cgroupとLinux Capabilityの活用 / rcon and capcon internals #lxcjp

1.

DHSPVQͱ-JOVY$BQBCJMJUZͷ׆༻ GMOϖύϘגࣜձࣾ γχΞɾϓϦϯγύϧΤϯδχΞ MATSUMOTO, Ryosuke @matsumotory 2016/04/23 ୈ9ճ ίϯςφܕԾ૝Խͷ৘ใަ׵ձˏ෱Ԭ SDPOBOEDBQDPO
JOUFSOBMT

2.

໨࣍ ίϯςφཁૉٕज़ SDPOJOUFSOBMT DBQDPOJOUFSOBMT ·ͱΊ

3.

ίϯςφཁૉٕज़

4.

ϓϩηε੍ޚٕज़ DHSPVQ ϓϩηεάϧʔϓͷϦιʔε੍ݶɾִ཭ SDPOΛ։ൃ -JOVYDBQBCJMJUZ
εϨου୯Ґʹ੍ޚՄೳͳಛݖάϧʔϓ܈ DBQDPOΛ։ൃ

5.

DHSPVQ

6.

DHSPVQ ϓϩηεάϧʔϓͷϦιʔε੍ޚ $16ɺ*0ɺϝϞϦ౳ DHSPVQGTʹΑΔ*' ϑΝΠϧϕʔεͷૢ࡞
ୈճɹ-JOVYΧʔωϧͷίϯςφػೳʦʧᴷDHSPVQͱ͸ʁʢͦͷʣ SFGIUUQHJIZPKQBENJOTFSJBMMJOVY@DPOUBJOFST

7.

DHSPVQͷ׆༻ྫ NPE@NSVCZʹΑΔ"QBDIFͷϦιʔε੍ޚ 8FCαʔό΁ͷϦΫΤετ୯Ґ ͜ͷυϝΠϯ܈͸$16Ҏ಺ ͜ͷಈతίϯςϯπ͸$16
͜ͷಈతίϯςϯπ͸*0Λ.CQT ͜ͷಈతίϯςϯπ͸ಛఆͷ$16ͷίΞ SFGIUUQCMPHNBUTVNPUPSKQ Q

8.

-JOVY$BQBCJMJUZ

9.

ΞΫηε੍ޚϞσϧͷ෮श ೚ҙΞΫηε੍ޚʢ%"$ʣ ࣗ਎͕࡞ͬͨϦιʔε΁ͷΞΫηε͸ࣗ਎͕ܾఆ 6/*9ͷඪ४తͳϞσϧ ڧ੍ΞΫηε੍ޚʢ."$
ࣗ਎͕࡞ͬͨϦιʔεʹ׬શʹΞΫηεͰ͖ΔΘ ͚Ͱ͸ͳ͍ɻ؅ཧऀ͕ܾఆ 4&-JOVYɺ50.0:0-JOVY

10.

-JOVYDBQBCJMJUZ ैདྷͷ֊૚ͷ%"$ݖݶϞσϧͷ֦ு εϨου୯Ґʹ੍ޚՄೳͳಛݖάϧʔϓ εϨου͸छྨͷDBQBCJMJUZTFUΛ࣋ͭ 1FSNJUUFEɾ&⒎FDUJWFɾ*OIFSJUBCMF
ͦΕΒͷ૊Έ߹ΘͤͰDBQCJMJUZͷݖݶΛ੍ޚ

11.

1FSNJUUFEͱ&GGFDUJWF 1FSNJUUFE͸ڐՄ &⒎FDUJWFͷηοτɾΞϯηοτ͕Մೳ 1FSNJUUFEΛΞϯηοτ͢Δͱ໭Εͳ͍ &⒎FDUJWF͸࣮ޮ
࣮ࡍͷݖݶՄ൱νΣοΫ͸&⒎FDUJWFΛݟΔ 1FSNJUUFE͕͋Ε͹Ξϯηοτޙͷ࠶ηοτ͕Մೳ

12.

-JOVYDBQBCJMJUZ ໿άϧʔϓʹ෼ׂ͞Ε͍ͯΔ VJEɾHJEมߋͷಛݖ ಛݖϙʔτʢҎԼʣͷόΠϯυಛݖ DISPPUͷಛݖ
SFCPPUͷಛݖͳͲͳͲ SFGIUUQTMJOVYKNPTEOKQIUNM-%1@NBOQBHFTNBODBQBCJMJUJFT IUNM

13.

$BQBCJMJUZͷ׆༻ྫ NPE@QSPDFTT@TFDVSJUZ "QBDIFIUUQEͷTV&9&$ͷεϨου൛ ϓϩηε୯Ґͷݖݶ෼཭͔ΒεϨου୯Ґ΁ ݖݶ෼཭ͷίετΛεϨουͷੜ੒ɾഁغʹ௿ݮ

14.

None

15.

None

16.

ΞΫηε੍ޚϞσϧͷࠓޙ ࠓ΋ͳ͓ೋ֊૚ͷݹయతͳݖݶϞσϧ ࢖͍΍͍͕ͦ͢ΕͰྑ͍ͷ͔ʁ ྫ͑͹ҰൠϢʔβ੍͕ޚͰ͖ͯɺࢠϓϩηεʹ౉࣌͢ʹ ੍ݶͯ͠౉͢ͱ͔΍Γ͍ͨʜ͋ΕͬͰ͖Δʁ աڈͷݚڀͰ͸΋ͬͱෳࡶͳݖݶϞσϧ͕͋ͬͨ
04Ͱ΍ΕΔ͜ͱ͸ͲΜͲΜෳࡶʹͳ͍ͬͯΔ ৽ͨͳೋ֊૚Ҏ্ͷݖݶϞσϧΛݕ౼ͯ͠ΈΔ

17.

SDPO

18.

UIBOLTUP!SSSFFFZZZ

19.

ίϚϯυͷϦιʔε੍ޚ IUUQTHJUIVCDPNNBUTVNPUPSSDPO ࣮ߦ͍ͨ͠ίϚϯυͷϦιʔε੍ޚ ࣮ߦதͷϓϩηεͷϦιʔε੍ޚ $16ɺϝϞϦɺ*0ɺάϧʔϓԽ
ϦιʔεมԽ͔ΒॲཧΛίʔϧόοΫՄೳ

20.

SDPOͷྑ͍ॴ ࣮ߦޙ΍ఀࢭޙʹDHSPVQͷΰϛ૟আ ࣮ߦ࣌ͷίϚϯυΛϫϯϥΠϯͰ੍ޚ DHSPVQ͕͋Ε͹࢖͑Δ MJCDHSPVQΛTUBUJDMJOL
NSVCZͰϫϯόΠφϦʢHMJCDґଘʣ %PDLFS࢖֤ͬͯछHMJCDͷόΠφϦΛެ։

21.

࢖͍Ͳ͜Ζͷྫ ΫϥΠΞϯτͰ-JOVY࢖ͬͯΔਓ ϒϥ΢β͸$16·Ͱ ϝʔϥʔॏ͍͔Β੍ݶͯ͠΍Ζ͏ αʔόͰ-JOVY࢖͍ͬͯΔਓ
͜ͷϓϩάϥϜ͸*0੍ޚͭͭ҆͠શʹ ͔͔࣌ؒͬͯ΋ྑ͍ͷͰ$16཈͑ؾຯͰ

22.

DHSPVQT ,FSOFM MJCDHSPVQ DHSPVQGT NSVCZDHSPVQ NSVCZFWFOUGE SDPO NSVCZSDPO ϝϞϦίʔϧόοΫ ͷΈϑΝΠϧ*0Λར༻

23.

ϝϞϦίʔϧόοΫ DHSPVQͷϝϞϦΠϕϯτΛݕ஌ ϝϞϦ੍ݶ஋΁ͷ౸ୡ΍0VUPG.FNPSZ FWFOUGEΛNSVCZFWFOUGEͱ࣮ͯ͠૷ IUUQTHJUIVCDPNNBUTVNPUPSNSVCZFWFOUGE
NSVCZSDPO 3VCZϒϩοΫΛίʔϧόοΫՄೳ ϝϞϦ੍ݶ஋ͷ֦ு NSVCZFWFOUGEʹΑΔݕ஌ͱ௨஌ IUUQTHJUIVCDPNNBUTVNPUPSNSVCZSDPO

24.

None

25.

None

26.

DBQDPO

27.

೚ҙͷίϚϯυͷಛݖΛݶఆ ೚ҙͷίϚϯυΛ೚ҙͷϢʔβͰ DBQBCJMJUZΛ੍ޚ࣮ͭͭ͠ߦ͔ͨͬͨ͠ ͕ɺͰ͖ͳ͔ͬͨʂ

28.

Ͱ͖ͳ͔ͬͨཧ༝ FYFDWF࣌ʹDBQ͕શͯམͪΔ XSBQQFSπʔϧͳͷͰGPSL FYFDWF͸ඞਢ SPPUݖݶͩͱFWFDWFޙ΋Ҿ͖ܧ͙͕ Ͱ΋ࠓճ͸೚ҙͷϢʔβͰ࣮ߦ͍ͨ͠
ϑΝΠϧDBQΛઃఆ͢ΔͱҾ͖ܧ͙͕ ೚ҙͷίϚϯυ͕ର৅ͳͷͰϑΝΠϧDBQ͸࿔Εͳ͍

29.

ิ଍ɿDBQͷҾ͖ܧ͗ϧʔϧ 1 QFSNJUUFE 1 JOIFSJUBCMF ' JOIFSJUBCMF c
' QFSNJUUFE DBQ@CTFU 1 F⒎FDUJWF ' F⒎FDUJWF 1 QFSNJUUFE 1 JOIFSJUBCMF 1 JOIFSJUBCMF 1FYFDWF લͷεϨουͷέʔύϏϦςΟηοτͷ஋ 1`FYFDWF ޙͷεϨουͷέʔύϏϦςΟηοτͷ஋ 'ϑΝΠϧέʔύϏϦςΟηοτͷ஋ DBQ@CTFUέʔύϏϦςΟό΢ϯσΟϯάηοτͷ஋

30.

·ͱΊ

31.

SDPOBOEDBQDPOJOUFSOBMT DHSPVQTͱ-JOVYDBQBCJMJUZͷ׆༻ ίϚϯυϥΠϯ͔Β׆༻͍ͨ͠ SDPO͸Ͱ͖͚ͨͲDBQDPO͸ະ׬੒ DHSPVQTͱDBQBCJMJUZͰϓϩηεΛ ߴ౓ʹ੍ޚͰ͖Δ

32.

ࠓޙ΍Γ͍ͨ͜ͱ 7.ΛϓϩηεɺίϯςφΛεϨουͱݟཱͯΔ LFSOFM͕͋Δछͷڞ༗ϝϞϦͷΑ͏ͳ΋ͷ ͍͔ʹϓϩηεΛ଎͘ɾޮ཰ྑ͘GPSL ͢Δ͔ ͍͔ʹεϨουΛ଎͘ɾ҆શʹ࡞Δ͔
͍͔ʹϓϩηεؒͷεέδϡʔϧ΍Ϧιʔε؅ཧΛ͢Δ͔ ࠓޙ͸7.΍ίϯςφͷ࿈ܞ͕ࠓͰ͍͏04ͱͳΔੈք͕དྷΔ ͱࢥ͍ͬͯΔͷͰɺݹయతͳ04ͷػೳΛ͍͔ʹωοτϫʔΫ Λ௨ͨͦ͡Εʹஔ͖׵͍͔͑ͯ͘ʹ௅ઓ

cgroupとLinux Capabilityの活用 / rcon and capcon internals #lxcjp

cgroupとLinux Capabilityの活用 / rcon and capcon internals #lxcjp

MATSUMOTO Ryosuke

Want more?

Transcript

DHSPVQͱ-JOVY$BQBCJMJUZͷ׆༻ GMOϖύϘגࣜձࣾ γχΞɾϓϦϯγύϧΤϯδχΞ MATSUMOTO, Ryosuke @matsumotory 2016/04/23 ୈ9ճ ίϯςφܕԾ૝Խͷ৘ใަ׵ձˏ෱Ԭ SDPOBOEDBQDPO

໨࣍ ίϯςφཁૉٕज़ SDPOJOUFSOBMT DBQDPOJOUFSOBMT ·ͱΊ

ίϯςφཁૉٕज़

ϓϩηε੍ޚٕज़ DHSPVQ ϓϩηεάϧʔϓͷϦιʔε੍ݶɾִ཭ SDPOΛ։ൃ -JOVYDBQBCJMJUZ

DHSPVQ

DHSPVQ ϓϩηεάϧʔϓͷϦιʔε੍ޚ $16ɺ0ɺϝϞϦ౳ DHSPVQGTʹΑΔ' ϑΝΠϧϕʔεͷૢ࡞

DHSPVQͷ׆༻ྫ NPE@NSVCZʹΑΔ"QBDIFͷϦιʔε੍ޚ 8FCαʔό΁ͷϦΫΤετ୯Ґ ͜ͷυϝΠϯ܈͸$16Ҏ಺ ͜ͷಈతίϯςϯπ͸$16

-JOVY$BQBCJMJUZ

ΞΫηε੍ޚϞσϧͷ෮श ೚ҙΞΫηε੍ޚʢ%"$ʣ ࣗ਎͕࡞ͬͨϦιʔε΁ͷΞΫηε͸ࣗ਎͕ܾఆ 6/*9ͷඪ४తͳϞσϧ ڧ੍ΞΫηε੍ޚʢ."$

-JOVYDBQBCJMJUZ ैདྷͷ֊૚ͷ%"$ݖݶϞσϧͷ֦ு εϨου୯Ґʹ੍ޚՄೳͳಛݖάϧʔϓ εϨου͸छྨͷDBQBCJMJUZTFUΛ࣋ͭ 1FSNJUUFEɾ&⒎FDUJWFɾ*OIFSJUBCMF

1FSNJUUFEͱ&GGFDUJWF 1FSNJUUFE͸ڐՄ &⒎FDUJWFͷηοτɾΞϯηοτ͕Մೳ 1FSNJUUFEΛΞϯηοτ͢Δͱ໭Εͳ͍ &⒎FDUJWF͸࣮ޮ

-JOVYDBQBCJMJUZ ໿άϧʔϓʹ෼ׂ͞Ε͍ͯΔ VJEɾHJEมߋͷಛݖ ಛݖϙʔτʢҎԼʣͷόΠϯυಛݖ DISPPUͷಛݖ

$BQBCJMJUZͷ׆༻ྫ NPE@QSPDFTT@TFDVSJUZ "QBDIFIUUQEͷTV&9&$ͷεϨου൛ ϓϩηε୯Ґͷݖݶ෼཭͔ΒεϨου୯Ґ΁ ݖݶ෼཭ͷίετΛεϨουͷੜ੒ɾഁغʹ௿ݮ

ΞΫηε੍ޚϞσϧͷࠓޙ ࠓ΋ͳ͓ೋ֊૚ͷݹయతͳݖݶϞσϧ ࢖͍΍͍͕ͦ͢ΕͰྑ͍ͷ͔ʁ ྫ͑͹ҰൠϢʔβ੍͕ޚͰ͖ͯɺࢠϓϩηεʹ౉࣌͢ʹ ੍ݶͯ͠౉͢ͱ͔΍Γ͍ͨʜ͋ΕͬͰ͖Δʁ աڈͷݚڀͰ͸΋ͬͱෳࡶͳݖݶϞσϧ͕͋ͬͨ

SDPO

UIBOLTUP!SSSFFFZZZ

ίϚϯυͷϦιʔε੍ޚ IUUQTHJUIVCDPNNBUTVNPUPSSDPO ࣮ߦ͍ͨ͠ίϚϯυͷϦιʔε੍ޚ ࣮ߦதͷϓϩηεͷϦιʔε੍ޚ $16ɺϝϞϦɺ*0ɺάϧʔϓԽ

SDPOͷྑ͍ॴ ࣮ߦޙ΍ఀࢭޙʹDHSPVQͷΰϛ૟আ ࣮ߦ࣌ͷίϚϯυΛϫϯϥΠϯͰ੍ޚ DHSPVQ͕͋Ε͹࢖͑Δ MJCDHSPVQΛTUBUJDMJOL

࢖͍Ͳ͜Ζͷྫ ΫϥΠΞϯτͰ-JOVY࢖ͬͯΔਓ ϒϥ΢β͸$16·Ͱ ϝʔϥʔॏ͍͔Β੍ݶͯ͠΍Ζ͏ αʔόͰ-JOVY࢖͍ͬͯΔਓ

DHSPVQT ,FSOFM MJCDHSPVQ DHSPVQGT NSVCZDHSPVQ NSVCZFWFOUGE SDPO NSVCZSDPO ϝϞϦίʔϧόοΫ ͷΈϑΝΠϧ*0Λར༻

ϝϞϦίʔϧόοΫ DHSPVQͷϝϞϦΠϕϯτΛݕ஌ ϝϞϦ੍ݶ஋΁ͷ౸ୡ΍0VUPG.FNPSZ FWFOUGEΛNSVCZFWFOUGEͱ࣮ͯ͠૷ IUUQTHJUIVCDPNNBUTVNPUPSNSVCZFWFOUGE

DBQDPO

೚ҙͷίϚϯυͷಛݖΛݶఆ ೚ҙͷίϚϯυΛ೚ҙͷϢʔβͰ DBQBCJMJUZΛ੍ޚ࣮ͭͭ͠ߦ͔ͨͬͨ͠ ͕ɺͰ͖ͳ͔ͬͨʂ

Ͱ͖ͳ͔ͬͨཧ༝ FYFDWF࣌ʹDBQ͕શͯམͪΔ XSBQQFSπʔϧͳͷͰGPSL FYFDWF͸ඞਢ SPPUݖݶͩͱFWFDWFޙ΋Ҿ͖ܧ͙͕ Ͱ΋ࠓճ͸೚ҙͷϢʔβͰ࣮ߦ͍ͨ͠

ิ଍ɿDBQͷҾ͖ܧ͗ϧʔϧ 1 QFSNJUUFE 1 JOIFSJUBCMF ' JOIFSJUBCMF c

·ͱΊ

SDPOBOEDBQDPOJOUFSOBMT DHSPVQTͱ-JOVYDBQBCJMJUZͷ׆༻ ίϚϯυϥΠϯ͔Β׆༻͍ͨ͠ SDPO͸Ͱ͖͚ͨͲDBQDPO͸ະ׬੒ DHSPVQTͱDBQBCJMJUZͰϓϩηεΛ ߴ౓ʹ੍ޚͰ͖Δ

ࠓޙ΍Γ͍ͨ͜ͱ 7.ΛϓϩηεɺίϯςφΛεϨουͱݟཱͯΔ LFSOFM͕͋Δछͷڞ༗ϝϞϦͷΑ͏ͳ΋ͷ ͍͔ʹϓϩηεΛ଎͘ɾޮ཰ྑ͘GPSL ͢Δ͔ ͍͔ʹεϨουΛ଎͘ɾ҆શʹ࡞Δ͔