Slide 1
Get to know the internals of Linux containers (Linux コンテナの内部を知ろう)
OSC 2018 Kyoto
Yasufumi Kato (加藤泰文, @ten_forward), 2018-08-04
Slide 2
Agenda
• About me
• Today's goal
• Container overview
• Containers on Linux
• The container's filesystem
• Namespaces
• cgroup
• Security features
• Other features
• Summary
Slide 3
About me: Yasufumi Kato (加藤泰文)
• http://www.ten-forward.ws/
• @ten_forward
• http://gplus.to/tenforward
• https://github.com/tenforward
• http://tenforward.hatenablog.com/ (technical blog)
Slide 4
About me (OSS and container related)
• Plamo Linux maintainer
• Author of the gihyo.jp series "LXC で学ぶコンテナ入門 − 軽量仮想化環境を実現する技術" (An introduction to containers through LXC: the technology behind lightweight virtualized environments)
Slide 5
About me (container related)
• Minor participation in LXC/LXD development
• Japanese translation of the man pages
• Translation of the official site (linuxcontainers.org)
• A few small code contributions such as bug fixes
• Japanese messages for LXD
• Organizer of the container virtualization meetup (コンテナ型仮想化の情報交換会)
Slide 6 (section divider: Today's goal)
Slide 7
Today's goal
• Understand what a container is
• Understand the technologies commonly used when building a Linux container environment
Slide 8
About this talk
Today I pick a few of the kernel features commonly used by containers and explain them with examples and demos. For a comprehensive treatment of container-related features, see:
• the gihyo.jp series "LXC で学ぶコンテナ入門 − 軽量仮想化環境を実現する技術"
• my OSC and other talk decks on speakerdeck
• the other references listed at the end
Slide 9 (section divider: Container overview)
Slide 10
What is a container?
Using kernel features, a container:
• runs processes in an isolated space
• is better thought of as an "isolated environment" than as a "virtual environment"; that avoids misunderstandings
• can run a single process or several processes in the same isolated space
• can have resource limits applied to its processes (touched on only briefly today)
Slide 11
What is a container?
• In other words: just a process (or just a set of processes)
• We attach "attributes" to the process, for example:
  • hide it from other processes
  • restrict the operations it may perform
  • apply resource limits to it
  • and so on
• A process that is slightly different from one started the ordinary way
Slide 12
Pros and cons of containers
Consequently:
• Starting a container = starting a process
• Startup is fast (it takes only as long as starting a process)
• The only kernel is the one running on the host
  • Unlike a virtual machine (VM), you cannot run a different OS's system or programs (you can if you run an emulator)
  • Kernel-level operations cannot be performed separately per container
Slide 13
Containers outside Linux
• Containers are not a Linux-only technology
• Other systems have container implementations too, so a quick mention:
  • FreeBSD jail (there is also an implementation called VPS)
  • Solaris Zones
  • Windows (Windows Server containers and Hyper-V containers)
Slide 14 (section divider: Containers on Linux)
Slide 15
Containers on Linux
The Linux kernel has no single feature called "container".
• A "container" is assembled by combining several features
• → You can combine just the features you want and build your own "container"
• Container implementations such as Docker and LXC/LXD build their container environments by combining the various features they need
So let's walk through the commonly used features and watch a container take shape.
Slide 16 (section divider: The container's filesystem)
Slide 17
A filesystem of the container's own
For example:
• Fetch an image and unpack it somewhere on the host OS's filesystem
• Yet once the container starts, only the directory tree of the unpacked image is visible
Let's see how that is achieved.
Slide 18
chroot
• The simplest way to show a container its own filesystem (directory tree)
• Changes the apparent root directory
• However, a process can break out of a chroot environment
• So the privilege that allows chroot must be taken away from the container (CAP_SYS_CHROOT, see the Capability slide)
Slide 19
chroot demo
• What to watch for:
  • It is as simple as changing into the directory that should become the new / (root) and running the chroot command
  • But you can break back out of the new / (root)
Slide 20
pivot_root
• Swaps the root filesystem itself
• Because the filesystem is swapped, there is nothing to break out to (the notion of "escaping" does not apply)
• Has more constraints than chroot
• Docker and LXC use pivot_root
Slide 21
pivot_root
pivot_root takes the directory (a mount point) that is to become the new / (root) and a directory under that new root onto which the / (root) in effect at the time of the call is moved:
pivot_root [new root] [old root]
Example: pivot_root . old
Afterwards the current directory is / (root) and the previous / is mounted under ./old.
Slide 22
bind mount
• Mounts part of an already mounted tree at another location
• Used to share directories or files between host and container
Slide 23
bind mount
• When pivot_root is used to switch to the new / (root):
  • A container image unpacked under some directory is not a "filesystem", so pivot_root refuses it
  • Bind-mounting the directory that is to become the container's / (root) onto itself turns it into a mount point, which makes it look like a "filesystem"
  • Now pivot_root works!!
Slide 24 (section divider: Namespaces)
Slide 25
Namespace
• If a container's OS resources were
  • visible from,
  • manipulable from, or
  • shared with
  other containers or the host, that would be a problem!! That is not an "isolated space"!!
• The feature for this is the "Namespace"!!
• Namespace is not a single feature; there is a namespace per kind of resource
• The key feature of Linux containers
Slide 26
Before explaining namespaces
• It is no exaggeration to say that namespaces are what make a Linux container
• The easiest way to make such a "Linux container" is
  • not Docker,
  • not LXC,
  • but the unshare command!! (part of the util-linux package)
  • For the Network Namespace covered later, the ip netns command is handy
• Now let's look at the namespaces implemented in Linux
Slide 27
The namespaces
Linux implements the following namespaces:
• Mount Namespace
• UTS Namespace
• PID Namespace
• IPC Namespace
• Network Namespace
• User Namespace
• cgroup Namespace
Each of them can be used independently of the others.
Slide 28
Mount Namespace
• Isolates the container's mounts and mount operations
• mount and umount performed inside the namespace do not affect other namespaces
• Isolation can also be left off deliberately
• Caveat: a new mount namespace starts as a copy of the parent's, and because systemd makes / a shared mount (shared subtrees), mount events still propagate between the two unless you mark the tree private (mount --make-rprivate /); so real isolation has to be configured
• Result: mount operations performed in other containers are not visible
Slide 29
Demo: bind mount, pivot_root, mount namespace
• What to watch for:
  • Bind-mounting makes pivot_root possible
  • Only the container's filesystem is visible afterwards
  • Thanks to the mount namespace, the container's set of mounts and the host's set of mounts are independent
Slide 30
So far...
• The container's filesystem is isolated
• But the other OS resources are still shared with the host and other containers:
  • processes
  • hostname and domain name (UTS)
  • network
  • users
  • ...
• Next, the namespaces that isolate the remaining resources
Slide 31
UTS Namespace
• You want each container to have its own hostname, right?
• The namespace for that is the UTS Namespace
• Each container can get its own hostname and domain name
• Isolates the values returned by uname(2)
Slide 32
PID Namespace
• You would not want other containers to see which processes your container runs, right?
• Each container should have its own independent PID space
• The namespace for that is the PID Namespace
• Note: the host (parent namespace) can still see the processes of the container (child namespace)
Slide 33
Demo: UTS and PID namespaces
• What to watch for:
  • Inside the container only the container's processes are visible
  • Changing the hostname inside the container does not change the host's hostname
Slide 34
Network Namespace
• You want each container to have its own addresses and network interfaces!!
• That is what the Network Namespace is for!!
• Each namespace has its own independent
  • devices
  • addresses
  • ports
  • routing
  • filtering
  • sockets
  • ...
• Lets you build several networks on a single host, for testing for example
Slide 35
A network feature containers use a lot: veth
• Creates a pair of interfaces; traffic between the two ends behaves like an L2 tunnel
• One end is attached to the container, i.e. moved into the container's Network Namespace
• The other end is attached to a bridge on the host
Slide 36
Demo: Network Namespace
• What to watch for:
  • State right after creating the Network Namespace
  • Creating the veth pair
  • State after moving one end into the new namespace
  • The two ends can communicate
Slide 37
User Namespace
• The container's root user being the same as the host's root user is dangerous!!
• That is what the User Namespace is for!!
• The other namespaces need root privileges, but this one can be created by an unprivileged user
• Maps the UIDs and GIDs inside the container to UIDs and GIDs on the host
Slide 38
Demo: User Namespace
• What to watch for:
  • A process run by root inside the container runs with an unprivileged user's rights on the host
  • A file created as root inside the container is owned by the unprivileged user on the host
  • A User Namespace can be created with unprivileged rights; the other namespaces cannot
  • Inside a User Namespace the other namespaces can be created
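A minimal namespace "container" made with unshare(2) directly, which is what the unshare command does, plus the UID/GID mapping arithmetic behind the User Namespace demo, as an added C example that is not part of the original slides. It assumes Linux with unprivileged user namespaces enabled; the hostname `container`, the single-ID mapping and the `idmap` helper names are this example's own, and the sample map `0 100000 65536` is constructed rather than taken from a real host.

```c
/* Added example (not from the slides): a minimal "container" built with
 * unshare(2) and fork(2) as slides 26-38 describe, plus the uid_map/gid_map
 * arithmetic behind the User Namespace demo of slide 38.  Linux only; main()
 * needs no root where unprivileged user namespaces are enabled. */
#include <fcntl.h>
#include <linux/sched.h>        /* CLONE_NEW* flags */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* One line of /proc/PID/uid_map or gid_map: IDs [inside, inside+count) in the
 * namespace correspond to [outside, outside+count) in the parent namespace. */
struct idmap { unsigned inside, outside, count; };

/* Parse the text of a uid_map/gid_map file into `out`.  Returns the number
 * of entries, or -1 on malformed input or when `max` is too small. */
int parse_idmap(const char *text, struct idmap *out, int max) {
    int n = 0;
    const char *p = text;
    while (*p != '\0') {
        unsigned a, b, c;
        int used = 0;
        if (sscanf(p, "%u %u %u%n", &a, &b, &c, &used) != 3) return -1;
        if (n >= max) return -1;
        out[n].inside = a; out[n].outside = b; out[n].count = c;
        n++;
        p += used;
        while (*p == ' ' || *p == '\t' || *p == '\n') p++;
    }
    return n;
}

/* Translate an ID as seen inside the namespace to the parent-namespace ID,
 * or -1 if it is unmapped (such IDs show up as the overflow ID, 65534). */
long host_id_for(const struct idmap *map, int n, unsigned inside) {
    for (int i = 0; i < n; i++)
        if (inside >= map[i].inside && inside - map[i].inside < map[i].count)
            return (long)map[i].outside + (inside - map[i].inside);
    return -1;
}

/* Same, straight from the file text: what "ls -l" on the host shows as the
 * owner of a file created by `inside` in the container (slide 38). */
long host_id_from_map_text(const char *text, unsigned inside) {
    struct idmap map[8];
    int n = parse_idmap(text, map, 8);
    return n < 0 ? -1 : host_id_for(map, n, inside);
}

static int write_file(const char *path, const char *text) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t len = (ssize_t)strlen(text);
    ssize_t w = write(fd, text, (size_t)len);
    close(fd);
    return w == len ? 0 : -1;
}

int main(int argc, char **argv) {
    char map[64], host[64] = "?";
    unsigned uid = getuid(), gid = getgid();
    /* CLONE_NEWUSER is applied first (unshare(2)), so the other namespaces are
     * owned by the new user namespace and need no root: slide 38's "inside a
     * User Namespace the other namespaces can be created". */
    if (syscall(SYS_unshare, CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWUTS |
                             CLONE_NEWIPC | CLONE_NEWPID | CLONE_NEWNET) != 0) {
        perror("unshare"); return 1;
    }
    /* Map root inside to our own IDs outside.  Without CAP_SETUID in the parent
     * namespace only this single-ID mapping is allowed, and gid_map can only be
     * written after setgroups is disabled (user_namespaces(7)). */
    snprintf(map, sizeof map, "0 %u 1\n", uid);
    if (write_file("/proc/self/uid_map", map) != 0) { perror("uid_map"); return 1; }
    if (write_file("/proc/self/setgroups", "deny\n") != 0) { perror("setgroups"); return 1; }
    snprintf(map, sizeof map, "0 %u 1\n", gid);
    if (write_file("/proc/self/gid_map", map) != 0) { perror("gid_map"); return 1; }
    /* The caller keeps its PID; the first child born after unshare(CLONE_NEWPID)
     * becomes PID 1 of the new namespace (slide 32), hence the fork. */
    pid_t child = fork();
    if (child < 0) { perror("fork"); return 1; }
    if (child == 0) {
        if (sethostname("container", 9) != 0) perror("sethostname");   /* UTS, slide 31 */
        if (argc > 1) { execvp(argv[1], argv + 1); perror("execvp"); _exit(127); }
        gethostname(host, sizeof host);
        printf("inside: pid=%d uid=%u gid=%u hostname=%s\n",
               (int)getpid(), (unsigned)getuid(), (unsigned)getgid(), host);
        _exit(0);
    }
    int status;
    if (waitpid(child, &status, 0) < 0) { perror("waitpid"); return 1; }
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

`./a.out` prints `inside: pid=1 uid=0 gid=0 hostname=container`, while `ps` on the host shows the same process under your normal account and the host's hostname is untouched; `./a.out /bin/sh` gives a shell in the new namespaces. Two things to observe there: `ps` inside still lists the host's processes until a fresh procfs is mounted (`mount -t proc proc /proc` works because the child owns its mount namespace), and `ip link` shows only a down loopback, which is where the veth pair of slide 35 would come in.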
Slide 39 (section divider: cgroup)
Slide 40
cgroup
• Used to limit physical resources (memory, CPU, network bandwidth, ...) per container
• A separate controller is provided per resource, so you use only the ones you need
• Applies to ordinary processes too, not only containers
• Several processes can be grouped and the limits applied to the group (= a container)
• See the references for details!!
Slide 41 (section divider: Security features)
Slide 42
Security features
• A container is just a process running on the host
• A command executed inside the container may affect the host or other containers
Therefore:
• restrict some of the privileges and operations, or
• grant the container only a subset of the privileges and operations,
so that nothing reaches the host or other containers.
Slide 43
Capability
• Splits root's privileges into fine-grained pieces that can be enabled or disabled individually
• For example:
  • You do not want a container to change the system time at will (the container's clock is shared with the host)
    • so disable the privilege that sets the time (CAP_SYS_TIME)
  • You do not want anyone breaking out of a chroot
    • so disable the privilege to chroot (CAP_SYS_CHROOT)
• Container runtimes define a set of capabilities that is disabled by default
• See man 7 capabilities for details
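Reading and decoding the capability sets the slide talks about, and dropping CAP_SYS_TIME and CAP_SYS_CHROOT both from the bounding set (what runtimes do at container start) and from the current thread, as an added C example that is not part of the original slides. Linux only; the `/proc/self/status` excerpt is constructed sample data (its mask `00000000a80425fb` is the default capability set of Docker), the function names are this example's own, and the drops need CAP_SETPCAP (bounding set) or simply the capability to be present in the first place (current sets).

```c
/* Added example (not from the slides): read a process's capability sets
 * from /proc/PID/status, check the two capabilities slide 43 names, and
 * drop them the way a runtime does (bounding set) and for the current
 * thread (capset).  Linux only; parsing needs no privileges. */
#include <errno.h>
#include <linux/capability.h>   /* CAP_* numbers, capget/capset structs */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Constructed excerpt of /proc/self/status as seen inside a default Docker
 * container (00000000a80425fb is Docker's default capability set).  Sample
 * data for the tests, not a capture from a real host. */
static const char SAMPLE_STATUS[] =
    "Name:\tsleep\n"
    "Uid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\n"
    "CapAmb:\t0000000000000000\n";

/* Return the mask after "<field>:" (e.g. "CapEff") in status text, or -1 if
 * the field is absent.  Capability masks use at most 41 bits, so -1 is safe. */
long long parse_cap_field(const char *status_text, const char *field) {
    size_t flen = strlen(field);
    for (const char *line = status_text; line != NULL && *line != '\0'; ) {
        if (strncmp(line, field, flen) == 0 && line[flen] == ':')
            return (long long)strtoull(line + flen + 1, NULL, 16);  /* skips the tab */
        line = strchr(line, '\n');
        if (line != NULL) line++;
    }
    return -1;
}

/* 1 if capability number `cap` is present in `mask`, else 0. */
int cap_in_mask(unsigned long long mask, int cap) {
    return cap >= 0 && cap < 64 && ((mask >> cap) & 1ULL) != 0;
}

/* Same lookup for the running process. */
long long self_cap_field(const char *field) {
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_cap_field(buf, field);
}

/* What runtimes do: remove `cap` from the bounding set.  The thread keeps
 * what it already holds, but neither it nor its descendants can regain the
 * capability across execve(), not even from a setuid-root or file-capability
 * binary.  Requires CAP_SETPCAP. */
int drop_from_bounding_set(int cap) {
    return prctl(PR_CAPBSET_DROP, (unsigned long)cap, 0, 0, 0);
}

/* Remove `cap` from the calling thread's permitted, effective and
 * inheritable sets right now, via raw capset(2) so libcap is not needed.
 * Reducing one's own sets is always allowed. */
int drop_from_current_sets(int cap) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    if (cap < 0 || cap >= 32 * _LINUX_CAPABILITY_U32S_3) return -1;
    if (syscall(SYS_capget, &hdr, data) != 0) return -1;
    unsigned bit = 1u << (cap % 32);
    data[cap / 32].effective &= ~bit;
    data[cap / 32].permitted &= ~bit;
    data[cap / 32].inheritable &= ~bit;
    return (int)syscall(SYS_capset, &hdr, data);
}

int main(void) {
    long long eff = self_cap_field("CapEff");
    printf("CapEff=%016llx  SYS_TIME=%d SYS_CHROOT=%d SYS_ADMIN=%d\n", eff,
           cap_in_mask((unsigned long long)eff, CAP_SYS_TIME),
           cap_in_mask((unsigned long long)eff, CAP_SYS_CHROOT),
           cap_in_mask((unsigned long long)eff, CAP_SYS_ADMIN));
    const int drop[] = { CAP_SYS_TIME, CAP_SYS_CHROOT };
    for (size_t i = 0; i < sizeof drop / sizeof drop[0]; i++) {
        if (drop_from_bounding_set(drop[i]) != 0)
            fprintf(stderr, "PR_CAPBSET_DROP(%d): %s\n", drop[i], strerror(errno));
        if (drop_from_current_sets(drop[i]) != 0)
            fprintf(stderr, "capset(%d): %s\n", drop[i], strerror(errno));
    }
    printf("after: CapEff=%016llx CapBnd=%016llx\n",
           self_cap_field("CapEff"), self_cap_field("CapBnd"));
    return 0;
}
```

Worth noticing in the sample mask: CAP_SYS_TIME (bit 25) is absent but CAP_SYS_CHROOT (bit 18) is present, so a default container can still chroot; that is one reason the rootfs switch described on the pivot_root slides does not rely on chroot having been disabled. Run as root, the program shows both drops taking effect in the "after" line; run unprivileged, the bounding-set drop fails with EPERM while the capset drop is a no-op on already-empty sets.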
Slide 44
seccomp
Filtering of the system calls a process uses to invoke OS functionality
• Allow specific system calls, or
• Forbid specific system calls
• Container runtimes define a set of system calls that is allowed by default
• See man 2 seccomp for details
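A seccomp-bpf filter of the "forbid specific system calls" kind, built from raw classic BPF so nothing beyond the kernel headers is needed, with a tiny interpreter that lets the policy be checked offline before any process is put behind it, as an added C example that is not part of the original slides. Linux only; the deny list (chroot, settimeofday, clock_settime) mirrors the two examples on the Capability slide and is this example's choice, as are the function names.

```c
/* Added example (not from the slides): the "forbid these syscalls, allow
 * the rest" seccomp-bpf filter slide 44 describes, applied to slide 43's two
 * examples (clock, chroot), plus a tiny classic-BPF interpreter to check the
 * filter offline.  Linux only; x86_64, aarch64 and i386 as written. */
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#  define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define ARCH_NR AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#  define ARCH_NR AUDIT_ARCH_I386
#else
#  error "add the AUDIT_ARCH_* constant for this architecture"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS          /* headers older than Linux 4.14 */
#  define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* Syscalls this demo refuses.  Numbers differ per architecture, which is why
 * the filter checks seccomp_data.arch before looking at the number. */
static const int DENIED[] = { SYS_chroot, SYS_settimeofday, SYS_clock_settime };
#define NDENIED (sizeof DENIED / sizeof DENIED[0])

/* Emit: kill on foreign arch; load nr; return errno `err` for each denied nr;
 * allow everything else.  4 + 2*n + 1 instructions; returns the count or -1
 * if `prog` cannot hold them. */
int build_deny_filter(struct sock_filter *prog, size_t max,
                      const int *denied, size_t n, int err) {
    size_t i = 0;
    if (prog == NULL || max < 5 + 2 * n) return -1;
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t j = 0; j < n; j++) {
        prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)denied[j], 0, 1);
        prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (err & SECCOMP_RET_DATA));
    }
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return (int)i;
}

/* Just enough classic BPF (LD|W|ABS, JEQ|K, RET|K) to run the filters built
 * above against a constructed seccomp_data.  Returns the SECCOMP_RET_* value. */
unsigned run_filter(const struct sock_filter *prog, size_t n, const struct seccomp_data *d) {
    unsigned acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k + 4 > sizeof *d) return SECCOMP_RET_KILL_PROCESS;
            memcpy(&acc, (const char *)d + in->k, 4);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;   /* offsets are relative to the next instruction */
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;           /* opcode this toy does not implement */
        }
    }
    return SECCOMP_RET_KILL_PROCESS;                   /* ran off the end; the kernel rejects such programs */
}

/* Decide one syscall under this demo's deny list without installing anything. */
unsigned demo_decide(int nr, unsigned arch) {
    struct sock_filter prog[5 + 2 * NDENIED];
    struct seccomp_data d;
    memset(&d, 0, sizeof d);
    d.nr = nr;
    d.arch = arch;
    int len = build_deny_filter(prog, 5 + 2 * NDENIED, DENIED, NDENIED, EPERM);
    return len < 0 ? SECCOMP_RET_KILL_PROCESS : run_filter(prog, (size_t)len, &d);
}

/* Install for the calling process and everything it forks or execs.
 * PR_SET_NO_NEW_PRIVS is mandatory for unprivileged callers. */
int install_deny_filter(void) {
    struct sock_filter prog[5 + 2 * NDENIED];
    int len = build_deny_filter(prog, 5 + 2 * NDENIED, DENIED, NDENIED, EPERM);
    if (len < 0) return -1;
    struct sock_fprog fp = { .len = (unsigned short)len, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fp);
}

int main(int argc, char **argv) {
    printf("offline: chroot -> 0x%08x, getpid -> 0x%08x\n",
           demo_decide(SYS_chroot, ARCH_NR), demo_decide(SYS_getpid, ARCH_NR));
    if (install_deny_filter() != 0) { perror("seccomp"); return 1; }
    if (chroot("/") != 0)          /* refused by the filter before it reaches the VFS, root or not */
        printf("chroot(\"/\") with filter: %s\n", strerror(errno));
    if (argc > 1) { execvp(argv[1], argv + 1); perror("execvp"); return 127; }
    return 0;
}
```

`./a.out` prints the offline decisions, installs the filter and shows `chroot("/")` failing with "Operation not permitted" even as root; `./a.out /bin/sh` gives a shell under the filter, which is inherited across fork and execve. Real runtimes ship allow-lists (the "system calls allowed by default" the slide mentions) rather than a deny-list like this one, and in either form the architecture check must come before any number comparison, otherwise a binary of another ABI could reach the same kernel function under a different syscall number.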
Slide 45
MAC: Mandatory Access Control
• Lets the system administrator set access controls on the resources a process may operate on, regardless of the permissions set by the resource owner (DAC)
• AppArmor, SELinux and others
• Used to restrict resources that are not virtualized per container and that a container must not be allowed to operate on
• For example files under /proc and /sys
Slide 46 (section divider: Other features)
Slide 47
Other features
Besides those introduced so far, various other features implemented in the Linux kernel are used as needed:
• networking (virtual interfaces, etc.)
• filesystems (overlayfs, etc.)
• process checkpoint/restore
• and so on
Slide 48 (section divider: Summary)
Slide 49
Summary of what was covered today
• A container is just a process: a process started with slightly different attributes than usual
• On Linux a container is realized by combining several features implemented in the kernel
• chroot or pivot_root is used to show the container a filesystem of its own
• The key feature that makes containers possible is the "Namespace"
• Various security features are used to run containers securely: Capability, seccomp, MAC
Slide 50
Summary
• The container runtimes out there use many kernel features to run containers, tuned so that containers work well with the defaults
• If you understand which features your runtime uses and which ones are available, you can use containers more appropriately
• Recently there are also products that let you build a container from just the features your requirements call for (see the references)
Slide 51
Understand the internals, and use containers effectively, enjoyably and safely.
Slide 52
Thank you for listening.
Slide 53
References
• To understand container features in general:
  • "LXC で学ぶコンテナ入門 − 軽量仮想化環境を実現する技術" (An introduction to containers through LXC): http://gihyo.jp/admin/serial/01/linux_containers
  • My past talk decks: https://speakerdeck.com/tenforward
  • "Understand containers from the mechanisms that protect them" (by @udzura): https://speakerdeck.com/udzura/how-to-be-a-container
Slide 54
References
• To follow the steps of building a container:
  • MINCS, a container implementation written in shell (by @mhiramat): https://github.com/mhiramat/mincs
  • "Building Linux containers with MINCS" (talk about MINCS)
  • "Learn by building: behind the scenes of Linux containers" (by @hayajo)
  • "Building Linux containers in Go" (by @hayajo)
• To run a container with only the features you need:
  • Haconiwa, a DSL written in mruby for building containers: http://haconiwa.mruby.org/
Slide 55
References
• To dig into how the container-related features are implemented:
  • "Linux Namespaces" (on the kernel-side implementation of namespaces), by Masami Ichikawa
  • "cgroup あれこれ" (odds and ends on cgroup internals), by @hiro_kamezawa
  • "Trying seccomp with mruby" (ローファイ記 blog)
  • "A look at AppArmor, Docker and other container-like processes" (ローファイ記 blog)
• Other:
  • コンテナ型仮想化の情報交換会 (the container virtualization meetup): slides and videos of past talks are published