はてなリモートインターン2021 コンテナ講義資料

by Hatena

Slide 1

Slide 1 text

ίϯςφ IBUFOBJOUFSO 

Slide 2

Slide 2 text

׆ס铺紶ךע ˝ ؤ٤طػ䤗软 ˝ ؤ٤طػ؅㲔杯׌׾ג״ס䤗软 ˝ ؤ٤طػס׻ַכ׆؀ ˝ %PDLFS⪌ꝛ 

Slide 3

Slide 3 text

♞䘶⴫յؤ٤طػ♓⯥ ˝ 擻杼ئ٭ف ˝ חס04┕מ邾丗סوٞجت؅Ⳃ־׌ ˝ ئ٭فס㘃峎ֿ擻杼氳םסך㛻㚺 ˝ 邾丗סؓوٛآ٭ب٘٤ֿⳂַיַ׾םלס㕙⺬מյ☽מ䏅ꮶ؅┙ֻי׊ױֹ׆כ ֵֿ׾ ˝ ,7.׷9FOםלסـؕق٭فؕاמ׻׾♞䘶⴫ ˝ ַ؂׹׾♞䘶ُب٤כ⽛ף׿׾׵ס ˝ أتع04؅颯Ⳃ׈׎׾ 

Slide 4

Slide 4 text

♞䘶⴫ס侇♏ ˝ ⺏סئ٭فך邾丗סئ٭فأتعُب٤؅Ⳃ־׌ ˝ ♞䘶ُب٤מ04յؓوٛآ٭ب٘٤յٚؕهٚٛ؅ؕ٤تع٭ ٜ׊㲔车׌׾ ˝ 擻杼ئ٭فמ㵚׌׾ؤتعْٛشعյ畘杼׊׷׌׈׵ֵ׾ ˝ ئ٭فס邾邮׷فشؠؓشو־׼ס䐝⩕םל䦡䍖䓪յ縨꤃㲹䓪׵ֵ׾ 

Slide 5

Slide 5 text

ؤ٤طػס侇♏ ˝ ٌتعס04־׼ꣴꦕ׈׿גوٞجت ˝ ☽סوٞجت־׼ꣴꦕ׈׿ג㲔车梪㗞 ˝ ؤ٤طػ┕ךⳂׂوٞجتֿյٌتع┕ס☽סوٞجتמ㵚׊י 䏅ꮶ؅┙ֻםַ ˝ ؤ٤طػْؕ٭ة ˝ ؓوٛآ٭ب٘٤յِغؘٜؗؓյٚؕهٚٛםל㲔车מ䑒釐ם ٛخ٭تֿقشآ٭ة׈׿יַ׾ 

Slide 6

Slide 6 text

ؤ٤طػ㑔♞䘶⴫ ˝ 䇗'SFF#4%KBJMT ˝ 䇗-9$ -JOVY$POUBJOFST ˝ 䇗%PDLFS ˝ 䇗1PENBO 

Slide 7

Slide 7 text

ؤ٤طػ ˝ ٛخ٭تסꣴꦕ ˝ ؤ٤طػ┕ךⳂׂوٞجتֿյٌتع┕ס☽סوٞجتמ㵚׊י䏅ꮶ ؅┙ֻםַ׆כ ˝ -JOVYמֽׄ׾אסג״ס☼磝ײ ˝ /BNFTQBDF ˝ آ٭قلٛطؔ ˝ TFDDPNQ "QQ"SNPS 4&-JOVY 

Slide 8

Slide 8 text

/BNFTQBDF ˝ ؜٭ؾٜסٛخ٭ت؅ꣴꦕ׊י斻玮׊ג梪㗞מ釤׎׾ ˝ /BNFTQBDFס牊걉 ˝ 6TFS $HSPVQ *1$ /FUXPSL .PVOU 1*% 5JNF 654 

Slide 9

Slide 9 text

/BNFTQBDF 6TFS5JNF ˝ 6TFS ˝ 6*%(*%؅⮆ꦕ׌׾ ˝ 樟ם׾/BNF4QBDFך⺱׋6*%סٗ٭ا؅⛼䡗ך׀׾ ˝ 5JNF ˝ ٌتعכؤ٤طػס侇ꝴ؅⮆ꦕ׌׾ ˝ 攐㲊סَؕ٤عךٛتعؓך׀׾ 

Slide 10

Slide 10 text

/BNFTQBDF 1*%/FUXPSL ˝ 1*% ˝ وٞجت*%樑⺘狜ꝴסꣴꦕ ˝ ⺲⯥狜ꝴ⫂ך僃⮣סوٞجتעQJE ˝ /procQSPDGTעאס1*%⺲⯥狜ꝴ⫂סوٞجتמסײؓؠجتך׀׾ ˝ /FUXPSL ˝ ؾشع٠٭ؠظفؕتյٜ٭طؔ٤ءط٭هٜյ*1ؓغٝتյَ٭ع樑⺘םלסꣴ ꦕ ˝ ؤ٤طػכٌتعך⮯ס*1؅䧏י׾ 

Slide 11

Slide 11 text

/BNFTQBDF .PVOU ˝ .PVOU ˝ نٜؒؕبتطّסُؗ٤عَؕ٤عסꣴꦕ ˝ DISPPUכQJWPU@SPPU 

Slide 12

Slide 12 text

DISPPUכQJWPU@SPPU ˝ DISPPU ˝ وٞجتסٜ٭عظؔٝؠعٛ؅㚺催׊יوٞجت؅颯Ⳃ׌׾ ˝ 䧗㲊׈׿גٜ٭عظؔٝؠعٛ鿥┖סײמؓؠجتך׀׾ ˝ ☼喋┕յDISPPUס㛙מ燯Ⳃך׀י׊ױֹ ˝ QJWPU@SPPU ˝ وٞجتסٜ٭عنٜؒؕبتطّאס׵ס؅⪌׿僀ֻיٜ٭ع؅㚺催׌׾ ˝ 兢♭ֵֿ׾׵סס㛙׫ע燯Ⳃך׀םַն 

Slide 13

Slide 13 text

/BNFTQBDF $HSPVQ ˝ $HSPVQ ˝ ؤ٤طػ⫂סوٞجتס꥗⺬מ㵚׊יٛخ٭ت✳榫ꄈ؅⯆꡾ ׌׾☼磝ײ ˝ $16✳榫ꄈյْٓٛ✳榫ꄈյوٞجت丗םל ˝ 泃釱׵车ֹ׆כֿך׀յdocker topע׆׿؅⮵榫׊יַ׾ 

Slide 14

Slide 14 text

آ٭قلٛطؔ ˝ SPPU嘤꡾؅⮆Ⱏ׊نٜؒؕ׷وٞجتמ嘤꡾؅錃㲊׌׾ ˝ 耗䍏䓪םלך☽סوٞجت׷ٌتع04מ䏅ꮶ؅┙ֻםַ ˝ ؤ٤طػמ䑒釐僃㵸꡾ס嘤꡾؅♀┙յ畘杼׌׾ ˝ EPDLFSס㕙⺬յ嘤꡾؅鴑ⱶ !"cap-add ׷⯡ꢜך׀׾ !"cap-drop ˝ ظفؕتמ꡾㲊׊י嘤꡾ס錃㲊׵⺎耆 ˝ ظنؚٜعס嘤꡾ע⪜䌋غ؞ْٖ٤ع׷pscapؤُ٤غך澬鏀׊ױ ׊׺ֹ 

Slide 15

Slide 15 text

TFDDPNQ ˝ وٞجتס氦车ך׀׾بتطّؤ٭ٜ؅⯆꡾׌׾☼磝ײ ˝ TUSJDUٓ٭غSFBE XSJUF @FYJU TJHSFUVSOסײ ˝ MUFSٓ٭غCQGמ׻׾نٜؔذֿ⺎耆 ˝ %PDLFSךظنؚٜعך⯆꡾׈׿יַ׾بتطّؤ٭ٜס┉鼧 perf_event_open, pivot_root, process_vm_readv, process_vm_writev, ptrace 

Slide 16

Slide 16 text

ؤ٤طػס斻玮䓪 ˝ חסٌتع04מꣴꦕ׈׿ג邾丗ס梪㗞؅啶疣ך׀׾ ˝ ♞䘶ُب٤מ奂׬י؛٭ف٭ىشغֿ⛥ַ ˝ ج؞ٖٛطؔ ˝ ⺎䯈䓪 

Slide 17

Slide 17 text

ؤ٤طػסج؞ٖٛطؔ ˝ ♞䘶ُب٤מ㵚׊יյؤ٤طػסꣴꦕٝيٜע⛥ַ ˝ $POUBJOFS#SFBLPVU؅ꡔ׃ ˝ ؤ٤طػ⫂סوٞجت؅SPPUٗ٭اךⳂ־׈םַ ˝ TFDDPNQמ׻זיبتطّؤ٭ٜ؅⯆꡾׌׾ ˝ %PDLFSס3PPUMFTTٓ٭غ؅⮵榫׌׾ ˝ H7JTPS׷,BUB$POUBJOFST؅✳ֹ 

Slide 18

Slide 18 text

⺎䯈䓪 ˝ 㲔车׌׾梪㗞ֿ꡾㲊׈׿םַ ˝ تآ٭ٜ׊׷׌ַ ˝ ♞䘶ُب٤סؤم٭׻׽㵸׈ַ 

Slide 19

Slide 19 text

%PDLFS ˝ -JOVY؜٭ؾٜסؤ٤طػמ꞊׌׾☼磝ײ ˝ %PDLFSْؕ٭ةסلٜغ ˝ ٕٝؕ٭؞ٔشبٖ ˝ %PDLFSْؕ٭ة־׼סؤ٤طػס颯Ⳃ ˝ ٝةتعٛ%PDLFS)VC 

Slide 20

Slide 20 text

%PDLFS؅啶䡗׌׾ؤ٤َ٭ؾ٤ع 

Slide 21

Slide 21 text

%PDLFS$-* ˝ %PDLFSDPNNBOEMJOF ˝ بؘٜס遨㱭ס錃㲊 ˝ IUUQTEPDTEPDLFSDPNDPNQPTFDPNQMFUJPO ˝ ٝةتعٛ%PDLFS)VC 

Slide 22

Slide 22 text

%PDLFS$-* ˝ ٝةتعٛ־׼ْؕ٭ة؅رؗ٤ٞ٭غ $ docker pull ˝ 二גמؤ٤طػ؅㲔车׌׾ $ docker run !"rm -ti ˝ ⛼䡗׊גؤ٤طػ؅澬鏀׌׾ $ docker container ls -a 

Slide 23

Slide 23 text

%PDLFS$-* ˝ 颯Ⳃ׊יַ׾ؤ٤طػ⫂ךؤُ٤غ؅㲔车׌׾ $ docker exec -ti ˝ ؤ٤طػ⫂סنٜؒؕ؅ٌتعמؤم٭ $ docker cp ˝ 颯Ⳃ׊יַ׾ؤ٤طػס┉鈋 $ docker ps 

Slide 24

Slide 24 text

# syntax = docker/dockerfile:experimental FROM golang:1.14-alpine AS builder RUN apk !"update add make WORKDIR /services/blog COPY go.mod go.sum ./ RUN go mod download COPY Makefile ./ RUN make setup COPY . . RUN !"mount=type=cache,target=/root/.cache/go-build make build FROM alpine COPY !"from=builder /(snip)/server /(snip)/server RUN adduser -D -u 1000 app USER 1000 ENTRYPOINT ["/services/blog/bin/server"] %PDLFSMF ˝ %PDLFSْؕ٭ةע%PDLFSMF־׼ docker buildؤُ٤غך榟䡗 $ docker build -f Dockerfile . ˝ %PDLFSMF ˝ '30.ي٭تْؕ٭ة䧗㲊 ˝ 36/♳䙫סؤُ٤غ؅㲔车 ˝ $01:لٜغؤ٤ط؞تع־׼ نٜؒؕ؅⹦䐂׌׾ 

Slide 25

Slide 25 text

%PDLFSMF ˝ 64&3 ˝ ؤ٤طػ颯Ⳃ侇מ✳榫׌׾ٗ٭ا ˝ &/53:10*/5 ˝ ؤ٤طػ颯Ⳃ侇מ㲔车׌׾ؤُ٤غ 

Slide 26

Slide 26 text

# syntax = docker/dockerfile:experimental FROM golang:1.14-alpine AS builder RUN apk !"update add make WORKDIR /services/blog COPY go.mod go.sum ./ RUN go mod download COPY Makefile ./ RUN make setup COPY . . RUN !"mount=type=cache,target=/root/.cache/go-build make build FROM alpine COPY !"from=builder /(snip)/server /(snip)/server RUN adduser -D -u 1000 app USER 1000 ENTRYPOINT ["/services/blog/bin/server"] ٕٝؕ؞ٔشبٖ ˝ لٜغ侇ꝴס湾竊סג״յ ⽜♐ⶡ⛣ך؞ٔشبٖ׈׿ ׾ ˝ ⭚杼侇ꝴֿ־־׽յ㚺催값 䈱ס㵼םַ׵ס؅⩝מ㲔车 ׌׾ 

Slide 27

Slide 27 text

# syntax = docker/dockerfile:experimental FROM golang:1.14-alpine AS builder RUN apk !"update add make WORKDIR /services/blog COPY go.mod go.sum ./ RUN go mod download COPY Makefile ./ RUN make setup COPY . . RUN !"mount=type=cache,target=/root/.cache/go-buil make build FROM alpine COPY !"from=builder /(snip)/server /(snip)/server RUN adduser -D -u 1000 app USER 1000 ENTRYPOINT ["/services/blog/bin/server"] NVMUJTUBHFCVJMET ˝ ْؕ٭ةئؕث؅㵸׈ׂ⟊ ח ˝ ؓوٛآ٭ب٘٤סⳂ⛼ מ䑒釐ם❣㰆סײ⻠״׾ ˝ docker buildס!" target؛وب٘٤ ˝ 攐㲊סTUBHF؅لٜغ׌ ׾ 

Slide 28

Slide 28 text

# syntax = docker/dockerfile:experimental FROM golang:1.14-alpine AS builder RUN apk !"update add make WORKDIR /services/blog COPY go.mod go.sum ./ RUN go mod download COPY Makefile ./ RUN make setup COPY . . RUN !"mount=type=cache,target=/root/.cache/go-build make build FROM alpine COPY !"from=builder /(snip)/server /(snip)/server RUN adduser -D -u 1000 app USER 1000 ENTRYPOINT ["/services/blog/bin/server"] CVJMELJU ˝ %PDLFS׻׽塜䌋嚀耆 כםזג二׊ַلٜر٭ ˝ DOCKER_BUILDKIT=1؅錃㲊׊יֽׂ ˝ لٜغ侇מ؞ٔشبٖסُ ؗ٤عֿך׀׾ 

Slide 29

Slide 29 text

%PDLFSْؕ٭ة ˝ ؤ٤طػסⳂ⛼מ䑒釐םنٜؒؕ؅ױכ״ג׵ס ˝ 邾丗סٕٝؕך啶䡗׈׿׾ ˝ %PDLFS)VC $ docker pull <Πϝʔδ໊!"<λά> $ docker pull hatena/apply-for-internship-2020:latest 

Slide 30

Slide 30 text

%PDLFSْؕ٭ةס╈עלֹםזיַ׾ % docker save hatena/apply-for-internship-2020:latest > image.tar % tar xf image.tar 

Slide 31

Slide 31 text

%PDLFSْؕ٭ةס╈עלֹםזיַ׾ ├── 2e3d6c9f566f06ae7e9a74b69483b8cb783b1bee48beb02b6524fbcb4de48f71 │ ├── VERSION │ ├── json │ └── layer.tar ├── 6a28bc9521cd43cb1bbba4facfe4676649681c81ab252d09ad906ca11669d4ca │ ├── VERSION │ ├── json │ └── layer.tar ├── 83bc3862525ff9d3b82a85ec3369f8cab40f7e716e36f3db84f15763a11af2fe.json ├── da0ea11a16c18578358add538c445cd5408e29ec0f06a7196c51ee7b7e46662d │ ├── VERSION │ ├── json │ └── layer.tar ├── manifest.json └── repositories 

Slide 32

Slide 32 text

%PDLFSْؕ٭ةס╈עלֹםזיַ׾ ˝ ْؕ٭ة啶疣ס㷽塷؅澬鏀׌׾ $ docker history $ docker history hatena/apply-for-internship-2020 IMAGE CREATED CREATED BY SIZE COMMENT 8066217f321a 2 minutes ago ENTRYPOINT ["./apply-for-internship-2020"] 0B buildkit.dockerfile.v0 2 minutes ago COPY /go/src/github.com/hatena/apply-for-int… 10.4MB buildkit.dockerfile.v0 3 minutes ago COPY public.pem private.pem ./ # buildkit 405B buildkit.dockerfile.v0 3 minutes ago WORKDIR /root/ 0B buildkit.dockerfile.v0 3 weeks ago /bin/sh -c !"nop) CMD ["bash"] 0B 3 weeks ago /bin/sh -c !"nop) ADD file:45f5dfa135c848a34… 69.3MB $ docker history debian:buster-slim IMAGE CREATED CREATED BY SIZE COMMENT df0140a4030c 3 weeks ago /bin/sh -c !"nop) CMD ["bash"] 0B 3 weeks ago /bin/sh -c !"nop) ADD file:45f5dfa135c848a34… 69.3MB 

Slide 33

Slide 33 text

ؤ٤طػס錃銶 ˝ ؤ٤طػوٞجت ˝ ⶡ┉ס嚀耆כ׊י⮆ꦕ׊י姡䇖تآ٭ٜ׊׷׌ׂ׌׾ ˝ ⫋⮵榫䓪յ鵀伺䓪 ˝ ❣㰆꞊➟؅峎׼׌ 

Slide 34

Slide 34 text

ؤ٤طػ؛٭آتعٝ٭ب٘٤ ˝ 邾丗סؤ٤طػ؅畘杼׌׾ ˝ EPDLFSDPNQPTF "NB[PO&$4 ,VCFSOFUFT 

Slide 35

Slide 35 text

ؤ٤طػס錃銶 ˝ ْؕ٭ةע鬭ꄈמ׌׾ ˝ 㲔车מ䑒釐ם❣㰆꞊➟סײ ˝ EPDLFSס㕙⺬ע.dockerignore؅✳ֹ 

Slide 36

Slide 36 text

ؤ٤طػס錃銶 ˝ تط٭عٝتך┘㚺ךֵ׾׻ֹמ׌׾ ˝ 㲔车׊יַ׾ؤ٤طػ⫂ךؓوٛآ٭ب٘٤؅㚺催׊םַ ˝ 姧禈ظ٭ذעؤ٤طػ㛙鼧סؤ٤َ٭ؾ٤عמ♳׎׾ ˝ ؤ٤طػסٚؕنئؕؠٜע湾ַ ˝ ٞءעTUEPVUTUEFSSמ⭳ⱱ׌׾ ˝ ٞء؅نٜؒؕמ傴׀⭳׈םַ 

Slide 37

Slide 37 text

ؤ٤طػס錃銶 ˝ 錃㲊؅梪㗞㚺丗מ劲硯׌׾ ˝ EPDLFSCVJME؅׷׽םֽ׌׆כםׂ㚺催ך׀׾ ˝ 邾丗ס梪㗞ך⺱׋%PDLFSْؕ٭ةֿ✳ֻ׾ 

Slide 38

Slide 38 text

ؤ٤طػت؞ٔ٤ ˝ ْؕ٭ة⫂מ㰆㏇׌׾خنعؘؗؓמ仴湳ס耗䍏䓪ֿםַ־ ˝ ص٭ٜ ˝ 5SJWZ ˝ $MBJS ˝ "ODIPSF ˝ "84&$3 ˝ %PDLFS)VC 

Slide 39

Slide 39 text

5SJWZ ˝ IUUQTHJUIVCDPNBRVBTFDVSJUZUSJWZ ˝ %PDLFSْؕ٭ةյنٜؒؕبتطّյHJUَٛةعٛמ㵚׊יت ؞ٔ٤ֿך׀׾ $ trivy image !"severity HIGH hatena/apply-for-internship-2020:latest 2020-08-05T08:44:37.496+0900 WARN You should avoid using the :latest tag as it is cached. You need to specify '!"clear-cache' option when :latest image is changed 2020-08-05T08:44:40.616+0900 INFO Detecting Debian vulnerabilities!!# hatena/apply-for-internship-2020:latest (debian 10.4) ===================================================== Total: 1 (HIGH: 1) +-----------+------------------+----------+-------------------+------------------+--------------------------------+ | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE | +-----------+------------------+----------+-------------------+------------------+--------------------------------+ | perl-base | CVE-2020-10878 | HIGH | 5.28.1-6 | 5.28.1-6+deb10u1 | perl: corruption of | | | | | | | intermediate language state | | | | | | | of compiled regular expression | | | | | | | due to!!# | +-----------+------------------+----------+-------------------+------------------+--------------------------------+ 

Slide 40

Slide 40 text

ױכ״ ˝ ؤ٤طػע♞䘶⴫䤗软סח ˝ 仴㰆ס☼磝ײ؅┕䣆ׂ⮵榫׊י斻玮䓪؅㲔杯 ˝ ؙؤبتطّס⩗㲔 

Slide 41

Slide 41 text

"QQFOEJY%PDLFS2VJ[ $ docker run !"rm -i hatena/intern-2020-docker-quiz ˝ ⪒ゖ塜鉮׊յ ! ֿ⭳׾כؠٛؓ ˝ ㍭זגכ׀ע ˝ " docker run !"rm -i hatena/intern-2020- docker-quiz -hint 