はてなリモートインターン2020 コンテナ講義資料

ίϯςφ
IBUFOBJOUFSO

View Slide

ֿך闌纏דכ
˖ ،فٔ؛٦ءّٝ׾رٔغٔ٦ׅ׷׋׭ך؝ٝذش䪮遭
˖ %PDLFSⰅꟌ

View Slide

؝ٝذش⟃⵸
˖ 暟椚؟٦غ
˖ אך04♳ח醱侧ךفٗإأ׾⹛ַׅ
˖ ,7.װ9FOזוךع؎ػ٦غ؎ؠח״׷⟎䟝⻉
˖ ְ׻ײ׷⟎䟝وءٝהㄎל׸׷׮ך
˖ ؜أز04׾饯⹛ׇׁ׷

View Slide

؝ٝذشך儗➿
˖ 䎃'SFF#4%KBJMT
˖ 䎃-9$ -JOVY$POUBJOFST

˖ 䎃%PDLFS
˖ 䎃1PENBO

View Slide

؝ٝذشהכ
˖ ،فٔ؛٦ءّٝך؝٦سה׉ך⣛㶷ꟼ⤘׾ػح؛٦آ⻉׃׋
׮ך
˖ مأز04הٔا٦أָꥫꨄׁ׸׋فٗإأ
˖ -JOVYؕ٦طٕכⰟ剣ׁ׸גְ׷
˖ 〳䵤䚍ָ֮׷
˖ 鯪ꆀ

View Slide

ٔا٦أךꥫꨄ
˖ ؝ٝذش♳ד⹛ֻفٗإأָծمأز♳ך➭ךفٗإأח㼎׃
ג䕦갟׾♷ִזְֿה
˖ -JOVYחֶֽ׷׉ך׋׭ך➬穈׫
˖ /BNFTQBDF
˖ ؛٦ػؽٔذ؍
˖ DHSPVQT TFDDPNQ "QQ"SNPS 4&-JOVY

View Slide

/BNFTQBDF
˖ فٗإأַ׵鋅ִ׷ٔا٦أ׾ꥫꨄׅ׷
˖ ⵖ䖴דֹ׷ٔا٦أכ⟃♴ך珏겲
Cgroup, IPC, Network, Mount, PID, Time, User,
UTS

View Slide

˖ .PVOU/BNFTQBDF
˖ ؿ؋؎ٕءأذيךوؐٝزه؎ٝزךꥫꨄ
˖ QJWPU@SPPU
˖ 1*%/BNFTQBDF
˖ فٗإأ*%殢〾瑞꟦ךꥫꨄ
˖ せ⵸瑞꟦ⰻד剑ⴱךفٗإأכQJE
˖ /procQSPDGTכ׉ך1*%せ⵸瑞꟦ⰻך
فٗإأחך׫،ؙإأדֹ׷

View Slide

؛٦ػؽٔذ؍
˖ SPPUِ٦ؠָ䭯א暴埄׾ⴓⶴ׃׋׮ך
˖ CAP_NET_RAWָ֮׷ה3"8ا؛حز׾䪔ִ׷
˖ %PDLFSָ؝ٝذشⰻךSPPUِ٦ؠחرؿٕؓزד♷ִ׷؛٦ػؽٔذ؍
SETPCAP, MKNOD, AUDIT_WRITE, CHOWN,
NET_RAW, DAC_OVERRIDE, FOWNER, FSETID,
KILL, SETGID, SETUID, NET_BIND_SERVICE,
SYS_CHROOT, SETFCAP

View Slide

DHSPVQT
˖ ؝ٝذشⰻךفٗإأך꧊さח㼎׃גٔا٦أ⢪欽ꆀ׾ⵖꣲׅ
׷➬穈׫
˖ $16⢪欽ꆀծًٌٔ⢪欽ꆀծفٗإأ侧זו
˖ 湊鋔׮遤ֲֿהָדֹծdocker topכֿ׸׾ⵃ欽׃גְ׷

View Slide

TFDDPNQ
˖ فٗإأך涪遤דֹ׷ءأذي؝٦ٕ׾ⵖꣲׅ׷➬穈׫
˖ TUSJDUٌ٦سSFBE XSJUF @FYJU TJHSFUVSOך׫
˖ MUFSٌ٦سCQGח״׷ؿ؍ٕةָ〳腉
˖ %PDLFSדرؿٕؓزדⵖꣲׁ׸גְ׷ءأذي؝٦ٕך♧鿇
perf_event_open, pivot_root,
process_vm_readv, process_vm_writev,
ptrace

View Slide

%PDLFS
˖ -JOVYؕ٦طٕך؝ٝذشחꟼׅ׷➬穈׫
˖ %PDLFS؎ً٦آךؽٕس
˖ ٖ؎َ٦ٍؗحءُ
˖ %PDLFS؎ً٦آַ׵ך؝ٝذشך饯⹛
˖ ٖآأزٔ%PDLFS)VC

View Slide

ⴓד׻ַ׷%PDLFS$-*
ءٕؑך酡㸣ך鏣㹀
IUUQTEPDTEPDLFSDPNDPNQPTFDPNQMFUJPO
倜׋ח؝ٝذش׾㹋遤ׅ׷
% docker run !"rm -ti
饯⹛׃גְ׷؝ٝذشⰻד؝وٝس׾㹋遤ׅ׷
% docker exec -ti

View Slide

؝ٝذشⰻךؿ؋؎ٕ׾مأزח؝ؾ٦
% docker cp
饯⹛׃גְ׷؝ٝذشך♧鋮
% docker ps
ٖآأزٔ%PDLFS)VCַ׵؎ً٦آ׾تؐٝٗ٦س
% docker pull

View Slide

%PDLFS׾圓䧭ׅ׷؝ٝه٦طٝز

View Slide

؝ٝذشךإُؗٔذ؍
˖ ⟎䟝وءٝח㼎׃גծ؝ٝذشךꥫꨄٖكٕכ⡚ְ
˖ $POUBJOFS#SFBLPVU׾꣇ּ
˖ ؝ٝذشⰻךفٗإأ׾SPPUِ٦ؠד⹛ַׁזְ
˖ TFDDPNQח״׏גءأذي؝٦ٕ׾ⵖꣲׅ׷
˖ %PDLFSך3PPUMFTTٌ٦س׾ⵃ欽ׅ׷
˖ H7JTPSװ,BUB$POUBJOFST׾⢪ֲ

View Slide

# syntax = docker/dockerfile:experimental
FROM golang:1.14-alpine AS builder
RUN apk !"update add make
WORKDIR /services/blog
COPY go.mod go.sum ./
RUN go mod download
COPY Makefile ./
RUN make setup
COPY . .
RUN !"mount=type=cache,target=/root/.cache/go-build
make build
FROM alpine
COPY !"from=builder /(snip)/server /(snip)/server
RUN adduser -D -u 1000 app
USER 1000
ENTRYPOINT ["/services/blog/bin/server"]
%PDLFSMF
˖ %PDLFS؎ً٦آכ
%PDLFSMFַ׵docker
build؝وٝسד欰䧭
% docker build -f Dockerfile .

View Slide

RUN go mod download
COPY Makefile ./
RUN make setup
COPY . .
make build
FROM alpine
USER 1000
ٖ؎ٍَؗحءُ
˖ ؽٕس儗꟦ך瀉簭ך׋׭ծ
ㄏ⟀⽃⡘דٍؗحءׁُ׸
׷
˖ 㹋遤ח儗꟦ַַָ׶ծ㢌刿
걼䏝ך㼰זְ׮ך׾⯓ח㹋
遤ׅ׷

View Slide

RUN go mod download
COPY Makefile ./
RUN make setup
COPY . .
RUN !"mount=type=cache,target=/root/.cache/go-buil
make build
FROM alpine
USER 1000
NVMUJTUBHFCVJMET
˖ ؟؎ؤ׾㼭ֻׁ⥂א׋׭
˖ ،فٔ؛٦ءّٝך⹛⡲ח
䗳銲ז⣛㶷ך׫ろ׭׷
˖ docker buildך!"
targetؔفءّٝ

View Slide

RUN go mod download
COPY Makefile ./
RUN make setup
COPY . .
make build
FROM alpine
USER 1000
CVJMELJU
˖ %PDLFS״׶姻䒭堣腉
הז׏׋倜׃ְؽٕت٦
˖ DOCKER_BUILDKIT=1
˖ ؽٕس儗חٍؗحءُךو
ؐٝزָדֹ׷

View Slide

%PDLFS؎ً٦آ
˖ ؝ٝذشך⹛⡲ח䗳銲זؿ؋؎ٕ׾תה׭׋׮ך
˖ 醱侧ךٖ؎َד圓䧭ׁ׸׷
% docker pull <Πϝʔδ໊!"<λά>
% docker pull hatena/apply-for-internship-2020:latest

View Slide

%PDLFS؎ً٦آך⚥כוֲז׏גְ׷
% docker save hatena/apply-for-internship-2020:latest > image.tar
% tar xf image.tar

View Slide

!"" 2e3d6c9f566f06ae7e9a74b69483b8cb783b1bee48beb02b6524fbcb4de48f71
# !"" VERSION
# !"" json
# $"" layer.tar
!"" 6a28bc9521cd43cb1bbba4facfe4676649681c81ab252d09ad906ca11669d4ca
# !"" VERSION
# !"" json
# $"" layer.tar
!"" 83bc3862525ff9d3b82a85ec3369f8cab40f7e716e36f3db84f15763a11af2fe.json
!"" da0ea11a16c18578358add538c445cd5408e29ec0f06a7196c51ee7b7e46662d
# !"" VERSION
# !"" json
# $"" layer.tar
!"" manifest.json
$"" repositories

View Slide

% docker history hatena/apply-for-internship-2020
IMAGE CREATED CREATED BY SIZE
83bc3862525f 2 months ago /bin/sh -c !"nop) ENTRYPOINT ["./apply-for-… 0B
2 months ago /bin/sh -c !"nop) COPY file:c47498027cbfc590… 10.4MB
2 months ago /bin/sh -c !"nop) COPY multi:46d4249576ac663… 405B
2 months ago /bin/sh -c !"nop) WORKDIR /root/ 0B
2 months ago /bin/sh -c !"nop) CMD ["bash"] 0B
2 months ago /bin/sh -c !"nop) ADD file:7780c81c33e6cc5b6… 69.2MB

View Slide

؝ٝذشך鏣鎘
˖ ؝ٝذشفٗإأ
˖ ⽃♧ך堣腉ה׃גⴓꨄ׃ג宏䎂أ؛٦ٕ׃װֻׅׅ׷
˖ ⱄⵃ欽䚍ծ鷲僇䚍
˖ ⣛㶷ꟼ⤘׾幾׵ׅ

View Slide

˖ أذ٦زٖأד♶㢌ד֮׷״ֲחׅ׷
˖ 㹋遤׃גְ׷؝ٝذشⰻד،فٔ؛٦ءّٝ׾㢌刿׃זְ
˖ 宕竲ر٦ةכ؝ٝذش㢩鿇ך؝ٝه٦طٝزח⟣ׇ׷
˖ ؝ٝذشךٓ؎ؿ؟؎ؙٕכ瀉ְ
˖ ؚٗכTUEPVUTUEFSSח⳿⸂ׅ׷
˖ ؚٗ׾ؿ؋؎ٕח剅ֹ⳿ׁזְ

View Slide

˖ 鏣㹀׾橆㞮㢌侧ח呓秛ׅ׷
˖ EPDLFSCVJME׾װ׶זֶֿׅהזֻ㢌刿דֹ׷
˖ 醱侧ך橆㞮דずׄ%PDLFS؎ً٦آָ⢪ִ׷

View Slide

؝ٝذشأٍؗٝ
˖ ؎ً٦آⰻח㶷㖈ׅ׷اؿزؐؑ،ח傀濼ך腚䓲䚍ָזְַ
˖ خ٦ٕ
˖ 5SJWZ
˖ $MBJS
˖ "ODIPSF

View Slide

5SJWZ
˖ IUUQTHJUIVCDPNBRVBTFDVSJUZUSJWZ
˖ %PDLFS؎ً٦آծؿ؋؎ٕءأذيծHJUٔهآزٔח㼎׃גأ
ָٍؗٝדֹ׷
% trivy image !"severity HIGH hatena/apply-for-internship-2020:latest
2020-08-05T08:44:37.496+0900 WARN You should avoid using the :latest tag as it is cached. You need to specify '!"clear-cache' option when :latest image is changed
2020-08-05T08:44:40.616+0900 INFO Detecting Debian vulnerabilities!!#
hatena/apply-for-internship-2020:latest (debian 10.4)
=====================================================
Total: 1 (HIGH: 1)
+-----------+------------------+----------+-------------------+------------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+-----------+------------------+----------+-------------------+------------------+--------------------------------+
| perl-base | CVE-2020-10878 | HIGH | 5.28.1-6 | 5.28.1-6+deb10u1 | perl: corruption of |
| | | | | | intermediate language state |
| | | | | | of compiled regular expression |
| | | | | | due to!!# |
+-----------+------------------+----------+-------------------+------------------+--------------------------------+

View Slide

-FUTUSZ%PDLFS2VJ[

View Slide

ؙ؎ؤך儗꟦דׅ
% docker run !"rm -i hatena/intern-2020-docker-quiz
˖ Ⰻ㉏姻鍑׃ծ
!
ָ⳿׷הؙٔ،
˖ 㔭׏׋הֹכ
˖
"
docker run !"rm -i hatena/intern-2020-
docker-quiz -hint

View Slide

鍑铡

View Slide

# -q2 ΦϓγϣϯҾ਺Λ౉ͯ͠ىಈͤΑ
% docker run !"rm -i hatena/intern-2020-docker-quiz -q2
# ͜ͷΠϝʔδͷentrypointͱͯ͠ࢦఆ͞Ε͍ͯΔίϚϯυͷϑϧύε͸Կ͔
% docker inspect hatena/intern-2020-docker-quiz | jq '.[].Config.Entrypoint'
# /app/flag.txt Λϗετʹίϐʔͯ͠ϑΝΠϧͷ಺༰ΛऔಘͤΑ
% docker cp # γΣϧΛىಈͯ͠ /app/get_flag2.exe Λ࣮ߦͤΑ
% docker run !"rm -ti !"entrypoint /bin/sh hatena/intern-2020-docker-quiz
$ ./get_flag2.exe
# ͜ͷΠϝʔδʹؚ·ΕΔpythonʹ͍ͭͯɺTrivyʹΑͬͯݕग़͞ΕΔseverity͕HIGHͷ੬ऑੑͷCVE൪߸Λ౴͑Α
% trivy i !"severity HIGH hatena/intern-2020-docker-quiz

View Slide

ֿך؎ً٦آךFOUSZQPJOUה׃ג䭷㹀ׁ׸גְ׷؝وٝسךا٦أ؝٦س׾䗁⯋
׃גծֿך㉏겗ך瘶ִ׾《䖤ׇ״
% docker history hatena/intern-2020-docker-quiz !"no-trunc
COPY /app/docker_quiz.go.enc /app/password!"delete_me_after_decrypting ./
RUN /bin/sh -c openssl enc -d -aes-256-cbc -pbkdf2 -in docker_quiz.go.enc \
-out docker_quiz.go -pass file:password!"delete_me_after_decrypting !# \
go build docker_quiz.go !# \
rm -rf /root/.cache !# \
rm docker_quiz.go !# \
rm password!"delete_me_after_decrypting
˖ docker_quiz.go.encכ"&4$#$ד农〾⻉ׁ׸׋ؿ؋؎ٕ
˖ QBTTXPSEה䙼׻׸׷ؿ؋؎ٕכ嶊ׁ׸גְ׷״ֲח׫ִ׷
˖ ؎ً٦آٖ؎َה׃ג婍׏גְ׷ךד《׶⳿ֿׅהָדֹ׷

View Slide

% docker save hatena/intern-2020-docker-quiz > docker-quiz.tar
㾜Ꟛ䖓ծMBZFSUBSך⚥ַ׵
password!"delete_me_after_decrypting׾䱱ׅ
% find . -name layer.tar | xargs -p -I{} tar tf {}
QBTTXPSEָろת׸׋ؿ؋؎ٕ׾䩛חⰅ׸׋ךד
docker_quiz.go.enc׾䗁〾׃גا٦أ؝٦س׾Ⰵ䩛

View Slide

{
"͜ͷΠϝʔδͷentrypointͱͯ͠ࢦఆ͞Ε͍ͯΔίϚϯυͷιʔείʔυΛ෮ݩͯ͠ɺ͜ͷ໰୊ͷ౴͑ΛऔಘͤΑ",
"docker history",
[]byte{0xb9, 0xb3, 0xbe, 0xb8, 0xa0, 0xce, 0xc9, 0x8a, 0xca, 0x95, 0x88, 0x9d, 0x8d},
XOR,
false,
},
(snip)
for i !" 0; i < n; i!# {
xor[i] !$ 0xff
}
̕
% python -c 'print(bytearray([x ^ 0xff for x in \
[0xb9, 0xb3, 0xbe, 0xb8, 0xa0, 0xce, 0xc9, 0x8a, 0xca, 0x95, 0x88, 0x9d, 0x8d]]))'

View Slide

はてなリモートインターン2020 コンテナ講義資料

はてなリモートインターン2020 コンテナ講義資料

Hatena

More Decks by Hatena

Other Decks in Technology

Featured

Transcript

はてなリモートインターン2020 コンテナ 講義資料

はてなリモートインターン2020 コンテナ 講義資料

Hatena

More Decks by Hatena

Other Decks in Technology

Featured

Transcript

はてなリモートインターン2020 コンテナ講義資料

はてなリモートインターン2020 コンテナ講義資料