Sandbox runtime environment deployment methods, devices and related equipment

By obtaining the requirement information from the application configuration file, and using the sandbox awareness module and formula calculations, the sandbox runtime environment and container image are automatically selected and completed, solving the problem of complex configuration in existing technologies and achieving efficient and low-cost application environment deployment.

CN122309022A · Pending · Publication Date: 2026-06-30 · CHINA TELECOM CORP LTD TECHNOLOGY INNOVATION CENTER +1

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
CHINA TELECOM CORP LTD TECHNOLOGY INNOVATION CENTER
Filing Date
2024-12-30
Publication Date
2026-06-30


Abstract

This disclosure provides a method, apparatus, and related equipment for deploying a sandbox runtime environment, relating to the field of software technology. The method includes: obtaining a configuration file of a target application, wherein the configuration file contains performance and / or security requirements information of the target application; determining the target sandbox runtime environment and the corresponding container image type for deploying the target application based on the performance and / or security requirements information of the target application; performing completion processing on the configuration file based on the target sandbox runtime environment and the corresponding container image type; and sending the completed configuration file to a container management cluster, so that the container management cluster creates a container image corresponding to the target sandbox runtime environment based on the completed configuration file to run the target application. This disclosure can effectively simplify the application environment deployment process, improve the efficiency of application environment deployment, and reduce the operation and maintenance costs of application environment deployment.

Description

Technical Field

[0001] This disclosure relates to the field of software technology, and in particular to a method, apparatus and related equipment for deploying a sandbox runtime environment.

Background Technology

[0002] In cloud computing and microservice architectures, container technology has been widely adopted due to its lightweight nature and ease of management. Since different applications may have varying performance and security requirements, selecting and configuring a suitable sandbox runtime environment based on its characteristics, performance, and security features is a pressing technical problem that needs to be solved in this field.

[0003] It should be noted that the information disclosed in the background section above is only used to enhance the understanding of the background of this disclosure, and therefore may include information that does not constitute prior art known to those skilled in the art.

Summary of the Invention

[0004] This disclosure provides a sandbox runtime environment deployment method, apparatus, and related equipment, which at least to some extent overcomes the technical problem in related technologies that cannot automatically select and adapt the sandbox runtime environment according to application requirements.

[0005] Other features and advantages of this disclosure will become apparent from the following detailed description, or may be learned in part from practice of this disclosure.

[0006] According to one aspect of this disclosure, a method for deploying a sandbox runtime environment is provided, comprising: obtaining a configuration file of a target application, wherein the configuration file contains performance requirement information and/or security requirement information of the target application; determining a target sandbox runtime environment and a corresponding container image type for deploying the target application based on the performance requirement information and/or security requirement information of the target application; performing completion processing on the configuration file based on the target sandbox runtime environment and the corresponding container image type; and sending the completed configuration file to a container management cluster, so that the container management cluster creates a container image corresponding to the target sandbox runtime environment based on the completed configuration file to run the target application.

[0007] In some embodiments, determining the target sandbox runtime environment and corresponding container image type for deploying the target application based on the performance and / or security requirements of the target application includes: detecting the node resource information of each worker node in the container management cluster, wherein the node resource information includes: one or more sandbox runtime environments already installed on each worker node and the remaining resource information of each worker node; selecting the target sandbox runtime environment for deploying the target application based on the performance and / or security requirements of the target application and the node resource information of each worker node in the container management cluster; and determining the container image type for the container image to be created based on the target sandbox runtime environment.

[0008] In some embodiments, based on the performance and / or security requirements of the target application and the node resource information of each worker node in the container management cluster, the target sandbox runtime environment for deploying the target application is selected, including: calculating the recommended probability value of the sandbox runtime environment on each worker node using the following formula, and selecting the sandbox runtime environment with the highest recommended probability value as the target sandbox runtime environment for deploying the target application:

[0009] $\mathrm{Possibility}_{runtime} = A_{image} \times \left[1 - \mathrm{Normalize}\left(B_{space} \times X_{replica} \times C_{frequency} + D_{stable}\right)\right] \times 100\%$; where $\mathrm{Possibility}_{runtime}$ is the recommendation probability value; $A_{image}$ is a logical value: if a sandbox runtime environment that satisfies the performance and/or security requirements exists on the worker node, $A_{image} = 1$; if no sandbox runtime environment on the worker node meets the performance and/or security requirements, $A_{image} = 0$; $\mathrm{Normalize}(\cdot)$ is the normalization function; $B_{space}$ is the impact on the node's remaining resources of installing the container image of the corresponding sandbox runtime environment on the worker node; $X_{replica}$ is the number of replicas or instances of the application in the sandbox runtime; $C_{frequency}$ is the launch frequency of the target application; $D_{stable}$ is the stability status of the application: if the application is stable, a runtime that provides better performance and reliability may be more suitable; if the application is temporary and is expected to terminate frequently, a runtime with faster startup and shutdown times may be more appropriate.

[0010] In some embodiments, the container management cluster includes: a master node and at least one worker node connected to the master node; wherein, the worker node includes: a sandbox awareness module, used to detect the node resource information of each worker node in the container management cluster and report it to the sandbox recommendation and completion module; the master node includes: a sandbox recommendation and completion module, used to complete the sandbox runtime environment for deploying the target application and the corresponding container image type in the configuration file of the target application based on the performance requirements and / or security requirements of the target application and the node resource information of each worker node in the container management cluster reported by the sandbox awareness module.

[0011] In some embodiments, the worker node further includes: an advanced container runtime environment for managing container images of different sandbox runtime environments; and a low-level container runtime environment for running container images of different sandbox runtime environments.

[0012] In some embodiments, the container management cluster is a Kubernetes cluster; the configuration file is a YAML format configuration file.

[0013] According to another aspect of this disclosure, a sandbox runtime environment deployment apparatus is also provided, comprising: a configuration file interception module, configured to obtain a configuration file of a target application, wherein the configuration file contains performance requirement information and / or security requirement information of the target application; a sandbox runtime environment determination module, configured to determine a target sandbox runtime environment for deploying the target application and a corresponding container image type based on the performance requirement information and / or security requirement information of the target application; and a configuration file completion module, configured to complete the configuration file according to the target sandbox runtime environment and the corresponding container image type, and send the completed configuration file to a container management cluster, so that the container management cluster creates a container image corresponding to the target sandbox runtime environment based on the completed configuration file to run the target application.

[0014] According to another aspect of this disclosure, an electronic device is also provided, comprising: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to perform the sandbox runtime environment deployment method described in any of the preceding claims by executing the executable instructions.

[0015] According to another aspect of this disclosure, a computer-readable storage medium is also provided, on which a computer program is stored, which, when executed by a processor, implements the sandbox runtime environment deployment method described in any of the preceding claims.

[0016] According to another aspect of this disclosure, a computer program product is also provided, comprising: a computer program or instructions that, when executed by a processor, implement the sandbox runtime environment deployment method described in any one of the preceding claims.

[0017] The sandbox runtime environment deployment method, apparatus, and related devices provided in this disclosure, after obtaining a configuration file containing application performance requirements and / or security requirements, can automatically complete the sandbox runtime environment and corresponding container image type required for deploying the application in the application's configuration file according to the application's performance requirements and / or security requirements, so that the container management cluster can create a container image corresponding to the sandbox runtime environment to run the application based on the completed configuration file.

[0018] The embodiments disclosed herein can effectively simplify the application environment deployment process, improve the efficiency of application environment deployment, and reduce the operation and maintenance costs of application environment deployment.

[0019] It should be understood that the above general description and the following detailed description are exemplary and explanatory only, and are not intended to limit this disclosure.

Description of the Drawings

[0020] The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with this disclosure and, together with the description, serve to explain the principles of this disclosure. It is obvious that the drawings described below are merely some embodiments of this disclosure, and those skilled in the art can obtain other drawings based on these drawings without any inventive effort.

[0021] Figure 1 illustrates an application system architecture according to an embodiment of the present disclosure;

[0022] Figure 2 illustrates a flowchart of a sandbox runtime environment deployment method according to an embodiment of the present disclosure;

[0023] Figure 3 illustrates a flowchart of a method for determining the sandbox runtime environment and corresponding container image type based on application requirements according to an embodiment of the present disclosure;

[0024] Figure 4 illustrates a sandbox runtime environment deployment system architecture based on a Kubernetes cluster according to an embodiment of the present disclosure;

[0025] Figure 5 illustrates a sandbox awareness module according to an embodiment of the present disclosure;

[0026] Figure 6 illustrates a sandbox recommendation and completion module according to an embodiment of the present disclosure;

[0027] Figure 7 illustrates a flowchart of a sandbox runtime environment deployment method based on a Kubernetes cluster according to an embodiment of the present disclosure;

[0028] Figure 8 illustrates a sandbox runtime environment deployment apparatus according to an embodiment of the present disclosure;

[0029] Figure 9 illustrates a structural block diagram of an electronic device according to an embodiment of the present disclosure.

Detailed Description

[0030] Exemplary embodiments will now be described more fully with reference to the accompanying drawings. However, these exemplary embodiments can be implemented in many forms and should not be construed as limited to the examples set forth herein; rather, they are provided so that this disclosure will be more comprehensive and complete, and will fully convey the concept of the exemplary embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.

[0031] Furthermore, the accompanying drawings are merely illustrative of this disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and therefore repeated descriptions of them will be omitted. Some block diagrams shown in the drawings are functional entities and do not necessarily correspond to physically or logically independent entities. These functional entities may be implemented in software, in one or more hardware modules or integrated circuits, or in different network and / or processor devices and / or microcontroller devices.

[0032] To facilitate understanding, before introducing the embodiments of this disclosure, the following explanations are provided for several terms involved in the embodiments of this disclosure:

[0033] K8S: Kubernetes is an open-source container orchestration platform used for the deployment, scaling, and management of various containerized applications.

[0034] Sandbox runtime is a technology used to isolate and run applications. It aims to provide an isolated environment for running applications, ensuring that applications do not interfere with each other, while protecting the stability and security of the host system.

[0035] The specific implementation methods of the embodiments of this disclosure will now be described in detail with reference to the accompanying drawings.

[0036] Figure 1 shows a schematic diagram of an exemplary application system architecture to which the sandbox runtime environment deployment method of the embodiments of this disclosure can be applied. As shown in Figure 1, the system architecture may include terminal device 101, network 102 and server 103.

[0037] Network 102 is a medium used to provide a communication link between terminal device 101 and server 103, and can be a wired network or a wireless network.

[0038] Optionally, the aforementioned wireless or wired networks use standard communication technologies and / or protocols. The network is typically the Internet, but can also be any network, including but not limited to Local Area Networks (LANs), Metropolitan Area Networks (MANs), Wide Area Networks (WANs), mobile, wired or wireless networks, private networks, or any combination of virtual private networks. In some embodiments, technologies and / or formats including Hyper Text Markup Language (HTML), Extensible Markup Language (XML), etc., are used to represent data exchanged over the network. Furthermore, conventional encryption technologies such as Secure Socket Layer (SSL), Transport Layer Security (TLS), Virtual Private Networks (VPNs), and Internet Protocol Security (IPSec) can be used to encrypt all or some links. In other embodiments, custom and / or dedicated data communication technologies can be used to replace or supplement the aforementioned data communication technologies.

[0039] Terminal device 101 can be various electronic devices, including but not limited to smartphones, tablets, laptops, desktop computers, smart speakers, smartwatches, wearable devices, augmented reality devices, virtual reality devices, etc.

[0040] Optionally, the client of the application installed on different terminal devices 101 may be the same, or the client of the same type of application based on different operating systems. Depending on the terminal platform, the specific form of the application client may also be different; for example, the application client may be a mobile client, a PC client, etc.

[0041] Server 103 can be a server that provides various services, such as a backend management server that supports the device operated by the user using terminal device 101. The backend management server can analyze and process received requests and other data, and feed the processing results back to the terminal device.

[0042] Optionally, the server can be a standalone physical server, a server cluster or distributed system consisting of multiple physical servers, or a cloud server that provides basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDN (Content Delivery Network), and big data and artificial intelligence platforms.

[0043] Those skilled in the art will understand that the numbers of terminal devices, networks, and servers shown in Figure 1 are merely illustrative; any number of terminal devices, networks, and servers can be included depending on actual needs. This disclosure does not limit the scope of the embodiments in this respect.

[0044] Under the above system architecture, this disclosure provides a sandbox runtime environment deployment method, which can be executed by any electronic device with computing power.

[0045] In some embodiments, the sandbox runtime environment deployment method provided in this disclosure can be executed by a terminal device of the above-described system architecture; in other embodiments, the sandbox runtime environment deployment method provided in this disclosure can be executed by a server in the above-described system architecture; in still other embodiments, the sandbox runtime environment deployment method provided in this disclosure can be implemented by the terminal device and the server in the above-described system architecture through interaction.

[0046] Figure 2 illustrates a flowchart of a sandbox runtime environment deployment method according to an embodiment of the present disclosure. As shown in Figure 2, the sandbox runtime environment deployment method provided in this embodiment includes the following steps:

[0047] S202, Obtain the configuration file of the target application, wherein the configuration file contains the performance requirements and / or security requirements of the target application.

[0048] It should be noted that the target application in this embodiment can be any type of application. In some embodiments, the application refers to an application that needs to be deployed or run using a sandbox runtime environment. The configuration file in S202 above can be a user-configured file containing performance requirement information and / or security requirement information of the target application. The performance requirement information reflects the performance requirements of the target application; the security requirement information reflects the security requirements of the target application. In some embodiments, the performance requirement information can be the application startup frequency of the target application; the security requirement information can be the security isolation level of the target application (such as virtual machine isolation or container isolation).

[0049] S204. Based on the performance and / or security requirements of the target application, determine the target sandbox runtime environment and the corresponding container image type for deploying the target application.

[0050] It should be noted that the target sandbox runtime environment in S204 above refers to a sandbox runtime environment that meets the performance and / or security requirements of the target application. In practice, the performance and / or security requirements provided by each sandbox runtime environment can be collected in advance. After obtaining the performance and / or security requirements of the target application, a sandbox runtime environment that meets these requirements can be automatically matched and used as the target sandbox runtime environment for deploying the target application. Different sandbox runtime environments require different types of container images to be created. Therefore, after determining the sandbox runtime environment for deploying the target application, the type of container image to be created can be further determined.

[0051] S206. Based on the target sandbox runtime environment and the corresponding container image type, the configuration file is completed, and the completed configuration file is sent to the container management cluster so that the container management cluster can create a container image corresponding to the target sandbox runtime environment based on the completed configuration file to run the target application.

[0052] It should be noted that after determining the target sandbox runtime environment and the corresponding container image type for the target application, the environment information of the target sandbox runtime environment and the corresponding container image type are added to the configuration file of the target application. This enables the container management cluster of the application to be deployed to create the container image corresponding to the target sandbox runtime environment based on the environment information of the target sandbox runtime environment and the corresponding container image type contained in the configuration file after the completion, so as to run the target application in a container sandbox isolation manner.

[0053] In some embodiments, the container management cluster in this disclosure is a Kubernetes cluster; the configuration file of the target application can be a YAML format configuration file.

[0054] Kubernetes (K8S) is an open-source platform for automating the deployment, scaling, and management of containerized applications. It provides a container orchestration system that helps users manage the operation of large-scale containerized applications. A Kubernetes cluster consists of a Master node and multiple Node (worker) nodes. The Master node is the core of the control plane, responsible for managing and monitoring the state of the entire cluster. Node nodes are where applications actually run; each node contains a kubelet, kube-proxy, and a container runtime component. The kubelet is responsible for running Pods on the node and monitoring their status; the kube-proxy is responsible for routing network traffic within the cluster and managing service load balancing; and the container runtime component is responsible for running application containers on the node.

[0055] In Kubernetes (K8S), each application consists of a group of containers, organized into one or more Pods (container groups). A Pod is the smallest unit of deployment in a K8S cluster. Each Pod contains one or more containers that share network and storage resources and run on the same host. Pods can be static (remaining unchanged over time) or dynamic (moving between different nodes in the cluster). Pods can be exposed through Service objects so that other components can access them. A Service is an abstraction used to expose the network endpoints of Pods. It can group multiple Pods together and provide them with a unique DNS name and a stable IP address. Services also provide load balancing and failover capabilities to ensure that applications continue to function normally when nodes fail. The API server exposes cluster state information through a RESTful API interface and receives requests from Kubelet clients.

[0056] In the Kubernetes (K8S) ecosystem, multiple sandbox runtime environments are available for hosting and running containers. These sandbox runtime environments are the components responsible for the actual creation and management of containers; they integrate with K8S to provide a runtime environment for applications. However, different sandbox runtime environments can vary in performance, resource utilization, and startup time, thus affecting application performance. Therefore, in complex container orchestration and management environments, it is crucial to select and configure the appropriate runtime based on the characteristics, performance, and security of the different sandbox runtimes.

[0057] Deployment YAML configuration files for different sandbox runtimes require customized parameters for the sandbox (for example, dozens of virtual machine class parameters), and when different sandbox runtime environments are invoked from YAML configuration files, the container image of the same application may need to be differentiated and adapted for each sandbox runtime environment. This requires manual differentiation by the user and increases configuration complexity. The sandbox runtime environment deployment method provided in this disclosure automatically completes the configuration file of the target application based on the determined target sandbox runtime environment and the corresponding container image type, reducing the complexity for the user and improving usability and maintainability.

[0058] Figure 3 shows a flowchart of a method for determining the sandbox runtime environment and corresponding container image type based on application requirements according to an embodiment of the present disclosure. As shown in Figure 3, the specific steps are as follows:

[0059] S302. Detect the node resource information of each worker node in the container management cluster. The node resource information includes: one or more sandbox runtime environments installed on each worker node and the remaining resource information of each worker node.

[0060] S304. Based on the performance and / or security requirements of the target application, and the node resource information of each worker node in the container management cluster, select the target sandbox runtime environment for deploying the target application.

[0061] S306. Determine the container image type to be created based on the target sandbox runtime environment.

[0062] In some embodiments, S302 above can calculate the recommended probability value of the sandbox runtime environment on each worker node using the following formula, and select the sandbox runtime environment with the highest recommended probability value as the target sandbox runtime environment for deploying the target application:

[0063] $\mathrm{Possibility}_{runtime} = A_{image} \times \left[1 - \mathrm{Normalize}\left(B_{space} \times X_{replica} \times C_{frequency} + D_{stable}\right)\right] \times 100\% \quad (1)$

[0064] Here, $\mathrm{Possibility}_{runtime}$ is the recommendation probability value; $A_{image}$ is a logical value: if a sandbox runtime environment that meets the performance and/or security requirements exists on the worker node, $A_{image} = 1$; if no sandbox runtime environment on the worker node meets the performance and/or security requirements, $A_{image} = 0$; $\mathrm{Normalize}(\cdot)$ is the normalization function; $B_{space}$ is the impact on the node's remaining resources of installing the container image of the corresponding sandbox runtime environment on the worker node; $X_{replica}$ is the number of replicas or instances of the application in the sandbox runtime; $C_{frequency}$ is the launch frequency of the target application; $D_{stable}$ is the stability status of the application. If the application is stable, a runtime that provides better performance and reliability may be more suitable. If the application is temporary and is expected to terminate frequently, a runtime with faster startup and shutdown times may be more appropriate.

[0065] In some embodiments, as shown in Figure 4, the container management cluster in this embodiment includes: a master node and at least one worker node connected to the master node;

[0066] The worker nodes include: a sandbox awareness module, which detects the node resource information of each worker node in the container management cluster and reports it to the sandbox recommendation and completion module; the master node includes: a sandbox recommendation and completion module, which, based on the performance and / or security requirements of the target application and the node resource information of each worker node in the container management cluster reported by the sandbox awareness module, completes the sandbox runtime environment and the corresponding container image type for deploying the target application in the target application's configuration file.

[0067] In some embodiments, the worker node further includes: an advanced container runtime environment for managing container images of different sandbox runtime environments; and a low-level container runtime environment for running container images of different sandbox runtime environments.

[0068] The high-level runtime is primarily responsible for transferring and managing container images, decompressing images, and passing them to the low-level runtime to run containers.

[0069] The kubelet, acting as a client, communicates with the container runtime over a socket using the gRPC framework. The Container Runtime Interface (CRI) comprises two services: ImageService and RuntimeService. The ImageService provides remote procedure calls (RPCs) for downloading, inspecting, and deleting images. The RuntimeService contains RPCs for managing container lifecycles and interacting with containers (exec/attach/port-forward). The kubelet invokes these runtime interfaces, which the runtime must implement according to the CRI specification.

[0070] This requires the container management system to be able to select the appropriate runtime environment and container image based on the specific needs of the application.

[0071] Figure 4 illustrates a sandbox runtime environment deployment system architecture based on a Kubernetes cluster according to an embodiment of this disclosure. As shown in Figure 4, a Kubernetes cluster includes a master node and at least one worker node. The master node contains a sandbox recommendation and completion module. Each worker node contains a sandbox awareness module and a sandbox controller. The sandbox recommendation and completion module is used to: intercept the user's deployment YAML file; run a recommendation algorithm based on the user's application and the sandbox awareness module's information to generate the required sandbox runtime environment and corresponding container image type; and complete the YAML file and pass it to the API server. The sandbox awareness module is used to: detect the sandbox runtime environments installed on the worker nodes and the remaining resources of the worker nodes, and report the node resource information to the sandbox recommendation and completion module.

[0072] In some embodiments, the sandbox awareness module, such as Figure 5 As shown, the sandbox awareness module detects the runtime binary files installed in / usr / bin / on the Worker node, generates sandbox runtime parameters, and passes them to the sandbox recommendation completion module; the sandbox controller selects the appropriate sandbox runtime environment according to the instructions and executes the application.

[0073] In some embodiments, the sandbox-recommended completion module, such as Figure 6As shown, it includes: an algorithm execution module 601, a YAML configuration file interception module 602, and a YAML configuration file completion module 603. The algorithm execution module 601 provides a sandbox runtime environment recommendation algorithm; the YAML configuration file interception module 602 handles incomplete YAML configuration files provided by the user; the YAML configuration file completion module 603 obtains the installed sandbox runtime environment, runs the sandbox runtime environment recommendation algorithm provided by the algorithm execution module 601, generates the required sandbox runtime environment and corresponding container image type, and completes the incomplete YAML configuration files intercepted by the YAML configuration file interception module 602.

[0074] In some embodiments of this disclosure, the sandbox runtime recommendation algorithm, calculated according to formula (1) above, is as follows. First, check whether an available image exists that can run in the corresponding sandbox runtime environment: if such an image exists, $A_{\text{image}}$ is set to 1; if the image is missing, $A_{\text{image}}$ is set to 0. Next, the available CPU and memory of the worker node are checked, and the resource usage of the container image is estimated to generate a normalized value $b$ in the range 0 to 1; $B_{\text{space}} = 1 - b$ represents the impact on node resources. The application's startup frequency $C_{\text{frequency}}$ equals the number of times the application starts per minute. Finally, determine whether the application is stable or transient: if the application is stable, a runtime offering better performance and reliability may be more suitable; if the application is transient and expected to terminate frequently, a runtime with faster start-up and teardown times may be more appropriate. This yields the parameter value $D_{\text{stable}}$. The normalized $\text{Possibility}_{\text{runtime}}$ is then calculated, and the algorithm provides a recommended sandbox runtime environment for the application based on the factors above: among all sandbox runtime environments whose $\text{Possibility}_{\text{runtime}}$ value is greater than 0, the one with the largest $\text{Possibility}_{\text{runtime}}$ value is selected and passed to the sandbox runtime completion module.
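The awareness scan of [0072] and the scoring of [0074], carried through in code as an added example; this is not code from the patent or from the applicant. The runtime binary names, the isolation ranking used for the security requirement, the image-type mapping, the per-runtime $D_{\text{stable}}$ values, the fixed-scale form of Normalize(·) and all node and application numbers are assumptions constructed for the example, and reading $b$ as the fraction of the node's free resources left after placing one replica is one interpretation of [0074]. The security requirement acts as a hard gate through $A_{\text{image}}$: a runtime whose isolation is too weak scores 0 and can never be selected, whatever its resource score.

```python
"""
Added example, not code from the patent: a toy sandbox-awareness scan ([0072])
and the recommendation score of formula (1) ([0074]) over constructed node
reports. Every table and number below is an assumption made for this example.
"""
from __future__ import annotations

import os
from dataclasses import dataclass

# Assumed: runtime binary name found in the node's bin directory -> sandbox runtime.
RUNTIME_BINARIES = {
    "runc": "runc",            # ordinary OCI container, weakest isolation
    "kata-runtime": "kata",    # secure container (VM-isolated)
    "firecracker": "microvm",  # MicroVM
    "wasmedge": "wasm",        # WASM runtime
}
ISOLATION_LEVEL = {"runc": 0, "wasm": 1, "kata": 2, "microvm": 2}   # assumed, higher = stronger
IMAGE_TYPE_FOR_RUNTIME = {"runc": "oci", "kata": "oci", "microvm": "rootfs", "wasm": "wasm"}  # assumed
NORMALIZE_SCALE = 100.0        # assumed fixed scale for Normalize(.): raw >= scale maps to 1


def runtimes_from_names(names) -> list[str]:
    """Map file names to the sandbox runtimes they indicate (sorted, de-duplicated)."""
    return sorted({RUNTIME_BINARIES[n] for n in names if n in RUNTIME_BINARIES})


def detect_installed_runtimes(bin_dir: str) -> list[str]:
    """Sandbox awareness: list known runtime binaries present in bin_dir (e.g. /usr/bin)."""
    try:
        return runtimes_from_names(os.listdir(bin_dir))
    except (FileNotFoundError, NotADirectoryError, PermissionError):
        return []


@dataclass
class NodeReport:               # what the awareness module reports for one worker node
    name: str
    runtimes: list[str]
    images: dict[str, str]      # image type -> image reference available on the node
    cpu_free_millicores: int
    mem_free_mib: int


@dataclass
class AppRequirements:          # requirement information taken from the user's YAML
    min_isolation: int          # security requirement
    cpu_millicores: int         # estimated usage of one replica (performance requirement)
    mem_mib: int
    replicas: int               # X_replica
    starts_per_minute: float    # C_frequency
    stable: bool                # stable (True) or transient (False) workload


def d_stable(runtime: str, stable: bool) -> float:
    """Assumed D_stable: penalize VM-based runtimes for transient apps, lighter ones for stable apps."""
    vm_based = runtime in ("kata", "microvm")
    if stable:
        return 0.0 if vm_based else 5.0
    return 20.0 if vm_based else 0.0


def normalize(raw: float) -> float:
    """Normalize(.) of formula (1), taken here as a fixed-scale clip to [0, 1]."""
    return min(max(raw / NORMALIZE_SCALE, 0.0), 1.0)


def possibility(app: AppRequirements, node: NodeReport, runtime: str) -> float:
    """Possibility_runtime = A_image x [1 - Normalize(B_space x X_replica x C_frequency + D_stable)] x 100%."""
    meets_security = ISOLATION_LEVEL.get(runtime, -1) >= app.min_isolation
    has_image = IMAGE_TYPE_FOR_RUNTIME.get(runtime) in node.images
    if not (runtime in node.runtimes and meets_security and has_image):
        return 0.0                           # A_image = 0: hard gate
    if node.cpu_free_millicores <= 0 or node.mem_free_mib <= 0:
        return 0.0                           # nothing left on this node
    # b: fraction of the node's free CPU/memory still left after placing one replica,
    # clipped to 0..1 (an app that does not fit counts as maximum impact); B_space = 1 - b.
    b_cpu = (node.cpu_free_millicores - app.cpu_millicores) / node.cpu_free_millicores
    b_mem = (node.mem_free_mib - app.mem_mib) / node.mem_free_mib
    b_space = 1.0 - min(max(min(b_cpu, b_mem), 0.0), 1.0)
    raw = b_space * app.replicas * app.starts_per_minute + d_stable(runtime, app.stable)
    return (1.0 - normalize(raw)) * 100.0    # A_image = 1


def recommend_runtime(app: AppRequirements, nodes: list[NodeReport]) -> dict | None:
    """Among all (node, runtime) candidates with Possibility > 0, return the largest one."""
    best = None
    for node in nodes:
        for rt in node.runtimes:
            p = possibility(app, node, rt)
            if p > 0.0 and (best is None or p > best["possibility"]):
                best = {"node": node.name, "runtime": rt,
                        "image_type": IMAGE_TYPE_FOR_RUNTIME[rt], "possibility": p}
    return best


# Constructed node reports and application requirements (sample data, not measurements).
NODES = [
    NodeReport("node-a", ["runc", "kata"], {"oci": "reg.example/app:oci"}, 4000, 8192),
    NodeReport("node-b", ["runc", "microvm", "wasm"],
               {"oci": "reg.example/app:oci", "rootfs": "reg.example/app:rootfs",
                "wasm": "reg.example/app:wasm"}, 2000, 4096),
]
TRANSIENT_APP = AppRequirements(min_isolation=2, cpu_millicores=500, mem_mib=512,
                                replicas=2, starts_per_minute=3.0, stable=False)
STABLE_APP = AppRequirements(min_isolation=0, cpu_millicores=1000, mem_mib=1024,
                             replicas=3, starts_per_minute=0.1, stable=True)

if __name__ == "__main__":
    print("installed on this host:", detect_installed_runtimes("/usr/bin"))
    print("transient:", recommend_runtime(TRANSIENT_APP, NODES))
    print("stable:", recommend_runtime(STABLE_APP, NODES))
```

Running the file prints the runtimes found under /usr/bin on the host and the recommendation for both constructed applications. A fixed-scale Normalize(·) is used deliberately: with min-max normalization over the candidate set, the worst candidate always scores exactly 0 and is dropped by the "greater than 0" rule, so a single-candidate cluster would get no recommendation at all.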

[0075] Figure 7 shows a flowchart of a sandbox runtime environment deployment method based on a Kubernetes cluster according to an embodiment of the present disclosure. As shown in Figure 7, the method specifically includes:

[0076] S702: obtain the YAML file provided by the user, which contains the application requirements. This YAML file may be an incomplete configuration file containing only the application requirements.

[0077] S704: detect the installed sandbox runtime environments. In practice, the sandbox awareness module detects the installed runtimes and the remaining resource information on each worker node and passes them to the sandbox recommendation and completion module.

[0078] S706: intercept the user-provided YAML file. In practice, the sandbox recommendation and completion module intercepts the YAML file provided by the user.

[0079] S708: run the sandbox runtime environment recommendation algorithm. In practice, the sandbox recommendation and completion module runs the recommendation algorithm based on the user's application requirements to generate the required sandbox runtime environment and the corresponding container image type.

[0080] S710: complete the YAML file and send it to the Kubernetes cluster. The Kubernetes cluster includes a master node and at least one worker node; the master node is configured with an API server, and the worker nodes are configured with Kubelet clients.

[0081] S712: the API server on the master node sends requests to the Kubelet clients on the worker nodes. In practice, the API server processes the completed YAML file, and the Kubelet clients on the worker nodes receive the resulting instructions.

[0082] S714: the high-level container runtime environment issues instructions to create the sandbox runtime environment and the corresponding container image. The Kubelet client on the worker node interacts with the container engine, issuing instructions through the high-level container runtime environment to create the sandbox runtime environment and the container image of the corresponding type.

[0083] S716: the low-level container runtime environment receives the instructions and runs the application.
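Step S710, the completion of the intercepted manifest, as an added example that is not the patent's or the applicant's code. It operates on the parsed YAML mapping (a YAML library would do the parsing; JSON output is valid YAML, so the standard json module is used to print the result), expresses the chosen runtime through the Kubernetes field spec.runtimeClassName and pins the chosen worker node with the well-known kubernetes.io/hostname label, neither of which the patent names; the RuntimeClass names, image catalog, annotation keys, recommendation record and sample manifest are constructed assumptions.

```python
"""
Added example, not the patent's code: completing an intercepted, incomplete
deployment manifest (S710) from a recommendation result, and checking the result
before it is sent to the API server. Names and sample data are constructed.
"""
from __future__ import annotations

import copy
import json

# Assumed RuntimeClass name per sandbox runtime (value for spec.runtimeClassName);
# None means the node's default runtime, so nothing is written.
RUNTIME_CLASS = {"runc": None, "kata": "kata", "microvm": "firecracker", "wasm": "wasmedge"}

# Constructed image catalog: image type -> image reference to fill in.
IMAGE_CATALOG = {
    "oci": "registry.example.internal/demo-app:1.0",
    "rootfs": "registry.example.internal/demo-app-rootfs:1.0",
    "wasm": "registry.example.internal/demo-app-wasm:1.0",
}


def complete_manifest(manifest: dict, recommendation: dict, catalog: dict = IMAGE_CATALOG) -> dict:
    """Fill only the fields the user left out; refuse to override an explicit conflicting choice."""
    out = copy.deepcopy(manifest)            # never mutate the intercepted input
    spec = out.setdefault("spec", {})
    rc = RUNTIME_CLASS[recommendation["runtime"]]
    existing = spec.get("runtimeClassName")
    if existing is not None and existing != rc:
        # The user pinned a runtime that disagrees with the recommendation: surface it,
        # do not silently rewrite a deliberate (possibly weaker or stronger) choice.
        raise ValueError(f"manifest pins runtimeClassName={existing!r}, recommendation is {rc!r}")
    if rc is not None:
        spec["runtimeClassName"] = rc
    # Pin to the worker node the score was computed for, via the well-known hostname label.
    spec.setdefault("nodeSelector", {}).setdefault("kubernetes.io/hostname", recommendation["node"])
    image = catalog[recommendation["image_type"]]
    for container in spec.setdefault("containers", []):
        container.setdefault("image", image)  # keep any image the user set explicitly
    return out


def missing_fields(manifest: dict) -> list[str]:
    """Check a (completed) manifest for fields the API server would reject it without."""
    missing = [key for key in ("apiVersion", "kind") if key not in manifest]
    containers = manifest.get("spec", {}).get("containers", [])
    if not containers:
        missing.append("spec.containers")
    for i, container in enumerate(containers):
        if "image" not in container:
            missing.append(f"spec.containers[{i}].image")
    return missing


# Constructed incomplete manifest: only the application and its requirements are given
# (the annotation keys carrying the requirements are an assumption of this example).
USER_MANIFEST = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {
        "name": "demo-app",
        "annotations": {"sandbox.example/min-isolation": "2",
                        "sandbox.example/starts-per-minute": "3"},
    },
    "spec": {"containers": [{"name": "app", "ports": [{"containerPort": 8080}]}]},
}
# Constructed recommendation record, the shape the recommendation step would hand over.
RECOMMENDATION = {"node": "node-a", "runtime": "kata", "image_type": "oci", "possibility": 79.25}


def demo() -> dict:
    completed = complete_manifest(USER_MANIFEST, RECOMMENDATION)
    print(json.dumps(completed, indent=2))       # JSON is valid YAML; kubectl accepts it as-is
    print("missing fields:", missing_fields(completed))
    return completed


if __name__ == "__main__":
    demo()
```

The completion only fills fields the user left empty and raises on an explicit runtimeClassName that contradicts the recommendation, so a manifest that deliberately pins a different runtime is surfaced rather than silently rewritten; missing_fields is the check to run before handing the result to the API server.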

[0084] As can be seen from the above, the sandbox runtime environment deployment method based on a K8S cluster provided in this embodiment adds a unified sandbox runtime interface module. By automatically recommending sandboxes, automatically adapting to corresponding image versions, and automatically completing YAML deployment files, the complexity of user operation is reduced, and ease of use and maintainability are improved.

[0085] The sandbox runtime environment deployment method provided in this disclosure can be applied to, but is not limited to, ECI elastic container instances or FaaS function computing products. The application of this disclosure embodiment in ECI elastic container instances or FaaS function computing products is described below:

[0086] Example 1: ECI Elastic Container Instance.

[0087] (1) Choose a suitable container orchestration tool: K8S has powerful orchestration and management functions and can be used to manage various containerized applications.

[0088] (2) Prepare the infrastructure: Ensure that the infrastructure supports MicroVM, secure containers and WASM runtime.

[0089] (3) Build the image: Create an appropriate container image for each runtime. For MicroVM, an image that supports Firecracker needs to be created. For secure containers, the application and the secure container runtime need to be packaged together in the image. For the WASM runtime, an image that supports WASM needs to be built.

[0090] (4) Deploy to K8S: Use K8S to deploy these images to the cluster.

[0091] (5) Set appropriate Pod security policies: To increase security, you can set Pod security policies in K8S to restrict container permissions and resource access.

[0092] (6) Configure hybrid deployment: Ensure that the application is correctly configured in K8S to use different runtimes.

[0093] (7) Unified orchestration and management: Use K8S cluster management functions, such as Services and Ingress, to achieve unified orchestration and management.

[0094] (8) Monitoring and tuning: Implement appropriate monitoring and logging to ensure the normal operation of the system. Tune the system based on performance and resource usage to improve its efficiency and reliability.

[0095] Applying the sandbox runtime environment deployment method provided in this embodiment to ECI elastic container instances enables hybrid deployment of MicroVM, secure containers, and WASM runtime, with unified orchestration and management, thereby providing greater flexibility and security to meet the needs of different applications.

[0096] Example 2: FaaS function computing products.

[0097] (1) Application scenario: Determine the characteristics and requirements of stable functions and high-frequency temporary functions, understand the composition and availability of resource pools, and define performance indicators in order to intelligently perceive the system status.

[0098] (2) Design node pools: Design different node pools according to the different types of function requirements, determine the size and resource configuration of each node pool, and consider high availability and fault recovery strategies.

[0099] (3) Implement intelligent sensing: Deploy a monitoring and measurement system to monitor the performance and load of the node pool in real time.

[0100] (4) Formulate a unified scheduling strategy: Develop a scheduler or use existing scheduling tools to allocate tasks to the appropriate node pool according to the type and requirements of the function.

[0101] (5) Multi-resource pool coordination: Create multiple resource pools in a unified management layer and assign different node pools to them to ensure resource isolation between resource pools and prevent interference.

[0102] (6) Performance optimization: Regularly conduct performance evaluation and optimization, adjust resource allocation and node pool size based on monitoring data, and use caching strategies and data preheating to improve function response time.

[0103] Applying the sandbox runtime environment deployment method provided in this embodiment to FaaS function computing products can enable unified scheduling and coordinated allocation of nodes for stable functions and high-frequency temporary functions, achieving intelligent perception and coordinated management of multiple resource pools.

[0104] Based on the same inventive concept, this disclosure also provides a sandbox runtime environment deployment device, as described in the following embodiments. Since the principle by which this device embodiment solves the problem is similar to that of the above-described method embodiments, the implementation of this device embodiment can refer to the implementation of the above-described method embodiments, and repeated details will not be elaborated further.

[0105] Figure 8 illustrates a sandbox runtime environment deployment device according to an embodiment of the present disclosure. As shown in Figure 8, the device includes: a configuration file interception module 801, a sandbox runtime environment determination module 802, and a configuration file completion module 803.

[0106] The configuration file interception module 801 is used to obtain the configuration file of the target application, which contains the performance requirements and / or security requirements of the target application; the sandbox runtime environment determination module 802 is used to determine the target sandbox runtime environment and the corresponding container image type for deploying the target application based on the performance requirements and / or security requirements of the target application; the configuration file completion module 803 is used to complete the configuration file according to the target sandbox runtime environment and the corresponding container image type, and send the completed configuration file to the container management cluster so that the container management cluster can create a container image corresponding to the target sandbox runtime environment based on the completed configuration file to run the target application.

[0107] In some embodiments, the sandbox runtime environment determination module 802 is further configured to: detect the node resource information of each worker node in the container management cluster, wherein the node resource information includes: one or more sandbox runtime environments installed on each worker node and the remaining resource information of each worker node; select the target sandbox runtime environment for deploying the target application based on the performance requirements and / or security requirements of the target application and the node resource information of each worker node in the container management cluster; and determine the container image type of the container image to be created based on the target sandbox runtime environment.

[0108] In some embodiments, the sandbox runtime environment determination module 802 is further configured to calculate the recommended probability value of the sandbox runtime environment on each worker node using formula (1) above, and to select the sandbox runtime environment with the highest recommended probability value as the target sandbox runtime environment for deploying the target application.

[0109] In some embodiments, the container management cluster includes: a master node and at least one worker node connected to the master node; wherein, the worker node includes: a sandbox awareness module, used to detect the node resource information of each worker node in the container management cluster and report it to the sandbox recommendation and completion module; the master node includes: a sandbox recommendation and completion module, used to complete the sandbox runtime environment and the corresponding container image type for deploying the target application in the target application's configuration file based on the target application's performance requirements and / or security requirements and the node resource information of each worker node in the container management cluster reported by the sandbox awareness module.

[0110] Furthermore, in some embodiments, the aforementioned worker node further includes: a high-level container runtime environment for managing container images of different sandbox runtime environments; and a low-level container runtime environment for running container images of different sandbox runtime environments.

[0111] In some embodiments, the container management cluster in this disclosure is a Kubernetes cluster; the configuration file of the target application is a YAML format configuration file.

[0112] It should be noted that the examples and application scenarios implemented by the modules in the above device embodiments and the corresponding steps in the method embodiments are the same, but are not limited to the content disclosed in the above method embodiments. It should also be noted that the above modules, as part of the device, can be executed in a computer system such as a set of computer-executable instructions.

[0113] Those skilled in the art will understand that various aspects of this disclosure can be implemented in the following forms: a completely hardware implementation, a completely software implementation (including firmware, microcode, etc.), or a combination of hardware and software implementations, which can be collectively referred to herein as a "circuit", "module" or "system".

[0114] Based on the same inventive concept, this disclosure also provides an electronic device, which includes: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to execute the sandbox runtime environment deployment method described above by executing the executable instructions. Since the principle by which this electronic device embodiment solves the problem is similar to that of the above method embodiments, the implementation of this electronic device embodiment can refer to the implementation of the above method embodiments, and repeated details will not be described again.

[0115] An electronic device 900 according to such an embodiment of the present disclosure is described below with reference to Figure 9. The electronic device 900 shown in Figure 9 is merely an example and should not impose any limitation on the functionality and scope of use of the embodiments disclosed herein.

[0116] As shown in Figure 9, the electronic device 900 takes the form of a general-purpose computing device. The components of the electronic device 900 may include, but are not limited to: at least one processing unit 910, at least one storage unit 920, and a bus 930 connecting different system components (including the storage unit 920 and the processing unit 910).

[0117] The storage unit stores program code that can be executed by the processing unit 910, causing the processing unit 910 to perform the steps described in the "Exemplary Methods" section of this specification according to various exemplary embodiments of this disclosure. For example, the processing unit 910 can perform the following steps of the above method embodiments: obtaining a configuration file of the target application, wherein the configuration file contains performance requirement information and / or security requirement information of the target application; determining the target sandbox runtime environment and the corresponding container image type for deploying the target application based on the performance requirement information and / or security requirement information of the target application; performing completion processing on the configuration file based on the target sandbox runtime environment and the corresponding container image type, and sending the completed configuration file to the container management cluster, so that the container management cluster creates a container image corresponding to the target sandbox runtime environment based on the completed configuration file to run the target application.

[0118] Storage unit 920 may include readable media in the form of volatile storage units, such as random access memory (RAM) 9201 and / or cache memory 9202, and may further include read-only memory (ROM) 9203.

[0119] Storage unit 920 may also include a program / utility 9204 having a set (at least one) of program modules 9205; such program modules 9205 include, but are not limited to, an operating system, one or more application programs, other program modules, and program data, and each of these examples, or some combination of them, may include an implementation of a network environment.

[0120] Bus 930 can represent one or more of several types of bus structures, including a storage unit bus or storage unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.

[0121] Electronic device 900 can also communicate with one or more external devices 940 (e.g., keyboard, pointing device, Bluetooth device, etc.), and with one or more devices that enable a user to interact with electronic device 900, and / or with any device that enables electronic device 900 to communicate with one or more other computing devices (e.g., router, modem, etc.). This communication can be performed via input / output (I / O) interface 950. Furthermore, electronic device 900 can also communicate with one or more networks (e.g., local area network (LAN), wide area network (WAN), and / or public networks, such as the Internet) via network adapter 960. As shown, network adapter 960 communicates with other modules of electronic device 900 via bus 930. It should be understood that, although not shown in the figures, other hardware and / or software modules can be used in conjunction with electronic device 900, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems.

[0122] From the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein can be implemented by software or by combining software with necessary hardware. Therefore, the technical solutions according to the embodiments of this disclosure can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (such as a CD-ROM, USB flash drive, external hard drive, etc.) or on a network, including several instructions to cause a computing device (such as a personal computer, server, terminal device, or network device, etc.) to execute the methods according to the embodiments of this disclosure.

[0123] Based on the same inventive concept, this disclosure also provides a computer-readable storage medium storing a computer program that, when executed by a processor, implements the sandbox runtime environment deployment method described above. Since the principle by which this computer-readable storage medium embodiment solves the problem is similar to that of the above method embodiments, the implementation of this computer-readable storage medium embodiment can refer to the implementation of the above method embodiments, and repeated details will not be elaborated further.

[0124] More specific examples of computer-readable storage media in this disclosure may include, but are not limited to: electrical connections having one or more wires, portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination of the foregoing.

[0125] In this disclosure, a computer-readable storage medium may include a data signal propagated in baseband or as part of a carrier wave, carrying readable program code. Such propagated data signals may take various forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination thereof. A readable signal medium may also be any readable medium other than a readable storage medium, capable of sending, propagating, or transporting a program for use by or in connection with an instruction execution system, apparatus, or device.

[0126] Optionally, the program code contained on the computer-readable storage medium may be transmitted using any suitable medium, including but not limited to wireless, wired, optical fiber, RF, etc., or any suitable combination thereof.

[0127] In practical implementation, program code for performing the operations of this disclosure can be written in any combination of one or more programming languages, including object-oriented programming languages such as Java and C++, and conventional procedural programming languages such as C or similar languages. The program code can execute entirely on the user's computing device, partially on the user's device, as a standalone software package, partially on the user's computing device and partially on a remote computing device, or entirely on a remote computing device or server. In cases involving remote computing devices, the remote computing device can be connected to the user's computing device via any type of network, including a local area network (LAN) or a wide area network (WAN), or it can be connected to an external computing device (e.g., via the Internet using an Internet service provider).

[0128] Based on the same inventive concept, this disclosure also provides a computer program product, including a computer program or instructions, which, when executed by a processor, implements the sandbox runtime environment deployment method of any one of the above method embodiments. Since the principle by which this computer program product embodiment solves the problem is similar to that of the above method embodiments, the implementation of this computer program product embodiment can refer to the implementation of the above method embodiments, and repeated details will not be elaborated further.

[0129] It should be noted that although several modules or units for the device used to perform actions have been mentioned in the detailed description above, this division is not mandatory. In fact, according to embodiments of this disclosure, the features and functions of two or more modules or units described above can be embodied in one module or unit. Conversely, the features and functions of one module or unit described above can be further divided and embodied by multiple modules or units.

[0130] Furthermore, although the steps of the method in this disclosure are described in a specific order in the accompanying drawings, this does not require or imply that the steps must be performed in that specific order, or that all the steps shown must be performed to achieve the desired result. Additional or alternative steps may be omitted, multiple steps may be combined into one step, and / or a step may be broken down into multiple steps.

[0131] From the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein can be implemented by software or by combining software with necessary hardware. Therefore, the technical solutions according to the embodiments of this disclosure can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (such as a CD-ROM, USB flash drive, external hard drive, etc.) or on a network, including several instructions to cause a computing device (such as a personal computer, server, mobile terminal, or network device, etc.) to execute the methods according to the embodiments of this disclosure.

[0132] Other embodiments of this disclosure will readily occur to those skilled in the art upon consideration of the specification and practice of the invention disclosed herein. This disclosure is intended to cover any variations, uses, or adaptations of this disclosure that follow the general principles of this disclosure and include common knowledge or customary techniques in the art not disclosed herein. The specification and examples are to be considered exemplary only, and the true scope and spirit of this disclosure are indicated by the appended claims.

Claims

1. A method for deploying a sandbox runtime environment, characterized in that it includes: obtaining the configuration file of the target application, wherein the configuration file contains the performance requirements and / or security requirements of the target application; determining, based on the performance and / or security requirements of the target application, the target sandbox runtime environment and the corresponding container image type for deploying the target application; and completing the configuration file based on the target sandbox runtime environment and the corresponding container image type, and sending the completed configuration file to the container management cluster so that the container management cluster can create a container image corresponding to the target sandbox runtime environment based on the completed configuration file to run the target application.

2. The sandbox runtime environment deployment method according to claim 1, characterized in that determining, based on the performance and / or security requirements of the target application, the target sandbox runtime environment and the corresponding container image type for deploying the target application includes: detecting the node resource information of each worker node in the container management cluster, wherein the node resource information includes: one or more sandbox runtime environments installed on each worker node and the remaining resource information of each worker node; selecting the target sandbox runtime environment for deploying the target application based on the performance and / or security requirements of the target application and the node resource information of each worker node in the container management cluster; and determining the container image type of the container image to be created based on the target sandbox runtime environment.

3. The sandbox runtime environment deployment method according to claim 2, characterized in that selecting the target sandbox runtime environment for deploying the target application based on the performance and / or security requirements of the target application and the node resource information of each worker node within the container management cluster includes: calculating the recommended probability value of the sandbox runtime environment on each worker node using the following formula, and selecting the sandbox runtime environment with the highest recommended probability value as the target sandbox runtime environment for deploying the target application:

$$\text{Possibility}_{\text{runtime}} = A_{\text{image}} \times \left[1 - \text{Normalize}\left(B_{\text{space}} \times X_{\text{replica}} \times C_{\text{frequency}} + D_{\text{stable}}\right)\right] \times 100\%$$

where $\text{Possibility}_{\text{runtime}}$ denotes the recommended probability value; $A_{\text{image}}$ is a logical value: if a sandbox runtime environment that satisfies the performance and / or security requirements exists on the worker node, $A_{\text{image}}$ is 1, and if no sandbox runtime environment on the worker node meets the performance and / or security requirements, $A_{\text{image}}$ is 0; $\text{Normalize}(\cdot)$ denotes the normalization function; $B_{\text{space}}$ denotes the impact on the node's remaining resources of installing the container image of the corresponding sandbox runtime environment on the worker node; $X_{\text{replica}}$ denotes the number of copies or instances of the application in the sandbox runtime environment; $C_{\text{frequency}}$ denotes the launch frequency of the target application; and $D_{\text{stable}}$ denotes the stability status of the application.

4. The sandbox runtime environment deployment method according to claim 1, characterized in that the container management cluster includes: a master node and at least one worker node connected to the master node; the worker node includes a sandbox awareness module, used to detect the node resource information of each worker node in the container management cluster and report it to the sandbox recommendation and completion module; and the master node includes a sandbox recommendation and completion module, used to complete, in the configuration file of the target application, the sandbox runtime environment for deploying the target application and the corresponding container image type, based on the performance requirements and / or security requirements of the target application and the node resource information of each worker node in the container management cluster reported by the sandbox awareness module.

5. The sandbox runtime environment deployment method according to claim 4, characterized in that the worker node further includes: a high-level container runtime environment for managing container images of different sandbox runtime environments; and a low-level container runtime environment for running container images of different sandbox runtime environments.

6. The sandbox runtime environment deployment method according to any one of claims 1 to 5, characterized in that the container management cluster is a Kubernetes cluster and the configuration file is a configuration file in YAML format.

7. A sandbox runtime environment deployment device, characterized in that it includes: a configuration file interception module, used to obtain the configuration file of the target application, wherein the configuration file contains the performance requirement information and / or security requirement information of the target application; a sandbox runtime environment determination module, used to determine the target sandbox runtime environment and the corresponding container image type for deploying the target application based on the performance requirements and / or security requirements of the target application; and a configuration file completion module, used to complete the configuration file according to the target sandbox runtime environment and the corresponding container image type, and to send the completed configuration file to the container management cluster so that the container management cluster can create a container image corresponding to the target sandbox runtime environment based on the completed configuration file to run the target application.

8. An electronic device, characterized in that it includes: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to execute the sandbox runtime environment deployment method of any one of claims 1 to 6 by executing the executable instructions.

9. A computer-readable storage medium having a computer program stored thereon, characterized in that, when the computer program is executed by a processor, it implements the sandbox runtime environment deployment method according to any one of claims 1 to 6.

10. A computer program product, comprising a computer program or instructions, characterized in that, when executed by a processor, the computer program or instructions implement the sandbox runtime environment deployment method according to any one of claims 1 to 6.