Trying out Fargate PID namespace sharing
kamadakohei
October 16, 2023
JAWS-UG Container Chapter × JAWS-UG Chiba Chapter #1: The container security you want to know about now
Transcript
© 2022 SRE Holdings Corporation
Slide 1: 2980 Fargate PID namespace sharing 2023/10/16
Slide 2:
• SRE Holdings
• Web
• Twitter: Lam(@boy_hap)
Slide 3:
• namespace
• Fargate PID namespace sharing
Slide 4: SRE Holdings 2014 2019 SRE / AI DX DX IT
Slide 5: namespace
• Linux
• PID namespace
Name: Function
network namespace: network isolation
pid namespace: process ID isolation
uts namespace: host and domain isolation
mount namespace: mount point isolation
Slide 6: 9.5 namespace
• namespace
• PID namespace
Slide 7: Fargate PID namespace
• ECS on EC2 pid namespace
• ECS on Fargate namespace
• Fargate
Slide 8: Fargate pid namespace sharing
• pidMode task pid namespace sharing pid namespace =
• pid namespace sharing
Slide 9:
• Fargate
Source: https://dev.classmethod.jp/articles/sysdig-secure-ecs-fargate-setting-up-terraform-overview/
Source: https://paper.dropbox.com/doc/ECS-Fargate-CyCA4uBm581OgeBIYq37b
Slide 10: AWS
• nginx sleeper
⁃ nginx nginx main
⁃ sleeper sleep infinity
sleeper ecs exec nginx pidMode
Slide 11: (pidMode
{
  …
  "containerDefinitions": [
    {
      "name": "nginx",
      "image": "public.ecr.aws/nginx/nginx:1.25-perl",
      "essential": true
    },
    {
      "name": "sleeper",
      "image": "public.ecr.aws/amazonlinux/amazonlinux:2",
      "essential": true,
      "command": [ "sleep", "infinity" ],
  …
  "cpu": "256",
  "memory": "512"
}
Slide 12: pidMode sleeper
• ID 1
Slide 13: pidMode nginx
• ID 1
Slide 14: (pidMode
{
  …
  "containerDefinitions": [
    {
      "name": "nginx",
      "image": "public.ecr.aws/nginx/nginx:1.25-perl",
      "essential": true
    },
    {
      "name": "sleeper",
      "image": "public.ecr.aws/amazonlinux/amazonlinux:2",
      "essential": true,
      "command": [ "sleep", "infinity" ],
  …
  "cpu": "256",
  "memory": "512",
  "pidMode": "task"
}
Slide 15: pidMode task sleeper)
• pause PID 1 pause https://text.superbrothers.dev/200328-how-to-avoid-pid-1-problem-in-kubernetes/
• ID ID
Slide 16:
• /proc/( PID)/root
Slide 17: strace
Slide 18: kill kill
Slide 19:
• Fargate pidMode=task pid namespace
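The task definitions on slides 11 and 14 differ only in "pidMode": "task". As an added example (not from the slides), this Python check flags task definitions whose containers share a PID namespace and reports which of them also add SYS_PTRACE, assumed here to be the capability needed to attach a tracer such as strace to another container's process; the `family` and `linuxParameters` fields in the sample are constructed.

```python
import json

# Constructed input: the slides' two-container task definition with
# "pidMode": "task" (slide 14). "family" and "linuxParameters" are
# illustrative additions and do not appear on the slides.
TASK_DEF_JSON = """
{
  "family": "example-pid-sharing",
  "containerDefinitions": [
    {"name": "nginx", "image": "public.ecr.aws/nginx/nginx:1.25-perl",
     "essential": true},
    {"name": "sleeper", "image": "public.ecr.aws/amazonlinux/amazonlinux:2",
     "essential": true, "command": ["sleep", "infinity"],
     "linuxParameters": {"capabilities": {"add": ["SYS_PTRACE"]}}}
  ],
  "cpu": "256", "memory": "512",
  "pidMode": "task"
}
"""


def audit_pid_sharing(task_def):
    """Return (code, detail) findings about PID namespace exposure."""
    findings = []
    pid_mode = task_def.get("pidMode")  # absent: one namespace per container
    containers = task_def.get("containerDefinitions", [])
    names = [c.get("name", "<unnamed>") for c in containers]
    if pid_mode == "host":  # valid on the EC2 launch type, not on Fargate
        findings.append(("HOST_PID", "containers share the host PID namespace"))
    elif pid_mode == "task" and len(names) > 1:
        findings.append(("TASK_PID_SHARED",
                         "processes visible across: " + ", ".join(names)))
    if pid_mode in ("task", "host"):
        for c in containers:
            caps = (c.get("linuxParameters", {})
                     .get("capabilities", {}).get("add", []))
            if "SYS_PTRACE" in caps:  # can trace processes it can see
                findings.append(("PTRACE_IN_SHARED_NS", c.get("name", "<unnamed>")))
    return findings


def audit_json(text):
    """Parse a task definition JSON document and audit it."""
    return audit_pid_sharing(json.loads(text))


if __name__ == "__main__":
    for code, detail in audit_json(TASK_DEF_JSON):
        print(code, detail)
```

Run it over the output of a task definition export to list every task where a sidecar can observe the application container's processes.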
Slide 20:
• Additional configurable Linux parameters for Amazon ECS on AWS Fargate: https://aws.amazon.com/jp/blogs/news/announcing-additional-linux-controls-for-amazon-ecs-tasks-on-aws-fargate/
• Task definition parameters: https://docs.aws.amazon.com/ja_jp/AmazonECS/latest/developerguide/task_definition_parameters.html#other_task_definition_params
• Trying PID namespace sharing on Fargate: https://qiita.com/hoogee/items/1555312b385605246253
• Monitoring processes and system calls from a sidecar is now easy on ECS on Fargate!: https://dev.classmethod.jp/articles/ecs-on-fargate-support-shared-pid-namespace/
Slide 21:
• ECS Fargate …: https://paper.dropbox.com/doc/ECS-Fargate-CyCA4uBm581OgeBIYq37b
• Trying Sysdig Secure in an ECS Fargate environment using Serverless Agents (Terraform edition): https://dev.classmethod.jp/articles/sysdig-secure-ecs-fargate-setting-up-terraform-overview/
• What security measures should you take for ECS on Fargate? A developer's perspective: https://speakerdeck.com/tomoki10/security-for-ecs-on-fargate-secjawsdays