Code running method and device related to large model service, equipment and medium
By combining a sandbox environment and network request control rules in large model services, the problems of high resource consumption and complex network request management in existing technologies are solved, achieving more efficient and secure code execution and deployment.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- BEIJING VOLCANO ENGINE TECH CO LTD
- Filing Date
- 2026-05-11
- Publication Date
- 2026-06-16
AI Technical Summary
Existing large-scale model services incur high resource consumption during code execution, rely on container orchestration engines leading to high operation and maintenance costs, and have complex network request management, making it difficult to meet the requirements of private deployment.
By running code in a sandbox environment and combining it with network request control rules, resources and network requests during code execution can be managed, using a sandbox environment and network request control rules for isolation and management.
It improves resource utilization and management flexibility, simplifies architecture design, reduces dependence on container orchestration engines, is easy to deploy, and enhances the security of code execution and communication behavior.
Smart Images

Figure CN122226499A_ABST
Abstract
Description
Technical Field
[0001] One or more of the above relate to a code execution method, a code execution device, an electronic device, and a computer-readable storage medium related to a large model service. Background Technology
[0002] With the continuous development of artificial intelligence technology, large models have emerged. A large model can be understood as a large-scale parameter neural network obtained by pre-training with a large amount of training data.
[0003] Large models enable the creation of large model services with different capabilities applicable to various scenarios. For example, large model services can generate and execute code. Therefore, it is crucial to facilitate convenient deployment and enhance the security of code execution processes related to large model services. Summary of the Invention
[0004] This summary section is provided to briefly introduce the concepts, which will be described in detail in the detailed description section below. This summary section is not intended to identify key or essential features of the claimed technical solution, nor is it intended to limit the scope of the claimed technical solution.
[0005] This document provides at least one method for executing code related to a large model service, comprising: obtaining a first code execution request sent by the large model service, wherein the first code execution request is generated by the large model service based on a received user request, and the first code execution request is used to request the execution of first code; associating the first code execution request with a first sandbox environment, and associating the first code execution request with a first network request control rule, wherein the first sandbox environment is bound to first identity information, and the first network request control rule is used to process network requests related to the first identity information; running the first code in a first process started in the first sandbox environment, and controlling the transmission of the first network request based on the first network request control rule in response to a first network request generated during the running of the first code.
[0006] This document provides at least one embodiment of a code execution apparatus related to a large model service, comprising: an acquisition module configured to: acquire a first code execution request sent by the large model service, wherein the first code execution request is generated by the large model service based on a received user request, and the first code execution request is used to request the execution of first code; an association module configured to: associate the first code execution request with a first sandbox environment and associate the first code execution request with a first network request control rule, wherein the first sandbox environment is bound to first identity information, and the first network request control rule is used to process communication requests related to the first identity information; and a execution module configured to: run the first code in a first process started in the first sandbox environment, and, in response to a first communication request generated during the execution of the first code, process the first communication request based on the first network request control rule.
[0007] At least one scenario of this document provides an electronic device comprising: at least one processor; and at least one memory including one or more computer program instructions; wherein the one or more computer program instructions are executed by the processor to perform a code execution method related to large model services provided by at least one scenario of this document.
[0008] At least one aspect of this document provides a computer-readable storage medium that non-transitory stores computer-readable instructions, wherein when the computer-readable instructions are executed by a processor, a code execution method related to a large model service provided by at least one aspect of this document is implemented.
[0009] At least one aspect of this document provides a computer program product, including a computer program that, when executed by a processor, implements a code execution method related to a large model service provided by at least one aspect of this document.
[0010] In one of the code execution methods related to large model services provided in this paper, for code execution requests generated by the large model service, the code is securely run in an isolated sandbox environment by associating a sandbox environment with network request control rules. The network request control rules manage the network requests generated during code execution. On the one hand, managing resources used during code execution at the process level improves resource utilization and resource management flexibility compared to executing code at the container group scheduling level. On the other hand, the architecture is simpler, does not rely on container orchestration engines or other infrastructure, and is easy to deploy. Attached Figure Description
[0011] The above and other features, advantages, and aspects of the various scenarios described herein will become more apparent when taken in conjunction with the accompanying drawings and the following detailed description. Throughout the drawings, the same or similar reference numerals denote the same or similar elements. It should be understood that the drawings are schematic, and the originals and elements are not necessarily drawn to scale.
[0012] Figure 1 This illustration schematically shows an application scenario of a code execution method related to large model services provided in at least one of the cases described in this paper;
[0013] Figure 2 The illustration shows a flowchart of a code execution method related to a large model service, provided in at least one scenario of this paper;
[0014] Figure 3 The illustration shows a first sandbox environment and a first network request control rule provided in at least one scenario of this document;
[0015] Figure 4 This paper schematically illustrates the structure of a first file system provided in at least one scenario.
[0016] Figure 5 The schematic diagram illustrates the structure of a code execution device related to a large model service, as provided in at least one scenario of this paper; and
[0017] Figure 6 A schematic diagram of the structure of an electronic device suitable for implementing at least one of the situations described herein is shown. Detailed Implementation
[0018] One or more scenarios described herein will now be described in more detail with reference to the accompanying drawings. While some scenarios are shown in the drawings, it should be understood that this document can be implemented in various forms and should not be construed as limited to the scenarios set forth herein; rather, these scenarios are provided to provide a more thorough and complete understanding of this document. It should be understood that the accompanying drawings and scenarios are for illustrative purposes only and are not intended to limit the scope of this document.
[0019] It should be understood that the steps described in the method embodiments herein may be performed in different orders and / or in parallel. Furthermore, the method embodiments may include additional steps and / or omit the steps shown. The scope of this document is not limited in this respect.
[0020] The term "comprising" and its variations as used herein are open-ended inclusions, meaning "including but not limited to". The term "based on" means "at least partially based on". The term "one situation" means "at least one situation"; the term "another situation" means "at least one additional situation"; the term "some situations" means "at least some situations". Definitions of other terms will be given in the following description.
[0021] It should be noted that the concepts of "first" and "second" mentioned in this article are only used to distinguish different devices, modules or units, and are not used to limit the order of the functions performed by these devices, modules or units or their interdependencies.
[0022] It should be noted that the terms "one" and "more" used in this document are illustrative rather than restrictive, and those skilled in the art should understand that, unless otherwise expressly indicated in the context, they should be understood as "one or more".
[0023] The names of the messages or information exchanged between the various devices in the embodiments herein are for illustrative purposes only and are not intended to limit the scope of these messages or information.
[0024] It is understood that the data involved in this technical solution (including but not limited to the data itself, the acquisition, use, storage or deletion of the data) shall comply with the requirements of relevant laws, regulations and related provisions.
[0025] It is understood that before using the technical solutions disclosed in each scenario in this article, relevant users should be informed of the type, scope of use, and usage scenarios of the information involved in this article and their authorization should be obtained through appropriate means in accordance with relevant laws and regulations. Relevant users may include any type of rights holder, such as individuals, enterprises, or groups.
[0026] For example, in response to receiving an active request from a user, a prompt message is sent to the relevant user to clearly inform the user that the requested operation will require obtaining and using the user's information, thereby enabling the relevant user to choose whether to provide information to the software or hardware such as electronic devices, applications, servers, or storage media that perform the operation of any of the technical solutions described herein.
[0027] As an optional but non-restrictive implementation, in response to a user's active request, a prompt message can be sent to the user, such as a pop-up window, where the prompt message can be presented in text format. Furthermore, the pop-up window can also include a selection control allowing the user to choose "agree" or "disagree" to provide information to the electronic device.
[0028] It is understood that the above notification and user authorization process are merely illustrative and do not constitute a limitation on the implementation method described in this article. Other methods that comply with relevant laws and regulations may also be applied to the implementation method described in this article.
[0029] Large models can be understood as large-scale parametric neural networks obtained by pre-training with a large amount of training data. For example, large models can be implemented based on the transformer architecture and can include large language models, speech models, multimodal models, etc.
[0030] Based on large models, large model services with different capabilities can be implemented for different scenarios. For example, large model services can have the ability to generate and execute code.
[0031] In the aforementioned large model service capable of generating and executing code, in response to a user request, the large model service first generates a piece of code, and then obtains the response information of the user request by executing the code. For example, the large model service can generate a piece of code for performing mathematical calculations, statistical analysis, data processing, chart generation, logic verification, etc., execute the code, obtain the code execution result, and then combine the code execution result to generate the response information of the user request. In this way, the accuracy of processing user requests is improved.
[0032] In practical applications, after generating code, the large model service can execute the code in a code execution environment. In some large model services, the code execution environment can be implemented based on Function Compute as a Service (FaaS). FaaS is typically implemented using virtual machine technology. Specifically, in a FaaS-based code execution environment, the large model service sends the code execution request to the FaaS gateway. The FaaS gateway verifies and authenticates the code execution request and then sends it to the FaaS controller. The FaaS controller encapsulates the code execution request into a container image, generates a container group (pod) configuration, and calls the interface components (e.g., API server) provided by the container orchestration engine (e.g., Kubernetes). It then starts the scheduler of the container orchestration engine, allocates compute nodes, creates container groups on the allocated compute nodes, starts containers in the container groups, runs the code in the containers, obtains the code execution results, returns them to the FaaS controller, and transmits them to the large model service through the FaaS gateway. Finally, FaaS destroys the container and releases the resources of the compute nodes.
[0033] However, the code execution environment based on FaaS described above has at least the following problems: First, each code execution request requires the creation and destruction of containers, both of which consume resources. The container orchestration engine also needs to maintain the lifecycle of containers, resulting in significant resource overhead. Second, FaaS is heavily reliant on the container orchestration engine, thus requiring substantial resources for cluster maintenance and placing high demands on the infrastructure. Furthermore, for FaaS to manage network requests, it needs to define network rules through the network policy capability of the container network interface (CNI) of the container orchestration engine. This requires selecting a CNI that supports network policy capabilities. Moreover, FaaS contains multiple components (FaaS gateway, FaaS controller, image repository) and is deeply integrated with the interface components, scheduler, and CNI of the container orchestration engine, resulting in a complex technical architecture, high operational costs, and difficulty in meeting users' private deployment requirements.
[0034] To at least partially solve the above-mentioned technical problems, this paper provides a code execution method related to a large model service in at least one scenario, including: obtaining a first code execution request sent by the large model service, the first code execution request being generated by the large model service based on a received user request, the first code execution request being used to request the execution of first code, associating the first code execution request with a first sandbox environment, and associating the first code execution request with a first network request control rule, the first sandbox environment being bound to first identity information, the first network request control rule being used to process network requests related to the first identity information, running the first code in a first process started in the first sandbox environment, and responding to the generation of a first network request during the running of the first code, and controlling the transmission of the first network request based on the first network request control rule.
[0035] Based on the code execution method related to large model services provided in at least one of the embodiments described herein, at least one of the embodiments described herein also provides a code execution device, electronic device, computer-readable storage medium, and computer program product related to large model services.
[0036] In one of the code execution methods related to large model services provided in this paper, for code execution requests generated by the large model service, the code is securely run in an isolated sandbox environment by associating a sandbox environment with network request control rules. The network request control rules manage the network requests generated during code execution. On the one hand, managing resources used during code execution at the process level improves resource utilization and resource management flexibility compared to executing code at the container group scheduling level. On the other hand, the architecture is simpler, does not rely on container orchestration engines or other infrastructure, and is easy to deploy.
[0037] The following detailed description, with reference to the accompanying drawings, illustrates one or more scenarios and some examples thereof.
[0038] Figure 1 The illustration shows an application scenario diagram of a code execution method related to large model services provided in at least one of the cases described in this paper.
[0039] like Figure 1 As shown, the application scenarios provided in this case may include large model service 101 and code execution service 102. Large model service 101 can be understood as a service implemented based on a large model, and code execution service 102 can be understood as a service that can provide a code execution environment and can run code.
[0040] This article does not restrict the delivery form of the large model service 101 in one or more scenarios. For example, the large model service 101 can be an online interface call service, providing services to the outside world in the form of an interface; or the large model service 101 can also be a privately deployed service, that is, deployed in the user's local data center or private cloud, providing services in a private form.
[0041] This article does not restrict the delivery form of the code execution service 102 in one or more ways. For example, the code execution service 102 can be a standalone software system, or the code execution service 102 can be a cloud service.
[0042] The large model service 101 and the code execution service 102 can communicate with each other. For example, the large model service 101 can send a code execution request to the code execution service 102, and the code execution service 102 can send the code execution result to the large model service 101. That is, the code execution service 102 provides a code execution environment to the large model service 101, enabling the large model service 101 to realize the functions of code generation and code execution.
[0043] The application scenario provided in this case may also include a sandbox pool 103, which may include multiple pre-built sandbox environments. The sandbox pool 103 can communicate with the code execution service 102. For example, the code execution service 102 can obtain an idle sandbox environment from the sandbox pool 103 and run the code in the obtained idle sandbox environment. In this way, there is no need to rebuild the sandbox environment, thus improving the code execution efficiency.
[0044] The following will combine Figures 2 to 4 This paper provides a detailed description of a code execution method related to large model services for at least one scenario.
[0045] Figure 2The illustration shows a flowchart of a code execution method related to a large model service, provided in at least one scenario of this paper.
[0046] like Figure 2 As shown, the code execution method related to the large model service in this scenario includes steps S201 to S203. In some cases, the execution entity of the code execution method related to the large model service can be a code execution service, and the steps included in the code execution method related to the large model service are described below:
[0047] Step S201: Obtain the first code execution request sent by the large model service.
[0048] In one or more of the scenarios described in this article, the large model service can be understood as a service implemented based on a large model. The first code execution request can be generated by the large model service based on the received user request, and the first code execution request can be used to request the execution of the first code.
[0049] For example, a user request could be information described in natural language sent by a user using a large model service.
[0050] In other words, the large model service can receive user requests, generate a first code execution request based on the user requests, for example, generate the first code based on the user requests, encapsulate the first code into a first code execution request, and then send the first code execution request.
[0051] For example, a user request could be "What is the sum of all prime numbers less than 100?" After receiving the user request, the large model service generates the first code, for example, the first code used to calculate the sum of prime numbers less than 100. The first code is then encapsulated into a first code execution request, which is used to request the execution of the first code. The first code execution request is then sent, for example, to the code execution service.
[0052] This article does not restrict the method of obtaining the first code execution request sent by the large model service in one or more scenarios. For example, the large model service can send the first code execution request by calling the interface provided by the code execution service, so that the code execution service can obtain the first code execution request; or, for another example, the large model service can publish the first code execution request in a message queue, and the code execution service can consume the messages in the message queue to obtain the first code execution request.
[0053] Step S202: Associate the first code execution request with the first sandbox environment and associate the first code execution request with the first network request control rule.
[0054] The first sandbox environment can be understood as a sandbox environment used to run the first code, and the first network request control rule can be understood as a network request control rule used to process network requests related to the execution request of the first code.
[0055] Associating a first code execution request with a first sandbox environment can be understood as establishing a relationship between the first code execution request and the first sandbox environment. Associating a first code execution request with a first network request control rule can be understood as establishing a relationship between the first code execution request and the first network request control rule. For example, the first sandbox environment can be bound to first identity information, and the first network request control rule can be used to process network requests related to the first identity information.
[0056] The first identity information can be used to represent the identity of the running process. For example, the first identity information can be a username (uid). That is, by associating the first code execution request with the first sandbox environment and with the first network request control rule, the relationship between the first code execution request, the first sandbox environment, and the first network request control rule is established using the first identity information.
[0057] In some possible implementations, the first code execution request is associated with a first sandbox environment, including: selecting an idle first sandbox environment from multiple pre-built sandbox environments in the sandbox pool, and then binding the first sandbox environment with the first identity information. For example, by performing a setuid operation, the username of the first sandbox environment is modified to the first identity information (e.g., uid is 5000). In this way, the first sandbox environment is allocated to the first code execution request, and the first sandbox environment is subsequently used to process the first code execution request.
[0058] In some possible implementations, network request control rules are pre-built. For example, by performing the operation of configuring a firewall (iptables), the processing rules for network requests in the network request control rules are built. The first code execution request is associated with the first network request control rule, including: modifying the network request control rule to obtain the first network request control rule, so that the first network request control rule is used to process network requests related to the first identity information. For example, modifying the output chain of the network request control rule so that the first network request control rule only processes network requests of processes running with the first identity information.
[0059] Step S203: In the first process started in the first sandbox environment, first code is run, and in response to the first network request generated during the running of the first code, the transmission of the first network request is controlled based on the first network request control rules.
[0060] The first process can be understood as any process started in the first sandbox environment. For example, the first process can be an idle process that is pre-started in the first sandbox environment when the first sandbox environment is built. The first process can be used to run the first code and implement the processing of the first code execution request.
[0061] During the execution of the first code, different types of network requests may be generated. For example, the first code may include code that calls an external interface, in which case the execution of the first code will generate a Hypertext Transfer Protocol (HTTP) request; for another example, the first code may include code for domain name resolution, in which case the execution of the first code will generate a Domain Name System (DNS) request; for yet another example, the first code may include code for remote login, in which case the execution of the first code will generate a login request; for yet another example, the first code may include code for file transfer, in which case the execution of the first code will generate a file transfer request; and for yet another example, the first code may include code for database access, in which case the first code may include a database access request.
[0062] The first network request can be understood as any network request generated during the execution of the first code. Transmitting the first network request may lead to insecure communication behavior. Therefore, in one or more scenarios in this paper, the transmission of the first network request is controlled by the first network request control rules, such as determining whether the first network request can be transmitted.
[0063] Furthermore, a timeout can be set during the execution of the first code in the first process. For example, a timeout of 60 seconds can be set. If the execution of the first code exceeds the timeout, the first process will be terminated, reducing the possibility of prolonged resource occupation due to abnormal execution of the first process's code.
[0064] Furthermore, after the first process finishes running, cleanup logic can be executed, such as releasing the resources occupied by the first code during its execution and returning the first sandbox environment to the sandbox pool so that the first sandbox environment can subsequently handle other code execution requests.
[0065] Furthermore, after the first process finishes running, the code execution results can be placed in the data directory (e.g., the / mnt / data directory). By scanning the data directory, the code execution results can be stored in object storage so that the large model service can obtain the code execution results in a timely manner.
[0066] In this way, by using the first sandbox environment to process the first code execution request, the code execution process is isolated from other services and other processes, thus improving the security of the code execution process. By using the first network request control rules to process the first network requests generated during code execution, the security of communication behavior during code execution is improved. This ensures the security of the large model service in two dimensions: the code execution itself and communication behavior. At the same time, compared with the FaaS approach that uses container groups as the smallest scheduling unit, it has improvements in resource utilization, management flexibility, and deployment costs, and can more accurately meet the resource requirements of different code execution requests.
[0067] Figure 3 The illustration shows a schematic diagram of a first sandbox environment and a first network request control rule provided in at least one scenario of this document.
[0068] Combination Figure 3 The construction process of the first sandbox environment in one or more scenarios described in this paper is explained. For example, the first sandbox environment can be constructed by the following steps: creating a first control group, a first namespace and a first file system, and configuring first identity information to obtain the first sandbox environment.
[0069] For example, such as Figure 3 As shown, the first process started in the first sandbox environment is associated with the first control group, the first namespace, the first file system, and the first identity information. By constructing the first control group, the first namespace, and the first file system, a complete first sandbox environment is formed. By configuring the first identity information, the identity information of the running first process is specified.
[0070] The first control group (cgroup) can be used to limit the amount of resources used by at least one process in the first sandbox environment. For example, the first control group can be used to limit the maximum amount of resources that a process launched in the first sandbox environment (e.g., the first process) can use. The amount of resources can include the size of the central processing unit (CPU), the size of memory, the size of disk, the running time, etc. By building the first control group, the resource usage during the code execution process is limited, reducing the instability of large model services caused by excessive resource consumption during the code execution process.
[0071] The first namespace is used to provide an independent runtime environment for the first sandbox environment. For example, the first namespace can isolate the processes started in the first sandbox environment (e.g., the first process) in the runtime environment (e.g., including network environment, process environment, etc.). By building the first namespace, the runtime environment of different code execution requests is isolated, which improves the independence and security of the code execution process corresponding to the first code execution request and reduces the possibility of mutual interference between different code execution requests.
[0072] The first file system can be used to provide an independent file environment for the first sandbox environment. For example, the first file system can isolate the process (e.g., the first process) started in the first sandbox environment in the file environment. By building the first file system, the files required and generated during the code execution process exist only within the first file system and have no impact on the execution of other services or other processes.
[0073] The permission level of the first identity information can be lower than the set level threshold (such as non-root privileges). By configuring the first identity information, the access permission scope of the process launched in the first sandbox environment (such as the first process) can be restricted, thereby improving the security of the code execution process.
[0074] Thus, in the process of building the first sandbox environment, the number of resources used, the runtime environment, the file environment, and the permission level during code execution are all restricted to a certain extent. This allows the first sandbox environment to constrain the execution of the first code to a certain extent. Under the premise of low dependence on infrastructure, good adaptability in private deployment scenarios, simple architecture, and low resource consumption, it can achieve security control during code execution.
[0075] Continue as Figure 3 As shown, in some cases, the first file system may include a first directory, a second directory, and a third directory. Files mounted in the first directory may have only read permissions, files mounted in the second directory may have both read and write permissions, and the third directory may be a view directory obtained by merging the first and second directories.
[0076] In other words, the first file system in the first sandbox environment is divided into a read-only area (i.e., files in the first directory) and a read-write area (i.e., files in the second directory). By separating the read-only area and the read-write area of the first file system, different files are mounted in different areas (i.e., different directories), thereby improving the organization of file mounting in the first file system.
[0077] In addition, the first file system also provides a third directory, which combines the views of the first and second directories. That is, the files in the first and second directories can be seen in the third directory. In this case, associating the first code execution request with the first sandbox environment includes mounting the process root directory of the first process started by the first sandbox environment to the third directory.
[0078] For example, by performing the chroot operation, the root directory of the first process is mounted to the third directory, allowing the first process to use the first file system to run the first code.
[0079] In this way, by providing a third directory and mounting the root directory of the first process to the third directory, the first process only needs to focus on the view of the third directory to understand the files mounted in the first and second directories. At the same time, when the first process needs to operate on the first file system, it only needs to operate on the third directory. The specific operation logic is implemented by the first file system (such as reading from files mounted in the first directory, reading from files mounted in the second directory, or writing to the second directory), which improves file operation efficiency and thus improves code execution efficiency.
[0080] For example, the first file system can be implemented through the file system service (overlayfs). The file system service provides a hierarchical merged file system. The lower layer of the file system service includes at least one read-only layer (i.e., the first directory), and the upper layer of the file system service includes a read-write layer (i.e., the second directory). The file system service also provides a merged layer, which is the third directory. The merged layer includes at least one read-only layer and a merged view of the read-write layer. The merged layer is displayed externally (e.g. to the first process), so that the first process can see the complete root directory of the first file system.
[0081] In some cases, the first directory may contain code execution environment files, and in response to a first code execution request and related to the first dependency files, the first directory may also contain the first dependency files, and the second directory may contain the execution result files of the first code.
[0082] The code runtime environment file can be understood as the basic dependency file required during the code execution process (e.g., the execution process of any code). The first dependency file can be understood as the specific dependency file required during the execution of the first piece of code.
[0083] For example, when multiple first directories are included, the code runtime environment files can be mounted in one first directory, and the first dependency files can be mounted in another first directory.
[0084] For example, the first dependency file is retrieved from the network file system (NFS) or network attached storage (NAS) connected to the user who sent the user request, and then the first dependency file is mounted to the first directory.
[0085] The execution result file of the first code can be understood as the intermediate and final data (i.e., the code execution result) generated during the execution of the first code. Since the execution result file of the first code needs to be written to the first file system in real time by the first process during the code execution, the execution result file of the first code is mounted in the second directory with read and write permissions.
[0086] Thus, on the one hand, since the dependency files (including the code runtime environment file and the first dependency file) provide environmental support for the code execution process, there is no need to modify the dependency files during the code execution process. Therefore, mounting the code runtime environment file and the first dependency file in the first directory reduces the possibility of accidental manipulation of dependency files during the code execution process. On the other hand, it supports the loading and expansion of dependency files for different languages and different users, enriches the types of user requests that the large model service can handle, and improves the applicability of the code execution of the large model service. Furthermore, it records the code execution process of the first code in real time.
[0087] Figure 4 The schematic diagram illustrates the structure of a first file system provided in at least one scenario of this document.
[0088] like Figure 4 As shown, in the first file system implemented based on the file system service, the lower layer includes two first directories. One first directory mounts the code execution environment files, and the other first directory mounts the first dependency files. The upper layer includes a second directory, which mounts the execution result files of the first code. The first file system also includes a merge layer, namely a third directory. The third directory has a complete view of the first and second directories. That is, after the process root directory of the first process is mounted to the third directory, the first process can see the code execution environment files, the first dependency files, and the execution result files. During the execution of the first code, the first process can also operate on the third directory to realize the real-time writing of the execution result files of the first code to the second directory.
[0089] Continue as Figure 3 As shown, in some cases, the second directory can be mounted on the first virtual disk, and the write size of the first virtual disk can be less than the configured first threshold.
[0090] For example, the first virtual disk can be provided by the kernel's loop module or a memory-based temporary file system (tmpfs).
[0091] For example, the first threshold can be 64 MiB (mebibyte).
[0092] Considering that the execution of the first code may generate a large number of execution result files, which may lead to insufficient disk space on the host machine, the second directory is mounted on the first virtual disk, and the write size of the first virtual disk is limited. This limits the amount of data that can be written to the first file system during the execution of the first code, ensuring the smooth execution of the code related to the large model service.
[0093] In some cases, the transmission of a first network request is controlled based on a first network request control rule, including: transmitting the first network request in response to the first network request type satisfying a set type configured in the first network request control rule, and transmitting the first network request in response to the first network request satisfying a whitelist condition configured in the first network request control rule.
[0094] In other words, the first network request control rule can include two aspects: on the one hand, transmitting network requests of a specified type, and on the other hand, transmitting network requests that meet the whitelist conditions.
[0095] For example, the network request type can include inbound traffic for network access, such as HTTP requests and DNS requests. If the network request type is not transmitted, the execution of the first code will be interrupted. Therefore, by configuring the network request type in the first network request control rule, the execution of the first code can be ensured to proceed normally.
[0096] For example, whitelist conditions may include Internet Protocol (IP) addresses. That is, when the sender or receiver of the first network request is an IP address involved in the whitelist conditions, the first network request is transmitted. Targeted whitelist conditions are configured in combination with the specific requirements of the first code execution request.
[0097] Continue as Figure 3As shown, in the first network request control rule implemented based on iptables, the transmission control of the first network request can be performed sequentially. For example, the output chain of the first network request control rule is configured to filter network requests related to the first identity information. That is, corresponding to associating the first network request control rule with the first code execution request, the output chain of the first network request control rule is used to filter the network requests generated in the host machine, and to filter out the network requests related to the first identity information (i.e., the first network request). The filter chain of the first network request control rule is configured to transmit network requests of a set type. The filter chain of the first network request control rule is used to transmit the first network request of the set type. The codebox whitelist chain of the first network request control rule is configured to transmit network requests that meet the whitelist conditions. The codebox whitelist chain of the first network request control rule is used to transmit the first network request that does not belong to the set type but meets the whitelist conditions.
[0098] In this way, by configuring the first network request control rules, the security control of the first network request can be achieved, reducing the possibility of insecure communication behavior during the execution of the first code.
[0099] In some cases, considering that the first network request of the specified type is the entry traffic for network access and needs to be transmitted to avoid interruption of the code execution process of the first code, but the first network request of the specified type may still perform insecure communication behavior, therefore, in the first process started in the first sandbox environment, before running the first code, a first environment variable can also be configured in the first process, which can be used to execute the communication proxy service.
[0100] Correspondingly, continue as follows Figure 3 As shown, in response to the first network request type satisfying the set type configured in the first network request control rule, transmitting the first network request includes: in response to the first network request type satisfying the set type configured in the first network request control rule, transmitting the first network request to a communication proxy service, so that the communication proxy service controls the transmission of the first network request.
[0101] The communication proxy service can be understood as a component with the ability to manage network requests securely. By injecting the first environment variable, the communication proxy service is started and used to transmit the first network request of the set type. That is, the security management capability of the communication proxy service is used to control the transmission of the first network request. Only when the communication proxy service confirms the security of the first network request will the first network request be transmitted to the receiver.
[0102] For example, the first environment variable can be the HTTP_PROXY environment variable or the HTTPS_PROXY environment variable, and the communication proxy service can be the SSRF_PROXY service, which has the ability to manage the security of HTTP requests.
[0103] In this way, by using the communication proxy service to further control the first network request belonging to the specified type, the first network request is prevented from being transmitted to an insecure recipient, such as preventing the first network request from accessing an unauthorized intranet environment. Without making additional modifications to the overall architecture of the code execution service, the security control of network requests generated during the execution of code related to the large model service is further enhanced, thereby improving the security of the large model service.
[0104] Based on the code execution method related to large model services provided in at least one scenario of this paper, this paper also provides a code execution device related to large model services in at least one scenario. The following will combine... Figure 5 A detailed description is provided of the code execution apparatus related to the large model service.
[0105] Figure 5 The schematic diagram illustrates the structure of a code execution device related to a large model service, as provided in at least one of the scenarios described herein.
[0106] like Figure 5 As shown, the code execution device 500 related to the large model service in this scenario includes an acquisition module 501, an association module 502, and an execution module 503. For example, the acquisition module 501, association module 502, and execution module 503 can be implemented using hardware (e.g., circuit) modules or software modules, as in the following cases, which will not be elaborated further. For example, the acquisition module 501, association module 502, and execution module 503 can be implemented using a central processing unit (CPU), a general-purpose graphics processing unit (GPGPU), a graphics processing unit (GPU), a tensor processor (TPU), a field-programmable gate array (FPGA), or other processing units with data processing capabilities and / or instruction execution capabilities, along with corresponding computer instructions.
[0107] The acquisition module 501 is configured to: acquire a first code execution request sent by the large model service, wherein the first code execution request is generated by the large model service based on a received user request, and the first code execution request is used to request the execution of first code. For example, the acquisition module 501 can be configured to execute step S201 described above; its specific implementation principle can be found in the relevant description of step S201, and will not be repeated here.
[0108] The association module 502 is configured to associate the first code execution request with a first sandbox environment and to associate the first code execution request with a first network request control rule, wherein the first sandbox environment is bound to first identity information, and the first network request control rule is used to process communication requests related to the first identity information. For example, the association module 502 can be configured to execute step S202 described above; its specific implementation principle can be found in the relevant description of step S202, and will not be repeated here.
[0109] The execution module 503 is configured to: run the first code in the first process started in the first sandbox environment, and, in response to a first communication request generated during the execution of the first code, process the first communication request based on the first network request control rules. For example, the execution module 503 can be configured to execute step S203 as described above; its specific implementation principle can be found in the relevant description of step S203, and will not be repeated here.
[0110] In at least one scenario described herein, the code execution device 500 associated with the large model service further includes a construction module configured to: create a first control group, a first namespace, and a first file system, and configure the first identity information to obtain the first sandbox environment; wherein the first control group is used to limit the amount of resources used by at least one process in the first sandbox environment, the first namespace is used to provide an independent running environment for the first sandbox environment, the first file system is used to provide an independent file environment for the first sandbox environment, and the permission level of the first identity information is less than a set level threshold.
[0111] In at least one of the embodiments described herein, the first file system includes a first directory, a second directory, and a third directory. Files mounted in the first directory have only read permissions, files mounted in the second directory have both read and write permissions, and the third directory is a view directory obtained by merging the first directory and the second directory. The association module 502 is further configured to mount the process root directory of the first process started in the first sandbox environment to the third directory.
[0112] In at least one of the scenarios described herein, the first directory mounts code execution environment files, and in response to the first code execution request relating to the first dependency file, the first directory also mounts the first dependency file; the second directory mounts the execution result file of the first code.
[0113] In at least one scenario described herein, the second directory is mounted on a first virtual disk, the write size of which is less than a configured first threshold.
[0114] In at least one of the embodiments described herein, the execution module 503 is further configured to: transmit the first network request in response to the first network request type satisfying a set type configured in the first network request control rule; and transmit the first network request in response to the first network request satisfying a whitelist condition configured in the first network request control rule.
[0115] In at least one scenario described herein, before running the first code in the first process started in the first sandbox environment, the association module 502 is further configured to: configure a first environment variable in the first process, the first environment variable being used to execute the communication proxy service; the running module 503 is further configured to: in response to the first network request type satisfying the set type configured in the first network request control rule, transmit the first network request to the communication proxy service, so that the communication proxy service controls the transmission of the first network request.
[0116] It should be noted that, for clarity and brevity, this document does not present all the constituent units of the code execution device 500 related to the large model service in at least one scenario. To implement the necessary functions of the code execution device 500 related to the large model service, those skilled in the art may provide or configure other constituent units not shown, according to specific needs, and this document does not limit such provisions.
[0117] The code execution device 500 related to large model services provided in at least one aspect of this article and the code execution method related to large model services provided in at least one aspect of this article are based on the same inventive concept and can achieve the same technical effect and the same technical purpose as the code execution method related to large model services provided in at least one aspect of this article. For details, please refer to the relevant description above, which will not be repeated here.
[0118] This document also provides, in at least one embodiment, an electronic device including a processing device and a storage device, the storage device including one or more computer program modules; wherein the one or more computer program modules are stored in the storage device and configured to be executed by the processing device, the one or more computer program modules being used to implement the code execution method related to large model services provided in any embodiment of this document.
[0119] For example, the processing device may be a processor, such as a central processing unit (CPU), digital signal processor (DSP), image processor (GPU), general-purpose graphics processor (GPGPU), or other form of processing unit with data processing capabilities and / or instruction execution capabilities. It may be a general-purpose processor or a dedicated processor and may control other components in the electronic device to perform the desired functions.
[0120] For example, the storage device may be a memory, which may include one or more computer program products. These computer program products may include various forms of computer-readable storage media, such as volatile memory and / or non-volatile memory. The volatile memory may, for example, include random access memory (RAM) and / or cache memory. The non-volatile memory may, for example, include read-only memory (ROM), hard disk, flash memory, etc. One or more computer program instructions may be stored on the computer-readable storage medium, and a processing device may execute these program instructions to implement the functions described in at least one of the embodiments herein (implemented by the processing device) and / or other desired functions. Various application programs and various data may also be stored on the computer-readable storage medium, which is not limited in the embodiments described herein.
[0121] The following is for reference. Figure 6 The diagram illustrates a structural schematic of an electronic device (e.g., a terminal device or a server) 600 suitable for implementing at least one of the embodiments described herein. The terminal device in at least one embodiment may include, but is not limited to, mobile terminals such as mobile phones, laptops, digital radio receivers, personal digital assistants (PDAs), tablet computers (PADs), portable multimedia players (PMPs), in-vehicle terminals (e.g., in-vehicle navigation terminals), and fixed terminals such as digital televisions and desktop computers. Figure 6 The electronic device shown is merely an example and should not impose any limitation on the functionality and scope of use of at least one of the situations described herein.
[0122] like Figure 6 As shown, electronic device 600 may include a processing device (e.g., a central processing unit, a graphics processor, etc.) 601, which can perform various appropriate actions and processes according to a program stored in read-only memory (ROM) 602 or a program loaded from storage device 608 into random access memory (RAM) 603. RAM 603 also stores various programs and data required for the operation of electronic device 600. Processing device 601, ROM 602, and RAM 603 are interconnected via bus 604. Input / output (I / O) interface 605 is also connected to bus 604.
[0123] Typically, the following devices can be connected to I / O interface 605: input devices 606 including, for example, touchscreens, touchpads, keyboards, mice, cameras, microphones, accelerometers, gyroscopes, etc.; output devices 607 including, for example, liquid crystal displays (LCDs), speakers, vibrators, etc.; storage devices 608 including, for example, magnetic tapes, hard disks, etc.; and communication devices 609. Communication device 609 allows electronic device 600 to communicate wirelessly or wiredly with other devices to exchange data. Although Figure 6 An electronic device 600 with various devices is shown; however, it should be understood that it is not required to implement or possess all of the devices shown. More or fewer devices may be implemented or possessed alternatively.
[0124] In particular, according to one or more embodiments herein, the processes described in the above-referenced flowcharts can be implemented as computer software programs. For example, one or more embodiments herein include a computer program product comprising a computer program carried on a non-transitory computer-readable medium, the computer program containing program code for performing the methods shown in the flowcharts. In such an embodiment, the computer program can be downloaded and installed from a network via communication device 609, or installed from storage device 608, or installed from ROM 602. When the computer program is executed by processing device 601, it performs the functions defined in the methods of at least one embodiment herein.
[0125] The electronic device 600 provided in at least one aspect of this document and the code execution method related to large model services provided in at least one aspect of this document are based on the same inventive concept and can achieve the same technical effect and the same technical purpose as the code execution method related to large model services provided in at least one aspect of this document. For details, please refer to the relevant descriptions above, which will not be repeated here.
[0126] It should be noted that the computer-readable medium described above can be a computer-readable signal medium, a computer-readable storage medium, or any combination thereof. A computer-readable storage medium can be, for example,—but not limited to—an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples of a computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage device, magnetic storage device, or any suitable combination thereof. In this document, a computer-readable storage medium can be any tangible medium containing or storing a program that can be used by or in conjunction with an instruction execution system, apparatus, or device. In this document, a computer-readable signal medium can include a data signal propagated in baseband or as part of a carrier wave, carrying computer-readable program code. Such propagated data signals can take various forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination thereof. A computer-readable signal medium can be any computer-readable medium other than a computer-readable storage medium, which can send, propagate, or transmit a program for use by or in connection with an instruction execution system, apparatus, or device. The program code contained on the computer-readable medium can be transmitted using any suitable medium, including but not limited to: wires, optical fibers, RF (radio frequency), etc., or any suitable combination thereof.
[0127] The computer-readable storage medium provided in at least one aspect of this document and the code execution method related to large model services provided in at least one aspect of this document are based on the same inventive concept and can achieve the same technical effect and the same technical purpose as the code execution method related to large model services provided in at least one aspect of this document. For details, please refer to the relevant descriptions above, which will not be repeated here.
[0128] In some implementations, clients and servers can communicate using any currently known or future-developed network protocol, such as the Hypertext Transfer Protocol (HTTP), and can interconnect with digital data communication (e.g., communication networks) of any form or medium. Examples of communication networks include local area networks (LANs), wide area networks (WANs), the Internet (e.g., the Internet), and peer-to-peer networks (e.g., ad hoc peer-to-peer networks), as well as any currently known or future-developed networks.
[0129] The aforementioned computer-readable medium may be included in the aforementioned electronic device; or it may exist independently and not assembled into the electronic device.
[0130] The aforementioned computer-readable medium carries one or more programs, which, when executed by the electronic device, cause the electronic device to execute the aforementioned code execution method related to the large model service.
[0131] Computer program code for performing the operations described herein may be written in one or more programming languages or a combination thereof, including but not limited to object-oriented programming languages such as Java, Smalltalk, and C++, as well as conventional procedural programming languages such as C or similar languages. The program code may execute entirely on the user's computer, partially on the user's computer, as a standalone software package, partially on the user's computer and partially on a remote computer, or entirely on a remote computer or server. In cases involving remote computers, the remote computer may be connected to the user's computer via any type of network—including a local area network (LAN) or a wide area network (WAN)—or may be connected to an external computer (e.g., via the Internet using an Internet service provider).
[0132] One or more embodiments of this document also provide a computer program product comprising one or more computer instructions. When these computer instructions are loaded and executed on a computing device, all or part of the processes or functions described in any of these embodiments are generated.
[0133] The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another. For example, the computer instructions may be transmitted from one website, computer, or data center to another website, computer, or data center via wired (e.g., coaxial cable, fiber optic, digital subscriber line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) means.
[0134] When the computer program product is executed by a computer, the computer executes any of the aforementioned code execution methods related to the large model service. The computer program product can be a software installation package; when any of the aforementioned code execution methods related to the large model service is required, the computer program product can be downloaded and executed on the computer.
[0135] The computer program product provided in at least one of the embodiments described herein and the code execution method related to large model services provided in at least one of the embodiments described herein are based on the same inventive concept and can achieve the same technical effect and the same technical purpose as the code execution method related to large model services provided in at least one of the embodiments described herein. For details, please refer to the relevant descriptions above, which will not be repeated here.
[0136] The flowcharts and block diagrams in the accompanying figures illustrate the architecture, functionality, and operation of possible implementations of the systems, methods, and computer program products according to the various scenarios described herein. In this respect, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing the specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than those indicated in the figures. For example, two consecutively indicated blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in the block diagrams and / or flowcharts, and combinations of blocks in the block diagrams and / or flowcharts, may be implemented using a dedicated hardware-based system that performs the specified function or operation, or using a combination of dedicated hardware and computer instructions.
[0137] The units or modules described in at least one of the scenarios herein can be implemented in software or hardware. The names of the units or modules do not, in some cases, constitute a limitation on the unit or module itself.
[0138] The functions described above in this document can be performed at least in part by one or more hardware logic components. For example, exemplary types of hardware logic components that can be used, without limitation, include: field-programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), application-specific standard products (ASSPs), system-on-a-chip (SoCs), complex programmable logic devices (CPLDs), and so on.
[0139] In the context of this document, a machine-readable medium can be a tangible medium that may contain or store a program for use by or in conjunction with an instruction execution system, apparatus, or device. A machine-readable medium can be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium can be, but is not limited to, electronic, magnetic, optical, electromagnetic, infrared, or semiconductor systems, apparatus, or devices, or any suitable combination of the foregoing. More specific examples of machine-readable storage media include electrical connections based on one or more wires, portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination of the foregoing.
[0140] Based on one or more scenarios described in this article, Example 1 provides a method for running code related to large model services, including:
[0141] Obtain a first code execution request sent by the large model service, wherein the first code execution request is generated by the large model service based on a received user request, and the first code execution request is used to request the execution of first code;
[0142] The first code execution request is associated with a first sandbox environment, and the first code execution request is associated with a first network request control rule, wherein the first sandbox environment is bound to first identity information, and the first network request control rule is used to process network requests related to the first identity information;
[0143] In the first process started in the first sandbox environment, the first code is run, and in response to the first network request generated during the running of the first code, the transmission of the first network request is controlled based on the first network request control rules.
[0144] Based on one or more scenarios in this paper, Example 2 provides the construction of the first sandbox environment in Example 1 through the following steps:
[0145] Create a first control group, a first namespace, and a first file system, and configure the first identity information to obtain the first sandbox environment;
[0146] Wherein, the first control group is used to limit the amount of resources used by at least one process in the first sandbox environment, the first namespace is used to provide an independent operating environment for the first sandbox environment, the first file system is used to provide an independent file environment for the first sandbox environment, and the permission level of the first identity information is less than a set level threshold.
[0147] According to one or more scenarios in this article, Example 3 provides a first file system in Example 2 including a first directory, a second directory and a third directory. Files mounted in the first directory have only read permissions, files mounted in the second directory have both read and write permissions, and the third directory is a view directory obtained by merging the first directory and the second directory.
[0148] Associating the first code execution request with the first sandbox environment includes:
[0149] Mount the root directory of the first process started in the first sandbox environment to the third directory.
[0150] According to one or more scenarios in this article, Example 4 provides that the first directory in Example 3 is mounted with code execution environment files, and in response to the first code execution request related to the first dependency file, the first directory is also mounted with the first dependency file;
[0151] The second directory contains the execution result file of the first code.
[0152] According to one or more scenarios described herein, Example 5 provides a second directory from Example 3 mounted on a first virtual disk, the write size of which is less than a configured first threshold.
[0153] According to one or more scenarios described herein, Example Six provides control over the transmission of the first network request based on the first network request control rule in any of Examples One through Five, including:
[0154] In response to the first network request type satisfying the configured type in the first network request control rule, the first network request is transmitted; and
[0155] In response to the first network request satisfying the whitelist conditions configured in the first network request control rules, the first network request is transmitted.
[0156] According to one or more scenarios described herein, Example 7 provides the method from Example 6, which, before running the first code in the first process launched in the first sandbox environment, further includes:
[0157] Configure a first environment variable in the first process; the first environment variable is used to execute the communication proxy service.
[0158] The response to the first network request, wherein the type satisfies the set type configured in the first network request control rule, and the first network request is transmitted, includes:
[0159] In response to the first network request type satisfying the set type configured in the first network request control rule, the first network request is transmitted to the communication proxy service so that the communication proxy service controls the transmission of the first network request.
[0160] Based on one or more scenarios described herein, Example 8 provides a code execution apparatus related to a large model service, including:
[0161] The acquisition module is configured to: acquire a first code execution request sent by the large model service, wherein the first code execution request is generated by the large model service based on a received user request, and the first code execution request is used to request the execution of first code;
[0162] The association module is configured to: associate the first code execution request with the first sandbox environment, and associate the first code execution request with the first network request control rule, wherein the first sandbox environment is bound to the first identity information, and the first network request control rule is used to process communication requests related to the first identity information;
[0163] The running module is configured to: run the first code in a first process started in the first sandbox environment, and process the first communication request based on the first network request control rules in response to a first communication request generated during the running of the first code.
[0164] According to one or more of the provisions herein, Example 9 provides an electronic device comprising:
[0165] At least one processor; and
[0166] At least one memory, including one or more computer program instructions;
[0167] The one or more computer program instructions are executed by the processor at runtime, which is a code execution method related to large model services provided in at least one of the scenarios described herein.
[0168] According to one or more of the scenarios described herein, Example 10 provides a computer-readable storage medium that non-transitory stores computer-readable instructions, wherein when the computer-readable instructions are executed by a processor, they implement a code execution method related to a large model service provided by at least one scenario described herein.
[0169] The above description is merely a preferred embodiment and an explanation of the technical principles employed. Those skilled in the art should understand that the scope of disclosure herein is not limited to technical solutions formed by specific combinations of the above-described technical features, but also includes other technical solutions formed by arbitrary combinations of the above-described technical features or their equivalents without departing from the above-disclosed concept. For example, technical solutions formed by substituting the above features with (but not limited to) technical features disclosed herein that have similar functions.
[0170] Furthermore, while the operations are described in a specific order, this should not be construed as requiring these operations to be performed in the specific order shown or in a sequential order. In certain contexts, multitasking and parallel processing may be advantageous. Similarly, while some specific implementation details are included in the above discussion, these should not be interpreted as limiting the scope of this paper. Certain features described in the context of a single case can also be implemented in combination within that single case. Conversely, various features described in the context of a single case can also be implemented individually or in any suitable sub-combination in multiple cases.
[0171] Although the subject matter has been described using language specific to structural features and / or methodological logic, it should be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or actions described above. Rather, the specific features and actions described above are merely illustrative examples of implementing the claims.
Claims
1. A code execution method related to large model services, comprising: Obtain a first code execution request sent by the large model service, wherein the first code execution request is generated by the large model service based on a received user request, and the first code execution request is used to request the execution of first code; The first code execution request is associated with a first sandbox environment, and the first code execution request is associated with a first network request control rule, wherein the first sandbox environment is bound to first identity information, and the first network request control rule is used to process network requests related to the first identity information; In the first process started in the first sandbox environment, the first code is run, and in response to the first network request generated during the running of the first code, the transmission of the first network request is controlled based on the first network request control rules.
2. The method according to claim 1, wherein, The first sandbox environment is constructed through the following steps: Create a first control group, a first namespace, and a first file system, and configure the first identity information to obtain the first sandbox environment; Wherein, the first control group is used to limit the amount of resources used by at least one process in the first sandbox environment, the first namespace is used to provide an independent operating environment for the first sandbox environment, the first file system is used to provide an independent file environment for the first sandbox environment, and the permission level of the first identity information is less than a set level threshold.
3. The method according to claim 2, wherein, The first file system includes a first directory, a second directory, and a third directory. Files mounted in the first directory have only read permissions, files mounted in the second directory have both read and write permissions, and the third directory is a view directory obtained by merging the first directory and the second directory. Associating the first code execution request with the first sandbox environment includes: Mount the root directory of the first process started in the first sandbox environment to the third directory.
4. The method according to claim 3, wherein, The first directory contains code execution environment files, and in response to the first code execution request, the first directory also contains the first dependency file. The second directory contains the execution result file of the first code.
5. The method according to claim 3, wherein, The second directory is mounted on the first virtual disk, and the write size of the first virtual disk is less than a configured first threshold.
6. The method according to any one of claims 1 to 5, wherein, The control of the transmission of the first network request based on the first network request control rule includes: In response to the first network request type satisfying the configured type in the first network request control rule, the first network request is transmitted; and In response to the first network request satisfying the whitelist conditions configured in the first network request control rules, the first network request is transmitted.
7. The method according to claim 6, wherein, In the first process launched in the first sandbox environment, before running the first code, the method further includes: Configure a first environment variable in the first process; the first environment variable is used to execute the communication proxy service. Wherein, the transmission of the first network request in response to the first network request type satisfying the set type configured in the first network request control rule includes: In response to the first network request type satisfying the set type configured in the first network request control rule, the first network request is transmitted to the communication proxy service so that the communication proxy service controls the transmission of the first network request.
8. A code execution device related to a large model service, comprising: The acquisition module is configured to: acquire a first code execution request sent by the large model service, wherein the first code execution request is generated by the large model service based on a received user request, and the first code execution request is used to request the execution of first code; The association module is configured to: associate the first code execution request with the first sandbox environment, and associate the first code execution request with the first network request control rule, wherein the first sandbox environment is bound to the first identity information, and the first network request control rule is used to process communication requests related to the first identity information; The running module is configured to: run the first code in a first process started in the first sandbox environment, and process the first communication request based on the first network request control rules in response to a first communication request generated during the running of the first code.
9. An electronic device, comprising: At least one processor; as well as At least one memory, including one or more computer program instructions; The one or more computer program instructions are executed by the processor to perform the method according to any one of claims 1 to 7.
10. A computer-readable storage medium for non-transitory storage of computer-readable instructions, wherein, The method of any one of claims 1 to 7 is implemented when the computer-readable instructions are executed by a processor.