Design method for realizing lightweight security container based on embedded real-time operating system

A real-time operating system and security container technology, applied in program control design, instrumentation, computing, etc. It addresses problems such as insufficient real-time performance, illegal CPU occupation, and heavy system resource usage, and achieves intuitive maintenance management, simplified hardware design, and a simple configuration method.

Pending Publication Date: 2022-05-13
NANJING ACOINFO TECH CO LTD

AI Technical Summary

Problems solved by technology

[0002] At present, Docker and LXC are the common security container solutions on the market. They have the following disadvantages:
1. They occupy too many system resources. Many reports show that the memory actually used by a running Docker is too large: smooth operation requires a system environment with about 1GB of memory. This is very unsuitable for the embedded field, where device memory is usually extremely small; a dozen MB or dozens of MB is very common.
2. Current container solutions do not support running multiple processes in one container well. Although many approaches describe how to run multiple processes in one container, none is an inherently supported strategy, which brings considerable inconvenience and uncertainty in use.
3. Current container solutions struggle to handle a container that runs abnormally or illegally occupies the CPU, which blocks the other containers from running.
4. The real-time performance of the system is insufficient. Because Linux itself is a non-real-time operating system, its real-time performance can hardly meet the actual needs of many industrial control fields for secure container applications.


Examples


Embodiment Construction

[0027] The following will clearly and completely describe the technical solutions in the embodiments of the present invention with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are only some, not all, embodiments of the present invention. Based on the embodiments of the present invention, all other embodiments obtained by persons of ordinary skill in the art without making creative efforts belong to the protection scope of the present invention.

[0028] Referring to Figure 1, the present invention provides a technical solution: a design method for implementing a lightweight security container based on an embedded real-time operating system, specifically comprising the following steps:

[0029] Step S1, creating a secure container, specifying the path and name of the secure container;

[0030] Step S2, configuring the security container, setting the number of resources and access rights that the security conta...


Abstract

The invention discloses a design method for realizing a lightweight security container based on an embedded real-time operating system. The method comprises the following steps: creating a security container and specifying its path and name; configuring the security container using file path mapping and quotas, setting the amount of resources the container may use and its access permissions, and configuring a mapping directory for host shared libraries; starting the security container and providing an externally accessible port; executing the application program in the security container, controlling the application's permissions and behavior, and limiting the container's CPU usage time by means of a priority upper limit; the security container can exit according to the running result. Building on multi-aspect support for container functions and container management, the method further solves, in a breakthrough manner, multiple problems found in current container usage scenarios. It has advantages in security, resource occupation, system adaptability and other respects, and combines them with the real-time performance of the operating system, so that the security of the operating system is improved and the requirements of the industrial control field for application security are met.
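The configuration and run-time controls named in the abstract (file path mapping, quota, priority upper limit) can be modelled in a few functions. This is an added illustration, not code from the patent or from the applicant's operating system: the struct, its field names and the sample values are hypothetical, and it assumes the common RTOS convention that a lower number means a higher priority.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical container descriptor; field names are assumptions, not from the patent. */
typedef struct {
    const char *host_root;    /* host directory that the container's "/" maps to */
    int         max_files;    /* quota: number of files the container may hold open */
    int         open_files;   /* current usage charged against the quota */
    int         prio_ceiling; /* best priority allowed (assumed: lower number = higher priority) */
} container_t;

/* Map a container path to a host path. Lexical check only: symlinks are not resolved here. */
int map_path(const container_t *c, const char *path, char *out, size_t n)
{
    if (path[0] != '/') return -1;                    /* accept absolute paths only */
    for (const char *p = path; *p; ) {                /* walk the path component by component */
        while (*p == '/') p++;
        size_t len = strcspn(p, "/");
        if (len == 2 && p[0] == '.' && p[1] == '.') return -1; /* ".." could leave host_root */
        p += len;
    }
    int w = snprintf(out, n, "%s%s", c->host_root, path);
    return (w < 0 || (size_t)w >= n) ? -1 : 0;        /* a truncated path is a failure */
}

/* Charge one open file against the quota; refuse once the limit is reached. */
int quota_take_file(container_t *c)
{
    if (c->open_files >= c->max_files) return -1;
    c->open_files++;
    return 0;
}

/* Clamp a requested thread priority so it can never be better than the ceiling. */
int effective_prio(const container_t *c, int requested)
{
    return requested < c->prio_ceiling ? c->prio_ceiling : requested;
}

int main(void)
{
    container_t c = { "/apps/demo/rootfs", 2, 0, 160 };  /* constructed sample values */
    char host[128];
    printf("map /etc/app.conf -> %d\n", map_path(&c, "/etc/app.conf", host, sizeof host));
    printf("map /../../etc/passwd -> %d\n", map_path(&c, "/../../etc/passwd", host, sizeof host));
    printf("prio 10 -> %d, prio 200 -> %d\n", effective_prio(&c, 10), effective_prio(&c, 200));
    return 0;
}
```

With a ceiling in place, a container thread that asks for a priority above the ceiling is scheduled at the ceiling instead, so under priority-preemptive scheduling it cannot preempt host tasks that run above that level.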

Description

Technical field

[0001] The invention relates to the technical field of an embedded real-time operating system, in particular to a design method for realizing a lightweight security container based on an embedded real-time operating system.

Background technique

[0002] At present, Docker or LXC is a common security container solution in the market, which has the following disadvantages:
1. The system occupies too much resources. Many data show that the actual memory occupied by Docker running is too large. If smooth operation is required, the system environment needs about 1GB of memory. This is very unsuitable for use in the embedded field. The memory of devices in the embedded field is usually extremely small, and it is very common to have more than ten MB or tens of MB.
2. The current container solution cannot well support one container to run multiple processes. Although there are many solutions for how to run multiple processes in one container, none of them are inhe...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/53, G06F9/455
CPC: G06F21/53, G06F9/45558, G06F2009/45562, G06F2009/45587
Inventor: 焦进星, 徐贵洲, 李孝成, 韩辉, 王翾
Owner: NANJING ACOINFO TECH CO LTD