Upgrade to Pro — share decks privately, control downloads, hide ads and more …

時代が求めたSTNSと僕

Kazuhiko Yamashita
May 14, 2016
Technology
9
21k

 時代が求めたSTNSと僕

第5回ペパボテックカンファレンス〜インフラエンジニア大特集〜

Kazuhiko Yamashita

May 14, 2016
Tweet

More Decks by Kazuhiko Yamashita

See All by Kazuhiko Yamashita
若者とGPTのすべて
pyama86
0
120
Dynamic VM Scheduling
 in OpenStack
pyama86
1
730
GMOペパボにおける大規模インフラのセキュリティ管理
pyama86
1
74
Is Kubernetes On-premises Hardway?
pyama86
2
390
突然のグループ一斉在宅勤務開始!!1に
おける働き方を変革する技術や仕組み
pyama86
4
1k
企業に必要とされている インフラ技術とこれから
pyama86
12
8.3k
「ペパボっぽい」
エンジニアカルチャーを創る
言葉と仕組み
pyama86
20
5.1k
CloudNative Buildpacksで創る、CloudNativeな開発体験
pyama86
9
12k
CN Buildpacksが作る未来
pyama86
2
2.5k

Other Decks in Technology

See All in Technology
社内でChatGPTを利用するためのガイドラインを整備した話
yoshikieguchi
0
690
Enabling Developers in a Multi-Cloud World :: GOTO Aarhus 2023
salaboy
0
110
トラブルシューティングから Linux カーネルに潜り込む
hiboma
7
1.2k
[Journal club] Hyena Hierarchy: Towards Larger Convolutional Language Models
keio_smilab
PRO
1
110
Serverless Framework ユーザーが CDK に引っ越しして感じたハードルについて言語化してみる
hassaku63
0
710
監視からオブザーバビリティへ〜オブザーバビリティの成熟度/From Monitoring to Observability - Maturity of Observability
newrelic2023
0
400
Datadogで実現するセキュリティ オブザーバビリティ
taka2noda
1
120
初学者が1ヶ月ほどAWS CDKを勉強してみた - AWS CDK Conference Japan 2023
sakaguchi
0
570
点群SegmentationのためのTransformerサーベイ
takmin
1
460
Design insights from unit tests @ itkonekt 2023
victorrentea
0
110
Security-JAWS#29 AWS Summit Tokyo 2023 オンデマンド配信を楽しむためのセキュリティ関連トピックご紹介
kthrtty
1
160
とあるQAエンジニアが、マイクロサービスの開発チームと、出会ったーー / Scrum Fest Niigata 2023
yoyakoba
0
110

Featured

See All Featured
The Invisible Side of Design
smashingmag
292
49k
The Mythical Team-Month
searls
211
41k
Thoughts on Productivity
jonyablonski
52
2.9k
Making the Leap to Tech Lead
cromwellryan
118
7.8k
What’s in a name? Adding method to the madness
productmarketing
PRO
14
2.1k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
239
19k
Gamification - CAS2011
davidbonilla
75
4.2k
Creatively Recalculating Your Daily Design Routine
revolveconf
207
11k
Streamline your AJAX requests with AmplifyJS and jQuery
dougneiner
130
8.9k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
123
29k
Side Projects
sachag
450
38k
Into the Great Unknown - MozCon
thekraken
5
480

Transcript

  1. ʙՆͷ೔ͷ1986ʙ
    ࣌୅͕ٻΊͨSTNSͱ๻

    View Slide

  2. hi!
    GMO Pepabo, Inc.
    ϗεςΟϯάࣄۀ෦
    ϜʔϜʔυϝΠϯάϧʔϓ
    γχΞΤϯδχΞ
    @pyama86

    View Slide

  3. blog
    https://ten-snapon.com

    View Slide

  4. Ϣʔβʔ؅ཧ

    View Slide

  5. Α͋͘Δӡ༻
    ɾLDAPͰ؅ཧ
    ɾߏ੒؅ཧπʔϧͰ/etc/passwdͳͲΛ഑෍͢Δ
    ɾrpm΍debͰ഑෍͢Δ
    ɾαʔόϩάΠϯͯ͠useradd pyama

    View Slide

  6. LDAP?

    View Slide

  7. LDAP
    Lightweight Directory Access Protocol

    View Slide

  8. LDAP
    ɾLinuxͷϢʔβʔ؅ཧ͚ͩͰ͸ͳ͘ɺPostfixͷΑ͏
    ͳϝʔϧαʔόɺόοΫΦϑΟεͰར༻͞ΕΔΑ͏
    ͳۈଵ؅ཧγεςϜͳͲͰ΋ରԠ͍ͯ͠Δέʔε͕
    ଟ͍
    Ϣʔβʔଐੑ؅ཧͷܾఆ൛తଘࡏ

    View Slide

  9. user_name:pyama
    user_id:1000
    group_id:1000
    shell:/bin/bash
    home:/home/pyama
    LDAP
    com
    pepabo
    user
    pyama
    ૊৫ͷ֊૚ߏ଄ͱϢʔβʔͷଐੑΛ
    ؅ཧ͢Δ͜ͱ͕ग़དྷΔ

    View Slide

  10. LDAP

    View Slide

  11. Lightweight?

    View Slide

  12. ΍ΕΔ͜ͱ͕ଟ͍ͱ
    ӡ༻ͷෳࡶ͞͸૿͢

    View Slide

  13. LDAPͷڊେԽɾཚཱɾͦͯ͠ઓࠃ࣌୅΁
    ɾLDAP͕৭ʑͳγεςϜͱ࿈ܞ͗ͯ͢͠ɺڊେԽ
    ͠ɺ؅ཧ͕೉͘͠ͳ͖ͬͯͨ
    ɾDevOpsʹΑΔΞϓϦέʔγϣϯΤϯδχΞͷΠϯ
    ϑϥਐग़ɺΞϓϦέʔγϣϯσϓϩΠ͕SSHϕʔε
    Ͱ͋Δ͜ͱ͕ଟ͘ɺσβΠφʔͳͲͷ৬छ΋SSHϩ
    άΠϯ͢Δඞཁ͕ੜ·Εͨ(Ϣʔβʔଐੑͷ૿Ճ)

    View Slide

  14. ݁ՌɺαʔϏε͝ͱʹ
    αʔόཱͯͨΓͯ͠·ͤΜ͔

    View Slide

  15. ؅ཧͱ͸?

    View Slide

  16. ͋ͷ೔ͷԶୡ͕΍Γ͔ͨͬͨ͜ͱ͸
    αʔόʹϩάΠϯͨ͠Γɺ
    σϓϩΠ͍͚ͨͩͩͬͨ͠͸ͣͩ

    View Slide

  17. View Slide

  18. STNS
    ɾGoݴޠͰ࣮૷ͨ͠Linuxϛυϧ΢ΣΞ
    ɾJSONαʔόͱnss,pamϞδϡʔϧͷγεςϜ
    ɾrhel,debian/i386,x86_64ͷύοέʔδϦϙδτϦΛ
    ఏڙ

    View Slide

  19. ίϯηϓτ
    ໊લղܾɺެ։伴औಘɺsudoೝূͷΈΛఏڙ͢Δɻ
    ଟ͘Λ΍Βͣɺγϯϓϧʹอͭ͜ͱͰ؅ཧɺ
    ૊Έ߹ΘͤΛ༰қʹɻ
    ๻ୡͷੈ୅ͷ৽͍͠Ϣʔβʔ؅ཧͷ࢓૊Έ
    https://github.com/STNS/STNS

    View Slide

  20. VS LDAP
    ɾTomlܗࣜͷઃఆϑΝΠϧͰՄಡੑ͕ߴ͍
    ɾLinuxͷϢʔβʔ؅ཧʹಛԽ͍ͯ͠ΔͨΊӡ༻͕
    ൥ࡶʹͳΓͮΒ͍
    ɾ൚༻తͳJSONΠϯλʔϑΣʔεͷͨΊ֦ு͕༰қ
    ɾಋೖָ͕͗ͯ͢5ճ͘Β͍ೖΕͨ͘ͳΔ

    View Slide

  21. ͿͬͪΌ͚LDAP೉͍͠
    https://ten-snapon.com/archives/1055

    View Slide

  22. ΞʔΩςΫνϟ
    STNS
    http(1104)
    process
    libnss-stns
    libpam-stns
    query-wrapper
    key-wrapper
    /user/name/pyama
    {
    name:pyama,
    id: 1000,
    dir:/home/pyama

    }
    αʔόɾΫϥΠΞϯτؒ͸httpΛར༻ͨ͠
    JSONܗࣜͷΠϯλʔϑΣʔε
    ͞Βʹ೚ҙͷwrapperΛར༻Մೳ

    View Slide

  23. ઃఆϑΝΠϧ
    ɾαʔό
    /etc/stns/stns.conf
    ɾΫϥΠΞϯτ
    /etc/stns/libnss_stns.conf
    /etc/nsswitch.conf → ໊લղܾͷ༏ઌॱҐઃఆ
    /etc/ssh/sshd_config → sshdͷઃఆ
    /etc/nscd.conf → ໊લղܾͷΩϟογϡઃఆ

    View Slide

  24. stns.conf(αʔό)
    port = 1104
    include = "/etc/stns/conf.d/*"
    # ϕʔγοΫೝূΛαϙʔτ
    user = "basic_user"
    password = "basic_password"
    [users.example]
    id = 1001
    group_id = 1001
    keys = ["ssh-rsa XXXXX…"]
    [groups.example]
    id = 1001
    users = ["example"]
    [sudoers.example]
    password =
    "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
    hash_type = "sha256"

    View Slide

  25. stns.conf(αʔό)
    stns.conf user.conf
    group.conf
    deploy.conf
    ෳ਺ͷઃఆϑΝΠϧʹ෼ׂ͠ɺ
    ໾ׂ΍૊৫͝ͱʹ؅ཧ͢ΔͱΑ͍

    View Slide

  26. stns.conf(αʔό)
    ɾσϓϩΠϢʔβʔͷఆٛ
    ɾ૊৫ߏ଄Λදݱ͢Δ
    ɾSudoύεϫʔυΛ؅ཧ͢Δ

    View Slide

  27. σϓϩΠϢʔβʔͷ؅ཧ

    View Slide

  28. ΞϓϦέʔγϣϯσϓϩΠ
    [email protected]
    [email protected]
    [email protected]
    /home/deploy/.ssh/authrized_keys
    ʹ֤Ϣʔβʔͷެ։伴Λొ࿥

    View Slide

  29. σϓϩΠϢʔβʔͷ؅ཧ
    ࡢࠓͷWebαʔϏεͰ͸σϓϩΠઐ༻ϢʔβʔΛઃ
    ͚ͯσϓϩΠ͢Δ͜ͱ͕ଟ͍ɻ
    ͔͠͠ɺطଘͷ࢓૊ΈͰ࣮ݱ͢Δʹ͸σϓϩΠϢʔ
    βʔͷ~/.ssh/authorized_keysʹσϓϩΠ͢ΔϢʔ
    βʔͷެ։伴Λฒ΂ͨΓ͢Δඞཁ͕͋ͬͨ

    View Slide

  30. σϓϩΠϢʔβʔͷ؅ཧ
    [users.deploy]
    id = 1000
    group_id = 1000
    link_users = [“foo","bar"]
    [users.foo]
    keys = ["ssh-rsa aaa”]
    [users.bar]
    keys = ["ssh-rsa bbb"]
    deployϢʔβʔͰSSHϩάΠϯ͢Δࡍʹɺlink_usersͰ
    ࢦఆͨ͠Ϣʔβʔͷެ։伴Λར༻͢Δ͜ͱ͕ग़དྷΔ
    →authorized_keysʹॻ͔ͳͯ͘ྑ্͍ʹɺ
    ɹ୭͕σϓϩΠग़དྷΔͷ͔Ұ໨ྎવ

    View Slide

  31. ૊৫ߏ଄Λදݱ͢Δ

    View Slide

  32. ૊৫ߏ଄Λදݱ͢Δ
    ྫ͑͹ɺٕज़1՝ʹॴଐ͢ΔϢʔβʔ͸ɺٕज़෦ͷϢʔ
    βʔͰ΋͋Δɻͱ͋Δαʔόʹٕज़෦ͷϢʔβʔ͸ϩά
    Πϯग़དྷΔΑ͏ʹ͍ͨ͠ɻ

    View Slide

  33. ૊৫ߏ଄Λදݱ͢Δ
    [groups.tech]
    users = ["antipop"]
    link_groups = [“tech-1"]
    [groups.tech-1]
    users = ["pyama"]
    pyama͸tech-1ʹॴଐ͢ΔtechͷϢʔβʔͰ͋Δɻ
    ۩ମతͳར༻γʔϯ͸sshd_configͷAllowGroupsɺ
    sudoersͳͲɺάϧʔϓͰ؅ཧ͢Δ৔߹ʹศརɻ

    View Slide

  34. SudoύεϫʔυΛ
    ؅ཧ͢Δ

    View Slide

  35. sudoύεϫʔυΛ؅ཧ͢Δ
    $ sudo ls
    [sudo] password for pyama:
    nice_guy.txt
    /etc/sudoersͷઃఆʹґଘ͢Δ͕ɺҰൠతʹ͸
    sudo࣮ߦͨ͠ϢʔβʔͷύεϫʔυΛٻΊΒΕΔ

    View Slide

  36. sudoύεϫʔυΛ؅ཧ͢Δ
    [sudoers.example]
    password =
    "f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2"
    hash_type = "sha256"
    /etc/stns/stns.conf
    /etc/pam.d/sudo
    auth sufficient libpam_stns.so sudo example
    ݸผʹϢʔβʔ͝ͱʹύεϫʔυΛ؅ཧ͢ΔखؒΛল͖ɺ
    ෆਖ਼ΞΫηε࣌ʹsudo͞ΕΔ͜ͱΛ๷͙
    (rootύεϫʔυͷ౪ௌରࡦʹ΋)

    View Slide

  37. libnss_stns.conf

    View Slide

  38. libnss_stns.conf(ΫϥΠΞϯτ)
    api_end_point = ["http://:1104", "http://:1104"]
    user = "basic_user"
    password = "basic_password"
    wrapper_path = "/usr/local/bin/stns-query-wrapper"
    chain_ssh_wrapper = "/usr/libexec/openssh/ssh-ldap-wrapper"
    ssl_verify = true

    View Slide

  39. wrapper_path
    STNSͰ͸ΠϯλʔϑΣʔεͷϑΥʔϚοτ͑͞߹ͬ
    ͍ͯΕ͹೚ҙͷόοΫΤϯυΛ࢖༻Մೳɻ
    $ /usr/local/bin/stns-query-wrapper /user/name/pyama
    {
    "pyama": {
    "id": 10301,
    "password": "",
    "hash_type": "",
    "group_id": 2000,
    "directory": "",
    "shell": "",
    "gecos": "",
    "keys": [
    "ssh-rsa xxx"
    ],
    "link_users": null
    }
    }

    View Slide

  40. όοΫΤϯυʹRailsAPIΛར༻͢Δྫ
    process
    libnss-stns
    libpam-stns
    query-wrapper
    key-wrapper
    /user/name/pyama
    {
    name:pyama,
    id: 1000,
    dir:/home/pyama

    }
    Linuxϓϩηεͱͷ΍ΓऔΓ͸STNSΛར༻͠ɺ
    Ϣʔβʔ৘ใ͸RailsͰ؅ཧ͢Δ
    ΋͸΍GoݴޠΛར༻͢Δඞཁ΋ͳ͍

    View Slide

  41. chain_ssh_wrapper
    STNSʹՃ͑ͯଞγεςϜ͔Β΋ެ։伴Λऔಘ
    STNS
    LDAP
    stns-key-wrapper
    ssh-ldap-wrapper
    sshd
    chain_ssh_wrapper = "/usr/libexec/openssh/ssh-ldap-wrapper"
    LDAPͱͷฒߦӡ༻͕Մೳ

    View Slide

  42. ࢖ͬͯΈΔʁ

    View Slide

  43. ಋೖͷखܰ͞
    1ίϚϯυͰϦϙδτϦΛ௥Ճ͠ɺ
    yumɺaptͰ࠷৽൛Λར༻Մೳ

    View Slide

  44. ಋೖͷखܰ͞
    puppetϚχϑΣετɺchefΫοΫϒοΫΛఏڙ
    Ճ͑ͯ೔ຊޠΠϯετʔϧυΩϡϝϯτ
    https://github.com/STNS/STNS/blob/master/docs/install_ja.md

    View Slide

  45. ੑೳධՁ
    ଌఆ؀ڥ
    ɾMacBookAir 13inch
    ɾ1.7GHz Core i7
    ɾϝϞϦ8G
    ্ه؀ڥͰVirtualBoxVMΛCPUίΞ1ɺϝϞϦ1GByte
    Ͱىಈ

    View Slide

  46. ੑೳධՁ
    ςετσʔλΛ1000݅౤ೖ
    require "toml"
    users = Hash.new { |h,k| h[k] = Hash.new(&h.default_proc) }
    (1..1000).each do |n|
    users[:users]["user_#{n}"]["id"] = n
    users[:users]["user_#{n}"]["group_id"] = n
    end
    puts TOML::Generator.new(users).body
    $ ab -k -c 100 -n 100000 http://localhost:11104/user/name/user_1
    abΛར༻͠ɺಉ࣌઀ଓ100Ͱ10ສΞΫηε
    Total transferred: 36600000 bytes
    HTML transferred: 19000000 bytes
    Requests per second: 11543.13 [#/sec] (mean)
    Time per request: 8.663 [ms] (mean)
    Time per request: 0.087 [ms] (mean, across all concurrent requests)
    Transfer rate: 4125.77 [Kbytes/sec] received

    View Slide

  47. ߏ੒ྫ
    nginx
    stns
    nginx
    stns
    keepalived keepalived
    nginxͰSSLΛऴ୺
    ෛՙ෼ࢄͭͭ͠ɺSSLͱϕʔγοΫೝূΛ
    ར༻͠ɺηΩϡΞʹӡ༻͢Δ

    View Slide

  48. ಋೖࣄྫ

    View Slide

  49. GitHub Flow

    View Slide

  50. GitHub FlowͰϢʔβʔ؅ཧ
    thor Λར༻͠Github(GHE)͔Β
    Ϣʔβʔ৘ใɺάϧʔϓ৘ใ
    ެ։伴৘ใΛੜ੒͢Δ
    [users.pyama]
    id = 1000
    group_id =1000
    keys = ["ssh-rsa xxx”]
    [groups.muu-developer]
    id = 1000
    bundle exec thor build

    View Slide

  51. GitHub FlowͰϢʔβʔ؅ཧ
    ࡞੒͞ΕͨtomlϑΝΠϧΛϓϧϦΫΤετ
    ಉ࣌ʹdroneͰ໊લղܾͷςετΛߦ͏
    [users.pyama]
    id = 1000
    group_id =1000
    keys = ["ssh-rsa xxx”]
    [groups.muu-developer]
    id = 1000

    View Slide

  52. GitHub FlowͰϢʔβʔ؅ཧ
    มߋ಺༰ΛϨϏϡʔޙɺCapistranoͰσϓϩΠ
    [users.pyama]
    id = 1000
    group_id =1000
    keys = ["ssh-rsa
    xxx”]
    [groups.muu-

    View Slide

  53. GitHub FlowͰϢʔβʔ؅ཧ
    ɾ։ൃͱಉ͡Α͏ʹϢʔβʔ؅ཧΛߦ͏͜ͱͰ
    ख͔ܰͭਖ਼֬ʹαʔόΞΫηεݖݶΛఏڙ
    ɾGitHubΛར༻͢Δ͜ͱͰূ੻؅ཧ͕༰қʹ
    ɾCIπʔϧͱ૊Έ߹ΘͤΔ͜ͱͰɺಈ࡞Λอূ͢Δ

    View Slide

  54. ·ͱΊ

    View Slide

  55. ๻͕։ൃऀͩ͠࢖ͬͨ΄͏͕͍͍
    1.൥ࡶԽͨ͠Ϣʔβʔ؅ཧΛ΍Γ௚͢खஈͱͯ͠Ͳ
    ͏ͩΖ͏͔
    2.Web։ൃͷΑ͏ʹϢʔβʔ΋σϓϩΠ͢Δͱͳ͔
    ͳ͔ྑ͍

    View Slide

  56. ͦͯ͠ɺ͜Ε͔Βͷ࿩

    View Slide

  57. ࠓޙͷػೳ௥Ճ
    ɾ֎෦APIΛར༻Մೳʹ͢Δ
    ɾύεϫʔυόοΫΤϯυΛ࣮૷ʁ

    View Slide

  58. ֎෦APIར༻
    wrapper-cmd = [“original-command.rb”]
    STNS
    stns-module
    /user/name/pyama
    {
    name:pyama,
    id: 1000,
    dir:/home/pyama

    }
    original-command.rb
    run
    {
    name:pyama,
    id: 1000,
    dir:/home/pyama

    }
    STNSʹϢʔβʔ৘ใΛొ࿥͢Δඞཁ͕ͳ͘ͳΓɺ
    ֎෦γεςϜͱͷ࿈ܞ͕ߋʹՃ଎

    View Slide

  59. ύεϫʔυόοΫΤϯυΛ࣮૷ʁ
    STNS
    stns-module passwd pyama DatabaseͳͲ
    change password
    ΫϥΠΞϯταΠυ͔ΒpasswdͳͲΛར༻͠ɺ
    ύεϫʔυΛมߋՄೳʹ͢Δػೳ
    ๻͕࣮૷ʹফۃతͳͨΊɺੈ࿦ʹҕͶ͍ͨ

    View Slide

  60. ࠓͷ࣌୅ʹ͋ͬͨ
    Ϣʔβ؅ཧΛ

    View Slide

  61. ͝ਗ਼ௌ
    ༗೉͏͍͟͝·ͨ͠

    View Slide

  62. ͜͜Ͱঁੑਞ͔Β࣭໰͕
    ࡴ౸͢Δ

    View Slide