Hatena Remote Internship 2022: Containers (lecture material)

Hatena
December 19, 2022

Transcript

  1. Containers
    hatenaintern

  2. Docker
    Docker
    Docker

  3. What is a container?

  4. A container is an isolated process
    : it is not something other than an isolated process

  5. Everything is contained in the container image
    - Code
    - Executable modules
    - Runtime
    - Dependency packages
    - Any other files the system needs besides these

  6. Fast, portable and lightweight
    Compared with physical machines and virtual machines:
    - Fast to start and stop
    - Portable
    - Scalability
    - Uses fewer resources than a virtual machine, so it is lighter

  7. Container technology has been around for a long time
    2000 FreeBSD jails
    2008 LXC (Linux Containers)
    2013 Docker
    2019 Podman

  8. Technologies that implement containers

  9. Mechanisms for isolating resources
    Resource isolation:
    a process running inside a container must not affect
    other processes on the host.
    Namespace
    seccomp, AppArmor, SELinux

  10. Namespace
    Namespace
    User, Cgroup, IPC, Network, Mount, PID, Time, UTS

  11. Namespace
    PID
    ID
    pid
    ubuntu@utm:~$ ps
    PID TTY TIME CMD
    1889 pts/0 00:00:00 bash
    2711 pts/0 00:00:00 ps
    ubuntu@utm:~$ sudo unshare --fork --pid --mount-proc ps
    PID TTY TIME CMD
    1 pts/0 00:00:00 ps

  12. Namespace
    User
    UID/GID
    NameSpace UID
    root

  13. Namespace
    Time
    uptime:

  14. Namespace
    Network
    IP
    IP

  15. Namespace
    Mount
    chroot pivot_root

  16. Namespace > Mount
    chroot
    chroot
    pivot_root
    : /

  17. Namespace
    Cgroup
    CPU
    docker top

  18. Capabilities
    root
    OS
    docker (--cap-add) (--cap-drop)
    pscap

  19. Capabilities
    Linux manual: capabilities

    CAP_SYS_BOOT
    CAP_SYS_CHROOT
    CAP_KILL
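As an added example (not part of the lecture material), the following Python script does what pscap does by hand: it decodes the CapEff bitmask from a /proc/<pid>/status dump into capability names and flags the ones that undermine container isolation. The status text is constructed; its mask is the effective set a container started with Docker's default capabilities shows, and the "escape-prone" shortlist is this example's own choice, not a kernel-defined set.

```python
# Linux capability names indexed by bit number (linux/capability.h ordering).
CAP_NAMES = (
    "CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID "
    "CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE "
    "CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW "
    "CAP_IPC_LOCK CAP_IPC_OWNER CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_CHROOT "
    "CAP_SYS_PTRACE CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_NICE "
    "CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_MKNOD CAP_LEASE "
    "CAP_AUDIT_WRITE CAP_AUDIT_CONTROL CAP_SETFCAP CAP_MAC_OVERRIDE "
    "CAP_MAC_ADMIN CAP_SYSLOG CAP_WAKE_ALARM CAP_BLOCK_SUSPEND CAP_AUDIT_READ "
    "CAP_PERFMON CAP_BPF CAP_CHECKPOINT_RESTORE"
).split()

# Capabilities that let a process bypass most of the isolation described in the
# slides. This shortlist is the example author's choice, not a kernel-defined set.
ESCAPE_PRONE = {"CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE",
                "CAP_SYS_RAWIO", "CAP_DAC_READ_SEARCH", "CAP_NET_ADMIN"}

# Constructed sample of /proc/<pid>/status, shortened to the lines this example
# needs. a80425fb is the effective set of a default Docker container.
SAMPLE_STATUS = """Name:\tsleep
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
"""

def decode_caps(mask_hex):
    """Turn a hex capability mask into the list of capability names it sets."""
    mask = int(mask_hex, 16)
    return [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]

def parse_status(text):
    """Extract every Cap* line of a status dump as {field: [capability names]}."""
    caps = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.startswith("Cap"):
            caps[key] = decode_caps(value.strip())
    return caps

def audit(text):
    """Return the escape-prone capabilities that are effective for the process."""
    effective = set(parse_status(text).get("CapEff", []))
    return sorted(effective & ESCAPE_PRONE)

if __name__ == "__main__":
    print(parse_status(SAMPLE_STATUS)["CapEff"])
    print("escape-prone:", audit(SAMPLE_STATUS))
    print("after --cap-drop KILL:", decode_caps("00000000a80425db"))
```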

  20. seccomp
    strict: read, write, _exit, sigreturn
    filter: bpf
    Docker
    perf_event_open, pivot_root,
    process_vm_readv, process_vm_writev,
    ptrace

  21. seccomp

    seccomp.json
    {
      "defaultAction": "SCMP_ACT_ALLOW",
      "syscalls": [
        {
          "name": "kill",
          "action": "SCMP_ACT_ERRNO"
        }
      ]
    }
    Docker
    noy72@noy72 $ docker run --name ubuntu_bash \
      --rm -it --security-opt seccomp=seccomp.json \
      ubuntu bash
    root@f9d4b6ac2a8a:/# sleep 100 &
    [1] 10
    root@f9d4b6ac2a8a:/# kill 10
    bash: kill: (10) - Operation not permitted

  22. Properties of containers
    1 OS
    safety, portability

  23. Container security
    Container Breakout
    root
    seccomp
    Docker Rootless
    gVisor, Kata Containers

  24. Docker

  25. Docker
    Docker
    Docker
    A platform that can do all of these

  26. Docker

  27. Docker CLI
    Docker command line
    https://docs.docker.com/compose/completion/

  28. Docker CLI
    - Download an image from a registry
      $ docker pull
    - Run a new container
      $ docker run --rm -ti
    - Run a command inside a running container
      $ docker exec -ti

  29. Docker CLI
    - List the images you have built or pulled
      $ docker images
    - List the containers you have created
      $ docker container ls -a
      $ docker ps -a
    - Copy files from inside a container to the host
      $ docker cp

  30. Docker

  31. Docker
    Dockerfile
    DockerHub

  32. Dockerfile
    # syntax = docker/dockerfile:experimental
    FROM golang:1.18-alpine AS builder
    RUN apk --update add make
    WORKDIR /services/blog
    COPY go.mod go.sum ./
    RUN go mod download
    COPY . .
    RUN --mount=type=cache,target=/root/.cache/go-build \
        make build
    FROM alpine
    COPY --from=builder /services/blog/bin/server \
        /services/blog/bin/server
    RUN adduser -D -u 1000 app
    USER 1000
    ENTRYPOINT ["/services/blog/bin/server"]
    A simple text-based script file.
    Docker builds the image from it with docker build.

  33. Dockerfile - FROM
    (highlighted lines of the Dockerfile from slide 32)
    FROM golang:1.18-alpine AS builder
    FROM alpine
    FROM
    AS

  34. Dockerfile - RUN
    (highlighted lines of the Dockerfile from slide 32)
    RUN apk --update add make
    RUN --mount=type=cache,target=/root/.cache/go-build \
        make build
    --mount

  35. Dockerfile - COPY
    (highlighted lines of the Dockerfile from slide 32)
    COPY go.mod go.sum ./
    COPY . .
    COPY --from=builder /services/blog/bin/server \
        /services/blog/bin/server
    --from

  36. Dockerfile - USER
    (highlighted lines of the Dockerfile from slide 32)
    RUN adduser -D -u 1000 app
    USER 1000
    root

  37. Dockerfile - ENTRYPOINT
    (highlighted line of the Dockerfile from slide 32)
    ENTRYPOINT ["/services/blog/bin/server"]
    CMD

  38. Multi-stage builds
    # syntax = docker/dockerfile:experimental
    # the image that does the build
    FROM golang:1.18-alpine AS builder
    RUN apk --update add make
    WORKDIR /services/blog
    COPY go.mod go.sum ./
    RUN go mod download
    COPY . .
    RUN --mount=type=cache,target=/root/.cache/go-build \
        make build
    # the image that holds the build artifacts
    FROM alpine
    COPY --from=builder /services/blog/bin/server \
        /services/blog/bin/server
    RUN adduser -D -u 1000 app
    USER 1000
    ENTRYPOINT ["/services/blog/bin/server"]
    docker build --target
    stage

  39. Docker
    Dockerfile
    FROM ubuntu
    RUN echo "hoge" > hoge.txt
    RUN rm hoge.txt
    Export the built image and unpack it
    $ docker save $CID > image.tar
    $ tar xf image.tar

  40. An image consists of multiple layers
    .
    ├── 3fe352f27d6d9b899da69b9799728c4492690186797a106cbfa029264b6ebcf7
    │ ├── VERSION
    │ ├── json
    │ └── layer.tar
    ├── aa8c0471e58774435617a2efb80b963d0288bdbdfdd7ded778776c3051664569.json
    ├── af197d5ca08b03ffdfd8c1285260360fbbc237328d421b73c2abc3f07bb054d9
    │ ├── VERSION
    │ ├── json
    │ └── layer.tar
    ├── b3ea71bd7712c8534c4e3440a02a2217d0049fc8acacac191cf875bc21ab9f6a
    │ ├── VERSION
    │ ├── json
    │ └── layer.tar
    └── manifest.json

  41. layer.tar
    b3ea71bd7712c8534c4e3…/layer.tar
    % tar xf layer.tar
    % ls
    VERSION hoge.txt json layer.tar
    % cat hoge.txt
    hoge
    By the way:
    RUN rm hoge.txt
    .wh.hoge.txt

  42. history
    docker history

    $ docker history aa8c0471e587
    IMAGE CREATED CREATED BY SIZE COMMENT
    aa8c0471e587 16 seconds ago /bin/sh -c rm hoge.txt 0B
    ec48e0efeb2e 16 seconds ago /bin/sh -c echo "hoge" > hoge.txt 5B
    bad148f8963f 30 hours ago /bin/sh -c #(nop) CMD ["bash"] 0B
    <missing> 30 hours ago /bin/sh -c #(nop) ADD file:3db67543ea64bf672… 69.2MB

  43. !
    1.
    RUN … …
    2.
    RUN … > secret.txt
    …
    RUN rm secret.txt

  44. How to handle secrets
    multi-stage build
    RUN --mount=type=secret
    RUN … > secret.txt && … && rm secret.txt
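The following Python script is an added example, not part of the lecture: it replays the layers of a docker save archive in manifest order, applies the OverlayFS-style .wh. whiteout markers shown on slide 41, and reports files that a later layer deleted but that are still readable in an earlier layer.tar (the secret.txt case from slides 43 and 44). The archive is constructed in memory rather than produced by docker save, so the script runs offline.

```python
import io
import json
import tarfile

def tar_bytes(files):
    """Build an in-memory tar from {path: bytes} (used to construct the sample image)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def build_sample_image():
    """Constructed stand-in for `docker save` output: layer 1 writes secret.txt,
    layer 2 (the `RUN rm secret.txt` layer) only adds an OverlayFS whiteout marker."""
    layer1 = tar_bytes({"etc/os-release": b"NAME=Alpine\n", "secret.txt": b"hunter2\n"})
    layer2 = tar_bytes({".wh.secret.txt": b""})
    manifest = [{"Config": "cfg.json", "RepoTags": ["demo:latest"],
                 "Layers": ["layer1/layer.tar", "layer2/layer.tar"]}]
    return tar_bytes({"manifest.json": json.dumps(manifest).encode(),
                      "layer1/layer.tar": layer1, "layer2/layer.tar": layer2})

def whiteout_target(name):
    """Map 'dir/.wh.file' to 'dir/file'; None if the entry is not a whiteout."""
    dirname, _, base = name.rpartition("/")
    if not base.startswith(".wh."):
        return None
    return f"{dirname}/{base[4:]}" if dirname else base[4:]

def audit_image(image_bytes):
    """Replay the layers in manifest order. Returns (visible, shadowed): the files
    the container would see, and the files a whiteout removed that still sit in an
    earlier layer.tar; both map path -> name of the layer holding the content."""
    outer = tarfile.open(fileobj=io.BytesIO(image_bytes))
    manifest = json.load(outer.extractfile("manifest.json"))
    visible, shadowed = {}, {}
    for layer_name in manifest[0]["Layers"]:
        layer = tarfile.open(fileobj=io.BytesIO(outer.extractfile(layer_name).read()))
        for member in layer.getmembers():
            target = whiteout_target(member.name)
            if target is not None:          # a deletion recorded in this layer
                if target in visible:
                    shadowed[target] = visible.pop(target)
            elif member.isfile():           # a file (re)written in this layer
                visible[member.name] = layer_name
    return visible, shadowed
```

A non-empty `shadowed` result means the deleted content is still shipped with the image; the fix is one of the three approaches on slide 44, not another RUN rm.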

  45. What happens when a file is written?
    Copy On Write (COW)
    OverlayFS
    Docker COW

  46. Layer cache
    # syntax = docker/dockerfile:experimental
    FROM golang:1.18-alpine AS builder
    RUN apk --update add make
    WORKDIR /services/blog
    <if this line changes, everything below it is re-run>
    COPY go.mod go.sum ./
    RUN go mod download
    COPY . .
    RUN --mount=type=cache,target=/root/.cache/go-build \
        make build
    - The instructions from the changed line onward are re-executed
    - Put the parts that change often toward the end

  47. Examples where the cache behaves differently
    # syntax = docker/dockerfile:experimental
    FROM golang:1.18-alpine AS builder
    RUN apk --update add make
    WORKDIR /services/blog
    COPY go.mod go.sum ./
    RUN go mod download
    COPY . .
    RUN --mount=type=cache,target=/root/.cache/go-build \
        make build

    # syntax = docker/dockerfile:experimental
    FROM golang:1.18-alpine AS builder
    RUN apk --update add make
    WORKDIR /services/blog
    COPY . .
    RUN go mod download
    RUN --mount=type=cache,target=/root/.cache/go-build \
        make build

  49. Container design

  50. 1 1
    - Split each container out as a single function so it is easy to scale horizontally
    - Reusability, …
    - Reduce dependencies

  51. Container orchestration
    docker-compose, Amazon ECS, Kubernetes

  52. Keep images lightweight
    docker .dockerignore

  53. Make containers stateless and immutable
    stdout/stderr

  54. Store configuration in environment variables
    docker build
    Docker

  55. Container scanning

  56. Check images for vulnerabilities
    Trivy
    Clair
    Anchore
    AWS ECR
    DockerHub
    docker scan

  57. Trivy
    https://github.com/aquasecurity/trivy
    Docker git
    $ trivy image --severity HIGH hatena/apply-for-internship-2020:latest
    2020-08-05T08:44:37.496+0900 WARN You should avoid using the :latest tag as it is cached. You need to specify '--clear-cache' option when :latest image is changed
    2020-08-05T08:44:40.616+0900 INFO Detecting Debian vulnerabilities...
    hatena/apply-for-internship-2020:latest (debian 10.4)
    =====================================================
    Total: 1 (HIGH: 1)
    +-----------+------------------+----------+-------------------+------------------+--------------------------------+
    | LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION    | TITLE                          |
    +-----------+------------------+----------+-------------------+------------------+--------------------------------+
    | perl-base | CVE-2020-10878   | HIGH     | 5.28.1-6          | 5.28.1-6+deb10u1 | perl: corruption of            |
    |           |                  |          |                   |                  | intermediate language state    |
    |           |                  |          |                   |                  | of compiled regular expression |
    |           |                  |          |                   |                  | due to...                      |
    +-----------+------------------+----------+-------------------+------------------+--------------------------------+

  58. Summary
    1
    Namespace, seccomp
    Docker
    1 1

  59. The end

  60. Docker Quiz
    $ docker run --rm -i hatena/intern-2020-docker-quiz
    docker run --rm -i hatena/intern-2020-docker-quiz -hint

  61. ENTRYPOINT CMD

    CMD ["8.8.8.8"]
    ENTRYPOINT ["ping"]
    docker run <image>                    -> ping 8.8.8.8
    docker run <image> 127.0.0.1          -> ping 127.0.0.1
    docker run --entrypoint date <image>  -> date
    Dockerfile CMD ENTRYPOINT ( / ) - CMD ENTRYPOINT