Linux コンテナの内部を知ろう / OSC 2018 Kyoto

Slide 1

Slide 1 text

Linux ίϯςφͷ಺෦Λ஌Ζ͏ OSC 2018 Kyoto Ճ౻ହจ (@ten_forward) 2018-08-04

Slide 2

Slide 2 text

ࣗݾ঺հ ࠓ೔ͷ໨ඪ ίϯςφͷ֓ཁ Linux ʹ͓͚Δίϯςφ ίϯςφͷϑΝΠϧγεςϜ Namespace(໊લۭؒ) cgroup ηΩϡϦςΟػೳ ͦͷଞͷػೳ ·ͱΊ 1/54

Slide 3

Slide 3 text

ࣗݾ঺հ Ճ౻ହจ • http://www.ten-forward.ws/ • @ten_forward • http://gplus.to/tenforward • https://github.com/tenforward • http://tenforward.hatenablog.com/ (ٕज़ϒϩά) 2/54

Slide 4

Slide 4 text

ࣗݾ঺հ (OSSɾίϯςφؔ࿈) • Plamo Linux ϝϯςφ • LXC ͰֶͿίϯςφೖ໳ɹʔܰྔԾ૝Խ؀ڥΛ࣮ݱ͢Δٕज़ gihyo.jp Ͱ࿈ࡌ 3/54

Slide 5

Slide 5 text

ࣗݾ঺հ (ίϯςφؔ࿈) • LXC/LXD ͷ։ൃʹগ͠ࢀՃ • man page ͷ೔ຊޠ༁ • ެࣜϖʔδ (linuxcontainers.org) ຋༁ • όάϑΟοΫεͳͲগ͚ͩ͠ίʔυʹ΋ߩݙ • LXD ೔ຊޠϝοηʔδ • ίϯςφܕԾ૝Խͷ৘ใަ׵ձओ࠻ 4/54

Slide 6

Slide 6 text

ࣗݾ঺հ ࠓ೔ͷ໨ඪ ίϯςφͷ֓ཁ Linux ʹ͓͚Δίϯςφ ίϯςφͷϑΝΠϧγεςϜ Namespace(໊લۭؒ) cgroup ηΩϡϦςΟػೳ ͦͷଞͷػೳ ·ͱΊ 5/54

Slide 7

Slide 7 text

ࠓ೔ͷ໨ඪ • ίϯςφͷ֓ཁΛཧղ͢Δ • Linux ίϯςφ؀ڥΛߏங͢ΔࡍʹΑ͘࢖ΘΕΔٕज़Λཧղ ͢Δ 6/54

Slide 8

Slide 8 text

ࠓ೔ͷൃද ࠓ೔͸ίϯςφͰΑ͘࢖ΘΕΔػೳͷ͍͔ͭ͘ΛऔΓ্͛ɺ࣮ྫ΍ σϞΛަ͑ͳ͕Βઆ໌͠·͢ɻίϯςφؔ࿈ػೳΛ໢ཏతʹ஌Γͨ ͍৔߹͸ • LXC ͰֶͿίϯςφೖ໳ ʵܰྔԾ૝Խ؀ڥΛ࣮ݱ͢Δٕज़ (gihyo.jp) • speakerdeck ʹ͋Δࢲͷ OSC ͳͲͷൃදࢿྉ • ͦͷଞࢀߟࢿྉ (࠷ޙʹ͍͔ͭ͘঺հ͠·͢) ͳͲΛ͝ཡ͍ͩ͘͞ɻ 7/54

Slide 9

Slide 9 text

ࣗݾ঺հ ࠓ೔ͷ໨ඪ ίϯςφͷ֓ཁ Linux ʹ͓͚Δίϯςφ ίϯςφͷϑΝΠϧγεςϜ Namespace(໊લۭؒ) cgroup ηΩϡϦςΟػೳ ͦͷଞͷػೳ ·ͱΊ 8/54

Slide 10

Slide 10 text

ίϯςφͱ͸ ΧʔωϧͷػೳͰ • ִ཭͞ΕۭͨؒͰϓϩηεΛ࣮ߦ͢Δ • ʮԾ૝؀ڥʯͱ͍͏ΑΓ͸ʮִ཭͞Εͨ؀ڥʯͱߟ͑ͨํ͕ޡ ղ͕ͳ͍ • ִ཭͞Εͨಉۭؒ͡಺ͰϓϩηεΛͻͱ͚࣮ͭͩߦ͢Δ͜ͱ΋ɺ ෳ਺࣮ߦ͢Δ͜ͱ΋Ͱ͖Δ • ϓϩηεʹରͯ͠Ϧιʔε੍ݶΛઃఆ͢Δ (ˡࠓ೔͸ܰ͘৮Ε ·͢) 9/54

Slide 11

Slide 11 text

ίϯςφͱ͸ • ͭ·Γ୯ͳΔϓϩηε (or ୯ͳΔϓϩηεͷू߹) • ϓϩηεʹʮଐੑʯΛࢦఆ͢Δ • ྫ͑͹ʜ • ଞͷϓϩηε͔Βݟ͑ͳ͘͢Δ • ࣮ߦͰ͖Δૢ࡞ʹ੍ݶΛՃ͑Δ • ϓϩηεʹϦιʔε੍ݶΛద༻͢Δ • ͳͲͳͲʜ • ී௨ʹىಈͨ͠ͷͱ͸νϣοτҧ͏ϓϩηε 10/54

Slide 12

Slide 12 text

ίϯςφͷϝϦοτɾσϝϦοτ ͭ·Γ • ίϯςφΛىಈ͢Δ ʹ ϓϩηεΛىಈ͢Δ • ىಈ͕ૣ͍ʢϓϩηεΛىಈ͢Δͷʹ͔͔Δ͚࣌ؒͩʣ • Χʔωϧ͸ϗετ্Ͱಈ͍͍ͯΔΧʔωϧͷΈ • Ծ૝Ϛγϯ (VM) ͷΑ͏ʹҟͳΔ OS ͷγεςϜ΍ϓϩάϥ Ϝ͸ಈ͔ͤͳ͍ (ΤϛϡϨʔλΛಈ͔ͤ͹Ͱ͖·͕͢) • ΧʔωϧʹؔΘΔૢ࡞Λίϯςφ͝ͱʹผʑʹ͸ߦ͑ͳ͍ 11/54

Slide 13

Slide 13 text

Linux Ҏ֎ʹ͓͚Δίϯςφ • ίϯςφ͸ Linux ಠࣗͷٕज़Ͱ͸͋Γ·ͤΜ • Linux Ҏ֎Ͱ΋ίϯςφͷ࣮૷͸͋Γ·͢ͷͰ؆୯ʹ঺հ͠ ͓͖ͯ·͢ • FreeBSD jail (ଞʹ VPS ͱ͍͏࣮૷΋͋Δ) • Solaris Zones • Windows (Windows Server ίϯςφɾHyper-V ίϯ ςφ) 12/54

Slide 14

Slide 14 text

ࣗݾ঺հ ࠓ೔ͷ໨ඪ ίϯςφͷ֓ཁ Linux ʹ͓͚Δίϯςφ ίϯςφͷϑΝΠϧγεςϜ Namespace(໊લۭؒ) cgroup ηΩϡϦςΟػೳ ͦͷଞͷػೳ ·ͱΊ 13/54

Slide 15

Slide 15 text

Linux ʹ͓͚Δίϯςφ Linux Χʔωϧʹ͸୯Ұͷʮίϯςφʯͱ͍͏ػೳ͕͋ΔΘ͚Ͱ͸ ͳ͍ • ৭ʑͳػೳΛ૊Έ߹ΘͤͯʮίϯςφʯΛ࡞Δ • ˠ ࣗ෼ʹཉ͍͠ػೳΛ૊Έ߹Θͤͯʮίϯςφʯ͕࡞ΕΔ • Docker ΍ LXC/LXD ͳͲͷίϯςφ࣮૷΋ࣗ਎͕ཉ͍͠ ༷ʑͳػೳΛ૊Έ߹Θͤͯίϯςφ؀ڥΛߏங͍ͯ͠Δ ͦΕͰ͸ɺίϯςφͰΑ͘࢖ΘΕΔػೳΛ঺հ͠ͳ͕Βίϯςφ͕ Ͱ͖Δ·ͰΛݟ͍͖ͯ·͠ΐ͏ 14/54

Slide 16

Slide 16 text

ࣗݾ঺հ ࠓ೔ͷ໨ඪ ίϯςφͷ֓ཁ Linux ʹ͓͚Δίϯςφ ίϯςφͷϑΝΠϧγεςϜ Namespace(໊લۭؒ) cgroup ηΩϡϦςΟػೳ ͦͷଞͷػೳ ·ͱΊ 15/54

Slide 17

Slide 17 text

ίϯςφಠࣗͷϑΝΠϧγεςϜ ྫ͑͹ʜ • ΠϝʔδΛऔಘͯ͠ϗετ OS ͷϑΝΠϧγεςϜ্ʹల։ ͢Δ • Ͱ΋ίϯςφىಈޙ͸औಘͨ͠ΠϝʔδͷσΟϨΫτϦπϦʔ ͚͕ͩݟ͍͑ͯΔ ͜ΕΛͲͷΑ͏ʹ࣮ݱ͢Δͷ͔Λ͔࣍ΒΈ͍͖ͯ·͠ΐ͏ 16/54

Slide 18

Slide 18 text

chroot • ΋ͬͱ΋γϯϓϧʹίϯςφઐ༻ͷϑΝΠϧγεςϜ (σΟϨ ΫτϦπϦʔ) ΛݟͤΒΕΔ • ݟ্͔͚ͷϧʔτσΟϨΫτϦΛมߋ͢Δ • ͨͩ͠ɺchroot ͨ͠؀ڥ͔Βൈ͚ग़ͤΔ • chroot Ͱ͖ͳ͍Α͏ʹݖݶΛണୣ͢Δඞཁ͕͋Δ 17/54

Slide 19

Slide 19 text

chroot ͷσϞ • ΈͲ͜Ζ • ৽͍͠ / (root) ʹ͍ͨ͠σΟϨΫτϦʹҠಈͯ͠ chroot ίϚϯυΛ࣮ߦ͢Δ͚ͩͷ؆୯͞ • Ͱ΋ɺ৽ͨͳ / (root) ͔Βൈ͚ͩͤΔ 18/54

Slide 20

Slide 20 text

pivot_root • root ϑΝΠϧγεςϜΛऔΓସ͑Δ • ϑΝΠϧγεςϜࣗମΛऔΓସ͑ΔͷͰൈ͚ΒΕͳ͍ (ൈ͚Δ ͱ͍͏֓೦͕ͳ͍) • chroot ʹൺ΂Δͱ੍ݶ͕ଟ͍ • Docker ΍ LXC ͸ pivot_root Λ࢖༻ 19/54

Slide 21

Slide 21 text

pivot_root pivot_root ͸৽ͨʹ / (root) ͱ͍ͨ͠σΟϨΫτϦ (Ϛ΢ϯτ ϙΠϯτ) ͱίϚϯυ࣮ߦલ࣌఺ͷ / (root) ΛϚ΢ϯτ͢ΔσΟ ϨΫτϦ (৽ root ҎԼ) Λࢦఆ͢Δ pivot_root [৽͍͠ root] [Ҏલͷ root] (ྫ) pivot_root . old ͜ΕͰΧϨϯτσΟϨΫτϦ͕ / (root) ͱͳΓɺҎલͷ/͕./old ҎԼʹϚ΢ϯτ͞ΕΔ 20/54

Slide 22

Slide 22 text

bind Ϛ΢ϯτ • Ϛ΢ϯτ͍ͯ͠ΔπϦʔͷҰ෦Λผͷ৔ॴʹϚ΢ϯτ͢Δػೳ • ϗετͱίϯςφͰσΟϨΫτϦ΍ϑΝΠϧΛڞ༗͢Δࡍʹ΋ ࢖͍·͢ 21/54

Slide 23

Slide 23 text

bind Ϛ΢ϯτ • ৽ͨͳ / (root) ʹมߋ͢ΔͨΊʹ pivot_root Λ࢖͏ࡍ • ͋ΔσΟϨΫτϦҎԼʹίϯςφΠϝʔδΛల։ͯ͠΋ʮϑΝ ΠϧγεςϜʯͰ͸ͳ͍ͷͰ pivot_root Ͱ͖ͳ͍ • ίϯςφͷ / (root) ͱ͍ͨ͠σΟϨΫτϦΛ bind Ϛ΢ϯτ ͢Δͱɺͦ͜͸Ϛ΢ϯτϙΠϯτʹͳΓɺ ʮϑΝΠϧγες ϜʯͬΆ͘ͳΓ • ͜ΕͰ pivot_root Ͱ͖·͢!! 22/54

Slide 24

Slide 24 text

ࣗݾ঺հ ࠓ೔ͷ໨ඪ ίϯςφͷ֓ཁ Linux ʹ͓͚Δίϯςφ ίϯςφͷϑΝΠϧγεςϜ Namespace(໊લۭؒ) cgroup ηΩϡϦςΟػೳ ͦͷଞͷػೳ ·ͱΊ 23/54

Slide 25

Slide 25 text

Namespace • ίϯςφͷ OS Ϧιʔε͕ʜ • ଞͷίϯςφ΍ϗετ͔Β • ݟ͑ͨΓ • ૢ࡞Ͱ͖ͨΓ • ڞ௨ͩͬͨΓ • ͨ͠ΒࠔΓ·͢ΑͶ!! ͦΜͳͷʮִ཭͞Εۭͨؒʯ͡Όͳ͍!! • ͦΜͳͱ͖࢖͏ͷ͕ “Namespace(໊લۭؒ)”!! • Namespace ͸୯ҰͷػೳͰ͸ͳ͘ɺϦιʔε͝ͱʹ Namespace ͕༻ҙ͞Ε·͢ • Linux ίϯςφͷཁͷػೳ 24/54

Slide 26

Slide 26 text

Namespace ͷઆ໌ͷલʹ • ͭ·Γ Namespace ͕ͦ͜ Linux ίϯςφͱݴͬͯ΋ա ݴͰ͸ͳ͍ • ͦΜͳʮLinux ίϯςφʯΛ࠷΋؆୯ʹ࡞Δʹ͸!! • Docker Λ࢖͏ͷͰ͸ͳ͘ • LXC Λ࢖͏ͷͰ΋ͳ͘ • unshare ίϚϯυ!!(util_linux ύοέʔδʹؚ·Ε·͢) • ޙड़ͷ Network Namespace ͸ ip netns ίϚϯυ͕ ศར • Ͱ͸ Linux ʹ࣮૷͞Ε͍ͯΔ৭ʑͳ Namespace ػೳΛ Έ͍͖ͯ·͠ΐ͏ 25/54

Slide 27

Slide 27 text

৭ʑͳ Namespace Linux ʹ͸ҎԼͷΑ͏ͳ Namespace ͕࣮૷͞Ε͍ͯ·͢ • Mount Namespace • UTS Namespace • PID Namespace • IPC Namespace • Network Namespace • User Namespace • cgroup Namespace Ҏ্ͷ Namespace ͸͍ͣΕ΋ಠཱͯ͠࢖͑·͢ 26/54

Slide 28

Slide 28 text

Mount Namespace • ίϯςφ಺ͷϚ΢ϯτɺϚ΢ϯτૢ࡞Λ෼཭ • Namespace ಺Ͱߦͬͨ mountɺumount ͕ଞͷ Namespace ʹӨڹΛ༩͑ͳ͍Α͏ʹ͢Δ • ִ཭͠ͳ͍Α͏ʹ΋Ͱ͖Δ • ࠷ۙ͸σϑΥϧτͰ͸ִ཭͞Ε͍ͯͳ͍ (systemd ͕ͦͷΑ ͏ʹઃఆ͢ΔͨΊ) ͷͰɺִ཭͢ΔΑ͏ʹઃఆ͠ͳ͚Ε͹ͳΒ ͳ͍ • ͭ·ΓଞͷίϯςφͰߦͬͨϚ΢ϯτૢ࡞͕ݟ͑ͳ͍ 27/54

Slide 29

Slide 29 text

bind Ϛ΢ϯτɺpivot_rootɺmount namespace ͷσϞ • ݟͲ͜Ζ • bind Ϛ΢ϯτ͢Δ͜ͱͰ pivot_root ͕Ͱ͖ΔΑ͏ʹͳΔ • ίϯςφ༻ͷϑΝΠϧγεςϜ಺͚͕ͩݟ͑ΔΑ͏ʹͳΔ • Mount namespace ͷػೳʹΑΓίϯςφ಺ͷϚ΢ϯτͷ ू߹ͱϗετͷϚ΢ϯτͷू߹͸ಠཱ͍ͯ͠Δ 28/54

Slide 30

Slide 30 text

͜͜·ͰͰʜ • ίϯςφͷϑΝΠϧγεςϜִ͕཭͞Ε·ͨ͠ • ͔͠͠ɺଞͷ OS Ϧιʔε͸ϗετ΍ଞͷίϯςφͱڞ༗ͨ͠ ·· • ϓϩηε • ϗετ໊΍υϝΠϯ໊ (UTS) • ωοτϫʔΫ • Ϣʔβ • ʜ • ࣍ʹଞͷϦιʔεΛִ཭͢Δ Namespace Λ঺հ͍͖ͯ͠ ·͠ΐ͏ 29/54

Slide 31

Slide 31 text

UTS Namespace • ίϯςφ͝ͱʹҧ͏ϗετ໊͚͍ͭͨͰ͢ΑͶ? • ͦΜͳͱ͖ʹ࢖͏ Namespace ͕ UTS Namespace • ίϯςφ͝ͱʹҟͳΔϗετ໊ɺυϝΠϯ໊Λ͚ͭΒΕ·͢ • uname(2) ͕ฦ͢஋Λ෼཭ 30/54

Slide 32

Slide 32 text

PID Namespace • ίϯςφ಺ͰͲΜͳϓϩηεΛ࣮ߦ͍ͯ͠Δ͔ɺଞͷίϯςφ ͔Βݟ͑ͨΒΠϠͰ͢ΑͶ? • ίϯςφ͝ͱʹಠཱͯ͠ PID Λ͍࣋ͪͨ • ͦΜͳ࣌࢖͏ Namespace ͕ PID Namespace • ͨͩ͠ɺϗετ (਌ Namespace) ͔Βίϯςφ (ࢠͷ Namespace) ͷϓϩηε͸ݟ͑·͢ 31/54

Slide 33

Slide 33 text

UTS, PID Namespace ͷσϞ • ݟͲ͜Ζ • ίϯςφ಺Ͱ͸ίϯςφ಺ͷϓϩηε͚͕ͩݟ͍͑ͯΔ • ίϯςφ಺Ͱϗετ໊Λม͑ͯ΋ϗετͷϗετ໊͸มΘͬͯ ͍ͳ͍ 32/54

Slide 34

Slide 34 text

Network Namespace • ίϯςφ͝ͱʹಠཱͨ͠ΞυϨε΍ωοτϫʔΫΠϯλʔ ϑΣʔεΛ͍࣋ͪͨ!! • ͦΜͳͱ͖ʹ Network Namespace !! • σόΠε • ΞυϨε • ϙʔτ • ϧʔςΟϯά • ϑΟϧλϦϯά • ιέοτ • ʜ ͕ಠཱͯ࣋ͯ͠·͢ • ୯Ұϗετ্ʹෳ਺ͷωοτϫʔΫΛ࡞ͬͯςετͰ͖ͨΓ ͢Δ 33/54

Slide 35

Slide 35 text

ίϯςφͰΑ͘࢖͏ωοτϫʔΫػೳ ʙ veth • ରͱͳΔΠϯλʔϑΣʔεΛੜ੒͠ɺରͷΠϯλʔϑΣʔεؒ Ͱ௨৴Λߦ͏ʹ L2 ͷτϯωϧ • ରͷΠϯλʔϑΣʔεͷยํΛίϯςφʹ઀ଓʹίϯςφͷ Network Namespace ʹॴଐͤ͞Δ • ΋͏ยํΛϗετ্ͷϒϦοδʹ઀ଓ 34/54

Slide 36

Slide 36 text

Network Namespace ͷσϞ • ݟͲ͜Ζ • Network Namespace ࡞੒௚ޙͷঢ়ଶ • veth ϖΞͷ࡞੒ • ยํͷΠϯλʔϑΣʔεΛ࡞੒ͨ͠ Namespace ʹଐͤ͞ ͨޙͷঢ়ଶ • ΠϯλʔϑΣʔεؒͰ௨৴͕Ͱ͖Δ 35/54

Slide 37

Slide 37 text

User Namespace • ίϯςφ಺ͷ root Ϣʔβͱϗετͷ root Ϣʔβͱಉ͡͡Ό ةݥ!! • ͦΜͳͱ͖ʹ࢖͏ͷ͕ User Namespace!! • ଞͷ Namespace ͸ root ݖݶ͕ඞཁͰ͕͢ɺ͜Ε͚ͩ͸Ұ ൠϢʔβͰ࡞੒Մೳ • ίϯςφ಺ͷ UID,GID Λɺϗετ্ͷ UID,GID ͱϚοϐ ϯά͠·͢ 36/54

Slide 38

Slide 38 text

User Namespace ͷσϞ • ݟͲ͜Ζ • ίϯςφ಺Ͱ͸ root ͕࣮ߦ͍ͯ͠Δϓϩηε͕ɺϗετ্Ͱ ͸ҰൠϢʔβݖݶͰಈ͍͍ͯΔ • ίϯςφ಺Ͱ root ݖݶͰ࡞੒ͨ͠ϑΝΠϧͷΦʔφʔ͕ϗε τ্Ͱ͸ҰൠϢʔβʹͳ͍ͬͯΔ • User Namespace ͸ҰൠϢʔβݖݶͰ࡞ΕΔɻଞͷ Namespace ͸࡞Εͳ͍ • User Namespace ಺Ͱ͸ଞͷ Namespace ͕࡞ΕΔ 37/54

Slide 39

Slide 39 text

ࣗݾ঺հ ࠓ೔ͷ໨ඪ ίϯςφͷ֓ཁ Linux ʹ͓͚Δίϯςφ ίϯςφͷϑΝΠϧγεςϜ Namespace(໊લۭؒ) cgroup ηΩϡϦςΟػೳ ͦͷଞͷػೳ ·ͱΊ 38/54

Slide 40

Slide 40 text

cgroup • ίϯςφ͝ͱʹ෺ཧϦιʔε (ϝϞϦɺCPUɺωοτϫʔΫଳ ҬͳͲ) Λ੍ݶ͍ͨ͠৔߹ʹ࢖͏ • ੍ݶ͢ΔϦιʔε͝ͱʹػೳ͕ఏڙ͞ΕΔͷͰɺ੍ݶ͍ͨ͠΋ ͷ͚ͩ࢖͑͹ྑ͍ • ίϯςφͰͳ͘ී௨ͷϓϩηεʹ΋ద༻Մೳɻ • ෳ਺ͷϓϩηεΛάϧʔϓԽͯ͠ద༻Ͱ͖Δ (ʹίϯςφ) • ৄ͘͠͸ࢀߟࢿྉΛࢀর!! 39/54

Slide 41

Slide 41 text

ࣗݾ঺հ ࠓ೔ͷ໨ඪ ίϯςφͷ֓ཁ Linux ʹ͓͚Δίϯςφ ίϯςφͷϑΝΠϧγεςϜ Namespace(໊લۭؒ) cgroup ηΩϡϦςΟػೳ ͦͷଞͷػೳ ·ͱΊ 40/54

Slide 42

Slide 42 text

ηΩϡϦςΟػೳ • ίϯςφͱ͸ϗετ্Ͱಈ͘୯ͳΔϓϩηε • ίϯςφ্Ͱ࣮ߦ໋ͨ͠ྩ͕ϗετ΍ଞͷίϯςφʹӨڹΛ༩ ͑ΔՄೳੑ͕͋Δ ͦ͜Ͱ • ༷ʑͳಛݖɾ໋ྩͷҰ෦Λ੍ݶͨ͠Γ • ༷ʑͳಛݖɾ໋ྩͷҰ෦ͷΈΛίϯςφʹ༩͑ͨΓͯ͠ ϗετ΍ଞͷίϯςφʹӨڹ͕ٴ͹ͳ͍Α͏ʹ͢Δ 41/54

Slide 43

Slide 43 text

Capability • root ͕࣋ͭಛݖΛࡉ͔͘෼ׂͯ͠༗ޮɾແޮ͕ઃఆͰ͖Δ • ྫ͑͹ʜ • ίϯςφ͔Βউखʹ࣌ؒΛม͑ΒΕͨΒࠔΔ (ίϯςφ಺ͷ࣌ ܭ͸ϗετͱڞ௨Ͱ͢Ͷ) • ࣌ؒΛઃఆͰ͖Δݖݶ (CAP_SYS_TIME) Λແޮʹ • chroot Λൈ͚ΒΕͨΒࠔΔ • chroot Ͱ͖Δݖݶ (CAP_SYS_CHROOT) Λແޮʹ • ίϯςφϥϯλΠϜͰσϑΥϧτͰແޮʹ͢Δ Capability ͕ఆٛ͞Ε͍ͯͨΓ͢Δ • ৄ͘͠͸ man 7 capabilities Λࢀর 42/54

Slide 44

Slide 44 text

seccomp OS ͷػೳΛݺͼग़ͨ͢Ίʹ࢖͏γεςϜίʔϧʹର͢ΔϑΟϧλ Ϧϯά • ಛఆͷγεςϜίʔϧΛڐՄͨ͠Γ • ಛఆͷγεςϜίʔϧΛېࢭͨ͠Γ • ίϯςφϥϯλΠϜͰσϑΥϧτͰڐՄ͢ΔγεςϜίʔϧ͕ ఆٛ͞Ε͍ͯͨΓ͢Δ • ৄ͘͠͸ man 2 seccomp Λࢀর 43/54

Slide 45

Slide 45 text

MAC Mandatory Access Control(ڧ੍ΞΫηε੍ޚ) • Ϧιʔεॴ༗ऀͷઃఆ͢Δݖݶ (DAC) ʹؔΘΒͣɺγεςϜ ؅ཧऀ͕ૢ࡞ର৅Ͱ͋ΔϦιʔεʹΞΫηε੍ޚΛઃఆͰ͖Δ • AppArmor ΍ SELinux ͳͲ • ίϯςφઐ༻ʹԾ૝Խ͞Εͳ͍ɺίϯςφ಺͔Βૢ࡞͞Εͯ͸ ࠔΔϦιʔε΁ͷ੍ݶΛઃఆ͢Δ • ͨͱ͑͹/proc ΍/sys ҎԼͷϑΝΠϧͳͲ 44/54

Slide 46

Slide 46 text

ࣗݾ঺հ ࠓ೔ͷ໨ඪ ίϯςφͷ֓ཁ Linux ʹ͓͚Δίϯςφ ίϯςφͷϑΝΠϧγεςϜ Namespace(໊લۭؒ) cgroup ηΩϡϦςΟػೳ ͦͷଞͷػೳ ·ͱΊ 45/54

Slide 47

Slide 47 text

ͦͷଞͷػೳ ͜Ε·Ͱʹ঺հͨ͠Ҏ֎ʹ΋ Linux Χʔωϧʹ࣮૷͞Ε͍ͯΔ ༷ʑͳػೳ͕ඞཁʹԠͯ͡ར༻͞Ε͍ͯΔ • ωοτϫʔΫ (Ծ૝ΠϯλʔϑΣʔεͳͲ) • ϑΝΠϧγεςϜ (overlayfs ͳͲ) • ϓϩηεͷνΣοΫϙΠϯτɾϦετΞ • ͳͲͳͲʜ 46/54

Slide 48

Slide 48 text

ࣗݾ঺հ ࠓ೔ͷ໨ඪ ίϯςφͷ֓ཁ Linux ʹ͓͚Δίϯςφ ίϯςφͷϑΝΠϧγεςϜ Namespace(໊લۭؒ) cgroup ηΩϡϦςΟػೳ ͦͷଞͷػೳ ·ͱΊ 47/54

Slide 49

Slide 49 text

ࠓ೔આ໌ͨ͜͠ͱͷ·ͱΊ • ίϯςφͱ͸୯ͳΔϓϩηεɻ௨ৗͷىಈͱ͸গ͠ҧ͏ଐੑΛ Ճ͑ͨϓϩηε • Linux Ͱ͸ɺίϯςφ͸Χʔωϧʹ࣮૷͞Ε͍ͯΔ৭ʑͳػ ೳΛ૊Έ߹Θ࣮ͤͯݱ͍ͯ͠Δ • ίϯςφઐ༻ͷϑΝΠϧγεςϜΛݟͤΔͨΊʹ chroot ΍ pivot_root Λ࢖͏ • ίϯςφΛ࣮ݱ͢ΔΩϞͱͳΔػೳ͕ “Namespace(໊લ ۭؒ)” • ίϯςφΛηΩϡΞʹ࣮ߦ͢ΔͨΊʹ༷ʑͳηΩϡϦςΟػೳ ͕࢖ΘΕΔɻ“Capability”ɺ“seccomp”ɺ“MAC” 48/54

Slide 50

Slide 50 text

·ͱΊ • ੈͷதʹଘࡏ͢ΔίϯςφϥϯλΠϜͰ͸ίϯςφΛಈ࡞ͤ͞ ΔͨΊʹ৭ʑͳػೳΛ࢖͍ɺσϑΥϧτͰྑ͍ײ͡Ͱίϯςφ ͕ಈ͘Α͏ʹௐ੔͞Ε͍ͯ·͢ • ࣗ෼͕࢖͍ͬͯΔίϯςφϥϯλΠϜͰ͸ͲͷΑ͏ͳػೳ͕࢖ ΘΕ͍ͯΔͷ͔ɺͲͷΑ͏ͳػೳΛ࢖͏͜ͱ͕Ͱ͖Δͷ͔Λཧ ղ͢Ε͹ɺΑΓద੾ʹίϯςφΛ࢖͏͜ͱ͕Ͱ͖ΔͰ͠ΐ͏ • ࠷ۙͰ͸ɺཁ݅ʹ͋ͬͨඞཁͳػೳ͚ͩΛ࢖ͬͯίϯςφΛ࡞ ΕΔϓϩμΫτ΋͋Γ·͢ (ࢀߟࢿྉࢀর) 49/54

Slide 51

Slide 51 text

த਎Λཧղͯ͠ޮՌతʹɺָ͘͠ɺ҆શʹίϯςφ Λ࢖͍·͠ΐ͏ 50/54

Slide 52

Slide 52 text

͝ਗ਼ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠ 51/54

Slide 53

Slide 53 text

ࢀߟࢿྉ • ίϯςφશൠͷػೳΛཧղ͢ΔͨΊʹ • LXC ͰֶͿίϯςφೖ໳ ʵܰྔԾ૝Խ؀ڥΛ࣮ݱ͢Δٕज़ http://gihyo.jp/admin/serial/01/linux_containers • ࢲͷ͜Ε·Ͱͷߨԋࢿྉ https://speakerdeck.com/tenforward • ίϯςφΛʮकΔʯ࢓૊Έ͔Βத਎Λཧղ͠Α͏!!1 (by @udzura ͞Μ) https://speakerdeck.com/udzura/how-to-be-a- container 52/54

Slide 54

Slide 54 text

ࢀߟࢿྉ • ίϯςφ͕Ͱ͖Δ·ͰͷॲཧΛ௥͏ͨΊʹ • MINCS (γΣϧͰॻ͔Εͨίϯςφ) (by @mhiramat ͞ Μ) https://github.com/mhiramat/mincs • MINCS Ͱ Linux ίϯςφΛ࡞Ζ͏ (MINCS ʹؔ͢Δൃද ࢿྉ) • ֶͭͬͯ͘Ϳ Linux ίϯςφͷཪଆ (by @hayajo ͞Μ) • Go Ͱ࡞Δ Linux ίϯςφ (by @hayajo ͞Μ) • ඞཁͳػೳ͚ͩΛ࢖ͬͯίϯςφΛಈ͔ͨ͢Ίʹ • Haconiwa (mruby Ͱॻ͔Εͨίϯςφ࡞੒ͷͨΊͷ DSL) http://haconiwa.mruby.org/ 53/54

Slide 55

Slide 55 text

ࢀߟࢿྉ • ίϯςφؔ࿈ػೳͷ࣮૷ͳͲΛਂ͘஌Δʹ͸ • Linux Namespaces (Namespace ͷΧʔωϧ಺෦ͷ࣮ ૷ʹؔ͢Δࢿྉ)(by Masami Ichikawa ͞Μ) • cgroup ͋Ε͜Ε (cgroup ͷ಺෦ͷ͓࿩)(by @hiro_kamezawa ͞Μ) • seccomp Λ mruby Ͱࢼ͢ (ϩʔϑΝΠ೔ه) • AppArmor ͱ Docker ͱͦͷଞίϯςφతϓϩηεʹ͍ͭ ͯௐ΂ͨ (ϩʔϑΝΠ೔ه) • ͦͷଞ • ʮίϯςφܕԾ૝Խͷ৘ใަ׵ձʯ ͜Ε·Ͱͷൃදࢿྉ΍ಈը͕ެ։͞Ε͍ͯ·͢ 54/54