ίϯςφ IBUFOBJOUFSO 

! Docker Docker Docker 

ؤ٤طػזי⛰ 

ؤ٤طػעꣴꦕ׈׿גوٞجت : ؤ٤طػꣴꦕ׈׿גوٞجتךעםַ 

ؤ٤طػْؕ٭ةמ׌׬י⻠ױ׿יַ׾ ˝ ؤ٭غ ˝ 㲔车ٓةٖ٭ٜ ˝ ٚ٤ذّؕ ˝ ❣㰆قشآ٭ة ˝ אס☽מبتطّ؛هةؘؠعֿ䑒釐כ׌׾ֵ׼׹׾نٜؒؕ 

企ׂי⺎䯈䓪ֵֿזי鬭ַ 擻杼ُب٤٬♞䘶ُب٤כ奂׬י ˝ 颯Ⳃ٬⢥塛ֿ企ַ ˝ ⺎䯈䓪ֵֿ׾ ˝ تآ٭ٚلٛطؔ ˝ ♞䘶ُب٤כ奂׬י⮵榫׌׾鞲嶎ֿ㵼םׂי鬭ַ 

ؤ٤طػ䤗软ע佅־׼ֵ׾ 2000 FreeBSD jails 2008 LXC (Linux Containers) 2013 Docker 2019 Podman 

ؤ٤طػ؅㲔杯׌׾䤗软 

ٛخ٭ت؅ꣴꦕ׌׾☼磝ײ ٛخ٭تסꣴꦕ ؤ٤طػ┕ךⳂׂوٞجتֿյٌتع┕ס☽סوٞجتמ㵚׊י 䏅ꮶ؅┙ֻםַ׆כ Namespace seccomp, AppArmor, SELinux 

Namespace Namespace User, Cgroup, IPC, Network, Mount, PID, Time, UTS 

Namespace PID ID pid ubuntu@utm:~$ ps PID TTY TIME CMD 1889 pts/0 00:00:00 bash 2711 pts/0 00:00:00 ps ubuntu@utm:~$ sudo unshare !"fork !"pid !"mount-proc ps PID TTY TIME CMD 1 pts/0 00:00:00 ps 

Namespace User UID/GID NameSpace UID root 

Namespace Time uptime: 

Namespace Network IP IP 

Namespace Mount chroot pivot_root 

Namespace > Mount chroot chroot pivot_root : / 

Namespace Cgroup CPU docker top 

آ٭قلٛطؔ root OS docker (!"cap-add) (!"cap-drop) pscap 

آ٭قلٛطؔ Linux manual capabilities ❆ CAP_SYS_BOOT CAP_SYS_CHROOT CAP_KILL 

seccomp strict read, write, _exit, sigreturn lter bpf Docker perf_event_open, pivot_root, process_vm_readv, process_vm_writev, ptrace 

seccomp ❆ seccomp.json { "defaultAction": "SCMP_ACT_ALLOW", "syscalls": [ { "name": "kill", "action": "SCMP_ACT_ERRNO" } ] } Docker noy72@noy72 $ docker run !"name ubuntu_bash \ !"rm -it !"security-opt seccomp=seccomp.json ubuntu bash root@f9d4b6ac2a8a:/# sleep 100 & [1] 10 root@f9d4b6ac2a8a:/# kill 10 bash: kill: (10) - Operation not permitted 

ؤ٤طػס斻玮䓪 1 OS 㱦⪒䓪 ⺎䯈䓪 

ؤ٤طػסج؞ٖٛطؔ㱦⪒䓪 Container Breakout root seccomp Docker Rootless gVisor Kata Containers 

Docker 

Docker Docker Docker םלֿך׀׾وٚشعنؚ٭ّ 

Docker 

Docker CLI Docker command line https://docs.docker.com/compose/completion/ 

Docker CLI ˝ ٝةتعٛ־׼ْؕ٭ة؅رؗ٤ٞ٭غ $ docker pull ˝ 二גמؤ٤طػ؅㲔车׌׾ $ docker run !"rm -ti ˝ 颯Ⳃ׊יַ׾ؤ٤طػ⫂ךؤُ٤غ؅㲔车׌׾ $ docker exec -ti 

Docker CLI ˝ ⛼䡗յ⹦䐂׊גْؕ٭ة؅澬鏀׌׾ $ docker images ˝ ⛼䡗׊גؤ٤طػ؅澬鏀׌׾ $ docker container ls -a $ docker ps -a ˝ ؤ٤طػ⫂סنٜؒؕ؅ٌتعמؤم٭ $ docker cp 

Docker 

Docker Docker le DockerHub 

Docker le # syntax = docker/dockerfile:experimental FROM golang:1.18-alpine AS builder RUN apk !"update add make WORKDIR /services/blog COPY go.mod go.sum ./ RUN go mod download COPY . . RUN !"mount=type=cache,target=/root/.cache/go-build \ make build FROM alpine COPY !"from=builder /services/blog/bin/server \ /services/blog/bin/server RUN adduser -D -u 1000 app USER 1000 ENTRYPOINT ["/services/blog/bin/server"] ⶡ硾םط؞تعي٭تס تؠٛوعنٜؒؕ Docker docker build ךْؕ٭ة؅لٜغ 

Docker le - FROM # syntax = docker/dockerfile:experimental FROM golang:1.18-alpine AS builder RUN apk !"update add make WORKDIR /services/blog COPY go.mod go.sum ./ RUN go mod download COPY . . RUN !"mount=type=cache,target=/root/.cache/go-build \ make build FROM alpine COPY !"from=builder /services/blog/bin/server \ /services/blog/bin/server RUN adduser -D -u 1000 app USER 1000 ENTRYPOINT ["/services/blog/bin/server"] Docker le FROM AS 

Docker le - RUN # syntax = docker/dockerfile:experimental FROM golang:1.18-alpine AS builder RUN apk !"update add make WORKDIR /services/blog COPY go.mod go.sum ./ RUN go mod download COPY . . RUN !"mount=type=cache,target=/root/.cache/go-build \ make build FROM alpine COPY !"from=builder /services/blog/bin/server \ /services/blog/bin/server RUN adduser -D -u 1000 app USER 1000 ENTRYPOINT ["/services/blog/bin/server"] !"mount 

Docker le - COPY # syntax = docker/dockerfile:experimental FROM golang:1.18-alpine AS builder RUN apk !"update add make WORKDIR /services/blog COPY go.mod go.sum ./ RUN go mod download COPY . . RUN !"mount=type=cache,target=/root/.cache/go-build \ make build FROM alpine COPY !"from=builder /services/blog/bin/server \ /services/blog/bin/server RUN adduser -D -u 1000 app USER 1000 ENTRYPOINT ["/services/blog/bin/server"] !"from 

Docker le - USER # syntax = docker/dockerfile:experimental FROM golang:1.18-alpine AS builder RUN apk !"update add make WORKDIR /services/blog COPY go.mod go.sum ./ RUN go mod download COPY . . RUN !"mount=type=cache,target=/root/.cache/go-build \ make build FROM alpine COPY !"from=builder /services/blog/bin/server \ /services/blog/bin/server RUN adduser -D -u 1000 app USER 1000 ENTRYPOINT ["/services/blog/bin/server"] root 

Docker le - ENTRYPOINT # syntax = docker/dockerfile:experimental FROM golang:1.18-alpine AS builder RUN apk !"update add make WORKDIR /services/blog COPY go.mod go.sum ./ RUN go mod download COPY . . RUN !"mount=type=cache,target=/root/.cache/go-build \ make build FROM alpine COPY !"from=builder /services/blog/bin/server \ /services/blog/bin/server RUN adduser -D -u 1000 app USER 1000 ENTRYPOINT ["/services/blog/bin/server"] CMD 

Multi-stage builds # syntax = docker/dockerfile:experimental # Ϗϧυ͢ΔΠϝʔδ FROM golang:1.18-alpine AS builder RUN apk !"update add make WORKDIR /services/blog COPY go.mod go.sum ./ RUN go mod download COPY . . RUN !"mount=type=cache,target=/root/.cache/go-build \ make build # ੒Ռ෺Λ࣋ͭΠϝʔδ FROM alpine COPY !"from=builder /services/blog/bin/server \ /services/blog/bin/server RUN adduser -D -u 1000 app USER 1000 ENTRYPOINT ["/services/blog/bin/server"] docker build !"target stage 

Docker Dockerfile FROM ubuntu RUN echo "hoge" > hoge.txt RUN rm hoge.txt ⛼䡗׊גْؕ٭ة؅⭳ⱱ׊י鉮⬲ $ docker save $CID > image.tar $ tar xf image.tar 

ْؕ٭ةע邾丗סٕٝؕ٭־׼ם׾ . ├── 3fe352f27d6d9b899da69b9799728c4492690186797a106cbfa029264b6ebcf7 │ ├── VERSION │ ├── json │ └── layer.tar ├── aa8c0471e58774435617a2efb80b963d0288bdbdfdd7ded778776c3051664569.json ├── af197d5ca08b03ffdfd8c1285260360fbbc237328d421b73c2abc3f07bb054d9 │ ├── VERSION │ ├── json │ └── layer.tar ├── b3ea71bd7712c8534c4e3440a02a2217d0049fc8acacac191cf875bc21ab9f6a │ ├── VERSION │ ├── json │ └── layer.tar └── manifest.json 

layer.tar b3ea71bd7712c8534c4e3!!" layer.tar % tar xf layer.tar % ls VERSION hoge.txt json layer.tar % cat hoge.txt hoge הםײמ RUN rm hoge.txt .wh.hoge.txt 

history docker history ❆ $ docker history aa8c0471e587 IMAGE CREATED CREATED BY SIZE COMMENT aa8c0471e587 16 seconds ago /bin/sh -c rm hoge.txt 0B ec48e0efeb2e 16 seconds ago /bin/sh -c echo "hoge" > hoge.txt 5B bad148f8963f 30 hours ago /bin/sh -c !"nop) CMD ["bash"] 0B 30 hours ago /bin/sh -c !"nop) ADD file:3db67543ea64bf672… 69.2MB 

! 1. RUN !!" !!" 2. RUN !!" > secret.txt !!" RUN rm secret.txt 

嚀㳡䗯㕔؅䣽ֹ亠嫎 multi-stage build RUN !"mount=type=secret RUN !!# > secret.txt !$ !!# !$ rm secret.txt 

نٜؒؕמ傴׀鱮׳כ׀לֹ׌׾ Copy On Write (COW) OverlayFS Docker COW 

ٕٝؕ؞ٔشبٖ # syntax = docker/dockerfile:experimental FROM golang:1.18-alpine AS builder RUN apk !"update add make WORKDIR /services/blog <͕͜͜มߋ͞Εͨ৔߹͸↓ͷ෦෼Λ࠶࣮ߦ> COPY go.mod go.sum ./ RUN go mod download COPY . . RUN !"mount=type=cache,target=/root/.cache/go-build \ make build ˝ 㚺催ֵֿזג车♓꡸ס ⽜♐ֿ⫋㲔车׈׿׾ ˝ 㚺催׈׿׷׌ַ鼧⮆ע儕㶾 מ 

؞ٔشبٖס✳؂׿亠ֿ樟ם׾❆ # syntax = docker/dockerfile:experimental FROM golang:1.18-alpine AS builder RUN apk !"update add make WORKDIR /services/blog COPY go.mod go.sum ./ RUN go mod download COPY . . RUN !"mount=type=cache,target=/root/.cache/go-build \ make build # syntax = docker/dockerfile:experimental FROM golang:1.18-alpine AS builder RUN apk !"update add make WORKDIR /services/blog COPY . . RUN go mod download RUN !"mount=type=cache,target=/root/.cache/go-build \ make build 

؞ٔشبٖס✳؂׿亠ֿ樟ם׾❆ # syntax = docker/dockerfile:experimental FROM golang:1.18-alpine AS builder RUN apk !"update add make WORKDIR /services/blog COPY go.mod go.sum ./ RUN go mod download COPY . . RUN !"mount=type=cache,target=/root/.cache/go-build \ make build # syntax = docker/dockerfile:experimental FROM golang:1.18-alpine AS builder RUN apk !"update add make WORKDIR /services/blog COPY . . RUN go mod download RUN !"mount=type=cache,target=/root/.cache/go-build \ make build 

ؤ٤طػס錃銶 

1 1 ˝ ⶡ┉ס嚀耆כ׊י⮆ꦕ׊י姡䇖تآ٭ٜ׊׷׌ׂ׌׾ ˝ ⫋⮵榫䓪յ鵀伺䓪 ˝ ❣㰆꞊➟؅峎׼׌ 

ؤ٤طػ؛٭آتعٝ٭ب٘٤ docker-compose, Amazon ECS, Kubernetes 

ْؕ٭ةע鬭ꄈמ׌׾ docker .dockerignore 

تط٭عٝتךِٖؕ٭ذهٜמ׌׾ stdout/stderr 

錃㲊؅梪㗞㚺丗מ劲硯׌׾ docker build Docker 

ؤ٤طػت؞ٔ٤ 

ْؕ٭ةמ耗䍏䓪ֿםַ־زؘشؠ Trivy Clair Anchore AWS ECR DockerHub docker scan 

Trivy https://github.com/aquasecurity/trivy Docker git $ trivy image !"severity HIGH hatena/apply-for-internship-2020:latest 2020-08-05T08:44:37.496+0900 WARN You should avoid using the :latest tag as it is cached. You need to specify '!"clear-cache' option when :latest image is changed 2020-08-05T08:44:40.616+0900 INFO Detecting Debian vulnerabilities!!# hatena/apply-for-internship-2020:latest (debian 10.4) ===================================================== Total: 1 (HIGH: 1) +-----------+------------------+----------+-------------------+------------------+--------------------------------+ | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE | +-----------+------------------+----------+-------------------+------------------+--------------------------------+ | perl-base | CVE-2020-10878 | HIGH | 5.28.1-6 | 5.28.1-6+deb10u1 | perl: corruption of | | | | | | | intermediate language state | | | | | | | of compiled regular expression | | | | | | | due to!!# | +-----------+------------------+----------+-------------------+------------------+--------------------------------+ 

ױכ״ 1 Namespace secomp Docker 1 1 

ֽ׊ױַ 

Docker Quiz $ docker run !"rm -i hatena/intern-2020-docker-quiz ! " docker run !"rm -i hatena/intern-2020- docker-quiz -hint 

ENTRYPOINT CMD ❆ CMD ["8.8.8.8"] ENTRYPOINT ["ping"] docker run ping 8.8.8.8 docker run 127.0.0.1 ping 127.0.0.1 docker run !"entrypoint date date Docker le CMD ENTRYPOINT ( / ) - CMD ENTRYPOINT 