Link
Embed
Share
Beginning
This slide
Copy link URL
Copy link URL
Copy iframe embed code
Copy iframe embed code
Copy javascript embed code
Copy javascript embed code
Share
Tweet
Share
Tweet
Slide 1
Slide 1 text
gVisorͰ࣮ݱ͢Δ ͜Ε͔Βͷ ίϯςφηΩϡϦςΟ Morito Ikeda | 13 June 2020
Slide 2
Slide 2 text
ABOUT ME ా ਓ(@_moricho_) - Go, Kubernetes, Rust, … - gVisorFirecrackerͳͲOSSͷί ϯτϦϏϡʔτ - GoʹΑΔίϯςφϥϯλΠϜࣗ࡞ͷ ిࢠॻ੶ΛΠϯϓϨε͞Μ͔Βग़൛ ༧ఆͰ͢
Slide 3
Slide 3 text
gVisorͷ֓ཁ: ɾϢʔβʔϥϯυʹΧʔωϧΛ࠶࣮ ɾGoogle͕ओಋ ɾίϯςφϥϯλΠϜ(runsc) + ηΩϡΞͳSandboxڥ
Slide 4
Slide 4 text
gVisorͷ֓ཁ: ɾ࣮CloudFunctionGAEgVisor͕ϕʔε ɾGKEͰSandboxػೳ͕GA, gVisorΛ༻Մೳ
Slide 5
Slide 5 text
ͳͥgVisor͕ඞཁͳͷ͔ʁ
Slide 6
Slide 6 text
ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝ᶃ: ɾίϯςφ/ϗετؒͷ͕͍ — ੬ऑੑʹΑΓݖݶ͕ୣऔ͞ΕΔͱɺ ϗετଞίϯςφʹӨڹ — ֤ίϯςφϗετͷσόΠεͱΧʔωϧΛڞ༗
Slide 7
Slide 7 text
ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝ᶄ: ɾࡉ͔͍ϙϦγʔઃఆ/ΞΫηε੍ޚ͕େม — ಉҰΫϥελʹෳͷηΩϡϦςΟϨϕϧͷMicroservice Ϛϧνςφϯτͳέʔε૿͍͑ͯΔ — PodSecurityPolicyRBACʹΑΔࡉ੍͔͍ޚ — AppArmorSELinuxͳͲͷηΩϡϦςΟ Ϟδϡʔϧ
Slide 8
Slide 8 text
ͦ͜ͰgVisorʂ
Slide 9
Slide 9 text
ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝ᶃ: ɾίϯςφ/ϗετؒͷ͕͍
Slide 10
Slide 10 text
ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝ᶃ: ɾίϯςφ/ϗετؒͷ͕͍ => ϢʔβʔϥϯυΧʔωϧΛט·ͤΔ ɾϢʔβʔۭؒʹΧʔωϧΛ࠶࣮ ɾϗετͱίϯςφͷΛߴΊΔ ɾةݥͳγεςϜίʔϧͷfilterͳͲ
Slide 11
Slide 11 text
ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝ᶄ: ɾࡉ͔͍ϙϦγʔઃఆ/ΞΫηε੍ޚ͕େม
Slide 12
Slide 12 text
ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝ᶄ: ɾࡉ͔͍ϙϦγʔઃఆ/ΞΫηε੍ޚ͕େม => gVisorଆͰٵऩ ɾSentry: ϢʔβϥϯυΧʔωϧ - Podʹ͝ͱʹੜ - syscallͷϋϯυϧ ɾGofer: disk I/O Λϋϯυϧ - memoryCPUͷཧ - Sentryͱ9P protocolͰ௨৴
Slide 13
Slide 13 text
·ͱΊ: ɾैདྷΑΓϗετ/ΞϓϦέʔγϣϯؒͷUP ɾNo Configuration(σϑΥϧτ)ͰηΩϡΞʹ ɾGCPͷ༷ʑͳͱ͜ΖͰ༻͞Ε͍ͯΔ ͥͻgVisorͷϒϩάιʔείʔυΛ͍ͯΈ͍ͯͩ͘͞ ɾ·ͨػձ͕͋ΕΑΓਂ͍෦Λ͍ͨ͠
Slide 14
Slide 14 text
ࢀߟ: ɾʮ·ͱΊͯɺ·ΔΘ͔ΓɺGoogle Cloud Ͱ࣮ݱ͢Δ ɹɹΞϓϦέʔγϣϯ ϞμφΠθʔγϣϯʯ https://www.youtube.com/watch?v=-uWe4r8k4l4
Slide 15
Slide 15 text
ࢀߟ: ɾgVisor Security Basics - Part 1 ɾContainer Isolation at Scale (... and introducing gVisor) https://gvisor.dev/blog/2019/11/18/gvisor-security-basics-part-1/ https://schd.ws/hosted_files/kccnceu18/47/Container%20Isolation%20at%20Scale.pdf ɾgVisor in depth https://blog.loof.fr/2018/06/gvisor-in-depth.html