Linux コンテナの内部を知ろう / OSC 2018 Kyoto

Transcript

1. Linux ίϯςφͷ಺෦Λ஌Ζ͏
   OSC 2018 Kyoto
   Ճ౻ହจ (@ten_forward)
   2018-08-04
   

   View Slide

2. ࣗݾ঺հ
   ࠓ೔ͷ໨ඪ
   ίϯςφͷ֓ཁ
   Linux ʹ͓͚Δίϯςφ
   ίϯςφͷϑΝΠϧγεςϜ
   Namespace(໊લۭؒ)
   cgroup
   ηΩϡϦςΟػೳ
   ͦͷଞͷػೳ
   ·ͱΊ
   1/54
   

   View Slide

3. ࣗݾ঺հ
   Ճ౻ହจ
   • http://www.ten-forward.ws/
   • @ten_forward
   • http://gplus.to/tenforward
   • https://github.com/tenforward
   • http://tenforward.hatenablog.com/ (ٕज़ϒϩά)
   2/54
   

   View Slide

4. ࣗݾ঺հ (OSSɾίϯςφؔ࿈)
   • Plamo Linux ϝϯςφ
   • LXC ͰֶͿίϯςφೖ໳ɹʔܰྔԾ૝Խ؀ڥΛ࣮ݱ͢Δٕज़
   gihyo.jp Ͱ࿈ࡌ
   3/54
   

   View Slide

5. ࣗݾ঺հ (ίϯςφؔ࿈)
   • LXC/LXD ͷ։ൃʹগ͠ࢀՃ
   • man page ͷ೔ຊޠ༁
   • ެࣜϖʔδ (linuxcontainers.org) ຋༁
   • όάϑΟοΫεͳͲগ͚ͩ͠ίʔυʹ΋ߩݙ
   • LXD ೔ຊޠϝοηʔδ
   • ίϯςφܕԾ૝Խͷ৘ใަ׵ձओ࠻
   4/54
   

   View Slide

6. ࣗݾ঺հ
   ࠓ೔ͷ໨ඪ
   ίϯςφͷ֓ཁ
   Linux ʹ͓͚Δίϯςφ
   ίϯςφͷϑΝΠϧγεςϜ
   Namespace(໊લۭؒ)
   cgroup
   ηΩϡϦςΟػೳ
   ͦͷଞͷػೳ
   ·ͱΊ
   5/54
   

   View Slide

7. ࠓ೔ͷ໨ඪ
   • ίϯςφͷ֓ཁΛཧղ͢Δ
   • Linux ίϯςφ؀ڥΛߏங͢ΔࡍʹΑ͘࢖ΘΕΔٕज़Λཧղ
   ͢Δ
   6/54
   

   View Slide

8. ࠓ೔ͷൃද
   ࠓ೔͸ίϯςφͰΑ͘࢖ΘΕΔػೳͷ͍͔ͭ͘ΛऔΓ্͛ɺ࣮ྫ΍
   σϞΛަ͑ͳ͕Βઆ໌͠·͢ɻίϯςφؔ࿈ػೳΛ໢ཏతʹ஌Γͨ
   ͍৔߹͸
   • LXC ͰֶͿίϯςφೖ໳ ʵܰྔԾ૝Խ؀ڥΛ࣮ݱ͢Δٕज़
   (gihyo.jp)
   • speakerdeck ʹ͋Δࢲͷ OSC ͳͲͷൃදࢿྉ
   • ͦͷଞࢀߟࢿྉ (࠷ޙʹ͍͔ͭ͘঺հ͠·͢)
   ͳͲΛ͝ཡ͍ͩ͘͞ɻ
   7/54
   

   View Slide

9. ࣗݾ঺հ
   ࠓ೔ͷ໨ඪ
   ίϯςφͷ֓ཁ
   Linux ʹ͓͚Δίϯςφ
   ίϯςφͷϑΝΠϧγεςϜ
   Namespace(໊લۭؒ)
   cgroup
   ηΩϡϦςΟػೳ
   ͦͷଞͷػೳ
   ·ͱΊ
   8/54
   

   View Slide

10. ίϯςφͱ͸
    ΧʔωϧͷػೳͰ
    • ִ཭͞ΕۭͨؒͰϓϩηεΛ࣮ߦ͢Δ
    • ʮԾ૝؀ڥʯͱ͍͏ΑΓ͸ʮִ཭͞Εͨ؀ڥʯͱߟ͑ͨํ͕ޡ
    ղ͕ͳ͍
    • ִ཭͞Εͨಉۭؒ͡಺ͰϓϩηεΛͻͱ͚࣮ͭͩߦ͢Δ͜ͱ΋ɺ
    ෳ਺࣮ߦ͢Δ͜ͱ΋Ͱ͖Δ
    • ϓϩηεʹରͯ͠Ϧιʔε੍ݶΛઃఆ͢Δ (ˡࠓ೔͸ܰ͘৮Ε
    ·͢)
    9/54
    

    View Slide

11. ίϯςφͱ͸
    • ͭ·Γ୯ͳΔϓϩηε (or ୯ͳΔϓϩηεͷू߹)
    • ϓϩηεʹʮଐੑʯΛࢦఆ͢Δ
    • ྫ͑͹ʜ
    • ଞͷϓϩηε͔Βݟ͑ͳ͘͢Δ
    • ࣮ߦͰ͖Δૢ࡞ʹ੍ݶΛՃ͑Δ
    • ϓϩηεʹϦιʔε੍ݶΛద༻͢Δ
    • ͳͲͳͲʜ
    • ී௨ʹىಈͨ͠ͷͱ͸νϣοτҧ͏ϓϩηε
    10/54
    

    View Slide

12. ίϯςφͷϝϦοτɾσϝϦοτ
    ͭ·Γ
    • ίϯςφΛىಈ͢Δ ʹ ϓϩηεΛىಈ͢Δ
    • ىಈ͕ૣ͍ʢϓϩηεΛىಈ͢Δͷʹ͔͔Δ͚࣌ؒͩʣ
    • Χʔωϧ͸ϗετ্Ͱಈ͍͍ͯΔΧʔωϧͷΈ
    • Ծ૝Ϛγϯ (VM) ͷΑ͏ʹҟͳΔ OS ͷγεςϜ΍ϓϩάϥ
    Ϝ͸ಈ͔ͤͳ͍ (ΤϛϡϨʔλΛಈ͔ͤ͹Ͱ͖·͕͢)
    • ΧʔωϧʹؔΘΔૢ࡞Λίϯςφ͝ͱʹผʑʹ͸ߦ͑ͳ͍
    11/54
    

    View Slide

13. Linux Ҏ֎ʹ͓͚Δίϯςφ
    • ίϯςφ͸ Linux ಠࣗͷٕज़Ͱ͸͋Γ·ͤΜ
    • Linux Ҏ֎Ͱ΋ίϯςφͷ࣮૷͸͋Γ·͢ͷͰ؆୯ʹ঺հ͠
    ͓͖ͯ·͢
    • FreeBSD jail (ଞʹ VPS ͱ͍͏࣮૷΋͋Δ)
    • Solaris Zones
    • Windows (Windows Server ίϯςφɾHyper-V ίϯ
    ςφ)
    12/54
    

    View Slide

14. ࣗݾ঺հ
    ࠓ೔ͷ໨ඪ
    ίϯςφͷ֓ཁ
    Linux ʹ͓͚Δίϯςφ
    ίϯςφͷϑΝΠϧγεςϜ
    Namespace(໊લۭؒ)
    cgroup
    ηΩϡϦςΟػೳ
    ͦͷଞͷػೳ
    ·ͱΊ
    13/54
    

    View Slide

15. Linux ʹ͓͚Δίϯςφ
    Linux Χʔωϧʹ͸୯Ұͷʮίϯςφʯͱ͍͏ػೳ͕͋ΔΘ͚Ͱ͸
    ͳ͍
    • ৭ʑͳػೳΛ૊Έ߹ΘͤͯʮίϯςφʯΛ࡞Δ
    • ˠ ࣗ෼ʹཉ͍͠ػೳΛ૊Έ߹Θͤͯʮίϯςφʯ͕࡞ΕΔ
    • Docker ΍ LXC/LXD ͳͲͷίϯςφ࣮૷΋ࣗ਎͕ཉ͍͠
    ༷ʑͳػೳΛ૊Έ߹Θͤͯίϯςφ؀ڥΛߏங͍ͯ͠Δ
    ͦΕͰ͸ɺίϯςφͰΑ͘࢖ΘΕΔػೳΛ঺հ͠ͳ͕Βίϯςφ͕
    Ͱ͖Δ·ͰΛݟ͍͖ͯ·͠ΐ͏
    14/54
    

    View Slide

16. ࣗݾ঺հ
    ࠓ೔ͷ໨ඪ
    ίϯςφͷ֓ཁ
    Linux ʹ͓͚Δίϯςφ
    ίϯςφͷϑΝΠϧγεςϜ
    Namespace(໊લۭؒ)
    cgroup
    ηΩϡϦςΟػೳ
    ͦͷଞͷػೳ
    ·ͱΊ
    15/54
    

    View Slide

17. ίϯςφಠࣗͷϑΝΠϧγεςϜ
    ྫ͑͹ʜ
    • ΠϝʔδΛऔಘͯ͠ϗετ OS ͷϑΝΠϧγεςϜ্ʹల։
    ͢Δ
    • Ͱ΋ίϯςφىಈޙ͸औಘͨ͠ΠϝʔδͷσΟϨΫτϦπϦʔ
    ͚͕ͩݟ͍͑ͯΔ
    ͜ΕΛͲͷΑ͏ʹ࣮ݱ͢Δͷ͔Λ͔࣍ΒΈ͍͖ͯ·͠ΐ͏
    16/54
    

    View Slide

18. chroot
    • ΋ͬͱ΋γϯϓϧʹίϯςφઐ༻ͷϑΝΠϧγεςϜ (σΟϨ
    ΫτϦπϦʔ) ΛݟͤΒΕΔ
    • ݟ্͔͚ͷϧʔτσΟϨΫτϦΛมߋ͢Δ
    • ͨͩ͠ɺchroot ͨ͠؀ڥ͔Βൈ͚ग़ͤΔ
    • chroot Ͱ͖ͳ͍Α͏ʹݖݶΛണୣ͢Δඞཁ͕͋Δ
    17/54
    

    View Slide

19. chroot ͷσϞ
    • ΈͲ͜Ζ
    • ৽͍͠ / (root) ʹ͍ͨ͠σΟϨΫτϦʹҠಈͯ͠ chroot
    ίϚϯυΛ࣮ߦ͢Δ͚ͩͷ؆୯͞
    • Ͱ΋ɺ৽ͨͳ / (root) ͔Βൈ͚ͩͤΔ
    18/54
    

    View Slide

20. pivot_root
    • root ϑΝΠϧγεςϜΛऔΓସ͑Δ
    • ϑΝΠϧγεςϜࣗମΛऔΓସ͑ΔͷͰൈ͚ΒΕͳ͍ (ൈ͚Δ
    ͱ͍͏֓೦͕ͳ͍)
    • chroot ʹൺ΂Δͱ੍ݶ͕ଟ͍
    • Docker ΍ LXC ͸ pivot_root Λ࢖༻
    19/54
    

    View Slide

21. pivot_root
    pivot_root ͸৽ͨʹ / (root) ͱ͍ͨ͠σΟϨΫτϦ (Ϛ΢ϯτ
    ϙΠϯτ) ͱίϚϯυ࣮ߦલ࣌఺ͷ / (root) ΛϚ΢ϯτ͢ΔσΟ
    ϨΫτϦ (৽ root ҎԼ) Λࢦఆ͢Δ
    
    pivot_root [৽͍͠ root] [Ҏલͷ root]
    (ྫ) pivot_root . old
    
    ͜ΕͰΧϨϯτσΟϨΫτϦ͕ / (root) ͱͳΓɺҎલͷ/͕./old
    ҎԼʹϚ΢ϯτ͞ΕΔ
    20/54
    

    View Slide

22. bind Ϛ΢ϯτ
    • Ϛ΢ϯτ͍ͯ͠ΔπϦʔͷҰ෦Λผͷ৔ॴʹϚ΢ϯτ͢Δػೳ
    • ϗετͱίϯςφͰσΟϨΫτϦ΍ϑΝΠϧΛڞ༗͢Δࡍʹ΋
    ࢖͍·͢
    21/54
    

    View Slide

23. bind Ϛ΢ϯτ
    • ৽ͨͳ / (root) ʹมߋ͢ΔͨΊʹ pivot_root Λ࢖͏ࡍ
    • ͋ΔσΟϨΫτϦҎԼʹίϯςφΠϝʔδΛల։ͯ͠΋ʮϑΝ
    ΠϧγεςϜʯͰ͸ͳ͍ͷͰ pivot_root Ͱ͖ͳ͍
    • ίϯςφͷ / (root) ͱ͍ͨ͠σΟϨΫτϦΛ bind Ϛ΢ϯτ
    ͢Δͱɺͦ͜͸Ϛ΢ϯτϙΠϯτʹͳΓɺ
    ʮϑΝΠϧγες
    ϜʯͬΆ͘ͳΓ
    • ͜ΕͰ pivot_root Ͱ͖·͢!!
    22/54
    

    View Slide

24. ࣗݾ঺հ
    ࠓ೔ͷ໨ඪ
    ίϯςφͷ֓ཁ
    Linux ʹ͓͚Δίϯςφ
    ίϯςφͷϑΝΠϧγεςϜ
    Namespace(໊લۭؒ)
    cgroup
    ηΩϡϦςΟػೳ
    ͦͷଞͷػೳ
    ·ͱΊ
    23/54
    

    View Slide

25. Namespace
    • ίϯςφͷ OS Ϧιʔε͕ʜ
    • ଞͷίϯςφ΍ϗετ͔Β
    • ݟ͑ͨΓ
    • ૢ࡞Ͱ͖ͨΓ
    • ڞ௨ͩͬͨΓ
    • ͨ͠ΒࠔΓ·͢ΑͶ!! ͦΜͳͷʮִ཭͞Εۭͨؒʯ͡Όͳ͍!!
    • ͦΜͳͱ͖࢖͏ͷ͕ “Namespace(໊લۭؒ)”!!
    • Namespace ͸୯ҰͷػೳͰ͸ͳ͘ɺϦιʔε͝ͱʹ
    Namespace ͕༻ҙ͞Ε·͢
    • Linux ίϯςφͷཁͷػೳ
    24/54
    

    View Slide

26. Namespace ͷઆ໌ͷલʹ
    • ͭ·Γ Namespace ͕ͦ͜ Linux ίϯςφͱݴͬͯ΋ա
    ݴͰ͸ͳ͍
    • ͦΜͳʮLinux ίϯςφʯΛ࠷΋؆୯ʹ࡞Δʹ͸!!
    • Docker Λ࢖͏ͷͰ͸ͳ͘
    • LXC Λ࢖͏ͷͰ΋ͳ͘
    • unshare ίϚϯυ!!(util_linux ύοέʔδʹؚ·Ε·͢)
    • ޙड़ͷ Network Namespace ͸ ip netns ίϚϯυ͕
    ศར
    • Ͱ͸ Linux ʹ࣮૷͞Ε͍ͯΔ৭ʑͳ Namespace ػೳΛ
    Έ͍͖ͯ·͠ΐ͏
    25/54
    

    View Slide

27. ৭ʑͳ Namespace
    Linux ʹ͸ҎԼͷΑ͏ͳ Namespace ͕࣮૷͞Ε͍ͯ·͢
    • Mount Namespace
    • UTS Namespace
    • PID Namespace
    • IPC Namespace
    • Network Namespace
    • User Namespace
    • cgroup Namespace
    Ҏ্ͷ Namespace ͸͍ͣΕ΋ಠཱͯ͠࢖͑·͢
    26/54
    

    View Slide

28. Mount Namespace
    • ίϯςφ಺ͷϚ΢ϯτɺϚ΢ϯτૢ࡞Λ෼཭
    • Namespace ಺Ͱߦͬͨ mountɺumount ͕ଞͷ
    Namespace ʹӨڹΛ༩͑ͳ͍Α͏ʹ͢Δ
    • ִ཭͠ͳ͍Α͏ʹ΋Ͱ͖Δ
    • ࠷ۙ͸σϑΥϧτͰ͸ִ཭͞Ε͍ͯͳ͍ (systemd ͕ͦͷΑ
    ͏ʹઃఆ͢ΔͨΊ) ͷͰɺִ཭͢ΔΑ͏ʹઃఆ͠ͳ͚Ε͹ͳΒ
    ͳ͍
    • ͭ·ΓଞͷίϯςφͰߦͬͨϚ΢ϯτૢ࡞͕ݟ͑ͳ͍
    27/54
    

    View Slide

29. bind Ϛ΢ϯτɺpivot_rootɺmount namespace ͷσϞ
    • ݟͲ͜Ζ
    • bind Ϛ΢ϯτ͢Δ͜ͱͰ pivot_root ͕Ͱ͖ΔΑ͏ʹͳΔ
    • ίϯςφ༻ͷϑΝΠϧγεςϜ಺͚͕ͩݟ͑ΔΑ͏ʹͳΔ
    • Mount namespace ͷػೳʹΑΓίϯςφ಺ͷϚ΢ϯτͷ
    ू߹ͱϗετͷϚ΢ϯτͷू߹͸ಠཱ͍ͯ͠Δ
    28/54
    

    View Slide

30. ͜͜·ͰͰʜ
    • ίϯςφͷϑΝΠϧγεςϜִ͕཭͞Ε·ͨ͠
    • ͔͠͠ɺଞͷ OS Ϧιʔε͸ϗετ΍ଞͷίϯςφͱڞ༗ͨ͠
    ··
    • ϓϩηε
    • ϗετ໊΍υϝΠϯ໊ (UTS)
    • ωοτϫʔΫ
    • Ϣʔβ
    • ʜ
    • ࣍ʹଞͷϦιʔεΛִ཭͢Δ Namespace Λ঺հ͍͖ͯ͠
    ·͠ΐ͏
    29/54
    

    View Slide

31. UTS Namespace
    • ίϯςφ͝ͱʹҧ͏ϗετ໊͚͍ͭͨͰ͢ΑͶ?
    • ͦΜͳͱ͖ʹ࢖͏ Namespace ͕ UTS Namespace
    • ίϯςφ͝ͱʹҟͳΔϗετ໊ɺυϝΠϯ໊Λ͚ͭΒΕ·͢
    • uname(2) ͕ฦ͢஋Λ෼཭
    30/54
    

    View Slide

32. PID Namespace
    • ίϯςφ಺ͰͲΜͳϓϩηεΛ࣮ߦ͍ͯ͠Δ͔ɺଞͷίϯςφ
    ͔Βݟ͑ͨΒΠϠͰ͢ΑͶ?
    • ίϯςφ͝ͱʹಠཱͯ͠ PID Λ͍࣋ͪͨ
    • ͦΜͳ࣌࢖͏ Namespace ͕ PID Namespace
    • ͨͩ͠ɺϗετ (਌ Namespace) ͔Βίϯςφ (ࢠͷ
    Namespace) ͷϓϩηε͸ݟ͑·͢
    31/54
    

    View Slide

33. UTS, PID Namespace ͷσϞ
    • ݟͲ͜Ζ
    • ίϯςφ಺Ͱ͸ίϯςφ಺ͷϓϩηε͚͕ͩݟ͍͑ͯΔ
    • ίϯςφ಺Ͱϗετ໊Λม͑ͯ΋ϗετͷϗετ໊͸มΘͬͯ
    ͍ͳ͍
    32/54
    

    View Slide

34. Network Namespace
    • ίϯςφ͝ͱʹಠཱͨ͠ΞυϨε΍ωοτϫʔΫΠϯλʔ
    ϑΣʔεΛ͍࣋ͪͨ!!
    • ͦΜͳͱ͖ʹ Network Namespace !!
    • σόΠε
    • ΞυϨε
    • ϙʔτ
    • ϧʔςΟϯά
    • ϑΟϧλϦϯά
    • ιέοτ
    • ʜ
    ͕ಠཱͯ࣋ͯ͠·͢
    • ୯Ұϗετ্ʹෳ਺ͷωοτϫʔΫΛ࡞ͬͯςετͰ͖ͨΓ
    ͢Δ
    33/54
    

    View Slide

35. ίϯςφͰΑ͘࢖͏ωοτϫʔΫػೳ ʙ veth
    • ରͱͳΔΠϯλʔϑΣʔεΛੜ੒͠ɺରͷΠϯλʔϑΣʔεؒ
    Ͱ௨৴Λߦ͏ʹ L2 ͷτϯωϧ
    • ରͷΠϯλʔϑΣʔεͷยํΛίϯςφʹ઀ଓʹίϯςφͷ
    Network Namespace ʹॴଐͤ͞Δ
    • ΋͏ยํΛϗετ্ͷϒϦοδʹ઀ଓ
    34/54
    

    View Slide

36. Network Namespace ͷσϞ
    • ݟͲ͜Ζ
    • Network Namespace ࡞੒௚ޙͷঢ়ଶ
    • veth ϖΞͷ࡞੒
    • ยํͷΠϯλʔϑΣʔεΛ࡞੒ͨ͠ Namespace ʹଐͤ͞
    ͨޙͷঢ়ଶ
    • ΠϯλʔϑΣʔεؒͰ௨৴͕Ͱ͖Δ
    35/54
    

    View Slide

37. User Namespace
    • ίϯςφ಺ͷ root Ϣʔβͱϗετͷ root Ϣʔβͱಉ͡͡Ό
    ةݥ!!
    • ͦΜͳͱ͖ʹ࢖͏ͷ͕ User Namespace!!
    • ଞͷ Namespace ͸ root ݖݶ͕ඞཁͰ͕͢ɺ͜Ε͚ͩ͸Ұ
    ൠϢʔβͰ࡞੒Մೳ
    • ίϯςφ಺ͷ UID,GID Λɺϗετ্ͷ UID,GID ͱϚοϐ
    ϯά͠·͢
    36/54
    

    View Slide

38. User Namespace ͷσϞ
    • ݟͲ͜Ζ
    • ίϯςφ಺Ͱ͸ root ͕࣮ߦ͍ͯ͠Δϓϩηε͕ɺϗετ্Ͱ
    ͸ҰൠϢʔβݖݶͰಈ͍͍ͯΔ
    • ίϯςφ಺Ͱ root ݖݶͰ࡞੒ͨ͠ϑΝΠϧͷΦʔφʔ͕ϗε
    τ্Ͱ͸ҰൠϢʔβʹͳ͍ͬͯΔ
    • User Namespace ͸ҰൠϢʔβݖݶͰ࡞ΕΔɻଞͷ
    Namespace ͸࡞Εͳ͍
    • User Namespace ಺Ͱ͸ଞͷ Namespace ͕࡞ΕΔ
    37/54
    

    View Slide

39. ࣗݾ঺հ
    ࠓ೔ͷ໨ඪ
    ίϯςφͷ֓ཁ
    Linux ʹ͓͚Δίϯςφ
    ίϯςφͷϑΝΠϧγεςϜ
    Namespace(໊લۭؒ)
    cgroup
    ηΩϡϦςΟػೳ
    ͦͷଞͷػೳ
    ·ͱΊ
    38/54
    

    View Slide

40. cgroup
    • ίϯςφ͝ͱʹ෺ཧϦιʔε (ϝϞϦɺCPUɺωοτϫʔΫଳ
    ҬͳͲ) Λ੍ݶ͍ͨ͠৔߹ʹ࢖͏
    • ੍ݶ͢ΔϦιʔε͝ͱʹػೳ͕ఏڙ͞ΕΔͷͰɺ੍ݶ͍ͨ͠΋
    ͷ͚ͩ࢖͑͹ྑ͍
    • ίϯςφͰͳ͘ී௨ͷϓϩηεʹ΋ద༻Մೳɻ
    • ෳ਺ͷϓϩηεΛάϧʔϓԽͯ͠ద༻Ͱ͖Δ (ʹίϯςφ)
    • ৄ͘͠͸ࢀߟࢿྉΛࢀর!!
    39/54
    

    View Slide

41. ࣗݾ঺հ
    ࠓ೔ͷ໨ඪ
    ίϯςφͷ֓ཁ
    Linux ʹ͓͚Δίϯςφ
    ίϯςφͷϑΝΠϧγεςϜ
    Namespace(໊લۭؒ)
    cgroup
    ηΩϡϦςΟػೳ
    ͦͷଞͷػೳ
    ·ͱΊ
    40/54
    

    View Slide

42. ηΩϡϦςΟػೳ
    • ίϯςφͱ͸ϗετ্Ͱಈ͘୯ͳΔϓϩηε
    • ίϯςφ্Ͱ࣮ߦ໋ͨ͠ྩ͕ϗετ΍ଞͷίϯςφʹӨڹΛ༩
    ͑ΔՄೳੑ͕͋Δ
    ͦ͜Ͱ
    • ༷ʑͳಛݖɾ໋ྩͷҰ෦Λ੍ݶͨ͠Γ
    • ༷ʑͳಛݖɾ໋ྩͷҰ෦ͷΈΛίϯςφʹ༩͑ͨΓͯ͠
    ϗετ΍ଞͷίϯςφʹӨڹ͕ٴ͹ͳ͍Α͏ʹ͢Δ
    41/54
    

    View Slide

43. Capability
    • root ͕࣋ͭಛݖΛࡉ͔͘෼ׂͯ͠༗ޮɾແޮ͕ઃఆͰ͖Δ
    • ྫ͑͹ʜ
    • ίϯςφ͔Βউखʹ࣌ؒΛม͑ΒΕͨΒࠔΔ (ίϯςφ಺ͷ࣌
    ܭ͸ϗετͱڞ௨Ͱ͢Ͷ)
    • ࣌ؒΛઃఆͰ͖Δݖݶ (CAP_SYS_TIME) Λແޮʹ
    • chroot Λൈ͚ΒΕͨΒࠔΔ
    • chroot Ͱ͖Δݖݶ (CAP_SYS_CHROOT) Λແޮʹ
    • ίϯςφϥϯλΠϜͰσϑΥϧτͰແޮʹ͢Δ Capability
    ͕ఆٛ͞Ε͍ͯͨΓ͢Δ
    • ৄ͘͠͸ man 7 capabilities Λࢀর
    42/54
    

    View Slide

44. seccomp
    OS ͷػೳΛݺͼग़ͨ͢Ίʹ࢖͏γεςϜίʔϧʹର͢ΔϑΟϧλ
    Ϧϯά
    • ಛఆͷγεςϜίʔϧΛڐՄͨ͠Γ
    • ಛఆͷγεςϜίʔϧΛېࢭͨ͠Γ
    • ίϯςφϥϯλΠϜͰσϑΥϧτͰڐՄ͢ΔγεςϜίʔϧ͕
    ఆٛ͞Ε͍ͯͨΓ͢Δ
    • ৄ͘͠͸ man 2 seccomp Λࢀর
    43/54
    

    View Slide

45. MAC
    Mandatory Access Control(ڧ੍ΞΫηε੍ޚ)
    • Ϧιʔεॴ༗ऀͷઃఆ͢Δݖݶ (DAC) ʹؔΘΒͣɺγεςϜ
    ؅ཧऀ͕ૢ࡞ର৅Ͱ͋ΔϦιʔεʹΞΫηε੍ޚΛઃఆͰ͖Δ
    • AppArmor ΍ SELinux ͳͲ
    • ίϯςφઐ༻ʹԾ૝Խ͞Εͳ͍ɺίϯςφ಺͔Βૢ࡞͞Εͯ͸
    ࠔΔϦιʔε΁ͷ੍ݶΛઃఆ͢Δ
    • ͨͱ͑͹/proc ΍/sys ҎԼͷϑΝΠϧͳͲ
    44/54
    

    View Slide

46. ࣗݾ঺հ
    ࠓ೔ͷ໨ඪ
    ίϯςφͷ֓ཁ
    Linux ʹ͓͚Δίϯςφ
    ίϯςφͷϑΝΠϧγεςϜ
    Namespace(໊લۭؒ)
    cgroup
    ηΩϡϦςΟػೳ
    ͦͷଞͷػೳ
    ·ͱΊ
    45/54
    

    View Slide

47. ͦͷଞͷػೳ
    ͜Ε·Ͱʹ঺հͨ͠Ҏ֎ʹ΋ Linux Χʔωϧʹ࣮૷͞Ε͍ͯΔ
    ༷ʑͳػೳ͕ඞཁʹԠͯ͡ར༻͞Ε͍ͯΔ
    • ωοτϫʔΫ (Ծ૝ΠϯλʔϑΣʔεͳͲ)
    • ϑΝΠϧγεςϜ (overlayfs ͳͲ)
    • ϓϩηεͷνΣοΫϙΠϯτɾϦετΞ
    • ͳͲͳͲʜ
    46/54
    

    View Slide

48. ࣗݾ঺հ
    ࠓ೔ͷ໨ඪ
    ίϯςφͷ֓ཁ
    Linux ʹ͓͚Δίϯςφ
    ίϯςφͷϑΝΠϧγεςϜ
    Namespace(໊લۭؒ)
    cgroup
    ηΩϡϦςΟػೳ
    ͦͷଞͷػೳ
    ·ͱΊ
    47/54
    

    View Slide

49. ࠓ೔આ໌ͨ͜͠ͱͷ·ͱΊ
    • ίϯςφͱ͸୯ͳΔϓϩηεɻ௨ৗͷىಈͱ͸গ͠ҧ͏ଐੑΛ
    Ճ͑ͨϓϩηε
    • Linux Ͱ͸ɺίϯςφ͸Χʔωϧʹ࣮૷͞Ε͍ͯΔ৭ʑͳػ
    ೳΛ૊Έ߹Θ࣮ͤͯݱ͍ͯ͠Δ
    • ίϯςφઐ༻ͷϑΝΠϧγεςϜΛݟͤΔͨΊʹ chroot ΍
    pivot_root Λ࢖͏
    • ίϯςφΛ࣮ݱ͢ΔΩϞͱͳΔػೳ͕ “Namespace(໊લ
    ۭؒ)”
    • ίϯςφΛηΩϡΞʹ࣮ߦ͢ΔͨΊʹ༷ʑͳηΩϡϦςΟػೳ
    ͕࢖ΘΕΔɻ“Capability”ɺ“seccomp”ɺ“MAC”
    48/54
    

    View Slide

50. ·ͱΊ
    • ੈͷதʹଘࡏ͢ΔίϯςφϥϯλΠϜͰ͸ίϯςφΛಈ࡞ͤ͞
    ΔͨΊʹ৭ʑͳػೳΛ࢖͍ɺσϑΥϧτͰྑ͍ײ͡Ͱίϯςφ
    ͕ಈ͘Α͏ʹௐ੔͞Ε͍ͯ·͢
    • ࣗ෼͕࢖͍ͬͯΔίϯςφϥϯλΠϜͰ͸ͲͷΑ͏ͳػೳ͕࢖
    ΘΕ͍ͯΔͷ͔ɺͲͷΑ͏ͳػೳΛ࢖͏͜ͱ͕Ͱ͖Δͷ͔Λཧ
    ղ͢Ε͹ɺΑΓద੾ʹίϯςφΛ࢖͏͜ͱ͕Ͱ͖ΔͰ͠ΐ͏
    • ࠷ۙͰ͸ɺཁ݅ʹ͋ͬͨඞཁͳػೳ͚ͩΛ࢖ͬͯίϯςφΛ࡞
    ΕΔϓϩμΫτ΋͋Γ·͢ (ࢀߟࢿྉࢀর)
    49/54
    

    View Slide

51. த਎Λཧղͯ͠ޮՌతʹɺָ͘͠ɺ҆શʹίϯςφ
    Λ࢖͍·͠ΐ͏
    50/54
    

    View Slide

52. ͝ਗ਼ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠
    51/54
    

    View Slide

53. ࢀߟࢿྉ
    • ίϯςφશൠͷػೳΛཧղ͢ΔͨΊʹ
    • LXC ͰֶͿίϯςφೖ໳ ʵܰྔԾ૝Խ؀ڥΛ࣮ݱ͢Δٕज़
    http://gihyo.jp/admin/serial/01/linux_containers
    • ࢲͷ͜Ε·Ͱͷߨԋࢿྉ
    https://speakerdeck.com/tenforward
    • ίϯςφΛʮकΔʯ࢓૊Έ͔Βத਎Λཧղ͠Α͏!!1 (by
    @udzura ͞Μ)
    https://speakerdeck.com/udzura/how-to-be-a-
    container
    52/54
    

    View Slide

54. ࢀߟࢿྉ
    • ίϯςφ͕Ͱ͖Δ·ͰͷॲཧΛ௥͏ͨΊʹ
    • MINCS (γΣϧͰॻ͔Εͨίϯςφ) (by @mhiramat ͞
    Μ) https://github.com/mhiramat/mincs
    • MINCS Ͱ Linux ίϯςφΛ࡞Ζ͏ (MINCS ʹؔ͢Δൃද
    ࢿྉ)
    • ֶͭͬͯ͘Ϳ Linux ίϯςφͷཪଆ (by @hayajo ͞Μ)
    • Go Ͱ࡞Δ Linux ίϯςφ (by @hayajo ͞Μ)
    • ඞཁͳػೳ͚ͩΛ࢖ͬͯίϯςφΛಈ͔ͨ͢Ίʹ
    • Haconiwa (mruby Ͱॻ͔Εͨίϯςφ࡞੒ͷͨΊͷ
    DSL)
    http://haconiwa.mruby.org/
    53/54
    

    View Slide

55. ࢀߟࢿྉ
    • ίϯςφؔ࿈ػೳͷ࣮૷ͳͲΛਂ͘஌Δʹ͸
    • Linux Namespaces (Namespace ͷΧʔωϧ಺෦ͷ࣮
    ૷ʹؔ͢Δࢿྉ)(by Masami Ichikawa ͞Μ)
    • cgroup ͋Ε͜Ε (cgroup ͷ಺෦ͷ͓࿩)(by
    @hiro_kamezawa ͞Μ)
    • seccomp Λ mruby Ͱࢼ͢ (ϩʔϑΝΠ೔ه)
    • AppArmor ͱ Docker ͱͦͷଞίϯςφతϓϩηεʹ͍ͭ
    ͯௐ΂ͨ (ϩʔϑΝΠ೔ه)
    • ͦͷଞ
    • ʮίϯςφܕԾ૝Խͷ৘ใަ׵ձʯ
    ͜Ε·Ͱͷൃදࢿྉ΍ಈը͕ެ։͞Ε͍ͯ·͢
    54/54
    

    View Slide