Business container debugging method, device, equipment, medium and product
By creating privileged containers for remote debugging, the issues of debugging tool compatibility and resource consumption in containerization technology are resolved, enabling efficient and secure remote container debugging.
Patent Information
- Authority / Receiving Office: CN · China
- Patent Type: Application (China)
- Current Assignee / Owner: INDUSTRIAL AND COMMERCIAL BANK OF CHINA
- Filing Date: 2026-02-05
- Publication Date: 2026-06-19
AI Technical Summary
Existing containerization technologies lack remote debugging capabilities in their debugging tools. Traditional debugging methods are resource-intensive, complex, and have low compatibility, making them incompatible with existing older version clusters.
By creating privileged containers, pulling debugging images from the image repository, entering the target container for debugging, and promptly deleting the privileged container after debugging, remote debugging can be achieved, reducing resource consumption.
The method breaks through the limitations of local debugging, adapts to remote operation and maintenance scenarios, reduces resource consumption, improves compatibility and security, and lowers the computational burden.
Figure CN122240236A_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of financial technology, specifically to a data processing method for a financial technology-related distributed data system, and more specifically to a business container debugging method, apparatus, device, medium, and product.
Background Technology
[0002] With the rapid development of cloud computing and microservice architectures, containerization technology has become a core infrastructure for modern software development and deployment. Containerization technology, with its significant advantages such as environment consistency, lightweight deployment, and high orchestration, solves problems such as high resource consumption and slow startup speeds in traditional virtualization solutions, providing strong technical support for the rapid iteration and efficient deployment of applications.
[0003] During the operation of containerized applications, developers and operations engineers often need to delve into the container's internal environment to monitor its operation and troubleshoot issues by executing debugging tools, checking process status, analyzing the file system, and diagnosing network connectivity. This process is called in-container debugging. However, the inherent characteristics of containerization technology and the simplification of base images lead to a lack of debugging tools, posing significant challenges to traditional debugging methods in container environments and greatly increasing the difficulty of debugging. For example, existing container troubleshooting tools lack remote debugging capability and support only local debugging on the host machine, which is unsuitable for remote use; debugging tools designed specifically for container orchestration systems require deploying additional containers, which in turn need additional proxy resources, resulting in high resource overhead, high complexity, and poor compatibility between those proxy resources and the target container, hence low adaptability and high cost; and command-line tools rely on newer cluster versions and are incompatible with existing older clusters, placing high demands on cluster version and runtime environment and offering low adaptability.
Summary of the Invention
[0004] In view of the above problems, this application provides a method, apparatus, equipment, medium and product for debugging business containers.
[0005] According to a first aspect of this application, a method for debugging a business container is provided, comprising: in response to receiving a debugging request, sending a request to create a debugging container to the service interface of the cluster where the target container is located, and indicating preset debugging image information in the request, and issuing a privileged request to the cluster to set the debugging container as a privileged container with access permissions to the target container; in response to the request to create a debugging container, causing the cluster to pull a debugging container image from a preset image repository according to the debugging image information to create a debugging container, and encapsulating the debugging container as a privileged container if the privileged request is approved; entering the target container based on the privileged container to access the container data of the target container, debugging the business process in the target container based on the container data, and obtaining a debugging result; and deleting the privileged container in response to the debugging result indicating that debugging is complete or receiving a debugging termination request.
[0006] According to an embodiment of this application, a running business container is selected as the target container in a preset management platform; the container attribute information of the target container is obtained, and a debug request for the target container is generated based on the container attribute information.
[0007] According to an embodiment of this application, the process of creating a debug container further includes configuring namespace sharing rules between the debug container and the target container. The namespace sharing rules include: obtaining namespace sharing configuration parameters carried in the request to create the debug container, wherein the namespace sharing configuration parameters indicate the namespaces that can be shared in the target container; and mounting the debug namespace of the debug container to the namespace of the target container based on the namespace sharing configuration parameters, so as to realize data sharing or environment sharing between the debug container and the target container under the indicated namespace dimension.
[0008] According to an embodiment of this application, accessing the target container's container data via a privileged container includes: transmitting pre-acquired operation instructions via a communication link between the privileged container and the management platform; executing a boot script according to the operation instructions; using a cut-in command in the boot script to cut the terminal session on the management platform into the target container's namespace, so as to obtain the target container's runtime environment through the terminal session, and using the runtime environment-related data as container data.
[0009] According to embodiments of this application, the method further includes restricting resource access for privileged containers, including binding a preset deployment unit security policy to the service account of the privileged container to limit the range of resources that the privileged container can access in the host machine of the target container. The range of accessible resources includes the process information, network information, and system file information of the target container.
[0010] According to embodiments of this application, the executable command restriction on the privileged container is further included, including: monitoring terminal commands in the terminal session in real time through a command filtering component deployed in the privileged container, determining the list category to which the terminal command belongs, the list category including a preset allowed command list and a prohibited command list, the allowed command list containing tool commands necessary for container debugging, and the prohibited command list containing destructive or unauthorized system commands; if the terminal command belongs to the allowed command list, it is allowed to execute and the command result is returned as the debugging result; if it belongs to the prohibited command list, it is refused to execute and a warning message is returned.
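A command filtering component of the kind [0010] describes, written here as an added example (it is not code from the patent): every terminal command is classified against an allowed list of debugging tools and a prohibited list of destructive or unauthorized commands, allowed commands run and return their result, prohibited ones are refused with a warning. The two lists, the audit log path and the decision to refuse unlisted commands as well are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the patent's own code: the command filtering component of
# [0010]. The lists and the log path below are constructed for this example.

ALLOWED_COMMANDS="ps netstat ss tcpdump nmon top cat ls df du env id uname strace"
PROHIBITED_COMMANDS="rm mkfs dd reboot shutdown kill pkill killall iptables mount umount chroot nsenter"
DECISION_LOG="${DECISION_LOG:-/tmp/debug-command-audit.log}"

in_list() {  # in_list WORD "space separated list" -> 0 if WORD is in the list
  for item in $2; do
    [ "$item" = "$1" ] && return 0
  done
  return 1
}

# classify_command LINE -> prints ALLOW, DENY or UNKNOWN.
# The first word is the command; a path prefix is stripped so "/bin/rm" is
# classified like "rm". Shell operators that would chain a second command or
# redirect output are rejected outright, otherwise an allowed first word could
# carry a prohibited command behind it.
classify_command() {
  line=$1
  case $line in
    *';'*|*'|'*|*'&'*|*'`'*|*'$('*|*'>'*|*'<'*) echo DENY; return ;;
  esac
  set -f; set -- $line; set +f   # word-split without glob expansion
  cmd=${1##*/}
  if in_list "$cmd" "$PROHIBITED_COMMANDS"; then echo DENY
  elif in_list "$cmd" "$ALLOWED_COMMANDS"; then echo ALLOW
  else echo UNKNOWN
  fi
}

# filter_loop: reads terminal commands from stdin, records every decision for
# later audit, runs allowed commands (their output is the debugging result)
# and answers everything else with a warning. UNKNOWN is treated as refused:
# the allowed list is the only way a command gets to run.
filter_loop() {
  while IFS= read -r line; do
    verdict=$(classify_command "$line")
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$verdict" "$line" >> "$DECISION_LOG"
    case $verdict in
      ALLOW) sh -c "$line" ;;
      *)     printf 'WARNING: command refused by debugging policy: %s\n' "$line" ;;
    esac
  done
}

# Started by the terminal bridge as: filter.sh --serve
if [ "${1:-}" = "--serve" ]; then
  filter_loop
fi
```

The metacharacter check matters more than the lists: without it, a debugger could be handed an allowed first word followed by anything, and the list comparison on the first word alone would pass it.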
[0011] According to an embodiment of this application, a preset main process monitoring script is run in a privileged container, causing the main process monitoring script to poll and check the active state of the terminal session and the live state of the target container; in response to the terminal session being inactive or the live state of the target container being terminated, the main process monitoring script marks the live state of the privileged container as terminated.
[0012] According to an embodiment of this application, privileged containers whose survival status has terminated are cleaned up at preset time intervals using a preset cleanup procedure.
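The main process monitoring script of [0011] and the periodic cleanup of [0012], as one added example that is not code from the patent. The script runs as the debugging container's main process, polls whether the terminal session is still active and whether the target container is still alive, and exits when either check fails; with a pod that is never restarted, exiting is how the privileged container's live state becomes terminated. A cleanup function then deletes such pods on a schedule. The heartbeat file, the label selector and the environment variable names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the patent's own code: a main process monitoring script in
# the spirit of [0011], plus the cleanup procedure of [0012].
# Assumptions (constructed for this example): the terminal bridge touches
# HEARTBEAT_FILE on every message, and TARGET_PID is the target container's main
# process, visible through the shared host PID namespace.

HEARTBEAT_FILE="${HEARTBEAT_FILE:-/run/debug-session/heartbeat}"
IDLE_TIMEOUT="${IDLE_TIMEOUT:-300}"     # seconds without terminal traffic
POLL_INTERVAL="${POLL_INTERVAL:-10}"
TARGET_PID="${TARGET_PID:-}"
STATE_FILE="${STATE_FILE:-/run/debug-session/state}"

# seconds_since_mtime FILE: age of the file in seconds; a huge value if absent
seconds_since_mtime() {
  [ -f "$1" ] || { echo 999999; return; }
  now=$(date +%s)
  mtime=$(stat -c %Y "$1" 2>/dev/null || stat -f %m "$1")
  echo $((now - mtime))
}

# session_active HEARTBEAT_AGE IDLE_TIMEOUT -> 0 while the session is active
session_active() { [ "$1" -lt "$2" ]; }

# target_alive PID -> 0 while the target's main process exists
# (signal 0 probes existence without delivering a signal)
target_alive() { [ -n "$1" ] && kill -0 "$1" 2>/dev/null; }

# decide HEARTBEAT_AGE IDLE_TIMEOUT TARGET_PID -> prints RUNNING or TERMINATED.
# Pure decision logic, separated from the probes so it can be tested.
decide() {
  if ! session_active "$1" "$2"; then echo TERMINATED; return; fi
  if ! target_alive "$3"; then echo TERMINATED; return; fi
  echo RUNNING
}

# monitor_loop: the debugging pod's main process. Records the state and exits
# as soon as the decision is TERMINATED, which ends the container; with
# restartPolicy: Never the pod then sits in a terminal phase until cleaned up.
monitor_loop() {
  mkdir -p "$(dirname "$STATE_FILE")"
  while :; do
    age=$(seconds_since_mtime "$HEARTBEAT_FILE")
    state=$(decide "$age" "$IDLE_TIMEOUT" "$TARGET_PID")
    echo "$state" > "$STATE_FILE"
    [ "$state" = RUNNING ] || { echo "monitor: $state (heartbeat age ${age}s)"; exit 0; }
    sleep "$POLL_INTERVAL"
  done
}

# cleanup_terminated_debug_pods NAMESPACE: the cleanup procedure of [0012],
# meant to run from a CronJob. Deletes debugging pods that reached a terminal
# phase, matched by the label assumed to be set when the pod was created.
cleanup_terminated_debug_pods() {
  ns=$1
  for phase in Succeeded Failed; do
    kubectl -n "$ns" delete pod -l app.kubernetes.io/component=container-debug \
      --field-selector "status.phase=$phase" --ignore-not-found --wait=false
  done
}

# Usage: monitor.sh --monitor   (inside the pod)
#        monitor.sh --cleanup ops-debug   (from the scheduled job)
case "${1:-}" in
  --monitor) monitor_loop ;;
  --cleanup) cleanup_terminated_debug_pods "${2:?namespace}" ;;
esac
```

The idle timeout is the piece that limits exposure: a session whose operator walked away no longer keeps a privileged, host-namespace-sharing pod alive on the node.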
[0013] A second aspect of this application provides a business container debugging apparatus, comprising: a pre-request module, configured to, in response to receiving a debugging request, send a request to create a debugging container to the service interface of the cluster where the target container resides, and in the request indicate preset debugging image information, and send a privileged request to the cluster to set the debugging container as a privileged container with access permissions to the target container; a container creation module, configured to, in response to the request to create a debugging container, cause the cluster to pull a debugging container image from a preset image repository according to the debugging image information to create the debugging container, and, if the privileged request passes, encapsulate the debugging container as a privileged container; a debugging execution module, configured to, based on the privileged container, enter the target container to access the container data of the target container, debug the business processes in the target container based on the container data, and obtain debugging results; and a debugging cleanup module, configured to, in response to the debugging result indicating that debugging is complete or receiving a debugging termination request, delete the privileged container.
[0014] A third aspect of this application provides an electronic device comprising: one or more processors; and a memory for storing one or more computer programs, wherein the one or more processors execute the one or more computer programs to implement the steps of the method described above.
[0015] A fourth aspect of this application also provides a computer-readable storage medium having a computer program or instructions stored thereon, which, when executed by a processor, implement the steps of the above-described method.
[0016] The fifth aspect of this application also provides a computer program product, including a computer program or instructions that, when executed by a processor, implement the steps of the above-described method.
[0017] One or more of the above embodiments have the following beneficial effects. When business debugging is required, in response to receiving a debugging request, a request to create a debugging container is sent to the service interface of the cluster where the target container is located; the request indicates the preset debugging image information, and a privileged request is sent to the cluster to set the debugging container as a privileged container with access to the target container. This creates a privileged container capable of obtaining the container data of the target container, thereby enabling remote debugging based on the privileged container. The privileged container is created from the debugging container image pulled from the image repository, which typically stores images related to the target container; this overcomes compatibility issues, breaks through local debugging limitations, and adapts to remote operation and maintenance scenarios. No additional proxy components need to be deployed, and only a single privileged container is created, reducing resource consumption. Furthermore, the privileged container allows entry into the target container to access its container data, enabling debugging of business processes within the target container and obtaining debugging results. In response to debugging results indicating completion or receiving a debugging termination request, the privileged container is deleted. Prompt deletion of the privileged container after debugging of the target container ensures security while releasing computing resources in a timely manner. This improves compatibility, reduces resource consumption, and promptly releases computing resources, lowering the overall computational burden of the cluster.
Description of the Drawings
[0018] The above-mentioned contents, other objects, features and advantages of this application will become clearer from the following description of embodiments with reference to the accompanying drawings, in which:
[0019] Figure 1 schematically illustrates an application scenario of the business container debugging method, apparatus, device, medium, and program product according to embodiments of this application;
[0020] Figure 2 schematically illustrates a flowchart of a service container debugging method according to an embodiment of this application;
[0021] Figure 3 schematically illustrates the data flow involved in the business container debugging method according to an embodiment of this application;
[0022] Figure 4 schematically illustrates a container debugging scenario involved in the business container debugging method according to an embodiment of this application;
[0023] Figure 5 schematically illustrates a main process monitoring script involved in the business container debugging method according to an embodiment of this application;
[0024] Figure 6 schematically illustrates a structural block diagram of a service container debugging apparatus according to an embodiment of this application;
[0025] Figure 7 schematically illustrates a block diagram of an electronic device suitable for implementing a business container debugging method according to an embodiment of this application.
Detailed Description of Embodiments
[0026] The embodiments of this application will now be described with reference to the accompanying drawings. However, it should be understood that these descriptions are exemplary only and are not intended to limit the scope of this application. In the following detailed description, numerous specific details are set forth to provide a thorough understanding of the embodiments of this application for ease of explanation. However, it will be apparent that one or more embodiments may be implemented without these specific details. Furthermore, descriptions of well-known structures and technologies are omitted in the following description to avoid unnecessarily obscuring the concepts of this application.
[0027] The terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the scope of this application. The terms “comprising,” “including,” etc., as used herein indicate the presence of the stated features, steps, operations, and/or components, but do not exclude the presence or addition of one or more other features, steps, operations, or components.
[0028] All terms used herein (including technical and scientific terms) have the meanings commonly understood by those skilled in the art, unless otherwise defined. It should be noted that the terms used herein are to be interpreted in a manner consistent with the context of this specification, and not in an idealized or overly rigid way.
[0029] When using expressions such as "at least one of A, B and C", they should generally be interpreted in accordance with the meaning that is commonly understood by those skilled in the art (e.g., "a system having at least one of A, B and C" should include, but is not limited to, a system having A alone, a system having B alone, a system having C alone, a system having A and B, a system having A and C, a system having B and C, and/or a system having A, B and C, etc.).
[0030] In the technical solution of this application, the user information (including but not limited to user personal information, user image information, user device information, such as location information) and data (including but not limited to data used for analysis, stored data, and displayed data) involved are all information and data authorized by the user or fully authorized by all parties. Furthermore, the collection, storage, use, processing, transmission, provision, disclosure, and application of related data all comply with relevant laws, regulations, and standards, take necessary confidentiality measures, do not violate public order and good morals, and provide corresponding operation entry points for users to choose to authorize or refuse.
[0031] This application provides a business container debugging method, apparatus, device, medium, and product. The business container debugging method includes: in response to receiving a debugging request, sending a request to create a debugging container to the service interface of the cluster where the target container resides, indicating preset debugging image information in the request, and issuing a privileged request to the cluster to set the debugging container as a privileged container with access permissions to the target container; in response to the request to create a debugging container, causing the cluster to pull a debugging container image from a preset image repository according to the debugging image information to create the debugging container, and, if the privileged request is approved, encapsulating the debugging container as a privileged container; entering the target container based on the privileged container to access the container data of the target container, debugging the business processes in the target container based on the container data, and obtaining a debugging result; and in response to the debugging result indicating debugging completion or receiving a debugging termination request, deleting the privileged container.
[0032] Figure 1 schematically shows an application scenario of the business container debugging method according to an embodiment of this application.
[0033] As shown in Figure 1, the application scenario 100 according to this embodiment may include a first terminal device 101, a second terminal device 102, a third terminal device 103, a network 104, and a server 105.
[0034] Users can use the first terminal device 101, the second terminal device 102, and the third terminal device 103 to interact with the server 105 via the network 104 to receive or send messages, etc. Various communication client applications can be installed on the first terminal device 101, the second terminal device 102, and the third terminal device 103, such as web browser applications, search applications, instant messaging tools, email clients, social media platform software, etc.
[0035] The first terminal device 101, the second terminal device 102, and the third terminal device 103 can be various electronic devices with displays and support web browsing, including but not limited to smartphones, tablets, laptops, and desktop computers.
[0036] Network 104 serves as the medium for providing communication links between the first terminal device 101, the second terminal device 102, the third terminal device 103, and the server 105. Network 104 may include various connection types, such as wired or wireless communication links or fiber optic cables.
[0037] Server 105 can be a server that provides various services, such as a backend management server that supports websites browsed by users using the first terminal device 101, the second terminal device 102, and the third terminal device 103 (this is just an example). The backend management server can analyze and process data such as received user requests, and feed back the processing results (such as web pages, information, or data obtained or generated according to user requests) to the terminal devices.
[0038] It should be noted that the service container debugging method provided in this application embodiment can generally be executed by server 105. Correspondingly, the service container debugging device provided in this application embodiment can generally be located in server 105. The service container debugging method provided in this application embodiment can also be executed by a server or server cluster that is different from server 105 and capable of communicating with the first terminal device 101, the second terminal device 102, the third terminal device 103, and/or server 105. Correspondingly, the service container debugging device provided in this application embodiment can also be located in a server or server cluster that is different from server 105 and capable of communicating with the first terminal device 101, the second terminal device 102, the third terminal device 103, and/or server 105.
[0039] It should be understood that the numbers of terminal devices, networks, and servers shown in Figure 1 are merely illustrative. Depending on implementation needs, any number of terminal devices, networks, and servers can be included.
[0040] Based on the scenario described in Figure 1, the service container debugging method according to embodiments of this application will be described in detail below with reference to Figures 2-4.
[0041] Figure 2 schematically illustrates a flowchart of a service container debugging method according to an embodiment of this application.
[0042] As shown in Figure 2, the service container debugging method of this embodiment includes S210~S250, as detailed below:
[0043] In operation S210, in response to receiving the debugging request, a request to create a debugging container is sent to the service interface of the cluster where the target container resides, indicating the preset debugging image information in the request, and a privileged request is issued to the cluster to set the debugging container as a privileged container with access permissions to the target container. In operation S220, in response to the request to create a debugging container, the cluster is caused to pull the debugging container image from the preset image repository according to the debugging image information to create the debugging container, and the debugging container is encapsulated as a privileged container if the privileged request is approved. In operation S230, the target container is entered based on the privileged container to access the container data of the target container, and the business processes in the target container are debugged based on the container data to obtain the debugging result. In operation S240, in response to the debugging result indicating that debugging is complete or receiving a debugging termination request, the privileged container is deleted.
[0044] As an example, open-source container orchestration platforms are used to automate the deployment, scaling, and management of containerized applications. In a container orchestration platform, a Pod is the runtime environment and management unit for containers, and it is the smallest unit of scheduling and deployment. All containers must run within a Pod; containers cannot exist independently. When debugging business containers is required, a privileged Pod is started as a springboard to enter the namespace of the target container, enabling remote debugging. This privileged Pod is referred to here as a privileged container.
[0045] Figure 3 schematically illustrates the data flow involved in the business container debugging method according to an embodiment of this application; Figure 4 schematically illustrates a container debugging scenario involved in the business container debugging method according to an embodiment of this application.
[0046] In the example shown in Figures 3 and 4, the management platform provides users with an application runtime module, which lets users initiate debugging from its operation page and carry out the debugging of the business container from that page. The business container to be debugged is the target container.
[0047] In the specific example shown in Figures 3 and 4, the user selects the target container in the application runtime module of the management platform and triggers the "Enable Debugging" operation, which creates a debug container request. After receiving the debug request, the backend of the management platform sends a request to the API Server (Application Programming Interface Server) of the cluster where the target container resides to create the debug container. The request specifies the use of predefined debug image information, which indicates details such as the type of debug image, for example a preset debug image compatible with the target container or a custom debug image. The debug request also specifies that the debug container shares the host machine's PID namespace (process namespace), IPC namespace (inter-process communication namespace), and Net namespace (network namespace), sets the debug container as a privileged container, and sets the runtime node of the privileged container to the host machine where the target container resides. Upon receiving the creation request, the cluster pulls the debug container image (referred to as the debug image) from the image repository, creates the specified debug container, and configures namespace sharing rules for the debug container based on the privilege request. If the configuration is complete and the host machine has remaining computing resources available for the debug container, the debug container with the configured namespace sharing rules is designated as a privileged container. Users access the privileged container through the container terminal of the management platform: a WebSocket connection is established between the container terminal of the management platform and the terminal of the privileged container, and when the user enters the privileged container terminal, a bootstrap script guides them into the target container's namespace to obtain the target container's runtime environment. Within this environment, the user can only see or obtain information such as the target container's processes, network, and file system; this information constitutes the target container's container data. For example, the user can use debugging tools within the container, such as tcpdump, nmon, and netstat, to debug the target container's business processes. The user performs debugging through the container terminal on the management platform. After debugging is complete, the user exits the terminal, and the management platform immediately issues a command to delete the debugging container, thus releasing the cluster's resources.
[0048] Based on this, remote debugging can be achieved using privileged containers without modifying the application's base image or template. These privileged containers are created from debug container images pulled from an image repository, which typically stores images related to the target container. This overcomes compatibility issues, breaks through local debugging limitations, and adapts to remote operation and maintenance scenarios. No additional proxy components need to be deployed; only a single privileged container is created, reducing resource consumption. Furthermore, the privileged container enters the target container to access its container data, allowing debugging of the business processes within the target container to obtain debugging results. In response to debugging results indicating completion or receiving a debugging termination request, the privileged container is deleted. The privileged container is promptly deleted after debugging of the target container, ensuring security while releasing computing resources in a timely manner. This improves compatibility, reduces resource consumption, and promptly releases computing resources, lowering the overall computational burden of the cluster.
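The creation request, the privileged debug container and its deletion, as [0044] to [0048] describe them (operations S210, S220 and S240), expressed against the Kubernetes API with kubectl. This is an added example and not code from the patent; the image path, the namespace, the service account name and the label keys are assumptions made for it.

```shell
#!/bin/sh
# Added example, not the patent's own code: lifecycle of the privileged
# debugging Pod of [0044]-[0047]. Every name below (image, namespace, service
# account, labels) is an assumption made for this example.

DEBUG_IMAGE="${DEBUG_IMAGE:-registry.example.internal/ops/debug-tools:stable}"  # placeholder
DEBUG_NAMESPACE="${DEBUG_NAMESPACE:-ops-debug}"   # namespace reserved for debug pods
DEBUG_SA="${DEBUG_SA:-container-debugger}"        # service account the access policy is bound to

# debug_pod_manifest NAME NODE TARGET_POD TARGET_CONTAINER DEADLINE_SECONDS
# Emits the creation request: pinned to the target's host (nodeName), sharing
# the host PID, IPC and network namespaces but not mount or UTS, privileged,
# never restarted, limited in lifetime by activeDeadlineSeconds, and labelled so
# the cleanup step can find it. hostPID/hostIPC/hostNetwork and privileged are
# all rejected by the "baseline" Pod Security Standard, so DEBUG_NAMESPACE
# should be the only namespace admitted at the "privileged" level.
debug_pod_manifest() {
  name=$1; node=$2; target_pod=$3; target_ctr=$4; deadline=$5
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: ${name}
  namespace: ${DEBUG_NAMESPACE}
  labels:
    app.kubernetes.io/component: container-debug
    debug.example/target-pod: ${target_pod}
    debug.example/target-container: ${target_ctr}
spec:
  nodeName: ${node}
  serviceAccountName: ${DEBUG_SA}
  automountServiceAccountToken: false
  restartPolicy: Never
  activeDeadlineSeconds: ${deadline}
  hostPID: true
  hostIPC: true
  hostNetwork: true
  containers:
  - name: debugger
    image: ${DEBUG_IMAGE}
    command: ["sleep", "infinity"]
    securityContext:
      privileged: true
    resources:
      limits:
        cpu: "500m"
        memory: "256Mi"
EOF
}

# create_debug_pod NAME NODE TARGET_POD TARGET_CONTAINER DEADLINE_SECONDS
# S210/S220: submit the request and wait for the image pull and start to finish
# (a pull failure surfaces here as a timeout).
create_debug_pod() {
  debug_pod_manifest "$@" | kubectl apply -f - >/dev/null
  kubectl -n "$DEBUG_NAMESPACE" wait --for=condition=Ready "pod/$1" --timeout=120s
}

# delete_debug_pod NAME: S240, the pod is removed as soon as debugging ends.
delete_debug_pod() {
  kubectl -n "$DEBUG_NAMESPACE" delete pod "$1" --ignore-not-found --wait=false
}

# run_debug_session NAME NODE TARGET_POD TARGET_CONTAINER DEADLINE_SECONDS
# Creates the pod, attaches the operator's terminal, and deletes the pod when the
# terminal closes, including when the session is interrupted (trap on EXIT).
run_debug_session() {
  name=$1
  trap 'delete_debug_pod "$name"' EXIT INT TERM
  create_debug_pod "$@"
  kubectl -n "$DEBUG_NAMESPACE" exec -it "$name" -- /bin/sh
}

# Usage: debug-pod.sh run dbg-shop-1 node-a shop-7f9 app 900
if [ "${1:-}" = "run" ]; then
  shift
  run_debug_session "$@"
fi
```

Two fields carry the page's security argument: `activeDeadlineSeconds` bounds the lifetime of a pod that shares the host's PID, IPC and network namespaces even if the deletion step never runs, and the `trap` makes deletion happen on an aborted session, not only on a clean exit.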
[0049] In this embodiment, a running business container is selected as the target container in a preset management platform; the container attribute information of the target container is obtained, and a debug request for the target container is generated based on the container attribute information.
[0050] As an example, the pre-defined management platform displays a list of all running business containers within the cluster. This list includes the container identifier, application name, running status, and host information for each container. The platform receives user selections of target containers from the list, retrieves their container attribute information (including container ID, cluster identifier, host IP address, namespace identifier, and business process ID), and generates and sends a debugging request to the management platform backend based on the container attribute information and user-specified debugging requirements, such as debugging tool type and debugging duration limits.
[0051] In this way, the system systematically collects the core attributes of the target container, such as the container ID, cluster identifier, and namespace identifier, which ensures the accuracy of the container creation parameters and reduces the probability of creation failure; it supports users in specifying the type of debugging tools and the debugging duration, so that debugging requests match actual scenarios more closely; and it displays key information such as container identifier, application, and running status, so that users can quickly and accurately filter target containers and initiate debugging requests more efficiently.
[0052] In this implementation, the process of creating a debug container also includes configuring namespace sharing rules between the debug container and the target container. The namespace sharing rules include: obtaining the namespace sharing configuration parameters carried in the request to create the debug container, which indicate the namespaces that can be shared in the target container; and mounting the debug namespace of the debug container to the namespace of the target container based on the namespace sharing configuration parameters, so as to realize data sharing or environment sharing between the debug container and the target container under the indicated namespace dimension.
[0053] As an example, the process of creating a debug container also includes configuring namespace sharing rules between the debug container and the target container: the namespace sharing configuration parameter carried in the debug container creation request explicitly specifies the Linux namespace types of the target container to be shared; when the cluster creates the debug container, it mounts the corresponding namespace of the debug container onto the namespace of the target container through Linux system calls based on that parameter, realizing environment sharing in the specified dimensions. The debug container creation request generated by the platform carries the namespace sharing configuration parameter, which explicitly shares the PID, Net, and IPC namespaces but does not share the mount and hostname namespaces. After receiving the debug container creation request, the cluster obtains the PID of the target container's main process through a preset information retrieval command and switches into the target container's namespace. After mounting the debug container's debug namespace onto the target container's shareable namespaces, the debug container can directly view the target container's cache service process, port information, IPC message queues, and so on.
[0054] Based on this, standardized namespace sharing configuration parameters are provided to clearly define the types of namespaces that can be shared, avoid unnecessary namespace sharing, reduce resource conflicts and security risks, automate namespace mounting without manual intervention, reduce configuration errors, and improve the success rate of debugging container creation.
[0055] In this embodiment, entering the target container based on the privileged container to access the container data of the target container includes: transmitting pre-acquired operation instructions over the communication link between the privileged container and the management platform; executing a boot script according to the operation instructions; and using the cut-in command in the boot script to switch the terminal session on the management platform into the namespace of the target container, so as to obtain the runtime environment of the target container through the terminal session and use the runtime environment-related data as container data.
[0056] As an example, the steps for entering the target container based on the privileged container include: first, establishing a WebSocket (two-way communication) connection between the management platform and the privileged container to form a communication link; then, transmitting over this communication link the operation instructions initiated by the user on the management platform and the debugging output data (i.e., debugging results) that the user needs to receive; after the host machine of the privileged container receives the operation instructions initiated by the user, it automatically executes a preset boot script based on the privileged container. This boot script contains a cut-in command carrying the target container namespace identifier parameter; through this cut-in command, the terminal session used by the user on the management platform for debugging the target container is switched into the namespace of the target container, allowing the user to directly operate the target container environment in the terminal interface/page of the management platform, and then debug it to obtain the debugging results.
[0057] Based on this, a stable remote communication link is established to ensure real-time synchronization of operation command transmission and debugging result output, thereby improving the stability of remote debugging. Furthermore, the system automatically executes the boot script and switchover command, eliminating the need for users to manually switch namespaces, lowering the operational threshold, simplifying the association process between the terminal session and the target container namespace, shortening access time, and improving debugging efficiency.
[0058] In this embodiment, resource access restrictions on privileged containers are also included, including binding a preset deployment unit security policy to the service account of the privileged container to limit the range of resources that the privileged container can access in the host machine of the target container. The range of accessible resources includes the process information, network information, and system file information of the target container.
[0059] As an example, the steps also include restricting resource access for privileged containers: creating a deployment unit security policy based on a preset deployment unit security technology, clearly defining the range of host resources that privileged containers can access, such as network ports, file system paths, and system devices. The range of accessible resources includes the target container's process information, network information, and system file information, while the range of inaccessible resources is the range outside the accessible resource range; binding the deployment unit security policy to the service account of the privileged container, so that the privileged container can only access permitted host resources and prohibits unauthorized access.
[0060] For example, the deployment unit security policy can configure allowed network ports (8080, 3306) and file paths, while prohibiting access to sensitive paths such as /etc/passwd and /root. When a user attempts to access port 22 (SSH port) of the host machine or modify the /etc/passwd file through a privileged container, the operation is blocked by the deployment unit security policy.
[0061] Based on this, fine-grained resource access control rules are established based on the deployment unit security policy. Only resources necessary for debugging are allowed, and access to sensitive resources is prohibited. This reduces the risk of unauthorized access, effectively protects sensitive resources on the host machine, prevents unauthorized access or tampering, and ensures the operational security of the cluster and business containers.
[0062] In this embodiment, the executable command restriction for the privileged container is also included, which includes: monitoring terminal commands in the terminal session in real time through a command filtering component deployed in the privileged container, determining the list category to which the terminal command belongs, the list category including a preset allowed command list and a prohibited command list, the allowed command list containing tool commands necessary for container debugging, and the prohibited command list containing destructive or unauthorized system commands; if the terminal command belongs to the allowed command list, it is allowed to execute and the command result is returned as the debugging result; if it belongs to the prohibited command list, it is refused to execute and a warning message is returned.
[0063] As an example, the method also includes steps to restrict executable commands in privileged containers, namely, pre-setting a list of allowed commands (including commands for debugging tools) and a list of prohibited commands (including destructive and unauthorized system commands); deploying a command filtering component in the privileged container to monitor terminal commands entered by the user in real time; allowing execution of commands that belong to the allowed list, and refusing execution and returning a warning if they belong to the prohibited list.
[0064] In a more specific example, consider the allowed command list (debugging tool commands such as tcpdump, netstat, nmon, cat, tail, etc.) and the prohibited command list (dangerous commands such as rm, sudo, su, shutdown, etc.). The privileged container startup script integrates a command filtering component to monitor all input commands. If a user inputs "rm -rf /var/log/app.log", the filtering component detects that "rm" belongs to the prohibited command list, refuses execution, and returns the warning message "Violation has been prohibited" to the management platform's interface. If a user inputs "tail -f /var/log/app.log", because "tail" is in the allowed command list, the command executes normally and outputs logs in real time. If a user attempts to execute "sudo su -" to switch to the root user, the filtering component detects that both "sudo" and "su" belong to the prohibited command list, refuses execution, and returns a warning message.
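The command filtering component described in paragraphs [0062] to [0064], written here as an added Python example rather than code from the application. The two command lists are the ones given in the text; the following are this example's own assumptions: a command in neither list is refused (fail closed), a compound terminal line is checked command by command so that a prohibited command after `;` or `|` is not missed, and path restrictions are left to the deployment unit security policy of paragraph [0060].

```python
import shlex
from dataclasses import dataclass
from posixpath import basename

# Lists from the worked example in the text (constructed sample configuration).
ALLOWED_COMMANDS = frozenset({"tcpdump", "netstat", "nmon", "cat", "tail"})
PROHIBITED_COMMANDS = frozenset({"rm", "sudo", "su", "shutdown"})
WARNING_MESSAGE = "Violation has been prohibited"

_REDIRECT_CHARS = set("<>")      # "> file": the next token is a file, not a command
_SEPARATOR_CHARS = set("|&;()")  # pipeline / command list / subshell boundaries


@dataclass(frozen=True)
class Decision:
    allowed: bool
    message: str        # text returned to the management platform terminal
    offending: tuple    # command names that caused the refusal (empty if allowed)


def _tokenize(line: str) -> list:
    """Split a terminal line into shell words; ';', '|', '&&' etc. become own tokens."""
    lex = shlex.shlex(line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def _split_commands(tokens: list) -> list:
    """Group tokens into the separate commands that one terminal line would run."""
    commands, current, skip_next = [], [], False
    for tok in tokens:
        if skip_next:                      # redirection target, skip it
            skip_next = False
            continue
        if tok and set(tok) <= _REDIRECT_CHARS:
            skip_next = True
            continue
        if tok and set(tok) <= _SEPARATOR_CHARS:
            if current:
                commands.append(current)
            current = []
            continue
        current.append(tok)
    if current:
        commands.append(current)
    return commands


def _command_name(words: list) -> str:
    """First word that is not a VAR=value prefix, reduced to its basename (/bin/rm -> rm)."""
    for word in words:
        if "=" in word and word.split("=", 1)[0].isidentifier():
            continue
        return basename(word)
    return ""


def check_command(line: str, allowed=ALLOWED_COMMANDS, prohibited=PROHIBITED_COMMANDS) -> Decision:
    """Decide whether a terminal line may be forwarded to the target container session."""
    try:
        commands = _split_commands(_tokenize(line))
    except ValueError:                     # unbalanced quotes: refuse rather than guess
        return Decision(False, WARNING_MESSAGE, ("<unparseable>",))
    offending, unknown = [], []
    for words in commands:
        # Wrappers such as sudo take a further command as an argument, so every bare
        # word is compared with the prohibited list, not only the command name.
        # This is deliberately conservative ("cat su" is refused as well).
        hits = [basename(w) for w in words if basename(w) in prohibited]
        if hits:
            offending.extend(hits)
            continue
        name = _command_name(words)
        if name not in allowed:            # neither list: fail closed
            unknown.append(name)
    if offending or unknown:
        return Decision(False, WARNING_MESSAGE, tuple(dict.fromkeys(offending + unknown)))
    return Decision(True, "command forwarded to the terminal session", ())
```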
[0065] Based on this, by setting allowed and prohibited command lists, executable commands are precisely restricted. Only commands necessary for debugging are allowed, while dangerous commands are prohibited, thus avoiding destructive operations from the source. The command filtering component monitors terminal input in real time, and intercepts and returns warnings for illegal commands immediately, thereby improving operational security, standardizing the scope of debugging command usage, reducing the impact of misoperations on business containers and the host machine, and ensuring business continuity during debugging.
[0066] Figure 5 schematically illustrates the main process listening script involved in the business container debugging method according to an embodiment of this application.
[0067] In the embodiment illustrated in Figure 5, a preset main process listening script is run in the privileged container, causing the main process listening script to poll and check the active state of the terminal session and the live state of the target container; in response to the terminal session being inactive or the live state of the target container being terminated, the main process listening script marks the live state of the privileged container as terminated.
[0068] As an example, a main process listening script runs in the privileged container and, at a preset period, polls the active status of the terminal session and the survival status of the target container. If the inactive duration of the session exceeds a preset inactivity threshold, the terminal session is determined to be inactive; alternatively, the target container may have terminated. In either of these two cases, the listening script causes the main process of the privileged container to exit; the management platform then scans the cluster at a preset period, deletes the privileged containers whose main process has exited, and releases their resources.
[0069] Based on dual detection of session activity status and target container liveness status, privileged containers are automatically exited to avoid long-term idle resource occupation; the platform regularly scans and cleans up terminated debug containers to ensure reasonable use of cluster resources; it reduces manual intervention, lowers the container management cost for operation and maintenance personnel, and improves the utilization rate of cluster resources.
[0070] For example, the main process listening script is configured with a polling cycle of 30 seconds and a terminal session timeout threshold of 30 minutes. It queries the target container status through the cluster health check interface. The main process listening script detects the number of connections on the communication link in real time to determine the session activity level and the target container status. If a user temporarily leaves, resulting in 30 minutes of inactivity in the terminal session, the script detects that the number of connections is 0 and the session has timed out. It outputs "Session timed out, triggering container exit" to the session terminal and marks the privileged container's survival status as terminated. Alternatively, if the target container enters a waiting/hibernating/shutdown/past state due to a business process crash, the main process listening script marks the privileged container's survival status as terminated.
[0071] Based on this, privileged containers can automatically exit by detecting both session activity and target container liveness, thus avoiding long-term idle resource occupation.
[0072] In this embodiment, privileged containers whose survival status has terminated are cleaned up according to a preset cleanup procedure at preset time intervals.
[0073] As an example, the management platform scans the cluster every 15 minutes using a pre-defined cleanup procedure. If it finds a privileged container in a terminated state, it sends a deletion request to the cluster for that container. When the cluster or session terminal approves the deletion request, the cleanup procedure deletes the terminated privileged container and releases associated resources such as storage volumes and networks.
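The main process listening script of paragraphs [0067] to [0070] together with the cleanup procedure of paragraphs [0072] and [0073], as one added Python example (not the application's own code). The 30 second poll, the 30 minute session timeout, the 15 minute cleanup period and the terminal message come from the text; the container state names, the injected probe callables and the deletion-approval callback are assumptions so that the logic runs offline.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

POLL_INTERVAL_S = 30            # polling cycle given in paragraph [0070]
SESSION_TIMEOUT_S = 30 * 60     # terminal session inactivity threshold
CLEANUP_INTERVAL_S = 15 * 60    # cleanup scan period given in paragraph [0073]
SESSION_TIMEOUT_MESSAGE = "Session timed out, triggering container exit"

# State strings reported by the (assumed) cluster health-check interface; anything
# other than "running" (waiting, hibernating, shutdown, exited) counts as terminated.
LIVE_TARGET_STATES = frozenset({"running"})


@dataclass
class PrivilegedContainer:
    container_id: str
    target_id: str
    liveness: str = "running"          # "running" or "terminated"
    last_active_at: float = 0.0        # time of the last poll that saw an open link
    exit_reason: Optional[str] = None


class MainProcessListener:
    """Polling logic of the main process listening script for one privileged container.

    connection_count(container_id) -> open WebSocket connections on the communication
    link; target_state(target_id) -> state string from the cluster; now() -> seconds.
    All three are injected (assumed interfaces) so the logic can be exercised offline.
    """

    def __init__(self, container, connection_count, target_state, now, notify=print):
        self.container = container
        self._connection_count = connection_count
        self._target_state = target_state
        self._now = now
        self._notify = notify
        container.last_active_at = now()       # the session starts out active

    def _terminate(self, reason: str) -> str:
        self._notify(reason)                   # written to the session terminal
        self.container.liveness = "terminated"
        self.container.exit_reason = reason
        return reason

    def poll(self) -> Optional[str]:
        """Run one polling cycle (every POLL_INTERVAL_S); returns the exit reason once terminated."""
        c = self.container
        if c.liveness == "terminated":
            return c.exit_reason
        if self._target_state(c.target_id) not in LIVE_TARGET_STATES:
            return self._terminate(f"target container {c.target_id} terminated")
        now = self._now()
        if self._connection_count(c.container_id) > 0:
            c.last_active_at = now             # someone is connected: session active
            return None
        if now - c.last_active_at >= SESSION_TIMEOUT_S:   # 0 connections and timed out
            return self._terminate(SESSION_TIMEOUT_MESSAGE)
        return None


def cleanup_scan(containers: List[PrivilegedContainer],
                 request_deletion: Callable[[str], bool]) -> List[str]:
    """One pass of the cleanup procedure, meant to run every CLEANUP_INTERVAL_S.

    request_deletion(container_id) models the deletion request sent to the cluster and
    returns True when it is approved. Approved containers are removed from `containers`
    and their ids returned so the caller can release volumes and network resources.
    """
    deleted = []
    for c in list(containers):
        if c.liveness == "terminated" and request_deletion(c.container_id):
            containers.remove(c)
            deleted.append(c.container_id)
    return deleted
```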
[0074] Based on this, we can ensure the rational use of cluster resources, reduce the container management costs for operations and maintenance personnel, and improve the utilization rate of cluster resources.
[0075] As described above, the business container debugging method provided in this embodiment can overcome compatibility issues, break through local debugging limitations, and adapt to remote operation and maintenance scenarios. It eliminates the need to deploy additional proxy components, creating only a single privileged container, thus reducing resource consumption. The privileged container is used to access the target container's data, and the business processes within the target container are debugged based on this data to obtain debugging results. In response to the debugging result indicating completion or receiving a debugging termination request, the privileged container is deleted. The privileged container is promptly deleted after debugging of the target container, ensuring security while releasing computing resources in a timely manner. Furthermore, security mechanisms such as resource access restrictions and executable command restrictions are implemented. This improves compatibility, reduces resource consumption, and releases computing resources promptly, reducing the overall computational burden of the cluster and enhancing the security of business container debugging.
[0076] Based on the above-described business container debugging method, this application also provides a business container debugging apparatus. The apparatus is described in detail below in conjunction with Figure 6.
[0077] Figure 6 is a schematic block diagram of a business container debugging apparatus according to an embodiment of this application.
[0078] As shown in Figure 6, the business container debugging device 600 in this embodiment includes a pre-request module 610, a container creation module 620, a debugging execution module 630, and a debugging cleanup module 640.
[0079] The pre-request module 610 can perform operation S210, in response to receiving a debug request, send a request to create a debug container to the service interface of the cluster where the target container is located, and indicate the preset debug image information in the request, and send a privileged request to the cluster to set the debug container as a privileged container with access to the target container.
[0080] The container creation module 620 can perform operation S220 in response to the request to create a debug container, enabling the cluster to pull the debug container image from the preset image repository according to the debug image information to create the debug container, and encapsulate the debug container as a privileged container if the privilege request is approved.
[0081] The debugging module 630 can perform operation S230, enter the target container based on the privileged container, access the container data of the target container, debug the business process in the target container based on the container data, and obtain the debugging results;
[0082] The debug cleanup module 640 can perform operation S240, which deletes privileged containers in response to a debug result indicating that debugging is complete or a debug termination request is received.
[0083] In this embodiment, a request generation unit is also included, which is used to select a running business container as the target container in a preset management platform; obtain the container attribute information of the target container; and generate a debug request for the target container based on the container attribute information.
[0084] In this embodiment, during the process of creating a debug container, the container creation module 620 also includes configuring namespace sharing rules between the debug container and the target container. The namespace sharing rules include: obtaining the namespace sharing configuration parameters carried in the debug container creation request, which indicate the namespaces that can be shared in the target container; and mounting the debug namespace of the debug container to the namespace of the target container based on the namespace sharing configuration parameters, so as to realize data sharing or environment sharing between the debug container and the target container under the indicated namespace dimension.
[0085] The debugging module 630 enters the target container based on the privileged container to access the container data of the target container, including: transmitting pre-acquired operation instructions over the communication link between the privileged container and the management platform; executing a boot script according to the operation instructions; and using the cut-in command in the boot script to switch the terminal session on the management platform into the namespace of the target container, so as to obtain the runtime environment of the target container through the terminal session and use the runtime environment-related data as container data.
[0086] In this embodiment, the service container debugging device 600 further includes a resource restriction unit for restricting resource access of privileged containers. This includes binding a preset deployment unit security policy to the service account of the privileged container to limit the range of accessible resources of the privileged container on the host machine of the target container. The range of accessible resources includes the process information, network information, and system file information of the target container. It also includes a command restriction unit for restricting executable commands of the privileged container. This includes monitoring terminal commands in the terminal session in real time through a command filtering component deployed in the privileged container, determining the list category to which the terminal commands belong. The list categories include a preset allowed command list and a prohibited command list. The allowed command list contains the tool commands necessary for container debugging, while the prohibited command list contains destructive or unauthorized system commands. If a terminal command belongs to the allowed command list, it is allowed to execute and the command result is returned as the debugging result; if it belongs to the prohibited command list, it is refused to execute and a warning message is returned. It also includes a listening unit for running a preset main process listening script in the privileged container. This script polls and checks the active state of the terminal session and the liveness of the target container. In response to an inactive terminal session or a terminated liveness of the target container, the main process listening script marks the privileged container's liveness as terminated. A preset cleanup procedure cleans up privileged containers with a terminated liveness at preset time intervals.
[0087] Furthermore, according to embodiments of this application, any multiple modules among the pre-request module 610, container creation module 620, debug execution module 630, and debug cleanup module 640 can be merged into one module, or any one of these modules can be split into multiple modules. Alternatively, at least some of the functions of one or more of these modules can be combined with at least some of the functions of other modules and implemented in one module. According to embodiments of this application, at least one of the pre-request module 610, container creation module 620, debug execution module 630, and debug cleanup module 640 can be at least partially implemented as hardware circuitry, such as a field-programmable gate array (FPGA), a programmable logic array (PLA), a system-on-a-chip, a system-on-a-substrate, a system-on-package, an application-specific integrated circuit (ASIC), or any other reasonable means of integrating or packaging circuitry, or implemented in hardware or firmware, or in any one of software, hardware, and firmware implementations, or in a suitable combination of any of these. Alternatively, at least one of the pre-request module 610, container creation module 620, debugging module 630, and debugging cleanup module 640 may be implemented at least partially as a computer program module that can perform corresponding functions when the computer program module is run.
[0088] It should be noted that the implementation methods, technical problems solved, functions achieved, and technical effects of each module in the device embodiment are the same as or similar to the implementation methods, technical problems solved, functions achieved, and technical effects of each corresponding step in the method embodiment, and will not be repeated here.
[0089] Figure 7 is a block diagram schematically illustrating an electronic device suitable for implementing a business container debugging method according to an embodiment of this application.
[0090] As shown in Figure 7, an electronic device 700 according to an embodiment of this application includes a processor 701, which can perform various appropriate actions and processes according to a program stored in a read-only memory (ROM) 702 or a program loaded from a storage portion 708 into a random access memory (RAM) 703. The processor 701 may include, for example, a general-purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special-purpose microprocessor (e.g., an application-specific integrated circuit (ASIC)), etc. The processor 701 may also include onboard memory for caching purposes. The processor 701 may include a single processing unit or multiple processing units for performing different actions of the method flow according to an embodiment of this application.
[0091] RAM 703 stores various programs and data required for the operation of electronic device 700. Processor 701, ROM 702, and RAM 703 are interconnected via bus 704. Processor 701 executes various operations of the method flow according to embodiments of this application by executing programs in ROM 702 and/or RAM 703. It should be noted that the programs may also be stored in one or more memories other than ROM 702 and RAM 703. Processor 701 may also execute various operations of the method flow according to embodiments of this application by executing programs stored in said one or more memories.
[0092] According to embodiments of this application, the electronic device 700 may further include an input/output (I/O) interface 705, which is also connected to bus 704. The electronic device 700 may also include one or more of the following components connected to the input/output (I/O) interface 705: an input section 706 including a keyboard, mouse, etc.; an output section 707 including a cathode ray tube (CRT), liquid crystal display (LCD), etc., and a speaker, etc.; a storage section 708 including a hard disk, etc.; and a communication section 709 including a network interface card such as a LAN card, modem, etc. The communication section 709 performs communication processing via a network such as the Internet. A drive 710 is also connected to the input/output (I/O) interface 705 as needed. A removable medium 711, such as a disk, optical disk, magneto-optical disk, semiconductor memory, etc., is installed on the drive 710 as needed so that computer programs read from it can be installed into the storage section 708 as needed.
[0093] This application also provides a computer-readable storage medium, which may be included in the device/apparatus/system described in the above embodiments; or it may exist independently and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs, which, when executed, implement the method according to the embodiments of this application.
[0094] According to embodiments of this application, the computer-readable storage medium can be a non-volatile computer-readable storage medium, including but not limited to: portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination thereof. In this application, the computer-readable storage medium can be any tangible medium containing or storing a program that can be used by or in conjunction with an instruction execution system, apparatus, or device. For example, according to embodiments of this application, the computer-readable storage medium may include ROM 702 and/or RAM 703 and/or one or more memories other than ROM 702 and RAM 703 described above.
[0095] Embodiments of this application also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowchart. When the computer program product is run on a computer system, the program code is used to enable the computer system to implement the business container debugging method provided in the embodiments of this application.
[0096] When the computer program is executed by the processor 701, it performs the functions defined in the system/apparatus of this application embodiment. According to the embodiments of this application, the systems, apparatuses, modules, units, etc., described above can be implemented by computer program modules.
[0097] In one embodiment, the computer program may rely on a tangible storage medium such as an optical storage device or a magnetic storage device. In another embodiment, the computer program may also be transmitted and distributed in the form of signals over a network medium, and may be downloaded and installed via the communication section 709, and/or installed from a removable medium 711. The program code contained in the computer program can be transmitted using any suitable network medium, including but not limited to: wireless, wired, etc., or any suitable combination thereof.
[0098] In such an embodiment, the computer program can be downloaded and installed from a network via the communication section 709, and/or installed from the removable medium 711. When the computer program is executed by the processor 701, it performs the functions defined in the system of this application embodiment. According to the embodiments of this application, the systems, devices, apparatuses, modules, units, etc., described above can be implemented by computer program modules.
[0099] According to embodiments of this application, program code for executing the computer programs provided in the embodiments of this application can be written in any combination of one or more programming languages. Specifically, these computer programs can be implemented using high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. Programming languages include, but are not limited to, languages such as Java, C++, "C", or similar programming languages. The program code can be executed entirely on the user's computing device, partially on the user's device, partially on a remote computing device, or entirely on a remote computing device or server. In cases involving remote computing devices, the remote computing device can be connected to the user's computing device via any type of network, including a local area network (LAN) or a wide area network (WAN), or it can be connected to an external computing device (e.g., via the Internet using an Internet service provider).
[0100] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of this application. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than those indicated in the drawings. For example, two consecutively indicated blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in a block diagram or flowchart, and combinations of blocks in a block diagram or flowchart, may be implemented using a dedicated hardware-based system that performs the specified function or operation, or using a combination of dedicated hardware and computer instructions.
[0101] Those skilled in the art will understand that the features described in the various embodiments of this application can be combined and/or integrated in various ways, even if such combinations or integrations are not explicitly described in this application. In particular, the features described in the various embodiments of this application can be combined and/or integrated in various ways without departing from the spirit and teachings of this application. All such combinations and/or integrations fall within the scope of this application.
Claims
1. A method for debugging a business container, characterized in that the method includes: in response to receiving a debugging request, sending a request to create a debugging container to the service interface of the cluster where the target container is located, the request indicating the preset debugging image information, and sending a privileged request to the cluster to set the debugging container as a privileged container with access to the target container; in response to the request to create a debug container, the cluster pulling a debug container image from a preset image repository based on the debug image information to create the debug container, and, if the privilege request is approved, encapsulating the debug container as a privileged container; entering the target container based on the privileged container to access the container data of the target container, debugging the business process in the target container based on the container data, and obtaining the debugging results; and in response to the debugging result indicating that debugging is complete or a debugging termination request being received, deleting the privileged container.
2. The business container debugging method according to claim 1, characterized in that it further includes: selecting a running business container as the target container in the preset management platform; obtaining the container attribute information of the target container; and generating a debug request for the target container based on the container attribute information.
3. The business container debugging method according to claim 1, characterized in that the process of creating the debug container further includes configuring namespace sharing rules between the debug container and the target container, wherein the namespace sharing rules include: obtaining the namespace sharing configuration parameters carried in the request to create a debug container, wherein the namespace sharing configuration parameters indicate the namespaces that can be shared in the target container; and mounting, based on the namespace sharing configuration parameters, the debug namespace of the debug container to the namespace of the target container, so as to enable the debug container and the target container to share data or environment under the indicated namespace dimension.
4. The business container debugging method according to claim 2, characterized in that entering the target container based on the privileged container to access the container data of the target container includes: transmitting pre-acquired operation instructions over the communication link between the privileged container and the management platform; executing the boot script according to the operation instructions; and switching the terminal session on the management platform into the namespace of the target container through the switch command in the boot script, so as to obtain the runtime environment of the target container through the terminal session and use the data related to the runtime environment as container data.
5. The business container debugging method according to claim 1, characterized in that it further includes restricting resource access of the privileged container, including: binding the preset deployment unit security policy to the service account of the privileged container to limit the scope of resources that the privileged container can access in the host machine of the target container, wherein the scope of accessible resources includes the process information, network information and system file information of the target container.
6. The business container debugging method according to claim 4, characterized in that, It also includes restricting the executable commands of the privileged container, including: The command filtering component deployed in the privileged container monitors the terminal commands in the terminal session in real time and determines the list category to which the terminal commands belong. The list category includes a preset allowed command list and a prohibited command list. The allowed command list contains tool commands necessary for container debugging, and the prohibited command list contains destructive or unauthorized system commands. If the terminal command belongs to the allowed command list, it is allowed to be executed and the command result is returned as the debugging result; if it belongs to the prohibited command list, it is refused to be executed and a warning message is returned.
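An added example, not code from the patent, of the command filtering component in claim 6. The allowed and prohibited lists are constructed for illustration; commands on neither list are treated as prohibited (an assumption the claim does not state, chosen so the filter fails closed), and command lines containing shell control operators are refused because a first-word check alone would let a line such as `ps aux; rm -rf /` through. Allowed commands are executed directly from their argument vector rather than through `sh -c`, so the shell never re-parses the line.

```shell
#!/bin/sh
# Added example (not from the patent): command filter of the kind claim 6
# describes. List contents are constructed for illustration.
ALLOWED_CMDS='ps top ss netstat cat ls strace tcpdump env df'
PROHIBITED_CMDS='rm dd mkfs reboot shutdown kill chmod chown iptables'

# Refuse command lines that contain shell control operators or command
# substitution: classifying only the first word would miss them.
has_control_operator() {
    case "$1" in
        *';'*|*'|'*|*'&'*|*'`'*|*'$('*|*'>'*|*'<'*) return 0 ;;
        *) return 1 ;;
    esac
}

# in_list WORD "w1 w2 ..." -> 0 when WORD is one of the words
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# classify_command "command line" -> prints allowed or prohibited.
# Prohibited wins over allowed; unknown programs are prohibited.
classify_command() {
    line=$1
    if has_control_operator "$line"; then
        printf '%s' prohibited
        return 0
    fi
    set -f                 # no globbing while splitting into words
    set -- $line
    set +f
    prog=${1:-}
    prog=${prog##*/}       # strip a leading path: /bin/rm -> rm
    if in_list "$prog" "$PROHIBITED_CMDS"; then
        printf '%s' prohibited
    elif in_list "$prog" "$ALLOWED_CMDS"; then
        printf '%s' allowed
    else
        printf '%s' prohibited
    fi
}

# Terminal session loop: execute allowed commands, return a warning for
# the rest. Only runs when the file is invoked with --session.
run_session() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if [ "$(classify_command "$line")" = allowed ]; then
            set -f; set -- $line; set +f
            "$@"                       # direct exec, no shell re-parse
        else
            echo "warning: command refused by policy: $line" >&2
        fi
    done
}
[ "${1:-}" = "--session" ] && run_session
```

Pipe the terminal session into `sh filter.sh --session`; the warning lines on stderr are the "warning message" of the claim and double as an audit trail of refused commands.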
7. The business container debugging method according to claim 6, characterized in that it further includes: running a preset main process monitoring script in the privileged container, the main process monitoring script polling the activity status of the terminal session and the survival status of the target container; and, in response to the terminal session being inactive or the target container being in a terminated state, the main process monitoring script marking the privileged container as terminated.
8. The business container debugging method according to claim 4, characterized in that it further includes: cleaning up, at preset time intervals and using a predefined cleanup procedure, the privileged containers whose liveness has ended.
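Claims 7 and 8 together describe the end of the privileged container's life: a monitor that polls session activity and target liveness and marks the container terminated, and a periodic cleanup that removes marked containers. The script below is an added example, not the patent's code. The probe commands, the record format `name:status:marked_at` and the grace interval are assumptions, and the container records are constructed in memory rather than read from a cluster API.

```shell
#!/bin/sh
# Added example (not from the patent): liveness bookkeeping for privileged
# debug containers, covering the monitor of claim 7 and the periodic
# cleanup of claim 8. Probe commands and record format are assumptions.

# should_terminate SESSION_STATE TARGET_STATE -> 0 when the privileged
# container has no reason to live: session not active or target not running.
# Unknown states count as "not alive", so the check fails closed.
should_terminate() {
    [ "$1" != active ] || [ "$2" != running ]
}

# monitor_loop SESSION_PROBE TARGET_PROBE: each argument is a command that
# prints the current state (active/inactive, running/terminated). Polls
# every POLL_SECONDS and prints the termination mark "terminated:<epoch>"
# once either probe reports the session or target gone.
monitor_loop() {
    while :; do
        s=$(sh -c "$1")
        t=$(sh -c "$2")
        if should_terminate "$s" "$t"; then
            printf 'terminated:%s\n' "$(date +%s)"
            return 0
        fi
        sleep "${POLL_SECONDS:-5}"
    done
}

# expired_containers NOW INTERVAL "name:status:marked_at ..." -> prints,
# one per line, the names whose terminated mark is at least INTERVAL
# seconds old. Active containers and fresh marks are skipped, so a session
# that is briefly idle is not torn down by the cleanup pass.
expired_containers() {
    now=$1
    interval=$2
    for rec in $3; do
        name=${rec%%:*}
        rest=${rec#*:}
        status=${rest%%:*}
        marked=${rest#*:}
        [ "$status" = terminated ] || continue
        [ $((now - marked)) -ge "$interval" ] && echo "$name"
    done
    return 0
}

# Cleanup pass over constructed records; a real pass would issue the
# delete to the cluster for each name printed.
cleanup_pass() {
    records='dbg-a:terminated:100 dbg-b:terminated:170 dbg-c:active:0'
    expired_containers "$1" 60 "$records"
}
```

In deployment the monitor is the container's main process, so its exit also ends the container from the runtime's point of view; the cleanup pass then only has to remove containers the runtime still lists.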
9. A business container debugging device, characterized in that the device includes: a pre-request module, configured to respond to a received debug request by sending a request to create a debug container to the service interface of the cluster where the target container is located, the request indicating preset debug image information, and by sending a privilege request to the cluster to set the debug container as a privileged container with access to the target container; a container creation module, configured to respond to the request to create a debug container so that the cluster pulls the debug container image from the preset image repository according to the debug image information to create the debug container, and encapsulates the debug container as a privileged container if the privilege request is approved; a debugging module, configured to enter the target container via the privileged container, access the container data of the target container, debug the business processes in the target container based on the container data, and obtain debugging results; and a debug cleanup module, configured to delete the privileged container in response to the debugging results indicating that debugging is complete or to receiving a debug termination request.
10. An electronic device, comprising: one or more processors; and a memory for storing one or more computer programs; characterized in that the one or more processors execute the one or more computer programs to implement the steps of the method according to any one of claims 1 to 8.
11. A computer-readable storage medium having a computer program or instructions stored thereon, characterized in that, when the computer program or instructions are executed by a processor, they implement the steps of the method according to any one of claims 1 to 8.
12. A computer program product, comprising a computer program or instructions, characterized in that, when the computer program or instructions are executed by a processor, they implement the steps of the method according to any one of claims 1 to 8.