detection technology to detect the security problems present in images downloaded from the public repository, and then storing the images that have passed security detection in the private image repository. However, although security detection is carried out, no identification information is added to the image to form an identification chain, so when the image is used its security level cannot be judged intuitively, nor can its modification history. Compared with the related art, this embodiment marks the security detection process of the container image by constructing a security detection identification chain, determines the security level of the container image, and sorts container images into the corresponding image repositories according to security level, thereby effectively guaranteeing image security at the different security levels and improving the convenience with which users use container images.
Further, unlike the related art, this embodiment does not require a private image repository to be created; instead an existing public repository is divided, which reduces image storage cost to a certain extent. Specifically, the information found in every container image today includes REPOSITORY, TAG, IMAGE ID, CREATED, SIZE and other fields; in this embodiment, S-CHAIN is added to the original information to represent the security detection identification chain and SECURITY is added to represent the security level, as shown in the following table:
Taking an http image downloaded from a public repository as an example, the added identification information is described as follows:
For example, after the image has been scanned for viruses, Trojans and malicious programs and vulnerability scanning has found no high-risk vulnerability, the specific information is as follows:
If the image is then vulnerability-scanned again with no medium- or high-risk vulnerabilities found, and baseline detection is then performed, the specific information is as follows:
Further, in this embodiment, after security detection is performed on the container image, a detection identifier and a security level identifier are added to the container image based on the security detection result, and a security detection identification chain is then constructed so as to track the security detection process of the container image. Constructing the security detection identification chain for the container image (step S101), as shown in Fig. 3, includes the following steps:
S101b, adding a detection identifier and a security level identifier to the container image based on the security detection result of the container image; and
S101c, constructing a security detection identification chain for the container image based on the detection identifier and the security level identifier.
Further, before adding the detection identifier and the security level identifier to the container image based on the security detection result of the container image (step S101b), the method further includes step S101a:
In step S101a, security detection is performed on the container image to obtain a security detection result of the container image;
the security detection result comprises any one or any combination of an image vulnerability scanning detection result, an image virus detection result and an image compliance detection result.
Specifically, security detection on the container image covers three items: image vulnerability scanning, image virus detection and image compliance detection. Scanning can find the image's vulnerabilities, viruses, Trojans, malicious programs, non-compliant items and the like, and when the scan of the image is complete the result is output and a detection identifier and a security level identifier are added.
Referring to Fig. 4, Fig. 4 is a flow chart of another container image storage method provided in an embodiment of the present disclosure. Building on the previous embodiment, this embodiment implements classified storage of container images by establishing a mapping relation between container images and image repositories with respect to security level, which makes it easier for users to download suitable container images while the security of container images is guaranteed, thereby improving the user experience. Specifically, before the first security level category of the container image is determined based on the security detection identification chain (step S102), the method further includes step S401 and step S402, and step S103 is further refined into step S103a.
In step S401, a number of first security level categories relating to container images and a number of second security level categories relating to image repositories are pre-divided.
In step S402, a mapping relation between the number of first security level categories relating to container images and the number of second security level categories relating to image repositories is established.
In step S103a, the container image is stored in the image repository corresponding to the second security level category according to the mapping relation, based on the security level category.
For example, the security level categories of container images and the security levels of image repositories are both divided into high, medium and low security levels, where the high security level of container images is mapped to the high security level of image repositories, and so on; after the security level category of a container image has been determined, the container image is stored in the corresponding image repository based on the mapping relation. In some embodiments, different security levels and mapping relations may be divided, which this embodiment does not limit.
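The S-CHAIN construction of steps S101 to S103, the 15-identifier length limit and the level-to-repository mapping of steps S401 to S402 can be modelled end to end. The following Python is an added example, not code from the patent: the detection labels A, B01, B02, B03 and C, the levels S1 to S5 and the low/medium/high categories come from the worked steps and Fig. 2 above, while the record layout, the registry names and the rule that each detection identifier carries the level of its step are assumptions.

```python
"""Model of the S-CHAIN security detection identification chain (added example;
not code from the patent). All sample values are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List

# Detection identifiers from the patent's five worked steps, each with the
# SECURITY level its step reaches. Assumption: the step's level is carried by
# its detection identifier, and the latest one added decides the level (S102).
DETECTIONS: Dict[str, str] = {
    "A": "S1",    # virus / Trojan / malicious-program scan: no threat found
    "B01": "S2",  # vulnerability scan: no high-risk vulnerabilities
    "B02": "S3",  # second scan: no medium- or high-risk vulnerabilities
    "B03": "S4",  # third scan: no low-, medium- or high-risk vulnerabilities
    "C": "S5",    # compliance (baseline) check: no non-compliant items
}

# First security level categories of images (S401) and their mapping (S402)
# to the second categories of repositories, as shown in Fig. 2.
CATEGORY_OF_LEVEL: Dict[str, str] = {
    "S1": "low", "S2": "low", "S3": "medium", "S4": "medium", "S5": "high",
}
REPOSITORY_OF_CATEGORY: Dict[str, str] = {  # registry names are constructed
    "low": "registry.example/low-security",
    "medium": "registry.example/medium-security",
    "high": "registry.example/high-security",
}
MAX_CHAIN_LENGTH = 15  # cap on identifiers kept in S-CHAIN, per the text


@dataclass
class ImageRecord:
    """Usual metadata (REPOSITORY, TAG, IMAGE ID, CREATED, SIZE) plus the two
    fields the patent adds: S-CHAIN and SECURITY."""
    repository: str
    tag: str
    image_id: str
    created: str
    size: str
    s_chain: List[str] = field(default_factory=list)
    security: str = ""  # empty until the first detection is recorded


def add_detection(record: ImageRecord, detection_id: str) -> ImageRecord:
    """Step S101b: append a detection identifier and update SECURITY.
    Length rule: when the chain exceeds MAX_CHAIN_LENGTH the 1st identifier
    is retained and the 2nd (then 3rd, ...) is deleted."""
    if detection_id not in DETECTIONS:
        raise ValueError(f"unknown detection identifier: {detection_id}")
    record.s_chain.append(detection_id)
    while len(record.s_chain) > MAX_CHAIN_LENGTH:
        del record.s_chain[1]  # keep index 0, drop the oldest entry after it
    record.security = DETECTIONS[detection_id]  # latest level wins
    return record


def s_chain(record: ImageRecord) -> str:
    """Step S101c: the chain rendered as on the page, e.g. 'A-B01-B02'."""
    return "-".join(record.s_chain)


def first_category(record: ImageRecord) -> str:
    """Step S102: low / medium / high from the latest SECURITY identifier."""
    if not record.security:
        raise ValueError("image has no security level identifier yet")
    return CATEGORY_OF_LEVEL[record.security]


def target_repository(record: ImageRecord) -> str:
    """Step S103a: the repository whose category the image's category maps to."""
    return REPOSITORY_OF_CATEGORY[first_category(record)]


def metadata_row(record: ImageRecord) -> Dict[str, str]:
    """The extended metadata row: original fields plus S-CHAIN and SECURITY."""
    return {"REPOSITORY": record.repository, "TAG": record.tag,
            "IMAGE ID": record.image_id, "CREATED": record.created,
            "SIZE": record.size, "S-CHAIN": s_chain(record),
            "SECURITY": record.security}


def new_sample_image() -> ImageRecord:
    """Constructed sample: an http server image pulled from a public registry."""
    return ImageRecord("httpd", "latest", "0123456789ab", "2 weeks ago", "145MB")


def run_five_steps(record: ImageRecord) -> ImageRecord:
    """Reproduce the patent's five worked steps on one image."""
    for det in ("A", "B01", "B02", "B03", "C"):
        add_detection(record, det)
    return record


def run_length_limit_case(record: ImageRecord) -> ImageRecord:
    """One 'A' followed by 15 re-scans: 16 additions, so one truncation."""
    add_detection(record, "A")
    for _ in range(15):
        add_detection(record, "B01")
    return record
```

Running `run_five_steps(new_sample_image())` yields S-CHAIN `A-B01-B02-B03-C` with SECURITY `S5`, so `target_repository` selects the high-security registry; `run_length_limit_case` shows that the first identifier `A` survives truncation while the oldest `B01` after it is dropped.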
Based on the same technical concept, the embodiments of the present disclosure correspondingly further provide a container mirror storage system, as shown in fig. 5, which includes an identification chain construction module 51, a category determination module 52, and a storage module 53, wherein,
The identification chain construction module 51 is configured to construct a security detection identification chain for the container image;
the class determination module 52 is configured to determine a first security level class of the container image based on the security detection identification chain, and
The storage module 53 is arranged to store the container images in a corresponding image repository based on the first security level class.
In one embodiment, the identification chain construction module 51 includes:
an identification adding unit configured to add a detection identification and a security level identification to the container image based on a security detection result of the container image, and
A construction unit arranged to construct a security detection identity chain for the container image based on the detection identity and the security level identity.
In one embodiment, the identification chain construction module further comprises:
The security detection unit is configured to perform security detection on the container image before the identification adding unit adds the detection identification and the security level identification to the container image, so as to obtain a security detection result of the container image;
The security detection result comprises any one or any combination of an image vulnerability scanning result, an image virus detection result and an image compliance detection result.
In one embodiment, the system further comprises:
A classification module configured to pre-divide a number of first security level classes for the container images and a number of second security level classes for the image repository before the category determination module 52 determines the first security level class of the container images;
A mapping module arranged to establish a mapping relationship between the number of first security level categories for the container image and the number of second security levels for the image repository;
the storage module is specifically configured to store the container image, based on its first security level class, into the image repository corresponding to the second security level class given by the mapping relationship.
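The flow of steps S401, S402 and S103a and the modules 51 to 53 above describe a pipeline: each detection run appends a security identifier (detection identification plus security level identification) to the image's chain, the chain yields the image's first security level class, and a mapping sends that class to an image repository. The following is an added example of that pipeline in Python; it is illustrative code written for this page, not the patent's implementation. The three check kinds and the five detection conditions come from claim 1 below, as do the definitions of levels 1, 2 and 5 (one clean check kind, two clean check kinds, all three clean with no vulnerability of any severity); the placement of levels 3 and 4 (all three clean but medium-risk or low-risk findings remain), the five-to-three repository mapping, and all names, sample results and repository names are assumptions of this example.

```python
"""Added example (not the patent's own code): build a security detection
identification chain for a container image, derive its security level from
the chain, and store it in the image repository that the level maps to."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Check(str, Enum):
    MALWARE = "malware"        # virus, trojan and malicious program scan
    VULN = "vulnerability"     # image vulnerability scan
    COMPLIANCE = "compliance"  # compliance item detection


@dataclass
class DetectionResult:
    """Outcome of one detection run (constructed sample data in the demo)."""
    check: Check
    passed: bool                      # no threat / no non-compliance item found
    worst_vuln: Optional[str] = None  # VULN only: None, "low", "medium" or "high"


@dataclass
class SecurityIdentifier:
    """One link of the chain: the detection that ran and the level reached after it."""
    detection_id: str
    level_id: int


@dataclass
class ContainerImage:
    name: str
    chain: List[SecurityIdentifier] = field(default_factory=list)


SEVERITY_RANK = {None: 0, "low": 1, "medium": 2, "high": 3}

# Assumed mapping of the five first-level classes onto the page's three
# repository levels; level 0 (no clean detection yet) maps to no repository.
REPOSITORY_FOR_LEVEL: Dict[int, str] = {
    5: "high-security", 4: "high-security",
    3: "medium-security", 2: "medium-security",
    1: "low-security",
}


def is_clean(result: DetectionResult) -> bool:
    """A vulnerability scan counts as clean only when no high-risk finding
    remains (the page's weakest vulnerability condition); the other checks
    are clean when their pass flag is set."""
    if result.check is Check.VULN:
        return result.passed and result.worst_vuln != "high"
    return result.passed


def level_from(results: List[DetectionResult]) -> int:
    """Security level 0..5 reached by the detections run so far.

    Levels 1, 2 and 5 follow the page (one clean check kind, two clean check
    kinds, all three clean with no vulnerability of any severity). Levels 3
    and 4 (all three clean, but medium-risk or low-risk findings remain) are
    an assumption of this example."""
    clean = [r for r in results if is_clean(r)]
    kinds = {r.check for r in clean}
    if len(kinds) < 3:
        return len(kinds)
    worst = max(SEVERITY_RANK[r.worst_vuln] for r in clean if r.check is Check.VULN)
    return {0: 5, 1: 4, 2: 3}[worst]


def build_chain(image: ContainerImage, results: List[DetectionResult]) -> ContainerImage:
    """Append one security identifier per detection, in the order they ran."""
    image.chain.clear()
    seen: List[DetectionResult] = []
    for r in results:
        seen.append(r)
        tag = "pass" if is_clean(r) else "fail"
        image.chain.append(SecurityIdentifier(f"{r.check.value}:{tag}", level_from(seen)))
    return image


def first_security_level(image: ContainerImage) -> int:
    """The level recorded by the last link of the chain (0 if no detection ran)."""
    return image.chain[-1].level_id if image.chain else 0


def repository_for(image: ContainerImage) -> Optional[str]:
    """Second security level class (repository) mapped from the image's level."""
    return REPOSITORY_FOR_LEVEL.get(first_security_level(image))


def store_image(image: ContainerImage, repositories: Dict[str, Dict[str, int]]) -> str:
    """Place the image in the repository its level maps to; refuse level 0."""
    repo = repository_for(image)
    if repo is None:
        raise ValueError(f"{image.name}: no clean detection result, not stored")
    repositories.setdefault(repo, {})[image.name] = first_security_level(image)
    return repo


if __name__ == "__main__":
    # Constructed sample: all three checks clean -> level 5 -> high-security repo.
    repos: Dict[str, Dict[str, int]] = {}
    img = build_chain(ContainerImage("app:1.0"), [
        DetectionResult(Check.MALWARE, True),
        DetectionResult(Check.VULN, True),
        DetectionResult(Check.COMPLIANCE, True),
    ])
    print([link.detection_id for link in img.chain], store_image(img, repos))
```

Because the chain keeps one link per detection, an auditor can see not only the final class but the order in which the image earned it; an image whose only scan left a high-risk vulnerability gets a `vulnerability:fail` link, stays at level 0 and is refused by `store_image`, which is the conservative default this example adopts for images with no clean result.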
Based on the same technical concept, the embodiment of the present disclosure correspondingly provides a computer device, as shown in fig. 6, where the computer device includes a memory 61 and a processor 62, where the memory 61 stores a computer program, and when the processor 62 runs the computer program stored in the memory 61, the processor 62 executes the container image storage method.
Based on the same technical concept, the embodiments of the present disclosure correspondingly further provide a computer readable storage medium having a computer program stored thereon, wherein when the computer program is executed by a processor, the processor executes the container image storage method.
Those of ordinary skill in the art will appreciate that all or some of the steps, systems, functional modules/units in the apparatus, and methods disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. In a hardware implementation, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components, for example, one physical component may have a plurality of functions, or one function or step may be cooperatively performed by several physical components. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes both volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as known to those skilled in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer. 
Furthermore, as is well known to those of ordinary skill in the art, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media.
Finally, it should be noted that the foregoing embodiments are merely for illustrating the technical solutions of the present disclosure, and not for limiting the same, and although the present disclosure has been described in detail with reference to the foregoing embodiments, it should be understood by those skilled in the art that the technical solutions described in the foregoing embodiments may be modified or some or all of the technical features may be equivalently replaced, and these modifications or replacements do not make the essence of the corresponding technical solutions deviate from the scope of the technical solutions of the embodiments of the present disclosure.
Claims (8)
1. A method of storing a container image, comprising:
Constructing a security detection identification chain for the container image, wherein the security detection identification chain comprises security identifications added to the container image in each detection process, and the security identifications comprise detection identifications and security level identifications;
Determining a first security level class of the container image based on the security detection identification chain, and storing the container image in a corresponding image repository based on the first security level class;
the constructing of the security detection identification chain for the container image comprises the following steps:
Adding a detection identifier and a security level identifier to the container image based on the security detection result of the container image; the security detection conditions of the container image comprise five types, namely no threat found after virus, trojan and malicious program scanning and removal, no high-risk vulnerability found after vulnerability scanning, no medium-risk or high-risk vulnerability found after vulnerability scanning, no low-risk, medium-risk or high-risk vulnerability found after vulnerability scanning, and no non-compliance item found after compliance item detection; the security level of the container image is divided into five levels, wherein the first security level corresponds to no threat found after virus, trojan and malicious program detection only, or no threat found after vulnerability scanning only, or no non-compliance item found after compliance item detection only; the second security level corresponds to no threat found after virus, trojan and malicious program detection combined with vulnerability scanning, or virus, trojan and malicious program detection combined with compliance detection, or vulnerability scanning combined with compliance detection, and vulnerability scanning with medium-risk and high-risk findings, or compliance detection with low-risk detection, combined with compliance detection; the fifth security level corresponds to no threat found after virus, trojan and malicious program scanning and removal, no low-risk, medium-risk or high-risk vulnerability found after vulnerability scanning, and no non-compliance item found after compliance item detection; and
Constructing the security detection identification chain for the container image based on the detection identification and the security level identification.
2. The method of claim 1, further comprising, prior to adding the detection identity and the security level identity to the container image based on the security detection result of the container image:
performing security detection on the container image to obtain a security detection result of the container image;
The security detection result comprises any one or any combination of an image vulnerability scanning result, an image virus detection result and an image compliance detection result.
3. The method of claim 1, further comprising, prior to determining the first security level class of the container image based on the security detection identification chain:
Pre-dividing a plurality of first security level categories related to the container images and a plurality of second security level categories related to the image repository;
Establishing a mapping relationship between the first security level categories related to the container images and the second security level categories related to the image repository;
The storing the container image into a corresponding image repository based on the first security level category includes:
and storing the container image, based on its first security level class, into the image repository corresponding to the second security level class given by the mapping relationship.
4. A container image storage system comprising:
an identification chain construction module configured to construct a security detection identification chain for the container image, wherein the security detection identification chain comprises security identifications added to the container image in each detection process, and the security identifications comprise detection identifications and security level identifications;
A category determination module configured to determine a first security level category of the container image based on the security detection identification chain, and
A storage module configured to store the container images into corresponding image repositories based on the first security level category;
the identification chain construction module comprises:
An identification adding unit configured to add a detection identification and a security level identification to a container image based on the security detection result of the container image; the security detection conditions of the container image comprise five types, namely no threat found after virus, trojan and malicious program scanning and removal, no high-risk vulnerability found after vulnerability scanning, no medium-risk or high-risk vulnerability found after vulnerability scanning, no low-risk, medium-risk or high-risk vulnerability found after vulnerability scanning, and no non-compliance item found after compliance item detection; the security level of the container image is divided into five levels, wherein the first security level corresponds to no threat found after virus, trojan and malicious program scanning and removal only, or vulnerability scanning only, or compliance item detection only with no non-compliance item found; the second security level corresponds to no threat found after virus, trojan and malicious program detection with no high-risk vulnerability found, or no threat found after virus, trojan and malicious program scanning with no high-risk item found, or no non-compliance item found after compliance detection with no high-risk item found; the third security level corresponds to no non-compliance item found with no high-risk item found after vulnerability detection, and no non-compliance item found after vulnerability scanning with no high-risk item and no risk item found; meanwhile, the fifth security level corresponds to no threat found after virus, trojan and malicious program scanning and removal, no low-risk, medium-risk or high-risk vulnerability found after vulnerability scanning, and no non-compliance item found after compliance item detection, and
A construction unit arranged to construct a security detection identity chain for the container image based on the detection identity and the security level identity.
5. The system of claim 4, wherein the identification chain construction module further comprises:
The security detection unit is configured to perform security detection on the container image before the identification adding unit adds the detection identification and the security level identification to the container image, so as to obtain a security detection result of the container image;
The security detection result comprises any one or any combination of an image vulnerability scanning result, an image virus detection result and an image compliance detection result.
6. The system of claim 4, further comprising:
A classification module configured to pre-divide a number of first security level classes for the container images and a number of second security level classes for the image repository before the category determination module determines the first security level class of the container images;
A mapping module arranged to establish a mapping relationship between the number of first security level categories for the container image and the number of second security levels for the image repository;
the storage module is specifically configured to store the container image, based on its first security level class, into the image repository corresponding to the second security level class given by the mapping relationship.
7. A computer device comprising a memory and a processor, the memory having a computer program stored therein, the processor performing the container image storage method according to any of claims 1 to 3 when the processor runs the computer program stored in the memory.
8. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, performs the container image storage method according to any one of claims 1 to 3.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111203139.2A CN113901469B (en) | 2021-10-15 | 2021-10-15 | Container image storage method, system, computer device and computer storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113901469A CN113901469A (en) | 2022-01-07 |
CN113901469B true CN113901469B (en) | 2025-02-07 |
Family
ID=79192337
Also Published As
Publication number | Publication date |
---|---|
CN113901469A (en) | 2022-01-07 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||