つくって学ぶLinuxコンテナの裏側

by Hayato Imai

Slide 1

Slide 1 text

ֶͭͬͯ͘Ϳ -JOVYίϯςφͷཪଆ :"1$"TJB)BDIJPKJNJE +VM

Slide 2

Slide 2 text

ࣗݾ঺հ w )BZBUP*NBJ !IBZBKP w ΢Υʔληϧגࣜձࣾ w ΞάϦϊʔτ w Πϯϑϥ୲౰

Slide 3

Slide 3 text

ΞδΣϯμ w -JOVYίϯςφ֓ཁ w ίϯςφΤϯδϯΛͭ͘Ζ͏ w ·ͱΊ

Slide 4

Slide 4 text

-JOVYίϯςφ֓ཁ

Slide 5

Slide 5 text

-JOVYίϯςφ֓ཁ ϋʔυ΢ΣΞԾ૝Խͱ 04ϨϕϧԾ૝Խʢ̍ʣ ϋʔυ΢ΣΞԾ૝Խ w ෳ਺ͷԾ૝Խ͞Εͨϋʔυ΢ΣΞΛಈ͔͢Ծ૝Խํࣜ w 7.8BSF 7JSUVBM#PY 9FO ,7. )ZQFS7ͳͲͰ࠾ ༻͞Ε͍ͯΔ 04ϨϕϧԾ૝Խ w ෳ਺ͷԾ૝Խ͞Εͨ04؀ڥΛಈ͔͢Ծ૝Խํࣜ w $POUBJOFS -JOVY +BJM 'SFF#4% ;POF 4PSBMJT ͱ ݺ͹Ε͍ͯΔ

Slide 6

Slide 6 text

-JOVYίϯςφ֓ཁ ϋʔυ΢ΣΞԾ૝Խͱ 04ϨϕϧԾ૝Խʢ̎ʣ ϋʔυ΢ΣΞԾ૝Խ 04ϨϕϧԾ૝Խ 04 ࣗ༝ ϗετڞ௨ ϑοτϓϦϯτ େ͖͍ খ͍͞ ूੵ౓ ௿͍ ߴ͍ ىಈεϐʔυ ஗͍ ଎͍ ִ཭Ϩϕϧ ߴ͍ ௿͍

Slide 7

Slide 7 text

-JOVYίϯςφ֓ཁ -JOVYίϯςφͱ͸ w 04ϨϕϧԾ૝ԽΛجຊͱͨܰ͠ྔͷԾ૝Խٕज़ w ಉҰΧʔωϧͷϓϩηε܈ΛάϧʔϓԽ w ଞͷάϧʔϓͱ͸ಠཱͨ͠؀ڥͰಈ࡞ ͔͋ͨ΋ผͷγεςϜ্ͰϓϩηεΛ࣮ߦ͍ͯ͠ΔΑ͏ʹ ݟͤΔػೳͰ͢ɻ

Slide 8

Slide 8 text

-JOVYίϯςφ֓ཁ ίϯςφΛߏ੒͢Δओͳٕज़ ʮίϯςφʯͱݺ͹ΕΔҰͭͷٕज़ͰͰ͖͍ͯΔΘ͚Ͱ͸ͳ͘ɺ Լهʹڍ͛ΔΑ͏ͳෳ਺ͷٕज़ͷ૊Έ߹ΘͤͰߏ੒͞ΕΔɻ w /BNFTQBDF w $POUSPM(SPVQ DHSPVQ w $BQBCJMJUZ w DISPPUQJWPU@SPPU w CJOENPVOU w 6OJPO'JMFTZTUFN w 4FDDPNQ w ."$ w WFUI NBDWMBO JQWMBO BOENPSF

Slide 9

Slide 9 text

-JOVYίϯςφ֓ཁ ୅දతͳίϯςφ࣮૷ w %PDLFS SVO$ IUUQTXXXEPDLFSDPN w -9$ IUUQTMJOVYDPOUBJOFSTPSH w SLU $PSF043PDLFU IUUQTDPSFPTDPNSLU w TZTUFNE IUUQTXXXGSFFEFTLUPQPSHXJLJ4PGUXBSFTZTUFNE

Slide 10

Slide 10 text

-JOVYίϯςφ֓ཁ ܰྔίϯςφ࣮૷ w KBJMJOH IUUQTHJUIVCDPNLB[VIPKBJMJOH w ESPPU IUUQTHJUIVCDPNZVVLJESPPU w NJODT IUUQTHJUIVCDPNNIJSBNBUNJODT w 'JSFKBJM IUUQTpSFKBJMXPSEQSFTTDPN w QqBTL IUUQTHJUIVCDPNHIFEPQqBTL

Slide 11

Slide 11 text

ίϯςφΤϯδϯΛ ͭ͘Ζ͏

Slide 12

Slide 12 text

ίϯςφΤϯδϯΛͭ͘Ζ͏ ίϯςφΤϯδϯZBQ$ $ sudo yapc /bin/bash $ sudo YAPC_CPU_QUOTA=50000 yapc \ /bin/bash -c "yes >/dev/null" $ sudo YAPC_CAPS="cap_net_raw" yapc ping 127.0.0.1 $ sudo YAPC_ROOT=centos yapc yum --help w γΣϧεΫϦϓτ w ϦιʔεΛ෼཭ͨ͠؀ڥͰϓϩάϥϜΛ࣮ߦ w $16΍ϝϞϦͳͲͷγεςϜϦιʔεΛ੍ݶՄೳ w ίϯςφ಺ͷݖݶΛ੍ݶՄೳ w SPPUϑΝΠϧγεςϜΛࢦఆՄೳ IUUQTHJUIVCDPNIBZBKPZBQ$USFFZBQDPKJNJE

Slide 13

Slide 13 text

ίϯςφΤϯδϯΛͭ͘Ζ͏ ZBQ$ͷ࣮ߦ؀ڥ w 6CVOUVʢΧʔωϧʣ ‣ 7BHSBOUpFಉࠝ IUUQTBUMBTIBTIJDPSQDPNCPYDVUUFSCPYFTVCVOUV w ίϯςφ಺Ͱbashͱcapsh(libcap)ͷ࣮ߦ؀ڥ͕ ඞཁ

Slide 14

Slide 14 text

ίϯςφΤϯδϯΛͭ͘Ζ͏ ZBQ$ʹඞཁͳཁૉ Ϧιʔεͷ෼཭ Ϧιʔεͷ੍ݶ ݖݶͷ੍ݶ SPPUϑΝΠϧγεςϜͷมߋ

Slide 15

Slide 15 text

Ϧιʔεͷ෼཭ ίϯςφΤϯδϯΛͭ͘Ζ͏ /BNFTQBDFͱݺ͹ΕΔΧʔωϧͷػೳͰ࣮ݱ͠·͢ɻ

Slide 16

Slide 16 text

ίϯςφΤϯδϯΛͭ͘Ζ͏Ϧιʔεͷ෼཭ /BNFTQBDFͱ͸ w Ϛ΢ϯτϙΠϯτɺ1*%ͳͲͷϦιʔεΛ෼཭͠ɺϓϩηε ʹରͯ͠ઐ༻ͷάϩʔόϧϦιʔεΛ͍࣋ͬͯΔ͔ͷΑ͏ʹ ݟͤΔ w ͢΂ͯͷϓϩηε͸͍ͣΕ͔ͷωʔϜεϖʔεʹଐ͍ͯ͠Δ w ωʔϜεϖʔεΛ෼཭͠ͳ͍৔߹͸਌ϓϩηεͷωʔϜεϖʔ εΛҾ͖ܧ͙ʢfork $P8ʣ w /proc//ns/Ͱ֬ೝͰ͖Δ

Slide 17

Slide 17 text

ίϯςφΤϯδϯΛͭ͘Ζ͏Ϧιʔεͷ෼཭ /BNFTQBDFͷछྨ ໊લ Χʔωϧ ֓ཁ .PVOU Ϛ΢ϯτϙΠϯτͷू߹Λ෼཭͢Δɻ 654 ϗετ໊ɺ/*4υϝΠϯ໊Λ෼཭͢Δɻ *1$ 4ZT7*1$ΦϒδΣΫτɺ104*9ΩϡʔΛ෼཭͢Δɻ 1*% 1*%ۭؒΛ෼཭͢Δɻ /FUXPSL ωοτϫʔΫʹؔ࿈͢ΔγεςϜϦιʔεΛ෼཭͢Δɻ 6TFS 6*%(*%ͳͲΛ෼཭͢Δɻ $HSPVQ $HSPVQϧʔτσΟϨΫτϦΛ෼཭͢Δ

Slide 18

Slide 18 text

ίϯςφΤϯδϯΛͭ͘Ζ͏Ϧιʔεͷ෼཭ /BNFTQBDFͷૢ࡞ w DMPOF ৽͍͠ϓϩηεΛੜ੒ͯ͠ωʔϜεϖʔεΛ෼཭͢Δ w VOTIBSF ݱࡏͷϓϩηεͷωʔϜεϖʔεΛ෼཭͢Δ w TFUOT ࢦఆͨ͠ϓϩηεͷωʔϜεϖʔεΛมߋ͢Δ w VOTIBSF VOTIBSF ͷ$-*ΠϯλʔϑΣʔε 1*%ωʔϜεϖʔε͸ࢠϓϩηεͷωʔϜεϖʔε͕෼཭Ҡಈ͞ΕΔ

Slide 19

Slide 19 text

ίϯςφΤϯδϯΛͭ͘Ζ͏Ϧιʔεͷ෼཭ ZBQ$ͷ/BNFTQBDF࣮૷ IUUQTHJUIVCDPNIBZBKPZBQ$CMPCZBQDPKJNJEZBQD w unshare(1)ͰϦιʔεΛ෼཭ w .PVOU 654 *1$ 1*%ωʔϜεϖʔεΛ෼཭ IUUQTHJUIVCDPNIBZBKPZBQ$CMPCZBQDPKJNJEZBQD-

Slide 20

Slide 20 text

ίϯςφΤϯδϯΛͭ͘Ζ͏Ϧιʔεͷ෼཭ ZBQ$ͷ/BNFTQBDFσϞ ✔ 1*%͕ಠཱ͍ͯ͠Δ͜ͱΛ֬ೝ ✔ ϗετ໊มߋ͕ϗετ΁Өڹ͕ͳ͍͜ͱΛ֬ೝ $ sudo /vagrant/yapc.1 /bin/bash CONT# ps auxf CONT# hostname yapc; hostname

Slide 21

Slide 21 text

Ϧιʔεͷ੍ޚ ίϯςφΤϯδϯΛͭ͘Ζ͏ $POUSPM(SPVQ DHSPVQ ͱݺ͹ΕΔΧʔωϧͷػೳͰ࣮ݱ͠·͢ɻ

Slide 22

Slide 22 text

ίϯςφΤϯδϯΛͭ͘Ζ͏Ϧιʔεͷ੍ޚ $POUPSM(SPVQ DHSPVQ ͱ͸ w ϓϩηεΛάϧʔϓԽ͠ɺάϧʔϓʹଘࡏ͢Δϓ ϩηεʹରͯ͠$16࣌ؒɺϝϞϦ࢖༻ྔɺϒϩο ΫσόΠεͷೖग़ྗଳҬͳͲͷϦιʔεͷ؅ཧΛ ߦ͏ w DHSPVQΛಈతʹ࠶ఆٛ͢Δ͜ͱ΋Մೳ

Slide 23

Slide 23 text

ίϯςφΤϯδϯΛͭ͘Ζ͏Ϧιʔεͷ੍ޚ DHSPVQϑΝΠϧγεςϜ w cgroupfsΛϚ΢ϯτ͠ɺσΟϨΫτϦʹΑΔ֊૚ߏ଄Ͱάϧʔ ϓΛදݱ w cpu, memoryͳͲ୯ҰͷϦιʔεΛαϒγεςϜͱݺͿ w ҟͳΔෳ਺ͷ֊૚Λ࣋ͭ͜ͱ͕Մೳ ʢcpu, memoryͳͲͷαϒγεςϜ͝ͱʣ w ෳ਺ͷαϒγεςϜΛ૊Έ߹Θͤͨ֊૚ߏ଄΋࡞੡Մೳ ʢcpu+memoryͳͲʣ w Ұൠతʹ͸/sys/fs/cgroup/ҎԼʹϚ΢ϯτ

Slide 24

Slide 24 text

ίϯςφΤϯδϯΛͭ͘Ζ͏Ϧιʔεͷ੍ޚ αϒγεςϜͷछྨʢ̍ʣ αϒγεςϜ Χʔωϧ ֓ཁ DQV $16࣮ߦ࣌ؒͷ੍ޚ DQVBDDU $16Ϩϙʔτͷੜ੒ DQVTFU $16ίΞͷׂ౰ EFWJDFT σόΠεϑΝΠϧͷΞΫηε੍ޚ GSFF[FS ϓϩηεͷҰ࣌ఀࢭ࠶։ NFNPSZ ϝϞϦ্ݶͷ੍ޚ

Slide 25

Slide 25 text

ίϯςφΤϯδϯΛͭ͘Ζ͏Ϧιʔεͷ੍ޚ αϒγεςϜͷछྨʢ̎ʣ αϒγεςϜ Χʔωϧ ֓ཁ OFU@DMT ωοτϫʔΫύέοτ΁ͷλά෇͚ CMLJP ϒϩοΫσόΠεͷೖग़ྗ੍ޚ QSFG@FWFOU QSFGπʔϧͰϞχλϦϯάͷ੍ޚ OFU@QSJP ωοτϫʔΫτϥϑΟοΫͷ༏ઌ౓Λ੍ޚ IVHFUMC αΠζͷେ͖͍Ծ૝ϝϞϦϖʔδͷ࠶ಡ QJET ϓϩηε্ݶͷ੍ޚ

Slide 26

Slide 26 text

ίϯςφΤϯδϯΛͭ͘Ζ͏Ϧιʔεͷ੍ޚ DHSPVQͷૢ࡞ w /sys/fs/cgroupσΟϨΫτϦͷૢ࡞ • cgroup-tools(libcgroup-tools)

Slide 27

Slide 27 text

ίϯςφΤϯδϯΛͭ͘Ζ͏Ϧιʔεͷ੍ޚ ZBQ$ͷDHSPVQ࣮૷ w cgcreatecgsetcgdeleteͰDHSPVQΛૢ࡞ IUUQTHJUIVCDPNIBZBKPZBQ$CMPCZBQDPKJNJEZBQD-- IUUQTHJUIVCDPNIBZBKPZBQ$CMPCZBQDPKJNJEZBQD-- w ࢠϓϩηεͱͯ͠ىಈ͢ΔίϯςφͷϦιʔεΛ੍ޚ͢ΔͨΊʹɺ unshareͰ͸ࣗ਎ͷεΫϦϓτʢ$0ʣΛݺͼग़ͯ͠1*%νΣοΫ ʢ1*%/BNFTQBDFGPSLͳͷͰɺίϯςφͰͷ1*%͸ͱͳΔʣ IUUQTHJUIVCDPNIBZBKPZBQ$CMPCZBQDPKJNJEZBQD-- w trapͰϓϩηεऴྃ࣌ʹ࡞੒ͨ͠άϧʔϓΛ࡟আ IUUQTHJUIVCDPNIBZBKPZBQ$CMPCZBQDPKJNJEZBQD- IUUQTHJUIVCDPNIBZBKPZBQ$CMPCZBQDPKJNJEZBQD

Slide 28

Slide 28 text

ίϯςφΤϯδϯΛͭ͘Ζ͏Ϧιʔεͷ੍ޚ ZBQ$ͷDHSPVQσϞ ✔ ϗετͰtopΛ࣮ߦ͠ɺ্هίϯςφϓϩηεͷ $16࢖༻཰͕෇ۙʹͳΔ͜ͱΛ֬ೝ $ sudo YAPC_CPU_QUOTA=50000 \ /vagrant/yapc.2 /bin/bash -c "yes >/dev/null"

Slide 29

Slide 29 text

ݖݶͷ੍ݶ ίϯςφΤϯδϯΛͭ͘Ζ͏ $BQBCJMJUZͱݺ͹ΕΔΧʔωϧͷػೳͰ࣮ݱ͠·͢ɻ

Slide 30

Slide 30 text

ίϯςφΤϯδϯΛͭ͘Ζ͏ݖݶͷ੍ݶ $BQBCJMJUZͱ͸ʢ̍ʣ w ࡉ෼Խͨ͠SPPUݖݶΛϓϩηεɺϑΝΠϧʹׂΓ ౰ͯΔ ‣ ௨ৗ͸ҰൠϢʔβʔݖݶʢඇಛݖʣͰಈ͔͘ɺ SPPUݖݶʢಛݖʣͰಈ͔͘ͷछྨ ‣ ಈ࡞͍ͯ͠Δಛݖϓϩηεͷ੬ऑੑʹΑΓɺί ϯϐϡʔλʔΛࣗ༝ʹૢ࡞͞Εͯ͠·͏ڪΕ w ϓϩηεʹ੬ऑੑ͕͋ͬͨͱͯ͠΋ӨڹͷൣғΛ ڱΊΔ͜ͱ͕Ͱ͖Δ

Slide 31

Slide 31 text

ίϯςφΤϯδϯΛͭ͘Ζ͏ݖݶͷ੍ݶ $BQBCJMJUZͱ͸ʢ̎ʣ vagrant@vagrant:~$ ls -l /bin/ping -rwsr-xr-x 1 root root 44168 May 7 2014 /bin/ping vagrant@vagrant:~$ cp /bin/ping . vagrant@vagrant:~$ ls -l ./ping -rwxr-xr-x 1 vagrant vagrant 44168 Jun 29 23:51 ./ping vagrant@vagrant:~$ ./ping 127.0.0.1 ping: icmp open socket: Operation not permitted vagrant@vagrant:~$ sudo setcap CAP_NET_RAW+ep ./ping vagrant@vagrant:~$ getcap ./ping ./ping = cap_net_raw+ep vagrant@vagrant:~$ ./ping -c 3 127.0.0.1 PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data. 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.014 ms ... ྫʣTFUVTFS*%SPPUͰ͸ͳ͍QJOHϓϩάϥϜʹ $"1@/&5@3"8έʔύϏϦςΟΛ༩͑Δ

Slide 32

Slide 32 text

ίϯςφΤϯδϯΛͭ͘Ζ͏ݖݶͷ੍ݶ $BQBCJMJUZͷछྨʢ̍ʣ w ݱࡏछྨ IUUQNBOPSHMJOVYNBOQBHFTNBO DBQBCJMJUJFTIUNM

Slide 33

Slide 33 text

ίϯςφΤϯδϯΛͭ͘Ζ͏ݖݶͷ੍ݶ $BQBCJMJUZͷछྨʢ̎ʣ %PDLFSͰσϑΥϧτͰ༗ޮʹͳΔ$BQBCJMJUZʢछྨʣ έʔύϏϦςΟ ֓ཁ $"1@"6%*5@83*5& Χʔωϧ؂ࠪͷϩάʹϨίʔυΛॻ͖ࠐΉ $"1@$)08/ ϑΝΠϧͷ6*%ͱ(*%Λ೚ҙʹมߋ͢Δ $"1@%"$@07&33*%& ϑΝΠϧͷSFBEXSJUFFYFDͷݖݶνΣοΫΛόΠύε͢Δ $"1@'08/&3 ϑΝΠϧͷ6*%ͱ(*%Λมߋ͢Δ $"1@'4&5*% ϑΝΠϧ͕มߋ͞Εͨͱ͖ʹTVJEͱTHJEϏοτΛΫϦΞ͠ͳ͍ $"1@,*-- γάφϧΛૹ৴͢ΔࡍʹݖݶνΣοΫ͕όΠύε͢Δ $"1@.,/0% NLOPE ͰεϖγϟϧɾϑΝΠϧΛ࡞੒͢Δ $"1@/&5@#*/%@4&37*$& ΢Σϧϊ΢ϯϙʔτΛόΠϯυ͢Δ $"1@/&5@3"8 3"8ιέοτͱ1"$,&5ιέοτͷ࢖༻͢Δ $"1@4&5'$"1 ϑΝΠϧέʔύϏϦςΟΛઃఆ͢Δ $"1@4&5(*% ϓϩηεͷ(*%ͱ௥Ճͷ(*%ϦετΛૢ࡞͢Δ $"1@4&51$"1 ϓϩηεͷέʔύϏϦςΟΛૢ࡞͢Δ $"1@4&56*% ϓϩηεͷ6*%Λૢ࡞͢Δ $"1@4:4@$)3005 DISPPU Λݺͼग़͢

Slide 34

Slide 34 text

ίϯςφΤϯδϯΛͭ͘Ζ͏ݖݶͷ੍ݶ $BQBCJMJUZ4FU ϓϩηεɺϑΝΠϧ͝ͱʹέʔύϏϦςΟηοτΛ࣋ͭ έʔύϏϦςΟ ηοτ ϓϩηε ϑΝΠϧ આ໌ ڐՄʢ1SNʣ ✔ ✔ &⒎ͱ*OIͰ࣋ͭ͜ͱ͕ڐՄ͞ΕΔέʔύϏϦςΟͷ ू߹ɻҰ౓0''ʹͨ͠΋ͷ͸ࣗྗͰ࠶ηοτෆՄ ܧঝʢ*OIʣ ✔ ✔ FYFDWF ͨ͠ࡍʹܧঝ͢ΔέʔύϏϦςΟͷू߹ ࣮ޮʢ&⒎ʣ ✔ ✔ ࣮ࡍʹ൑ఆ͞ΕΔέʔύϏϦςΟͷू߹ ʢϑΝΠϧͰ͸Ϗοτʣ ό΢ϯσΟϯά ʢ#OEʣ ✔ ֫ಘͰ͖ΔέʔύϏϦςΟΛ੍ݶ͢ΔͨΊͷू߹ ؀ڥʢ"NCʣ ✔ ಛݖͷͳ͍ϓϩάϥϜΛFYFDWF ͨ͠ࡍʹอ࣋͞ ΕΔέʔύϏϦςΟͷू߹

Slide 35

Slide 35 text

ίϯςφΤϯδϯΛͭ͘Ζ͏ݖݶͷ੍ݶ $BQBCJMJUZ4FUͷ֬ೝ $ cat /proc/self/status | grep ^Cap CapInh: 0000000000000000 CapPrm: 0000000000000000 CapEff: 0000000000000000 CapBnd: 0000003fffffffff CapAmb: 0000000000000000 $ sudo cat /proc/self/status | grep ^Cap CapInh: 0000000000000000 CapPrm: 0000003fffffffff CapEff: 0000003fffffffff CapBnd: 0000003fffffffff CapAmb: 0000000000000000 $ getcap ./ping ./ping = cap_net_raw+ep ϓϩηεͷέʔύϏϦςΟηοτͷ֬ೝ ϑΝΠϧͷέʔύϏϦςΟηοτͷ֬ೝ

Slide 36

Slide 36 text

ίϯςφΤϯδϯΛͭ͘Ζ͏ݖݶͷ੍ݶ $BQBCJMJUZͷٻΊํ P'(Amb) = (file is privileged) ? 0 : P(Amb) P'(Prm) = (P(Inh) & F(Inh)) | (F(Prm) & cap_bset) | P'(Amb) P'(Eff) = F(Eff) ? P'(Prm) : P'(Amb) P'(Inh) = P(Inh) 1FYFDWF લͷϓϩηεͷέʔύϏϦςΟηοτ 1FYFDWF ޙͷϓϩηεͷέʔύϏϦςΟηοτ 'ϑΝΠϧͷέʔύϏϦςΟηοτ DBQ@CTFUϓϩηεͷό΢ϯσΟϯάηοτ

Slide 37

Slide 37 text

ίϯςφΤϯδϯΛͭ͘Ζ͏ݖݶͷ੍ݶ $BQBCJMJUZͷૢ࡞ w QSDUM w DBQTFU DBQHFU w TFUYBUUS HFUYBUUS w MJCDBQʢਪ঑ʣ

Slide 38

Slide 38 text

ίϯςφΤϯδϯΛͭ͘Ζ͏ݖݶͷ੍ݶ ZBQ$ͷ$BQBCJMJUZ࣮૷ w capsh(8)ͰέʔύϏϦςΟΛૢ࡞ IUUQTHJUIVCDPNIBZBKPZBQ$CMPCZBQDPKJNJEZBQD-- w σϑΥϧτͷέʔύϏϦςΟηοτ͸%PDLFSΛ ࢀߟʢͨͩ͠CAP_NET_RAW͸আ͘ʣ IUUQTHJUIVCDPNIBZBKPZBQ$CMPCZBQDPKJNJEZBQD- IUUQTHJUIVCDPNIBZBKPZBQ$CMPCZBQDPKJNJEZBQD

Slide 39

Slide 39 text

ίϯςφΤϯδϯΛͭ͘Ζ͏ݖݶͷ੍ݶ ZBQ$ͷ$BQBCJMJUZσϞ ✔ ping͕Ͱ͖ͳ͍͜ͱΛ֬ೝ $ sudo /vagrant/yapc.3 ping 127.0.0.1 $ sudo YAPC_CAPS="cap_net_raw" \ /vagrant/yapc.3 ping 127.0.0.1 ✔ ping͕Ͱ͖Δ͜ͱΛ֬ೝ

Slide 40

Slide 40 text

SPPUϑΝΠϧγεςϜͷมߋ ίϯςφΤϯδϯΛͭ͘Ζ͏ DISPPU΍QJWPU@SPPUͰ࣮ݱ͠·͢ɻ ·ͨɺPWFSMBZGT΋ར༻͠·͢ɻ

Slide 41

Slide 41 text

ίϯςφΤϯδϯΛͭ͘Ζ͏SPPUϑΝΠϧγεςϜͷมߋ DISPPUQJWPU@SPPUͱ͸ DISPPU w ϓϩηεͷϧʔτσΟϨΫτϦΛมߋ͢Δ w ύε໊ղܾ࣌ͷϧʔτσΟϨΫτϦ͕มߋ͞ΕΔ QJWPU@SPPU w ϓϩηεͷSPPUϑΝΠϧγεςϜΛೖΕସ͑Δ w ݩͷSPPUϑΝΠϧγεςϜΛΞϯϚ΢ϯτͰ͖Δ

Slide 42

Slide 42 text

ίϯςφΤϯδϯΛͭ͘Ζ͏SPPUϑΝΠϧγεςϜͷมߋ QJWPU@SPPUͷ৚݅ w σΟϨΫτϦͰͳ͚Ε͹ͳΒͳ͍ w new_rootͱput_old͸ݱࡏͷSPPUͱಉ͡ϑΝΠϧγεςϜʹ͋ͬ ͯ͸ͳΒͳ͍ w put_old͸new_rootҎԼʹͳ͚Ε͹ͳΒͳ͍ w ଞͷϑΝΠϧγεςϜ͕put_oldʹϚ΢ϯτ͞Ε͍ͯͯ͸ͳΒͳ͍ QJWPU@SPPͰࢦఆ͢Δ৽͍͠ϑΝΠϧγεςϜͱʢnew_rootʣͱݩ ͷϑΝΠϧγεςϜͷҠಈઌʢput_oldʣ͸ҎԼͷ੍ݶ͕͋Δ

Slide 43

Slide 43 text

ίϯςφΤϯδϯΛͭ͘Ζ͏SPPUϑΝΠϧγεςϜͷมߋ DISPPUQJWPU@SPPUͷૢ࡞ w DISPPU DISPPU w QJWPU@SPPU QJWPU@SPPU

Slide 44

Slide 44 text

ίϯςφΤϯδϯΛͭ͘Ζ͏SPPUϑΝΠϧγεςϜͷมߋ PWFSMBZGTͱ͸ w 6OJPO'JMFTZTUFNͷͻͱͭ w σΟϨΫτϦΛॏͶ͋ΘͤͯͭͷϑΝΠϧγε ςϜʹݟͤΔ w DPQZPOXSJUFͰϑΝΠϧΛࠩ෼؅ཧ͢Δ w Χʔωϧ͔ΒऔΓࠐ·Εͨ

Slide 45

Slide 45 text

ίϯςφΤϯδϯΛͭ͘Ζ͏SPPUϑΝΠϧγεςϜͷมߋ PWFSMBZGTͷMPXFS VQQFS XPSL MPXFS w Լ૚ͷσΟϨΫτϦɻಡΈऔΓઐ༻ w ϑΝΠϧγεςϜͷϕʔεͱͳΔσΟϨΫτϦ VQQFS w ্૚ͷσΟϨΫτϦɻॻ͖ࠐΈՄೳ w ৽ن࡞੒ɺߋ৽͞ΕͨϑΝΠϧ͸͜͜ʹॻ͖ग़͞ΕΔ XPSL w ࡞ۀ༻σΟϨΫτϦ w VQQFSͱಉ͡ϑΝΠϧγεςϜʹଘࡏ͢Δඞཁ͕͋Δ

Slide 46

Slide 46 text

ίϯςφΤϯδϯΛͭ͘Ζ͏SPPUϑΝΠϧγεςϜͷมߋ PWFSMBZGTͷૢ࡞ w NPVOU NPVOU $ CLONE_DIR=$(mktemp -d) $ for d in upper work root; do mkdir $CLONE_DIR/$d; done $ sudo mount \ -t overlay \ -o lowerdir=/,upperdir=$CLONE_DIR/upper,workdir=$CLONE_DIR/work \ overlayfs \ $CLONE_DIR/root

Slide 47

Slide 47 text

ίϯςφΤϯδϯΛͭ͘Ζ͏SPPUϑΝΠϧγεςϜͷมߋ ZBQ$ͷQJWPU@SPPU PWFSMBZGT࣮૷ w PWFSMBZGT NPVOU IUUQTHJUIVCDPNIBZBKPZBQ$CMPCZBQDPKJNJEZBQD-- w QJWPU@SPPU IUUQTHJUIVCDPNIBZBKPZBQ$CMPCZBQDPKJNJEZBQD-- w CJOE@NPVOU IUUQTHJUIVCDPNIBZBKPZBQ$CMPCZBQDPKJNJEZBQD-- ‣ ϑΝΠϧ΍σΟϨΫτϦͳͲΛϑΝΠϧγεςϜͷผͷ৔ॴͰݟ͑ ΔΑ͏ʹ͢Δ ‣ TZNMJOLͱҧ͍chrootpivot_rootʹΑΔ੍໿͕ͳ͍ ‣ IBSEMJOLͱҧ͍σΟϨΫτϦ΋0, IUUQTHJUIVCDPNIBZBKPZBQ$CMPCZBQDPKJNJEZBQD

Slide 48

Slide 48 text

ίϯςφΤϯδϯΛͭ͘Ζ͏SPPUϑΝΠϧγεςϜͷมߋ ZBQ$ͷQJWPU@SPPU PWFSMBZGT σϞʢ̍ʣ $ sudo /vagrant/yapc.4 /bin/bash CONT# touch /yapc; ls -l /yapc ✔ ϗετͰ/yapc͕ଘࡏ͠ͳ͍͜ͱΛ֬ೝ ✔ ϗετͰ/tmp/yapc-.XXXXXX/upper/yapc ͕ଘࡏ͢Δ͜ͱΛ֬ೝ

Slide 49

Slide 49 text

ίϯςφΤϯδϯΛͭ͘Ζ͏SPPUϑΝΠϧγεςϜͷมߋ ZBQ$ͷQJWPU@SPPU PWFSMBZGT σϞʢ̎ʣ $ sudo YAPC_ROOT=centos /vagrant/yapc.4 /bin/bash CONT# yum install -y epel-release; yum install -y sl; sl ✔ ࣄલʹdocker exportͰDFOUPTͷSPPUϑΝΠϧγεςϜ ΞʔΧΠϒΛ࡞੡ɻϗετͷ~/centos΁ల։͢Δ docker export $(docker create centos) > centos.tar ✔ yumίϚϯυ͕࢖͑Δ͜ͱΛ֬ೝ

Slide 50

Slide 50 text

"QQFOEJY ωοτϫʔΫͷ෼཭ ίϯςφΤϯδϯΛͭ͘Ζ͏ /FUXPSL/BNFTQBDFͰ࣮ݱ͠·͢ɻ ෼཭͞ΕͨωοτϫʔΫؒͷ઀ଓʹ͸WFUIΛར༻͠·͢ɻ

Slide 51

Slide 51 text

ίϯςφΤϯδϯΛͭ͘Ζ͏"QQFOEJYωοτϫʔΫͷ෼཭ /FUXPSL/BNFTQBDF͕ ෼཭͢ΔϦιʔε w ωοτϫʔΫσόΠε w *1WWϓϩτίϧελοΫ w ϧʔςΟϯάςʔϒϧ w ϑΝΠΞ΢Υʔϧ w QSPDOFU w TZTDMBTTOFU w ϙʔτ൪߸

Slide 52

Slide 52 text

ίϯςφΤϯδϯΛͭ͘Ζ͏"QQFOEJYωοτϫʔΫͷ෼཭ /FUXPSL/BNFTQBDFͷૢ࡞ w JQOFUOT • ip netns [list] ωοτϫʔΫωʔϜεϖʔεΛҰཡදࣔ • ip netns add ωοτϫʔΫωʔϜεϖʔεͷ࡞੡ • ip netns del ωοτϫʔΫωʔϜεϖʔεͷ࡟আ • ip netns exec ωοτϫʔΫωʔϜεϖʔεΛࢦఆͯ͠ίϚϯυ࣮ޮ w BOENPSF

Slide 53

Slide 53 text

ίϯςφΤϯδϯΛͭ͘Ζ͏"QQFOEJYωοτϫʔΫͷ෼཭ WFUIͱ͸ w Ծ૝తͳΠʔαωοτΠϯλʔϑΣʔεͷϖΞΛ ࡞੒ͯ͠઀ଓ͢Δ

Slide 54

Slide 54 text

ίϯςφΤϯδϯΛͭ͘Ζ͏"QQFOEJYωοτϫʔΫͷ෼཭ WFUIͷૢ࡞ w JQMJOL $ sudo ip link add \ name veth0 \ type veth \ peer name veth1

Slide 55

Slide 55 text

ίϯςφΤϯδϯΛͭ͘Ζ͏"QQFOEJYωοτϫʔΫͷ෼཭ ZBQ$ͷ /FUXPSL/BNFTQBDFͱWFUI࣮૷ w JQOFUOT JQMJOL IUUQTHJUIVCDPNIBZBKPZBQ$CMPCZBQDPKJNJEZBQDB-- ‣ ip netns execͰ/sys/͕ΞϯϚ΢ϯτ͞Εͯ͠·͏ DHSPVQ͕ઃఆͰ͖ͳ͍ ‣ pivot_rootͰϗετͷ/run(/var/run)͕ݟ͑ͳ͘ͳΔ /FUXPSL/BNFTQBDF͕ར༻Ͱ͖ͳ͍ ‣ ্ه̎఺͔Β࣮૷͕͍ۤ͠ײ͡ʹʢྑ͍Ҋ͕͋Γ·ͨ͠Βڭ ͑ͯԼ͍͞ʣ IUUQTHJUIVCDPNIBZBKPZBQ$CMPCZBQDPKJNJEZBQDB

Slide 56

Slide 56 text

ίϯςφΤϯδϯΛͭ͘Ζ͏"QQFOEJYωοτϫʔΫͷ෼཭ ZBQ$ͷ /FUXPSL/BNFTQBDFͱWFUIσϞʢ̍ʣ $ sudo \ YAPC_NET=1 YAPC_CAPS="cap_net_raw,cap_net_admin" \ /vagrant/yapc.a \ ip link ✔ ίϯςφ಺Ͱಠཱͨ͠ωοτϫʔΫΠϯλʔϑΣʔ ε͕ݟ͑Δ͜ͱΛ֬ೝ

Slide 57

Slide 57 text

ίϯςφΤϯδϯΛͭ͘Ζ͏"QQFOEJYωοτϫʔΫͷ෼཭ ZBQ$ͷ /FUXPSL/BNFTQBDFͱWFUIσϞʢ̎ʣ $ sudo ip link add name yapc0 type bridge $ sudo ip link set dev yapc0 up $ sudo ip a add 10.0.0.1/24 \ broadcast 10.0.0.255 \ label yapc0 \ dev yapc0 ϒϦοδΛ࡞੒͢Δ

Slide 58

Slide 58 text

ίϯςφΤϯδϯΛͭ͘Ζ͏"QQFOEJYωοτϫʔΫͷ෼཭ ZBQ$ͷ /FUXPSL/BNFTQBDFͱWFUIσϞʢ̎ʣ $ sudo \ YAPC_NET=1 YAPC_CAPS="cap_net_raw,cap_net_admin" \ /vagrant/yapc.a \ /bin/bash ωοτϫʔΫωʔϜεϖʔεΛ༗ޮʹͨ͠ίϯ ςφͰbashΛ࣮ߦ

Slide 59

Slide 59 text

ίϯςφΤϯδϯΛͭ͘Ζ͏"QQFOEJYωοτϫʔΫͷ෼཭ ZBQ$ͷ /FUXPSL/BNFTQBDFͱWFUIσϞʢ̏ʣ $ ip link # σόΠε໊Λ֬ೝ $ sudo ip link set dev vethXXXXXXX up $ sudo ip link set dev vethXXXXXXX master yapc0 CONT# ip link # eth0ͷଘࡏΛ֬ೝ CONT# ip link set dev eth0 up CONT# ip a add 10.0.0.10/24 dev eth0 ϗετଆͷWFUIΛϒϦοδʹొ࿥͢Δ ίϯςφଆͷvethʹ*1ΞυϨεΛׂΓ౰Δ

Slide 60

Slide 60 text

ίϯςφΤϯδϯΛͭ͘Ζ͏"QQFOEJYωοτϫʔΫͷ෼཭ ZBQ$ͷ /FUXPSL/BNFTQBDFͱWFUIσϞʢ̐ʣ CONT# ping 10.0.0.1 ✔ ϗετʹping͕Ͱ͖Δ͜ͱΛ֬ೝ

Slide 61

Slide 61 text

·ͱΊ

Slide 62

Slide 62 text

w -JOVYίϯςφ͸༷ʑͳػೳͷ૊Έ߹ΘͤͰͰ͖͍ͯΔ w Ϧιʔεͷ෼཭ ‣ /BNFTQBDF w Ϧιʔεͷ੍ݶ ‣ DHSPVQ w ݖݶͷ੍ݶ ‣ $BQBCJMJUZ w SPPUϑΝΠϧγεςϜͷมߋ ‣ DISPPUQJWPU@SPPU PWFSMBZGT ·ͱΊ

Slide 63

Slide 63 text

w %PDLFSͰϗετΛ৐ͬऔΒΕͨ IUUQRJJUBDPNUJUJMBUJUFNTGGBDFF w ඇಛݖίϯςφ w ."$ w 4FDDPNQ w 13@4&5@/0@/&8@13*74 ·ͱΊ ػձ͕͋Ε͹ίϯςφͷηΩϡϦςΟ·ΘΓͷ ػೳ΍ରࡦʹ͍ͭͯ࿩ͤΕ͹