CN-122019048-A - Method, device, equipment and medium for constructing mirror image credibility of limited environment container

Abstract

The invention provides a method, a device, equipment and a medium for constructing a limited environment container mirror image credibility, which comprises the steps of submitting Dockerfile three types of materials, a dependency list and an item source code to a version control system, carrying out static security scanning on submitted Dockerfile through a vulnerability scanning tool, pulling an authenticated basic mirror image from a controlled basic mirror image item of a controlled mirror image warehouse, completing construction of a service mirror image by combining Dockerfile, carrying out setting scanning on the constructed service mirror image, pushing the mirror image subjected to compliance inspection to the mirror image warehouse, exporting the mirror image into an archive file, loading the mirror image subjected to compliance verification and completing container deployment according to a deployment list in a limited production environment which only allows access to internal necessary services and has no external network access authority, and carrying out basic operation state verification and business function verification after the deployment is completed, thereby remarkably improving the security of the mirror image.

Inventors

• LI NING
• XIE QI
• WANG ZHONGLING
• ZHANG QIAN
• LI SITONG
• REN TINGTING

Assignees

• 华福证券有限责任公司

Dates

Publication Date

20260512

Application Date

20251226

Claims (10)

1. 1. The trusted construction method of the limited environment container image is characterized by comprising the following steps: s1, submitting Dockerfile, relying on a list and project source codes to a version control system; s2, carrying out static security scanning on submitted Dockerfile through a vulnerability scanning tool, and classifying and disposing a scanning result according to a preset risk classification rule, wherein the risk classification rule comprises four grades of serious risk, high risk, medium risk and low risk, and each grade corresponds to different recognition ranges and processing strategies; S3, pulling the authenticated basic image from the controlled basic image project of the controlled image warehouse, and combining Dockerfile to complete the construction of the service image; S4, setting and scanning the constructed service mirror image, wherein the scanning range comprises system layer loopholes, dependency layer loopholes, license protocol compliance and mirror image configuration compliance; S5, pushing the mirror images which pass the compliance inspection to a mirror image warehouse, and carrying out version management according to a preset version naming rule, wherein a developer only has mirror image pulling authority, and an operation and maintenance person has mirror image pushing, pulling and authority management full authority; S6, exporting the mirror image into an archive file, generating and recording a hash value of the archive file to a constructed audit log, transmitting the archive file to a production environment through a controlled security channel, recalculating the hash value of the received archive file before deployment, and carrying out consistency check on the hash value and an original hash value in the constructed audit log; And S7, loading the mirror image passing the consistency check in a limited production environment which only allows access to the internal necessary service and has no external network access authority, completing container deployment according to the deployment list, and performing basic running state verification and service function verification after the deployment is completed.
2. 2. The method for trusted building of restricted environment container images of claim 1, wherein in S2, the identification range of the serious risk comprises using uncontrolled or unknown source base images, executing high-risk instructions by a root user, including instructions for downloading and executing remote scripts, having a first set remote code execution vulnerability, and including malicious persistence behaviors in Dockerfile; In the S2, the high risk identification range comprises using an unauthorized but source-identifiable basic image, including a second set vulnerability of the system, enabling dangerous authority capability, using an uncontrolled software source, and not explicitly specifying a dependent version number; In the S2, the identification range of the medium risk comprises third setting loopholes of a dependency library, using upgrading instructions without version locking, unlocking a system package version and unclamping a cache, wherein the processing strategies are used for allowing the follow-up construction flow to enter, and performing secondary scanning evaluation after the mirror image construction is completed; In the step S2, the identification range of the low risk comprises a fourth setting vulnerability, a mirror image volume or structural problem which does not follow the best practice of mirror image construction and does not affect safety, a processing strategy is that a main flow is not blocked, and setting optimization suggestions are added in a deployment document.
3. 3. The method for trusted building of restricted environment container images of claim 1, wherein in S3, the base images in the controlled base image project are images previously pulled from an official source and stored in an image repository.
4. 4. The method for trusted building of restricted environment container images according to claim 1, wherein in S5, the format of the preset version naming rule is item identification-item name-environment identification-version number, and the environment identification comprises test environment identification and production environment identification.
5. 5. The method for constructing the image credible of the limited environment container according to claim 1, wherein in the step S6, the hash value is calculated by adopting an SHA-256 algorithm, the information recorded in the audit log is constructed and comprises an image name, an image version number, construction time, an operation and maintenance account number identifier and the hash value, and the controlled security channel comprises internal hierarchical storage equipment and an internal cloud disk.
6. 6. The method for trusted building of restricted environment container images of claim 1, wherein in S7, the deployment list is required to be checked safely before deployment, and the method specifically comprises the following steps: Checking mirror image information, namely checking consistency of mirror image names, version numbers and hash values and constructing audit logs; rechecking the running configuration, namely rechecking CPU limit, memory limit, a container restarting strategy and a process running user; Rechecking the network configuration, namely rechecking the port of the container, the mapping relation of the host port, the network mode and the communication range between services; rechecking the storage configuration, namely rechecking a data volume mounting list, a corresponding relation between a host and a container path, a data volume authority and an environment variable list; And performing deployment of the deployment list after the safety rechecking.
7. 7. The method for constructing the image credibility of the limited environment container according to claim 1, wherein in S7, the basic running state verification comprises in-container process survival state verification, service monitoring port availability verification, log normal output verification and communication stability verification with an internal dependent service; In the step S7, the deployment operation further comprises environment parameter configuration, wherein the environment parameter configuration comprises setting service operation users and authorities, configuring resource limitations, configuring health checks, configuring container log paths and log rotation strategies, configuring a network access control list and accessing a white list, configuring service starting environment variables, and configuring internal load balancing or service registration information.
8. 8. A limited environment container image trusted building apparatus comprising: the version control module submits Dockerfile, dependency list and project source code three types of materials to the version control system; the static scanning module carries out static security scanning on submitted Dockerfile through a vulnerability scanning tool and classifies and disposes a scanning result according to a preset risk classification rule, wherein the risk classification rule comprises four grades of serious risk, high risk, medium risk and low risk, and each grade corresponds to different recognition ranges and processing strategies; the mirror image construction module is used for pulling the authenticated basic mirror image from the controlled basic mirror image project of the controlled mirror image warehouse and completing the construction of the service mirror image by combining Dockerfile; The vulnerability scanning module is used for setting and scanning the constructed service mirror image, wherein the scanning range comprises system layer vulnerabilities, dependency layer vulnerabilities, license protocol compliance and mirror image configuration compliance; The system comprises a mirror image management module, a development personnel, an operation and maintenance personnel, a mirror image management module and a control module, wherein the mirror image management module pushes the mirror image which passes through compliance inspection to a mirror image warehouse and carries out version management according to a preset version naming rule; The security distribution module is used for exporting the mirror image into an archive file, generating and recording the hash value of the archive file to a constructed audit log, transmitting the archive file to a production environment through a controlled security channel, recalculating the hash value of the received archive file before deployment, and carrying out consistency check on the hash value and an original hash value in the constructed audit log; And the limited deployment module is used for loading the mirror image passing the consistency check and completing the container deployment according to the deployment list in a limited production environment which only allows access to internal necessary services and has no external network access authority, and carrying out basic running state verification and service function verification after the deployment is completed.
9. 9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method according to any one of claims 1 to 7 when executing the program.
10. 10. A computer-readable storage medium, on which a computer program is stored, characterized in that the program, when being executed by a processor, implements the method according to any one of claims 1 to 7.

Description

Method, device, equipment and medium for constructing mirror image credibility of limited environment container Technical Field The present invention relates to the field of computer technologies, and in particular, to a method, an apparatus, a device, and a medium for trusted construction of a limited environment container image. Background With the rapid application of AI technology in securities industry, the deployment demands of AI model reasoning services and data processing services in enterprises are increasing. However, the securities industry has high security requirements, the production environment is usually isolated from the extranet, and developers are not allowed to directly perform uncontrolled operations at the production server. In the prior art, the following situations are common in small and medium-sized securities institutions: 1. Lack of mature DevOps tool chain, difficulty in introducing professional pipelines, and lack of mirrored supply chain management capability. 2. The developer builds the Docker image by himself, the image content is uncontrollable, and the image content may contain malicious codes, unknown dependencies or untrusted base images. The pip source and the base mirror source are not controlled, the credibility of the dependent source cannot be verified, and the risk of supply chain attack exists. 4. The mirror image lacks a unified version management mechanism, and cannot roll back, audit and reproduce the environment. 5. The development and production environment authorities are mixed, and developers can directly inject images into the production environment, so that audit loss and human risks exist. Therefore, the prior art cannot meet the requirements of security industry on the construction and deployment of AI containers with safety, traceability, auditability and controllable sources. Disclosure of Invention The invention aims to solve the technical problem of providing a method, a device, equipment and a medium for constructing the mirror image credibility of a limited environment container, and the safety of the mirror image is obviously improved. In a first aspect, the present invention provides a trusted construction method for a limited environment container image, including the steps of: s1, submitting Dockerfile, relying on a list and project source codes to a version control system; s2, carrying out static security scanning on submitted Dockerfile through a vulnerability scanning tool, and classifying and disposing a scanning result according to a preset risk classification rule, wherein the risk classification rule comprises four grades of serious risk, high risk, medium risk and low risk, and each grade corresponds to different recognition ranges and processing strategies; S3, pulling the authenticated basic image from the controlled basic image project of the controlled image warehouse, and combining Dockerfile to complete the construction of the service image; S4, setting and scanning the constructed service mirror image, wherein the scanning range comprises system layer loopholes, dependency layer loopholes, license protocol compliance and mirror image configuration compliance; S5, pushing the mirror images which pass the compliance inspection to a mirror image warehouse, and carrying out version management according to a preset version naming rule, wherein a developer only has mirror image pulling authority, and an operation and maintenance person has mirror image pushing, pulling and authority management full authority; S6, exporting the mirror image into an archive file, generating and recording a hash value of the archive file to a constructed audit log, transmitting the archive file to a production environment through a controlled security channel, recalculating the hash value of the received archive file before deployment, and carrying out consistency check on the hash value and an original hash value in the constructed audit log; And S7, loading the mirror image passing the consistency check in a limited production environment which only allows access to the internal necessary service and has no external network access authority, completing container deployment according to the deployment list, and performing basic running state verification and service function verification after the deployment is completed. In a second aspect, the present invention provides a limited environment container image trusted building apparatus comprising: the version control module submits Dockerfile, dependency list and project source code three types of materials to the version control system; the static scanning module carries out static security scanning on submitted Dockerfile through a vulnerability scanning tool and classifies and disposes a scanning result according to a preset risk classification rule, wherein the risk classification rule comprises four grades of serious risk, high risk, medium risk and low risk, and each grade corresponds to differen