Upgrade to Pro — share decks privately, control downloads, hide ads and more …

chroot-network-uts-container

masayoshi
June 17, 2017
Technology
6
770

 chroot-network-uts-container

chroot ✕ netowork namespace ✕UTS namespace

masayoshi

June 17, 2017
Tweet

More Decks by masayoshi

See All by masayoshi
メトリクス、ログ、トレースをうまく使い分けて可観測性を高めよう!
masayoshi
9
9.4k
Developers Summit 2021 summer
masayoshi
15
28k
2021-06-cloud-native-reg-event
masayoshi
8
2.5k
SRE_Culture_Organization
masayoshi
17
9.9k
cloudnative-kansai-2019
masayoshi
1
670
ミドルウェア実行環境の多様化を考慮したインフラアーキテクチャの一検討/study on web system architecture #2
masayoshi
0
3.5k
Webサービスにおけるインフラアーキテクチャの体系化と選択自動化の研究/study on web system architecture #1
masayoshi
0
2.7k
はてなのインフラストラクチャ設計構想 / The Concept of Hatena Infrastructure
masayoshi
1
5.3k
はてなのインフラ環境を自宅で再現する
masayoshi
7
12k

Other Decks in Technology

See All in Technology
新卒1年目、はじめてのアプリケーションサーバー【IBM WebSphere Liberty】
ktgrryt
0
190
TSのコードをRustで書き直した話
askua
4
980
Mocking your codebase without cursing it
gaqzi
0
130
なぜfreeeはハブ・アンド・スポーク型の データメッシュアーキテクチャにチャレンジするのか?
shinichiro_joya
3
900
サービスローンチを成功させろ! 〜SREが教える30日間の攻略ガイド〜
mmmatsuda
2
3.6k
あなたの興味は信頼性?それとも生産性? SREとしてのキャリアに悩むみなさまに伝えたい選択肢
jacopen
5
2k
レイクハウスとはなんだったのか?
akuwano
14
1.6k
サーバーレス環境における生成AI活用の可能性
mikanbox
1
160
reinvent2024を起点に振り返るサーバーレスアップデート
mihonda
1
170
Tech Blog執筆のモチベート向上作戦
imamura_ko_0314
0
620
大学教員が押さえておくべき生成 AI の基礎と活用例〜より効率的な教育のために〜
soh9834
1
160
実践している探索的テストの進め方 #jasstnano
makky_tyuyan
1
130

Featured

See All Featured
StorybookのUI Testing Handbookを読んだ
zakiyama
28
5.4k
No one is an island. Learnings from fostering a developers community.
thoeni
19
3.1k
How GitHub (no longer) Works
holman
312
140k
GitHub's CSS Performance
jonrohan
1030
460k
Rails Girls Zürich Keynote
gr2m
94
13k
A Tale of Four Properties
chriscoyier
157
23k
Agile that works and the tools we love
rasmusluckow
328
21k
Why Our Code Smells
bkeepers
PRO
335
57k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
27
1.9k
Optimizing for Happiness
mojombo
376
70k
Speed Design
sergeychernyshev
25
750
How to Ace a Technical Interview
jacobian
276
23k

Transcript

  1. chrootͱnetwork namespace Ͱͭ͘Δ؆қίϯςφ ୈճίϯςφܕԾ૝Խͷ৘ใަ׵ձˏେࡕ

  2. ࣗݾ঺հ • id:masayoshi • ͸ͯͳˏژ౎ • WebΦϖϨʔγϣϯΤϯδχΞ • େֶ࣌୅͸SDNؔ࿈ͷݚڀ

  3. ࠓ೔࿩͢͜ͱ • ࣗ࡞ίϯςφͷϞνϕʔγϣϯ • chroot ✕ network namespace ✕ UTS

    namespace

  4. ࠓ೔࿩͢͜ͱ • TenForwardࢯͷৄࡉͳղઆͰجૅٕज़Λཧղ͠ɺ • ࢲͷࡶͳൃදͰίϯςφࣗ࡞ʹڵຯΛ࣋ͬͯ΋Β͍ɺ • udzuraࢯͷhaconiwaͰͥͻνϟϨϯδͯ͠ཉ͍͠

  5. ίϯςφࣗ࡞ͷϞνϕʔγϣϯ • Linuxίϯςφͷษڧ • جૅ෦෼ɺ࣮૷ʹΑΒͳ͍ڞ௨ٕज़ͷษڧ • طଘίϯςφٕज़ͷ࠶֬ೝ • ࡞ͬͯ࢖ͬͯΈΔͱҧ͍ͳͲ͕Α͘෼͔Δ •

    खݩͰͷωοτϫʔΫςετ؀ڥ • ࡉ͔͘มߋ͢ΔͷͰࣗ෼Ͱ৮Γ΍͍͢ํ͕ྑ͍

  6. chroot network namespace UTS namespace

  7. ͳΜͰ͜ͷ3ͭ? • ߹Θͤͯ࢖͏ͱγϯϓϧ͕ͩҙ֎ͱ͓΋͠Ζ͍෺͕ಈ͔ͤΔ • ֶੜͷͱ͖ݚڀͰnetwork nsΛΑ͘࢖͍ͬͯͨ • ωοτϫʔΫͰ༡Ϳͱ͖͸͜ͷߏ੒Λ࢖͍ͬͯΔ • chroot

    namespaceͷҰ෦ͷΈͷ૊Έ߹Θͤ͸ଟ͘ͳͦ͞͏ • 1ͭ1ͭ΍શͯΛ૊Έ߹Θ࣮ͤͨ૷ྫ͸৭ʑ͋Δ

  8. ͜ͷ3ͭͰ΋໘ന͍͜ͱ͕ग़དྷΔ • chroot • docker exportͳͲͷల։͞ΕͨΠϝʔδͷ࣮ߦ • network namespace •

    ಛఆͷIPΞυϨε + ϙʔτͰͷLISTEN • UTS namespace • ؅ཧ্ͷརศੑ

  9. ྫ͑͹ • apache + mackerel-agent + ssh ͳίϯςφ • Webαʔό

    • ؂ࢹ༻ΤʔδΣϯτͱssh͕ಈ࡞ • ΞϓϦέʔγϣϯ + ؂ࢹ + ؅ཧ • ಉҰͷ෺ཧαʔόͰ্هͷίϯςφΛෳ਺ىಈՄೳ • network͸Linux BridgeͰϒϦοδ઀ଓ

  10. #SJEHF ϗετ໊UFTU ϗετ໊UFTU FUI IUUQE    TTI 

    IUUQE  TTI   WBSDPOUBJOFSUFTU WBSDPOUBJOFSUFTU NBDLFSFMBHFOU NBDLFSFMBHFOU

  11. UPVDIWBSSVOVUTOTUFTU VOTIBSFVUTSVOVUTOTUFTUIPTUOBNFUFTU JQOFUOTBEEUFTU JQMJOLBEEOBNFUFTUCSUZQFWFUIQFFSOBNFUFTUDU CSDUMBEEJGCSUFTUCS JQMJOLTFUUFTUDUOFUOTUFTU JQOFUOTFYFDUFTUJQBEESBEEEFWUFTUDU JQOFUOTFYFDUFTUJQMJOLTFUMPVQ JQOFUOTFYFDUFTUJQMJOLTFUUFTUDUVQ JQMJOLTFUUFTUCSVQ

    JQOFUOTFYFDUFTUJQSPVUFBEEEFGBVMUWJB NPVOUUQSPDQSPDNOUUFTUQSPD NPVOUSCJOETZTNOUUFTUTZT NPVOUNBLFSTMBWFNOUUFTUTZT NPVOUSCJOEEFWNOUUFTUEFW NPVOUNBLFSTMBWFNOUUFTUEFW

  12. UPVDIWBSSVOVUTOTUFTU VOTIBSFVUTSVOVUTOTUFTUIPTUOBNFUFTU JQOFUOTBEEUFTU JQMJOLBEEOBNFUFTUCSUZQFWFUIQFFSOBNFUFTUDU CSDUMBEEJGCSUFTUCS JQMJOLTFUUFTUDUOFUOTUFTU JQOFUOTFYFDUFTUJQBEESBEEEFWUFTUDU JQOFUOTFYFDUFTUJQMJOLTFUMPVQ JQOFUOTFYFDUFTUJQMJOLTFUUFTUDUVQ JQMJOLTFUUFTUCSVQ

    JQOFUOTFYFDUFTUJQSPVUFBEEEFGBVMUWJB NPVOUUQSPDQSPDNOUUFTUQSPD NPVOUSCJOETZTNOUUFTUTZT NPVOUNBLFSTMBWFNOUUFTUTZT NPVOUSCJOEEFWNOUUFTUEFW NPVOUNBLFSTMBWFNOUUFTUEFW 654 OFUXPSL DISPPU

  13. UPVDIWBSSVOVUTOTUFTU VOTIBSFVUTSVOVUTOTUFTUIPTUOBNFUFTU JQOFUOTBEEUFTU JQMJOLBEEOBNFUFTUCSUZQFWFUIQFFSOBNFUFTUDU CSDUMBEEJGCSUFTUCS JQMJOLTFUUFTUDUOFUOTUFTU JQOFUOTFYFDUFTUJQBEESBEEEFWUFTUDU JQOFUOTFYFDUFTUJQMJOLTFUMPVQ JQOFUOTFYFDUFTUJQMJOLTFUUFTUDUVQ JQMJOLTFUUFTUCSVQ

    JQOFUOTFYFDUFTUJQSPVUFEEEFGBVMUWJB NPVOUUQSPDQSPDNOUUFTUQSPD NPVOUSCJOETZTNOUUFTUTZT NPVOUNBLFSTMBWFNOUUFTUTZT NPVOUSCJOEEFWNOUUFTUEFW NPVOUNBLFSTMBWFNOUUFTUEFW ίϯςφ࡞੒ʹίϚϯυ JNBHFͷ࡞੒͸আ͘

  14. σϞ͠ͳ͕Βݟ͍ͯ͘

  15. imageͷ࡞੒ • dockerͳΒdocker export Ͱ • build, ship͸dockerͰ΍Δͱָͦ͏ • ࠓճ͸run෦෼Ͱ༡Ϳ

    • dockerͳ͠ͳΒdebootstrapͳͲ • ࠓճ͸debootstrapͰ࡞੒ͨ͠΍ͭΛར༻

  16. namespaceͷӬଓԽ MSXYSXYSXYSPPUSPPU݄JQDJQD<> MSXYSXYSXYSPPUSPPU݄NOUNOU<> MSXYSXYSXYSPPUSPPU݄OFUOFU<> MSXYSXYSXYSPPUSPPU݄QJEQJE<> MSXYSXYSXYSPPUSPPU݄VUTVUT<> • /proc/[PID]/ns ഑Լʹ͋ΔಛघϑΝΠϧ QSPD<1*%>͸ϓϩηε͕ফ͑Δͱͳ͘ͳΔͷͰӬଓԽ͕ඞཁ

  17. namespaceͷӬଓԽ • bindϚ΢ϯτΛ͔ͭͬͯӬଓԽ͢Δ NPVOUCJOESVOVUTOTSVOVUTOT NPVOUNBLFTIBSFESVOVUTOT VOTIBSFVNPVOUCJOEQSPDTFMGOTVUTSVOVUTOT UFTU VOTIBSFVUTSVOVUTOTUFTU • ࠷ۙͷunshareίϚϯυ͸ӬଓԽָ͕

  18. UTS namespace • ओʹ؅ཧͷͨΊ • ίϯςφʹೖͬͨͱ͖ͱ͔ • γϯϓϧʹ࢖͑ΔͷͰ͓ؾܰ UPVDIWBSSVOVUTOTUFTU VOTIBSFVUTSVOVUTOTUFTUIPTUOBNFUFTU

  19. Networkͷ࡞੒ • veth࡞ͬͯbridgeʹ઀ଓ • TenForwardࢯʹΑΔσϞ͕͋Γͦ͏ͳͷͰলུ • (ࢲ͸)৭ʑมߋ͢Δ͜ͱ͕ଟ͍ • Linux BridgeΛOpen

    vSwitchʹͨ͠Γ • ࣗ࡞ͷιϑτ΢ΣΞϧʔλʹ઀ଓͨ͠Γ • KVMͷVMͱ઀ଓͨ͠Γ • ෳ਺NIC + mptcp؀ڥ

  20. Networkͷ࡞੒ • Network͸ϙʔλϏϦςΟʹӨڹ͕ग़΍͍͢ • Ұ࣌ظdocker͕ؤுͬͯͨ • VXLANʹΑΔoverlay NetworkͳͲ • վળ͢΂͖Օॴ͕ͨ͘͞Μ͋Δ໘ന͍෼໺

    • ΦϑϩʔσΟϯά, SR-IOVͳͲߴ଎Խ • VXLANͳͲͷϓϩτίϧٕज़

  21. chroot؀ڥͷ࡞੒ • proc, sys, devͳͲΛmount͢Δ NPVOUUQSPDQSPDNOUUFTUQSPD NPVOUSCJOETZTNOUUFTUTZT NPVOUNBLFSTMBWFNOUUFTUTZT NPVOUSCJOEEFWNOUUFTUEFW NPVOUNBLFSTMBWFNOUUFTUEFW

    TZTUFNE؀ڥͰ͸CJOEϚ΢ϯτ͕4)"3&%ʹͳͬͨͷͰ STMBWF͓͔ͯ͠ͳ͍ͱVNPVOU3ͨ࣌͠ʹ͓͔͘͠ͳΔ

  22. ίϯςφ಺Ͱͷϓϩηεͷ࣮ߦ OTFOUFSOFUSVOOFUOTUFTUa VUTSVOVUTOTUFTUa DISPPUNOUUFTUa FUDJOJUEOHJOYTUBSU • nsenterΛ͔ͭͬͯnamespaceΛattach • ͦͷ্Ͱchroot͢Δ ಉ༷ʹTTIͳͲ΋ىಈ͢Δ

  23. ίϯςφ಺Ͱͷϓϩηεͷ࣮ߦ • chroot഑ԼͰ͸systemd͸ಈ࡞͠ͳ͍ͷͰ஫ҙ͕ඞཁ • chrootͷ୅ΘΓʹsystemd-nspawnΛ࢖ͬͯಈ͔͢ํ ๏΋͋Δ • ͦͷ৔߹ޙड़ͷPID namespaceΛ࢖͏͜ͱʹͳΔ

  24. PID namespace • PID෼཭͢Δͱੜ੒͞Εͨࢠϓϩηε͸ͦͷۭؒͰ͸init(PID=1) ͱͳΔ • init͕ࢮ͵ͱ൵͍͜͠ͱʹͳΔͷͰҡ࣋͢Δඞཁ͕͋Δ • ΑΓྑ͍initΛٻΊΔཱྀ͕࢝·Δ •

    docker 1.13Ͱ runʹ initΦϓγϣϯ͕෇͍ͯͦ͏ • ·ͨ/sbin/init Λ࣮ߦ͢Δɺ͠ͳ͍ͱ͍ͬͨબ୒ࢶ΋૿͑Δ • ࠓճͷ༻్Ͱ͸͍Βͳ͍ͷͰল͍ͨ • ࣮ࡍʹ͸ඞཁͱͳΔ͜ͱ͕ଟ͍ • ্هཧ༝Ͱؾܰʹ΍ΔͳΒল͘ͱָ

  25. PID namespaceΛར༻͠ͳ͍ͱ… • ps ݁Ռ͕෼཭͞Εͳ͍ • ίϯςφ಺ɺίϯςφ֎͔Βݟ์୊ • initʹͿΒԼ͕Δdaemon •

    UST, networkͷnamespace͸෼཭͞Ε͍ͯΔ • ϓϩηεੜ੒࣌ʹ෼཭͠ͳ͚Ε͹ܧঝ͞ΕΔ • ϓϩηεͷऴྃΛͲ͏͢Δ͔ • ss -N test01 -tlpͳͲͰLISTENΛ֬ೝ͢Δͱ෼཭͞Ε͍ͯ Δ͜ͱ͕Θ͔Δ

  26. ps ݁Ռ SPPUOHJOYNBTUFSQSPDFTTVTSTCJOOHJOY IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT SPPUOHJOYNBTUFSQSPDFTTVTSTCJOOHJOY IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT

    IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT

  27. ss݁Ռ TVEPTT/UFTUMUQ 4UBUF3FDW24FOE2ɹ-PDBM"EESFTT1PSUɹ1FFS"EESFTT1PSU -*45&/ɹ IUUQɹ  ɹVTFST OHJOY QJE GE

     -*45&/ɹIUUQɹ ɹVTFST OHJOY QJE GE  TVEPTT/UFTUMUQ 4UBUF3FDW24FOE2ɹ-PDBM"EESFTT1PSUɹ1FFS"EESFTT1PSU -*45&/ɹ IUUQɹ  ɹVTFST OHJOY QJE GE  -*45&/ɹIUUQɹ ɹVTFST OHJOY QJE GE

  28. curl DVSM UFTUDPOUBJOFSOHJOY DVSM UFTUDPOUBJOFSOHJOY

  29. SSH TTI DBUFUDEFCJBO@WFSTJPO  TTI DBUFUDEFCJBO@WFSTJPO TUSFUDITJE

  30. ·ͱΊΔͱ… • image಺ͷϥΠϒϥϦόʔδϣϯͰಈ࡞ • ίϯςφ಺Ͱෳ਺ͷΞϓϦέʔγϣϯΛىಈ • ҟͳΔIPΞυϨεͰ௨৴ • ؆୯ͳΞϓϦέʔγϣϯΛ࣮ߦ͢Δ͙Β͍͸Ͱ͖ͦ͏ •

    ൺֱతރΕ͍ͯΔ΋ͷ͔͠࢖͍ͬͯͳ͍ + γϯϓϧͳ ͷͰ҆ఆ͸͍ͯͦ͠͏

  31. ͍͚ͯͳ͍Օॴ • ͍͚ͯͳ͍Օॴͷطଘίϯςφٕज़Ͱͷղܾ๏ͱ
 ࣗ෼Ͱ࣮૷͢ΔࡍͷղܾํΛൺֱ͢Δͱָ͍͠ • image؅ཧ • Netoworkߏ੒ • PIDͷ؅ཧ,

    ϓϩηεͷॲཧํ๏ • Ϧιʔε੍ݶ • ηΩϡϦςΟ

  32. • imageͷ؅ཧػೳ • snapshot΍ɺόʔδϣχϯά͸? • imageͷҠಈ͸Ͳ͏͢Δ? • Networkߏ੒ • αϒωοτ΋ݻఆͰIP΋खಈͳͷͰҠಈ͸Ͳ͏͢Δʁɹ

    • ҟͳΔαϒωοτͱͷ௨৴͸? • PID෼཭ɺϓϩηεॲཧ • PID͸෼཭͢Δ or ͠ͳ͍? • ίϯςφ಺ͷinitͷॲཧ • γεςϜίϯςφ? ΞϓϦέʔγϣϯίϯςφ?

  33. ·ͱΊ • ίϯςφࣗ࡞͸ؾܰʹͰ͖Δ • Կ͕ίϯςφ͔ͱ͍͏࿩͸͋Δ͕ namespace͸ؾܰʹ࢖͑Δ • طଘίϯςφٕज़΁ͷཧղ͕ਂ·Δ • ͨΓͳ͍ͱ͜Ζ΋ݟ͑ͯ͘Δ

    • Ұճ͸৮͓ͬͯ͘ͱྑͦ͞͏