基于规则验证的Dockerfile临时文件静态检测方法

doi:10.19678/j.issn.1000-3428.0068330

摘要/Abstract

摘要：

Dockerfile中存在的临时文件问题使Docker镜像打包了超过其功能所需的不必要的文件资源, 导致镜像尺寸增大, 影响了镜像传输和部署的效率。现有的动态分析法在运行时会产生大量日志, 造成较大的系统开销, 而静态分析法无法检测出临时文件的多种变化形式, 限制了其在日常检测中的有效应用。提出一种Dockerfile临时文件静态检测方法, 通过规则验证收集21种临时文件形式, 使用节点关联算法改进抽象语法树(AST)结构, 提高检测效率, 并在节点关联的AST(NA-AST)结构基础上使用着色机制对节点进行处理, 保证检测完整性。实验结果表明, 相较于现有方法, 所提方法能够以较小的时间开销检测出文件中存在的各种临时文件形式。此外, 提供一种对临时文件形式分类的依据, 其可用于对后续临时文件新增形式的分析和检测, 具有较高的普适性。

关键词: Docker技术, 容器, Dockerfile临时文件, 抽象语法树, 镜像

Abstract:

The temporary file issue in the Dockerfile causes the Docker image to pack unnecessary file resources beyond its functional requirements, resulting in an increase in image size and affecting the efficiency of image transmission and deployment. Existing dynamic analysis methods generate many logs during runtime, resulting in significant system overhead. However, static analysis methods cannot detect various changes in temporary files, which limits their effective application for daily detection. A static detection method for Dockerfile temporary files is proposed, which collects 21 temporary file forms through rule validation using a node association algorithm to improve the Abstract Syntax Tree(AST) structure and enhance detection efficiency. Based on Node Association-AST (NA-AST), a coloring mechanism is used to process nodes, ensuring detection integrity. The experimental results show that compared to existing schemes, the proposed method can detect various temporary file forms in files with less time overhead. In addition, a basis for classifying the forms of temporary files is provided, which can be used for analyzing and detecting new forms of subsequent temporary files and has higher universality.

Key words: Docker technology, container, Dockerfile temporary file, Abstract Syntax Tree (AST), image

苏珲, 张建辉, 曾俊杰, 楚小茜. 基于规则验证的Dockerfile临时文件静态检测方法[J]. 计算机工程, 2025, 51(3): 189-196.

SU Hui, ZHANG Jianhui, ZENG Junjie, CHU Xiaoxi. Static Detection Method for Dockerfile Temporary Files Based on Rule Validation[J]. Computer Engineering, 2025, 51(3): 189-196.

https://www.ecice06.com/CN/Y2025/V51/I3/189

图/表 10

图1 检测方法框架结构

Fig.1 Framework structure of detection method

图2 NA-AST结构

Fig.2 NA-AST structure

图3 NA-AST着色过程

Fig.3 NA-AST coloring process

图4 检测方法性能表现

Fig.4 Performance of detection method

参考文献 26

1	BENTALEB O, BELLOUM A S Z, SEBAA A, et al. Containerization technologies: taxonomies, applications and challenges. The Journal of Supercomputing, 2022, 78(1): 1144- 1181. doi: 10.1007/s11227-021-03914-1
2	陈轶阳, 王小宁, 卢莎莎, 等. 面向高性能计算系统的容器技术综述. 计算机科学, 2023, 50(2): 353- 363.
	CHEN Y Y, WANG X N, LU S S, et al. Survey of container technology for high-performance computing system. Computer Science, 2023, 50(2): 353- 363.
3	FELTER W, FERREIRA A, RAJAMONY R, et al. An updated performance comparison of virtual machines and Linux containers[C]//Proceedings of the IEEE International Symposium on Performance Analysis of Systems and Software (ISPASS). Washington D. C., USA: IEEE Press, 2015: 171-172.
4	SHARMA P, CHAUFOURNIER L, SHENOY P, et al. Containers and virtual machines at scale: a comparative study[C]//Proceedings of the 17th International Middleware Conference. New York, USA: ACM Press, 2016: 1-13.
5	POTDAR A M, D G N, KENGOND S, et al. Performance evaluation of Docker container and virtual machine. Procedia Computer Science, 2020, 171, 1419- 1428. doi: 10.1016/j.procs.2020.04.152
6	KRATZKE N. A brief history of cloud application architectures. Applied Sciences, 2018, 8(8): 1368. doi: 10.3390/app8081368
7	PAHL C, BROGI A, SOLDANI J, et al. Cloud container technologies: a state-of-the-art review. IEEE Transactions on Cloud Computing, 2019, 7(3): 677- 692. doi: 10.1109/TCC.2017.2702586
8	SINGH V, PEDDOJU S K. Container-based microservice architecture for cloud applications[C]//Proceedings of the International Conference on Computing, Communication and Automation (ICCCA). Washington D. C., USA: IEEE Press, 2017: 847-852.
9	MERKEL D. Docker: lightweight Linux containers for consistent development and deployment. Linux Journal, 2014(239): 2.
10	ZHU H, BAYLEY I. If docker is the answer, what is the question?[C]//Proceedings of the IEEE Symposium on Service-Oriented System Engineering (SOSE). Washington D. C., USA: IEEE Press, 2018: 152-163.
11	CARL B. An introduction to Docker for reproducible research. ACM SIGOPS Operating Systems Review, 2015, 49(1): 71- 79. doi: 10.1145/2723872.2723882
12	Hadolint. Linter[EB/OL]. [2023-10-02]. https://github.com/hadolint/hadolint.
13	LIN C Y, NADI S, KHAZAEI H. A large-scale data set and an empirical study of docker images hosted on docker hub[C]//Proceedings of the IEEE International Conference on Software Maintenance and Evolution (ICSME). Washington D. C., USA: IEEE Press, 2020: 371-381.
14	LU Z G, XU J W, WU Y W, et al. An empirical case study on the temporary file smell in dockerfiles. IEEE Access, 2019, 7, 63650- 63659. doi: 10.1109/ACCESS.2019.2905424
15	XU J W, WU Y W, LU Z G, et al. Dockerfile TF smell detection based on dynamic and static analysis methods[C]//Proceedings of the IEEE 43rd Annual Computer Software and Applications Conference (COMPSAC). Washington D. C., USA: IEEE Press, 2019: 185-190.
16	RASTOGI V, DAVIDSON D, de CARLI L, et al. Cimplifier: automatically debloating containers[C]//Proceedings of the 11th Joint Meeting on Foundations of Software Engineering. New York, USA: ACM Press, 2017: 476-486.
17	CHAU N T, YOON J, DOAN T P, et al. AppPACK: a packaging model for single-purpose lightweight virtualization environment. IEEE Access, 2021, 9, 30071- 30079. doi: 10.1109/ACCESS.2021.3055856
18	DU L, WO T Y, YANG R Y, et al. Cider: a rapid docker container deployment system through sharing network storage[C]//Proceedings of the IEEE 19th International Conference on High Performance Computing and Communications; IEEE 15th International Conference on Smart City; IEEE 3rd International Conference on Data Science and Systems (HPCC/SmartCity/DSS). Washington D. C., USA: IEEE Press, 2017: 332-339.
19	LITTLEY M, ANWAR A, FAYYAZ H, et al. Bolt: towards a scalable docker registry via hyperconvergence[C]//Proceedings of the IEEE 12th International Conference on Cloud Computing (CLOUD). Washington D. C., USA: IEEE Press, 2019: 358-366.
20	ZHAO N N, TARASOV V, ALBAHAR H, et al. Large-scale analysis of docker images and performance implications for container storage systems. IEEE Transactions on Parallel and Distributed Systems, 2021, 32(4): 918- 930. doi: 10.1109/TPDS.2020.3034517
21	ZHANG J F, LIU B, WANG X C. A container deployment optimization method for edge computing. Journal of Physics: Conference Series, 2021, 1927(1): 012017. doi: 10.1088/1742-6596/1927/1/012017
22	陆志刚, 徐继伟, 黄涛. 基于分片复用的多版本容器镜像加载方法. 软件学报, 2020, 31(6): 1875- 1888.
	LU Z G, XU J W, HUANG T. Container image deduplication method based on chunking reuse of multi-versions. Journal of Software, 2020, 31(6): 1875- 1888.
23	HARDI N, BLOMER J, GANIS G, et al. Making containers lazy with Docker and CernVM-FS. Journal of Physics: Conference Series, 2018, 1085, 032019. doi: 10.1088/1742-6596/1085/3/032019
24	MOSCIATTI S, BLOMER J, GANIS G, et al. CernVM-FS container image integration. Journal of Physics: Conference Series, 2020, 1525(1): 012058. doi: 10.1088/1742-6596/1525/1/012058
25	MOSCIATTI S, LANGE C, BLOMER J. Increasing the execution speed of containerized analysis workflows using an image snapshotter in combination with CVMFS. Front Big Data, 2021, 4, 7.
26	肖巍, 胡景浩, 侯正章, 等. 基于词向量模型的漏洞检测方法. 吉林大学学报(理学版), 2023, 61(6): 1358- 1366.
	XIAO W, HU J H, HOU Z Z, et al. Vulnerability detection method based on word vector model. Journal of Jilin University (Science Edition), 2023, 61(6): 1358- 1366.

[1]	李俊俊, 董建刚, 李坤. 基于Kubernetes的集群节能策略研究[J]. 计算机工程, 2024, 50(9): 82-91.
[2]	刘道清, 扈红超, 霍树民. 容器云中面向持久化存储的拟态防御技术研究[J]. 计算机工程, 2024, 50(2): 165-179.
[3]	王小雪, 王晓锋, 刘渊. 基于OpenStack的高资源利用率Docker调度模型[J]. 计算机工程, 2022, 48(9): 171-179,196.
[4]	臧迪, 杨志刚, 王晶, 姚治成, 张伟功. 基于网卡虚拟化的高性能容器网络设计[J]. 计算机工程, 2022, 48(7): 214-219.
[5]	罗成, 崔勇, 林予松. 基于带宽预测与自适应压缩的容器迁移方法[J]. 计算机工程, 2022, 48(5): 200-207,214.
[6]	刘金硕, 黄朔, 邓娟. 面向PMVS算法的自动两级并行翻译方法[J]. 计算机工程, 2022, 48(12): 16-23.
[7]	施凌鹏, 朱征, 周俊松, 李鑫, 李静. 面向微服务架构的云系统负载均衡机制[J]. 计算机工程, 2021, 47(9): 44-50,58.
[8]	赵宇峰, 雷晟, 张国钢, 耿英三. 基于容器技术的电力设备仿真云平台设计与开发[J]. 计算机工程, 2021, 47(9): 171-177,184.
[9]	黄晓伟, 范贵生, 虞慧群, 杨星光. 基于重子节点抽象语法树的软件缺陷预测[J]. 计算机工程, 2021, 47(12): 230-235,248.
[10]	徐少峰, 潘文韬, 熊赟, 朱扬勇. 基于结构感知双编码器的代码注释自动生成[J]. 计算机工程, 2020, 46(2): 304-308,314.
[11]	赵瑜, 吴承荣, 严明. 基于LoadRunner的定制化业务背景流量生成系统[J]. 计算机工程, 2020, 46(10): 231-239,247.
[12]	杨凯琪, 姚培, 赵玉龙, 汤凌韬. 面向异构容器云的应用迁移方法[J]. 计算机工程, 2019, 45(8): 42-47.
[13]	熊文, 于全喜, 吴任博, 伦惠勤, 孔海斌, 谭军光. 基于演化博弈的弹性调控平台任务调度研究[J]. 计算机工程, 2019, 45(7): 86-94.
[14]	谭宏楠,石京燕,邹佳恒,杜然,姜晓巍,孙震宇. 应用于JUNO实验的容器技术研究[J]. 计算机工程, 2019, 45(4): 1-5.
[15]	刘彪,王宝生,邓文平. 云环境下支持弹性伸缩的容器化工作流框架[J]. 计算机工程, 2019, 45(3): 7-13.

选择文件类型/文献管理软件名称

选择包含的内容