はてなリモートインターンシップ2022 コンテナ 講義資料

Transcript

1. ίϯςφ IBUFOBJOUFSO 

2. ! Docker Docker Docker 

3. ؤ٤طػזי⛰ 

4. ؤ٤طػעꣴꦕ׈׿גوٞجت : ؤ٤طػꣴꦕ׈׿גوٞجتךעםַ 

5. ؤ٤طػْؕ٭ةמ׌׬י⻠ױ׿יַ׾ ˝ ؤ٭غ ˝ 㲔车ٓةٖ٭ٜ ˝ ٚ٤ذّؕ ˝ ❣㰆قشآ٭ة ˝

   אס☽מبتطّ؛هةؘؠعֿ䑒釐כ׌׾ֵ׼׹׾نٜؒؕ 

6. 企ׂי⺎䯈䓪ֵֿזי鬭ַ 擻杼ُب٤٬♞䘶ُب٤כ奂׬י ˝ 颯Ⳃ٬⢥塛ֿ企ַ ˝ ⺎䯈䓪ֵֿ׾ ˝ تآ٭ٚلٛطؔ ˝ ♞䘶ُب٤כ奂׬י⮵榫׌׾鞲嶎ֿ㵼םׂי鬭ַ

   

7. ؤ٤طػ䤗软ע佅־׼ֵ׾ 2000 FreeBSD jails 2008 LXC (Linux Containers) 2013 Docker

   2019 Podman 

8. ؤ٤طػ؅㲔杯׌׾䤗软 

9. ٛخ٭ت؅ꣴꦕ׌׾☼磝ײ ٛخ٭تסꣴꦕ ؤ٤طػ┕ךⳂׂوٞجتֿյٌتع┕ס☽סوٞجتמ㵚׊י 䏅ꮶ؅┙ֻםַ׆כ Namespace seccomp, AppArmor, SELinux 

10. Namespace Namespace User, Cgroup, IPC, Network, Mount, PID, Time, UTS

    

11. Namespace PID ID pid ubuntu@utm:~$ ps PID TTY TIME CMD

    1889 pts/0 00:00:00 bash 2711 pts/0 00:00:00 ps ubuntu@utm:~$ sudo unshare !"fork !"pid !"mount-proc ps PID TTY TIME CMD 1 pts/0 00:00:00 ps 

12. Namespace User UID/GID NameSpace UID root 

13. Namespace Time uptime: 

14. Namespace Network IP IP 

15. Namespace Mount chroot pivot_root 

16. Namespace > Mount chroot chroot pivot_root : / 

17. Namespace Cgroup CPU docker top 

18. آ٭قلٛطؔ root OS docker (!"cap-add) (!"cap-drop) pscap 

19. آ٭قلٛطؔ Linux manual capabilities ❆ CAP_SYS_BOOT CAP_SYS_CHROOT CAP_KILL 

20. seccomp strict read, write, _exit, sigreturn lter bpf Docker perf_event_open,

    pivot_root, process_vm_readv, process_vm_writev, ptrace 

21. seccomp ❆ seccomp.json { "defaultAction": "SCMP_ACT_ALLOW", "syscalls": [ { "name":

    "kill", "action": "SCMP_ACT_ERRNO" } ] } Docker noy72@noy72 $ docker run !"name ubuntu_bash \ !"rm -it !"security-opt seccomp=seccomp.json ubuntu bash root@f9d4b6ac2a8a:/# sleep 100 & [1] 10 root@f9d4b6ac2a8a:/# kill 10 bash: kill: (10) - Operation not permitted 

22. ؤ٤طػס斻玮䓪 1 OS 㱦⪒䓪 ⺎䯈䓪 

23. ؤ٤طػסج؞ٖٛطؔ㱦⪒䓪 Container Breakout root seccomp Docker Rootless gVisor Kata Containers

    

24. Docker 

25. Docker Docker Docker םלֿך׀׾وٚشعنؚ٭ّ 

26. Docker 

27. Docker CLI Docker command line https://docs.docker.com/compose/completion/ 

28. Docker CLI ˝ ٝةتعٛ־׼ْؕ٭ة؅رؗ٤ٞ٭غ $ docker pull <image uri> ˝

    二גמؤ٤طػ؅㲔车׌׾ $ docker run !"rm -ti <image> <command> ˝ 颯Ⳃ׊יַ׾ؤ٤طػ⫂ךؤُ٤غ؅㲔车׌׾ $ docker exec -ti <container id> <command> 

29. Docker CLI ˝ ⛼䡗յ⹦䐂׊גْؕ٭ة؅澬鏀׌׾ $ docker images ˝ ⛼䡗׊גؤ٤طػ؅澬鏀׌׾ $

    docker container ls -a $ docker ps -a ˝ ؤ٤طػ⫂סنٜؒؕ؅ٌتعמؤم٭ $ docker cp <container id!"<src path> <dst path> 

30. Docker 

31. Docker Docker le DockerHub 

32. Docker le # syntax = docker/dockerfile:experimental FROM golang:1.18-alpine AS builder

    RUN apk !"update add make WORKDIR /services/blog COPY go.mod go.sum ./ RUN go mod download COPY . . RUN !"mount=type=cache,target=/root/.cache/go-build \ make build FROM alpine COPY !"from=builder /services/blog/bin/server \ /services/blog/bin/server RUN adduser -D -u 1000 app USER 1000 ENTRYPOINT ["/services/blog/bin/server"] ⶡ硾םط؞تعي٭تס تؠٛوعنٜؒؕ Docker docker build ךْؕ٭ة؅لٜغ 

33. Docker le - FROM # syntax = docker/dockerfile:experimental FROM golang:1.18-alpine

    AS builder RUN apk !"update add make WORKDIR /services/blog COPY go.mod go.sum ./ RUN go mod download COPY . . RUN !"mount=type=cache,target=/root/.cache/go-build \ make build FROM alpine COPY !"from=builder /services/blog/bin/server \ /services/blog/bin/server RUN adduser -D -u 1000 app USER 1000 ENTRYPOINT ["/services/blog/bin/server"] Docker le FROM AS <name> 

34. Docker le - RUN # syntax = docker/dockerfile:experimental FROM golang:1.18-alpine

    AS builder RUN apk !"update add make WORKDIR /services/blog COPY go.mod go.sum ./ RUN go mod download COPY . . RUN !"mount=type=cache,target=/root/.cache/go-build \ make build FROM alpine COPY !"from=builder /services/blog/bin/server \ /services/blog/bin/server RUN adduser -D -u 1000 app USER 1000 ENTRYPOINT ["/services/blog/bin/server"] !"mount 

35. Docker le - COPY # syntax = docker/dockerfile:experimental FROM golang:1.18-alpine

    AS builder RUN apk !"update add make WORKDIR /services/blog COPY go.mod go.sum ./ RUN go mod download COPY . . RUN !"mount=type=cache,target=/root/.cache/go-build \ make build FROM alpine COPY !"from=builder /services/blog/bin/server \ /services/blog/bin/server RUN adduser -D -u 1000 app USER 1000 ENTRYPOINT ["/services/blog/bin/server"] !"from 

36. Docker le - USER # syntax = docker/dockerfile:experimental FROM golang:1.18-alpine

    AS builder RUN apk !"update add make WORKDIR /services/blog COPY go.mod go.sum ./ RUN go mod download COPY . . RUN !"mount=type=cache,target=/root/.cache/go-build \ make build FROM alpine COPY !"from=builder /services/blog/bin/server \ /services/blog/bin/server RUN adduser -D -u 1000 app USER 1000 ENTRYPOINT ["/services/blog/bin/server"] root 

37. Docker le - ENTRYPOINT # syntax = docker/dockerfile:experimental FROM golang:1.18-alpine

    AS builder RUN apk !"update add make WORKDIR /services/blog COPY go.mod go.sum ./ RUN go mod download COPY . . RUN !"mount=type=cache,target=/root/.cache/go-build \ make build FROM alpine COPY !"from=builder /services/blog/bin/server \ /services/blog/bin/server RUN adduser -D -u 1000 app USER 1000 ENTRYPOINT ["/services/blog/bin/server"] CMD 

38. Multi-stage builds # syntax = docker/dockerfile:experimental # Ϗϧυ͢ΔΠϝʔδ FROM golang:1.18-alpine

    AS builder RUN apk !"update add make WORKDIR /services/blog COPY go.mod go.sum ./ RUN go mod download COPY . . RUN !"mount=type=cache,target=/root/.cache/go-build \ make build # ੒Ռ෺Λ࣋ͭΠϝʔδ FROM alpine COPY !"from=builder /services/blog/bin/server \ /services/blog/bin/server RUN adduser -D -u 1000 app USER 1000 ENTRYPOINT ["/services/blog/bin/server"] docker build !"target stage 

39. Docker Dockerfile FROM ubuntu RUN echo "hoge" > hoge.txt RUN

    rm hoge.txt ⛼䡗׊גْؕ٭ة؅⭳ⱱ׊י鉮⬲ $ docker save $CID > image.tar $ tar xf image.tar 

40. ْؕ٭ةע邾丗סٕٝؕ٭־׼ם׾ . ├── 3fe352f27d6d9b899da69b9799728c4492690186797a106cbfa029264b6ebcf7 │ ├── VERSION │ ├── json

    │ └── layer.tar ├── aa8c0471e58774435617a2efb80b963d0288bdbdfdd7ded778776c3051664569.json ├── af197d5ca08b03ffdfd8c1285260360fbbc237328d421b73c2abc3f07bb054d9 │ ├── VERSION │ ├── json │ └── layer.tar ├── b3ea71bd7712c8534c4e3440a02a2217d0049fc8acacac191cf875bc21ab9f6a │ ├── VERSION │ ├── json │ └── layer.tar └── manifest.json 

41. layer.tar b3ea71bd7712c8534c4e3!!" layer.tar % tar xf layer.tar % ls VERSION

    hoge.txt json layer.tar % cat hoge.txt hoge הםײמ RUN rm hoge.txt .wh.hoge.txt 

42. history docker history <image> ❆ $ docker history aa8c0471e587 IMAGE

    CREATED CREATED BY SIZE COMMENT aa8c0471e587 16 seconds ago /bin/sh -c rm hoge.txt 0B ec48e0efeb2e 16 seconds ago /bin/sh -c echo "hoge" > hoge.txt 5B bad148f8963f 30 hours ago /bin/sh -c !"nop) CMD ["bash"] 0B <missing> 30 hours ago /bin/sh -c !"nop) ADD file:3db67543ea64bf672… 69.2MB 

43. ! 1. RUN !!" <secret> !!" 2. RUN !!" >

    secret.txt !!" RUN rm secret.txt 

44. 嚀㳡䗯㕔؅䣽ֹ亠嫎 multi-stage build RUN !"mount=type=secret RUN !!# > secret.txt !$

    !!# !$ rm secret.txt 

45. نٜؒؕמ傴׀鱮׳כ׀לֹ׌׾ Copy On Write (COW) OverlayFS Docker COW 

46. ٕٝؕ؞ٔشبٖ # syntax = docker/dockerfile:experimental FROM golang:1.18-alpine AS builder RUN

    apk !"update add make WORKDIR /services/blog <͕͜͜มߋ͞Εͨ৔߹͸↓ͷ෦෼Λ࠶࣮ߦ> COPY go.mod go.sum ./ RUN go mod download COPY . . RUN !"mount=type=cache,target=/root/.cache/go-build \ make build ˝ 㚺催ֵֿזג车♓꡸ס ⽜♐ֿ⫋㲔车׈׿׾ ˝ 㚺催׈׿׷׌ַ鼧⮆ע儕㶾 מ 

47. ؞ٔشبٖס✳؂׿亠ֿ樟ם׾❆ # syntax = docker/dockerfile:experimental FROM golang:1.18-alpine AS builder RUN

    apk !"update add make WORKDIR /services/blog COPY go.mod go.sum ./ RUN go mod download COPY . . RUN !"mount=type=cache,target=/root/.cache/go-build \ make build # syntax = docker/dockerfile:experimental FROM golang:1.18-alpine AS builder RUN apk !"update add make WORKDIR /services/blog COPY . . RUN go mod download RUN !"mount=type=cache,target=/root/.cache/go-build \ make build 

48. ؞ٔشبٖס✳؂׿亠ֿ樟ם׾❆ # syntax = docker/dockerfile:experimental FROM golang:1.18-alpine AS builder RUN

    apk !"update add make WORKDIR /services/blog COPY go.mod go.sum ./ RUN go mod download COPY . . RUN !"mount=type=cache,target=/root/.cache/go-build \ make build # syntax = docker/dockerfile:experimental FROM golang:1.18-alpine AS builder RUN apk !"update add make WORKDIR /services/blog COPY . . RUN go mod download RUN !"mount=type=cache,target=/root/.cache/go-build \ make build 

49. ؤ٤طػס錃銶 

50. 1 1 ˝ ⶡ┉ס嚀耆כ׊י⮆ꦕ׊י姡䇖تآ٭ٜ׊׷׌ׂ׌׾ ˝ ⫋⮵榫䓪յ鵀伺䓪 ˝ ❣㰆꞊➟؅峎׼׌ 

51. ؤ٤طػ؛٭آتعٝ٭ب٘٤ docker-compose, Amazon ECS, Kubernetes 

52. ْؕ٭ةע鬭ꄈמ׌׾ docker .dockerignore 

53. تط٭عٝتךِٖؕ٭ذهٜמ׌׾ stdout/stderr 

54. 錃㲊؅梪㗞㚺丗מ劲硯׌׾ docker build Docker 

55. ؤ٤طػت؞ٔ٤ 

56. ْؕ٭ةמ耗䍏䓪ֿםַ־زؘشؠ Trivy Clair Anchore AWS ECR DockerHub docker scan 

57. Trivy https://github.com/aquasecurity/trivy Docker git $ trivy image !"severity HIGH hatena/apply-for-internship-2020:latest

    2020-08-05T08:44:37.496+0900 WARN You should avoid using the :latest tag as it is cached. You need to specify '!"clear-cache' option when :latest image is changed 2020-08-05T08:44:40.616+0900 INFO Detecting Debian vulnerabilities!!# hatena/apply-for-internship-2020:latest (debian 10.4) ===================================================== Total: 1 (HIGH: 1) +-----------+------------------+----------+-------------------+------------------+--------------------------------+ | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE | +-----------+------------------+----------+-------------------+------------------+--------------------------------+ | perl-base | CVE-2020-10878 | HIGH | 5.28.1-6 | 5.28.1-6+deb10u1 | perl: corruption of | | | | | | | intermediate language state | | | | | | | of compiled regular expression | | | | | | | due to!!# | +-----------+------------------+----------+-------------------+------------------+--------------------------------+ 

58. ױכ״ 1 Namespace secomp Docker 1 1 

59. ֽ׊ױַ 

60. Docker Quiz $ docker run !"rm -i hatena/intern-2020-docker-quiz ! "

    docker run !"rm -i hatena/intern-2020- docker-quiz -hint 

61. ENTRYPOINT CMD ❆ CMD ["8.8.8.8"] ENTRYPOINT ["ping"] docker run <image>

    ping 8.8.8.8 docker run <image> 127.0.0.1 ping 127.0.0.1 docker run !"entrypoint date <image> date Docker le CMD ENTRYPOINT ( / ) - CMD ENTRYPOINT 