
Hatena Remote Internship 2022: Containers (lecture slides)

Hatena
December 19, 2022


Transcript

  1. Namespace (PID)

     On the host, ps shows the host's process IDs:

       ubuntu@utm:~$ ps
         PID TTY          TIME CMD
        1889 pts/0    00:00:00 bash
        2711 pts/0    00:00:00 ps

     Inside a new PID namespace (with /proc remounted so that ps reads the new namespace), the same command sees itself as PID 1:

       ubuntu@utm:~$ sudo unshare --fork --pid --mount-proc ps
         PID TTY          TIME CMD
           1 pts/0    00:00:00 ps
  2. seccomp

     strict mode: only read, write, _exit and sigreturn are permitted
     filter mode: a BPF program decides per system call
     Docker's default seccomp profile restricts calls such as perf_event_open, pivot_root, process_vm_readv, process_vm_writev and ptrace
  3. seccomp example

     seccomp.json:

       {
         "defaultAction": "SCMP_ACT_ALLOW",
         "syscalls": [
           { "name": "kill", "action": "SCMP_ACT_ERRNO" }
         ]
       }

     Running a container with this profile makes kill(2) fail with an error:

       noy72@noy72 $ docker run --name ubuntu_bash \
           --rm -it --security-opt seccomp=seccomp.json ubuntu bash
       root@f9d4b6ac2a8a:/# sleep 100 &
       [1] 10
       root@f9d4b6ac2a8a:/# kill 10
       bash: kill: (10) - Operation not permitted
  4. Docker CLI

     Download an image from a registry:
       $ docker pull <image uri>
     Start a new container:
       $ docker run --rm -ti <image> <command>
     Run a command inside a running container:
       $ docker exec -ti <container id> <command>
  5. Docker CLI

     List the images you have built or pulled:
       $ docker images
     List the containers you have created:
       $ docker container ls -a
       $ docker ps -a
     Copy a file from inside a container to the host:
       $ docker cp <container id>:<src path> <dst path>
  6. Dockerfile

     A plain text-based script file; docker build turns it into an image.

       # syntax = docker/dockerfile:experimental
       FROM golang:1.18-alpine AS builder
       RUN apk --update add make
       WORKDIR /services/blog
       COPY go.mod go.sum ./
       RUN go mod download
       COPY . .
       RUN --mount=type=cache,target=/root/.cache/go-build \
           make build

       FROM alpine
       COPY --from=builder /services/blog/bin/server \
                           /services/blog/bin/server
       RUN adduser -D -u 1000 app
       USER 1000
       ENTRYPOINT ["/services/blog/bin/server"]

  7. Dockerfile - FROM

     FROM <image> AS <name> names a build stage (builder above).

  8. Dockerfile - RUN

     --mount (here a cache mount for the Go build cache).

  9. Dockerfile - COPY

     --from copies files out of another stage.

  10. Dockerfile - USER

     Without USER the process runs as root.

  11. Dockerfile - ENTRYPOINT

     See also CMD.

  12. Multi-stage builds

     The same Dockerfile with its two stages labelled: the first stage (# the image that builds) compiles the program, the second (# the image that holds the artifact) ships only the binary.
     docker build --target <stage> builds up to the named stage.
  13. Docker image layers

     Dockerfile:
       FROM ubuntu
       RUN echo "hoge" > hoge.txt
       RUN rm hoge.txt

     Export the built image and unpack it:
       $ docker save $CID > image.tar
       $ tar xf image.tar
  14. An image is made up of several layers

       .
       ├── 3fe352f27d6d9b899da69b9799728c4492690186797a106cbfa029264b6ebcf7
       │   ├── VERSION
       │   ├── json
       │   └── layer.tar
       ├── aa8c0471e58774435617a2efb80b963d0288bdbdfdd7ded778776c3051664569.json
       ├── af197d5ca08b03ffdfd8c1285260360fbbc237328d421b73c2abc3f07bb054d9
       │   ├── VERSION
       │   ├── json
       │   └── layer.tar
       ├── b3ea71bd7712c8534c4e3440a02a2217d0049fc8acacac191cf875bc21ab9f6a
       │   ├── VERSION
       │   ├── json
       │   └── layer.tar
       └── manifest.json
  15. layer.tar

     The layer.tar of b3ea71bd7712c8534c4e3…:

       % tar xf layer.tar
       % ls
       VERSION  hoge.txt  json  layer.tar
       % cat hoge.txt
       hoge

     By the way, the layer produced by RUN rm hoge.txt contains a whiteout file, .wh.hoge.txt; the lower layer still holds hoge.txt.
  16. history

     docker history <image> shows the command that created each layer. Example:

       $ docker history aa8c0471e587
       IMAGE          CREATED          CREATED BY                                      SIZE    COMMENT
       aa8c0471e587   16 seconds ago   /bin/sh -c rm hoge.txt                          0B
       ec48e0efeb2e   16 seconds ago   /bin/sh -c echo "hoge" > hoge.txt               5B
       bad148f8963f   30 hours ago     /bin/sh -c #(nop)  CMD ["bash"]                 0B
       <missing>      30 hours ago     /bin/sh -c #(nop) ADD file:3db67543ea64bf672…   69.2MB
  17. Watch out

     1. RUN … <secret> …
     2. RUN … > secret.txt … RUN rm secret.txt

     A secret used this way stays visible in docker history (1) or in the lower layer's layer.tar (2); the later rm only adds a whiteout file.
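The layer mechanics of slides 13 to 17 turned into a checker, as an added example that is not part of the deck: it builds a constructed in-memory stand-in for a `docker save` archive (a manifest.json whose "Layers" entry lists each layer.tar, lowest layer first) and reports every file that a later layer only whites out with a `.wh.` marker while an earlier layer.tar still carries its contents. The layer directory names and file contents are constructed, not taken from a real image.

```python
import io, json, tarfile

WHITEOUT_PREFIX = ".wh."  # marker a layer uses to hide a file from lower layers


def _tar_bytes(files):
    """Build an in-memory tar archive from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_saved_image(layers):
    """Constructed stand-in for a `docker save` archive: one layer.tar per
    layer, listed lowest-first under "Layers" in manifest.json."""
    entries, names = {}, []
    for i, files in enumerate(layers):
        name = f"layer{i}/layer.tar"  # stands in for the <digest>/ directory
        entries[name] = _tar_bytes(files)
        names.append(name)
    entries["manifest.json"] = json.dumps([{"Layers": names}]).encode()
    return _tar_bytes(entries)


def scan_layers(image_tar):
    """Return (path, added_in, whited_out_in) for every file that a later
    layer deletes with a .wh. entry while an earlier layer.tar still holds it."""
    outer = tarfile.open(fileobj=io.BytesIO(image_tar))
    manifest = json.load(outer.extractfile("manifest.json"))
    added_in, leaked = {}, []
    for idx, layer_name in enumerate(manifest[0]["Layers"]):
        layer = tarfile.open(fileobj=io.BytesIO(outer.extractfile(layer_name).read()))
        for member in layer.getnames():
            parent, _, base = member.rpartition("/")
            if not base.startswith(WHITEOUT_PREFIX):
                added_in.setdefault(member, idx)
                continue
            target = base[len(WHITEOUT_PREFIX):]
            target = parent + "/" + target if parent else target
            if target in added_in:  # the bytes survive in the lower layer
                leaked.append((target, added_in[target], idx))
    return sorted(leaked)


SAMPLE_LAYERS = [  # constructed: layer 0 writes hoge.txt and a secret, layer 1 "rm"s both
    {"hoge.txt": b"hoge\n", "app/secret.txt": b"TOKEN=placeholder\n"},
    {".wh.hoge.txt": b"", "app/.wh.secret.txt": b""},
]
SAMPLE_IMAGE = build_saved_image(SAMPLE_LAYERS)
```

`scan_layers(SAMPLE_IMAGE)` reports both files as still present in layer 0, which is exactly why a `RUN rm` cannot undo a secret written by an earlier instruction.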
  18. Layer cache

       # syntax = docker/dockerfile:experimental
       FROM golang:1.18-alpine AS builder
       RUN apk --update add make
       WORKDIR /services/blog
       <if this changes, everything below ↓ is re-executed>
       COPY go.mod go.sum ./
       RUN go mod download
       COPY . .
       RUN --mount=type=cache,target=/root/.cache/go-build \
           make build

     The instructions after a changed line are re-executed.
     Put the parts that change often last.
  19-20. Examples where the cache is used differently

     Dependencies are copied first, so a change to the application code does not re-run go mod download:

       # syntax = docker/dockerfile:experimental
       FROM golang:1.18-alpine AS builder
       RUN apk --update add make
       WORKDIR /services/blog
       COPY go.mod go.sum ./
       RUN go mod download
       COPY . .
       RUN --mount=type=cache,target=/root/.cache/go-build \
           make build

     The whole tree is copied first, so any source change invalidates go mod download as well:

       # syntax = docker/dockerfile:experimental
       FROM golang:1.18-alpine AS builder
       RUN apk --update add make
       WORKDIR /services/blog
       COPY . .
       RUN go mod download
       RUN --mount=type=cache,target=/root/.cache/go-build \
           make build
  21. Trivy

     https://github.com/aquasecurity/trivy scans Docker images (and git repositories) for known vulnerabilities.

       $ trivy image --severity HIGH hatena/apply-for-internship-2020:latest
       2020-08-05T08:44:37.496+0900 WARN You should avoid using the :latest tag as it is cached. You need to specify '--clear-cache' option when :latest image is changed
       2020-08-05T08:44:40.616+0900 INFO Detecting Debian vulnerabilities...

       hatena/apply-for-internship-2020:latest (debian 10.4)
       =====================================================
       Total: 1 (HIGH: 1)

       +-----------+------------------+----------+-------------------+------------------+--------------------------------+
       |  LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |  FIXED VERSION   |             TITLE              |
       +-----------+------------------+----------+-------------------+------------------+--------------------------------+
       | perl-base | CVE-2020-10878   | HIGH     | 5.28.1-6          | 5.28.1-6+deb10u1 | perl: corruption of            |
       |           |                  |          |                   |                  | intermediate language state    |
       |           |                  |          |                   |                  | of compiled regular expression |
       |           |                  |          |                   |                  | due to...                      |
       +-----------+------------------+----------+-------------------+------------------+--------------------------------+
  22. Docker Quiz

       $ docker run --rm -i hatena/intern-2020-docker-quiz

     For a hint:

       $ docker run --rm -i hatena/intern-2020-docker-quiz -hint
  23. ENTRYPOINT and CMD

     Example:
       CMD ["8.8.8.8"]
       ENTRYPOINT ["ping"]

       docker run <image>                    → ping 8.8.8.8
       docker run <image> 127.0.0.1          → ping 127.0.0.1
       docker run --entrypoint date <image>  → date
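The ENTRYPOINT/CMD rules behind this slide, as an added example that is not from the deck: `resolve_command` is a hypothetical helper that computes the argv a container starts with, covering exec form (a list), shell form (a string, wrapped in /bin/sh -c), run arguments replacing CMD, and `--entrypoint`, which also discards the image's CMD.

```python
def resolve_command(entrypoint=None, cmd=None, run_args=(), entrypoint_override=None):
    """Argv a container starts with, following Docker's ENTRYPOINT/CMD rules.

    entrypoint / cmd: exec form as a list (["ping"]) or shell form as a
    string ("ping 8.8.8.8"); run_args: arguments after the image name in
    `docker run`; entrypoint_override: the value given to `--entrypoint`.
    """
    if entrypoint_override is not None:
        # --entrypoint replaces ENTRYPOINT and discards the image's CMD;
        # anything after the image name becomes the new CMD.
        entrypoint, cmd = [entrypoint_override], None
    if run_args:
        cmd = list(run_args)  # run arguments replace CMD entirely
    if isinstance(entrypoint, str):
        # Shell-form ENTRYPOINT: CMD and run arguments are ignored.
        return ["/bin/sh", "-c", entrypoint]
    argv = list(entrypoint or [])
    if isinstance(cmd, str):
        argv += ["/bin/sh", "-c", cmd]  # shell-form CMD is appended as one sh -c unit
    elif cmd:
        argv += cmd
    if not argv:
        raise ValueError("No command specified")  # Docker refuses to start too
    return argv


if __name__ == "__main__":
    # The slide's image: ENTRYPOINT ["ping"], CMD ["8.8.8.8"]
    print(resolve_command(["ping"], ["8.8.8.8"]))  # ['ping', '8.8.8.8']
    print(resolve_command(["ping"], ["8.8.8.8"], run_args=["127.0.0.1"]))  # ['ping', '127.0.0.1']
    print(resolve_command(["ping"], ["8.8.8.8"], entrypoint_override="date"))  # ['date']
```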