Protecting container images and runtime data

US12242879B2 · US · B2

Patent metadata

Publication number: US-12242879-B2
Application number: US-202217858120-A
Country: US
Kind code: B2
Filing date: Jul 6, 2022
Priority date: Jul 6, 2022
Publication date: Mar 4, 2025
Grant date: Mar 4, 2025

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title: what the patent document calls the invention.
  2. Abstract: a short plain-language summary of the technical disclosure.
  3. Assignees and inventors: who owns or filed the patent and who is credited as inventor.
  4. Key dates: filing, priority, publication, and grant dates set the timeline.
  5. First independent claim: the legal scope of protection; read this for what is actually claimed.
  6. CPC / IPC classifications: technology tags used to group this patent with similar filings.
  7. Citations and related patents: prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

An approach for protecting container image and runtime data from host access may be presented. Container systems have allowed for more efficient utilization of computing resources, removing the requirement of a hypervisor, and packaging all necessary dependencies within an application. Preventing host access to container image and runtime data can be advantageous for a multitude of reasons. The approach herein may include flattening a plurality of root file systems of one or more container images into a single layer. The approach may also include generating a container base image for each of the one or more flattened root file systems. The approach may include encrypting each of the generated container base images with the flattened root file system.

First claim

Claim text as shown on this page (claims 1 through 11; claims 1, 5 and 9 are the independent claims).

What is claimed is:

1. A computer-implemented method for protecting container image and runtime data from host access, the method comprising: retrieving, by a processor, one or more container images from a container registry, wherein the one or more container images are based on a root file system comprised of one or more layers; flattening, by the processor, each of the one or more container images of the root file system into a single layer; generating, by the processor, a container base image for each flattened container image; building, by the processor, a virtual machine overlay base image based, at least in part, on one or more of the generated container base images; sharing, by the processor, the virtual machine overlay base image based, at least in part, on a dynamic sharing policy; and encrypting, by the processor, each generated container base image.

2. The computer-implemented method of claim 1, wherein building the virtual machine overlay base image further comprises: generating, by the processor, an identity for the virtual machine overlay base image based, at least in part, on a respective identity of each container operational on the virtual machine overlay base image; determining, by the processor, if the generated identity for the virtual machine overlay base image exists within the container registry; and responsive to determining that the generated identity for the virtual machine overlay base image does not exist within the container registry, publishing the virtual machine overlay base image within the container registry.

3. The computer-implemented method of claim 1, wherein the virtual machine overlay base image is shared within at least one of the following: container pod, deployment, or namespace.

4. The computer-implemented method of claim 1, wherein the root file system of the one or more retrieved container images is a union file system.

5. A computer system for protecting container image and runtime data from host access, the system comprising: a memory; and a processor in communication with the memory, the processor being configured to perform operations to: retrieve one or more container images from a container registry, wherein the one or more container images are based on a root file system comprised of one or more layers; flatten each of the one or more container images of the root file system into a single layer; generate a container base image for each flattened container image; build a virtual machine overlay base image based, at least in part, on one or more of the generated container base images; share the virtual machine overlay base image based, at least in part, on a dynamic sharing policy; and encrypt each generated container base image.

6. The computer system of claim 5, wherein building the virtual machine overlay base image further comprises operations to: generate an identity for the virtual machine overlay base image based, at least in part, on a respective identity of each container operational on the virtual machine overlay base image; determine if the generated identity for the virtual machine overlay base image exists within the container registry; and responsive to determining that the generated identity for the virtual machine overlay base image does not exist within the container registry, publish the virtual machine overlay base image within the container registry.

7. The computer system of claim 5, wherein the virtual layer base overlay image is shared within at least one of the following: container pod, deployment, or namespace.

8. The computer system of claim 5, wherein the root file system of the one or more retrieved container images is a union file system.

9. A computer program product for protecting container image and runtime data from host access having program instructions embodied therewith, the program instructions executable by a processor to cause the processors to perform one or more operations, comprising: program instructions to retrieve one or more container images from a container registry, wherein the one or more container images are based on a root file system comprised of one or more layers; program instructions to flatten each of the one or more container images of the root file system into a single layer; program instructions to generate a container base image for each flattened container image; program instructions to build a virtual machine overlay base image based, at least in part, on one or more of the generated container base images; program instructions to share the virtual machine overlay base image based, at least in part, on a dynamic sharing policy; and program instructions to encrypt each generated container base image.

10. The computer program product of claim 9, wherein building the virtual machine overlay base image further comprises: program instructions to generate an identity for the virtual machine overlay base image based, at least in part, on a respective identity of each container operational on the virtual machine overlay base image; program instructions to determine if the generated identity for the virtual machine overlay base image exists within the container registry; and program instructions to responsive to determining that the generated identity for the virtual machine overlay base image does not exist within the container registry, publish the virtual machine overlay base image within the container registry.

11. The computer program product of claim 9, wherein the root file system of the one or more retrieved container images is a union file system.
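The claims describe a pipeline (retrieve, flatten, build a base image per container, derive an identity for the overlay base image, publish only if absent, encrypt) rather than an implementation. What follows is an added example written for this page, not code from the patent or from IBM, that models that pipeline in standard-library Python. It flattens OCI-style layers into one layer while honouring `.wh.` whiteouts, so a secret deleted in an upper layer no longer survives in a lower one; derives the claim-2 identity of the overlay base image from the sorted digests of its member base images; publishes only when the registry lacks that identity; and encrypts each flattened base image. Everything concrete here is an assumption: the constructed sample images, the in-memory dict standing in for the registry, the digest layout, and the HMAC-SHA256 counter-mode encrypt-then-MAC scheme, which is a stdlib stand-in for the AES-GCM a real build would use. The dynamic sharing policy of claim 1 is not modelled.

```python
import hashlib, hmac, json, os

# A layer is path -> bytes. OCI whiteouts: "<dir>/.wh.<name>" deletes one lower entry;
# "<dir>/.wh..wh..opq" hides everything under <dir> that lower layers contributed.
Layer = dict[str, bytes]
WH, OPAQUE = ".wh.", ".wh..wh..opq"

def flatten_layers(layers: list[Layer]) -> Layer:
    """Union layers bottom-up into one layer, applying whiteouts. A secret written in
    layer N and deleted in layer N+1 still ships in the layered image, not in this one."""
    merged: Layer = {}
    for layer in layers:
        for path in layer:  # whiteouts first: they act on lower layers only
            directory, _, name = path.rpartition("/")
            prefix = directory + "/" if directory else ""
            if name == OPAQUE:
                merged = {p: d for p, d in merged.items() if not p.startswith(prefix)}
            elif name.startswith(WH):
                target = prefix + name[len(WH):]
                merged = {p: d for p, d in merged.items()
                          if p != target and not p.startswith(target + "/")}
        for path, data in layer.items():  # then this layer's own regular entries
            if not path.rpartition("/")[2].startswith(WH):
                merged[path] = data
    return merged

def layer_digest(layer: Layer) -> str:
    """Deterministic content digest of a flattened layer (sorted, length-prefixed)."""
    h = hashlib.sha256()
    for path in sorted(layer):
        h.update(len(path).to_bytes(4, "big") + path.encode())
        h.update(len(layer[path]).to_bytes(8, "big") + layer[path])
    return "sha256:" + h.hexdigest()

def overlay_identity(member_digests: list[str]) -> str:
    """Claim 2: overlay image identity derived from its members' identities, order-free."""
    return "sha256:" + hashlib.sha256("\n".join(sorted(member_digests)).encode()).hexdigest()

def publish_if_absent(registry: dict[str, dict], identity: str, manifest: dict) -> bool:
    """Publish the overlay base image only when the registry lacks that identity."""
    if identity in registry:
        return False
    registry[identity] = manifest
    return True

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    return tuple(hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))

def encrypt_layer(key: bytes, layer: Layer) -> tuple[bytes, bytes, bytes]:
    """Encrypt-then-MAC the serialised base image. The HMAC-SHA256 counter-mode keystream
    is a stdlib stand-in (assumption) for AES-GCM; the key never reaches the host."""
    enc_key, mac_key = _subkeys(key)
    plaintext = json.dumps({p: d.hex() for p, d in sorted(layer.items())}).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce, ciphertext, hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()

def decrypt_layer(key: bytes, nonce: bytes, ciphertext: bytes, tag: bytes) -> Layer:
    """Verify the tag before touching the ciphertext; any tampering is rejected."""
    enc_key, mac_key = _subkeys(key)
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return {p: bytes.fromhex(d) for p, d in json.loads(plaintext).items()}

def build_overlay_base_image(images: dict[str, list[Layer]], registry: dict[str, dict],
                             key: bytes) -> dict:
    """Claim 1 pipeline: flatten -> base image per container -> overlay identity ->
    publish-if-absent -> encrypt each base image. The sharing policy is not modelled."""
    bases = {name: flatten_layers(layers) for name, layers in images.items()}
    digests = {name: layer_digest(base) for name, base in bases.items()}
    identity = overlay_identity(list(digests.values()))
    published = publish_if_absent(registry, identity, {"members": sorted(digests.values())})
    encrypted = {name: encrypt_layer(key, base) for name, base in bases.items()}
    return {"bases": bases, "digests": digests, "identity": identity,
            "published": published, "encrypted": encrypted}

# Constructed sample images: a token "deleted" in an upper layer and a replaced directory.
SAMPLE_IMAGES: dict[str, list[Layer]] = {
    "api": [{"etc/app.conf": b"db=prod", "root/.npmrc": b"//registry/:_authToken=SECRET"},
            {"root/.wh..npmrc": b"", "usr/bin/api": b"\x7fELF..."}],
    "web": [{"app/main.py": b"print('v1')", "app/.env": b"TOKEN=old"},
            {"app/.wh..wh..opq": b"", "app/main.py": b"print('v2')"}],
}

def run_demo() -> dict:
    registry: dict[str, dict] = {}
    key = os.urandom(32)
    first = build_overlay_base_image(SAMPLE_IMAGES, registry, key)
    second = build_overlay_base_image(SAMPLE_IMAGES, registry, key)  # same set: no republish
    return {"first": first, "second": second, "registry": registry, "key": key}

if __name__ == "__main__":
    demo = run_demo()
    print({n: sorted(b) for n, b in demo["first"]["bases"].items()}, demo["first"]["identity"])
```

Run it directly to see the flattened file lists and the overlay identity. Building the same set of images twice makes the second build report `published == False`, which is the registry check of claim 2. The whiteout handling is the part worth studying: a layered `api` image still carries the bytes of `root/.npmrc` even though the upper layer deleted it, and only the flattened base image drops them, which is why flattening before encryption matters for the host-access threat the patent targets.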

Assignees

IBM

Inventors

Classifications (CPC titles)

  • G06F21/602 (primary): Providing cryptographic facilities or services
  • Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
  • Isolation or security of virtual machine instances
  • Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
  • Hypervisor-specific management and integration aspects

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US12242879B2 cover?
An approach for protecting container image and runtime data from host access may be presented. Container systems have allowed for more efficient utilization of computing resources, removing the requirement of a hypervisor, and packaging all necessary dependencies within an application. Preventing host access to container image and runtime data can be advantageous for a multitude of reasons. The…
Who is the assignee on this patent?
IBM
What technology area does this patent fall under?
Primary CPC classification G06F21/602. Mapped technology areas include Physics.
When was this patent published?
Publication date Mar 4, 2025 (kind code B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).