Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
FargateのPID namespace sharing を試してみた
Search
kamadakohei
October 16, 2023
Programming
0
1.3k
FargateのPID namespace sharing を試してみた
JAWS-UG コンテナ支部 × JAWS-UG 千葉支部 #1 今知りたいコンテナセキュリティ
kamadakohei
October 16, 2023
Tweet
Share
More Decks by kamadakohei
See All by kamadakohei
Amazon CloudWatch Syntheticsで始める合成監視
kamadakohei
0
530
Amazon VPC Latticeを触ってみた!
kamadakohei
0
970
ECS Service Connect By Terraform
kamadakohei
0
1.3k
AIアプリ作ってみた
kamadakohei
0
440
LINEBot作ってみた
kamadakohei
0
74
Other Decks in Programming
See All in Programming
AIでLINEスタンプを作ってみた
eycjur
1
230
MCPでVibe Working。そして、結局はContext Eng(略)/ Working with Vibe on MCP And Context Eng
rkaga
5
2.3k
テストカバレッジ100%を10年続けて得られた学びと品質
mottyzzz
2
600
The Past, Present, and Future of Enterprise Java
ivargrimstad
0
390
時間軸から考えるTerraformを使う理由と留意点
fufuhu
16
4.8k
Navigating Dependency Injection with Metro
zacsweers
3
2.3k
Azure SRE Agentで運用は楽になるのか?
kkamegawa
0
2.4k
testingを眺める
matumoto
1
140
Navigation 2 を 3 に移行する(予定)ためにやったこと
yokomii
0
320
ProxyによるWindow間RPC機構の構築
syumai
3
1.2k
Testing Trophyは叫ばない
toms74209200
0
880
私の後悔をAWS DMSで解決した話
hiramax
4
210
Featured
See All Featured
A Modern Web Designer's Workflow
chriscoyier
696
190k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
52
5.6k
Rebuilding a faster, lazier Slack
samanthasiow
83
9.2k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
18
1.1k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
PRO
188
55k
Art, The Web, and Tiny UX
lynnandtonic
303
21k
Designing for humans not robots
tammielis
253
25k
GraphQLの誤解/rethinking-graphql
sonatard
72
11k
Making Projects Easy
brettharned
117
6.4k
Writing Fast Ruby
sferik
628
62k
Unsuck your backbone
ammeep
671
58k
YesSQL, Process and Tooling at Scale
rocio
173
14k
Transcript
© 2022 SRE Holdings Corporation 1 2980 © 2022 SRE
Holdings Corporation Fargate PID namespace sharing 2023/10/16
© 2022 SRE Holdings Corporation 2 • • SRE Holdings
• ⁃ Web ⁃ Twitter: Lam(@boy_hap)
© 2022 SRE Holdings Corporation 3 • namespace • Fargate
PID namespace sharing • • •
© 2022 SRE Holdings Corporation 4 SRE Holdings 2014 2019
SRE / AI DX DX IT
© 2022 SRE Holdings Corporation 5 namespace • Linux •
PID namespace namespace 名前 機能 network namespace ネットワークの分離 pid namespace プロセスIDの分離 uts namespace ホスト、ドメインの分離 mount namespace マウントポイントの分離
© 2022 SRE Holdings Corporation 6 9.5 namespace • namespace
: 9.5 namespace • namespace • PID namespace
© 2022 SRE Holdings Corporation 7 Fargate PID namespace •
ECS on EC2 ⾒ pid namespace • ECS on Fargate ⾒ namespace • Fargete
© 2022 SRE Holdings Corporation 8 Fargate pid namespace sharing
• pidMode task pid namespace sharing ⾒ pid namespace = • pid namespace sharing ⁃ ⁃
© 2022 SRE Holdings Corporation 9 • Fargate ⾒ ⁃
⁃ 引⽤)https://dev.classmethod.jp/articles/sysdig-secure-ecs-fargate-setting-up-terraform-overview/ 引⽤)https://paper.dropbox.com/doc/ECS-Fargate-CyCA4uBm581OgeBIYq37b
© 2022 SRE Holdings Corporation 10 AWS • nginx sleeper
⁃ nginx nginx main ⁃ sleeper sleep in nity sleeper ecs exec nginx pid Mode
© 2022 SRE Holdings Corporation 11 (pidMode { … "containerDefinitions":
[ { "name": "nginx", "image": "public.ecr.aws/nginx/nginx:1.25-perl", "essential": true }, { "name": "sleeper", "image": "public.ecr.aws/amazonlinux/amazonlinux:2", "essential": true, "command": [ "sleep", "infinity" ], … "cpu": "256", "memory": "512" }
© 2022 SRE Holdings Corporation 12 pidMode ⾒ sleeper •
• ID 1
© 2022 SRE Holdings Corporation 13 pidMode ⾒ nginx •
• ID 1
© 2022 SRE Holdings Corporation 14 (pidMode { … "containerDefinitions":
[ { "name": "nginx", "image": "public.ecr.aws/nginx/nginx:1.25-perl", "essential": true }, { "name": "sleeper", "image": "public.ecr.aws/amazonlinux/amazonlinux:2", "essential": true, "command": [ "sleep", "infinity" ], … "cpu": "256", "memory": "512", "pidMode": "task" }
© 2022 SRE Holdings Corporation 15 pidMode task ⾒ sleeper)
• • pause PID 1 pause https://text.superbrothers.dev/200328-how-to-avoid-pid-1-problem-in-kubernetes/ • ID ID
© 2022 SRE Holdings Corporation 16 • /proc/( PID)/root •
© 2022 SRE Holdings Corporation 17 strace
© 2022 SRE Holdings Corporation 18 kill kill
© 2022 SRE Holdings Corporation 19 • Fargate ⾒ pidMode=task
pid namespace • •
© 2022 SRE Holdings Corporation 20 • "NB[PO&$4PO"84'BSHBUFͰઃఆՄೳͳ-JOVYύϥϝʔλͷՃ https://aws.amazon.com/jp/blogs/news/announcing-additional-linux-controls-for-amazon-ecs-tasks-on-aws-fargate/ •
λεΫఆٛύϥϝʔλ https://docs.aws.amazon.com/ja_jp/AmazonECS/latest/developerguide/task_de nition_parameters.html#other_task_de nition_params • 'BSHBUFͰ1*%OBNFTQBDFڞ༗Λࢼ͢ https://qiita.com/hoogee/items/1555312b385605246253 • &$4PO'BSHBUFͰαΠυΧʔ͔ΒϓϩηεγεςϜίʔϧࢹ͕؆୯ʹͰ͖ΔΑ͏ʹͳΓ·ͨ͠ʂ https://dev.classmethod.jp/articles/ecs-on-fargate-support-shared-pid-namespace/
© 2022 SRE Holdings Corporation 21 • &$4'BSHBUFͰແྉͰূཧ͍ͨ͠ https://paper.dropbox.com/doc/ECS-Fargate-CyCA4uBm581OgeBIYq37b •
4FSWFSMFTT"HFOUTΛར༻ͯ͠&$4'BSHBUFڥͰ4ZTEJH4FDVSFΛར༻ͯ͠Έͨʙ5FSSBGPSNฤʙ https://dev.classmethod.jp/articles/sysdig-secure-ecs-fargate-setting-up-terraform-overview/ • &$4PO'BSHBUFͷηΩϡϦςΟରࡦԿΛΔ͖ʁ։ൃऀઢͰߟ͑Δ https://speakerdeck.com/tomoki10/security-for-ecs-on-fargate-secjawsdays