Title of invention: CONTAINER DATA OFFLINE AND ONLINE SCAN IN A CLOUD ENVIRONMENT
Abstract: Techniques for security scanning of containers executing within VMs. A virtualization system maintains container disk files that store data for containers. The container disk files are stored separate from, and not included within, virtual machine disk files that store data for the virtual machines. To scan data for any particular container, a scanning module scans the container disk file associated with the container. If a threat is found, a container scan catalog is updated to indicate this fact. A container may be disconnected from the network if identified security threats cannot be removed from the container. An entire VM may be disconnected from the network if all containers within the VM have threats that cannot be cleaned. The use of container disk files for security threat scanning allows for data for individual containers to be scanned.
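Application publication number: US2016381058(A1) Application publication date: 2016.12.29
Application number: US201514828549 Filing date: 2015.08.18
Applicant: VMWare, Inc. Inventor: ANTONY JINTO
Classification: H04L29/06;G06F9/455 Main classification: H04L29/06
Agency: Agent: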
Main claim: 1. A method, comprising: receiving a request to perform a scan for security threats within a container executing within a virtual machine (VM), wherein the container comprises an operating system-isolated group of processes; identifying a container disk file associated with the container, wherein the container disk file is not included within a virtual machine disk file associated with the VM and is separate from other container disk files associated with other containers executing within the VM; performing the scan on the container disk file to detect security threats; and updating a container scan catalog based on whether a threat is detected in the container disk file.
Address: Palo Alto CA US