Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
FargateのPID namespace sharing を試してみた
Search
kamadakohei
October 16, 2023
Programming
0
770
FargateのPID namespace sharing を試してみた
JAWS-UG コンテナ支部 × JAWS-UG 千葉支部 #1 今知りたいコンテナセキュリティ
kamadakohei
October 16, 2023
Tweet
Share
More Decks by kamadakohei
See All by kamadakohei
Amazon CloudWatch Syntheticsで始める合成監視
kamadakohei
0
280
Amazon VPC Latticeを触ってみた!
kamadakohei
0
740
ECS Service Connect By Terraform
kamadakohei
0
870
AIアプリ作ってみた
kamadakohei
0
300
LINEBot作ってみた
kamadakohei
0
45
Other Decks in Programming
See All in Programming
Elm 0.19.0 Changes
bkuhlmann
0
500
Hanami and htmx
bkuhlmann
0
220
Build Apps for iOS, Android & Desktop in 100% Kotlin With Compose Multiplatform (mDevCamp 2024)
zsmb
0
420
StoreKit2によるiOSのアプリ内課金のリニューアル
kangnux
0
120
R言語の環境構築と基礎 Tokyo.R 112
bob3bob3
0
280
Snowflakeで眠ったデータを起こそう!
estie
0
140
禅の心を手に入れよ
eltociear
1
280
if constexpr文はテンプレート世界のラムダ式である
faithandbrave
3
670
Polars入門
daikikatsuragawa
1
160
DMMプラットフォームがTiDB Cloudを採用した背景
pospome
9
4.2k
OpenAPIを中心に考えるAPI開発入門 / Introduction to API Development with a Focus on OpenAPI
seike460
PRO
2
170
Behind VS Code Extensions for JavaScript / TypeScript Linnting and Formatting
unvalley
6
1.1k
Featured
See All Featured
A Modern Web Designer's Workflow
chriscoyier
689
190k
Docker and Python
trallard
35
2.7k
Mobile First: as difficult as doing things right
swwweet
217
8.6k
GitHub's CSS Performance
jonrohan
1025
450k
Fireside Chat
paigeccino
22
2.6k
A better future with KSS
kneath
231
16k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
79
43k
10 Git Anti Patterns You Should be Aware of
lemiorhan
649
58k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
126
32k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
123
39k
YesSQL, Process and Tooling at Scale
rocio
165
13k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
Transcript
© 2022 SRE Holdings Corporation 1 2980 © 2022 SRE
Holdings Corporation Fargate PID namespace sharing 2023/10/16
© 2022 SRE Holdings Corporation 2 • • SRE Holdings
• ⁃ Web ⁃ Twitter: Lam(@boy_hap)
© 2022 SRE Holdings Corporation 3 • namespace • Fargate
PID namespace sharing • • •
© 2022 SRE Holdings Corporation 4 SRE Holdings 2014 2019
SRE / AI DX DX IT
© 2022 SRE Holdings Corporation 5 namespace • Linux •
PID namespace namespace 名前 機能 network namespace ネットワークの分離 pid namespace プロセスIDの分離 uts namespace ホスト、ドメインの分離 mount namespace マウントポイントの分離
© 2022 SRE Holdings Corporation 6 9.5 namespace • namespace
: 9.5 namespace • namespace • PID namespace
© 2022 SRE Holdings Corporation 7 Fargate PID namespace •
ECS on EC2 ⾒ pid namespace • ECS on Fargate ⾒ namespace • Fargete
© 2022 SRE Holdings Corporation 8 Fargate pid namespace sharing
• pidMode task pid namespace sharing ⾒ pid namespace = • pid namespace sharing ⁃ ⁃
© 2022 SRE Holdings Corporation 9 • Fargate ⾒ ⁃
⁃ 引⽤)https://dev.classmethod.jp/articles/sysdig-secure-ecs-fargate-setting-up-terraform-overview/ 引⽤)https://paper.dropbox.com/doc/ECS-Fargate-CyCA4uBm581OgeBIYq37b
© 2022 SRE Holdings Corporation 10 AWS • nginx sleeper
⁃ nginx nginx main ⁃ sleeper sleep in nity sleeper ecs exec nginx pid Mode
© 2022 SRE Holdings Corporation 11 (pidMode { … "containerDefinitions":
[ { "name": "nginx", "image": "public.ecr.aws/nginx/nginx:1.25-perl", "essential": true }, { "name": "sleeper", "image": "public.ecr.aws/amazonlinux/amazonlinux:2", "essential": true, "command": [ "sleep", "infinity" ], … "cpu": "256", "memory": "512" }
© 2022 SRE Holdings Corporation 12 pidMode ⾒ sleeper •
• ID 1
© 2022 SRE Holdings Corporation 13 pidMode ⾒ nginx •
• ID 1
© 2022 SRE Holdings Corporation 14 (pidMode { … "containerDefinitions":
[ { "name": "nginx", "image": "public.ecr.aws/nginx/nginx:1.25-perl", "essential": true }, { "name": "sleeper", "image": "public.ecr.aws/amazonlinux/amazonlinux:2", "essential": true, "command": [ "sleep", "infinity" ], … "cpu": "256", "memory": "512", "pidMode": "task" }
© 2022 SRE Holdings Corporation 15 pidMode task ⾒ sleeper)
• • pause PID 1 pause https://text.superbrothers.dev/200328-how-to-avoid-pid-1-problem-in-kubernetes/ • ID ID
© 2022 SRE Holdings Corporation 16 • /proc/( PID)/root •
© 2022 SRE Holdings Corporation 17 strace
© 2022 SRE Holdings Corporation 18 kill kill
© 2022 SRE Holdings Corporation 19 • Fargate ⾒ pidMode=task
pid namespace • •
© 2022 SRE Holdings Corporation 20 • "NB[PO&$4PO"84'BSHBUFͰઃఆՄೳͳ-JOVYύϥϝʔλͷՃ https://aws.amazon.com/jp/blogs/news/announcing-additional-linux-controls-for-amazon-ecs-tasks-on-aws-fargate/ •
λεΫఆٛύϥϝʔλ https://docs.aws.amazon.com/ja_jp/AmazonECS/latest/developerguide/task_de nition_parameters.html#other_task_de nition_params • 'BSHBUFͰ1*%OBNFTQBDFڞ༗Λࢼ͢ https://qiita.com/hoogee/items/1555312b385605246253 • &$4PO'BSHBUFͰαΠυΧʔ͔ΒϓϩηεγεςϜίʔϧࢹ͕؆୯ʹͰ͖ΔΑ͏ʹͳΓ·ͨ͠ʂ https://dev.classmethod.jp/articles/ecs-on-fargate-support-shared-pid-namespace/
© 2022 SRE Holdings Corporation 21 • &$4'BSHBUFͰແྉͰূཧ͍ͨ͠ https://paper.dropbox.com/doc/ECS-Fargate-CyCA4uBm581OgeBIYq37b •
4FSWFSMFTT"HFOUTΛར༻ͯ͠&$4'BSHBUFڥͰ4ZTEJH4FDVSFΛར༻ͯ͠Έͨʙ5FSSBGPSNฤʙ https://dev.classmethod.jp/articles/sysdig-secure-ecs-fargate-setting-up-terraform-overview/ • &$4PO'BSHBUFͷηΩϡϦςΟରࡦԿΛΔ͖ʁ։ൃऀઢͰߟ͑Δ https://speakerdeck.com/tomoki10/security-for-ecs-on-fargate-secjawsdays