コンテナは友だち！ /friends-who-are-good-at-containers

Transcript

1. ා͘ͳ͍γεςϜϓϩάϥϛϯά ۙ౻Ӊஐ࿕
   
   (.0
   1FQBCP
   *OD
   
   ৽ଔΤϯδχΞ࠲ֶ ίϯςφ͸༑ͩͪʂ

2. ΤϯδχΞ ۙ౻Ӊஐ࿕
   !VE[VSB ٕज़෦ٕज़ج൫νʔϜ ޷͖ͳϥʔϝϯ͸ΒʔΊΜ޻๪ཾ (.0ϖύϘॴଐ

3. ࠓ೔ͷΞδΣϯμ w
   ϓϩηεͱ͸ԿͩΖ͏ʁ
   w
   ίϯςφͱ͸ԿͩΖ͏ʁ
   w
   ΈΜͳ΋ίϯςφʹͳͬͯΈΑ͏ʁʁʁ

4. ϓϩηεͱ͸ʁ

5. 'SPN෼ް͍ຊ w-*/69ϓϩάϥϛϯάΠϯλʔϑΣʔε
 
   ΦϥΠϦʔ ͜ͷதͰ΋Ұ൪෼ް͍ຊ

6. ϓϩηεͱ͸ϓϩάϥϜͷ࣮ߦதͷ࢟Ͱ͢
   ʮϓϩηεͱ͸ɺϓϩάϥϜͷ࣮ߦʹඞཁ ͳγεςϜϦιʔεΛׂΓ౰ͯΔͨΊɺΧʔ ωϧ͕ఆٛ͢Δந৅ΤϯςΟςΟͰ͋Δʯͱ ΋ݴ͍׵͑ΒΕ·͢ɻ ʰ-JOVYϓϩάϥϛϯάΠϯλʔϑΣʔεʱষ
   ϓϩηε

7. ϓϩηεͱ৮Ε߹͏ wʮϓϩάϥϜͷ࣮ߦʹඞཁͳϦιʔεʯΛ೷͍ͯΈΔ
   wͦΕ͕ɺ͢ͳΘͪϓϩηεଐੑͰ΋͋Δ
   wྫ
   w 1*%ɺ਌1*%
   w εςʔλεʢ࣮ߦՄೳɺ*0଴ͪɺʣ
   w ؀ڥม਺
   

   w ϑΝΠϧσΟεΫϦϓλςʔϒϧ w 6TFS*%(SPVQ*%
   w ݖݶʢ,FSOFM
   $BQBCJMJUZʣ
   w ΧϨϯτσΟϨΫτϦ
   w ϝϞϦϚοϐϯά

8. TUSVDU
   UBTL@TUSVDU

9. QSPD
   
   QSPDGT wγεςϜ΍ϓϩηεͷ৘ใΛऔಘͰ͖ΔಛघϑΝΠϧγεςϜ
   wQSPD
   ͷԼʹ࠷ॳ͔ΒϚ΢ϯτ͞Ε͍ͯΔ৔߹͕ଟ͍ɻ
   wϚ΢ϯτ͞Ε͍ͯͳ͍ͱ࢖͑ͳ͍πʔϧ΋͋ΔʢQTɺUPQͦͷଞʣ

10. த਎ΛݟͯΈΑ͏ wԋश
    
    ௕͘ଘࡏ͢ΔΑ͏ͳϓϩηεΛ࡞ͬͯΈΑ͏ɻ
    w 
    ͦͷϓϩηεͷ1*%Λಛఆ͠Α͏ɻ
    w 
    ͦͷϓϩηεʹ͍ͭͯɺҎԼͷ৘ใΛऔಘͯ͠ΈΑ͏ɻ
    

    w 
    ΧϨϯτσΟϨΫτϦ
    IJOU
    QSPD1*%DXE
    w 
    ؀ڥม਺
    IJOU
    QSPD1*%FOWJSPO
    w 
    ϝϞϦϚοϐϯά
    IJOU
    QSPD1*%NBQT
    w 
    εϨουͷ਺
    IJOU
    QSPD1*%UBTL

11. ίϯςφͱ͸ʁ

12. Ծ૝ԽͷछྨʢҰྫʣ wϋΠύʔόΠβܕʢωΠςΟϒϋΠύʔόΠβʣ
    wઐ༻ͷ04΍ɺ-JOVY
    ,FSOFMࣗମΛϋΠύʔόΠβͱͯ͠࢖͍ɺͦͷ ্Ͱ04Λ૸ΒͤΔ
    wϗετ04ܕʢϗετϋΠύʔόΠβʣ
    w൚༻తͳ04ͷ্ʹɺ7JSUVBM#PYͷΑ͏ͳԾ૝ԽͷͨΊͷઐ༻ιϑτ ΢ΣΞΛೖΕͯ૸ΒͤΔ
    wίϯςφܕ
    ˠ
    

13. ίϯςφͱ͸ wখ͞ͳಠཱͨ͠؀ڥΛɺҰͭͷ04ͷ্ʹ࡞Δٕज़ɻ
    wͨͩ͠ɺԾ૝Խٕज़ͷΑ͏ʹѻΘΕΔ͕ɺԿ͔ΛԾ૝తʹ࡞͍ͬͯΔ ͱ͍͏͜ͱͰ͸ͳ͍

14. ίϯςφ͸
    ಛघͳϓϩηεͰ͋Δ

15. ͜Ε͚֮ͩ͑ͯؼͬͯ͘Εʂʂ̍

16. ίϯςφͷ࣮૷ w%PDLFS
    
    (PMBOH੡ɻ,VCFSOFUFTͳͲͱ࿈ܞ͠ɺঃʑʹ׆༻γʔϯ ͕޿·͍ͬͯΔ
    w-9$-9%
    
    ΧʔωϧͷίϯςφϨϑΝϨϯε࣮૷తཱͪҐஔɻ$੡
    w)BDPOJXB
    
    NSVCZ
    
    $
    ݴޠͰͰ͖ͨίϯςφɻ3VCZͷ%4-Ͱίϯ ςφΛఆٛͰ͖Δɻ(.0ϖύϘͱ͍͏ձ͕ࣾϚωʔδυΫϥ΢υͷ όοΫΤϯυʹ࠾༻͠࿩୊ʹɻ

17. ίϯςφ͸Ͳ͏΍ͬͯ࡞ΒΕ͍ͯΔ͔ wࠓ͋͛ͨ-JOVYίϯςφͷ࣮૷Ͱ͸ɺجຊతʹಉ͡ΧʔωϧͷػೳΛ ૊Έ߹Θͤͯɺʮখ͘͞ಠཱͨ͠؀ڥʯΛ࡞͍ͬͯΔɻ
    wͦͷػೳ͕ద༻͞Ε͍ͯΔ͔͍ͳ͍͔͸ɺϓϩηεͷଐੑͰ΋͋Δͷ Ͱɺ
    QSPD
    ͷԼͳͲ͔Β֬ೝ͢Δ͜ͱ͕Ͱ͖·͢

18. %PDLFSͰίϯςφΛ࡞ͬͯΈΑ͏

19. QSPD1*%OT
    ͷԼΛݟͯΈΑ͏

20. ͜Ε͸ɺଞͷϓϩηεͱҧ͍ͬͯΔ wͱ͍͏͜ͱΛ֬ೝ͢Δ

21. ͜Ε͸ɺଞͷϓϩηεͱҧ͍ͬͯΔ wͱ͍͏͜ͱΛ֬ೝ͢Δ ◀ ◀ ◀ ◀ ◀

22. -JOVY
    /BNFTQBDF

23. -JOVY
    /BNFTQBDF
    ͱ͸ wΧʔωϧ͸ɺάϩʔόϧͰ؅ཧ͍ͯ͠ΔϦιʔε͕ͨ͘͞Μ͋Δɻ
    wͦ͏͍͏Ϧιʔεͷ͏ͪҰ෦͸ɺ໊લۭؒΛ੾ͬͯɺಛఆͷϓϩηε ͨͪͷͨΊʹผͷϦιʔεΛ֬อ͢Δ͜ͱ͕Ͱ͖Δ
    w654
    /BNFTQBDF
    
    ϗετ໊ͳͲ
    w1*%
    /BNFTQBDF
    
    ϓϩηε*%
    w/FUXPSL
    /BNFTQBDF
    
    ωοτϫʔΫઃఆʢ/*$ଞʣ
    wͳͲͳͲɻ࠷৽ͷ-JOVYͰ͸ਓͷࣆͭͷ/BNFTQBDF

24. QSPD1*%OT
    ͱ͸ wʮͦͷϓϩηε͕ॴଐ͢Δ/BNFTQBDFΛදݱ͢ΔϑΝΠϧʯΛ
 ݟ͚ͭΔ͜ͱ͕Ͱ͖ΔσΟϨΫτϦ
    w͋Δϓϩηεͱɺผͷϓϩηε͕ҧ͏ϑΝΠϧʢJOPEF൪߸ʣΛ
 ͍ࠩͯ͠Ε͹ɺͦͷϓϩηεͨͪ͸ผʑͷ໊લۭؒʹ͍ΔͶɺ
 ͱ֬ೝͰ͖Δ

25. DHSPVQ

26. QSPD1*%DHSPVQ
    ͱ͍͏ϑΝΠϧ wͳʹ΍Βಛघͳจࣈྻ͕ॻ͔Ε͍ͯΔ

27. ࣮ࡍͷσΟϨΫτϦʹରԠ͢Δ wTZTGTDHSPVQ
    ͱ͍͏ͱ͜ΖΛௐ΂Δͱ

28. ͜Ε͕DHSPVQ wDHSPVQ͸ɺ΋ͱ΋ͱϓϩηεΛάϧʔϐϯά͢ΔͨΊͷػೳɻ
    wϓϩηεͷάϧʔϓຖʹɺ$16ͷར༻཰Ͱ͋ͬͨΓɺϝϞϦͰ͋ͬͨ Γɺ1*%ͷ਺Ͱ͋ͬͨΓɺͷ੍ݶΛ͔͚Δ͜ͱ͕Ͱ͖Δɻ͋Δ͍͸ɺ άϧʔϓผͷར༻ঢ়گΛ֬ೝͨ͠Γ΋Ͱ͖Δ
    wDHSPVQʹؔ͢Δૢ࡞͸ɺ
    DHSPVQGT
    ͱ͍͏ಛघϑΝΠϧγεςϜΛ ܦ༝ͯ͠Ͱ͖Δ

29. ࣮ࡍͷ੍ݶΛ֬ೝ •docker run --pids-limit=128 -ti debian:jessie /bin/bash wͷΑ͏ͳίϚϯυͰɺϓϩηε਺ͷDHSPVQ੍ݶΛ͔͚ΒΕΔ
    w͜ͷγΣϧͰɺ
    GPSL
    CPNC
    ߈ܸΛͯ͠΋ɺؼͬͯ͘Δ

30. None

31. ΈΜͳ΋ίϯςφʹ
    ͳͬͯΈΑ͏ʁʁʁ

32. ͜͜·Ͱͷ·ͱΊ wίϯςφ͸ͨͩͷ ϓϩηεɻා͘ͳ͍Αʂ

33. ͱ͍͏͜ͱͰ wίϯςφΛܰʙ͘ϋϯυϝΠυͯ͠Έ·͠ΐ͏͔ɻ

34. 
    ಠཱͨ͠SPPUʹ͸͍Δ wEFCPPUTUSBQ
    ͱݴ͏ίϚϯυͰɺ%FCJBOͷϑΝΠϧγεςϜ͚ͩΛ
 ४උͰ͖Δɻ
    wDISPPU
    ͱݴ͏ίϚϯυͰɺͦͷதʹೖΔ͜ͱ͕Ͱ͖·͢
    w ࣮͸%PDLFSͳ͠Ͱ΋ɺ6CVOUV౳ͷதͰ%FCJBO؀ڥΛಘΔ͜ͱ͸Ͱ͖Δ mkdir /root/7th-engineer debootstrap

    --variant=minbase \ jessie \ /root/7th-engineer \ http://ftp.jp.debian.org/debian
35. None

36. 
    /BNFTQBDFΛ෼཭͢Δ wVOTIBSFͱݴ͏ίϚϯυΛ࢖͏ͱͰ͖Δ
    •unshare --fork --pid --mount --uts wͷΑ͏ʹͯ͠ɺ1*%
    OBNFTQBDFɺ.PVOU
    /BNFTQBDFɺ654
    /BNFTQBDFΛ෼཭Ͱ͖Δ

37. 
    DHSPVQ
    ͷ੍ݶΛ͔͚Δ w৽͍͠DHSPVQ͸ɺ
 NLEJSͳͲͰ؆୯ʹ࡞ΕΔ
    wࣗ෼Λॴଐͤ͞Δʹ͸ɺ
    UBTLT
    ͱ͍͏ϑΝΠϧʹࣗ෼ͷ1*%Λॻ͖ࠐ Ί͹0,ɻ
    •echo $$ > /sys/fs/cgroup/cpu/7th-engineer/tasks

38. 
    Ұ࿈ͷॲཧΛͭͳ͛Δɻॱ൪஫ҙ mkdir -p /sys/fs/cgroup/cpu/7th-engineer unshare --fork --pid --mount --uts

    echo $$ > /sys/fs/cgroup/cpu/7th-engineer/tasks chroot /root/7th-engineer cd / mount -t proc proc /proc hostname 7th-engineer.example bash -l ʮ͓·͡ͳ͍ʯతॲཧΛ௥Ճɻ্͔Βೖྗ࣮ͯ͠ߦͯ͠ΈΑ͏

39. ͜Ε͸ίϯςφʁ wγεςϜ͕%FCJBOͰ͋Δ
    wϓϩηε͕ಠཱ͍ͯ͠Δ
    wϗετ໊΋ҧ͏

40. ԋशͦͷ w 
    ઌ΄Ͳͷʮࣗ࡞ίϯςφʯʹ͍ͭͯɺ
 ผͷλʔϛφϧ͔ΒϗετʹೖΓɺҎԼΛ͔֬ΊͯΈΑ͏ɻ
    w 
    ϗετ͔Βݟͯίϯςφ͕ʮϓϩηεʯͰ͋Δ͜ͱ
    w 

    
    1*%ɺ.PVOUɺ654
    /BNFTQBDF͕෼཭͍ͯ͠Δ͜ͱ
    w 
    ίϯςφ಺Ͱ$16Λ͍͘Β࢖ͬͯ΋ɺϗετͷ$16Λ͔͠ ࢖Θͳ͘ͳΔΑ͏ɺDHSPVQΛઃఆͯ͠ΈΑ͏ɻ·ͨɺ֬ೝ͠Α͏
 IJOU
    IUUQTBDDFTTSFEIBUDPNEPDVNFOUBUJPOKB+13FE@)BU@&OUFSQSJTF@-JOVY IUNM3FTPVSDF@.BOBHFNFOU@(VJEFTFDDQVIUNM
    

41. ·ͱΊ

42. ֮͑ͱ͘͜ͱͭ w-JOVYʹ͓͍ͯ͸ɺϓϩηεʹؔ͢Δͨ͘͞Μͷ৘ใ͕
    QSPD
    ͷԼʹ ͋Δ͜ͱ
    w-JOVYίϯςφ͸ɺΧʔωϧͷϦιʔεʮ෼཭ʯͱʮ੍ݶʯͷػೳΛ ࢖ͬͨϓϩηεͰ͋Δ͜ͱ

43. ֮͑ͱ͘͜ͱͭ w-JOVYʹ͓͍ͯ͸ɺϓϩηεʹؔ͢Δͨ͘͞Μͷ৘ใ͕
    QSPD
    ͷԼʹ ͋Δ͜ͱ
    w-JOVYίϯςφ͸ɺΧʔωϧͷϦιʔεʮ෼཭ʯͱʮ੍ݶʯͷػೳΛ ࢖ͬͨϓϩηεͰ͋Δ͜ͱ
    wͲΜͳʹ೉ͦ͠͏ͳπʔϧͰ΋ɺ୭͔͕ॻ͍ͨ΋ͷͰ͋Γɺ
 ͦͯ͠044Ͱ͋ΔݶΓ͸த਎Λਂ͘஌Δ͜ͱ͕Ͱ͖Δͱ͍͏͜ͱ

44. ࠓ೔࿩͞ͳ͔ͬͨ͜ͱ wίϯςφؔ࿈ͷͦͷଞͷػೳͷօ͞Μ
    wQJWPU@SPPU
    w,FSOFM
    $BQBCJMJUZ
    w3FTPVSDF
    -JNJU SMJNJU
    wTFDDPNQ#1'
    w."$ 4&-JOVY"QQ"SNPS

    ΍-JOVY
    4FDVSJUZ
    .PEVMFT -4.
    

45. ͞ΒͳΔਂΈ w͋ͷ
    !SZ
    Λҭͯͨ ڈ೥ͷ࠲ֶࢿྉ
    wIUUQTTQFBLFSEFDLDPNVE[VSBUIFTLFMUPOPGXIBMFT