はてなリモートインターンシップ2022 コンテナ講義資料

ίϯςφ
IBUFOBJOUFSO


View Slide

!
Docker
Docker
Docker


View Slide

ؤ٤طػזי⛰


View Slide

ؤ٤طػעꣴꦕ׈׿גوٞجت
:
ؤ٤طػꣴꦕ׈׿גوٞجتךעםַ


View Slide

ؤ٤طػْؕ٭ةמ׌׬י⻠ױ׿יַ׾
˝ ؤ٭غ
˝ 㲔车ٓةٖ٭ٜ
˝ ٚ٤ذّؕ
˝ ❣㰆قشآ٭ة
˝ אס☽מبتطّ؛هةؘؠعֿ䑒釐כ׌׾ֵ׼׹׾نٜؒؕ


View Slide

企ׂי⺎䯈䓪ֵֿזי鬭ַ
擻杼ُب٤٬♞䘶ُب٤כ奂׬י
˝ 颯Ⳃ٬⢥塛ֿ企ַ
˝ ⺎䯈䓪ֵֿ׾
˝ تآ٭ٚلٛطؔ
˝ ♞䘶ُب٤כ奂׬י⮵榫׌׾鞲嶎ֿ㵼םׂי鬭ַ


View Slide

ؤ٤طػ䤗软ע佅־׼ֵ׾
2000 FreeBSD jails
2008 LXC (Linux Containers)
2013 Docker
2019 Podman


View Slide

ؤ٤طػ؅㲔杯׌׾䤗软


View Slide

ٛخ٭ت؅ꣴꦕ׌׾☼磝ײ
ٛخ٭تסꣴꦕ
ؤ٤طػ┕ךⳂׂوٞجتֿյٌتع┕ס☽סوٞجتמ㵚׊י
䏅ꮶ؅┙ֻםַ׆כ
Namespace
seccomp, AppArmor, SELinux


View Slide

Namespace
Namespace
User, Cgroup, IPC, Network, Mount, PID, Time, UTS


View Slide

Namespace
PID
ID
pid
ubuntu@utm:~$ ps
PID TTY TIME CMD
1889 pts/0 00:00:00 bash
2711 pts/0 00:00:00 ps
ubuntu@utm:~$ sudo unshare !"fork !"pid !"mount-proc ps
PID TTY TIME CMD
1 pts/0 00:00:00 ps


View Slide

Namespace
User
UID/GID
NameSpace UID
root


View Slide

Namespace
Time
uptime:


View Slide

Namespace
Network
IP
IP


View Slide

Namespace
Mount
chroot pivot_root


View Slide

Namespace > Mount
chroot
chroot
pivot_root
: /


View Slide

Namespace
Cgroup
CPU
docker top


View Slide

آ٭قلٛطؔ
root
OS
docker (!"cap-add) (!"cap-drop)
pscap


View Slide

آ٭قلٛطؔ
Linux manual capabilities
❆
CAP_SYS_BOOT
CAP_SYS_CHROOT
CAP_KILL


View Slide

seccomp
strict read, write, _exit, sigreturn
lter bpf
Docker
perf_event_open, pivot_root,
process_vm_readv, process_vm_writev,
ptrace


View Slide

seccomp
❆
seccomp.json
{
"defaultAction": "SCMP_ACT_ALLOW",
"syscalls": [
{
"name": "kill",
"action": "SCMP_ACT_ERRNO"
}
]
}
Docker
noy72@noy72 $ docker run !"name ubuntu_bash \
!"rm -it !"security-opt seccomp=seccomp.json
ubuntu bash
root@f9d4b6ac2a8a:/# sleep 100 &
[1] 10
root@f9d4b6ac2a8a:/# kill 10
bash: kill: (10) - Operation not permitted


View Slide

ؤ٤طػס斻玮䓪
1 OS
㱦⪒䓪⺎䯈䓪


View Slide

ؤ٤طػסج؞ٖٛطؔ㱦⪒䓪
Container Breakout
root
seccomp
Docker Rootless
gVisor Kata Containers


View Slide

Docker


View Slide

Docker
Docker
Docker
םלֿך׀׾وٚشعنؚ٭ّ


View Slide

Docker


View Slide

Docker CLI
Docker command line
https://docs.docker.com/compose/completion/


View Slide

Docker CLI
˝ ٝةتعٛ־׼ْؕ٭ة؅رؗ٤ٞ٭غ
$ docker pull
˝ 二גמؤ٤طػ؅㲔车׌׾
$ docker run !"rm -ti
˝ 颯Ⳃ׊יַ׾ؤ٤طػ⫂ךؤُ٤غ؅㲔车׌׾
$ docker exec -ti


View Slide

Docker CLI
˝ ⛼䡗յ⹦䐂׊גْؕ٭ة؅澬鏀׌׾
$ docker images
˝ ⛼䡗׊גؤ٤طػ؅澬鏀׌׾
$ docker container ls -a
$ docker ps -a
˝ ؤ٤طػ⫂סنٜؒؕ؅ٌتعמؤم٭
$ docker cp


View Slide

Docker


View Slide

Docker
Docker le
DockerHub


View Slide

Docker le
# syntax = docker/dockerfile:experimental
FROM golang:1.18-alpine AS builder
RUN apk !"update add make
WORKDIR /services/blog
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN !"mount=type=cache,target=/root/.cache/go-build \
make build
FROM alpine
COPY !"from=builder /services/blog/bin/server \
/services/blog/bin/server
RUN adduser -D -u 1000 app
USER 1000
ENTRYPOINT ["/services/blog/bin/server"]
ⶡ硾םط؞تعي٭تס
تؠٛوعنٜؒؕ
Docker
docker build
ךْؕ٭ة؅لٜغ


View Slide

Docker le - FROM
RUN go mod download
COPY . .
make build
FROM alpine
USER 1000
Docker le
FROM
AS


View Slide

Docker le - RUN
RUN go mod download
COPY . .
make build
FROM alpine
USER 1000
!"mount


View Slide

Docker le - COPY
RUN go mod download
COPY . .
make build
FROM alpine
USER 1000
!"from


View Slide

Docker le - USER
RUN go mod download
COPY . .
make build
FROM alpine
USER 1000
root


View Slide

Docker le - ENTRYPOINT
RUN go mod download
COPY . .
make build
FROM alpine
USER 1000
CMD


View Slide

Multi-stage builds
# Ϗϧυ͢ΔΠϝʔδ
RUN go mod download
COPY . .
make build
# ੒Ռ෺Λ࣋ͭΠϝʔδ
FROM alpine
USER 1000
docker build !"target
stage


View Slide

Docker
Dockerfile
FROM ubuntu
RUN echo "hoge" > hoge.txt
RUN rm hoge.txt
⛼䡗׊גْؕ٭ة؅⭳ⱱ׊י鉮⬲
$ docker save $CID > image.tar
$ tar xf image.tar


View Slide

ْؕ٭ةע邾丗סٕٝؕ٭־׼ם׾
.
├── 3fe352f27d6d9b899da69b9799728c4492690186797a106cbfa029264b6ebcf7
│ ├── VERSION
│ ├── json
│ └── layer.tar
├── aa8c0471e58774435617a2efb80b963d0288bdbdfdd7ded778776c3051664569.json
├── af197d5ca08b03ffdfd8c1285260360fbbc237328d421b73c2abc3f07bb054d9
│ ├── json
├── b3ea71bd7712c8534c4e3440a02a2217d0049fc8acacac191cf875bc21ab9f6a
│ ├── json
└── manifest.json


View Slide

layer.tar
b3ea71bd7712c8534c4e3!!" layer.tar
% tar xf layer.tar
% ls
VERSION hoge.txt json layer.tar
% cat hoge.txt
hoge
הםײמ
RUN rm hoge.txt
.wh.hoge.txt


View Slide

history
docker history
❆
$ docker history aa8c0471e587
IMAGE CREATED CREATED BY SIZE COMMENT
aa8c0471e587 16 seconds ago /bin/sh -c rm hoge.txt 0B
ec48e0efeb2e 16 seconds ago /bin/sh -c echo "hoge" > hoge.txt 5B
bad148f8963f 30 hours ago /bin/sh -c !"nop) CMD ["bash"] 0B
30 hours ago /bin/sh -c !"nop) ADD file:3db67543ea64bf672… 69.2MB


View Slide

!
1.
RUN !!" !!"
2.
RUN !!" > secret.txt
!!"
RUN rm secret.txt


View Slide

嚀㳡䗯㕔؅䣽ֹ亠嫎
multi-stage build
RUN !"mount=type=secret
RUN !!# > secret.txt !$ !!# !$ rm secret.txt


View Slide

نٜؒؕמ傴׀鱮׳כ׀לֹ׌׾
Copy On Write (COW)
OverlayFS
Docker COW


View Slide

ٕٝؕ؞ٔشبٖ
<͕͜͜มߋ͞Εͨ৔߹͸↓ͷ෦෼Λ࠶࣮ߦ>
RUN go mod download
COPY . .
make build
˝ 㚺催ֵֿזג车♓꡸ס
⽜♐ֿ⫋㲔车׈׿׾
˝ 㚺催׈׿׷׌ַ鼧⮆ע儕㶾
מ


View Slide

؞ٔشبٖס✳؂׿亠ֿ樟ם׾❆
RUN go mod download
COPY . .
make build
COPY . .
RUN go mod download
make build


View Slide

؞ٔشبٖס✳؂׿亠ֿ樟ם׾❆
RUN go mod download
COPY . .
make build
COPY . .
RUN go mod download
make build


View Slide

ؤ٤طػס錃銶


View Slide

1 1
˝ ⶡ┉ס嚀耆כ׊י⮆ꦕ׊י姡䇖تآ٭ٜ׊׷׌ׂ׌׾
˝ ⫋⮵榫䓪յ鵀伺䓪
˝ ❣㰆꞊➟؅峎׼׌


View Slide

ؤ٤طػ؛٭آتعٝ٭ب٘٤
docker-compose, Amazon ECS, Kubernetes


View Slide

ْؕ٭ةע鬭ꄈמ׌׾
docker .dockerignore


View Slide

تط٭عٝتךِٖؕ٭ذهٜמ׌׾
stdout/stderr


View Slide

錃㲊؅梪㗞㚺丗מ劲硯׌׾
docker build
Docker


View Slide

ؤ٤طػت؞ٔ٤


View Slide

ْؕ٭ةמ耗䍏䓪ֿםַ־زؘشؠ
Trivy
Clair
Anchore
AWS ECR
DockerHub
docker scan


View Slide

Trivy
https://github.com/aquasecurity/trivy
Docker git
$ trivy image !"severity HIGH hatena/apply-for-internship-2020:latest
2020-08-05T08:44:37.496+0900 WARN You should avoid using the :latest tag as it is cached. You need to specify '!"clear-cache' option when :latest image is changed
2020-08-05T08:44:40.616+0900 INFO Detecting Debian vulnerabilities!!#
hatena/apply-for-internship-2020:latest (debian 10.4)
=====================================================
Total: 1 (HIGH: 1)
+-----------+------------------+----------+-------------------+------------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+-----------+------------------+----------+-------------------+------------------+--------------------------------+
| perl-base | CVE-2020-10878 | HIGH | 5.28.1-6 | 5.28.1-6+deb10u1 | perl: corruption of |
| | | | | | intermediate language state |
| | | | | | of compiled regular expression |
| | | | | | due to!!# |
+-----------+------------------+----------+-------------------+------------------+--------------------------------+


View Slide

ױכ״
1
Namespace secomp
Docker
1 1


View Slide

ֽ׊ױַ


View Slide

Docker Quiz
$ docker run !"rm -i hatena/intern-2020-docker-quiz
!
"
docker run !"rm -i hatena/intern-2020-
docker-quiz -hint


View Slide

ENTRYPOINT CMD
❆
CMD ["8.8.8.8"]
ENTRYPOINT ["ping"]
docker run ping 8.8.8.8
docker run 127.0.0.1 ping 127.0.0.1
docker run !"entrypoint date date
Docker le CMD ENTRYPOINT ( / ) - CMD ENTRYPOINT


View Slide

はてなリモートインターンシップ2022 コンテナ講義資料

はてなリモートインターンシップ2022 コンテナ講義資料

Hatena

More Decks by Hatena

Other Decks in Programming

Featured

Transcript

はてなリモートインターンシップ2022 コンテナ 講義資料

はてなリモートインターンシップ2022 コンテナ 講義資料

Hatena

More Decks by Hatena

Other Decks in Programming

Featured

Transcript

はてなリモートインターンシップ2022 コンテナ講義資料

はてなリモートインターンシップ2022 コンテナ講義資料