Upgrade to Pro — share decks privately, control downloads, hide ads and more …

chroot-network-uts-container

masayoshi
June 17, 2017
Technology
6
790

 chroot-network-uts-container

chroot ✕ netowork namespace ✕UTS namespace

masayoshi

June 17, 2017
Tweet

More Decks by masayoshi

See All by masayoshi
これからSREになる人と、これからもSREをやっていく人へ
masayoshi
6
4.9k
メトリクス、ログ、トレースをうまく使い分けて可観測性を高めよう!
masayoshi
8
10k
Developers Summit 2021 summer
masayoshi
15
29k
2021-06-cloud-native-reg-event
masayoshi
8
2.5k
SRE_Culture_Organization
masayoshi
17
10k
cloudnative-kansai-2019
masayoshi
1
700
ミドルウェア実行環境の多様化を考慮したインフラアーキテクチャの一検討/study on web system architecture #2
masayoshi
0
3.5k
Webサービスにおけるインフラアーキテクチャの体系化と選択自動化の研究/study on web system architecture #1
masayoshi
0
2.8k
はてなのインフラストラクチャ設計構想 / The Concept of Hatena Infrastructure
masayoshi
1
5.4k

Other Decks in Technology

See All in Technology
20250328_RubyKaigiで出会い鯛_____RubyKaigiから始まったはじめてのOSSコントリビュート.pdf
mterada1228
0
450
Zabbixチョットデキルとは!?
kujiraitakahiro
0
140
Beyond {shiny}: The Future of Mobile Apps with R
colinfay
0
230
ペアーズにおけるData Catalog導入の取り組み
hisamouna
0
260
古き良き Laravel のシステムは関数型スタイルでリファクタできるのか
leveragestech
1
350
Lightdashの利活用状況 ー導入から2年経った現在地_20250409
hirokiigeta
2
240
Tokyo dbt Meetup #13 dbtと連携するBI製品&機能ざっくり紹介
sagara
0
360
Webアプリを Lambdaで動かすまでに考えること / How to implement monolithic Lambda Web Application
_kensh
6
660
近年の PyCon 情勢から見た PyCon APAC のまとめ
terapyon
0
270
モンテカルロ木探索のパフォーマンスを予測する Kaggleコンペ解説 〜生成AIによる未知のゲーム生成〜
rist
4
1.3k
出前館を支えるJavaとKotlin
demaecan
0
150
サーバシステムを無理なくコンテナ移行する際に伝えたい4つのポイント/Container_Happy_Migration_Method
ozawa
1
130

Featured

See All Featured
How STYLIGHT went responsive
nonsquared
99
5.4k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
60k
Fashionably flexible responsive web design (full day workshop)
malarkey
407
66k
4 Signs Your Business is Dying
shpigford
183
22k
The Cost Of JavaScript in 2023
addyosmani
48
7.6k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.2k
The World Runs on Bad Software
bkeepers
PRO
67
11k
Making Projects Easy
brettharned
116
6.1k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
44
7.1k
It's Worth the Effort
3n
184
28k
Why You Should Never Use an ORM
jnunemaker
PRO
55
9.3k
jQuery: Nuts, Bolts and Bling
dougneiner
63
7.7k

Transcript

  1. chrootͱnetwork namespace Ͱͭ͘Δ؆қίϯςφ ୈճίϯςφܕԾ૝Խͷ৘ใަ׵ձˏେࡕ

  2. ࣗݾ঺հ • id:masayoshi • ͸ͯͳˏژ౎ • WebΦϖϨʔγϣϯΤϯδχΞ • େֶ࣌୅͸SDNؔ࿈ͷݚڀ

  3. ࠓ೔࿩͢͜ͱ • ࣗ࡞ίϯςφͷϞνϕʔγϣϯ • chroot ✕ network namespace ✕ UTS

    namespace

  4. ࠓ೔࿩͢͜ͱ • TenForwardࢯͷৄࡉͳղઆͰجૅٕज़Λཧղ͠ɺ • ࢲͷࡶͳൃදͰίϯςφࣗ࡞ʹڵຯΛ࣋ͬͯ΋Β͍ɺ • udzuraࢯͷhaconiwaͰͥͻνϟϨϯδͯ͠ཉ͍͠

  5. ίϯςφࣗ࡞ͷϞνϕʔγϣϯ • Linuxίϯςφͷษڧ • جૅ෦෼ɺ࣮૷ʹΑΒͳ͍ڞ௨ٕज़ͷษڧ • طଘίϯςφٕज़ͷ࠶֬ೝ • ࡞ͬͯ࢖ͬͯΈΔͱҧ͍ͳͲ͕Α͘෼͔Δ •

    खݩͰͷωοτϫʔΫςετ؀ڥ • ࡉ͔͘มߋ͢ΔͷͰࣗ෼Ͱ৮Γ΍͍͢ํ͕ྑ͍

  6. chroot network namespace UTS namespace

  7. ͳΜͰ͜ͷ3ͭ? • ߹Θͤͯ࢖͏ͱγϯϓϧ͕ͩҙ֎ͱ͓΋͠Ζ͍෺͕ಈ͔ͤΔ • ֶੜͷͱ͖ݚڀͰnetwork nsΛΑ͘࢖͍ͬͯͨ • ωοτϫʔΫͰ༡Ϳͱ͖͸͜ͷߏ੒Λ࢖͍ͬͯΔ • chroot

    namespaceͷҰ෦ͷΈͷ૊Έ߹Θͤ͸ଟ͘ͳͦ͞͏ • 1ͭ1ͭ΍શͯΛ૊Έ߹Θ࣮ͤͨ૷ྫ͸৭ʑ͋Δ

  8. ͜ͷ3ͭͰ΋໘ന͍͜ͱ͕ग़དྷΔ • chroot • docker exportͳͲͷల։͞ΕͨΠϝʔδͷ࣮ߦ • network namespace •

    ಛఆͷIPΞυϨε + ϙʔτͰͷLISTEN • UTS namespace • ؅ཧ্ͷརศੑ

  9. ྫ͑͹ • apache + mackerel-agent + ssh ͳίϯςφ • Webαʔό

    • ؂ࢹ༻ΤʔδΣϯτͱssh͕ಈ࡞ • ΞϓϦέʔγϣϯ + ؂ࢹ + ؅ཧ • ಉҰͷ෺ཧαʔόͰ্هͷίϯςφΛෳ਺ىಈՄೳ • network͸Linux BridgeͰϒϦοδ઀ଓ

  10. #SJEHF ϗετ໊UFTU ϗετ໊UFTU FUI IUUQE    TTI 

    IUUQE  TTI   WBSDPOUBJOFSUFTU WBSDPOUBJOFSUFTU NBDLFSFMBHFOU NBDLFSFMBHFOU

  11. UPVDIWBSSVOVUTOTUFTU VOTIBSFVUTSVOVUTOTUFTUIPTUOBNFUFTU JQOFUOTBEEUFTU JQMJOLBEEOBNFUFTUCSUZQFWFUIQFFSOBNFUFTUDU CSDUMBEEJGCSUFTUCS JQMJOLTFUUFTUDUOFUOTUFTU JQOFUOTFYFDUFTUJQBEESBEEEFWUFTUDU JQOFUOTFYFDUFTUJQMJOLTFUMPVQ JQOFUOTFYFDUFTUJQMJOLTFUUFTUDUVQ JQMJOLTFUUFTUCSVQ

    JQOFUOTFYFDUFTUJQSPVUFBEEEFGBVMUWJB NPVOUUQSPDQSPDNOUUFTUQSPD NPVOUSCJOETZTNOUUFTUTZT NPVOUNBLFSTMBWFNOUUFTUTZT NPVOUSCJOEEFWNOUUFTUEFW NPVOUNBLFSTMBWFNOUUFTUEFW

  12. UPVDIWBSSVOVUTOTUFTU VOTIBSFVUTSVOVUTOTUFTUIPTUOBNFUFTU JQOFUOTBEEUFTU JQMJOLBEEOBNFUFTUCSUZQFWFUIQFFSOBNFUFTUDU CSDUMBEEJGCSUFTUCS JQMJOLTFUUFTUDUOFUOTUFTU JQOFUOTFYFDUFTUJQBEESBEEEFWUFTUDU JQOFUOTFYFDUFTUJQMJOLTFUMPVQ JQOFUOTFYFDUFTUJQMJOLTFUUFTUDUVQ JQMJOLTFUUFTUCSVQ

    JQOFUOTFYFDUFTUJQSPVUFBEEEFGBVMUWJB NPVOUUQSPDQSPDNOUUFTUQSPD NPVOUSCJOETZTNOUUFTUTZT NPVOUNBLFSTMBWFNOUUFTUTZT NPVOUSCJOEEFWNOUUFTUEFW NPVOUNBLFSTMBWFNOUUFTUEFW 654 OFUXPSL DISPPU

  13. UPVDIWBSSVOVUTOTUFTU VOTIBSFVUTSVOVUTOTUFTUIPTUOBNFUFTU JQOFUOTBEEUFTU JQMJOLBEEOBNFUFTUCSUZQFWFUIQFFSOBNFUFTUDU CSDUMBEEJGCSUFTUCS JQMJOLTFUUFTUDUOFUOTUFTU JQOFUOTFYFDUFTUJQBEESBEEEFWUFTUDU JQOFUOTFYFDUFTUJQMJOLTFUMPVQ JQOFUOTFYFDUFTUJQMJOLTFUUFTUDUVQ JQMJOLTFUUFTUCSVQ

    JQOFUOTFYFDUFTUJQSPVUFEEEFGBVMUWJB NPVOUUQSPDQSPDNOUUFTUQSPD NPVOUSCJOETZTNOUUFTUTZT NPVOUNBLFSTMBWFNOUUFTUTZT NPVOUSCJOEEFWNOUUFTUEFW NPVOUNBLFSTMBWFNOUUFTUEFW ίϯςφ࡞੒ʹίϚϯυ JNBHFͷ࡞੒͸আ͘

  14. σϞ͠ͳ͕Βݟ͍ͯ͘

  15. imageͷ࡞੒ • dockerͳΒdocker export Ͱ • build, ship͸dockerͰ΍Δͱָͦ͏ • ࠓճ͸run෦෼Ͱ༡Ϳ

    • dockerͳ͠ͳΒdebootstrapͳͲ • ࠓճ͸debootstrapͰ࡞੒ͨ͠΍ͭΛར༻

  16. namespaceͷӬଓԽ MSXYSXYSXYSPPUSPPU݄JQDJQD<> MSXYSXYSXYSPPUSPPU݄NOUNOU<> MSXYSXYSXYSPPUSPPU݄OFUOFU<> MSXYSXYSXYSPPUSPPU݄QJEQJE<> MSXYSXYSXYSPPUSPPU݄VUTVUT<> • /proc/[PID]/ns ഑Լʹ͋ΔಛघϑΝΠϧ QSPD<1*%>͸ϓϩηε͕ফ͑Δͱͳ͘ͳΔͷͰӬଓԽ͕ඞཁ

  17. namespaceͷӬଓԽ • bindϚ΢ϯτΛ͔ͭͬͯӬଓԽ͢Δ NPVOUCJOESVOVUTOTSVOVUTOT NPVOUNBLFTIBSFESVOVUTOT VOTIBSFVNPVOUCJOEQSPDTFMGOTVUTSVOVUTOT UFTU VOTIBSFVUTSVOVUTOTUFTU • ࠷ۙͷunshareίϚϯυ͸ӬଓԽָ͕

  18. UTS namespace • ओʹ؅ཧͷͨΊ • ίϯςφʹೖͬͨͱ͖ͱ͔ • γϯϓϧʹ࢖͑ΔͷͰ͓ؾܰ UPVDIWBSSVOVUTOTUFTU VOTIBSFVUTSVOVUTOTUFTUIPTUOBNFUFTU

  19. Networkͷ࡞੒ • veth࡞ͬͯbridgeʹ઀ଓ • TenForwardࢯʹΑΔσϞ͕͋Γͦ͏ͳͷͰলུ • (ࢲ͸)৭ʑมߋ͢Δ͜ͱ͕ଟ͍ • Linux BridgeΛOpen

    vSwitchʹͨ͠Γ • ࣗ࡞ͷιϑτ΢ΣΞϧʔλʹ઀ଓͨ͠Γ • KVMͷVMͱ઀ଓͨ͠Γ • ෳ਺NIC + mptcp؀ڥ

  20. Networkͷ࡞੒ • Network͸ϙʔλϏϦςΟʹӨڹ͕ग़΍͍͢ • Ұ࣌ظdocker͕ؤுͬͯͨ • VXLANʹΑΔoverlay NetworkͳͲ • վળ͢΂͖Օॴ͕ͨ͘͞Μ͋Δ໘ന͍෼໺

    • ΦϑϩʔσΟϯά, SR-IOVͳͲߴ଎Խ • VXLANͳͲͷϓϩτίϧٕज़

  21. chroot؀ڥͷ࡞੒ • proc, sys, devͳͲΛmount͢Δ NPVOUUQSPDQSPDNOUUFTUQSPD NPVOUSCJOETZTNOUUFTUTZT NPVOUNBLFSTMBWFNOUUFTUTZT NPVOUSCJOEEFWNOUUFTUEFW NPVOUNBLFSTMBWFNOUUFTUEFW

    TZTUFNE؀ڥͰ͸CJOEϚ΢ϯτ͕4)"3&%ʹͳͬͨͷͰ STMBWF͓͔ͯ͠ͳ͍ͱVNPVOU3ͨ࣌͠ʹ͓͔͘͠ͳΔ

  22. ίϯςφ಺Ͱͷϓϩηεͷ࣮ߦ OTFOUFSOFUSVOOFUOTUFTUa VUTSVOVUTOTUFTUa DISPPUNOUUFTUa FUDJOJUEOHJOYTUBSU • nsenterΛ͔ͭͬͯnamespaceΛattach • ͦͷ্Ͱchroot͢Δ ಉ༷ʹTTIͳͲ΋ىಈ͢Δ

  23. ίϯςφ಺Ͱͷϓϩηεͷ࣮ߦ • chroot഑ԼͰ͸systemd͸ಈ࡞͠ͳ͍ͷͰ஫ҙ͕ඞཁ • chrootͷ୅ΘΓʹsystemd-nspawnΛ࢖ͬͯಈ͔͢ํ ๏΋͋Δ • ͦͷ৔߹ޙड़ͷPID namespaceΛ࢖͏͜ͱʹͳΔ

  24. PID namespace • PID෼཭͢Δͱੜ੒͞Εͨࢠϓϩηε͸ͦͷۭؒͰ͸init(PID=1) ͱͳΔ • init͕ࢮ͵ͱ൵͍͜͠ͱʹͳΔͷͰҡ࣋͢Δඞཁ͕͋Δ • ΑΓྑ͍initΛٻΊΔཱྀ͕࢝·Δ •

    docker 1.13Ͱ runʹ initΦϓγϣϯ͕෇͍ͯͦ͏ • ·ͨ/sbin/init Λ࣮ߦ͢Δɺ͠ͳ͍ͱ͍ͬͨબ୒ࢶ΋૿͑Δ • ࠓճͷ༻్Ͱ͸͍Βͳ͍ͷͰল͍ͨ • ࣮ࡍʹ͸ඞཁͱͳΔ͜ͱ͕ଟ͍ • ্هཧ༝Ͱؾܰʹ΍ΔͳΒল͘ͱָ

  25. PID namespaceΛར༻͠ͳ͍ͱ… • ps ݁Ռ͕෼཭͞Εͳ͍ • ίϯςφ಺ɺίϯςφ֎͔Βݟ์୊ • initʹͿΒԼ͕Δdaemon •

    UST, networkͷnamespace͸෼཭͞Ε͍ͯΔ • ϓϩηεੜ੒࣌ʹ෼཭͠ͳ͚Ε͹ܧঝ͞ΕΔ • ϓϩηεͷऴྃΛͲ͏͢Δ͔ • ss -N test01 -tlpͳͲͰLISTENΛ֬ೝ͢Δͱ෼཭͞Ε͍ͯ Δ͜ͱ͕Θ͔Δ

  26. ps ݁Ռ SPPUOHJOYNBTUFSQSPDFTTVTSTCJOOHJOY IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT SPPUOHJOYNBTUFSQSPDFTTVTSTCJOOHJOY IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT

    IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT

  27. ss݁Ռ TVEPTT/UFTUMUQ 4UBUF3FDW24FOE2ɹ-PDBM"EESFTT1PSUɹ1FFS"EESFTT1PSU -*45&/ɹ IUUQɹ  ɹVTFST OHJOY QJE GE

     -*45&/ɹIUUQɹ ɹVTFST OHJOY QJE GE  TVEPTT/UFTUMUQ 4UBUF3FDW24FOE2ɹ-PDBM"EESFTT1PSUɹ1FFS"EESFTT1PSU -*45&/ɹ IUUQɹ  ɹVTFST OHJOY QJE GE  -*45&/ɹIUUQɹ ɹVTFST OHJOY QJE GE

  28. curl DVSM UFTUDPOUBJOFSOHJOY DVSM UFTUDPOUBJOFSOHJOY

  29. SSH TTI DBUFUDEFCJBO@WFSTJPO  TTI DBUFUDEFCJBO@WFSTJPO TUSFUDITJE

  30. ·ͱΊΔͱ… • image಺ͷϥΠϒϥϦόʔδϣϯͰಈ࡞ • ίϯςφ಺Ͱෳ਺ͷΞϓϦέʔγϣϯΛىಈ • ҟͳΔIPΞυϨεͰ௨৴ • ؆୯ͳΞϓϦέʔγϣϯΛ࣮ߦ͢Δ͙Β͍͸Ͱ͖ͦ͏ •

    ൺֱతރΕ͍ͯΔ΋ͷ͔͠࢖͍ͬͯͳ͍ + γϯϓϧͳ ͷͰ҆ఆ͸͍ͯͦ͠͏

  31. ͍͚ͯͳ͍Օॴ • ͍͚ͯͳ͍Օॴͷطଘίϯςφٕज़Ͱͷղܾ๏ͱ
 ࣗ෼Ͱ࣮૷͢ΔࡍͷղܾํΛൺֱ͢Δͱָ͍͠ • image؅ཧ • Netoworkߏ੒ • PIDͷ؅ཧ,

    ϓϩηεͷॲཧํ๏ • Ϧιʔε੍ݶ • ηΩϡϦςΟ

  32. • imageͷ؅ཧػೳ • snapshot΍ɺόʔδϣχϯά͸? • imageͷҠಈ͸Ͳ͏͢Δ? • Networkߏ੒ • αϒωοτ΋ݻఆͰIP΋खಈͳͷͰҠಈ͸Ͳ͏͢Δʁɹ

    • ҟͳΔαϒωοτͱͷ௨৴͸? • PID෼཭ɺϓϩηεॲཧ • PID͸෼཭͢Δ or ͠ͳ͍? • ίϯςφ಺ͷinitͷॲཧ • γεςϜίϯςφ? ΞϓϦέʔγϣϯίϯςφ?

  33. ·ͱΊ • ίϯςφࣗ࡞͸ؾܰʹͰ͖Δ • Կ͕ίϯςφ͔ͱ͍͏࿩͸͋Δ͕ namespace͸ؾܰʹ࢖͑Δ • طଘίϯςφٕज़΁ͷཧղ͕ਂ·Δ • ͨΓͳ͍ͱ͜Ζ΋ݟ͑ͯ͘Δ

    • Ұճ͸৮͓ͬͯ͘ͱྑͦ͞͏