
Docker container creating method and creating system

A Docker container creation method and system, applied in the field of Docker container creation, that addresses the hidden security risks left open by Docker containers, so as to strengthen security, avoid security threats, and simplify the mandatory access control process.

Status: Inactive
Publication Date: 2017-01-04
Assignee: CHINA UNITED NETWORK COMM GRP CO LTD

AI Technical Summary

Problems solved by technology

However, although Docker containers can be separated into seemingly independent spaces by means of namespaces, the Linux kernel itself cannot be partitioned by namespaces. So even though a Docker host has multiple independent spaces (containers), all Linux system calls are in fact processed by the host's kernel, which ultimately leaves a security risk for Docker containers.



Examples


Embodiment 1

[0047] This embodiment provides a method for creating a Docker container, as shown in Figure 1, including:

[0048] Step S1: Define a mandatory access control policy for the image in the Docker container, so that the mandatory access control policy is used when starting the process in the Docker container.

[0049] Step S2: When the Docker container is created, the mandatory access control policy is embedded in the metadata in the image.

[0050] This method of creating a Docker container provides a customized mandatory access control policy for the image in the Docker container, so that the policy is applied when the image is run as a process. This avoids the threat posed to the container's security when a process in the Docker container makes system calls, and strengthens the security of the Docker container; at the same time, it also simplifies the mandatory access control process when the system calls...

Embodiment 2

[0052] This embodiment provides a method for creating a Docker container, including:

[0053] Step S1: Define a mandatory access control policy for the image in the Docker container, so that the mandatory access control policy is used when starting the process in the Docker container.

[0054] In this step, defining mandatory access control policies for images in Docker containers includes:

[0055] Step S11: Define a name for the mandatory access control policy according to the function of the image.

[0056] For example: policy_module(docker_apache, 1.0); that is, the name of the mandatory access control policy is docker_apache, which indicates that the Apache service program runs in the Docker container.

[0057] Step S12: Define the mandatory access control type of the image.

[0058] For example, virt_sandbox_domain_template(httpd_t), which defines the mandatory access control type of the image as httpd_t.

[0059] Step S13: Define the upper bound of the type authori...
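The two policy declarations from steps S11 and S12, together with the embedding of the resulting type in the image metadata (step S2 of Embodiment 1) and its use when the process is started, as an added Python illustration that is not part of the patent text: the label key `com.example.selinux.type`, the sample `docker inspect` output and the type-name check are assumptions of this example, while `--security-opt label=type:...` is Docker's own option for choosing the SELinux type of a container process. The generator emits only the two declarations shown on the page; the rules that would follow from step S13 are not on the page and are not filled in here.

```python
"""Illustrative flow: define a MAC policy module for an image, record the
policy type in the image metadata, and derive the Docker run option from
that metadata at start time. The label key, the sample inspect output and
the type-name check are assumptions of this example (not from the patent)."""
import json
import re

# Assumed label key carrying the MAC type in the image metadata.
LABEL_KEY = "com.example.selinux.type"

# SELinux type identifiers: letters, digits and underscores, ending in "_t".
# Anything else is rejected so a malformed label cannot reach the command line.
_TYPE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*_t$")


def build_policy_module(name: str, version: str, type_name: str) -> str:
    """Steps S11 and S12: name the module after the image's function and
    declare its MAC type, exactly as the page shows the two declarations.
    The allow rules that would follow (step S13 onward) are not reproduced."""
    if not _TYPE_RE.match(type_name):
        raise ValueError(f"not a valid SELinux type name: {type_name!r}")
    return "\n".join([
        f"policy_module({name}, {version})",
        "",
        f"virt_sandbox_domain_template({type_name})",
        "",
    ])


def dockerfile_label(type_name: str) -> str:
    """Step S2: embed the policy type in the image metadata at build time
    as a Dockerfile LABEL instruction."""
    if not _TYPE_RE.match(type_name):
        raise ValueError(f"not a valid SELinux type name: {type_name!r}")
    return f'LABEL {LABEL_KEY}="{type_name}"'


def security_opt_from_inspect(inspect_output: str) -> str:
    """At start time, read the embedded type back out of `docker inspect`
    output and turn it into the --security-opt value that confines the
    container's process. Refuses to proceed when the label is absent or is
    not a plausible type name, so the container never silently falls back
    to the shared default type the background section warns about."""
    data = json.loads(inspect_output)
    labels = data[0].get("Config", {}).get("Labels") or {}
    type_name = labels.get(LABEL_KEY)
    if type_name is None:
        raise ValueError(f"image carries no {LABEL_KEY} label; refusing default MAC type")
    if not _TYPE_RE.match(type_name):
        raise ValueError(f"rejecting malformed MAC type label: {type_name!r}")
    return f"label=type:{type_name}"


def run_command(image: str, inspect_output: str) -> list:
    """Compose the docker run argv that starts the image under its own type."""
    return ["docker", "run", "--security-opt",
            security_opt_from_inspect(inspect_output), image]


# Constructed sample of `docker inspect <image>` output, trimmed to the
# fields this example reads.
SAMPLE_INSPECT = json.dumps([{"Config": {"Labels": {LABEL_KEY: "httpd_t"}}}])


if __name__ == "__main__":
    print(build_policy_module("docker_apache", "1.0", "httpd_t"))
    print(dockerfile_label("httpd_t"))
    print(" ".join(run_command("docker_apache:1.0", SAMPLE_INSPECT)))
```

The point of validating the label before building the command is that the metadata travels with the image: an image built elsewhere could carry any string under that key, and the start-up path should treat it as untrusted input rather than splicing it into the run options verbatim.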

Embodiment 3

[0080] This embodiment provides a system for creating a Docker container, as shown in Figure 3, which includes: a definition module 1, used to define the mandatory access control policy for the image in the Docker container, so that the policy is applied when the process in the Docker container is started; and an embedding module 2, used to embed the mandatory access control policy into the metadata of the image when the Docker container is created.

[0081] By providing the definition module 1 and the embedding module 2, the Docker container creation system can supply a customized mandatory access control policy for the image in the Docker container, so that the policy is applied when the image is run as a process. This avoids the threat posed to the container's security when the host kernel (such as the Linux kernel) runs the process in the Docker container across different system calls, w...


Abstract

The invention provides a Docker container creation method and creation system. The Docker container creation method includes the following steps: a mandatory access control policy is defined for an image in a Docker container, so that the mandatory access control policy is applied when a process is started in the Docker container; when the Docker container is created, the mandatory access control policy is embedded into the metadata of the image. The Docker container creation method can apply the mandatory access control policy when the image runs as a process; accordingly, the threat to the security of the Docker container that arises when a host kernel (such as the Linux kernel) runs the container's process across different system calls is avoided, and the security of the Docker container is strengthened. In addition, the mandatory access control process when the system calls or accesses the process in the Docker container is further simplified.

Description

Technical field

[0001] The present invention relates to the technical field of communication, in particular to a method and system for creating a Docker container.

Background technique

[0002] Currently, in the Linux operating system, all containers run under the same mandatory access control type (an SELinux type such as svirt_lxc_net_t), which allows all network ports to be in the listening state and also allows all network ports to initiate external connections. For a container, if, for example, a service program runs in it and that service program is successfully compromised, the service program's process can connect to any network port and become a bot that generates spam, and may also attack other users, the host and other containers through the network, which leaves undeniable security issues for the container.

[0003] The security issues of Docker containers are essentially the security issues of container technology. More than 90% of security issues can be attributed ...


Application Information

Patent Timeline
IPC(8): G06F9/455
CPC: G06F9/45533
Inventors: 熊微, 徐雷, 王志军
Owner CHINA UNITED NETWORK COMM GRP CO LTD