Upgrade to Pro — share decks privately, control downloads, hide ads and more …

chroot-network-uts-container

masayoshi
June 17, 2017
Technology
6
670

 chroot-network-uts-container

chroot ✕ netowork namespace ✕UTS namespace

masayoshi

June 17, 2017
Tweet

More Decks by masayoshi

See All by masayoshi
Developers Summit 2021 summer
masayoshi
14
22k
2021-06-cloud-native-reg-event
masayoshi
8
2.3k
SRE_Culture_Organization
masayoshi
17
9.4k
cloudnative-kansai-2019
masayoshi
1
560
ミドルウェア実行環境の多様化を考慮したインフラアーキテクチャの一検討/study on web system architecture #2
masayoshi
0
3.2k
Webサービスにおけるインフラアーキテクチャの体系化と選択自動化の研究/study on web system architecture #1
masayoshi
0
2.4k
はてなのインフラストラクチャ設計構想 / The Concept of Hatena Infrastructure
masayoshi
1
5.1k
はてなのインフラ環境を自宅で再現する
masayoshi
7
12k
負荷分散技術を選ぶときに考えること
masayoshi
21
12k

Other Decks in Technology

See All in Technology
アクセス制御にまつわる改善 / Improving access control
itkq
0
460
LLM とプロンプトエンジニアリング/チューターをビルドする / LLM and Prompt Engineering and Building Tutors
ks91
PRO
0
250
Cloud Native Java with Spring Boot (CNCF Aarhus, April 2024)
thomasvitale
1
150
エンジニアのキャリアをちょっと楽しくする3本の軸/Three Pillars to Make an Engineer's Career More Enjoyable
kwappa
0
2.5k
2024/4/26 コンピュータ歴史博物館解説告知
toshi_atsumi
0
210
4年前、あるじゃん老害エンジニアLT合戦に登壇、米国西海岸コンピュータ歴史博物館体験記の続編
toshi_atsumi
0
220
日本におけるデータエンジニアリングのこれまでとこれから
foursue
16
4k
レガシーをぶっ壊せ。AEONで始めるDevRelの話 / Qiita Night 2024-2-22
aeonpeople
3
1.2k
長期間TiDBを使ってきた話 @ 私たちはなぜNewSQLを使うのかTiDB選定5社が語る選定理由と活用LT / Experiences with TiDB Over Time
chibiegg
2
850
Hands-on / Kaname Frusawa / Cloud Compare Users Meetup 2024 at University of Tokyo on April 17
paraworld
2
480
On Your Data を超えていく!
hirotomotaguchi
2
610
SREとその組織類型
tatsuo48
9
1.6k

Featured

See All Featured
The Language of Interfaces
destraynor
151
23k
4 Signs Your Business is Dying
shpigford
175
21k
We Have a Design System, Now What?
morganepeng
42
6.7k
The Art of Programming - Codeland 2020
erikaheidi
41
12k
In The Pink: A Labor of Love
frogandcode
138
21k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
34
8.9k
Scaling GitHub
holman
457
140k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
20
1.6k
Unsuck your backbone
ammeep
662
57k
Thoughts on Productivity
jonyablonski
57
3.8k
The Brand Is Dead. Long Live the Brand.
mthomps
48
28k
Being A Developer After 40
akosma
56
580k

Transcript

  1. chrootͱnetwork namespace Ͱͭ͘Δ؆қίϯςφ ୈճίϯςφܕԾ૝Խͷ৘ใަ׵ձˏେࡕ

  2. ࣗݾ঺հ • id:masayoshi • ͸ͯͳˏژ౎ • WebΦϖϨʔγϣϯΤϯδχΞ • େֶ࣌୅͸SDNؔ࿈ͷݚڀ

  3. ࠓ೔࿩͢͜ͱ • ࣗ࡞ίϯςφͷϞνϕʔγϣϯ • chroot ✕ network namespace ✕ UTS

    namespace

  4. ࠓ೔࿩͢͜ͱ • TenForwardࢯͷৄࡉͳղઆͰجૅٕज़Λཧղ͠ɺ • ࢲͷࡶͳൃදͰίϯςφࣗ࡞ʹڵຯΛ࣋ͬͯ΋Β͍ɺ • udzuraࢯͷhaconiwaͰͥͻνϟϨϯδͯ͠ཉ͍͠

  5. ίϯςφࣗ࡞ͷϞνϕʔγϣϯ • Linuxίϯςφͷษڧ • جૅ෦෼ɺ࣮૷ʹΑΒͳ͍ڞ௨ٕज़ͷษڧ • طଘίϯςφٕज़ͷ࠶֬ೝ • ࡞ͬͯ࢖ͬͯΈΔͱҧ͍ͳͲ͕Α͘෼͔Δ •

    खݩͰͷωοτϫʔΫςετ؀ڥ • ࡉ͔͘มߋ͢ΔͷͰࣗ෼Ͱ৮Γ΍͍͢ํ͕ྑ͍

  6. chroot network namespace UTS namespace

  7. ͳΜͰ͜ͷ3ͭ? • ߹Θͤͯ࢖͏ͱγϯϓϧ͕ͩҙ֎ͱ͓΋͠Ζ͍෺͕ಈ͔ͤΔ • ֶੜͷͱ͖ݚڀͰnetwork nsΛΑ͘࢖͍ͬͯͨ • ωοτϫʔΫͰ༡Ϳͱ͖͸͜ͷߏ੒Λ࢖͍ͬͯΔ • chroot

    namespaceͷҰ෦ͷΈͷ૊Έ߹Θͤ͸ଟ͘ͳͦ͞͏ • 1ͭ1ͭ΍શͯΛ૊Έ߹Θ࣮ͤͨ૷ྫ͸৭ʑ͋Δ

  8. ͜ͷ3ͭͰ΋໘ന͍͜ͱ͕ग़དྷΔ • chroot • docker exportͳͲͷల։͞ΕͨΠϝʔδͷ࣮ߦ • network namespace •

    ಛఆͷIPΞυϨε + ϙʔτͰͷLISTEN • UTS namespace • ؅ཧ্ͷརศੑ

  9. ྫ͑͹ • apache + mackerel-agent + ssh ͳίϯςφ • Webαʔό

    • ؂ࢹ༻ΤʔδΣϯτͱssh͕ಈ࡞ • ΞϓϦέʔγϣϯ + ؂ࢹ + ؅ཧ • ಉҰͷ෺ཧαʔόͰ্هͷίϯςφΛෳ਺ىಈՄೳ • network͸Linux BridgeͰϒϦοδ઀ଓ

  10. #SJEHF ϗετ໊UFTU ϗετ໊UFTU FUI IUUQE    TTI 

    IUUQE  TTI   WBSDPOUBJOFSUFTU WBSDPOUBJOFSUFTU NBDLFSFMBHFOU NBDLFSFMBHFOU

  11. UPVDIWBSSVOVUTOTUFTU VOTIBSFVUTSVOVUTOTUFTUIPTUOBNFUFTU JQOFUOTBEEUFTU JQMJOLBEEOBNFUFTUCSUZQFWFUIQFFSOBNFUFTUDU CSDUMBEEJGCSUFTUCS JQMJOLTFUUFTUDUOFUOTUFTU JQOFUOTFYFDUFTUJQBEESBEEEFWUFTUDU JQOFUOTFYFDUFTUJQMJOLTFUMPVQ JQOFUOTFYFDUFTUJQMJOLTFUUFTUDUVQ JQMJOLTFUUFTUCSVQ

    JQOFUOTFYFDUFTUJQSPVUFBEEEFGBVMUWJB NPVOUUQSPDQSPDNOUUFTUQSPD NPVOUSCJOETZTNOUUFTUTZT NPVOUNBLFSTMBWFNOUUFTUTZT NPVOUSCJOEEFWNOUUFTUEFW NPVOUNBLFSTMBWFNOUUFTUEFW

  12. UPVDIWBSSVOVUTOTUFTU VOTIBSFVUTSVOVUTOTUFTUIPTUOBNFUFTU JQOFUOTBEEUFTU JQMJOLBEEOBNFUFTUCSUZQFWFUIQFFSOBNFUFTUDU CSDUMBEEJGCSUFTUCS JQMJOLTFUUFTUDUOFUOTUFTU JQOFUOTFYFDUFTUJQBEESBEEEFWUFTUDU JQOFUOTFYFDUFTUJQMJOLTFUMPVQ JQOFUOTFYFDUFTUJQMJOLTFUUFTUDUVQ JQMJOLTFUUFTUCSVQ

    JQOFUOTFYFDUFTUJQSPVUFBEEEFGBVMUWJB NPVOUUQSPDQSPDNOUUFTUQSPD NPVOUSCJOETZTNOUUFTUTZT NPVOUNBLFSTMBWFNOUUFTUTZT NPVOUSCJOEEFWNOUUFTUEFW NPVOUNBLFSTMBWFNOUUFTUEFW 654 OFUXPSL DISPPU

  13. UPVDIWBSSVOVUTOTUFTU VOTIBSFVUTSVOVUTOTUFTUIPTUOBNFUFTU JQOFUOTBEEUFTU JQMJOLBEEOBNFUFTUCSUZQFWFUIQFFSOBNFUFTUDU CSDUMBEEJGCSUFTUCS JQMJOLTFUUFTUDUOFUOTUFTU JQOFUOTFYFDUFTUJQBEESBEEEFWUFTUDU JQOFUOTFYFDUFTUJQMJOLTFUMPVQ JQOFUOTFYFDUFTUJQMJOLTFUUFTUDUVQ JQMJOLTFUUFTUCSVQ

    JQOFUOTFYFDUFTUJQSPVUFEEEFGBVMUWJB NPVOUUQSPDQSPDNOUUFTUQSPD NPVOUSCJOETZTNOUUFTUTZT NPVOUNBLFSTMBWFNOUUFTUTZT NPVOUSCJOEEFWNOUUFTUEFW NPVOUNBLFSTMBWFNOUUFTUEFW ίϯςφ࡞੒ʹίϚϯυ JNBHFͷ࡞੒͸আ͘

  14. σϞ͠ͳ͕Βݟ͍ͯ͘

  15. imageͷ࡞੒ • dockerͳΒdocker export Ͱ • build, ship͸dockerͰ΍Δͱָͦ͏ • ࠓճ͸run෦෼Ͱ༡Ϳ

    • dockerͳ͠ͳΒdebootstrapͳͲ • ࠓճ͸debootstrapͰ࡞੒ͨ͠΍ͭΛར༻

  16. namespaceͷӬଓԽ MSXYSXYSXYSPPUSPPU݄JQDJQD<> MSXYSXYSXYSPPUSPPU݄NOUNOU<> MSXYSXYSXYSPPUSPPU݄OFUOFU<> MSXYSXYSXYSPPUSPPU݄QJEQJE<> MSXYSXYSXYSPPUSPPU݄VUTVUT<> • /proc/[PID]/ns ഑Լʹ͋ΔಛघϑΝΠϧ QSPD<1*%>͸ϓϩηε͕ফ͑Δͱͳ͘ͳΔͷͰӬଓԽ͕ඞཁ

  17. namespaceͷӬଓԽ • bindϚ΢ϯτΛ͔ͭͬͯӬଓԽ͢Δ NPVOUCJOESVOVUTOTSVOVUTOT NPVOUNBLFTIBSFESVOVUTOT VOTIBSFVNPVOUCJOEQSPDTFMGOTVUTSVOVUTOT UFTU VOTIBSFVUTSVOVUTOTUFTU • ࠷ۙͷunshareίϚϯυ͸ӬଓԽָ͕

  18. UTS namespace • ओʹ؅ཧͷͨΊ • ίϯςφʹೖͬͨͱ͖ͱ͔ • γϯϓϧʹ࢖͑ΔͷͰ͓ؾܰ UPVDIWBSSVOVUTOTUFTU VOTIBSFVUTSVOVUTOTUFTUIPTUOBNFUFTU

  19. Networkͷ࡞੒ • veth࡞ͬͯbridgeʹ઀ଓ • TenForwardࢯʹΑΔσϞ͕͋Γͦ͏ͳͷͰলུ • (ࢲ͸)৭ʑมߋ͢Δ͜ͱ͕ଟ͍ • Linux BridgeΛOpen

    vSwitchʹͨ͠Γ • ࣗ࡞ͷιϑτ΢ΣΞϧʔλʹ઀ଓͨ͠Γ • KVMͷVMͱ઀ଓͨ͠Γ • ෳ਺NIC + mptcp؀ڥ

  20. Networkͷ࡞੒ • Network͸ϙʔλϏϦςΟʹӨڹ͕ग़΍͍͢ • Ұ࣌ظdocker͕ؤுͬͯͨ • VXLANʹΑΔoverlay NetworkͳͲ • վળ͢΂͖Օॴ͕ͨ͘͞Μ͋Δ໘ന͍෼໺

    • ΦϑϩʔσΟϯά, SR-IOVͳͲߴ଎Խ • VXLANͳͲͷϓϩτίϧٕज़

  21. chroot؀ڥͷ࡞੒ • proc, sys, devͳͲΛmount͢Δ NPVOUUQSPDQSPDNOUUFTUQSPD NPVOUSCJOETZTNOUUFTUTZT NPVOUNBLFSTMBWFNOUUFTUTZT NPVOUSCJOEEFWNOUUFTUEFW NPVOUNBLFSTMBWFNOUUFTUEFW

    TZTUFNE؀ڥͰ͸CJOEϚ΢ϯτ͕4)"3&%ʹͳͬͨͷͰ STMBWF͓͔ͯ͠ͳ͍ͱVNPVOU3ͨ࣌͠ʹ͓͔͘͠ͳΔ

  22. ίϯςφ಺Ͱͷϓϩηεͷ࣮ߦ OTFOUFSOFUSVOOFUOTUFTUa VUTSVOVUTOTUFTUa DISPPUNOUUFTUa FUDJOJUEOHJOYTUBSU • nsenterΛ͔ͭͬͯnamespaceΛattach • ͦͷ্Ͱchroot͢Δ ಉ༷ʹTTIͳͲ΋ىಈ͢Δ

  23. ίϯςφ಺Ͱͷϓϩηεͷ࣮ߦ • chroot഑ԼͰ͸systemd͸ಈ࡞͠ͳ͍ͷͰ஫ҙ͕ඞཁ • chrootͷ୅ΘΓʹsystemd-nspawnΛ࢖ͬͯಈ͔͢ํ ๏΋͋Δ • ͦͷ৔߹ޙड़ͷPID namespaceΛ࢖͏͜ͱʹͳΔ

  24. PID namespace • PID෼཭͢Δͱੜ੒͞Εͨࢠϓϩηε͸ͦͷۭؒͰ͸init(PID=1) ͱͳΔ • init͕ࢮ͵ͱ൵͍͜͠ͱʹͳΔͷͰҡ࣋͢Δඞཁ͕͋Δ • ΑΓྑ͍initΛٻΊΔཱྀ͕࢝·Δ •

    docker 1.13Ͱ runʹ initΦϓγϣϯ͕෇͍ͯͦ͏ • ·ͨ/sbin/init Λ࣮ߦ͢Δɺ͠ͳ͍ͱ͍ͬͨબ୒ࢶ΋૿͑Δ • ࠓճͷ༻్Ͱ͸͍Βͳ͍ͷͰল͍ͨ • ࣮ࡍʹ͸ඞཁͱͳΔ͜ͱ͕ଟ͍ • ্هཧ༝Ͱؾܰʹ΍ΔͳΒল͘ͱָ

  25. PID namespaceΛར༻͠ͳ͍ͱ… • ps ݁Ռ͕෼཭͞Εͳ͍ • ίϯςφ಺ɺίϯςφ֎͔Βݟ์୊ • initʹͿΒԼ͕Δdaemon •

    UST, networkͷnamespace͸෼཭͞Ε͍ͯΔ • ϓϩηεੜ੒࣌ʹ෼཭͠ͳ͚Ε͹ܧঝ͞ΕΔ • ϓϩηεͷऴྃΛͲ͏͢Δ͔ • ss -N test01 -tlpͳͲͰLISTENΛ֬ೝ͢Δͱ෼཭͞Ε͍ͯ Δ͜ͱ͕Θ͔Δ

  26. ps ݁Ռ SPPUOHJOYNBTUFSQSPDFTTVTSTCJOOHJOY IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT SPPUOHJOYNBTUFSQSPDFTTVTSTCJOOHJOY IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT

    IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT

  27. ss݁Ռ TVEPTT/UFTUMUQ 4UBUF3FDW24FOE2ɹ-PDBM"EESFTT1PSUɹ1FFS"EESFTT1PSU -*45&/ɹ IUUQɹ  ɹVTFST OHJOY QJE GE

     -*45&/ɹIUUQɹ ɹVTFST OHJOY QJE GE  TVEPTT/UFTUMUQ 4UBUF3FDW24FOE2ɹ-PDBM"EESFTT1PSUɹ1FFS"EESFTT1PSU -*45&/ɹ IUUQɹ  ɹVTFST OHJOY QJE GE  -*45&/ɹIUUQɹ ɹVTFST OHJOY QJE GE

  28. curl DVSM UFTUDPOUBJOFSOHJOY DVSM UFTUDPOUBJOFSOHJOY

  29. SSH TTI DBUFUDEFCJBO@WFSTJPO  TTI DBUFUDEFCJBO@WFSTJPO TUSFUDITJE

  30. ·ͱΊΔͱ… • image಺ͷϥΠϒϥϦόʔδϣϯͰಈ࡞ • ίϯςφ಺Ͱෳ਺ͷΞϓϦέʔγϣϯΛىಈ • ҟͳΔIPΞυϨεͰ௨৴ • ؆୯ͳΞϓϦέʔγϣϯΛ࣮ߦ͢Δ͙Β͍͸Ͱ͖ͦ͏ •

    ൺֱతރΕ͍ͯΔ΋ͷ͔͠࢖͍ͬͯͳ͍ + γϯϓϧͳ ͷͰ҆ఆ͸͍ͯͦ͠͏

  31. ͍͚ͯͳ͍Օॴ • ͍͚ͯͳ͍Օॴͷطଘίϯςφٕज़Ͱͷղܾ๏ͱ
 ࣗ෼Ͱ࣮૷͢ΔࡍͷղܾํΛൺֱ͢Δͱָ͍͠ • image؅ཧ • Netoworkߏ੒ • PIDͷ؅ཧ,

    ϓϩηεͷॲཧํ๏ • Ϧιʔε੍ݶ • ηΩϡϦςΟ

  32. • imageͷ؅ཧػೳ • snapshot΍ɺόʔδϣχϯά͸? • imageͷҠಈ͸Ͳ͏͢Δ? • Networkߏ੒ • αϒωοτ΋ݻఆͰIP΋खಈͳͷͰҠಈ͸Ͳ͏͢Δʁɹ

    • ҟͳΔαϒωοτͱͷ௨৴͸? • PID෼཭ɺϓϩηεॲཧ • PID͸෼཭͢Δ or ͠ͳ͍? • ίϯςφ಺ͷinitͷॲཧ • γεςϜίϯςφ? ΞϓϦέʔγϣϯίϯςφ?

  33. ·ͱΊ • ίϯςφࣗ࡞͸ؾܰʹͰ͖Δ • Կ͕ίϯςφ͔ͱ͍͏࿩͸͋Δ͕ namespace͸ؾܰʹ࢖͑Δ • طଘίϯςφٕज़΁ͷཧղ͕ਂ·Δ • ͨΓͳ͍ͱ͜Ζ΋ݟ͑ͯ͘Δ

    • Ұճ͸৮͓ͬͯ͘ͱྑͦ͞͏