はてなリモートインターン2021 コンテナ 講義資料

Transcript

1. ίϯςφ IBUFOBJOUFSO 

2. ׆ס铺紶ךע ˝ ؤ٤طػ䤗软 ˝ ؤ٤طػ؅㲔杯׌׾ג״ס䤗软 ˝ ؤ٤طػס׻ַכ׆؀ ˝ %PDLFS⪌ꝛ 

3. ♞䘶⴫յؤ٤طػ♓⯥ ˝ 擻杼ئ٭ف ˝ חס04┕מ邾丗סوٞجت؅Ⳃ־׌ ˝ ئ٭فס㘃峎ֿ擻杼氳םסך㛻㚺 ˝ 邾丗סؓوٛآ٭ب٘٤ֿⳂַיַ׾םלס㕙⺬מյ☽מ䏅ꮶ؅┙ֻי׊ױֹ׆כ ֵֿ׾

   ˝ ,7.׷9FOםלסـؕق٭فؕاמ׻׾♞䘶⴫ ˝ ַ؂׹׾♞䘶ُب٤כ⽛ף׿׾׵ס ˝ أتع04؅颯Ⳃ׈׎׾ 

4. ♞䘶⴫ס侇♏ ˝ ⺏סئ٭فך邾丗סئ٭فأتعُب٤؅Ⳃ־׌ ˝ ♞䘶ُب٤מ04յؓوٛآ٭ب٘٤յٚؕهٚٛ؅ؕ٤تع٭ ٜ׊㲔车׌׾ ˝ 擻杼ئ٭فמ㵚׌׾ؤتعْٛشعյ畘杼׊׷׌׈׵ֵ׾ ˝ ئ٭فס邾邮׷فشؠؓشو־׼ס䐝⩕םל䦡䍖䓪յ縨꤃㲹

   䓪׵ֵ׾ 

5. ؤ٤طػס侇♏ ˝ ٌتعס04־׼ꣴꦕ׈׿גوٞجت ˝ ☽סوٞجت־׼ꣴꦕ׈׿ג㲔车梪㗞 ˝ ؤ٤طػ┕ךⳂׂوٞجتֿյٌتع┕ס☽סوٞجتמ㵚׊י 䏅ꮶ؅┙ֻםַ ˝ ؤ٤طػْؕ٭ة

   ˝ ؓوٛآ٭ب٘٤յِغؘٜؗؓյٚؕهٚٛםל㲔车מ䑒釐ם ٛخ٭تֿقشآ٭ة׈׿יַ׾ 

6. ؤ٤طػ㑔♞䘶⴫ ˝ 䇗
   'SFF#4%
   KBJMT ˝ 䇗
   -9$
   -JOVY
   $POUBJOFST ˝ 䇗
   %PDLFS ˝ 䇗
   1PENBO

   

7. ؤ٤طػ ˝ ٛخ٭تסꣴꦕ ˝ ؤ٤طػ┕ךⳂׂوٞجتֿյٌتع┕ס☽סوٞجتמ㵚׊י䏅ꮶ ؅┙ֻםַ׆כ ˝ -JOVYמֽׄ׾אסג״ס☼磝ײ ˝ /BNFTQBDF

   ˝ آ٭قلٛطؔ ˝ TFDDPNQ
   "QQ"SNPS
   4&-JOVY 

8. /BNFTQBDF ˝ ؜٭ؾٜסٛخ٭ت؅ꣴꦕ׊י斻玮׊ג梪㗞מ釤׎׾ ˝ /BNFTQBDF
   ס牊걉 ˝ 6TFS
   $HSPVQ
   *1$
   /FUXPSL

   
   .PVOU
   1*%
   5JNF
   654 

9. /BNFTQBDF
   6TFS5JNF ˝ 6TFS ˝ 6*%(*%
   ؅⮆ꦕ׌׾ ˝ 樟ם׾
   /BNF4QBDF
   ך⺱׋
   6*%
   סٗ٭ا؅⛼䡗ך׀׾ ˝ 5JNF

   ˝ ٌتعכؤ٤طػס侇ꝴ؅⮆ꦕ׌׾ ˝ 攐㲊סَؕ٤عךٛتعؓך׀׾ 

10. /BNFTQBDF
    1*%/FUXPSL ˝ 1*% ˝ وٞجت*%樑⺘狜ꝴסꣴꦕ ˝ ⺲⯥狜ꝴ⫂ך僃⮣סوٞجتעQJE
     ˝ /procQSPDGTעאס1*%⺲⯥狜ꝴ⫂סوٞجتמסײؓؠجتך׀׾

    ˝ /FUXPSL ˝ ؾشع٠٭ؠظفؕتյٜ٭طؔ٤ءط٭هٜյ*1ؓغٝتյَ٭ع樑⺘םלסꣴ ꦕ ˝ ؤ٤طػכٌتعך⮯ס
    *1
    ؅䧏י׾ 

11. /BNFTQBDF
    .PVOU ˝ .PVOU ˝ نٜؒؕبتطّסُؗ٤عَؕ٤عסꣴꦕ ˝ DISPPU
    כ
    QJWPU@SPPU 

12. DISPPU
    כ
    QJWPU@SPPU ˝ DISPPU ˝ وٞجتסٜ٭عظؔٝؠعٛ؅㚺催׊יوٞجت؅颯Ⳃ׌׾ ˝ 䧗㲊׈׿גٜ٭عظؔٝؠعٛ鿥┖סײמؓؠجتך׀׾ ˝ ☼喋┕յDISPPU
    ס㛙מ燯Ⳃך׀י׊ױֹ ˝

    QJWPU@SPPU ˝ وٞجتסٜ٭عنٜؒؕبتطّאס׵ס؅⪌׿僀ֻיٜ٭ع؅㚺催׌׾ ˝ 兢♭ֵֿ׾׵סס㛙׫ע燯Ⳃך׀םַն 

13. /BNFTQBDF
    $HSPVQ ˝ $HSPVQ ˝ ؤ٤طػ⫂סوٞجتס꥗⺬מ㵚׊יٛخ٭ت✳榫ꄈ؅⯆꡾ ׌׾☼磝ײ ˝ $16✳榫ꄈյْٓٛ✳榫ꄈյوٞجت丗םל ˝

    泃釱׵车ֹ׆כֿך׀յdocker topע׆׿؅⮵榫׊יַ׾ 

14. آ٭قلٛطؔ ˝ SPPU
    嘤꡾؅⮆Ⱏ׊نٜؒؕ׷وٞجتמ嘤꡾؅錃㲊׌׾ ˝ 耗䍏䓪םלך☽סوٞجت׷ٌتع
    04
    מ䏅ꮶ؅┙ֻםַ ˝ ؤ٤طػמ䑒釐僃㵸꡾ס嘤꡾؅♀┙յ畘杼׌׾ ˝ EPDLFS
    ס㕙⺬յ嘤꡾؅鴑ⱶ !"cap-add

    ׷⯡ꢜך׀׾ !"cap-drop ˝ ظفؕتמ꡾㲊׊י嘤꡾ס錃㲊׵⺎耆 ˝ ظنؚٜعס嘤꡾ע
    ⪜䌋غ؞ْٖ٤ع
    ׷
    pscap
    ؤُ٤غך澬鏀׊ױ ׊׺ֹ 

15. TFDDPNQ ˝ وٞجتס氦车ך׀׾بتطّؤ٭ٜ؅⯆꡾׌׾☼磝ײ ˝ TUSJDUٓ٭غSFBE
    XSJUF
    @FYJU
    TJHSFUVSOסײ ˝ MUFSٓ٭غCQGמ׻׾نٜؔذֿ⺎耆

    ˝ %PDLFSךظنؚٜعך⯆꡾׈׿יַ׾بتطّؤ٭ٜס┉鼧 perf_event_open, pivot_root, process_vm_readv, process_vm_writev, ptrace 

16. ؤ٤طػס斻玮䓪 ˝ חסٌتع
    04
    מꣴꦕ׈׿ג邾丗ס梪㗞؅啶疣ך׀׾ ˝ ♞䘶ُب٤מ奂׬י؛٭ف٭ىشغֿ⛥ַ ˝ ج؞ٖٛطؔ ˝ ⺎䯈䓪 

17. ؤ٤طػסج؞ٖٛطؔ ˝ ♞䘶ُب٤מ㵚׊יյؤ٤طػסꣴꦕٝيٜע⛥ַ ˝ $POUBJOFS
    #SFBLPVU؅ꡔ׃ ˝ ؤ٤طػ⫂סوٞجت؅SPPUٗ٭اךⳂ־׈םַ ˝ TFDDPNQמ׻זיبتطّؤ٭ٜ؅⯆꡾׌׾ ˝

    %PDLFSס3PPUMFTTٓ٭غ؅⮵榫׌׾ ˝ H7JTPS
    ׷
    ,BUB
    $POUBJOFST
    ؅✳ֹ 

18. ⺎䯈䓪 ˝ 㲔车׌׾梪㗞ֿ꡾㲊׈׿םַ ˝ تآ٭ٜ׊׷׌ַ ˝ ♞䘶ُب٤סؤم٭׻׽㵸׈ַ 

19. %PDLFS ˝ -JOVY؜٭ؾٜסؤ٤طػמ꞊׌׾☼磝ײ ˝ %PDLFSْؕ٭ةסلٜغ ˝ ٕٝؕ٭؞ٔشبٖ ˝ %PDLFSْؕ٭ة־׼סؤ٤طػס颯Ⳃ ˝

    ٝةتعٛ%PDLFS
    )VC 

20. %PDLFS؅啶䡗׌׾ؤ٤َ٭ؾ٤ع 

21. %PDLFS
    $-* ˝ %PDLFS
    DPNNBOE
    MJOF ˝ بؘٜס遨㱭ס錃㲊 ˝ IUUQTEPDTEPDLFSDPNDPNQPTFDPNQMFUJPO ˝ ٝةتعٛ%PDLFS
    )VC 

22. %PDLFS
    $-* ˝ ٝةتعٛ־׼ْؕ٭ة؅رؗ٤ٞ٭غ $ docker pull <image uri> ˝ 二גמؤ٤طػ؅㲔车׌׾

    $ docker run !"rm -ti <image> <command> ˝ ⛼䡗׊גؤ٤طػ؅澬鏀׌׾ $ docker container ls -a 

23. %PDLFS
    $-* ˝ 颯Ⳃ׊יַ׾ؤ٤طػ⫂ךؤُ٤غ؅㲔车׌׾ $ docker exec -ti <container id> <command>

    ˝ ؤ٤طػ⫂סنٜؒؕ؅ٌتعמؤم٭ $ docker cp <container id!"<src path> <dst path> ˝ 颯Ⳃ׊יַ׾ؤ٤طػס┉鈋 $ docker ps 

24. # syntax = docker/dockerfile:experimental FROM golang:1.14-alpine AS builder RUN apk

    !"update add make WORKDIR /services/blog COPY go.mod go.sum ./ RUN go mod download COPY Makefile ./ RUN make setup COPY . . RUN !"mount=type=cache,target=/root/.cache/go-build make build FROM alpine COPY !"from=builder /(snip)/server /(snip)/server RUN adduser -D -u 1000 app USER 1000 ENTRYPOINT ["/services/blog/bin/server"] %PDLFSMF ˝ %PDLFSْؕ٭ةע%PDLFSMF־׼ docker buildؤُ٤غך榟䡗 $ docker build -f Dockerfile . ˝ %PDLFSMF ˝ '30.
    ي٭تْؕ٭ة䧗㲊 ˝ 36/
    ♳䙫סؤُ٤غ؅㲔车 ˝ $01:
    لٜغؤ٤ط؞تع־׼ نٜؒؕ؅⹦䐂׌׾ 

25. %PDLFSMF ˝ 64&3 ˝ ؤ٤طػ颯Ⳃ侇מ✳榫׌׾ٗ٭ا ˝ &/53:10*/5 ˝ ؤ٤طػ颯Ⳃ侇מ㲔车׌׾ؤُ٤غ 

26. # syntax = docker/dockerfile:experimental FROM golang:1.14-alpine AS builder RUN apk

    !"update add make WORKDIR /services/blog COPY go.mod go.sum ./ RUN go mod download COPY Makefile ./ RUN make setup COPY . . RUN !"mount=type=cache,target=/root/.cache/go-build make build FROM alpine COPY !"from=builder /(snip)/server /(snip)/server RUN adduser -D -u 1000 app USER 1000 ENTRYPOINT ["/services/blog/bin/server"] ٕٝؕ؞ٔشبٖ ˝ لٜغ侇ꝴס湾竊סג״յ ⽜♐ⶡ⛣ך؞ٔشبٖ׈׿ ׾ ˝ ⭚杼侇ꝴֿ־־׽յ㚺催값 䈱ס㵼םַ׵ס؅⩝מ㲔车 ׌׾ 

27. # syntax = docker/dockerfile:experimental FROM golang:1.14-alpine AS builder RUN apk

    !"update add make WORKDIR /services/blog COPY go.mod go.sum ./ RUN go mod download COPY Makefile ./ RUN make setup COPY . . RUN !"mount=type=cache,target=/root/.cache/go-buil make build FROM alpine COPY !"from=builder /(snip)/server /(snip)/server RUN adduser -D -u 1000 app USER 1000 ENTRYPOINT ["/services/blog/bin/server"] NVMUJTUBHF
    CVJMET ˝ ْؕ٭ةئؕث؅㵸׈ׂ⟊ ח ˝ ؓوٛآ٭ب٘٤סⳂ⛼ מ䑒釐ם❣㰆סײ⻠״׾ ˝ docker buildס!" target؛وب٘٤ ˝ 攐㲊ס
    TUBHF
    ؅لٜغ׌ ׾ 

28. # syntax = docker/dockerfile:experimental FROM golang:1.14-alpine AS builder RUN apk

    !"update add make WORKDIR /services/blog COPY go.mod go.sum ./ RUN go mod download COPY Makefile ./ RUN make setup COPY . . RUN !"mount=type=cache,target=/root/.cache/go-build make build FROM alpine COPY !"from=builder /(snip)/server /(snip)/server RUN adduser -D -u 1000 app USER 1000 ENTRYPOINT ["/services/blog/bin/server"] CVJMELJU ˝ %PDLFS
    ׻׽塜䌋嚀耆 כםזג二׊ַلٜر٭ ˝ DOCKER_BUILDKIT=1
    ؅錃 㲊׊יֽׂ ˝ لٜغ侇מ؞ٔشبٖסُ ؗ٤عֿך׀׾ 

29. %PDLFSْؕ٭ة ˝ ؤ٤طػסⳂ⛼מ䑒釐םنٜؒؕ؅ױכ״ג׵ס ˝ 邾丗סٕٝؕך啶䡗׈׿׾ ˝ %PDLFS)VC $ docker pull

    <Πϝʔδ໊!"<λά> $ docker pull hatena/apply-for-internship-2020:latest 

30. %PDLFSْؕ٭ةס╈עלֹםזיַ׾ % docker save hatena/apply-for-internship-2020:latest > image.tar % tar xf

    image.tar 

31. %PDLFSْؕ٭ةס╈עלֹםזיַ׾ ├── 2e3d6c9f566f06ae7e9a74b69483b8cb783b1bee48beb02b6524fbcb4de48f71 │ ├── VERSION │ ├── json │

    └── layer.tar ├── 6a28bc9521cd43cb1bbba4facfe4676649681c81ab252d09ad906ca11669d4ca │ ├── VERSION │ ├── json │ └── layer.tar ├── 83bc3862525ff9d3b82a85ec3369f8cab40f7e716e36f3db84f15763a11af2fe.json ├── da0ea11a16c18578358add538c445cd5408e29ec0f06a7196c51ee7b7e46662d │ ├── VERSION │ ├── json │ └── layer.tar ├── manifest.json └── repositories 

32. %PDLFSْؕ٭ةס╈עלֹםזיַ׾ ˝ ْؕ٭ة啶疣ס㷽塷؅澬鏀׌׾ $ docker history <image> $ docker history

    hatena/apply-for-internship-2020 IMAGE CREATED CREATED BY SIZE COMMENT 8066217f321a 2 minutes ago ENTRYPOINT ["./apply-for-internship-2020"] 0B buildkit.dockerfile.v0 <missing> 2 minutes ago COPY /go/src/github.com/hatena/apply-for-int… 10.4MB buildkit.dockerfile.v0 <missing> 3 minutes ago COPY public.pem private.pem ./ # buildkit 405B buildkit.dockerfile.v0 <missing> 3 minutes ago WORKDIR /root/ 0B buildkit.dockerfile.v0 <missing> 3 weeks ago /bin/sh -c !"nop) CMD ["bash"] 0B <missing> 3 weeks ago /bin/sh -c !"nop) ADD file:45f5dfa135c848a34… 69.3MB $ docker history debian:buster-slim IMAGE CREATED CREATED BY SIZE COMMENT df0140a4030c 3 weeks ago /bin/sh -c !"nop) CMD ["bash"] 0B <missing> 3 weeks ago /bin/sh -c !"nop) ADD file:45f5dfa135c848a34… 69.3MB 

33. ؤ٤طػס錃銶 ˝ ؤ٤طػوٞجت ˝ ⶡ┉ס嚀耆כ׊י⮆ꦕ׊י姡䇖تآ٭ٜ׊׷׌ׂ׌׾ ˝ ⫋⮵榫䓪յ鵀伺䓪 ˝ ❣㰆꞊➟؅峎׼׌ 

34. ؤ٤طػ؛٭آتعٝ٭ب٘٤ ˝ 邾丗סؤ٤طػ؅畘杼׌׾ ˝ EPDLFSDPNQPTF
    "NB[PO
    &$4
    ,VCFSOFUFT 

35. ؤ٤طػס錃銶 ˝ ْؕ٭ةע鬭ꄈמ׌׾ ˝ 㲔车מ䑒釐ם❣㰆꞊➟סײ ˝ EPDLFS
    ס㕙⺬ע
    .dockerignore
    ؅✳ֹ 

36. ؤ٤طػס錃銶 ˝ تط٭عٝتך┘㚺ךֵ׾׻ֹמ׌׾ ˝ 㲔车׊יַ׾ؤ٤طػ⫂ךؓوٛآ٭ب٘٤؅㚺催׊םַ ˝ 姧禈ظ٭ذעؤ٤طػ㛙鼧סؤ٤َ٭ؾ٤عמ♳׎׾ ˝ ؤ٤طػסٚؕنئؕؠٜע湾ַ ˝

    ٞءע
    TUEPVUTUEFSS
    מ⭳ⱱ׌׾ ˝ ٞء؅نٜؒؕמ傴׀⭳׈םַ 

37. ؤ٤طػס錃銶 ˝ 錃㲊؅梪㗞㚺丗מ劲硯׌׾ ˝ EPDLFS
    CVJME؅׷׽םֽ׌׆כםׂ㚺催ך׀׾ ˝ 邾丗ס梪㗞ך⺱׋%PDLFSْؕ٭ةֿ✳ֻ׾ 

38. ؤ٤طػت؞ٔ٤ ˝ ْؕ٭ة⫂מ㰆㏇׌׾خنعؘؗؓמ仴湳ס耗䍏䓪ֿםַ־ ˝ ص٭ٜ ˝ 5SJWZ ˝ $MBJS ˝

    "ODIPSF ˝ "84
    &$3 ˝ %PDLFS)VC 

39. 5SJWZ ˝ IUUQTHJUIVCDPNBRVBTFDVSJUZUSJWZ ˝ %PDLFSْؕ٭ةյنٜؒؕبتطّյHJUَٛةعٛמ㵚׊יت ؞ٔ٤ֿך׀׾ $ trivy image !"severity

    HIGH hatena/apply-for-internship-2020:latest 2020-08-05T08:44:37.496+0900 WARN You should avoid using the :latest tag as it is cached. You need to specify '!"clear-cache' option when :latest image is changed 2020-08-05T08:44:40.616+0900 INFO Detecting Debian vulnerabilities!!# hatena/apply-for-internship-2020:latest (debian 10.4) ===================================================== Total: 1 (HIGH: 1) +-----------+------------------+----------+-------------------+------------------+--------------------------------+ | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE | +-----------+------------------+----------+-------------------+------------------+--------------------------------+ | perl-base | CVE-2020-10878 | HIGH | 5.28.1-6 | 5.28.1-6+deb10u1 | perl: corruption of | | | | | | | intermediate language state | | | | | | | of compiled regular expression | | | | | | | due to!!# | +-----------+------------------+----------+-------------------+------------------+--------------------------------+ 

40. ױכ״ ˝ ؤ٤طػע♞䘶⴫䤗软סח ˝ 仴㰆ס☼磝ײ؅┕䣆ׂ⮵榫׊י斻玮䓪؅㲔杯 ˝ ؙؤبتطّס⩗㲔 

41. "QQFOEJY
    %PDLFS
    2VJ[ $ docker run !"rm -i hatena/intern-2020-docker-quiz ˝ ⪒ゖ塜鉮׊յ !

    
    ֿ⭳׾כؠٛؓ ˝ ㍭זגכ׀ע ˝ "
    docker run !"rm -i hatena/intern-2020- docker-quiz -hint 