
Hatena Remote Internship 2021: Containers (Lecture Materials)

hatena
October 08, 2021


Transcript

  1. Containers hatenaintern

  2. In this lecture
      - Container technology
      - The technologies that make containers possible
      - What is good about containers
      - Introduction to Docker

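  3. Before virtualization and containers
      - Physical servers
      - Multiple processes run on a single OS
      - Adding or removing servers is physical work, so it is laborious
      - When several applications run side by side, one can end up affecting the others
      - Virtualization with hypervisors such as KVM and Xen
      - What is commonly called a virtual machine
      - A guest OS is booted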
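  4. The virtualization era
      - Multiple servers (guest machines) run on a single server
      - An OS, applications and libraries are installed and run in each virtual machine
      - Cost benefits over physical servers, and easier management
      - Servers can be duplicated and restored from backup, which also gives extensibility and fault tolerance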
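  5. The container era
      - Processes isolated from the host OS
      - An execution environment isolated from other processes
      - A process running in a container does not affect other processes on the host
      - Container images
      - The resources needed to run (application, middleware, libraries and so on) are packaged together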
  6. Container-based virtualization
      - FreeBSD jails
      - LXC (Linux Containers)
      - Docker
      - Podman

  7. Containers
      - Resource isolation
      - A process running in a container does not affect other processes on the host
      - The Linux mechanisms that provide this
      - Namespace
      - Capabilities
      - seccomp, AppArmor, SELinux
  8. Namespace
      - Isolates kernel resources so that they appear as an independent environment
      - Kinds of namespace
      - User, Cgroup, IPC, Network, Mount, PID, Time, UTS
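  9. Namespace (User/Time)
      - User
      - Separates UIDs and GIDs
      - Users with the same UID can be created in different namespaces
      - Time
      - Separates the time seen by the host and by the container
      - A container can be restored at a specific point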
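  10. Namespace (PID/Network)
      - PID
      - Isolates the process ID number space
      - The first process in a namespace is pid 1
      - /proc (procfs) can reach only the processes inside that PID namespace
      - Network
      - Isolates network devices, routing tables, IP addresses, port numbers and so on
      - The container and the host can have different IPs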
  11. Namespace (Mount)
      - Mount
      - Isolates the mount points of the file system
      - chroot and pivot_root

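  12. chroot and pivot_root
      - chroot
      - Changes the root directory of a process and starts the process
      - Only what lies under the specified root directory can be accessed
      - By design, it is possible to move outside the chroot
      - pivot_root
      - Swaps the root file system of the process itself to change the root
      - Subject to some conditions, it is not possible to move outside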
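  13. Namespace (Cgroup)
      - Cgroup
      - A mechanism that limits resource usage for the set of processes inside a container
      - CPU usage, memory usage, number of processes and so on
      - It can also be used for monitoring; docker top relies on it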
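  14. Capabilities
      - Splits root privilege into parts and assigns privileges to files and processes
      - Keeps a vulnerability or similar from affecting other processes or the host OS
      - Grant and manage only the minimum privileges the container needs
      - With docker, privileges can be added (--cap-add) or removed (--cap-drop)
      - Privileges can also be set for specific devices only
      - Check the default privileges in the official documentation or with the pscap command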
  15. seccomp
      - A mechanism that restricts the system calls a process can issue
      - strict mode: only read, write, _exit and sigreturn
      - filter mode: filtering with bpf is possible
      - Some of the system calls Docker restricts by default:
          perf_event_open, pivot_root, process_vm_readv, process_vm_writev, ptrace
  16. Independence of containers
      - Multiple isolated environments can be built on a single host OS
      - Lower overhead than virtual machines
      - Security
      - Portability

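  17. Container security
      - Compared with virtual machines, the isolation level of containers is low
      - Prevent container breakout
      - Do not run processes in a container as the root user
      - Restrict system calls with seccomp
      - Use Docker's Rootless mode
      - Use gVisor or Kata Containers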
  18. Portability
      - The environment it runs in is not restricted
      - Easy to scale
      - Smaller than a copy of a virtual machine

  19. Docker
      - Mechanisms built around the container features of the Linux kernel
      - Building Docker images
      - Layer cache
      - Starting containers from Docker images
      - Registry (Docker Hub)
  20. The components that make up Docker

  21. Docker CLI
      - Docker command line
      - Setting up shell completion
      - https://docs.docker.com/compose/completion
      - Registry (Docker Hub)

  22. Docker CLI
      - Download an image from the registry
          $ docker pull <image uri>
      - Run a new container
          $ docker run --rm -ti <image> <command>
      - Check the containers that have been created
          $ docker container ls -a
  23. Docker CLI
      - Run a command inside a running container
          $ docker exec -ti <container id> <command>
      - Copy a file from inside a container to the host
          $ docker cp <container id>:<src path> <dst path>
      - List the running containers
          $ docker ps
  24. Dockerfile

          # syntax = docker/dockerfile:experimental
          FROM golang:1.14-alpine AS builder
          RUN apk --update add make
          WORKDIR /services/blog
          COPY go.mod go.sum ./
          RUN go mod download
          COPY Makefile ./
          RUN make setup
          COPY . .
          RUN --mount=type=cache,target=/root/.cache/go-build make build

          FROM alpine
          COPY --from=builder /(snip)/server /(snip)/server
          RUN adduser -D -u 1000 app
          USER 1000
          ENTRYPOINT ["/services/blog/bin/server"]

      - A Docker image is generated from a Dockerfile with the docker build command
          $ docker build -f Dockerfile .
      - Dockerfile
      - FROM: specifies the base image
      - RUN: runs an arbitrary command
      - COPY: gets files from the build context
  25. %PDLFSMF ˝ 64&3 ˝ ؤ٤طػ颯Ⳃ侇מ✳榫׌׾ٗ٭ا ˝ &/53:10*/5 ˝ ؤ٤طػ颯Ⳃ侇מ㲔车׌׾ؤُ٤غ 

  26. Layer cache
      - To shorten build time, results are cached per instruction
      - Run first the steps that take long to process and change rarely
  27. multi-stage builds
      - Keep the image size small
      - Include only the dependencies the application needs to run
      - The --target option of docker build
      - Builds a specific stage
  28. buildkit
      - A new builder that has become an official Docker feature
      - Set DOCKER_BUILDKIT=1
      - A cache can be mounted at build time
  29. Docker images
      - A bundle of the files needed for a container to run
      - Made up of multiple layers
      - Docker Hub
          $ docker pull <image name>:<tag>
          $ docker pull hatena/apply-for-internship-2020:latest
  30. What is inside a Docker image?
          % docker save hatena/apply-for-internship-2020:latest > image.tar
          % tar xf image.tar
  31. What is inside a Docker image?

          ├── 2e3d6c9f566f06ae7e9a74b69483b8cb783b1bee48beb02b6524fbcb4de48f71
          │   ├── VERSION
          │   ├── json
          │   └── layer.tar
          ├── 6a28bc9521cd43cb1bbba4facfe4676649681c81ab252d09ad906ca11669d4ca
          │   ├── VERSION
          │   ├── json
          │   └── layer.tar
          ├── 83bc3862525ff9d3b82a85ec3369f8cab40f7e716e36f3db84f15763a11af2fe.json
          ├── da0ea11a16c18578358add538c445cd5408e29ec0f06a7196c51ee7b7e46662d
          │   ├── VERSION
          │   ├── json
          │   └── layer.tar
          ├── manifest.json
          └── repositories
  32. What is inside a Docker image?
      - Check the build history of an image
          $ docker history <image>

          $ docker history hatena/apply-for-internship-2020
          IMAGE          CREATED         CREATED BY                                      SIZE      COMMENT
          8066217f321a   2 minutes ago   ENTRYPOINT ["./apply-for-internship-2020"]      0B        buildkit.dockerfile.v0
          <missing>      2 minutes ago   COPY /go/src/github.com/hatena/apply-for-int…   10.4MB    buildkit.dockerfile.v0
          <missing>      3 minutes ago   COPY public.pem private.pem ./ # buildkit       405B      buildkit.dockerfile.v0
          <missing>      3 minutes ago   WORKDIR /root/                                  0B        buildkit.dockerfile.v0
          <missing>      3 weeks ago     /bin/sh -c #(nop) CMD ["bash"]                  0B
          <missing>      3 weeks ago     /bin/sh -c #(nop) ADD file:45f5dfa135c848a34…   69.3MB

          $ docker history debian:buster-slim
          IMAGE          CREATED         CREATED BY                                      SIZE      COMMENT
          df0140a4030c   3 weeks ago     /bin/sh -c #(nop) CMD ["bash"]                  0B
          <missing>      3 weeks ago     /bin/sh -c #(nop) ADD file:45f5dfa135c848a34…   69.3MB
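  33. Container design
      - One process per container
      - Separating each container as a single function makes horizontal scaling easier
      - Reusability, transparency
      - Reduce dependencies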

  34. Container orchestration
      - Managing multiple containers
      - docker-compose, Amazon ECS, Kubernetes

  35. Container design
      - Keep images lightweight
      - Only the dependencies needed to run
      - With docker, use .dockerignore

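  36. Container design
      - Make containers stateless and immutable
      - Do not modify the application inside a running container
      - Leave persistent data to a component outside the container
      - The container life cycle is short
      - Write logs to stdout/stderr
      - Do not write logs to files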
  37. Container design
      - Store configuration in environment variables
      - It can be changed without redoing docker build
      - The same Docker image can be used in multiple environments

  38. Container scanning
      - Checks whether the software present in an image has known vulnerabilities
      - Tools
      - Trivy
      - Clair
      - Anchore
      - AWS ECR
      - Docker Hub
  39. Trivy
      - https://github.com/aquasecurity/trivy
      - Can scan Docker images, file systems and git repositories

          $ trivy image --severity HIGH hatena/apply-for-internship-2020:latest
          2020-08-05T08:44:37.496+0900 WARN You should avoid using the :latest tag as it is cached. You need to specify '--clear-cache' option when :latest image is changed
          2020-08-05T08:44:40.616+0900 INFO Detecting Debian vulnerabilities...

          hatena/apply-for-internship-2020:latest (debian 10.4)
          =====================================================
          Total: 1 (HIGH: 1)

          +-----------+------------------+----------+-------------------+------------------+--------------------------------+
          |  LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |  FIXED VERSION   |             TITLE              |
          +-----------+------------------+----------+-------------------+------------------+--------------------------------+
          | perl-base | CVE-2020-10878   | HIGH     | 5.28.1-6          | 5.28.1-6+deb10u1 | perl: corruption of            |
          |           |                  |          |                   |                  | intermediate language state    |
          |           |                  |          |                   |                  | of compiled regular expression |
          |           |                  |          |                   |                  | due to...                      |
          +-----------+------------------+----------+-------------------+------------------+--------------------------------+
  40. Summary
      - Containers are one kind of virtualization technology
      - They achieve independence by making good use of existing mechanisms
      - A rich ecosystem

  41. Appendix: Docker Quiz
          $ docker run --rm -i hatena/intern-2020-docker-quiz
      - Answer all the questions correctly to clear the quiz
      - If you get stuck
          $ docker run --rm -i hatena/intern-2020-docker-quiz -hint