
はてなリモートインターン2020 コンテナ 講義資料


Hatena

May 31, 2022



Transcript

  1. コンテナ
    hatena intern


  2. ֿך闌纏דכ
    ˖ ،فٔ؛٦ءّٝ׾رٔغٔ٦ׅ׷׋׭ך؝ٝذش䪮遭
    ˖ DockerⰅꟌ


  3. ؝ٝذش⟃⵸
    ˖ 暟椚؟٦غ
    ˖ אךOS♳ח醱侧ךفٗإأ׾⹛ַׅ
    ˖ KVMװXenזוךع؎ػ٦غ؎ؠח״׷⟎䟝⻉
    ˖ ְ׻ײ׷⟎䟝وءٝהㄎל׸׷׮ך
    ˖ ؜أزOS׾饯⹛ׇׁ׷


  4. ؝ٝذشך儗➿
    ˖ 䎃FreeBSD jails
    ˖ 䎃LXC Linux Containers

    ˖ 䎃Docker
    ˖ 䎃Podman


  5. ؝ٝذشהכ
    ˖ ،فٔ؛٦ءّٝך؝٦سה׉ך⣛㶷ꟼ⤘׾ػح؛٦آ⻉׃׋
    ׮ך
    ˖ مأز04הٔا٦أָꥫꨄׁ׸׋فٗإأ
    ˖ Linuxؕ٦طٕכⰟ剣ׁ׸גְ׷
    ˖ 〳䵤䚍ָ֮׷
    ˖ 鯪ꆀ


  6. ٔا٦أךꥫꨄ
    ˖ ؝ٝذش♳ד⹛ֻفٗإأָծمأز♳ך➭ךفٗإأח㼎׃
    ג䕦갟׾♷ִזְֿה
    ˖ Linuxחֶֽ׷׉ך׋׭ך➬穈׫
    ˖ Namespace
    ˖ ؛٦ػؽٔذ؍
    ˖ cgroups seccomp AppArmor SELinux


  7. Namespace
    ˖ فٗإأַ׵鋅ִ׷ٔا٦أ׾ꥫꨄׅ׷
    ˖ ⵖ䖴דֹ׷ٔا٦أכ⟃♴ך珏겲
    Cgroup, IPC, Network, Mount, PID, Time, User,
    UTS


  8. ˖ Mount Namespace
    ˖ ؿ؋؎ٕءأذيךوؐٝزه؎ٝزךꥫꨄ
    ˖ pivot_root
    ˖ PID Namespace
    ˖ فٗإأID殢〾瑞꟦ךꥫꨄ
    ˖ せ⵸瑞꟦ⰻד剑ⴱךفٗإأכpid
    ˖ /proc procfsכ׉ךPIDせ⵸瑞꟦ⰻך
    فٗإأחך׫،ؙإأדֹ׷


  9. ؛٦ػؽٔذ؍
    ˖ rootِ٦ؠָ䭯א暴埄׾ⴓⶴ׃׋׮ך
    ˖ CAP_NET_RAWָ֮׷הRAWا؛حز׾䪔ִ׷
    ˖ Dockerָ؝ٝذشⰻךrootِ٦ؠחرؿٕؓزד♷ִ׷؛٦ػؽٔذ؍
    SETPCAP, MKNOD, AUDIT_WRITE, CHOWN,
    NET_RAW, DAC_OVERRIDE, FOWNER, FSETID,
    KILL, SETGID, SETUID, NET_BIND_SERVICE,
    SYS_CHROOT, SETFCAP


  10. cgroups
    ˖ ؝ٝذشⰻךفٗإأך꧊さח㼎׃גٔا٦أ⢪欽ꆀ׾ⵖꣲׅ
    ׷➬穈׫
    ˖ CPU⢪欽ꆀծًٌٔ⢪欽ꆀծفٗإأ侧זו
    ˖ 湊鋔׮遤ֲֿהָדֹծdocker topכֿ׸׾ⵃ欽׃גְ׷


  11. seccomp
    ˖ فٗإأך涪遤דֹ׷ءأذي؝٦ٕ׾ⵖꣲׅ׷➬穈׫
    ˖ strictٌ٦س read write _exit sigreturn ך׫
    ˖ filterٌ٦س bpfח״׷ؿ؍ٕةָ〳腉
    ˖ Dockerדرؿٕؓزדⵖꣲׁ׸גְ׷ءأذي؝٦ٕך♧鿇
    perf_event_open, pivot_root,
    process_vm_readv, process_vm_writev,
    ptrace


  12. Docker
    ˖ Linuxؕ٦طٕך؝ٝذشחꟼׅ׷➬穈׫
    ˖ Docker؎ً٦آךؽٕس
    ˖ ٖ؎َ٦ٍؗحءُ
    ˖ Docker؎ً٦آַ׵ך؝ٝذشך饯⹛
    ˖ ٖآأزٔDockerHub


  13. ⴓד׻ַ׷Docker CLI
    ءٕؑך酡㸣ך鏣㹀
    https://docs.docker.com/compose/completion
    倜׋ח؝ٝذش׾㹋遤ׅ׷
    % docker run --rm -ti
    饯⹛׃גְ׷؝ٝذشⰻד؝وٝس׾㹋遤ׅ׷
    % docker exec -ti


  14. ؝ٝذشⰻךؿ؋؎ٕ׾مأزח؝ؾ٦
    % docker cp
    饯⹛׃גְ׷؝ٝذشך♧鋮
    % docker ps
    ٖآأزٔ%PDLFS)VCַ׵؎ً٦آ׾تؐٝٗ٦س
    % docker pull


  15. Docker׾圓䧭ׅ׷؝ٝه٦طٝز


  16. ؝ٝذشךإُؗٔذ؍
    ˖ ⟎䟝وءٝח㼎׃גծ؝ٝذشךꥫꨄٖكٕכ⡚ְ
    ˖ Container Breakout׾꣇ּ
    ˖ ؝ٝذشⰻךفٗإأ׾rootِ٦ؠד⹛ַׁזְ
    ˖ seccompח״׏גءأذي؝٦ٕ׾ⵖꣲׅ׷
    ˖ DockerךRootlessٌ٦س׾ⵃ欽ׅ׷
    ˖ gVisorװKata Containers׾⢪ֲ


  17. # syntax = docker/dockerfile:experimental
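    FROM golang:1.14-alpine AS builder
    # NOTE(review): golang:1.14-alpine and alpine below are floating tags;
    # pin a digest for reproducible, auditable builds.
    RUN apk --update add make
    WORKDIR /services/blog
    # Module files are copied before the sources so that the dependency
    # download layer is reused while only the application code changes.
    COPY go.mod go.sum ./
    RUN go mod download
    COPY Makefile ./
    RUN make setup
    COPY . .
    # BuildKit cache mount (needs the `# syntax` directive at the top of this
    # file): the Go build cache persists across builds without entering the image.
    RUN --mount=type=cache,target=/root/.cache/go-build \
        make build
    FROM alpine
    # Only the built binary is carried into the runtime stage.
    COPY --from=builder /(snip)/server /(snip)/server
    # The server runs as an unprivileged uid instead of root inside the container.
    RUN adduser -D -u 1000 app
    USER 1000
    ENTRYPOINT ["/services/blog/bin/server"]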
    %PDLFSMF
    ˖ %PDLFS؎ً٦آכ
    %PDLFSMFַ׵docker
    build؝وٝسד欰䧭
    % docker build -f Dockerfile .


  18. # syntax = docker/dockerfile:experimental
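    FROM golang:1.14-alpine AS builder
    # NOTE(review): golang:1.14-alpine and alpine below are floating tags;
    # pin a digest for reproducible, auditable builds.
    RUN apk --update add make
    WORKDIR /services/blog
    # Module files are copied before the sources so that the dependency
    # download layer is reused while only the application code changes.
    COPY go.mod go.sum ./
    RUN go mod download
    COPY Makefile ./
    RUN make setup
    COPY . .
    # BuildKit cache mount (needs the `# syntax` directive at the top of this
    # file): the Go build cache persists across builds without entering the image.
    RUN --mount=type=cache,target=/root/.cache/go-build \
        make build
    FROM alpine
    # Only the built binary is carried into the runtime stage.
    COPY --from=builder /(snip)/server /(snip)/server
    # The server runs as an unprivileged uid instead of root inside the container.
    RUN adduser -D -u 1000 app
    USER 1000
    ENTRYPOINT ["/services/blog/bin/server"]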
    ٖ؎ٍَؗحءُ
    ˖ ؽٕس儗꟦ך瀉簭ך׋׭ծ
    ㄏ⟀⽃⡘דٍؗحءׁُ׸
    ׷
    ˖ 㹋遤ח儗꟦ַַָ׶ծ㢌刿
    걼䏝ך㼰זְ׮ך׾⯓ח㹋
    遤ׅ׷


  19. # syntax = docker/dockerfile:experimental
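    FROM golang:1.14-alpine AS builder
    # NOTE(review): golang:1.14-alpine and alpine below are floating tags;
    # pin a digest for reproducible, auditable builds.
    RUN apk --update add make
    WORKDIR /services/blog
    # Module files are copied before the sources so that the dependency
    # download layer is reused while only the application code changes.
    COPY go.mod go.sum ./
    RUN go mod download
    COPY Makefile ./
    RUN make setup
    COPY . .
    # BuildKit cache mount (needs the `# syntax` directive at the top of this
    # file): the Go build cache persists across builds without entering the image.
    # The cache target is /root/.cache/go-build, as in the other copies of this
    # Dockerfile in the deck; the slide rendering truncated it.
    RUN --mount=type=cache,target=/root/.cache/go-build \
        make build
    FROM alpine
    # Only the built binary is carried into the runtime stage.
    COPY --from=builder /(snip)/server /(snip)/server
    # The server runs as an unprivileged uid instead of root inside the container.
    RUN adduser -D -u 1000 app
    USER 1000
    ENTRYPOINT ["/services/blog/bin/server"]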
    multistage builds
    ˖ ؟؎ؤ׾㼭ֻׁ⥂א׋׭
    ˖ ،فٔ؛٦ءّٝך⹛⡲ח
    䗳銲ז⣛㶷ך׫ろ׭׷
    ˖ docker buildך--
    targetؔفءّٝ


  20. # syntax = docker/dockerfile:experimental
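    FROM golang:1.14-alpine AS builder
    # NOTE(review): golang:1.14-alpine and alpine below are floating tags;
    # pin a digest for reproducible, auditable builds.
    RUN apk --update add make
    WORKDIR /services/blog
    # Module files are copied before the sources so that the dependency
    # download layer is reused while only the application code changes.
    COPY go.mod go.sum ./
    RUN go mod download
    COPY Makefile ./
    RUN make setup
    COPY . .
    # BuildKit cache mount (needs the `# syntax` directive at the top of this
    # file): the Go build cache persists across builds without entering the image.
    RUN --mount=type=cache,target=/root/.cache/go-build \
        make build
    FROM alpine
    # Only the built binary is carried into the runtime stage.
    COPY --from=builder /(snip)/server /(snip)/server
    # The server runs as an unprivileged uid instead of root inside the container.
    RUN adduser -D -u 1000 app
    USER 1000
    ENTRYPOINT ["/services/blog/bin/server"]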
    buildkit
    ˖ Docker״׶姻䒭堣腉
    הז׏׋倜׃ְؽٕت٦
    ˖ DOCKER_BUILDKIT=1
    ˖ ؽٕس儗חٍؗحءُךو
    ؐٝزָדֹ׷


  21. Docker؎ً٦آ
    ˖ ؝ٝذشך⹛⡲ח䗳銲זؿ؋؎ٕ׾תה׭׋׮ך
    ˖ 醱侧ךٖ؎َד圓䧭ׁ׸׷
    % docker pull <イメージ名>:<タグ>
    % docker pull hatena/apply-for-internship-2020:latest


  22. Docker؎ً٦آך⚥כוֲז׏גְ׷
    % docker save hatena/apply-for-internship-2020:latest > image.tar
    % tar xf image.tar


  23. ├── 2e3d6c9f566f06ae7e9a74b69483b8cb783b1bee48beb02b6524fbcb4de48f71
    │   ├── VERSION
    │   ├── json
    │   └── layer.tar
    ├── 6a28bc9521cd43cb1bbba4facfe4676649681c81ab252d09ad906ca11669d4ca
    │   ├── VERSION
    │   ├── json
    │   └── layer.tar
    ├── 83bc3862525ff9d3b82a85ec3369f8cab40f7e716e36f3db84f15763a11af2fe.json
    ├── da0ea11a16c18578358add538c445cd5408e29ec0f06a7196c51ee7b7e46662d
    │   ├── VERSION
    │   ├── json
    │   └── layer.tar
    ├── manifest.json
    └── repositories


  24. % docker history hatena/apply-for-internship-2020
    IMAGE CREATED CREATED BY SIZE
    83bc3862525f 2 months ago /bin/sh -c #(nop) ENTRYPOINT ["./apply-for-… 0B
    2 months ago /bin/sh -c #(nop) COPY file:c47498027cbfc590… 10.4MB
    2 months ago /bin/sh -c #(nop) COPY multi:46d4249576ac663… 405B
    2 months ago /bin/sh -c #(nop) WORKDIR /root/ 0B
    2 months ago /bin/sh -c #(nop) CMD ["bash"] 0B
    2 months ago /bin/sh -c #(nop) ADD file:7780c81c33e6cc5b6… 69.2MB


  25. ؝ٝذشך鏣鎘
    ˖ ؝ٝذشفٗإأ
    ˖ ⽃♧ך堣腉ה׃גⴓꨄ׃ג宏䎂أ؛٦ٕ׃װֻׅׅ׷
    ˖ ⱄⵃ欽䚍ծ鷲僇䚍
    ˖ ⣛㶷ꟼ⤘׾幾׵ׅ


  26. ˖ أذ٦زٖأד♶㢌ד֮׷״ֲחׅ׷
    ˖ 㹋遤׃גְ׷؝ٝذشⰻד،فٔ؛٦ءّٝ׾㢌刿׃זְ
    ˖ 宕竲ر٦ةכ؝ٝذش㢩鿇ך؝ٝه٦طٝزח⟣ׇ׷
    ˖ ؝ٝذشךٓ؎ؿ؟؎ؙٕכ瀉ְ
    ˖ ؚٗכstdout stderrח⳿⸂ׅ׷
    ˖ ؚٗ׾ؿ؋؎ٕח剅ֹ⳿ׁזְ


  27. ˖ 鏣㹀׾橆㞮㢌侧ח呓秛ׅ׷
    ˖ docker build׾װ׶זֶֿׅהזֻ㢌刿דֹ׷
    ˖ 醱侧ך橆㞮דずׄDocker؎ً٦آָ⢪ִ׷


  28. ؝ٝذشأٍؗٝ
    ˖ ؎ً٦آⰻח㶷㖈ׅ׷اؿزؐؑ،ח傀濼ך腚䓲䚍ָזְַ
    ˖ خ٦ٕ
    ˖ Trivy
    ˖ Clair
    ˖ Anchore


  29. Trivy
    ˖ https://github.com/aquasecurity/trivy
    ˖ Docker؎ً٦آծؿ؋؎ٕءأذيծgitٔهآزٔח㼎׃גأ
    ָٍؗٝדֹ׷
    % trivy image --severity HIGH hatena/apply-for-internship-2020:latest
    2020-08-05T08:44:37.496+0900 WARN You should avoid using the :latest tag as it is cached. You need to specify '--clear-cache' option when :latest image is changed
    2020-08-05T08:44:40.616+0900 INFO Detecting Debian vulnerabilities...
    hatena/apply-for-internship-2020:latest (debian 10.4)
    =====================================================
    Total: 1 (HIGH: 1)
    +-----------+------------------+----------+-------------------+------------------+--------------------------------+
    | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
    +-----------+------------------+----------+-------------------+------------------+--------------------------------+
    | perl-base | CVE-2020-10878 | HIGH | 5.28.1-6 | 5.28.1-6+deb10u1 | perl: corruption of |
    | | | | | | intermediate language state |
    | | | | | | of compiled regular expression |
    | | | | | | due to... |
    +-----------+------------------+----------+-------------------+------------------+--------------------------------+


  30. Let's try Docker Quiz


  31. ؙ؎ؤך儗꟦דׅ
    % docker run --rm -i hatena/intern-2020-docker-quiz
    ˖ Ⰻ㉏姻鍑׃ծ
    !
    ָ⳿׷הؙٔ،
    ˖ 㔭׏׋הֹכ
    ˖
    "
    docker run --rm -i hatena/intern-2020-
    docker-quiz -hint


  32. 鍑铡


  33. # -q2 オプション引数を渡して起動せよ
    % docker run --rm -i hatena/intern-2020-docker-quiz -q2
    # このイメージのentrypointとして指定されているコマンドのフルパスは何か
    % docker inspect hatena/intern-2020-docker-quiz | jq '.[].Config.Entrypoint'
    # /app/flag.txt をホストにコピーしてファイルの内容を取得せよ
    % docker cp
    # シェルを起動して /app/get_flag2.exe を実行せよ
    % docker run --rm -ti --entrypoint /bin/sh hatena/intern-2020-docker-quiz
    $ ./get_flag2.exe
    # このイメージに含まれるpythonについて、Trivyによって検出されるseverityがHIGHの脆弱性のCVE番号を答えよ
    % trivy i --severity HIGH hatena/intern-2020-docker-quiz


  34. ֿך؎ً٦آךentrypointה׃ג䭷㹀ׁ׸גְ׷؝وٝسךا٦أ؝٦س׾䗁⯋
    ׃גծֿך㉏겗ך瘶ִ׾《䖤ׇ״
    % docker history hatena/intern-2020-docker-quiz --no-trunc
    COPY /app/docker_quiz.go.enc /app/password--delete_me_after_decrypting ./
    RUN /bin/sh -c openssl enc -d -aes-256-cbc -pbkdf2 -in docker_quiz.go.enc \
    -out docker_quiz.go -pass file:password--delete_me_after_decrypting && \
    go build docker_quiz.go && \
    rm -rf /root/.cache && \
    rm docker_quiz.go && \
    rm password--delete_me_after_decrypting
    ˖ docker_quiz.go.encכAES-CBCד农〾⻉ׁ׸׋ؿ؋؎ٕ
    ˖ passwordה䙼׻׸׷ؿ؋؎ٕכ嶊ׁ׸גְ׷״ֲח׫ִ׷
    ˖ ؎ً٦آٖ؎َה׃ג婍׏גְ׷ךד《׶⳿ֿׅהָדֹ׷


  35. % docker save hatena/intern-2020-docker-quiz > docker-quiz.tar
    㾜Ꟛ䖓ծlayer.tarך⚥ַ׵
    password--delete_me_after_decrypting׾䱱ׅ
    % find . -name layer.tar | xargs -p -I{} tar tf {}
    passwordָろת׸׋ؿ؋؎ٕ׾䩛חⰅ׸׋ךד
    docker_quiz.go.enc׾䗁〾׃גا٦أ؝٦س׾Ⰵ䩛


  36. {
    "このイメージのentrypointとして指定されているコマンドのソースコードを復元して、この問題の答えを取得せよ",
    "docker history",
    []byte{0xb9, 0xb3, 0xbe, 0xb8, 0xa0, 0xce, 0xc9, 0x8a, 0xca, 0x95, 0x88, 0x9d, 0x8d},
    XOR,
    false,
    },
    (snip)
    for i := 0; i < n; i++ {
    xor[i] ^= 0xff
    }
    ̕
    % python -c 'print(bytearray([x ^ 0xff for x in \
    [0xb9, 0xb3, 0xbe, 0xb8, 0xa0, 0xce, 0xc9, 0x8a, 0xca, 0x95, 0x88, 0x9d, 0x8d]]))'
