Slide 1
Slide 1 text
ۙ౻͏͓ͪ(.01FQBCP
*OD
1)1ΧϯϑΝϨϯεԬ
ϩϦϙοϓʂ
ϚωʔδυΫϥυΛࢧ͑Δ
ίϯςφٕज़ͷશͯ
Slide 2
Slide 2 text
γχΞɾϓϦϯγύϧ
ۙ౻͏͓ͪ!VE[VSB
(.0ϖύϘɹٕज़෦ɹٕज़ج൫νʔϜ
IUUQTCMPHVE[VSBKQ
Slide 3
Slide 3 text
'VLVPLBSC
!
ԙϖύες
(.0ϖύϘԬࢧࣾ'
Slide 4
Slide 4 text
No content
Slide 5
Slide 5 text
Slide 6
Slide 6 text
No content
Slide 7
Slide 7 text
IUUQTNDMPMJQPQKQ
Slide 8
Slide 8 text
Λ❗ Λ❗
Slide 9
Slide 9 text
8PSE1SFTTͳΒҰॠʂ
1)1ڥ͙͢ʹʂ
44)Ͱ͖Δʂ
ಠࣗυϝΠϯγϡοͱʂ
ແྉͰ5-4ରԠʂ
Slide 10
Slide 10 text
No content
Slide 11
Slide 11 text
ίϯςφ
Slide 12
Slide 12 text
Linux containers, in short, contain
applications in a way that keep them
isolated from the host system that
they run on.
IUUQTPQFOTPVSDFDPNSFTPVSDFTXIBUBSFMJOVYDPOUBJOFST
Slide 13
Slide 13 text
ίϯςφΛ͏ཧ༝
Ͱ
Slide 14
Slide 14 text
։ൃऀ༷ʹ
ΞϓϦέʔγϣϯʹ
ूத͍͖͍ͯͨͩͨ͠
Slide 15
Slide 15 text
αʔόͰۤ࿑ͨ͘͠ͳ͍ʂ
wϛυϧΣΞͳͲΛࣗͰೖΕΔͷ᠘ଟͯ͘େม
wಥવෛՙ͕ߴ·ͬͨΒͲ͏͠Α͏ʁ
w৭ʑͳ੬ऑੑ͕ग़͖ͯͯΔ͚ͲɺͲ͏ରॲ͢Ε͍͍ͷʁ
Slide 16
Slide 16 text
ίϯςφͷಛ
wίϯςφϙʔλϒϧ
wˠඞཁͳͷʮશ෦ೖΓʯͷڥΛ͝ఏڙʂ
wίϯςφىಈɾఀࢭ͕ߴ
wˠඞཁʹԠͯ͡ͷىಈʢΦʔτεέʔϧʣ͍ʂ
wˠෆཁͳ߹ͪΌΜͱఀࢭͯ͠ɺඅ༻͕͔͔Γ͗͢ͳ͍Α͏ʹ
wˠίϯςφͷΞοϓάϨʔυɾೖΕସ͑࠶ىಈૉૣ͘ʂ
Slide 17
Slide 17 text
ίϯςφӡ༻
ϖύϘʹ͓ͤʂ
Slide 18
Slide 18 text
ίϯςφͷಛ
ͷ
Slide 19
Slide 19 text
օ༷ʹͱͬͯίϯςφͱ
Slide 20
Slide 20 text
ίϯςφͷ͞Βʹਂ͍
Slide 21
Slide 21 text
ಛघͳϓϩηεͷ࡞ΓํΛ͢Δ
Slide 22
Slide 22 text
ʮίϯςφؔ࿈ػೳʯΛ༗ޮʹ
cgroup
Linux
Namespace
Capability
chroot/
pivot_root
seccomp
Slide 23
Slide 23 text
ίϯςφ
ϓϩηε
Slide 24
Slide 24 text
ϓϩηε
؆୯ʹ࡞ΕΔ
Slide 25
Slide 25 text
ίϯςφ
࡞ΕΔʂ
Slide 26
Slide 26 text
։ൃऀ༷ʹ
ΞϓϦέʔγϣϯʹ
ूத͍͖͍ͯͨͩͨ͠
"HBJO
Slide 27
Slide 27 text
࠷ߴʹूதͰ͖Δ
ίϯςφڥΛʂ
Slide 28
Slide 28 text
Haconiwa
Slide 29
Slide 29 text
)BDPOJXBͷΈ
w-JOVYͷ༷ʑͳίϯςφػೳΛΈ߹ΘͤՄೳͳϥϯλΠϜ
wγεςϜίʔϧΛɺɹɹɹɹΛܦ༝੍ͯ͠ޚͰ͖ΔΑ͏ʹ͠ɺ
%4-ʹΑΓػೳͷΈ߹Θͤɺ༷ʑͳΠϕϯτʹԠͨ͡ϑοΫॲཧ
Λهड़Ͱ͖Δɻ
Slide 30
Slide 30 text
ਤղ
Linux
Kernel mruby gems Haconiwa
DSL Containers
Syscalls:
* chroot
* mount
* prctl
* unshare
* setns
* (cgroup op)
* seccomp
* setuid
* setgid
* ......
mruby-dir
mruby-linux-namespace
mruby-cgroup
mruby-seccomp
......
sample.haco
Slide 31
Slide 31 text
Կ͕خ͍͠ʁ
Slide 32
Slide 32 text
৽͍͠
ίϯςφΞʔΩςΫνϟ
Slide 33
Slide 33 text
ίϯςφͱ͍͑Ͳɺ͍͠՝
w
͓٬༷ڥΛͳΔ͘շదɺ͔ͭߴूੵʹ
ूੵΛߴ͘͠ͳ͚Εɺݱ࣮తͳ͓ஈͰఏڙ͠ଓ͚Δ͜ͱ͕Ͱ͖
ͳ͍ʂɹͦΕͰɺշదͰͳ͍ڥʹͨ͘͠ͳ͍ʂ
w
ίϯςφͱ͍͑ɺӡ༻ʹ͠ͳ͍ͱߴ͡Όͳ͍
ىಈɺఀࢭɺεέʔϧΞτͳͲΛ͍͍ͪͪखಈͰ͍ͬͯͯ
ঢ়گʹԠͯ͡ͳΊΒ͔ʹίϯςφͷΛม͑ΒΕͳ͍͔ʁ
Slide 34
Slide 34 text
'BTU$POUBJOFS
ΞʔΩςΫνϟ
Slide 35
Slide 35 text
ਤղ
Web
Proxy
Web
Request
Dispatcher
FastContainer
Runtime
CMDB
❌
FastContainer
Killed
1. Check
2. Boot
3. Forward
4. Terminate
Slide 36
Slide 36 text
ίϯςφΛ॥ͤ͞Δʂ
wίϯςφɺඞཁͳ࣌ʹ͔͠ىಈͤ͞ͳ͍ʂ
ˠϗεταʔόͷϦιʔεΛඞཁҎ্ʹΘͳ͍ͷͰɺଟ͘ͷϢʔβ
༷ʹఏڙ͢Δ͜ͱ͕Ͱ͖ΔΑ͏ʹʂ
wίϯςφͷʮੜଘ࣌ؒʯΛ۠ͬͯఏڙ͢Δʂ
ˠίϯςφʹೖΕସ͑Λڧ੍ͤ͞ɺৗʹ৽͘͠อͨͤΔ͜ͱͰɺ
ΞοϓάϨʔυɺΦʔτεέʔϧΛ༰қʹ࣮ݱͰ͖Δʂ
ˠͬͱշదͳڥʹʂ
Slide 37
Slide 37 text
ݚڀ։ൃͷͱΓ͘Έ
ͷ
Slide 38
Slide 38 text
IUUQTSBOEQFQBCPDPN
Slide 39
Slide 39 text
ΞʔΩςΫνϟ
จԽ
Slide 40
Slide 40 text
αʔϏεͰٕͬͨज़Λจʹ
wɹɹɹɹɹɹɹɹɹɹɹͰɺ
ݚڀ։ൃͱࣄۀߩݙͷؔΘΓΛେࣄʹ͍ͯ͠·͢
wྫ͑'BTU$POUBJOFS
w044จʹ)BDPOJXB
Slide 41
Slide 41 text
No content
Slide 42
Slide 42 text
ىಈߴԽ
$3*6
Slide 43
Slide 43 text
ΑΓշదͳίϯςφΛɻ
w$3*6 $IFDLQPJOUBOE3FTUPSF*O6TFSTQBDF
Λ༻͍ͯɺ
ىಈ్தͷϓϩηεͷνΣοΫϙΠϯτΛ࡞ɺىಈΛߴԽ͢Δ
ݚڀΛਐΊ͍ͯ·͢ɻ
w$IFDLQPJOU3FTUPSF$3*6֤ॴͰݚڀ͕ਐΜͰ͍·͕͢ɺ
TFDDPNQͱQUSBDFΛΈ߹ΘͤɺҙͷϓϩηεΛىಈߴԽ͢Δ
ख๏Λ͍ͬͯͬͯ·͢ʂ
IUUQTICNBUTVNPUPSKQFOUSZ
Slide 44
Slide 44 text
·ͱΊ
Slide 45
Slide 45 text
։ൃऀ༷͕։ൃʹ
ूத͢ΔͨΊʹ
શྗΛਚ͍ͯ͘͠·͢ʂ
Slide 46
Slide 46 text
1MFBTF
"TLUIF4QFBLFS
Slide 47
Slide 47 text
ϓϥοτϑΥʔϜΛʮ࡞ͬͯʯΈ·ͤΜ͔
࠷৽ͷ࠾༻ใΛνΣοΫˠ !QC@SFDSVJU
IUUQIBUFOBOFXTDPNBSUJDMFT