A method, system, device, medium, and product for intelligent layered packaging of containers.
By employing intelligent layering and incremental building methods, the problem of low efficiency in Docker Compose image building is solved, enabling efficient and secure cross-environment distribution of container images.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- SOUTHWEST CHINA RES INST OF ELECTRONICS EQUIP
- Filing Date
- 2026-04-30
- Publication Date
- 2026-06-30
AI Technical Summary
The existing Docker Compose container technology has an unreasonable layering during the image building stage, resulting in high resource consumption, long build time, and incompatible security hardening across different environments, posing a risk of malicious image deployment.
By parsing the Docker Compose configuration file, the container image is automatically split into a base layer, a core dependency layer, a business code layer, and a configuration layer. Incremental building is performed using file fingerprint comparison, and asymmetric encryption and digital signatures are applied in different environments.
It achieves standardized layering of container images, reduces resource consumption and build time, improves efficiency, and enables consistent builds and secure and controllable distribution in different environments.
Smart Images

Figure CN122308961A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of computer application technology, specifically to a method, system, device, medium, and product for intelligent layered packaging of containers. Background Technology
[0002] The statements in this section are provided only as background information in connection with this disclosure and may not constitute prior art.
[0003] With the continuous development and widespread use of container technology, Docker Compose, as a multi-container orchestration and runtime tool, has come to play an important role in microservice architecture and continuous integration / continuous deployment (CI / CD).
[0004] However, in order to achieve the goals of storage reduction and transmission optimization, the existing Docker Compose container technology has the following significant drawbacks in the image building stage: First, the traditional approach of manually writing Dockerfiles for container layering means that the appropriateness of container image layering is entirely limited by the programmer's individual ability and experience. Due to the lack of a unified, standardized splitting mechanism, frequently modified business code is often mixed with infrequently modified underlying dependency libraries in the same image layer. Secondly, due to the unreasonable layering mentioned above, when some of the packaged files inside the container change, the system usually needs to perform a full package build, which cannot effectively hit the underlying cache, resulting in a long build time for container applications, extremely high system resource consumption, and low overall efficiency. Finally, existing technologies lack the ability to automatically adapt to different environments (such as development and production environments) when performing container security hardening, and are incompatible with mainstream image signing methods (such as Docker Content Trust), requiring manual signing and verification operations, which can easily lead to security risks of malicious image deployment due to human negligence. Summary of the Invention
[0005] The purpose of this invention is to address the shortcomings of existing technologies by providing a method, system, device, medium, and product for intelligent layered packaging of container applications. This invention aims to solve problems such as the limited container resource consumption and running efficiency during packaging by the programmer's skill level, low efficiency of full packaging and building, and incompatibility and adaptation of container image security hardening, thereby achieving the goal of consistent and rapid building and secure and controllable distribution of container applications.
[0006] The technical solution of the present invention is as follows: A method for intelligent layered encapsulation of container applications, comprising: Read the Docker Compose configuration file and its corresponding Dockerfile file in the target project, parse the preset layered strategy configuration items, environment tags and image naming rules of each service in the Docker Compose configuration file, and extract the base image instructions, dependency installation instructions, code copy instructions and configuration file copy instructions in the Dockerfile file; Based on the preset layering strategy configuration items and combined with the preset layering priority rules, the container image is automatically split into a base layer, a core dependency layer, a business code layer, and a configuration layer; wherein, the base layer is defined by the base image instruction, the core dependency layer is defined by the dependency installation instruction, the business code layer is defined by the code copy instruction, and the configuration layer is defined by the configuration file copy instruction. For each layer of files, a current file fingerprint is generated. The current file fingerprint is compared with the historically built layer fingerprint database to determine whether the content of each layer has changed. For layers that are determined to have changed content, incremental layer building is performed based on the corresponding instructions in the Dockerfile to generate a new image layer. For layers that are determined not to have changed content, the historically built image layer is directly reused. The packaging parameters of the corresponding environment are loaded according to the environment tag, the new image layer is processed according to the packaging parameters, and the core dependency layer and the business code layer are encrypted using an asymmetric encryption algorithm. A digital signature is generated for the encrypted image layer based on the private key. The reused historical image layers are integrated with the processed and encrypted image layers in a layered order to generate a complete container image. The complete container image is then tagged with a version label according to the image naming rules. At the same time, the name of the generated complete container image and the version label are updated to the corresponding service image field in the Docker Compose configuration file.
[0007] Furthermore, the foundation layer includes the operating system kernel and application runtime environment; the core dependency layer includes application framework-level third-party dependency libraries; the business code layer includes user-written business logic code; and the configuration layer includes environment-differentiated configuration parameters.
[0008] Furthermore, generating the current file fingerprint for the file content of each layer includes: calculating the hash value of the file content corresponding to each layer, as the current file fingerprint; The step of determining whether content changes have occurred in each layer includes: comparing the current file fingerprint with the historical file fingerprints in the layer fingerprint database; if the current file fingerprint does not match the historical file fingerprint, it is determined that the corresponding layer has undergone content changes; if the current file fingerprint matches the historical file fingerprint, it is determined that the corresponding layer has not undergone content changes.
[0009] Furthermore, the environment label indicates a development environment or a production environment; When the environment label indicates the development environment, the loaded packaging parameters include debug library retention instructions; When the environment label indicates the production environment, the loaded packaging parameters include redundant file removal instructions and core layered encryption instructions.
[0010] Furthermore, the asymmetric encryption algorithm includes the RSA algorithm or the SM2 algorithm; The step of tagging the complete container image with a version label according to the image naming rules includes: obtaining the system name, application name, service name, packaging time and version information; generating the target image name and the version label according to the combination format included in the image naming rules; and assigning them to the complete container image.
[0011] This invention also proposes a smart layered packaging system for container applications, comprising: The configuration parsing module is used to read the Docker Compose configuration file and its corresponding Dockerfile file in the target project, parse the preset layered strategy configuration items, environment tags and image naming rules of each service in the Docker Compose configuration file, and extract the basic image instructions, dependency installation instructions, code copy instructions and configuration file copy instructions in the Dockerfile file. The layering and splitting module is used to automatically split the container image into a base layer, a core dependency layer, a business code layer, and a configuration layer based on the preset layering strategy configuration items and the preset layering priority rules; wherein, the base layer is defined by the base image instruction, the core dependency layer is defined by the dependency installation instruction, the business code layer is defined by the code copy instruction, and the configuration layer is defined by the configuration file copy instruction. The incremental build module is used to generate a current file fingerprint for the file content of each layer, and compare the current file fingerprint with the historically built layer fingerprint database to determine whether the content of each layer has changed; for the layer determined to have changed content, the layer incremental build is executed based on the corresponding instructions in the Dockerfile to generate a new image layer; for the layer determined not to have changed content, the historically built image layer is directly reused. The environment adaptation and security encapsulation module is used to load the packaging parameters of the corresponding environment according to the environment tag, process the generated new image layer according to the packaging parameters, encrypt the core dependency layer and the business code layer using an asymmetric encryption algorithm, and generate a digital signature for the encrypted image layer based on the private key. The image integration and configuration update module is used to integrate the reused historically built image layers with the processed and encrypted image layers in a layered order to generate a complete container image. The module adds a version tag to the complete container image according to the image naming rules, and updates the name of the generated complete container image and the version tag to the corresponding service image field in the Docker Compose configuration file.
[0012] Furthermore, the system also includes: A hierarchical fingerprint database, connected to the incremental construction module, is used to store historical file fingerprints and mirror layer association information for each layer.
[0013] The present invention also proposes an electronic device, comprising: At least one processor; and a memory communicatively connected to said at least one processor; The memory stores instructions that can be executed by the at least one processor, and the at least one processor executes the instructions stored in the memory to perform the method described above.
[0014] The present invention also proposes a computer-readable storage medium for storing instructions that, when executed, cause the method described above to be implemented.
[0015] The present invention also proposes a computer program product, which implements the above-described method when executed by a processor.
[0016] Compared with existing technologies, the advantages of this invention are: 1. Intelligent Layering and Standardization of Container Images. This invention, by pre-setting and parsing the layering strategy in the Docker Compose configuration, forces container images to be automatically split from bottom to top into a base layer, a core dependency layer, a business code layer, and a configuration layer. This completely breaks the bottleneck of container resource consumption and runtime efficiency being limited by programmer skill levels, avoids the mixing of code and dependencies, and lays the underlying data structure foundation for subsequent rapid incremental builds.
[0017] 2. Fine-grained, ultra-fast incremental build based on file fingerprints. This invention constructs a container layered fingerprint library, calculates the unique file hash fingerprint of each layer's content, and automatically compares the current fingerprint with historical fingerprints. The system only triggers refactoring for layers that have changed (such as frequently modified business code layers), while directly reusing historical image layers for unchanged layers. This mechanism completely eliminates the need for full packaging, significantly reduces CPU and network I / O resource consumption, greatly shortens packaging time, and improves build speed.
[0018] 3. Balancing performance with environment adaptability and secure, controllable encapsulation. This invention automatically removes redundant files to reduce image size when generating production environment images by parsing environment tags in the Docker Compose configuration. Simultaneously, it avoids the performance overhead of traditional full-disk indiscriminate encryption, selectively performing asymmetric encryption and digital signatures only on the core dependency layer and business code layer. This mechanism protects core assets from reverse engineering while avoiding the additional decryption overhead of the common infrastructure layer, automatically achieving consistent cross-environment building and secure, controllable distribution of container images. Attached Figure Description
[0019] To more clearly illustrate the technical solutions in the embodiments of the present invention, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments recorded in the embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings.
[0020] Figure 1 A flowchart of a smart layered encapsulation method for container applications; Figure 2 This is a diagram illustrating the composition of an intelligent layered packaging system for container applications. Figure 3 This is a schematic diagram of the structure of an electronic device provided in an embodiment of the present invention. Detailed Implementation
[0021] It should be noted that relational terms such as "first" and "second" are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element.
[0022] The features and performance of the present invention will be further described in detail below with reference to embodiments.
[0023] Example 1 This application provides a method for intelligent layered packaging of container applications. This method is typically executed by a computer device with computing and storage capabilities (such as a build server, a developer's local terminal, or a continuous integration server). Combined with... Figure 1 The method flowchart shown illustrates the following steps: Step S101: Read the Docker Compose configuration file and its corresponding Dockerfile file in the target project, parse the preset layered strategy configuration items, environment tags and image naming rules of each service in the Docker Compose configuration file, and extract the base image instructions, dependency installation instructions, code copy instructions and configuration file copy instructions in the Dockerfile file.
[0024] As a further supplement and explanation to step S101, in the actual working principle, the computer device first reads the configuration directory of the target project through the YAML parser. Specifically, the parsed preset layering strategy configuration items (e.g., layer-strategy: auto) are used to instruct the system to enable intelligent layering mode; environment tags (e.g., env-tag: dev or prod) are used to indicate the current build target environment; image naming rules (e.g., image-name-format:{XTMC}-{YYMC}-{service name}:{packaging time-version}) are used to standardize the output artifacts; in addition, the build context path (e.g., build: .) is parsed simultaneously to accurately locate the working directory where the target project's code and dependency files are located, providing the basic path for the extraction of subsequent instructions. When extracting Dockerfile instructions, the system scans out underlying build instructions such as FROM (corresponding to the base image instruction), RUN (corresponding to the dependency installation instruction), and COPY (corresponding to the code and configuration file copy instruction), providing a data foundation for subsequent decoupling and reorganization.
[0025] Step S102: Based on the preset layering strategy configuration items and combined with the preset layering priority rules, the container image is automatically split into a base layer, a core dependency layer, a business code layer, and a configuration layer; wherein, the base layer is defined by the base image instruction and includes the operating system kernel and application runtime environment; the core dependency layer is defined by the dependency installation instruction and includes application framework-level third-party dependency libraries; the business code layer is defined by the code copy instruction and includes user-written business logic code; the configuration layer is defined by the configuration file copy instruction and includes environment-differentiated configuration parameters.
[0026] As a further supplement and explanation to step S102, this step introduces a hierarchical priority rule to force the mirroring to be standardized and decoupled from bottom to top: the base layer (highest priority / lowest level) is separated due to its minimal changes; the core dependency layer only changes when a new component is introduced, belonging to the low-frequency change layer; the business code layer contains the core logic written by the user, belonging to the high-frequency change layer; and the configuration layer (lowest priority / topmost level) contains environment parameters. Through the intelligent splitting mechanism, the coupling problem caused by non-standardized writing is automatically corrected, and the easily changeable parts are placed in the upper layer, improving the cache hit rate.
[0027] Step S103: Generate a current file fingerprint for the file content of each layer, including: calculating the hash value of the file content corresponding to each layer as the current file fingerprint; comparing the current file fingerprint with the historically built layer fingerprint database; if the current file fingerprint is inconsistent with the historical file fingerprint, it is determined that the corresponding layer has undergone content change; if the current file fingerprint is consistent with the historical file fingerprint, it is determined that the corresponding layer has not undergone content change; for layers determined to have undergone content change, perform incremental layer building based on the corresponding instructions in the Dockerfile to generate a new image layer; for layers determined not to have undergone content change, directly reuse the historically built image layer.
[0028] As a further supplement and explanation to step S103, the system uses a secure hash algorithm (e.g., SHA-256) to calculate hash values for the file content within each layer defined in step S102, using these hash values as unique file fingerprints to identify the content status of each layer. For example, when a developer only modifies the business code, the system calculates and finds that the unique file fingerprint of the business code layer has changed, while the fingerprint of the core dependency layer matches the historical fingerprint in the layered fingerprint database. In this case, the system directly reuses the historical mirror layer, triggering only a rebuild instruction for the business code layer, achieving incremental builds within seconds.
[0029] Step S104: Load the packaging parameters corresponding to the environment according to the environment tag. When the environment tag indicates a development environment, the loaded packaging parameters include a debug library retention instruction; when the environment tag indicates a production environment, the loaded packaging parameters include a redundant file removal instruction and a core layered encryption instruction; process the generated new image layer according to the packaging parameters, and encrypt the core dependency layer and the business code layer using an asymmetric encryption algorithm, and generate a digital signature for the encrypted image layer based on the private key.
[0030] As a further supplement and explanation to step S104, if the parsed env-tag is "dev" (development environment), the system retains the test scripts for debugging; if it is "prod" (production environment), the system automatically executes redundancy removal instructions to achieve image slimming. Furthermore, the system selectively uses asymmetric encryption algorithms (such as RSA2048 or SM2) only on the core dependency layer and business code layer, protecting the application code while avoiding the additional decryption overhead caused by encrypting the common infrastructure layer. Simultaneously, a digital signature is generated for integrity verification, achieving secure and controllable distribution.
[0031] Step S105: Integrate the reused historically built image layer with the processed and encrypted image layer in the order of layering to generate a complete container image. Obtain the system name, application name, service name, packaging time and version information. Generate the target image name and the version tag according to the combination format included in the image naming rules, and assign them to the complete container image. At the same time, update the name and version tag of the generated complete container image to the corresponding service image field in the DockerCompose configuration file.
[0032] Example 2 Corresponding to the method described in Embodiment 1, combined with Figure 2 The system composition diagram shown in this application also illustrates an intelligent layered packaging system for container applications. The functional modules within this system can be implemented through software, hardware, or a combination of both. Specifically, the system includes: The configuration parsing module is used to read the Docker Compose configuration file and its corresponding Dockerfile file in the target project, parse the preset layered strategy configuration items, environment tags, image naming rules and build context paths of each service in the Docker Compose configuration file, and extract the base image instructions, dependency installation instructions, code copy instructions and configuration file copy instructions in the Dockerfile file. The layering and splitting module, connected to the configuration parsing module, is used to automatically split the container image into a base layer, a core dependency layer, a business code layer, and a configuration layer based on the preset layering strategy configuration items and the preset layering priority rules. A hierarchical fingerprint database is used to store the association information between historical file fingerprints and mirror layers for each layer; The incremental construction module connects the layered splitting module and the layered fingerprint library. It is used to generate the current file fingerprint for the file content of each layer, compare the current file fingerprint with the historical file fingerprint in the layered fingerprint library, perform incremental construction, generate a new mirror layer for the changed layer, and reuse the unchanged mirror layer. The environment adaptation and security encapsulation module is connected to the configuration parsing module and the incremental construction module, respectively. It is used to load the packaging parameters of the corresponding environment according to the environment tag passed by the configuration parsing module, perform redundant file removal according to the packaging parameters, perform core layer encryption on the core dependency layer and the business code layer using an asymmetric encryption algorithm, and generate a digital signature on the encrypted image layer based on the private key. The image integration and configuration update module is connected to the incremental build module and the environment adaptation and security encapsulation module, respectively. It is used to integrate the reused historically built image layers and the processed and encrypted image layers in a layered order to generate a complete container image with version tags, and automatically update the generated image name and the version tags to the corresponding service image field of the Docker Compose configuration file.
[0033] In the above system's operating mechanism, a tight data flow relationship is formed between the modules: the configuration parsing module serves as the system's entry point, extracting build instructions and passing them to the downstream layered splitting module, while the parsed environment tags are directly passed across modules to the environment adaptation and security encapsulation module to guide subsequent encryption and removal strategies; the incremental build module, as the core hub, determines which layers need to be newly built and which layers can be directly reused through bidirectional interaction with the layered fingerprint database, and outputs the processed objects to the environment adaptation and security encapsulation module; finally, the image integration and configuration update module collects the data stream reused by the incremental build module and the data stream processed by the environment adaptation and security encapsulation module, completing the final product encapsulation and configuration file write-back closed loop.
[0034] Example 3 Based on the same technical concept, embodiments of the present invention also provide an electronic device that can implement the intelligent layered packaging method for container applications provided in the above embodiments of the present invention. In one embodiment, the electronic device can be a server, a terminal device, or other electronic devices. Figure 3 As shown, the electronic device may include: At least one processor and a memory connected to the at least one processor. In this embodiment of the invention, the specific connection medium between the processor and the memory is not limited. Figure 3 The example used is the connection between the processor and memory via a bus. The bus... Figure 3 The connections between other components are indicated by thick lines and are for illustrative purposes only, not as limiting information. Buses can be divided into address buses, data buses, control buses, etc., but for ease of representation, [the specific bus type is not shown here]. Figure 3 The processor is represented by a single thick line, but this does not imply that there is only one bus or one type of bus. Alternatively, a processor can also be called a controller; there are no restrictions on the name.
[0035] In this embodiment of the invention, the memory stores instructions executable by at least one processor. By executing the instructions stored in the memory, the at least one processor can perform the intelligent layered packaging method for container applications described above. The processor can implement... Figure 3 The functions of each module in the device shown.
[0036] The processor is the control center of the device. It can connect to various parts of the control device through various interfaces and lines. By running or executing instructions stored in memory and calling data stored in memory, it can monitor the device's various functions and process data, thereby enabling overall monitoring of the device.
[0037] In an alternative design, the processor may include one or more processing units. The processor may integrate an application processor and a modem processor, wherein the application processor primarily handles the operating system, user interface, and applications, while the modem processor primarily handles wireless communication. It is understood that the modem processor may also not be integrated into the processor. In some embodiments, the processor and memory may be implemented on the same chip; in some embodiments, they may also be implemented separately on separate chips.
[0038] The processor can be a general-purpose processor, such as a CPU, digital signal processor, application-specific integrated circuit, field-programmable gate array or other programmable logic device, discrete gate or transistor logic device, or discrete hardware component, capable of implementing or executing the methods, steps, and logic block diagrams disclosed in the embodiments of this invention. The general-purpose processor can be a microprocessor or any conventional processor. The steps of the container application intelligent layered packaging method disclosed in the embodiments of this invention can be directly manifested as execution by a hardware processor, or execution by a combination of hardware and software modules within the processor.
[0039] Memory, as a non-volatile computer-readable storage medium, can be used to store non-volatile software programs, non-volatile computer-executable programs, and modules. Memory can include at least one type of storage medium, such as flash memory, hard disk, multimedia cards, card-type memory, random access memory (RAM), static random access memory (SRAM), programmable read-only memory (PROM), read-only memory (ROM), and electrically erasable programmable read-only memory (EPROM). Only memory (EEPROM), magnetic storage, magnetic disks, optical disks, etc. A memory is any other medium capable of carrying or storing desired program code in the form of instructions or data structures, and accessible by a computer, but is not limited thereto. The memory in embodiments of this invention can also be a circuit or any other device capable of performing storage functions for storing program instructions and / or data.
[0040] By designing and programming the processor, the code corresponding to the intelligent layered packaging method for container applications described in the foregoing embodiments can be embedded into the chip, enabling the chip to execute the steps of the method described in the foregoing embodiments during runtime. How to design and program the processor is a technique well-known to those skilled in the art and will not be elaborated upon here.
[0041] Based on the same inventive concept, embodiments of the present invention also provide a storage medium storing computer instructions that, when executed on a computer, cause the computer to perform a container application intelligent layered encapsulation method described above.
[0042] In some alternative embodiments, the present invention also provides that various aspects of a container application smart layered packaging method can also be implemented as a program product comprising program code that, when the program product is run on a device, causes the control device to perform the steps in a container application smart layered packaging method according to various exemplary embodiments of the present invention as described above.
[0043] It should be noted that although several units or sub-units of the apparatus have been mentioned in the detailed description above, this division is merely exemplary and not mandatory. In fact, according to embodiments of the invention, the features and functions of two or more units described above can be embodied in one unit. Conversely, the features and functions of one unit described above can be further divided and embodied by multiple units. Furthermore, although the operation of the method of the invention is described in a specific order in the drawings, this does not require or imply that these operations must be performed in that specific order, or that all the operations shown must be performed to achieve the desired result. Additionally or alternatively, certain steps may be omitted, multiple steps may be combined into one step, and / or one step may be broken down into multiple steps.
[0044] Those skilled in the art will understand that embodiments of the present invention can be provided as methods, systems, or computer program products. Therefore, the present invention can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention can be implemented in one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROMs) containing computer-usable program code. The form of a computer program product implemented on ROM, optical memory, etc.
[0045] This invention is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a server, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, generate instructions for implementing the process. Figure 1 One or more processes and / or boxes Figure 1 A device that provides the functions specified in one or more boxes.
[0046] Program code for performing the operations of this invention can be written using any combination of one or more programming languages, including object-oriented programming languages such as Java and C++, as well as conventional procedural programming languages such as C or similar languages. The program code can be executed entirely on the user's computing device, partially on the user's device, as a standalone software package, partially on the user's computing device and partially on a remote computing device, or entirely on a remote computing device or server.
[0047] In cases involving remote computing devices, the remote computing device can be connected to the user's computing device via any type of network, including a local area network (LAN) or a wide area network (WAN), or it can be connected to an external computing device (e.g., via the Internet using an Internet service provider).
[0048] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which are implemented in a process Figure 1 One or more processes and / or boxes Figure 1 The function specified in one or more boxes.
[0049] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable equipment for implementing the process. Figure 1 One or more processes and / or boxes Figure 1 The steps of the function specified in one or more boxes.
[0050] Furthermore, in some embodiments, a computer program product is also proposed, which, when executed by a processor, implements the above-described intelligent layered encapsulation method for container applications.
[0051] Example 4 To more intuitively illustrate the specific engineering application of the intelligent layered encapsulation method for container applications in Embodiment 1 of this application, this embodiment provides a specific target project example.
[0052] Assume the target project contains three container services: web, mysql, and redis.
[0053] The target project's directory structure includes files such as Dockerfile, .env, compose.xml, app.py, test.py, and app.conf; specifically as follows:
[0054] The core instruction parameters in the Dockerfile are as follows:
[0055] The core parameters of the accompanying .env file are as follows:
[0056] The core configuration of the accompanying compose.xml file is as follows:
[0057] In the initial state, the following example (from top to bottom) of the initial hierarchical information obtained by viewing the Docker history using `docker build -t myapp&&docker history myapp` is shown:
[0058] Based on the method flow of Embodiment 1, the specific encapsulation and execution steps of this embodiment are as follows: 1) Configuration Analysis: Read the Docker Compose configuration file (compose.xml) and its associated Dockerfile from the target project. Parse the preset layer strategy configuration items (layer-strategy: auto), environment tags (env-tag: dev), service image naming rules (image-name-format: {XTMC}-{YYMC}-{service name}:{packaging time-version}), and build context path (build: ., implicit or specified) in compose.xml. Simultaneously, extract the base image instructions (FROM ubuntu:20.04 AS base), dependency installation instructions (COPYrequirements.txt .; RUN pip3 install -r requirements.txt, etc.), code copying instructions (COPYapp.py .; COPY static / . / static / ), and configuration file copying instructions (COPY app.conf .) from the Dockerfile.
[0059] 2) Intelligent hierarchical splitting: Based on the aforementioned layering strategy configuration items and combined with preset layering priority rules, the container image is automatically split into four layers, namely: ① The base layer, defined by the base image instructions, contains the operating system kernel and application runtime environment, which is ubuntu:20.04 in the initial layer information; ② Core dependency layer, defined by dependency installation instructions, contains application framework-level third-party dependency libraries, which are layers aaaa2, aaaa3, and aaaa4 in the initial layering information; ③ Business code layer, defined by the code copy instruction, contains the business logic code written by the user, which is the aaaa5 layer in the initial layering information; ④ Configuration layer, defined by the configuration file copy instruction, contains environment-differentiated configuration parameters, which is the aaaa6 layer in the initial layering information.
[0060] 3) Change detection and incremental construction: The hash values of the file contents corresponding to the layers ubuntu:20.04, aaaa2 to aaaa4, aaaa5, and aaaa6 are calculated to serve as unique file fingerprints. The fingerprint of the file to be built is compared with the historical layer fingerprint database to determine if any content changes have occurred in each layer. For example, if only the app.py file has changed, the file fingerprint corresponding to its business code layer (i.e., layer aaaa5) will be inconsistent with the historical fingerprint. In this case, the system only rebuilds layer aaaa5 and generates a new image layer; while the fingerprints of other layers (such as core dependency layers like aaaa2, aaaa3, and aaaa4) remain unchanged, and the historically built image layers can be reused directly. This process significantly shortens the build time.
[0061] 4) Environmental Adaptation and Secure Encapsulation: Based on the parsed environment tag (e.g., env-tag: dev), the corresponding packaging parameters for that environment are loaded. When the environment is designated as development, the packaging parameters include instructions from the dev section of the .env file (such as preserving debug libraries). If modified to a production environment (prod), the packaging parameters include instructions for removing redundant files and core layered encryption instructions (i.e., instructions from the prod section of the .env file). The incrementally built image layer is then processed according to these packaging parameters. The core dependency layer and business code layer are encrypted using an asymmetric encryption algorithm (i.e., the SM2 value of the encode-method field in the .env file), and a digital signature is generated for the encrypted image layer based on the private key.
[0062] 5) Image integration and configuration updates: The reused historical image layer is integrated with the incrementally built and processed new image layer in a layered order to generate a complete container image. The image is then tagged with a version number according to the image naming rules (in this example, it is generated as: xtmc-yymc-web:20260121-v1). Simultaneously, the system automatically updates the generated image name and version number back to the corresponding service image field in the compose.xml configuration file (i.e., replacing the original web segment's image field value), completing the packaging and encapsulation loop without manual intervention.
[0063] In summary, the intelligent layered packaging method and system for container applications provided by this invention, through steps such as configuration parsing, intelligent layered splitting, change detection and incremental building, environment adaptation and secure packaging, image integration and configuration updates, can solve the problems of container resource consumption and running efficiency being limited by programmer skill level, low efficiency of full packaging and building, and incompatibility of container image security hardening during existing Docker Compose packaging, and achieve the goal of consistent and rapid building and secure and controllable distribution of container applications.
[0064] The embodiments described above merely illustrate specific implementation methods of this application, and while the descriptions are detailed and specific, they should not be construed as limiting the scope of protection of this application. It should be noted that those skilled in the art can make various modifications and improvements without departing from the concept of the technical solution of this application, and these modifications and improvements all fall within the scope of protection of this application.
[0065] This background section is provided to generally present the context of the invention. The work of the currently named inventors, the work to the extent described in this background section, and aspects of this section that did not constitute prior art at the time of application are neither expressly nor impliedly acknowledged as prior art to the invention.
Claims
1. A method for intelligent layered encapsulation of containers, characterized in that, include: Read the Docker Compose configuration file and its corresponding Dockerfile file in the target project, parse the preset layered strategy configuration items, environment tags and image naming rules of each service in the Docker Compose configuration file, and extract the base image instructions, dependency installation instructions, code copy instructions and configuration file copy instructions in the Dockerfile file; Based on the preset layering strategy configuration items and combined with the preset layering priority rules, the container image is automatically split into a base layer, a core dependency layer, a business code layer, and a configuration layer; wherein, the base layer is defined by the base image instruction, the core dependency layer is defined by the dependency installation instruction, the business code layer is defined by the code copy instruction, and the configuration layer is defined by the configuration file copy instruction. For each layer of files, a current file fingerprint is generated. The current file fingerprint is compared with the historically built layer fingerprint database to determine whether the content of each layer has changed. For layers that are determined to have changed content, incremental layer building is performed based on the corresponding instructions in the Dockerfile to generate a new image layer. For layers that are determined not to have changed content, the historically built image layer is directly reused. The packaging parameters of the corresponding environment are loaded according to the environment tag, the new image layer is processed according to the packaging parameters, and the core dependency layer and the business code layer are encrypted using an asymmetric encryption algorithm. A digital signature is generated for the encrypted image layer based on the private key. The reused historical image layers are integrated with the processed and encrypted image layers in a layered order to generate a complete container image. The complete container image is then tagged with a version label according to the image naming rules. At the same time, the name of the generated complete container image and the version label are updated to the corresponding service image field in the Docker Compose configuration file.
2. The intelligent layered packaging method for container applications as described in claim 1, characterized in that, The foundation layer includes the operating system kernel and application runtime environment; the core dependency layer includes application framework-level third-party dependency libraries; the business code layer includes user-written business logic code; and the configuration layer includes environment-differentiated configuration parameters.
3. The intelligent layered packaging method for container applications as described in claim 1, characterized in that, The step of generating a current file fingerprint for the file content of each layer includes: calculating the hash value of the file content corresponding to each layer as the current file fingerprint; The step of determining whether content changes have occurred in each layer includes: comparing the current file fingerprint with the historical file fingerprints in the layer fingerprint database; if the current file fingerprint does not match the historical file fingerprint, it is determined that the corresponding layer has undergone content changes; if the current file fingerprint matches the historical file fingerprint, it is determined that the corresponding layer has not undergone content changes.
4. The intelligent layered packaging method for container applications as described in claim 1, characterized in that, The environment label indicates the development environment or production environment; When the environment label indicates the development environment, the loaded packaging parameters include debug library retention instructions; When the environment label indicates the production environment, the loaded packaging parameters include redundant file removal instructions and core layered encryption instructions.
5. The intelligent layered packaging method for container applications as described in claim 1, characterized in that, The asymmetric encryption algorithm includes the RSA algorithm or the SM2 algorithm; The step of tagging the complete container image with a version label according to the image naming rules includes: obtaining the system name, application name, service name, packaging time and version information; generating the target image name and the version label according to the combination format included in the image naming rules; and assigning them to the complete container image.
6. A smart layered packaging system for container applications, characterized in that, include: The configuration parsing module is used to read the Docker Compose configuration file and its corresponding Dockerfile file in the target project, parse the preset layered strategy configuration items, environment tags and image naming rules of each service in the Docker Compose configuration file, and extract the basic image instructions, dependency installation instructions, code copy instructions and configuration file copy instructions in the Dockerfile file. The layering and splitting module is used to automatically split the container image into a base layer, a core dependency layer, a business code layer, and a configuration layer based on the preset layering strategy configuration items and the preset layering priority rules; wherein, the base layer is defined by the base image instruction, the core dependency layer is defined by the dependency installation instruction, the business code layer is defined by the code copy instruction, and the configuration layer is defined by the configuration file copy instruction. The incremental build module is used to generate a current file fingerprint for the file content of each layer, and compare the current file fingerprint with the historically built layer fingerprint database to determine whether the content of each layer has changed; for the layer determined to have changed content, the layer incremental build is executed based on the corresponding instructions in the Dockerfile to generate a new image layer; for the layer determined not to have changed content, the historically built image layer is directly reused. The environment adaptation and security encapsulation module is used to load the packaging parameters of the corresponding environment according to the environment tag, process the generated new image layer according to the packaging parameters, encrypt the core dependency layer and the business code layer using an asymmetric encryption algorithm, and generate a digital signature for the encrypted image layer based on the private key. The image integration and configuration update module is used to integrate the reused historically built image layers with the processed and encrypted image layers in a layered order to generate a complete container image. The module adds a version tag to the complete container image according to the image naming rules, and updates the name of the generated complete container image and the version tag to the corresponding service image field in the DockerCompose configuration file.
7. The intelligent layered packaging system for container applications based on Docker Compose as described in claim 6, characterized in that, The system also includes: A hierarchical fingerprint database, connected to the incremental construction module, is used to store historical file fingerprints and mirror layer association information for each layer.
8. An electronic device, characterized in that, include: At least one processor; and a memory communicatively connected to the at least one processor; The memory stores instructions executable by the at least one processor, which executes the instructions stored in the memory to perform the method as described in any one of claims 1-7.
9. A computer-readable storage medium, characterized in that, The computer-readable storage medium is used to store instructions that, when executed, cause the method as described in any one of claims 1-7 to be implemented.
10. A computer program product, characterized in that, When the computer program is executed by a processor, it implements the method described in any one of claims 1-7.