Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
chroot-network-uts-container
Search
masayoshi
June 17, 2017
Technology
890
6
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
chroot-network-uts-container
chroot ✕ netowork namespace ✕UTS namespace
masayoshi
June 17, 2017
More Decks by masayoshi
See All by masayoshi
Perlアプリケーションで トレースを実装するまでの 工夫と苦労話
masayoshi
1
800
これからSREになる人と、これからもSREをやっていく人へ
masayoshi
6
6.1k
メトリクス、ログ、トレースをうまく使い分けて可観測性を高めよう!
masayoshi
8
12k
Developers Summit 2021 summer
masayoshi
15
32k
2021-06-cloud-native-reg-event
masayoshi
8
2.6k
SRE_Culture_Organization
masayoshi
16
11k
cloudnative-kansai-2019
masayoshi
1
790
ミドルウェア実行環境の多様化を考慮したインフラアーキテクチャの一検討/study on web system architecture #2
masayoshi
0
4k
Webサービスにおけるインフラアーキテクチャの体系化と選択自動化の研究/study on web system architecture #1
masayoshi
0
3.1k
Other Decks in Technology
See All in Technology
4人目のSREはAgent
tanimuyk
0
320
Zenoh on Zephyr on LiteX
takasehideki
2
150
MySQL & MySQL HeatWave Report - June 2026
freshdaz
0
240
Agentic AI 時代のテスト手法: Kiro とはじめるプロパティベーステスト (AWS Summit Japan 2026 | DEV212)
ymhiroki
0
130
プライバシー保護の理論と実践
lycorptech_jp
PRO
1
170
そこにあるから地図ができる~位置を示す"モノ"を愉しむ~ - Interface 2026年6月号GPS特集オフ会 / interface_202606_GPS_offline
sakaik
1
150
感情と身体を置き去りにしない、エンジニアの生きのこり方 ──いまから、ここから「自分の状態」を扱うという選択
saorimurooka
0
430
Kotlin 開発のツラミを爆破した話! / Explode the difficulty of Kotlin dev!
eller86
0
120
テスト設計の本質を改めて考えてみる~生成AIを活用する時代だからこそ、作ったテストの説明性を高めよう~
yamasaki696
1
230
フルAIで個人開発して学んだあれこれ / yuruai vol.1
isaoshimizu
0
160
AIで政治は変わるのか? — 中高生と考えたAI時代の民主主義(東海高校サタデープログラム)
eitarosuda
0
270
toB プロダクトから見たWAF
tokai235
0
260
Featured
See All Featured
How to Think Like a Performance Engineer
csswizardry
28
2.7k
The World Runs on Bad Software
bkeepers
PRO
72
12k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
49
3.5k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
27k
BBQ
matthewcrist
89
10k
Reality Check: Gamification 10 Years Later
codingconduct
0
2.2k
A Tale of Four Properties
chriscoyier
163
24k
The Limits of Empathy - UXLibs8
cassininazir
1
370
How To Speak Unicorn (iThemes Webinar)
marktimemedia
1
490
First, design no harm
axbom
PRO
2
1.2k
WENDY [Excerpt]
tessaabrams
11
38k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
333
23k
Transcript
chrootͱnetwork namespace Ͱͭ͘Δ؆қίϯςφ ୈճίϯςφܕԾԽͷใަձˏେࡕ
ࣗݾհ • id:masayoshi • ͯͳˏژ • WebΦϖϨʔγϣϯΤϯδχΞ • େֶ࣌SDNؔ࿈ͷݚڀ
ࠓ͢͜ͱ • ࣗ࡞ίϯςφͷϞνϕʔγϣϯ • chroot ✕ network namespace ✕ UTS
namespace
ࠓ͢͜ͱ • TenForwardࢯͷৄࡉͳղઆͰجૅٕज़Λཧղ͠ɺ • ࢲͷࡶͳൃදͰίϯςφࣗ࡞ʹڵຯΛ࣋ͬͯΒ͍ɺ • udzuraࢯͷhaconiwaͰͥͻνϟϨϯδͯ͠ཉ͍͠
ίϯςφࣗ࡞ͷϞνϕʔγϣϯ • Linuxίϯςφͷษڧ • جૅ෦ɺ࣮ʹΑΒͳ͍ڞ௨ٕज़ͷษڧ • طଘίϯςφٕज़ͷ࠶֬ೝ • ࡞ͬͯͬͯΈΔͱҧ͍ͳͲ͕Α͔͘Δ •
खݩͰͷωοτϫʔΫςετڥ • ࡉ͔͘มߋ͢ΔͷͰࣗͰ৮Γ͍͢ํ͕ྑ͍
chroot network namespace UTS namespace
ͳΜͰ͜ͷ3ͭ? • ߹Θͤͯ͏ͱγϯϓϧ͕ͩҙ֎ͱ͓͠Ζ͍͕ಈ͔ͤΔ • ֶੜͷͱ͖ݚڀͰnetwork nsΛΑ͍ͬͯͨ͘ • ωοτϫʔΫͰ༡Ϳͱ͖͜ͷߏΛ͍ͬͯΔ • chroot
namespaceͷҰ෦ͷΈͷΈ߹Θͤଟ͘ͳͦ͞͏ • 1ͭ1ͭશͯΛΈ߹Θ࣮ͤͨྫ৭ʑ͋Δ
͜ͷ3ͭͰ໘ന͍͜ͱ͕ग़དྷΔ • chroot • docker exportͳͲͷల։͞ΕͨΠϝʔδͷ࣮ߦ • network namespace •
ಛఆͷIPΞυϨε + ϙʔτͰͷLISTEN • UTS namespace • ཧ্ͷརศੑ
ྫ͑ • apache + mackerel-agent + ssh ͳίϯςφ • Webαʔό
• ࢹ༻ΤʔδΣϯτͱssh͕ಈ࡞ • ΞϓϦέʔγϣϯ + ࢹ + ཧ • ಉҰͷཧαʔόͰ্هͷίϯςφΛෳىಈՄೳ • networkLinux BridgeͰϒϦοδଓ
#SJEHF ϗετ໊UFTU ϗετ໊UFTU FUI IUUQE TTI
IUUQE TTI WBSDPOUBJOFSUFTU WBSDPOUBJOFSUFTU NBDLFSFMBHFOU NBDLFSFMBHFOU
UPVDIWBSSVOVUTOTUFTU VOTIBSFVUTSVOVUTOTUFTUIPTUOBNFUFTU JQOFUOTBEEUFTU JQMJOLBEEOBNFUFTUCSUZQFWFUIQFFSOBNFUFTUDU CSDUMBEEJGCSUFTUCS JQMJOLTFUUFTUDUOFUOTUFTU JQOFUOTFYFDUFTUJQBEESBEEEFWUFTUDU JQOFUOTFYFDUFTUJQMJOLTFUMPVQ JQOFUOTFYFDUFTUJQMJOLTFUUFTUDUVQ JQMJOLTFUUFTUCSVQ
JQOFUOTFYFDUFTUJQSPVUFBEEEFGBVMUWJB NPVOUUQSPDQSPDNOUUFTUQSPD NPVOUSCJOETZTNOUUFTUTZT NPVOUNBLFSTMBWFNOUUFTUTZT NPVOUSCJOEEFWNOUUFTUEFW NPVOUNBLFSTMBWFNOUUFTUEFW
UPVDIWBSSVOVUTOTUFTU VOTIBSFVUTSVOVUTOTUFTUIPTUOBNFUFTU JQOFUOTBEEUFTU JQMJOLBEEOBNFUFTUCSUZQFWFUIQFFSOBNFUFTUDU CSDUMBEEJGCSUFTUCS JQMJOLTFUUFTUDUOFUOTUFTU JQOFUOTFYFDUFTUJQBEESBEEEFWUFTUDU JQOFUOTFYFDUFTUJQMJOLTFUMPVQ JQOFUOTFYFDUFTUJQMJOLTFUUFTUDUVQ JQMJOLTFUUFTUCSVQ
JQOFUOTFYFDUFTUJQSPVUFBEEEFGBVMUWJB NPVOUUQSPDQSPDNOUUFTUQSPD NPVOUSCJOETZTNOUUFTUTZT NPVOUNBLFSTMBWFNOUUFTUTZT NPVOUSCJOEEFWNOUUFTUEFW NPVOUNBLFSTMBWFNOUUFTUEFW 654 OFUXPSL DISPPU
UPVDIWBSSVOVUTOTUFTU VOTIBSFVUTSVOVUTOTUFTUIPTUOBNFUFTU JQOFUOTBEEUFTU JQMJOLBEEOBNFUFTUCSUZQFWFUIQFFSOBNFUFTUDU CSDUMBEEJGCSUFTUCS JQMJOLTFUUFTUDUOFUOTUFTU JQOFUOTFYFDUFTUJQBEESBEEEFWUFTUDU JQOFUOTFYFDUFTUJQMJOLTFUMPVQ JQOFUOTFYFDUFTUJQMJOLTFUUFTUDUVQ JQMJOLTFUUFTUCSVQ
JQOFUOTFYFDUFTUJQSPVUFEEEFGBVMUWJB NPVOUUQSPDQSPDNOUUFTUQSPD NPVOUSCJOETZTNOUUFTUTZT NPVOUNBLFSTMBWFNOUUFTUTZT NPVOUSCJOEEFWNOUUFTUEFW NPVOUNBLFSTMBWFNOUUFTUEFW ίϯςφ࡞ʹίϚϯυ JNBHFͷ࡞আ͘
σϞ͠ͳ͕Βݟ͍ͯ͘
imageͷ࡞ • dockerͳΒdocker export Ͱ • build, shipdockerͰΔͱָͦ͏ • ࠓճrun෦Ͱ༡Ϳ
• dockerͳ͠ͳΒdebootstrapͳͲ • ࠓճdebootstrapͰ࡞ͨͭ͠Λར༻
namespaceͷӬଓԽ MSXYSXYSXYSPPUSPPU݄JQDJQD<> MSXYSXYSXYSPPUSPPU݄NOUNOU<> MSXYSXYSXYSPPUSPPU݄OFUOFU<> MSXYSXYSXYSPPUSPPU݄QJEQJE<> MSXYSXYSXYSPPUSPPU݄VUTVUT<> • /proc/[PID]/ns Լʹ͋ΔಛघϑΝΠϧ QSPD<1*%>ϓϩηε͕ফ͑Δͱͳ͘ͳΔͷͰӬଓԽ͕ඞཁ
namespaceͷӬଓԽ • bindϚϯτΛ͔ͭͬͯӬଓԽ͢Δ NPVOUCJOESVOVUTOTSVOVUTOT NPVOUNBLFTIBSFESVOVUTOT VOTIBSFVNPVOUCJOEQSPDTFMGOTVUTSVOVUTOT UFTU VOTIBSFVUTSVOVUTOTUFTU • ࠷ۙͷunshareίϚϯυӬଓԽָ͕
UTS namespace • ओʹཧͷͨΊ • ίϯςφʹೖͬͨͱ͖ͱ͔ • γϯϓϧʹ͑ΔͷͰ͓ؾܰ UPVDIWBSSVOVUTOTUFTU VOTIBSFVUTSVOVUTOTUFTUIPTUOBNFUFTU
Networkͷ࡞ • veth࡞ͬͯbridgeʹଓ • TenForwardࢯʹΑΔσϞ͕͋Γͦ͏ͳͷͰলུ • (ࢲ)৭ʑมߋ͢Δ͜ͱ͕ଟ͍ • Linux BridgeΛOpen
vSwitchʹͨ͠Γ • ࣗ࡞ͷιϑτΣΞϧʔλʹଓͨ͠Γ • KVMͷVMͱଓͨ͠Γ • ෳNIC + mptcpڥ
Networkͷ࡞ • NetworkϙʔλϏϦςΟʹӨڹ͕ग़͍͢ • Ұ࣌ظdocker͕ؤுͬͯͨ • VXLANʹΑΔoverlay NetworkͳͲ • վળ͖͢Օॴ͕ͨ͘͞Μ͋Δ໘ന͍
• ΦϑϩʔσΟϯά, SR-IOVͳͲߴԽ • VXLANͳͲͷϓϩτίϧٕज़
chrootڥͷ࡞ • proc, sys, devͳͲΛmount͢Δ NPVOUUQSPDQSPDNOUUFTUQSPD NPVOUSCJOETZTNOUUFTUTZT NPVOUNBLFSTMBWFNOUUFTUTZT NPVOUSCJOEEFWNOUUFTUEFW NPVOUNBLFSTMBWFNOUUFTUEFW
TZTUFNEڥͰCJOEϚϯτ͕4)"3&%ʹͳͬͨͷͰ STMBWF͓͔ͯ͠ͳ͍ͱVNPVOU3ͨ࣌͠ʹ͓͔͘͠ͳΔ
ίϯςφͰͷϓϩηεͷ࣮ߦ OTFOUFSOFUSVOOFUOTUFTUa VUTSVOVUTOTUFTUa DISPPUNOUUFTUa FUDJOJUEOHJOYTUBSU • nsenterΛ͔ͭͬͯnamespaceΛattach • ͦͷ্Ͱchroot͢Δ ಉ༷ʹTTIͳͲىಈ͢Δ
ίϯςφͰͷϓϩηεͷ࣮ߦ • chrootԼͰsystemdಈ࡞͠ͳ͍ͷͰҙ͕ඞཁ • chrootͷΘΓʹsystemd-nspawnΛͬͯಈ͔͢ํ ๏͋Δ • ͦͷ߹ޙड़ͷPID namespaceΛ͏͜ͱʹͳΔ
PID namespace • PID͢Δͱੜ͞ΕͨࢠϓϩηεͦͷۭؒͰinit(PID=1) ͱͳΔ • init͕ࢮ͵ͱ൵͍͜͠ͱʹͳΔͷͰҡ࣋͢Δඞཁ͕͋Δ • ΑΓྑ͍initΛٻΊΔཱྀ͕࢝·Δ •
docker 1.13Ͱ runʹ initΦϓγϣϯ͕͍ͯͦ͏ • ·ͨ/sbin/init Λ࣮ߦ͢Δɺ͠ͳ͍ͱ͍ͬͨબࢶ૿͑Δ • ࠓճͷ༻్Ͱ͍Βͳ͍ͷͰল͍ͨ • ࣮ࡍʹඞཁͱͳΔ͜ͱ͕ଟ͍ • ্هཧ༝ͰؾܰʹΔͳΒল͘ͱָ
PID namespaceΛར༻͠ͳ͍ͱ… • ps ݁Ռ͕͞Εͳ͍ • ίϯςφɺίϯςφ֎͔Βݟ์ • initʹͿΒԼ͕Δdaemon •
UST, networkͷnamespace͞Ε͍ͯΔ • ϓϩηεੜ࣌ʹ͠ͳ͚Εܧঝ͞ΕΔ • ϓϩηεͷऴྃΛͲ͏͢Δ͔ • ss -N test01 -tlpͳͲͰLISTENΛ֬ೝ͢Δͱ͞Ε͍ͯ Δ͜ͱ͕Θ͔Δ
ps ݁Ռ SPPUOHJOYNBTUFSQSPDFTTVTSTCJOOHJOY IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT SPPUOHJOYNBTUFSQSPDFTTVTSTCJOOHJOY IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT
IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT
ss݁Ռ TVEPTT/UFTUMUQ 4UBUF3FDW24FOE2ɹ-PDBM"EESFTT1PSUɹ1FFS"EESFTT1PSU -*45&/ɹ IUUQɹ ɹVTFST OHJOY QJE GE
-*45&/ɹIUUQɹ ɹVTFST OHJOY QJE GE TVEPTT/UFTUMUQ 4UBUF3FDW24FOE2ɹ-PDBM"EESFTT1PSUɹ1FFS"EESFTT1PSU -*45&/ɹ IUUQɹ ɹVTFST OHJOY QJE GE -*45&/ɹIUUQɹ ɹVTFST OHJOY QJE GE
curl DVSM UFTUDPOUBJOFSOHJOY DVSM UFTUDPOUBJOFSOHJOY
SSH TTI DBUFUDEFCJBO@WFSTJPO TTI DBUFUDEFCJBO@WFSTJPO TUSFUDITJE
·ͱΊΔͱ… • imageͷϥΠϒϥϦόʔδϣϯͰಈ࡞ • ίϯςφͰෳͷΞϓϦέʔγϣϯΛىಈ • ҟͳΔIPΞυϨεͰ௨৴ • ؆୯ͳΞϓϦέʔγϣϯΛ࣮ߦ͢Δ͙Β͍Ͱ͖ͦ͏ •
ൺֱతރΕ͍ͯΔͷ͔͍ͬͯ͠ͳ͍ + γϯϓϧͳ ͷͰ҆ఆ͍ͯͦ͠͏
͍͚ͯͳ͍Օॴ • ͍͚ͯͳ͍Օॴͷطଘίϯςφٕज़Ͱͷղܾ๏ͱ ࣗͰ࣮͢ΔࡍͷղܾํΛൺֱ͢Δͱָ͍͠ • imageཧ • Netoworkߏ • PIDͷཧ,
ϓϩηεͷॲཧํ๏ • Ϧιʔε੍ݶ • ηΩϡϦςΟ
• imageͷཧػೳ • snapshotɺόʔδϣχϯά? • imageͷҠಈͲ͏͢Δ? • Networkߏ • αϒωοτݻఆͰIPखಈͳͷͰҠಈͲ͏͢Δʁɹ
• ҟͳΔαϒωοτͱͷ௨৴? • PIDɺϓϩηεॲཧ • PID͢Δ or ͠ͳ͍? • ίϯςφͷinitͷॲཧ • γεςϜίϯςφ? ΞϓϦέʔγϣϯίϯςφ?
·ͱΊ • ίϯςφࣗ࡞ؾܰʹͰ͖Δ • Կ͕ίϯςφ͔ͱ͍͏͋Δ͕ namespaceؾܰʹ͑Δ • طଘίϯςφٕज़ͷཧղ͕ਂ·Δ • ͨΓͳ͍ͱ͜Ζݟ͑ͯ͘Δ
• Ұճ৮͓ͬͯ͘ͱྑͦ͞͏