はてなリモートインターン2020 コンテナ 講義資料

Transcript

1. ίϯςφ IBUFOBJOUFSO

2. ֿך闌纏דכ ˖ ،فٔ؛٦ءّٝ׾رٔغٔ٦ׅ׷׋׭ך؝ٝذش䪮遭 ˖ %PDLFSⰅꟌ

3. ؝ٝذش⟃⵸ ˖ 暟椚؟٦غ ˖ אך04♳ח醱侧ךفٗإأ׾⹛ַׅ ˖ ,7.װ9FOזוךع؎ػ٦غ؎ؠח״׷⟎䟝⻉ ˖ ְ׻ײ׷⟎䟝وءٝהㄎל׸׷׮ך ˖

   ؜أز04׾饯⹛ׇׁ׷

4. ؝ٝذشך儗➿ ˖ 䎃
   'SFF#4%
   KBJMT ˖ 䎃
   -9$
   -JOVY
   $POUBJOFST ˖ 䎃
   %PDLFS ˖ 䎃
   1PENBO

5. ؝ٝذشהכ ˖ ،فٔ؛٦ءّٝך؝٦سה׉ך⣛㶷ꟼ⤘׾ػح؛٦آ⻉׃׋ ׮ך ˖ مأز04הٔا٦أָꥫꨄׁ׸׋فٗإأ ˖ -JOVYؕ٦طٕכⰟ剣ׁ׸גְ׷ ˖ 〳䵤䚍ָ֮׷

   ˖ 鯪ꆀ

6. ٔا٦أךꥫꨄ ˖ ؝ٝذش♳ד⹛ֻفٗإأָծمأز♳ך➭ךفٗإأח㼎׃ ג䕦갟׾♷ִזְֿה ˖ -JOVYחֶֽ׷׉ך׋׭ך➬穈׫ ˖ /BNFTQBDF ˖ ؛٦ػؽٔذ؍

   ˖ DHSPVQT
   TFDDPNQ
   "QQ"SNPS
   4&-JOVY

7. /BNFTQBDF ˖ فٗإأַ׵鋅ִ׷ٔا٦أ׾ꥫꨄׅ׷ ˖ ⵖ䖴דֹ׷ٔا٦أכ⟃♴ך珏겲 Cgroup, IPC, Network, Mount, PID,

   Time, User, UTS

8. ˖ .PVOU
   /BNFTQBDF ˖ ؿ؋؎ٕءأذيךوؐٝزه؎ٝزךꥫꨄ ˖ QJWPU@SPPU ˖ 1*%
   /BNFTQBDF ˖ فٗإأ*%殢〾瑞꟦ךꥫꨄ

   ˖ せ⵸瑞꟦ⰻד剑ⴱךفٗإأכQJE
    ˖ /procQSPDGTכ׉ך1*%せ⵸瑞꟦ⰻך فٗإأחך׫،ؙإأדֹ׷

9. ؛٦ػؽٔذ؍ ˖ SPPUِ٦ؠָ䭯א暴埄׾ⴓⶴ׃׋׮ך ˖ CAP_NET_RAWָ֮׷ה3"8ا؛حز׾䪔ִ׷ ˖ %PDLFSָ؝ٝذشⰻךSPPUِ٦ؠחرؿٕؓزד♷ִ׷؛٦ػؽٔذ؍ SETPCAP, MKNOD, AUDIT_WRITE,

   CHOWN, NET_RAW, DAC_OVERRIDE, FOWNER, FSETID, KILL, SETGID, SETUID, NET_BIND_SERVICE, SYS_CHROOT, SETFCAP

10. DHSPVQT ˖ ؝ٝذشⰻךفٗإأך꧊さח㼎׃גٔا٦أ⢪欽ꆀ׾ⵖꣲׅ ׷➬穈׫ ˖ $16⢪欽ꆀծًٌٔ⢪欽ꆀծفٗإأ侧זו ˖ 湊鋔׮遤ֲֿהָדֹծdocker topכֿ׸׾ⵃ欽׃גְ׷

11. TFDDPNQ ˖ فٗإأך涪遤דֹ׷ءأذي؝٦ٕ׾ⵖꣲׅ׷➬穈׫ ˖ TUSJDUٌ٦سSFBE
    XSJUF
    @FYJU
    TJHSFUVSOך׫ ˖ MUFSٌ٦سCQGח״׷ؿ؍ٕةָ〳腉

    ˖ %PDLFSדرؿٕؓزדⵖꣲׁ׸גְ׷ءأذي؝٦ٕך♧鿇 perf_event_open, pivot_root, process_vm_readv, process_vm_writev, ptrace

12. %PDLFS ˖ -JOVYؕ٦طٕך؝ٝذشחꟼׅ׷➬穈׫ ˖ %PDLFS؎ً٦آךؽٕس ˖ ٖ؎َ٦ٍؗحءُ ˖ %PDLFS؎ً٦آַ׵ך؝ٝذشך饯⹛ ˖

    ٖآأزٔ%PDLFS
    )VC

13. ⴓד׻ַ׷%PDLFS
    $-* ءٕؑך酡㸣ך鏣㹀 IUUQTEPDTEPDLFSDPNDPNQPTFDPNQMFUJPO 倜׋ח؝ٝذش׾㹋遤ׅ׷ % docker run !"rm -ti <image>

    <command> 饯⹛׃גְ׷؝ٝذشⰻד؝وٝس׾㹋遤ׅ׷ % docker exec -ti <container id> <command>

14. ؝ٝذشⰻךؿ؋؎ٕ׾مأزח؝ؾ٦ % docker cp <container id!"<src path> <dst path> 饯⹛׃גְ׷؝ٝذشך♧鋮

    % docker ps ٖآأزٔ%PDLFS
    )VCַ׵؎ً٦آ׾تؐٝٗ٦س % docker pull <image>

15. %PDLFS׾圓䧭ׅ׷؝ٝه٦طٝز

16. ؝ٝذشךإُؗٔذ؍ ˖ ⟎䟝وءٝח㼎׃גծ؝ٝذشךꥫꨄٖكٕכ⡚ְ ˖ $POUBJOFS
    #SFBLPVU׾꣇ּ ˖ ؝ٝذشⰻךفٗإأ׾SPPUِ٦ؠד⹛ַׁזְ ˖ TFDDPNQח״׏גءأذي؝٦ٕ׾ⵖꣲׅ׷ ˖

    %PDLFSך3PPUMFTTٌ٦س׾ⵃ欽ׅ׷ ˖ H7JTPSװ,BUB
    $POUBJOFST׾⢪ֲ

17. # syntax = docker/dockerfile:experimental FROM golang:1.14-alpine AS builder RUN apk

    !"update add make WORKDIR /services/blog COPY go.mod go.sum ./ RUN go mod download COPY Makefile ./ RUN make setup COPY . . RUN !"mount=type=cache,target=/root/.cache/go-build make build FROM alpine COPY !"from=builder /(snip)/server /(snip)/server RUN adduser -D -u 1000 app USER 1000 ENTRYPOINT ["/services/blog/bin/server"] %PDLFSMF ˖ %PDLFS؎ً٦آכ %PDLFSMFַ׵docker build؝وٝسד欰䧭 % docker build -f Dockerfile .

18. # syntax = docker/dockerfile:experimental FROM golang:1.14-alpine AS builder RUN apk

    !"update add make WORKDIR /services/blog COPY go.mod go.sum ./ RUN go mod download COPY Makefile ./ RUN make setup COPY . . RUN !"mount=type=cache,target=/root/.cache/go-build make build FROM alpine COPY !"from=builder /(snip)/server /(snip)/server RUN adduser -D -u 1000 app USER 1000 ENTRYPOINT ["/services/blog/bin/server"] ٖ؎ٍَؗحءُ ˖ ؽٕس儗꟦ך瀉簭ך׋׭ծ ㄏ⟀⽃⡘דٍؗحءׁُ׸ ׷ ˖ 㹋遤ח儗꟦ַַָ׶ծ㢌刿 걼䏝ך㼰זְ׮ך׾⯓ח㹋 遤ׅ׷

19. # syntax = docker/dockerfile:experimental FROM golang:1.14-alpine AS builder RUN apk

    !"update add make WORKDIR /services/blog COPY go.mod go.sum ./ RUN go mod download COPY Makefile ./ RUN make setup COPY . . RUN !"mount=type=cache,target=/root/.cache/go-buil make build FROM alpine COPY !"from=builder /(snip)/server /(snip)/server RUN adduser -D -u 1000 app USER 1000 ENTRYPOINT ["/services/blog/bin/server"] NVMUJTUBHF
    CVJMET ˖ ؟؎ؤ׾㼭ֻׁ⥂א׋׭ ˖ ،فٔ؛٦ءّٝך⹛⡲ח 䗳銲ז⣛㶷ך׫ろ׭׷ ˖ docker buildך!" targetؔفءّٝ

20. # syntax = docker/dockerfile:experimental FROM golang:1.14-alpine AS builder RUN apk

    !"update add make WORKDIR /services/blog COPY go.mod go.sum ./ RUN go mod download COPY Makefile ./ RUN make setup COPY . . RUN !"mount=type=cache,target=/root/.cache/go-build make build FROM alpine COPY !"from=builder /(snip)/server /(snip)/server RUN adduser -D -u 1000 app USER 1000 ENTRYPOINT ["/services/blog/bin/server"] CVJMELJU ˖ %PDLFS
    ״׶姻䒭堣腉 הז׏׋倜׃ְؽٕت٦ ˖ DOCKER_BUILDKIT=1 ˖ ؽٕس儗חٍؗحءُךو ؐٝزָדֹ׷

21. %PDLFS؎ً٦آ ˖ ؝ٝذشך⹛⡲ח䗳銲זؿ؋؎ٕ׾תה׭׋׮ך ˖ 醱侧ךٖ؎َד圓䧭ׁ׸׷ % docker pull <Πϝʔδ໊!"<λά> %

    docker pull hatena/apply-for-internship-2020:latest

22. %PDLFS؎ً٦آך⚥כוֲז׏גְ׷ % docker save hatena/apply-for-internship-2020:latest > image.tar % tar xf

    image.tar

23. !"" 2e3d6c9f566f06ae7e9a74b69483b8cb783b1bee48beb02b6524fbcb4de48f71 # !"" VERSION # !"" json # $""

    layer.tar !"" 6a28bc9521cd43cb1bbba4facfe4676649681c81ab252d09ad906ca11669d4ca # !"" VERSION # !"" json # $"" layer.tar !"" 83bc3862525ff9d3b82a85ec3369f8cab40f7e716e36f3db84f15763a11af2fe.json !"" da0ea11a16c18578358add538c445cd5408e29ec0f06a7196c51ee7b7e46662d # !"" VERSION # !"" json # $"" layer.tar !"" manifest.json $"" repositories

24. % docker history hatena/apply-for-internship-2020 IMAGE CREATED CREATED BY SIZE 83bc3862525f

    2 months ago /bin/sh -c !"nop) ENTRYPOINT ["./apply-for-… 0B <missing> 2 months ago /bin/sh -c !"nop) COPY file:c47498027cbfc590… 10.4MB <missing> 2 months ago /bin/sh -c !"nop) COPY multi:46d4249576ac663… 405B <missing> 2 months ago /bin/sh -c !"nop) WORKDIR /root/ 0B <missing> 2 months ago /bin/sh -c !"nop) CMD ["bash"] 0B <missing> 2 months ago /bin/sh -c !"nop) ADD file:7780c81c33e6cc5b6… 69.2MB

25. ؝ٝذشך鏣鎘 ˖ ؝ٝذشفٗإأ ˖ ⽃♧ך堣腉ה׃גⴓꨄ׃ג宏䎂أ؛٦ٕ׃װֻׅׅ׷ ˖ ⱄⵃ欽䚍ծ鷲僇䚍 ˖ ⣛㶷ꟼ⤘׾幾׵ׅ

26. ˖ أذ٦زٖأד♶㢌ד֮׷״ֲחׅ׷ ˖ 㹋遤׃גְ׷؝ٝذشⰻד،فٔ؛٦ءّٝ׾㢌刿׃זְ ˖ 宕竲ر٦ةכ؝ٝذش㢩鿇ך؝ٝه٦طٝزח⟣ׇ׷ ˖ ؝ٝذشךٓ؎ؿ؟؎ؙٕכ瀉ְ ˖ ؚٗכTUEPVUTUEFSSח⳿⸂ׅ׷

    ˖ ؚٗ׾ؿ؋؎ٕח剅ֹ⳿ׁזְ

27. ˖ 鏣㹀׾橆㞮㢌侧ח呓秛ׅ׷ ˖ EPDLFS
    CVJME׾װ׶זֶֿׅהזֻ㢌刿דֹ׷ ˖ 醱侧ך橆㞮דずׄ%PDLFS؎ً٦آָ⢪ִ׷

28. ؝ٝذشأٍؗٝ ˖ ؎ً٦آⰻח㶷㖈ׅ׷اؿزؐؑ،ח傀濼ך腚䓲䚍ָזְַ ˖ خ٦ٕ ˖ 5SJWZ ˖ $MBJS ˖

    "ODIPSF

29. 5SJWZ ˖ IUUQTHJUIVCDPNBRVBTFDVSJUZUSJWZ ˖ %PDLFS؎ً٦آծؿ؋؎ٕءأذيծHJUٔهآزٔח㼎׃גأ ָٍؗٝדֹ׷ % trivy image !"severity

    HIGH hatena/apply-for-internship-2020:latest 2020-08-05T08:44:37.496+0900 WARN You should avoid using the :latest tag as it is cached. You need to specify '!"clear-cache' option when :latest image is changed 2020-08-05T08:44:40.616+0900 INFO Detecting Debian vulnerabilities!!# hatena/apply-for-internship-2020:latest (debian 10.4) ===================================================== Total: 1 (HIGH: 1) +-----------+------------------+----------+-------------------+------------------+--------------------------------+ | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE | +-----------+------------------+----------+-------------------+------------------+--------------------------------+ | perl-base | CVE-2020-10878 | HIGH | 5.28.1-6 | 5.28.1-6+deb10u1 | perl: corruption of | | | | | | | intermediate language state | | | | | | | of compiled regular expression | | | | | | | due to!!# | +-----------+------------------+----------+-------------------+------------------+--------------------------------+

30. -FUT
    USZ
    %PDLFS
    2VJ[

31. ؙ؎ؤך儗꟦דׅ % docker run !"rm -i hatena/intern-2020-docker-quiz ˖ Ⰻ㉏姻鍑׃ծ !

    
    ָ⳿׷הؙٔ، ˖ 㔭׏׋הֹכ ˖ "
    docker run !"rm -i hatena/intern-2020- docker-quiz -hint

32. 鍑铡

33. # -q2 ΦϓγϣϯҾ਺Λ౉ͯ͠ىಈͤΑ % docker run !"rm -i hatena/intern-2020-docker-quiz -q2

    # ͜ͷΠϝʔδͷentrypointͱͯ͠ࢦఆ͞Ε͍ͯΔίϚϯυͷϑϧύε͸Կ͔ % docker inspect hatena/intern-2020-docker-quiz | jq '.[].Config.Entrypoint' # /app/flag.txt Λϗετʹίϐʔͯ͠ϑΝΠϧͷ಺༰ΛऔಘͤΑ % docker cp <container id!#/app/flag.txt . # γΣϧΛىಈͯ͠ /app/get_flag2.exe Λ࣮ߦͤΑ % docker run !"rm -ti !"entrypoint /bin/sh hatena/intern-2020-docker-quiz $ ./get_flag2.exe # ͜ͷΠϝʔδʹؚ·ΕΔpythonʹ͍ͭͯɺTrivyʹΑͬͯݕग़͞ΕΔseverity͕HIGHͷ੬ऑੑͷCVE൪߸Λ౴͑Α % trivy i !"severity HIGH hatena/intern-2020-docker-quiz

34. ֿך؎ً٦آךFOUSZQPJOUה׃ג䭷㹀ׁ׸גְ׷؝وٝسךا٦أ؝٦س׾䗁⯋ ׃גծֿך㉏겗ך瘶ִ׾《䖤ׇ״ % docker history hatena/intern-2020-docker-quiz !"no-trunc COPY /app/docker_quiz.go.enc /app/password!"delete_me_after_decrypting

    ./ RUN /bin/sh -c openssl enc -d -aes-256-cbc -pbkdf2 -in docker_quiz.go.enc \ -out docker_quiz.go -pass file:password!"delete_me_after_decrypting !# \ go build docker_quiz.go !# \ rm -rf /root/.cache !# \ rm docker_quiz.go !# \ rm password!"delete_me_after_decrypting ˖ docker_quiz.go.encכ"&4$#$ד农〾⻉ׁ׸׋ؿ؋؎ٕ ˖ QBTTXPSEה䙼׻׸׷ؿ؋؎ٕכ嶊ׁ׸גְ׷״ֲח׫ִ׷ ˖ ؎ً٦آٖ؎َה׃ג婍׏גְ׷ךד《׶⳿ֿׅהָדֹ׷

35. % docker save hatena/intern-2020-docker-quiz > docker-quiz.tar 㾜Ꟛ䖓ծMBZFSUBSך⚥ַ׵ password!"delete_me_after_decrypting׾䱱ׅ % find

    . -name layer.tar | xargs -p -I{} tar tf {} QBTTXPSEָろת׸׋ؿ؋؎ٕ׾䩛חⰅ׸׋ךד docker_quiz.go.enc׾䗁〾׃גا٦أ؝٦س׾Ⰵ䩛

36. { "͜ͷΠϝʔδͷentrypointͱͯ͠ࢦఆ͞Ε͍ͯΔίϚϯυͷιʔείʔυΛ෮ݩͯ͠ɺ͜ͷ໰୊ͷ౴͑ΛऔಘͤΑ", "docker history", []byte{0xb9, 0xb3, 0xbe, 0xb8, 0xa0, 0xce,

    0xc9, 0x8a, 0xca, 0x95, 0x88, 0x9d, 0x8d}, XOR, false, }, (snip) for i !" 0; i < n; i!# { xor[i] !$ 0xff } ̕ % python -c 'print(bytearray([x ^ 0xff for x in \ [0xb9, 0xb3, 0xbe, 0xb8, 0xa0, 0xce, 0xc9, 0x8a, 0xca, 0x95, 0x88, 0x9d, 0x8d]]))'