Slide 1

Slide 1 text

The (m)Ruby on Container
Uchio Kondo, GMO PEPABO inc.
Sept ?th, RubyKaigi 2016
Welcome to my haconiwa

Slide 2

Slide 2 text

Software Developer Principal
Uchio Kondo, GMO Pepabo, Inc. Dev Productivity R&D Team

Slide 3

Slide 3 text

Uchio Kondo @udzura
Is an ??yo Rubyist, one of Fukuoka.rb coordinators, Rails Girls Fukuoka Organizers, and a system programming novice
One of the authors of “The Perfect Ruby” / “The Perfect Ruby on Rails” (both in Japanese)

Slide 4

Slide 4 text

Fukuoka
@udzura is from Fukuoka, but being a Mikawa Samurai in his heart
Fukuoka is located in the “West” Japan, which is a “Coast” city
Let’s visit Fukuoka.rb
(from https://showcase.city.fukuoka.lg.jp, all rights reserved)

Slide 5

Slide 5 text

My container-based background

Slide 6

Slide 6 text

Before the X-day I decided to create haconiwa
• I have experienced two kinds of containers
  • Docker for an in-house CI basis
  • LXC for a PaaS provided by my company: sqale.jp

Slide 7

Slide 7 text

Docker for in-house CI
• drone.io OSS version

Slide 8

Slide 8 text

Drone.io
• Drone uses Docker as an ephemeral CI container backend
• Drone and Docker are so cool, but I met
  • Some strange bugs
  • Increasing amount of operations

Slide 9

Slide 9 text

e.g. Issue: When trying Docker in Docker (useful for Infra CI), some packages made trouble in installing, especially httpd and systemd. This is because older versions of the aufs build don’t support file capabilities.
But I could not describe the bug in detail at that time.

Slide 10

Slide 10 text

Operations, operations
• Everyday hard disk cleanup operation……

    docker ps -a | \
      grep Exited | \
      awk '{ print $1 }' | \
      xargs docker rm -f

• Increasing LA, CPU usage, memory……
• I was less familiar and had less know-how about Docker or container internals, so I had some troubles

Slide 11

Slide 11 text

Sqale
• Is a Platform as a Service
• Provided by GMO Pepabo

Slide 12

Slide 12 text

LXC in Sqale
• LXC looked more lightweight and understandable to me than Docker
• e.g.
  • Can use bind mount rather than aufs (or alike)
  • Can choose no network isolation (playing isolation inside the container)
• So understandable and controllable for me at that time

Slide 13

Slide 13 text

But……
• I met some discontent again in operation
• e.g. resource reallocation
  • cpuset reallocation is done by regenerating config with chef in Sqale
  • Other resource reallocations are done by hand (e.g. memory limit)
• And I had a conflict in upgrading LXC itself
  • Because we were using very early LXC

Slide 14

Slide 14 text

Conclusion
• I had to study harder about containers……
• I wished to have a brand new container engine which enables us
  • to combine container system attributes in accordance with our choice
  • to change these system attributes by dynamic programming
• So I have created haconiwa
  (Haconiwa signifies a miniature garden in Japanese, and the C involves CONtainer)

Slide 15

Slide 15 text

A small tour of Haconiwa

Slide 16

Slide 16 text

Installation
• Packages are available in packagecloud: https://packagecloud.io/udzura/haconiwa/install

    # example for deb-ish distro
    curl -s https://packagecloud.io/install/repositories/udzura/haconiwa/script.deb.sh | sudo bash
    apt-get update
    apt-get install haconiwa
    apt-get install lxc lxc-templates # Required to bootstrap fs

Slide 17

Slide 17 text

First, create the config file from boilerplate

    $ haconiwa new test.haco
    assign new haconiwa name = haconiwa-0491a405
    assign rootfs location = /var/lib/haconiwa/0491a405
    create test.haco

Slide 18

Slide 18 text

The file looks like just a small ruby script

Slide 19

Slide 19 text

Run the bootstrap via “haconiwa create”
• Then Alpine Linux is bootstrapped by default

Slide 20

Slide 20 text

Install sshd, change sshd config

    Haconiwa.define do |config|
      #...
      config.provision do |p|
        p.run_shell <<-SHELL
          apk add --update openssh
          sed -i 's/#Port.*/Port 2222/' /etc/ssh/sshd_config
          # NOTE: insecure but an example below
          sed -i 's/#PermitRootLogin.*/PermitRootLogin yes/' /etc/ssh/sshd_config
          sed -i 's/#PasswordAuthentication.*/PasswordAuthentication yes/' /etc/ssh/sshd_config
          echo root:r00t | chpasswd
          ssh-keygen -t rsa -P "" -f /etc/ssh/ssh_host_rsa_key
        SHELL
      end
      #...
    end

Slide 21

Slide 21 text

“haconiwa provision” to provision again

Slide 22

Slide 22 text

Change “init” command to sshd, then invoke “run”

    Haconiwa.define do |config|
      # The container name and container's hostname:
      config.name = "haconiwa-0491a405"
      # The first process when invoking haconiwa run:
      # config.init_command = "/bin/bash"
      # To:
      config.init_command = %w(/usr/sbin/sshd -D)
      # And uncomment:
      config.daemonize!
      #...
    end

    $ haconiwa run test.haco

Slide 23

Slide 23 text

No content

Slide 24

Slide 24 text

demo: https://cloud.githubusercontent.com/assets/…/….gif

Slide 25

Slide 25 text

Finally, run “haconiwa kill” to kill the sshd container

    $ haconiwa kill test.haco
    Kill success

Slide 26

Slide 26 text

More about DSL
• You can configure namespace, cgroup, capability, mount point, limit, setuid, setgid…… via hacofile (if necessary, see comments)
• Boilerplate’s default
  • It unshares namespaces uts/ipc/pid/mnt but not net/user
  • It remounts some mount points in a new namespace (e.g. proc, sys)

Slide 27

Slide 27 text

Conclusion of this section
• Haconiwa can be installed as packages (CentOS, Debian jessie, Ubuntu trusty and xenial)
• Haconiwa supports these container operations
  • new/create/run/attach/kill
• You can combine container functionalities using hacofile’s DSL
  (See comments on the generated one)

Slide 28

Slide 28 text

Container technology overview

Slide 29

Slide 29 text

After installing Haconiwa
• There are two extra binaries
  • hacorb
  • hacoirb
• They are just mruby and mirb binaries, which are embedded with container mgems

Slide 30

Slide 30 text

Let’s study containers with mruby

Slide 31

Slide 31 text

What we call (Linux) container
• Is composed with some Linux features
  • Linux Namespace
  • chroot/bind mount
  • cgroups
  • Linux capabilities
  • resource limits, setuid/setgid……

Slide 32

Slide 32 text

Linux namespace
• Linux namespace provides the partitions in OS resources
• e.g.
  • UTS Namespace: Separates hostname from host machine
  • PID Namespace: Counts up Process IDs again
  • Mount Namespace: Separates mount point information from host
  • Others: IPC, Network, User, CGroup

Slide 33

Slide 33 text

Namespace: unshare to see UTS namespace

    puts "Before unshare:"
    RunCmd.new("sample1").run "uname -a" # This puts “localhost”
    # Then unshare the UTS namespace
    Namespace.unshare Namespace::CLONE_NEWUTS
    Procutil.sethostname "rubykaigi.example.org"
    puts "After new namespace:"
    RunCmd.new("sample1").run "uname -a" # This puts “rubykaigi.example.org” and parent remains unchanged

Slide 34

Slide 34 text

chroot and bind mount
• chroot (chroot(2))
  • Changes the root directory of the calling process
• bind mount
  • Is useful to use some directories or files from another location
  • Or to add some subdirectories extra attributes (e.g. readonly)

Slide 35

Slide 35 text

e.g. OS directory tree under host OS subdirectory
• “chroot” into here to enter an isolated filesystem

Slide 36

Slide 36 text

Namespace + chroot = smallest container

    # The smallest container with mruby:
    Namespace.unshare(Namespace::CLONE_NEWNS|Namespace::CLONE_NEWPID)
    m = Mount.new
    m.make_private "/"
    root = "/var/lib/haconiwa/125f23ef"
    m.bind_mount root, root, readonly: true # To make readonly
    Dir.chroot root
    Dir.chdir "/"
    c = Process.fork {
      m.mount "proc", "/proc", :type => "proc"
      Exec.exec "/bin/sh"
    }
    puts "Container exited: #{Process.waitpid2(c).inspect}"
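The same steps in plain C, as an added example that is not haconiwa's own code: each line of the mruby snippet maps to one syscall. The work runs in a forked child so the caller's root and namespaces stay untouched, the rootfs is a constructed scratch directory under /tmp, and instead of exec'ing /bin/sh the child checks that only the scratch tree is visible and that the read-only bind mount refuses writes with EROFS. The function names are mine; an unprivileged run stops at unshare with EPERM.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>

/* Child side, one syscall per line of the mruby snippet above.
 * Exits 0 on success, otherwise the errno of the first failing step. */
static void container_child(const char *root)
{
    /* Namespace.unshare(CLONE_NEWNS|CLONE_NEWPID): needs CAP_SYS_ADMIN,
     * so an unprivileged run stops here with EPERM. */
    if (unshare(CLONE_NEWNS | CLONE_NEWPID) < 0) _exit(errno);
    /* m.make_private "/": our mount changes must not propagate to the host. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0) _exit(errno);
    /* m.bind_mount root, root, readonly: true is two calls in C: the bind,
     * then a remount of that bind as read-only. */
    if (mount(root, root, NULL, MS_BIND, NULL) < 0) _exit(errno);
    if (mount(root, root, NULL, MS_BIND | MS_REMOUNT | MS_RDONLY, NULL) < 0) _exit(errno);
    /* Dir.chroot root; Dir.chdir "/" */
    if (chroot(root) < 0 || chdir("/") < 0) _exit(errno);
    /* In place of Exec.exec "/bin/sh", verify the isolation: only the scratch
     * tree is visible and creating a file must fail with EROFS. */
    if (access("/marker", F_OK) != 0) _exit(ENOENT);
    int fd = open("/scribble", O_CREAT | O_WRONLY, 0600);
    if (fd >= 0) { close(fd); _exit(EIO); } /* writable: read-only bind did not hold */
    _exit(errno == EROFS ? 0 : errno);
}

/* Parent side: run the steps in a fork()ed child so the caller's own root
 * and namespaces stay untouched. Returns 0 or the child's errno. */
int run_smallest_container(const char *root)
{
    pid_t pid = fork();
    if (pid < 0) return errno;
    if (pid == 0) container_child(root);
    int status;
    if (waitpid(pid, &status, 0) < 0) return errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : EIO;
}

/* Constructed rootfs for the demo: a temp directory holding one marker file. */
int make_scratch_root(char *buf, size_t len)
{
    if (len < sizeof "/tmp/haco-XXXXXX") return -1;
    strcpy(buf, "/tmp/haco-XXXXXX");
    if (mkdtemp(buf) == NULL) return -1;
    char marker[128];
    snprintf(marker, sizeof marker, "%s/marker", buf);
    int fd = open(marker, O_CREAT | O_WRONLY, 0644);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}
```

Call make_scratch_root() and then run_smallest_container() from a main(); 0 means every step held, EPERM means the caller lacks CAP_SYS_ADMIN (or a seccomp profile denies unshare).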

Slide 37

Slide 37 text

The smallest container in a dozen lines

Slide 38

Slide 38 text

cgroups (Control Groups)
• The feature of Linux kernel
• This “provides for grouping of tasks and resource tracking and limitations for those groups” (from man cgroups)
• This feature for handling resources by groups of tasks is useful to make “a container (indeed a group of processes)” look like an individual OS

Slide 39

Slide 39 text

e.g. cpuset limitation by cgroup

    cpuset = Cgroup::CPUSET.new "rubykaigi001"
    cpuset.cpus = "0-1"; cpuset.mems = "0"
    cpuset.create # Comment out to use full-core
    cpuset.attach
    def fib(n); n < 2 ? 1 : fib(n-2) + fib(n-1); end
    procs = (1..4).to_a.map do
      Process.fork do
        loop { fib(rand(1000)) }
      end
    end
    procs.each {|pid| Process.waitpid pid }

Slide 40

Slide 40 text

Limit the cores to use (figure: CPU usage with no cgroup vs. with cpuset.cpus set)

Slide 41

Slide 41 text

Linux capabilities
• Traditional “root” has superpower and this is too dangerous in some cases
• Linux capabilities is an idea to divide the privileges into distinct units
• We can choose just the necessary units for operations

Slide 42

Slide 42 text

e.g. dropping time control privilege from “root”

    # Will be dropped after the process invokes execve(2)
    Capability.drop_bound Capability.from_name("cap_sys_time")
    exec "/bin/bash" # Then to be new program...

    root@localhost:~# hacorb mruby/caps.rb # new process below
    root@localhost:~# date -s 'Thu, 21 Dec 95 14:44:05 JST'
    date: cannot set date: Operation not permitted # even a root
    Wed Dec 20 21:44:05 PST 1995
    root@localhost:~# date
    Thu Aug 25 20:40:59 PDT 2016 # unchanged

Slide 43

Slide 43 text

Others
• Resource control (rlimit): the ones we use via ulimit
• setuid/setgid: Controlling effective/real user ID is important for a container
• Other so-called container features such as a SELinux policy are not supported by current haconiwa, sorry but let me skip…

Slide 44

Slide 44 text

Conclusion: the container we call is
• Isolations: Linux namespace, chroot, bind mount, …
• Limitations: cgroups, capabilities, resource limit, …
With these, the “process” can be treated as an “OS” by developers
And these can be controlled by haconiwa’s Ruby DSL

Slide 45

Slide 45 text

FYI: OCI specifications
• It defines what features are to be supported by an OCI container
  (e.g. Namespaces, Control groups, Process configuration such as capabilities, User namespace mappings, seccomp……)
• https://github.com/opencontainers/runtime-spec/blob/master/config.md
• https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md
• BTW, OCI spec refers to linux- and solaris-specific config
• It is likely that Haconiwa can provide the abstract layer for resource limitation, namespace, filesystem between kernels
• It will be released far in the future (maybe)

Slide 46

Slide 46 text

Haconiwa and mruby (and mruby is good for system programming)

Slide 47

Slide 47 text

A very short history of Haconiwa

Slide 48

Slide 48 text

First implementation of Haconiwa
• In CRuby
  • Namespace handling by Kernel#syscall
  • Dir.chroot / mount call by Kernel#system
  • Doing a file operation (open/read/write) for cgroup
  • Using FFI for capabilities (dependent on libcap)
  • And Process.fork + Kernel#exec, the golden twin

Slide 49

Slide 49 text

It works, but……
• There were some worries

Slide 50

Slide 50 text

Especially, some restrictions in system calls
• CRuby is invoked in multi-threaded mode. This is because of a timer thread, which is useful to almost all language use cases. But……

    [vagrant@udzura ~]$ ruby -e 'loop { sleep 1 }' &
    [1] 7560
    [vagrant@udzura ~]$ ls -l /proc/7560/task/
    total 0
    dr-xr-xr-x 6 vagrant vagrant 0 8月 25 11:38 7560
    dr-xr-xr-x 6 vagrant vagrant 0 8月 25 11:38 7561

Slide 51

Slide 51 text

Inspecting man about namespace syscalls
• man page of unshare(2)
  • CLONE_NEWPID (since Linux 3.8) …… CLONE_NEWPID automatically implies CLONE_THREAD as well……
  • ERRORS
    EINVAL CLONE_THREAD, CLONE_SIGHAND, or CLONE_VM was specified in flags, and the caller is multithreaded.
• http://man7.org/linux/man-pages/man2/unshare.2.html

Slide 52

Slide 52 text

Inspecting man about namespace syscalls
• man page of setns(2)
  • A process may not be reassociated with a new mount namespace if it is multithreaded
  • A multithreaded process may not change user namespace with setns()
  • ……
• http://man7.org/linux/man-pages/man2/setns.2.html

Slide 53

Slide 53 text

So the Ruby implementation chose
• To create an unshared process:
  • create a temporary shell file and then pass it to unshare
• To attach an existing namespace:
  • it largely depends on nsenter
• These are…… These are an undesirable strategy (ugly process layout)

Slide 54

Slide 54 text

So I decided to rewrite (in mruby)

Slide 55

Slide 55 text

Rewrite in mruby……
• This ends up being a good choice for me for some reasons
• I’m going to describe

Slide 56

Slide 56 text

Great existing mrbgems
• libcgroup mruby wrapper by matsumotory
• libcap mruby wrapper by matsumotory
• small unshare wrapper by hirokawa (not ID haconiwa)
• IIJ’s great mrbgems, especially mruby-dir and mruby-process

Slide 57

Slide 57 text

mruby’s C API for wrapping C library calls
• I had to implement some mrbgems, almost all of which are wrapping some C-level system calls or C library functions
• But this was an easier job than I expected

Slide 58

Slide 58 text

Example: mruby-linux-namespace
• Write a small function with a naive use of setns(2)
• Then attach to a module

    #define _GNU_SOURCE
    #include <sched.h>   /* setns(2) */
    #include <mruby.h>

    static mrb_value mrb_namespace_setns_by_fd(mrb_state *mrb, mrb_value self)
    {
      mrb_int fileno, nstype;
      int ret;
      /* "ii": two Integer arguments from the Ruby side */
      mrb_get_args(mrb, "ii", &fileno, &nstype);
      ret = setns((int)fileno, (int)nstype);
      if (ret < 0) {
        mrb_sys_fail(mrb, "setns failed"); /* raises from errno */
      }
      return mrb_fixnum_value(ret);
    }
    /* ... */
    void mrb_mruby_namespace_gem_init(mrb_state *mrb)
    {
      struct RClass *namespace;
      namespace = mrb_define_class(mrb, "Namespace", mrb->object_class);
      mrb_define_class_method(mrb, namespace, "setns_by_fd", mrb_namespace_setns_by_fd, MRB_ARGS_REQ(2));
    }

Slide 59

Slide 59 text

For Rubyish API looks, just write it
• I have implemented user-friendly parameter arguments in the ruby layer

    class Namespace
      def self.setns(flag, options)
        fd = options[:fd]
        pid = options[:pid]
        if fd
          setns_by_fd(fd, flag)
        elsif pid
          setns_by_pid(pid, flag)
        else
          raise ArgumentError, "Options :fd or :pid must be specified"
        end
      end
    end

Slide 60

Slide 60 text

mruby as a “C” framework
• mruby provides many functionalities that are useful in writing C
  • GC (resource lifecycle management)
  • string/array/hashtable/object and functions friendly to handle
  • User input (as a ruby code) to C world mapper: mrb_get_args / mrb_*_value

Slide 61

Slide 61 text

e.g. resource lifecycle management
• mruby has GC
• You just can
  • bind your C object to Ruby object when created
  • register the freeing function for C object when Ruby object is GC’ed

    #include <sys/capability.h>   /* cap_t, cap_free */
    #include <mruby.h>
    #include <mruby/data.h>       /* DATA_TYPE, DATA_PTR, mrb_data_type */

    /* Inferred from the use below: the wrapped libcap handle */
    typedef struct { cap_t cap; } mrb_cap_context;

    static void mrb_cap_context_free(mrb_state *mrb, void *p)
    {
      mrb_cap_context *ctx = (mrb_cap_context *)p;
      cap_free(ctx->cap);
      mrb_free(mrb, ctx);
    }
    static const struct mrb_data_type mrb_cap_context_type = {
      "mrb_cap_context", mrb_cap_context_free,
    };
    mrb_value mrb_cap_init(mrb_state *mrb, mrb_value self)
    {
      mrb_cap_context *cap_ctx;
      //...
      DATA_TYPE(self) = &mrb_cap_context_type;
      DATA_PTR(self) = cap_ctx;
      //...
    }

Example at mruby-capability

Slide 62

Slide 62 text

e.g. “String” handling and so on
• Humans wanted to avoid directly handling char[]’s
• mruby’s String class provides
  • Resource handling in Ruby layer
  • String modification toolchains
• You can call Ruby’s powerful and flexible String methods even in C world
• For array/hash and other objects, same as above

    /* fragment: "member" is an Array from the config, shuffled via Ruby calls */
    mrb_value member;
    mrb_get_config_value(mrb, "member", "o", &member);
    mrb_value mnum = mrb_funcall(mrb, member, "size", 0);
    int i;
    int seki_num = mrb_fixnum(mnum);
    for (i = 0; i < seki_num; i++) {
      mnum = mrb_funcall(mrb, member, "size", 0);
      mrb_value seki = mrb_funcall(mrb, mrb_top_self(mrb), "rand", 1, mnum);
      mrb_p(mrb, mrb_funcall(mrb, member, "[]", 1, seki));
      mrb_funcall(mrb, member, "delete_at", 1, seki);
    }

The “sekigae-mruby” code: https://github.com/matsumoto-r/mruby-config/blob/master/example/sekigae/sekigae.c

Slide 63

Slide 63 text

mruby-cli for command line tool
• Very helpful for implementing a command (and its binary)
• haconiwa binary is created under the mruby-cli directory layout (thanks)
• I have added some customizations to Rakefile
• e.g.
  • mruby version locker: checks out a specific version of mruby from github when building
  • mruby/mrbgem version detector
    • on building, generates a file which has all of the mrbgem and mruby version hashes (where possible), and then embeds this into a command
• And I have created mruby-argtable for parsing arguments
  • https://github.com/udzura/mruby-argtable

Slide 64

Slide 64 text

FYI: the container mrbgems I use or create

    features                 | counterpart mruby gem
    -------------------------+-----------------------------------
    Linux namespace          | mruby-linux-namespace
    chroot and bind mount    | mruby-dir, mruby-mount(*)
    cgroups                  | mruby-cgroup
    Linux capabilities       | mruby-capability
    Resource limits          | mruby-resources
    Others (fork/exec/wait)  | mruby-process, mruby-exec(*)

• (*) Actually, these are already used by the hacorb example, not published to the mgem list

Slide 65

Slide 65 text

Conclusion of this part
• For ones who are obliged to utilize system calls or C libraries, mruby’s ecosystem and API should be a help
• The mruby version of Haconiwa was written in just a few months, powered by mruby

Slide 66

Slide 66 text

Container as Code, Orchestration as Code

Slide 67

Slide 67 text

Now that we have Haconiwa
• With Haconiwa, we can combine and control Linux container features by writing mruby code
• In other words, we have realized Container as Code
• Note: this is under heavy development

Slide 68

Slide 68 text

But what we want in the real ops world is
• The way to control
  • How to deploy multiple containers
  • How to increase or decrease containers
  • How to link multiple containers in multiple roles
  • ……in an easy and fluent manner
• a.k.a. The layer of Orchestration

Slide 69

Slide 69 text

Orchestration as Code (especially for containers)

Slide 70

Slide 70 text

I have no silver bullet for this question
• But, but I have a few ideas
• The rest of the presentation will be used for these dreamy thoughts

Slide 71

Slide 71 text

BTW currently haconiwa supports
• Simple clustering with etcd backend
• Overlay networking using flannel (etcd and netns)

    config.namespace.enter "net", via: "/var/run/netns/haco001"

Slide 72

Slide 72 text

demo: https://cloud.githubusercontent.com/assets/…/….gif

Slide 73

Slide 73 text

Experimental “haconiwa watch” command
• Caution: This is experimental of experimentalness
• The spec will definitely change

Slide 74

Slide 74 text

Prepare container base as

    Haconiwa.define do |config|
      suffix = UUID.secure_uuid("%4x%4x")
      config.name = "haconiwa-#{suffix}"
      config.init_command = ["/bin/sleep", UUID.secure_random(30..60).to_s]
      config.daemonize!
      root = Pathname.new("/var/lib/haconiwa/common")
      config.chroot_to root
      #...
    end

Slide 75

Slide 75 text

Prepare watcher DSL as

    Haconiwa.watch do |config|
      config.watch :cluster do |event|
        if event.cluster.count < 5
          # Should be spawned 1 by 1
          Haconiwa.spawn "/etc/haconiwa/haco.d/sleeper.haco"
        end
      end
    end

Slide 76

Slide 76 text

Then run the watching DSL

    $ haconiwa watch process-keeper.rb
    Registered: cluster
    ……

Slide 77

Slide 77 text

Count of containers will be kept to 5

Slide 78

Slide 78 text

In the future (be dreamier and more ambitious)
• Event DSL can be registered to etcd (or somewhere good storage)
• Each container supervisor might be linked in a weak relationship, and then elect the leader; then the leader can watch the cluster and fire the registered events
• This looks like a kernel-less, SPOF-less architecture that maybe works
• But no implementation yet…
• I have found an mruby/C implementation of Raft, so I’ll try in the near future

Slide 79

Slide 79 text

(Diagram: on The Host, each container has a Supervisor and The Container Process; etcd and Overlay Networks connect them; SVs are Clustered by Raft; API access.)

Slide 80

Slide 80 text

Conclusion of this talk

Slide 81

Slide 81 text

“Container” is a combination
• Compare “The UNIX philosophy”
• Each feature is small enough and easier to learn than you expect
• Indeed, you can try these Linux features separately (by mruby)

Slide 82

Slide 82 text

mruby is very good for system programming
• mruby has cool and well-designed C APIs
• Thin enough to easily wrap system calls/C libraries

Slide 83

Slide 83 text

We will be able to control containers by code
• We can do it definitely with mruby
• Container technology is the neigh(bor) of orchestration
• With haconiwa and mruby, it should be a real future that both containers and orchestration will be under control, catching up with dynamic environment changes

Slide 84

Slide 84 text

The containers as the cells of the organism
• This doesn’t look like a fairy tale for me
• (and for matsumotory, maybe)

Slide 85

Slide 85 text

The fluent system

Slide 86

Slide 86 text

Thank you very much!

Slide 87

Slide 87 text

Special Thanks
• All of the photos from https://showcase.city.fukuoka.lg.jp
  • Provided by Fukuoka City (We welcome engineers moving to Fukuoka)
  • except the cells photo: http://www.publicdomainpictures.net/view-image.php?image=… (PD)
• English review by @_zzak, thanks

Slide 88

Slide 88 text

References
• References (all in Japanese)
• Sqale’s talk of mine
  • https://speakerdeck.com/udzura/… (PHP PaaS Sqale wo zhieru jishu)
• Container tutorials
  • https://speakerdeck.com/hayajo/… (by @hayajo)
  • https://speakerdeck.com/tenforward/… (OSC Kyoto, by @tenforward)
  • https://speakerdeck.com/udzura/the-skelton-of-whales

Slide 89

Slide 89 text

Won’t you work at Pepabo too?
We are hiring: @pb_recruit
• Please talk to me if you’re interested in Ruby, mruby, container, Pokémon GO or the rock band Pavement