Abstract: In one or more embodiments a method to secure container images using a security mechanism is provided. The method comprises customizing the container platform for build and run operations, wherein, after the container image is built, the plurality of layers of the image are encrypted, converted to an immutable state and stored in a local repository. This does not allow unauthorized users to inspect the content of the container image layers; the creation of the software container converts the container image back to the mutable state and decrypts the layers of the image. Refer to Fig. 1.
Claims:
1. A method for securing a plurality of container images comprising:
securing, by a customized container platform, the plurality of container images using a plurality of build and run operations;
encrypting, by the plurality of build and run operations, a plurality of layers of one of the container images;
packaging one of the container images with a plurality of resources required for executing the container;
decrypting, by the build and run operations, one of the container images and creating the container; wherein the encrypted plurality of layers of the container image are stored in a local repository.
2. The method as claimed in claim 1, wherein the security mechanism further comprises customizing the container platform for securing the plurality of container images.
3. The method as claimed in claim 2, wherein the container platform further comprises providing the secure mechanism for the plurality of build and run operations.
4. The method as claimed in claim 1, wherein the encrypted plurality of layers further comprises preventing the inspection of the layer information by an unauthorized user.
5. The method as claimed in claim 1, wherein encrypting, by the build and run operations, the layers of one of the container images further comprises encrypting with a secure key after the container image is built.
6. The method as claimed in claim 1, further comprises:
converting the plurality of layers of the container image into an immutable image, wherein the properties of the container image are fixed once the container image is encrypted.
7. The method as claimed in claim 1, wherein the plurality of build and run operations further comprises acknowledging the secure key from the user and converting the immutable image to a mutable image.
8. The method as claimed in claim 1, wherein the plurality of build and run operations further comprises decrypting the mutable image for creating a container.
9. The method as claimed in claim 1, wherein the plurality of layers of the container image further comprises:
encrypting the plurality of layers of the container image again; and
storing the encrypted plurality of layers in the repository once the container exits.
Description:
FORM – 2
THE PATENTS ACT, 1970
(39 of 1970)
&
THE PATENTS RULES, 2003
COMPLETE SPECIFICATION
(SEE SECTION 10, RULE 13)
A METHOD TO SECURE A CONTAINER IMAGE USING SECURITY MECHANISM
BHARAT ELECTRONICS LIMITED
WITH ADDRESS:
OUTER RING ROAD, NAGAVARA, BANGALORE 560045, KARNATAKA, INDIA
THE FOLLOWING SPECIFICATION PARTICULARLY DESCRIBES THE INVENTION AND THE MANNER IN WHICH IT IS TO BE PERFORMED.
TECHNICAL FIELD
[0001] The present invention relates generally to a method for securing a container image, in particular to secure the layers of container images.
BACKGROUND
[0002] Docker images are read-only templates. They are created from a Dockerfile (a text file with the name “Dockerfile”), which describes what a user wants to include in the container along with the application. Docker images are used to create containers and are the build component of Docker. Public or private stores that hold the images are called Docker registries. Conventionally, virtual machines were used, which required a dedicated guest operating system. Additionally, images that were encrypted were not secure if they were embedded with secrets: unauthorized users could access the image and examine the secrets, even if they were in masked layers.
[0003] US Patent Application US 2017/0116415A1 discloses a method for securing execution of software containers using security profiles, comprising: receiving an event indication that a container image requires profiling, wherein the container image includes resource utilized to execute a corresponding application container; generating a security profile for the container image, wherein the generated security includes at least a system calls profile; monitoring the operation of a runtime execution of the application container; and detecting a violation of the security profile based on the monitored operation, wherein the security profile is of the container image corresponding to the application container.
[0004] Another US patent, US 9,639,558 B2, discloses a computer-implemented method comprising: selecting, by a processor, an image to be built; performing a hashing function on the image to produce a checksum; querying a registry for an existing image including the same checksum, and, based on no existing image including the same checksum being found: acquiring a parent image for the image to be built; building the image to produce a built image; adding the checksum for the image to the built image; and storing the built image in the registry.
[0005] Another US patent application, US 2017/0177860 A1, discloses a system comprising: one or more processors; and memory including instructions that, as a result of execution by the one or more processors, cause the system to: receive, from a first device associated with a first customer of a computing resource service provider, a container image and information specifying an event trigger for terminating execution of the container image, the container image comprising a set of software layers, the first customer located in a first geographic region; store the set of software layers in a first repository associated with the first customer to form a stored container image, the first repository being located in the first geographic region; copy the stored container image to a second repository to form a copied container image, the second repository located in a second geographic region different from the first geographic region; receive a request, from a second device associated with a second customer of the computing resource service provider, to deploy the container image into at least one virtual machine instance associated with the second customer, the at least one virtual machine instance being located in the second geographic region; deploy the copied container image as a software container to execute in the at least one virtual machine instance; and, as a result of an occurrence of the event trigger, terminate execution of the software container.
[0006] There is still a need for an invention which solves the above-defined problems.
SUMMARY
[0007] This summary is provided to introduce concepts related to securing container images on a host machine by using a secure mechanism, thus preventing other users from inspecting the data in the container image layers.
[0008] One of the various embodiments herein includes a computer-implemented method. This computer-implemented method includes customizing the container platform for the plurality of build and run operations of container images and software containers.
[0009] In another implementation, the customized build operation of the container platform builds the container image from a Dockerfile provided by a user, and said customized build operation encrypts a plurality of layers of the container image and also makes them immutable using a secure key, where the key is stored in a hash format. The plurality of secured images is stored in a repository. Furthermore, the security mechanism does not allow unauthorized users to obtain information about the container layers by inspecting them.
[0010] In another implementation, the customized container platform, using the run operation, is configured to create a container from the already built image, wherein it accepts the key from the user and, if the authentication of the key is successful, converts the image into mutable format; said customized container platform is then configured to decrypt the plurality of layers to create the container.
[0011] In another implementation, once the container exits from the running state, the customized platform converts the plurality of layers back to the encrypted format.
BRIEF DESCRIPTION OF ACCOMPANYING DRAWINGS
[0012] The detailed description is described with reference to the accompanying figures. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. The same numbers are used throughout the drawings to reference features.
[0013] Fig. 1 illustrates an exemplary overview of the container image architecture, according to an exemplary implementation of the present disclosure.
[0014] Fig. 2 illustrates an exemplary block diagram of customized container platform communication architecture between client and daemon using custom commands, according to an exemplary implementation of the present disclosure.
[0015] Fig. 3 illustrates an exemplary block diagram of layers of container, according to an exemplary implementation of the present disclosure.
[0016] Fig. 4 illustrates an exemplary block diagram of encryption of container image using a secure mechanism, according to an exemplary implementation of the present disclosure.
[0017] Fig. 5 illustrates an exemplary block diagram of decryption of container image using a secure mechanism, according to an exemplary implementation of the present disclosure.
[0018] It should be appreciated by those skilled in the art that any block diagrams herein represent conceptual views of illustrative methods embodying the principles of the present disclosure. Similarly, it will be appreciated that any flow charts, flow diagrams, and the like represent various processes which may be substantially represented in a computer-readable medium and so executed by a computer or processor, whether or not such computer or processor is explicitly shown.
DETAILED DESCRIPTION
[0019] The various embodiments of the present disclosure provide a method for securing container images on a host machine by using a secure mechanism, thus preventing other users from inspecting the data in the container image layers.
[0020] In the following description, for purpose of explanation, specific details are set forth in order to provide an understanding of the present claimed subject matter. It will be apparent, however, to one skilled in the art that the present claimed subject matter may be practiced without these details. One skilled in the art will recognize that embodiments of the present claimed subject matter, some of which are described below, may be incorporated into a number of systems.
[0021] However, the systems and methods are not limited to the specific embodiments described herein. Further, structures and devices shown in the figures are illustrative of exemplary embodiments of the presently claimed subject matter and are meant to avoid obscuring the presently claimed subject matter.
[0022] Furthermore, connections between components and/or modules within the figures are not intended to be limited to direct connections. Rather, these components and modules may be modified, re-formatted or otherwise changed by intermediary components and modules.
[0023] In one embodiment herein, a computer-implemented method is provided. This computer-implemented method includes customizing the container platform for the plurality of build and run operations of container images and software containers. Further, the customized build operation of the container platform builds the container image from a Dockerfile provided by a user, and said customized build operation encrypts a plurality of layers of the container image and also makes them immutable using a secure key, where the key is stored in a hash format. The plurality of secured images is stored in a repository. Furthermore, the security mechanism does not allow unauthorized users to obtain information about the container layers by inspecting them.
[0024] In another embodiment, the customized container platform, using the run operation, is configured to create a container from the already built image, wherein it accepts the key from the user and, if the authentication of the key is successful, converts the image into mutable format; said customized container platform is then configured to decrypt the plurality of layers to create the container. Further, once the container exits from the running state, the customized platform converts the plurality of layers back to the encrypted format.
[0025] In another embodiment, a method is provided for securing the plurality of container images on a customized container platform. Further, the customized container platform includes the implemented changes in the plurality of build and run operations. These container service commands help to protect the plurality of layers of the image from unauthorized users inspecting them and to protect against malware file-system attacks. Further, the build and run-time operations are configured to provide the environment to build the container images and to execute the software applications. The resulting container image is stored in a local repository. Each container image includes various layers: the container layer at the top of the stack is configurable (read-write), while the read-only image layers are now immutable.
[0026] It should be noted that the description merely illustrates the principles of the present invention. It will thus be appreciated that those skilled in the art will be able to devise various arrangements that, although not explicitly described herein, embody the principles of the present invention. Furthermore, all examples recited herein are principally intended expressly to be only for explanatory purposes to help the reader in understanding the principles of the invention and the concepts contributed by the inventor to furthering the art and are to be construed as being without limitation to such specifically recited examples and conditions. Moreover, all statements herein reciting principles, aspects, and embodiments of the invention, as well as specific examples thereof, are intended to encompass equivalents thereof.
[0027] Fig. 1 illustrates an exemplary overview of the container image architecture, according to an exemplary implementation of the present disclosure. The process starts by customizing the container platform 104 using a secure mechanism for a plurality of build and run operations. Further, this process includes a Dockerfile 106 with the secure application and its dependencies. The customized container platform is configured to build a container image from the Dockerfile 108. At this instance, the build command is configured to encrypt the plurality of layers of the container image 110 and to store the plurality of layers in a local repository 112. Each layer of the container image is identified by a unique UUID (Universally Unique Identifier) in hexadecimal string format. Until the instructions of the Dockerfile are modified, the already built layers of the image remain the same. While creating a container from the image using the custom run command 114, the platform prompts the user to enter the valid user key for authentication 116. Once the entered user credentials are authenticated, the customized run operation creates the container 120 to execute 122 the application, which has the accurate information. In case of authentication failure, the run operation terminates the container creation process 118. Further, when the application exits, the container is deleted 124.
[0028] Fig. 2 illustrates an exemplary block diagram of the customized container platform communication architecture between client and daemon using custom commands, according to an exemplary implementation of the present disclosure. These custom commands use the Docker client 202 and Docker daemon 214 on the host machine 204. The client and the daemon can both be standalone systems or distributed systems. Further, the client and the daemon communicate with each other using a REST API over a network interface. The client communicates with the daemon to carry out the process of building and running the plurality of container images. Further, the client commands such as build 208 and run 210 are customized by the secure mechanism 212 to protect the plurality of image layers 218 from vulnerability attacks. The image is built using the Dockerfile 206 with the required syntax and steps. Each step of the Dockerfile forms a layer. The encrypted image layers 216 are stored in a private local registry. When the user executes the run command, the requested image is decrypted and a read-write container 220, which is a runnable instance, is created.
[0029] Fig. 3 illustrates an exemplary block diagram of the layers of a container, according to an exemplary implementation of the present disclosure. The container image includes the series of layers that describes the environment required for an application 304 to run. Every layer except the last container layer 302 is a read-only layer, whereas the container layer is a read-write layer. Each layer is different from the other layers. The plurality of read-only layers are called image layers and the readable/writable layer is named the container layer. This container layer is formed while running the container image. The read-only layers are the underlying layers that are used by the container layer.
[0030] Fig. 4 illustrates an exemplary block diagram of encryption of a container image using a secure mechanism, according to an exemplary implementation of the present disclosure. Here, the method is to create the container image by the customized client platform 402. The client build command is configured to accept the key 408 provided by the authorized user and to encrypt the intermediate layers of the image 410. Further, the user-provided key is stored on the local machine in hash format 412. After the encryption, the image layers are converted to immutable 414 and stored in the local repository 416, which means they are not editable even if the permissions of the image layers are changed.
[0031] Fig. 5 illustrates an exemplary block diagram of decryption of a container image using a secure mechanism, according to an exemplary implementation of the present disclosure. The custom run command is executed to create the container from the encrypted image 504 on the customized client platform. Once the run operation is started, it requests the user to enter the key for authentication 508. If the key entered by the user is valid, then the immutable container image is converted to mutable 510, the plurality of intermediate layers of the requested image 512 are decrypted and the new readable/writable container 514 is created from the image.
[0032] The foregoing description of the invention has been set forth merely to illustrate the invention and is not intended to be limiting. Since modifications of the disclosed embodiments incorporating the substance of the invention may occur to a person skilled in the art, the invention should be construed to include everything within the scope of the invention.
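The build, run and exit flow of Figs. 4 and 5 (paragraphs [0027] to [0031]) as an added example in Go; this is illustrative code, not part of the patent or of any product of the applicant. Each Dockerfile step becomes a layer that is encrypted in place and bound to its ID, only a hash of the user key is stored beside the image, a wrong key at run time terminates creation with every layer still sealed, and Seal is called again when the container exits. Assumptions: the layer content is the step text itself, layers are identified by a content hash rather than the page's UUID, and a salted SHA-256 stands in for a proper password KDF.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
)

// SecureImage is the build output kept in the local repository: layer ID -> layer
// bytes (nonce||AES-GCM ciphertext while Immutable), KDF salt, hash of the key.
type SecureImage struct {
	Layers    map[string][]byte
	Salt      []byte
	KeyHash   []byte // only a hash is stored; the key itself never is
	Immutable bool
}
// keyFor derives the layer key (salted SHA-256 stands in for a real password
// KDF; an assumption), returning its hash and an AES-256-GCM instance for it.
func keyFor(userKey, salt []byte) ([]byte, cipher.AEAD) {
	key := sha256.Sum256(append(append([]byte{}, salt...), userKey...))
	block, _ := aes.NewCipher(key[:]) // 32-byte key: these cannot fail
	gcm, _ := cipher.NewGCM(block)
	keyHash := sha256.Sum256(key[:])
	return keyHash[:], gcm
}
// Seal encrypts every layer in place under a fresh nonce (layer ID bound as
// associated data) and marks the image immutable; runs at build and at exit.
func (img *SecureImage) Seal(gcm cipher.AEAD) {
	for id, data := range img.Layers {
		nonce := make([]byte, gcm.NonceSize())
		rand.Read(nonce) // crypto/rand.Read never returns an error (Go 1.24+)
		img.Layers[id] = gcm.Seal(nonce, nonce, data, []byte(id))
	}
	img.Immutable = true
}

// Build turns each Dockerfile step into a content-addressed layer (an unchanged
// step keeps its ID), records only the hash of the key, and seals the image.
func Build(steps []string, userKey []byte) *SecureImage {
	salt := make([]byte, 16)
	rand.Read(salt)
	keyHash, gcm := keyFor(userKey, salt)
	img := &SecureImage{Layers: map[string][]byte{}, Salt: salt, KeyHash: keyHash}
	for _, step := range steps {
		id := sha256.Sum256([]byte(step))
		img.Layers[hex.EncodeToString(id[:])] = []byte(step) // constructed layer content
	}
	img.Seal(gcm)
	return img
}

// Run authenticates the entered key against the stored hash, then makes the image
// mutable and decrypts its layers in place; a wrong key leaves every layer sealed.
func Run(img *SecureImage, userKey []byte) (cipher.AEAD, error) {
	if !img.Immutable {
		return nil, errors.New("image is not in its sealed state")
	}
	keyHash, gcm := keyFor(userKey, img.Salt)
	if subtle.ConstantTimeCompare(keyHash, img.KeyHash) != 1 {
		return nil, errors.New("authentication failed: container creation terminated")
	}
	for id, data := range img.Layers {
		pt, err := gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], []byte(id))
		if err != nil {
			return nil, err
		}
		img.Layers[id] = pt
	}
	img.Immutable = false
	return gcm, nil
}
```

The AEAD returned by Run is what the platform holds while the container runs and passes to Seal when it exits, so the layers go back to their encrypted, immutable state without the user key being kept.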
| # | Name | Date |
|---|---|---|
| 1 | 201941012649-FORM 1 [29-03-2019(online)].pdf | 2019-03-29 |
| 2 | 201941012649-STATEMENT OF UNDERTAKING (FORM 3) [29-03-2019(online)].pdf | 2019-03-29 |
| 3 | 201941012649-DECLARATION OF INVENTORSHIP (FORM 5) [29-03-2019(online)].pdf | 2019-03-29 |
| 4 | 201941012649-COMPLETE SPECIFICATION [29-03-2019(online)].pdf | 2019-03-29 |
| 5 | 201941012649-DRAWINGS [29-03-2019(online)].pdf | 2019-03-29 |
| 6 | 201941012649-FIGURE OF ABSTRACT [29-03-2019(online)].pdf | 2019-03-29 |
| 7 | 201941012649-FORM-26 [18-06-2019(online)].pdf | 2019-06-18 |
| 8 | Correspondence by Agent_Form26_28-06-2019.pdf | 2019-06-28 |
| 9 | 201941012649-Proof of Right (MANDATORY) [11-07-2019(online)].pdf | 2019-07-11 |
| 10 | Correspondence by Agent_Form1_22-07-2019.pdf | 2019-07-22 |
| 11 | 201941012649-FORM 18 [10-02-2021(online)].pdf | 2021-02-10 |
| 12 | 201941012649-FER.pdf | 2022-01-14 |
| 13 | SearchHistoryE_14-01-2022.pdf | |
| 14 | 201941012649-FER_SER_REPLY [30-06-2022(online)].pdf | 2022-06-30 |
| 15 | 201941012649-COMPLETE SPECIFICATION [30-06-2022(online)].pdf | 2022-06-30 |
| 16 | 201941012649-CLAIMS [30-06-2022(online)].pdf | 2022-06-30 |
| 17 | 201941012649-DRAWING [30-06-2022(online)].pdf | 2022-06-30 |
| 18 | 201941012649-Response to office action [17-12-2022(online)].pdf | 2022-12-17 |
| 19 | 201941012649-AMENDED DOCUMENTS [04-10-2024(online)].pdf | 2024-10-04 |
| 20 | 201941012649-FORM 13 [04-10-2024(online)].pdf | 2024-10-04 |
| 21 | 201941012649-POA [04-10-2024(online)].pdf | 2024-10-04 |
| 22 | 201941012649-Response to office action [01-11-2024(online)].pdf | 2024-11-01 |
| 23 | 201941012649-US(14)-HearingNotice-(HearingDate-01-05-2025).pdf | 2025-04-11 |
| 24 | 201941012649-Correspondence to notify the Controller [28-04-2025(online)].pdf | 2025-04-28 |
| 25 | 201941012649-Written submissions and relevant documents [09-05-2025(online)].pdf | 2025-05-09 |
| 26 | 201941012649-PatentCertificate22-05-2025.pdf | 2025-05-22 |
| 27 | 201941012649-IntimationOfGrant22-05-2025.pdf | 2025-05-22 |