Container security execution method and device and storage medium

A container security execution method, applied in the computer field. It addresses problems such as the lack of a comparison and verification step for image integrity values, the lack of resource planning that can leave an application unable to provide services normally, and related problems, and achieves the effect of solving the isolation problem between containers.

Pending Publication Date: 2022-06-24
SUZHOU LANGCHAO INTELLIGENT TECH CO LTD

AI Technical Summary

Problems solved by technology

Existing approaches protect the security of the Docker image and verify the integrity of the container image, but they lack a comparison and verification of the integrity value of the image stored after download against the value published by the official site, and they lack an encrypted storage function.
Cgroups are used to limit the resources a container may use, but without overall planning one application can over-consume CPU, memory and disk resources, crowding out other applications on the shared host so that they cannot provide services normally.
At the same time, in the existing technology the runtime integrity measurement of a program is generally assisted by a TPM, which adds hardware cost.



Embodiment Construction

[0043] To make the objectives, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to specific embodiments and the accompanying drawings.

[0044] As shown in figure 1, the present invention provides a container security execution method, including:

[0045] Step S1: establish a main monitor and multiple sub-monitors based on SGX, and manage the container through the main monitor and the sub-monitors;

[0046] Step S2: in response to the first startup of the container system, perform integrity measurement on the structural files of the container system, calculate the integrity measurement value of those files, and save that value to the main monitor as the integrity measurement base value of the container system.
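The following is an added worked example of steps S1 and S2, not code from the patent or its assignee. It models the main monitor as a plain Python object that records an integrity measurement base value on first startup and compares later measurements against it; the SGX enclave that would seal the base value, and the sub-monitors, are assumed and not implemented. The file paths and contents are constructed placeholders.

```python
"""Integrity measurement baseline for a container system's structural files.

Added illustration of steps S1 and S2; this is not code from the patent.
The "main monitor" is a plain Python object holding the base value; the SGX
enclave that would seal it, and the sub-monitors, are assumed and not modelled.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# Constructed sample "structural files" (path -> content). A real deployment
# would read the files from disk; the contents here are placeholders.
SAMPLE_FILES: dict[str, bytes] = {
    "/etc/docker/daemon.json": b'{"icc": false, "userns-remap": "default"}\n',
    "/usr/bin/containerd-shim-runc-v2": b"\x7fELF\x02\x01\x01 shim placeholder",
    "/usr/bin/runc": b"\x7fELF\x02\x01\x01 runc placeholder",
    "/var/lib/docker/image/overlay2/repositories.json": b'{"Repositories": {}}\n',
}


def measure_file(content: bytes) -> str:
    """Per-file measurement: SHA-256 of the content, hex encoded."""
    return hashlib.sha256(content).hexdigest()


def measure_system(files: dict[str, bytes]) -> tuple[str, dict[str, str]]:
    """Measure a whole structural-file set.

    Returns (aggregate, per_file). The aggregate hashes the sorted
    (path, digest) pairs, so it does not depend on iteration order, and it
    changes when a file is added, removed or renamed, not only when content
    is modified.
    """
    per_file = {path: measure_file(data) for path, data in files.items()}
    h = hashlib.sha256()
    for path in sorted(per_file):
        h.update(path.encode("utf-8") + b"\0" + per_file[path].encode("ascii") + b"\n")
    return h.hexdigest(), per_file


@dataclass
class MainMonitor:
    """Holds the integrity measurement base value (step S2)."""
    base_value: str | None = None
    base_per_file: dict[str, str] = field(default_factory=dict)

    def first_start(self, files: dict[str, bytes]) -> str:
        """First startup of the container system: establish the baseline.

        Refuses to overwrite an existing baseline, so a later, tampered
        startup cannot simply re-baseline itself.
        """
        if self.base_value is not None:
            raise RuntimeError("baseline already established")
        self.base_value, self.base_per_file = measure_system(files)
        return self.base_value

    def verify(self, files: dict[str, bytes]) -> tuple[bool, list[str]]:
        """Subsequent startup: re-measure and compare against the baseline.

        Returns (ok, deviating_paths); deviating_paths lists files whose
        digest differs from the baseline, including added or missing ones.
        """
        if self.base_value is None:
            raise RuntimeError("no baseline established")
        current, per_file = measure_system(files)
        if current == self.base_value:
            return True, []
        all_paths = set(per_file) | set(self.base_per_file)
        changed = sorted(p for p in all_paths
                         if per_file.get(p) != self.base_per_file.get(p))
        return False, changed


def demo() -> tuple[bool, list[str]]:
    """Baseline the sample set, then verify a copy with a tampered runc."""
    monitor = MainMonitor()
    monitor.first_start(SAMPLE_FILES)
    tampered = dict(SAMPLE_FILES)
    tampered["/usr/bin/runc"] = b"\x7fELF\x02\x01\x01 backdoored runc"
    return monitor.verify(tampered)


if __name__ == "__main__":
    ok, changed = demo()
    print("verify ok:", ok, "deviating:", changed)
```

The aggregate covers the sorted (path, digest) pairs rather than the concatenated contents, so renaming, adding or deleting a structural file changes the base value even when every remaining file is byte-identical; a hash over contents alone would miss a removed file. In a real deployment the base value would be sealed inside the enclave rather than kept in a Python attribute.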

[0047] In the present invention, the present invention pr...


Abstract

The invention provides a container security execution method and device and a storage medium. The method comprises: building a main monitor and a plurality of sub-monitors based on SGX, and managing a container through the main monitor and the sub-monitors; and, in response to the first startup of a container system, performing integrity measurement on the structural files of the container system, calculating their integrity measurement value, and storing that value in the main monitor as the integrity measurement base value of the container system. The problem that containers in the same Network Namespace can access each other is solved, and thus the isolation problem between containers, by setting a container network whitelist that limits the ability of other containers to access the running container, which prevents malicious attack behaviour by untrusted containers. The integrity and legality of the code segment and of stack function return addresses are verified while the container runs, addressing the problems of a code segment being tampered with at runtime and of a stack function return address being overflowed.
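The network whitelist described in the abstract, as an added worked example that is not code from the patent: a running container declares which peers may reach it and on which port, and every other flow between containers on the shared bridge is denied. The rendering to iptables rules in Docker's DOCKER-USER chain is one assumed enforcement backend; the container names, addresses and bridge name are constructed.

```python
"""Container network whitelist with default deny.

Added illustration of the abstract's whitelist; not code from the patent.
Containers attached to the same Docker bridge network can reach each other
by default. Here a running container declares which peers may reach it and
on which port; every other flow is denied. The rendering to iptables rules
in the DOCKER-USER chain is one assumed enforcement backend; the container
names, addresses and bridge name are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str    # container allowed to initiate the connection
    dst: str    # running container being protected
    proto: str  # "tcp" or "udp"
    dport: int


class NetworkWhitelist:
    def __init__(self, addresses: dict[str, str], bridge: str) -> None:
        self.addresses = addresses   # container name -> bridge IP (constructed)
        self.bridge = bridge
        self.rules: list[Rule] = []

    def allow(self, src: str, dst: str, proto: str, dport: int) -> None:
        """Whitelist one directional flow; unknown names are rejected."""
        for name in (src, dst):
            if name not in self.addresses:
                raise KeyError(f"unknown container {name!r}")
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {proto!r}")
        rule = Rule(src, dst, proto, dport)
        if rule not in self.rules:
            self.rules.append(rule)

    def permits(self, src: str, dst: str, proto: str, dport: int) -> bool:
        """Default deny: true only if an explicit rule covers the flow.
        Rules are directional; allowing A -> B does not allow B -> A."""
        return Rule(src, dst, proto, dport) in self.rules

    def to_iptables(self) -> list[str]:
        """Commands in execution order. Each inserts at position 1 of
        DOCKER-USER, so the command issued last ends up evaluated first:
        per-rule ACCEPTs, then ESTABLISHED/RELATED return traffic, then
        DROP for all other bridge-to-bridge traffic. Docker's own RETURN
        stays below. Bridge-local traffic reaches this chain because
        Docker sets bridge-nf-call-iptables on the host."""
        base = f"iptables -I DOCKER-USER 1 -i {self.bridge} -o {self.bridge}"
        cmds = [f"{base} -j DROP",
                f"{base} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
        for r in self.rules:
            cmds.append(
                f"{base} -s {self.addresses[r.src]} -d {self.addresses[r.dst]} "
                f"-p {r.proto} --dport {r.dport} -m conntrack --ctstate NEW -j ACCEPT")
        return cmds


def demo() -> dict[str, bool]:
    """Constructed three-container network: web may reach db on 5432;
    nothing else may, including the reverse direction and a rogue peer."""
    wl = NetworkWhitelist(
        {"web": "172.18.0.2", "db": "172.18.0.3", "rogue": "172.18.0.4"},
        bridge="br-app")
    wl.allow("web", "db", "tcp", 5432)
    flows = {
        "web->db:5432": ("web", "db", "tcp", 5432),
        "web->db:22": ("web", "db", "tcp", 22),
        "db->web:5432": ("db", "web", "tcp", 5432),
        "rogue->db:5432": ("rogue", "db", "tcp", 5432),
    }
    return {name: wl.permits(*flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for flow, ok in demo().items():
        print(f"{flow:16} {'ALLOW' if ok else 'DENY'}")
```

The DROP rule is issued first and each ACCEPT is inserted above it, so an operator who runs the commands in the returned order never has a window where the bridge is open with no whitelist. Rules are directional and matched on the initiating side only; the conntrack ESTABLISHED,RELATED rule lets replies flow back without whitelisting the reverse direction.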

Description

Technical field

[0001] The invention belongs to the field of computers, and in particular relates to a container security execution method, device and storage medium.

Background technique

[0002] With the rapid development of Internet technology and big data, cloud computing has become the mainstream computing method, and more and more enterprises and users choose it as their primary computing and storage method. Virtual machines and containers are the two main virtualization technologies in cloud computing. Container technology is a lightweight virtualization solution in which multiple containers share one operating system kernel. A container includes the system environment it depends on and the applications to be deployed, and its size is generally only tens to hundreds of MB. Among container technologies, Docker containers are the most popular with enterprises. Docker containers have the advantages of faster interaction a...


Application Information

IPC(8): G06F21/53
CPC: G06F21/53
Inventor 麻付强
Owner SUZHOU LANGCHAO INTELLIGENT TECH CO LTD