$30 off During Our Annual Pro Sale. View Details »

コンテナを「守る」仕組みから中身を理解しよう!!1; /how-to-be-a-container

KONDO Uchio
July 01, 2017
Technology
6
4k

コンテナを「守る」仕組みから中身を理解しよう!!1; /how-to-be-a-container

@YAPC::Fukuoka 2017

KONDO Uchio

July 01, 2017
Tweet

More Decks by KONDO Uchio

See All by KONDO Uchio
大規模レガシーテストを 倒すための CI基盤の作り方 / #CICD2023
udzura
5
2k
Ruby x BPF in Action / RubyKaigi 2022
udzura
0
79
Narrative of Ruby & Rust
udzura
0
120
開発者生産性指標の可視化 / pepabo-four-keys
udzura
3
1.1k
Talk of RBS
udzura
0
270
Re: みなさん最近どうですか? / FGN tech meetup in 2021
udzura
0
610
Dockerとやわらかい仮想化 - ProSec-IT/SECKUN 2021 edition -
udzura
2
510
Device access filtering in cgroup v2
udzura
0
570
"Story of Rucy" on RubyKaigi takeout 2021
udzura
0
500

Other Decks in Technology

See All in Technology
RDBを使う単体テストの前に 用意しておきたい環境を考え てみたの
bun913
0
400
CTO of the year 2023ピッチ資料(オーディエンス賞)チューリングCTO青木
aoshun7
0
440
LangChainやるならPythonよりTypeScriptの方がいんじゃね?
optimisuke
0
220
Java in containers and serverless
takesection
0
120
生成AIでシステム開発はどう変わるか
etaroid
17
6.9k
「極意本」サンプルコードをクラウド上で動かそう
upura
1
690
開発生産性大幅アップ!Postman VS Code拡張機能
nagix
0
130
CPOが開発する覚悟 〜コンパウンドスタートアップにおける、爆速の新規プロダクト開発スタイル〜
mosa_siru
7
6.1k
開発生産性向上へのコミットについて理解してもらうためのスライドテンプレートを作った話
ouchi2501
0
190
Amazon Bedrock を利用したAIチャットボット開発
yukimatsuyoshi
1
180
分散型SNS最新状況
kojira
0
190
機械学習システム構築実践ガイド
shibuiwilliam
0
280

Featured

See All Featured
Building Better People: How to give real-time feedback that sticks.
wjessup
349
18k
Building Applications with DynamoDB
mza
87
5.3k
The Art of Programming - Codeland 2020
erikaheidi
39
12k
Building Effective Engineering Teams - LeadDev
addyosmani
22
1.2k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
271
12k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
17
1.4k
YesSQL, Process and Tooling at Scale
rocio
159
13k
GraphQLの誤解/rethinking-graphql
sonatard
45
8.7k
Code Review Best Practice
trishagee
53
14k
Fireside Chat
paigeccino
18
2.3k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
39
4k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
26
5.7k

Transcript

  1. %PDLFSɺ)BDPOJXBɺͦΕ͔Β1FSM
    ۙ౻͏͓ͪ(.01FQBCP *OD
    :"1$'VLVPLB
    ίϯςφΛʮकΔʯ࢓૊Έ͔Βɺ
    த਎Λཧղ͠Α͏

    View Slide

  2. ΤϯδχΞ
    ۙ౻͏͓ͪ!VE[VSB
    (.0ϖύϘٕज़ج൫νʔϜ
    5XJUUFS(JU)VC!VE[VSB
    'BDFCPPLVDIJPLPOEP

    View Slide

  3. !VE[VSBʹ͍ͭͯ
    ɾ3VCZJTUɻ೥໨ʁ
    ɾύʔϑΣΫτ3VCZ3P3ڞஶ
    ɾ'VLVPLBSC
    ɾ3VCZ,BJHJTQFBLFS
    ɾNSVCZίϯςφ)BDPOJXB

    View Slide

  4. !VE[VSBʹ͍ͭͯ
    ɾ3VCZJTUɻ೥໨ʁ
    ɾύʔϑΣΫτ3VCZ3P3ڞஶ
    ɾ'VLVPLBSC
    ɾ3VCZ,BJHJTQFBLFS
    ɾNSVCZίϯςφ)BDPOJXB

    View Slide

  5. 3VCZJTU

    View Slide

  6. ෱Ԭ3VCZձٞ!
    IUUQSFHJPOBMSVCZLBJHJPSHGVLVPLB

    View Slide

  7. ίϯςφ

    View Slide

  8. TFDVSJUZ

    View Slide

  9. 6/*9
    -JOVY

    View Slide

  10. ίϯςφͱ͸
    w༷ʑͳ6/*9γεςϜʹ͓͍ͯ͸ɺ༷ʑͳίϯςφ࣮૷͕͋Δ
    w'SFF#4%ܥͷKBJMɺ4PMBSJT$POUBJOFSɺ
    w-JOVYʹ͓͍ͯ͸ɺ-9$ɺ%PDLFSɺTZTUFNE—OTQBXOͳͲ
    w-JOVYͷίϯςφ͸جຊతʹʮಛघͳϓϩηεʯͱ࣮ͯ͠૷

    View Slide

  11. ϓϩηεͬͯʁ

    View Slide

  12. ϓϩηεͷ࡞Γํ
    ਌ϓϩηε
    ࢠϓϩηε
    ৽͍͠
    ϓϩάϥϜ
    GPSL

    FYFDWF

    XBJU

    View Slide

  13. ϓϩηεͷ࡞Γํ
    ਌ϓϩηε
    ࢠϓϩηε
    ৽͍͠
    ϓϩάϥϜ
    ϓϩηεΛ
    ʮෳ੡ʯ͢Δ
    ݹ͍ϓϩηεΛࣺͯɺ
    ৽͍͠ϓϩάϥϜʹʮม਎ʯ͢Δ
    ਌͕ࢠڙͷ
    ऴྃΛ؂ࢹ

    View Slide

  14. ϓϩηεͷଐੑ
    wͱ͜ΖͰɺϓϩηεʹ͸༷ʑͳଐੑ͕͋Δ
    wQSPDͷԼ͔Β֬ೝͰ͖Δ
    wDXE SPPU OTGT QQJE QJE DBQBCJMJUZ DHSPVQ

    View Slide

  15. ྫQSPD1*%TUBUVT
    1*%ɺ਌ͷ1*%
    ࣮ߦϢʔβɺάϧʔϓ
    ϓϩηεάϧʔϓͳͲͷ*%
    ϝϞϦͷར༻ঢ়گ
    γάφϧͷઃఆʢϚεΫͳͲʣ
    $BQBCJMJUZ4FU

    View Slide

  16. GPSL
    ͱFYFD
    ͷؒ
    ਌ϓϩηε
    ࢠϓϩηε
    ৽͍͠
    ϓϩάϥϜ
    GPSL

    FYFDWF

    XBJU

    GPSL
    ͱFYFD଒ͷ࣮ߦͷؒʹɺ
    ϓϩηεͷଐੑΛมߋ͢Δ͜ͱ͕Ͱ͖Δ

    View Slide

  17. GPSL
    ͱFYFD
    ͷؒ
    wGPSL
    ͢ΔͱɺϓϩάϥϜͱͯ͠͸GPSL
    ݩͷίϐʔͱͳΔ͕ɺͦͷ
    ࣌఺Ͱಠཱͨ͠ଐੑΛ࣋ͭ
    wಠཱ͍ͯ͠ΔͷͰɺͦͷޙͰ༷ʑͳଐੑΛมߋ͢ΔγεςϜίʔϧΛ
    ݺ΂Δ
    wͦͷଐੑͷ͏ͪଟ͘͸FYFD
    ͯ͠৽͍͠΋ͷΛܧঝ͢ΔͷͰɺͦͷ
    ৽͍͠ϓϩηε͕ίϯςφతͳଐੑΛ͍࣋ͬͯΔͱɺίϯςφͱͯ͠
    ѻ͑Δ

    View Slide

  18. GPSL
    ͱFYFD
    ͷؒ
    wGPSL
    ͢ΔͱɺϓϩάϥϜͱͯ͠͸GPSL
    ݩͷίϐʔͱͳΔ͕ɺͦͷ
    ࣌఺Ͱಠཱͨ͠ଐੑΛ࣋ͭ
    wಠཱ͍ͯ͠ΔͷͰɺͦͷޙͰ༷ʑͳଐੑΛมߋ͢ΔγεςϜίʔϧΛ
    ݺ΂Δ
    wͦͷଐੑͷ͏ͪଟ͘͸FYFD
    ͯ͠৽͍͠΋ͷΛܧঝ͢ΔͷͰɺͦͷ
    ৽͍͠ϓϩηε͕ίϯςφతͳଐੑΛ͍࣋ͬͯΔͱɺίϯςφͱͯ͠
    ѻ͑Δ
    VOTIBSF
    DISPPU
    QSDUM

    ࠓ೔ɺ͜Ε͔Βઆ໌͢Δ֤߲໨Ͱ͢

    View Slide

  19. ຊൃදͰͷ࢖͍ํ
    wޙड़͢ΔΑ͏ͳγεςϜίʔϧ౳Λ༻͍ͯɺԿ͔͠Βͷ04Ϧιʔεͷ
    ִ཭ɺػೳ੍ݶɺ·ͨݖݶ෼཭ΛߦͬͨϓϩηεΛɺ

    ʮίϯςφʢ·ͨ͸ίϯςφతϓϩηεʣʯͱݺͼ·͢ɻ

    View Slide

  20. ίϯςφͷத਎

    View Slide

  21. %PDLFS.PCZMJCDPOUBJOFS
    w%PDLFSͷίϯςφϓϩηε࡞੒ͷίΞ࣮૷͸ʮ3VO$ʯͱ͍͏໊લͰ
    ಠཱ͍ͯ͠Δɻͦͷத਎Ͱ࢖͍ͬͯΔ΋ͷ͕MJCDPOUBJOFS
    wMJCDPOUBJOFSࣗମ͸ଞͷ

    (Pݴޠͷ࣮૷͔Β΋ར༻Մೳ
    wίϯςφपΓͷ༷ʑͳ

    ੜͷΦϓγϣϯΛࢦఆ
    IUUQTNFEJVNDPN!UJ⒎BOZGBZKEPDLFSFUQMVTFOHJOFJTOPXCVJMUPOSVODBOEDPOUBJOFSEBEEFFG

    View Slide

  22. -9$
    w-JOVYίϯςφͷϦϑΝϨϯεత࣮૷
    wத਎͸ɺ$ݴޠ

    γεςϜίʔϧΛඇৗʹ

    ૉ௚ʹར༻
    wίϯςφܥγεςϜίʔϧͷݺͼํͷษڧʹͳΔ

    View Slide

  23. )BDPOJXB
    w!VE[VSBͱ͍͏ਓ͕NSVCZͰ࡞ͬͨίϯςφ࣮૷
    wγεςϜίʔϧͱͷΞΫηεΛ$CJOEJOHͰɺϓϩηε࡞੒΍%4-ධ
    ՁͳͲͷॲཧΛNSVCZͰॻ͍͍ͯΔ
    w෭࢈෺ͱͯ͠ίϯςφܥγεςϜίʔϧʹ؆୯ʹΞΫηεͰ͖Δ
    NSVCZJSCόΠφϦ͕ೖΔʢύοέʔδΠϯετʔϧͷ৔߹ʣ

    View Slide

  24. ͦͷଞͷ࣮૷
    w1FSMͷ࣮૷KBJMJOH BRS
    wIUUQTHJUIVCDPNLB[VIPKBJMJOH
    wIUUQTHJUIVCDPNIBZBKPBRS
    w3VTUʹWBHHBͱ͍͏΋ͷ͕͋ΔΒ͍͠
    wIUUQTHJUIVCDPNUBJMIPPLWBHHB

    View Slide

  25. ίϯςφͷ
    ػೳͱ
    ηΩϡϦςΟ

    View Slide

  26. ࠓ೔࿩͢͜ͱ
    wDISPPUQJWPU@SPPU
    w-JOVYOBNFTQBDF
    w$(SPVQ
    w,FSOFM$BQBCJMJUZ
    wTFDDPNQ
    w."$BQQBSNPS

    View Slide

  27. ࠓ೔࿩͢͜ͱ
    wDISPPUQJWPU@SPPU
    w-JOVYOBNFTQBDF
    w$(SPVQ
    w,FSOFM$BQBCJMJUZ
    wTFDDPNQ
    w."$BQQBSNPS
    04Ϧιʔεͷ෼཭
    ݖݶɾػೳͷ੍ݶ
    ΞΫηείϯτϩʔϧ
    04Ϧιʔεͷར༻੍ݶ

    View Slide

  28. DISPPU

    View Slide

  29. DISPPU
    ίϚϯυ
    wDISPPU
    γεςϜίʔϧͷϥούʔ
    w΋ͬͱ΋୯७ͳʮίϯςφʯ
    wผͷͱ͜Ζʹ࡞ͬͨ04ͷSPPUϑΝΠϧγεςϜͷதʹʮೖΓʯɺ

    ਌ϓϩηεͱ͸ผͷ؀ڥΛ࡞Δ
    wDISPPUޙͷ؀ڥ͔ΒɺผͷSPPU΍ɺ਌ͷϑΝΠϧγεςϜ͸ɺ

    ݪଇͱͯ͠͸ݟ͑ͳ͍

    View Slide

  30. ୯७ͳ͚ͩʹ͕݀͋Δ
    wDISPPU
    ͨ͠؀ڥ಺෦ͰɺDISPPU
    Մೳͩͱ؆୯ʹൈ͚ΒΕΔ
    # mkdir .tmp
    # mount --bind . .tmp
    # mount devtmpfs -t devtmpfs .tmp/dev
    # perl -e 'chroot ".tmp";
    chdir "..";chdir "..";chdir "..";
    chdir "..";chdir "..";chdir "..";
    chroot ".";exec "/bin/sh"'
    # ls /vagrant
    ...... (਌ͷσΟϨΫτϦ͕ݟ͑Δʂ)

    View Slide

  31. VODISPPUΛ๷͙ʹ͸
    wDISPPUͰ͖ͳ͘͢Δͱ͍͏ํ๏͕Ұൠత
    wݖݶΛམͱ͢DBQBCJMJUZ
    wγεςϜίʔϧ୯ҐͰݺ΂ͳ͘͢ΔTFDDPNQ
    wͦͷଞɺ6TFSOBNFTQBDFΛ෼͚ͯ͠·͑͹࣮࣭୤ࠈෆՄ
    w͍ͣΕʹͤΑɺ΄͔ͷίϯςφػೳͱ૊Έ߹Θͤͯ҆શੑΛ֬อ͢Δ

    View Slide

  32. DGQJWPU@SPPU
    wSPPUϑΝΠϧγεςϜΛʮೖΕସ͑ΔʯɻDISPPUΑΓڧྗ
    w04ͷϒʔτϓϩηεɺOFUCPPUͷࡍʹ࢖͍ͬͯΔ
    wDISPPUΑΓ͸੍ݶ͕͋Δ
    wlOFX@SPPUͱQVU@PME͸ݱࡏͷSPPUͱಉ͡ϑΝΠϧγεςϜʹ͋ͬͯ͸ͳ
    Βͳ͍zͳͲ
    wDISPPU΄Ͳखܰʹ͸࢖͑ͳ͍͕ɺҰํ୤ࠈͷ໰୊͸ͳ͘ͳΔ
    IUUQTMJOVYKNPTEOKQIUNM-%1@NBOQBHFTNBOQJWPU@SPPUIUNM

    View Slide

  33. -JOVY
    OBNFTQBDF

    View Slide

  34. -JOVYOBNFTQBDF͕ͳ͍ͱ
    wDISPPU͢ΔͱϑΝΠϧγεςϜ͕෼཭͞ΕΔɻ
    wͱ͍͏͜ͱͰɺ/procΛվΊͯϚ΢ϯτ͢Δඞཁ͕͋Δɻ
    wϚ΢ϯτ͢Δͱ

    ݟ͑ͯ͸͍͚ͳ͍΋ͷ͕

    ݟ͑ΔΑ͏ͳ

    View Slide

  35. 04ͷϦιʔε͸ଞʹ΋ʮ෼཭Ͱ͖Δʯ
    wϓϩηεΛ෼཭͠ͳ͍ͱɺίϯςφͷத͔Β֎ͷϓϩηεΛ͍͡ΕΔ
    wϗετ໊Λ෼཭͠ͳ͍ͱɺίϯςφ಺Ͱผ్ϗετ໊ΛઃఆͰ͖ͳ͍
    wͦͷଞʹɺ෼཭Ͱ͖Δ΋ͷ
    wϚ΢ϯτϙΠϯτͷ৘ใ
    w*1$ϦιʔεTINHFU
    ͱ͔NR@PQFO
    తͳ΋ͷ
    wωοτϫʔΫɺϢʔβ*%ɺ$(SPVQ

    View Slide

  36. Πϝʔδ
    wάϩʔόϧOBNFTQBDFͷ

    தʹɺ͍͔ͭ͘

    OBNFTQBDFΛ࡞ΕΔ
    IUUQTTQFBLFSEFDLDPNVE[VSBDSFBUJOHDPOUBJOFSTXJUIHPMBOH

    View Slide

  37. Ұ෦͚ͩͷҠಈ΋Մೳ
    wྫip nets exec
    wOFUXPSLOBNFTQBDFʢʴЋʣ

    ͚ͩΛ෼཭͢Δ

    ίϯςφͱݴ͑Δ
    wҰൠతʹ͸ɺηοτͰ෼཭͢Δํ͕ศརͰ͸͋Δ
    $ sudo ip netns add test001
    $ sudo ip netns exec test001 /bin/bash
    root@test-1:/home/ubuntu# ip a
    1: lo: mtu 65536 qdisc noop
    state DOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd
    00:00:00:00:00:00

    View Slide

  38. ͱ͍͏͜ͱͰɺ1*%Λ෼཭͢Δ
    w࣮૷ͷํ਑
    w1*%͸/proc͔Βݟ͑Δ΋ͷ
    wͳͷͰผͷ/procΛ҆શʹϚ΢ϯτͰ͖ΔΑ͏ɺ

    .PVOUOBNFTQBDF΋Ұॹʹ෼཭͢Δ
    wGPSLͷ୅ΘΓʹDMPOF
    γεςϜίʔϧΛݺͼɺ࠷ޙʹFYFD
    ͢Δ
    ৚݅Λࡉ͔͘ࢦఆͰ͖Δ
    GPSL
    ͱߟ͍͑ͯͩ͘͞

    View Slide

  39. 1FSMΛษڧͯ͠ॻ͍ͯΈ·ͨ͠
    #!/usr/bin/env perl
    use strict;
    use POSIX;
    use Linux::Clone;
    my $flg = POSIX::SIGCHLD | Linux::Clone::NEWNS | Linux::Clone::NEWPID;
    my $pid = Linux::Clone::clone sub {
    system "mount --make-rslave /";
    chroot "/var/lib/rootfs/yapc"; chdir "/";
    exec "/bin/sh"; 127 }, 0, $flg;
    print "PID=", $pid, "\n";
    waitpid $pid, 0 if($pid);
    print "Container exited\n";

    View Slide

  40. ಈ࡞֬ೝ
    w͜ͷล·Ͱ͸ɺͲΜͳίϯςφͰ΋ಉ͡Α͏ʹ࣮૷͍ͯ͠Δ

    View Slide

  41. ٳܜ

    View Slide

  42. <13>

    View Slide

  43. (.0ϖύϘ෱Ԭࢧࣾ͸
    ΤϯδχΞΛืू͍ͯ͠·͢
    ࠷৽ͷ࠾༻৘ใΛνΣοΫˠ !QC@SFDSVJU

    View Slide

  44. ࢓ࣄͰɺίϯςφΛ

    ΨοπϦ࢖͍͍ͨʂ

    ͋Δ͍͸։ൃ͍ͨ͠ํ

    ੠Λֻ͓͚͍ͩ͘͞

    View Slide

  45. SFTVNF

    View Slide

  46. DHSPVQ

    View Slide

  47. $POUSPM(SPVQ DHSPVQ

    w-JOVYʹ͸ɺϓϩηεΛάϧʔϐϯάͯ͠ɺͦͷάϧʔϓ͝ͱʹ

    ϋʔυ΢ΣΞϦιʔε04ϦιʔεͳͲͷར༻ঢ়گΛ֬ೝͨ͠Γɺ

    ͋Δ͍͸੍ޚΛ͢Δػೳ͕͋ΔɻͦΕ͕DHSPVQ
    wMJCDHSPVQͷΑ͏ͳϥΠϒϥϦ΍ɺDHSPVQGT͔ΒΞΫηεՄೳ
    w·ͨɺTZTUFNE͕಺෦Ͱར༻͢ΔʢϓϩηεͷάϧʔϐϯάɺϦιʔ
    ε੍ݶͳͲʣ
    wDGTZTUFNEOTQBXO
    TZTUFNEʹಉࠝͷίϯςφ

    View Slide

  48. DHSPVQTVCTZTUFN
    w੍ޚͰ͖Δର৅͝ͱʹαϒγεςϜ͕͋Δ
    wαϒγεςϜ͸ͨ͘͞Μ͋Δ
    wDQV
    wNFNPSZ
    wCMLJP OFU@DMT GSFF[FS
    wͦͷதͰ΋QJETαϒγεςϜΛ঺հ

    View Slide

  49. ίϯςφͰͷGPSLCPNC߈ܸ
    w౰વͰ͋Δ͕ɺ฼؋04શମͰͷϓϩηεͷ࠷େ਺͸༗ݶͰ͋Δ
    w͕ͨͬͯ͠ɺίϯςφ؀ڥͷத͔Β๲େͳϓϩηεΛ࡞੒͢Δͱɺ

    ݁Ռతʹ฼؋04ͷϓϩηε਺ͷ্ݶʹୡ͢Δ͜ͱ͸ى͜Γ͏Δ
    w఻౷తʹ͸ɺSMJNJUͰϓϩηεπϦʔ͝ͱͷϓϩηε਺Λ੍ݶ
    wίϯςφͷ৔߹BUUBDIͳͲʹΑΓɺίϯςφ಺ͷશͯͷϓϩηε͕ɺ
    ಉ͡ϓϩηεπϦʔʹॴଐ͍ͯ͠ͳ͍৔߹΋͋Γ͏Δ

    View Slide

  50. QJETTVCTZTUFN
    w-JOVYҎ߱Ͱಋೖ͞ΕͨαϒγεςϜ
    wҎԼͷ஋Λར༻Ͱ͖Δ
    wQJETDVSSFOUάϧʔϓ಺ͷݱࡏͷϓϩηε਺
    wQJETNBYͦͷάϧʔϓͰڐՄ͢Δ࠷େϓϩηε਺
    SPPUάϧʔϓͰ͸ར༻Ͱ͖ͳ͍ͷͰ஫ҙ
    ࢀߟʮ-9$ͰֶͿίϯςφೖ໳ʯ
    IUUQHJIZPKQBENJOTFSJBMMJOVY@DPOUBJOFST

    View Slide

  51. ͖ͬ͞ͷ1FSMίϯςφʹύον
    --- chroot2.pl 2017-06-20 10:47:02.780313607 +0900
    +++ bomber.pl 2017-06-20 12:55:41.572399620 +0900
    @@ -2,11 +2,19 @@
    use strict;
    use POSIX;
    use Linux::Clone;
    +system "mkdir -p /sys/fs/cgroup/pids/yapc-fukuoka";
    my $flg = POSIX::SIGCHLD | Linux::Clone::NEWNS | Linux::Clone::NEWPID;
    my $pid = Linux::Clone::clone sub {
    system "mount --make-rslave /";
    chroot "/var/lib/haconiwa/rootfs/php"; chdir "/";
    - exec "/bin/sh"; 127 }, 0, $flg;
    + exec "/bin/bash"; 127 }, 0, $flg;
    +open TASKS, ">> /sys/fs/cgroup/pids/yapc-fukuoka/tasks";
    +print TASKS "$pid";
    +close TASKS;
    +open MAX, ">> /sys/fs/cgroup/pids/yapc-fukuoka/pids.max";
    +print MAX "32";
    +close MAX;
    +
    print "PID=", $pid, "\n";
    waitpid $pid, 0 if($pid);
    QJETDHSPVQΛ௥Ճ
    ίϯςφͷQJEΛॴଐͤ͞ɺ
    NBYΛ੍ݶ

    View Slide

  52. GPSLCPNCΛ๷͛Δ͜ͱ͕Θ͔Δ
    wQJETNBY੍ݶͳͩ͠ͱ฼؋͝ͱ௜໧͠·͢

    View Slide

  53. ,FSOFM
    $BQBCJMJUZ

    View Slide

  54. -JOVY,FSOFM$BQBCJMJUZ
    w-JOVYͰ͸ɺSPPU͕͍࣋ͬͯΔ༷ʑͳݖݶΛɺࡉ͔͘෼ׂͯ͠ɺ

    Ұ෦͚ͩ෇༩ɺ·ͨ͸Ұ෦੍͚ͩݶ͢Δ͜ͱ͕Ͱ͖Δ
    w͜ΕΒͷݖݶͷू߹ΛέʔύϏϦςΟηοτɺҰͭҰͭΛέʔύϏϦ
    ςΟͱݺͿɻ
    wྫ͑͹ɺ࣌ؒΛઃఆ͢Δݖݶ CAP_SYS_TIME
    ɺLJMMΛͲΜͳϓϩηε
    ʹ΋ૹΔݖݶ CAP_KILL
    ɺ࠶ىಈ͢Δݖݶ CAP_SYS_BOOT

    View Slide

  55. 6CVOUV9FOJBM -JOVY
    Ͱ͸
    wdͷͷ

    έʔύϏϦςΟ

    View Slide

  56. έʔύϏϦςΟͷܧঝϧʔϧ
    wϓϩηεϑΝΠϧͷͭͷηοτ 1FSNJUUFE*OIFSJUBCMF&⒎FDUJWF
    ɺ
    ό΢ϯσΟϯάηοτɺΞϯϏΤϯτηοτ -JOVYҎ߱
    Ͱܾ·Δ
    wৄࡉ͸NBODBQBCJMJUJFT
    wྫTFUVTFSJESPPUͰɺଞ͕

    σϑΥϧτͷ৔߹ɺ

    ό΢ϯσΟϯάηοτͰམͱͯ͠

    FYFDWF
    ͢Δͱ৽͍͠ϓϩάϥϜ

    Ͱ͸ͦͷݖݶ͕མ͍ͪͯΔ

    View Slide

  57. ྫҰൠϢʔβͰ൪ΛϦεϯ͍ͨ͠
    wҰൠతʹɺ൪ҎԼͷϙʔτ͸ҰൠϢʔβ͸࢖͑ͳ͍
    w͜͏͍͏(Pͷ)5514FSWFSΛ࡞ͬͨΒɺҰൠϢʔβ͸ىಈͰ͖ͳ͍

    View Slide

  58. TFUDBQ
    ͰpMFDBQBCJMJUJFTΛ෇༩͢Δ
    w൪ҎԼΛϦεϯ͢Δݖݶʹ CAP_NET_BIND_SERVICE
    ubuntu@compute-1:~$ sudo setcap cap_net_bind_service+ep ./listen80
    ubuntu@compute-1:~$ ./listen80 &
    [1] 5915
    ubuntu@compute-1:~$ curl localhost
    Hello, World
    ubuntu@compute-1:~$ sudo getcap ./listen80
    ./listen80 = cap_net_bind_service+ep
    VCVOUVϢʔβͰ
    αʔόΛىಈͰ͖Δ

    View Slide

  59. ྫ੍ݶ෇͖ͷίϯςφ಺SPPU
    wίϯςφ಺෦Ͱ΋ɺSPPUΛ౉͢ͱศརͳ͜ͱ͸ଟ͍
    wͱ͸ݴ͑ͳΜͰ΋͸ͤͨ͘͞ͳ͍ɻͰ͖Δ͜ͱ͚ͩ
    wCAP_SYS_TIMEͱCAP_SYS_CHROOTݖݶΛୣͬͯΈΔ

    View Slide

  60. ࠷ॳͷ1FSMίϯςφʹύον
    --- chroot2.pl 2017-06-20 10:47:02.780313607 +0900
    +++ dropcap.pl 2017-06-20 14:38:31.335190235 +0900
    @@ -2,10 +2,14 @@
    use strict;
    use POSIX;
    use Linux::Clone;
    +use Linux::Prctl;
    +
    my $flg = POSIX::SIGCHLD | Linux::Clone::NEWNS | ...;
    my $pid = Linux::Clone::clone sub {
    system "mount --make-rslave /";
    chroot "/var/lib/haconiwa/rootfs/php"; chdir "/";
    + $Linux::Prctl::capbset{"sys_time"} = 0;
    + $Linux::Prctl::capbset{"sys_chroot"} = 0;
    exec "/bin/sh"; 127 }, 0, $flg;
    print "PID=", $pid, "\n";
    waitpid $pid, 0 if($pid); CPVOEJOHTFU͔Β࡟আ

    View Slide

  61. EBUFͰ೔෇ͷηοτ͕Ͱ͖ͳ͘ͳΔ
    w0QFSBUJPOOPUQFSNJUUFEѻ͍ʹͳΔ
    root@compute-1:~# perl dropcap.pl
    PID=5962
    # date
    Tue Jun 20 06:34:50 UTC 2017
    # date -s 00:00:00
    date: cannot set date: Operation not permitted
    Tue Jun 20 00:00:00 UTC 2017
    # date
    Tue Jun 20 06:34:59 UTC 2017

    View Slide

  62. DISPPUͰίϯςφΛൈ͚ΒΕͳ͘ͳΔʂ

    View Slide

  63. %PDLFS.PCZͰ͸
    wEPDLFSNPCZSVOͷΦϓγϣϯɺDBQBEE DBQESPQ

    ΦϓγϣϯͰίϯτϩʔϧՄೳ
    wσϑΥϧτͷ$BQBCJMJUZ͸ιʔεʹϋʔυίʔυ͞Ε͍ͯΔ
    wIUUQTHJUIVCDPNNPCZNPCZCMPCNBTUFSPDJ
    EFGBVMUTHP--

    View Slide

  64. ͱ͜ΖͰօ͞Μ

    View Slide

  65. QSJWJMFHFEΛ҆қʹ࢖͍ͬͯ·ͤΜ͔ʁ
    wจࣈͲ͓Γɺਫ਼ࠪͤͣʹɺ͢΂ͯͷ$BQBCJMJUZΛ෇༩͢ΔΦϓγϣϯ
    wͦͷଞͷɺTFDDPNQBQQBSNPSͳͲͷઃఆʹΑΓɺίϯςφ಺ͷ
    ݖݶ͸ߜΓࠐ·ΕΔɻͱ͸͍͑
    wྫ͑͹ɺΧʔωϧʹΑͬͯTFDDPNQ౳͕༗ޮͰͳ͍͜ͱ΋͋Δ
    w TFDDPNQ BQQBSNPS౳Λແޮʹ͢ΔΦϓγϣϯ΋͋Δ
    w ҆શੑ͕ઈର֬อͰ͖ΔΑ͏ͳ৔໘ $*Ͱར༻ΠϝʔδΛݶఆ͢Δ౳
    Ͱ͸·ͨผ͕ͩ
    w࠷খݖݶͷݪଇʹै͍ɺਫ਼ࠪͯ͠DBQBEEͰ໌ࣔత௥Ճ͢Δ΂͖

    View Slide

  66. ٳܜ

    View Slide

  67. ͓ർΕͰ͠ΐ͏ͷͰ
    ෱Ԭͷඒຯ͍͠΋ͷͷը૾Λ
    ோΊ·͠ΐ͏

    View Slide

  68. View Slide

  69. View Slide

  70. View Slide

  71. SFTUPSF

    View Slide

  72. TFDDPNQ

    View Slide

  73. TFDDPNQ TFDDPNQCQG

    w-JOVYͰɺαϯυϘοΫεΛ࣮ݱ͢ΔͨΊʹɺ

    ϓϩηεͷγεςϜίʔϧݺͼग़͠ΛϑΟϧλϦϯά͠ɺ

    ੍ݶɾτϥοϓɾτϥοΩϯάͳͲΛ࣮ݱ͢Δػೳ
    wࠓճ͸ɺ-JOVYҎ߱ͷTFDDNPQNPEFͷ࿩
    w#FSLFMFZ1BDLFU'JMUFS #1'
    Λ༻͍ͯߴ଎ʹݺͼग़͠ΛϑΟϧλϦ
    ϯά͢Δ

    View Slide

  74. Կ͕Ͱ͖Δ͔
    wಛఆͷγεςϜίʔϧͷڐՄ
    wಛఆͷγεςϜίʔϧͷېࢭ 4*(4:4ͷૹ෇

    wಛఆͷγεςϜίʔϧͷݺͼग़͠Λ೚ҙͷFSSOPͰฦ͢
    wಛఆͷγεςϜίʔϧΛɺQUSBDF
    ͰτϥοΫՄೳʹ͢Δ
    w࠷ॳʹσϑΥϧτͷڍಈΛࢦఆ͠ɺݸผͷγεςϜίʔϧͷ৔߹Λఆ
    ٛ͢Δ

    View Slide

  75. ͔͜͜ΒNSVCZ͕ग़ͯ͘Δ
    w1FSMྗ͕௿͘ɺ͍͢·ͤΜ ҰԠϞδϡʔϧ͸͋ΔΑ͏Ͱ͕͢ɻ

    wIBDPOJXBNSVCZTFDDPNQ

    View Slide

  76. NSVCZTDSJQU
    #!/usr/bin/env hacorb
    context = Seccomp.new(default: :allow) do |rule|
    rule.kill :mkdir
    rule.kill :fchownat
    end
    pid = Process.fork do
    context.load
    puts "==== It will be jailed. Please try to mkdir/chown"
    exec "/bin/sh"
    end
    p(Process.waitpid2 pid)

    View Slide

  77. ࣮ߦ͢ΔͱɺαϯυϘοΫε্ཱ͕͕ͪΔ
    w·͝͏ࣄͳ͖SPPUͰ͋Δ͕ɺϑΝΠϧͷॴ༗ऀΛม͑ͨΓɺ

    σΟϨΫτϦΛ࡞Εͳ͍ɻ͜Ε΋Ұछͷʮίϯςφʯ
    wʢIBDPOJXBQBDLBHFʹಉࠝ͞ΕΔIBDPSCόΠφϦΛ࢖͏ʣ
    4:(4:4ͷΤϥʔϝοηʔδ

    View Slide

  78. ৄࡉ͸ϒϩάʹॻ͖·ͨ͠ʜ
    wNSCHFNͷ֓ཁʮTFDDPNQΛNSVCZͰࢼ͢ʯ
    wIUUQVE[VSBIBUFOBCMPHKQFOUSZ
    wTFDDPNQʹΑΔγεςϜίʔϧτϥοΩϯά

    ʮNSVCZͱTFDDPNQͱQUSBDFͰγεςϜίʔϧΛͱʹ͔͘௥͍͔͚Δʯ
    wIUUQVE[VSBIBUFOBCMPHKQFOUSZ
    ಛఆͷγεςϜίʔϧݺͼग़͠ΛϩΪϯά͢Δ
    γΣϧͷྫ͸ͪ͜Βͷهࣄ͔Β

    View Slide

  79. %PDLFSͷதͰ͸ʁ
    wݺͼग़ͤΔγεςϜίʔϧͷʮϗϫΠτϦετʯ͕ଘࡏ͢Δ
    wυΩϡϝϯτʹ΋͋Δ௨Γɻ
    wΦϓγϣϯͰ೚ҙͷϑΟϧλʔΛద༻Ͱ͖Δͦ͏
    4FDDPNQTFDVSJUZQSPpMFTGPS%PDLFS
    IUUQTEPDTEPDLFSDPNFOHJOFTFDVSJUZTFDDPNQ

    View Slide

  80. ."$
    "QQ"SNPS

    View Slide

  81. ίϯςφػೳઆ໌ͱͯ͠͸ɺ
    ͜ΕͰ࠷ޙͳΜͰ
    ؤு͓ͬͯฉ͖͍ͩ͘͞

    View Slide

  82. ༤େͳେ෼ͷࣗવΛݟͯٳܜ
    CZ!NBUTVNPUPSZ͞Μ

    View Slide

  83. ."$ͱ͸
    w͜͜Ͱ͸.BOEBUPSZ"DDFTT$POUSPMڧ੍ΞΫηε੍ޚͷ͜ͱ
    wҰൠతͳɺϑΝΠϧΦ΢φʔ͝ͱʹΞΫηε͢ΔݖݶΛߜΔํࣜ͸ɺ
    ೚ҙΞΫηε੍ޚ %JTDSFUJPOBSZ"DDFTT$POUSPM
    ͱݺ͹ΕΔɻ
    wࣄނͳͲʹΑΓݖݶΛඞཁҎ্ʹΏΔ͘Ͱ͖ͯ͠·͏

    ʢσΟϨΫτϦΛύʔϛογϣϯͰެ։Ͱ͖Δ౳ʣ͜ͱ͕͋Δ

    View Slide

  84. ."$ͱ͸

    w%"$ͷݖݶݕࠪΛͨ͠ޙͰɺ؅ཧऀͷઃఆͨ͠."$ͷϙϦγʔ͕ద
    ༻͞ΕɺϦιʔε΁ͷΞΫηε͕ڧ੍ίϯτϩʔϧ͞ΕΔ
    wʮࣗ෼ͷݖݶͰ͋ͬͯ΋ɺࣗ෼ͰίϯτϩʔϧͰ͖ͳ͍ʯ͜ͱ΋
    wྫ͑͹ࣗ෼Ͱ࡞ͬͨϑΝΠϧʹɺࣗ෼ͰΞΫηεͰ͖ͳ͘ͳΔɺͱ͍
    ͏ઃఆ΋ՄೳͰ͋Δ
    w·ͨɺ%"$ΑΓࡉ͔͍ΞΫηε੍ޚ΋Մೳʹ

    View Slide

  85. "QQ"SNPSͱ͸
    w."$Λ࣮ݱ͢Δϛυϧ΢ΣΞͷҰͭ
    wϓϩάϥϜͷύε୯Ґϓϩηε୯ҐͰϓϩϑΝΠϧͷద༻͕Ͱ͖Δ
    ͷ͕ಛ௃
    w6CVOUVͷ$BOPOJDBMࣾʹΑΓ։ൃ͕͞Ε͍ͯΔ
    wFOGPSDFNPEFͱDPNQMBJONPEFʢه࿥ͷΈʣ͕͋Δ

    View Slide

  86. %PDLFSͰͷར༻
    wίϯςφ͸σϑΥϧτɺEPDLFSEFGBVMUͱ͍͏ϓϩϑΝΠϧ͕౰ͨΔ
    ίϯςφΛͭ࡞ͬͨͷͰɺ
    ͭͷϓϩηεʹద༻͞Ε͍ͯΔ
    -9$΋࢖ͬͯ·͢Ͷ

    View Slide

  87. ϓϩϑΝΠϧͷྫ
    IUUQTEPDTEPDLFSDPNFOHJOFTFDVSJUZBQQBSNPSOHJOYFYBNQMFQSPpMF
    wಠࣗͷݴޠΛ༻͍ͯهड़͢Δ

    View Slide

  88. ΧελϜϓϩϑΝΠϧΛ౰ͯΔʹ͸
    wdeny /usr/bin/top mrwklxͱ͍͏ϧʔϧΛՃ͑ͨϓϩϑΝΠϧ
    Λ࡞੒ɺొ࿥͢Δ
    wEPDLFSSVOίϚϯυͰ--security-opt apparmor=exampleͷ
    Α͏ʹࢦఆͯ͠ىಈ
    wͦͷίϯςφͰ͸ɺUPQίϚϯυΛ࣮ߦ͢Δ͜ͱ͕Ͱ͖ͳ͍ɻ
    wBVEJUͷΈɺͳͲ΋Մೳ
    ৄࡉ͸ϒϩάͰ
    ʮ"QQ"SNPSͱ%PDLFSͱͦͷଞίϯςφతϓϩηεʹ͍ͭͯʯ
    IUUQVE[VSBIBUFOBCMPHKQFOUSZ

    View Slide

  89. ΑΓৄࡉͳத਎
    wMJCBQQBSNPSͱ͍͏ϥΠϒϥϦͰϓϩάϥϜ͔ΒΞΫηεͰ͖Δ
    wݱࡏͷϓϩηεͷϓϩϑΝΠϧΛมߋ͢ΔBB@DIBOHF@QSPpMF
    ͱ

    FYFDWF
    ͷλΠϛϯάͰมߋ͢ΔBB@DIBOHF@POFYFD
    ͕͋Δ
    wʢ6CVOUVͷNBOͰηΫγϣϯ͕ͳͷͰʣ
    wNSVCZͷCJOEJOH࡞੒ࡁʢ͔͠͠·ͩ)BDPOJXBʹ૊ΈࠐΜͰͳ͍ʣ
    IUUQNBOQBHFTVCVOUVDPNNBOQBHFTYFOJBMNBOBB@DIBOHF@QSPpMFIUNM

    View Slide

  90. ͓ർΕ༷

    Ͱͨ͠

    View Slide

  91. ·ͱΊ

    View Slide

  92. ίϯςφ͸
    ಛผͳϓϩηεʹա͗ͳ͍ɻ
    ˠͦͷϓϩηεΛ҆શʹɺಠཱͨ͠ܗͰɺ
    ޮ཰తʹར༻͢΂༷͘ʑͳγεςϜίʔϧ΍ػೳ͕͋Δ

    View Slide

  93. %PDLFS͸σϑΥϧτͰ
    ͍Ζ͍Ζ͍͍ײ͡ʹ͍ͯ͠Δ
    ˠ͔͠͠ɺཧղ͕ෆे෼ͩͱൈ͚ಓΛ࡞ͬͯ͠·͏͜ͱ΋ɻ
    ɹQSJWJMFHFEΦϓγϣϯɺؒҧͬͨઃఆɺ
    ɹΧʔωϧόʔδϣϯͰ࢖͑ͳ͍ػೳͳͲ

    View Slide

  94. ࢀߟεΠενʔζϞσϧ
    ˠҰͭҰͭʹ͕ۭ͍͍݀ͯͨͱͯ͠΋ɺ
    ɹͨ͘͞ΜॏͶΔ͜ͱͰɺશͯͷ݀Λൈ͚Δ͜ͱ͸
    ɹඇৗʹ೉͘͠ͳΔ
    *NBHF$$IUUQTQJYBCBZDPNQ

    View Slide

  95. ͔ͬ͠Γͱத਎ʹڵຯΛ࣋ͪ
    ཧղͯ͠࢖͏͜ͱͰ
    ϋϚΓͲ͜ΖΛճආͰ͖Δ
    ˠIBDPSC͕ศར͔΋͠Εͳ͍ɻ
    ɹ1FSMͰ΋ɺίϯςφػೳͰ༡΂ΔΑʂ

    View Slide

  96. ָ҆͘͠શʹ
    ίϯςφΛ࢖͓͏ʂ

    View Slide

  97. ࢀߟࢿྉͷօ͞Μ
    wVE[VSBͷϒϩάʢTFDDPNQBQQBSNPSIBDPOJXBଞʣ
    wMYDKQ!5FO'PSXBSE͞Μͷࢿྉ
    w IUUQTTQFBLFSEFDLDPNUFOGPSXBSE
    wաڈͷ:"1$ :"1B$
    ൃදͳͲ
    w 1FSMͰθϩ͔Β࡞Δίϯςφ
    w ֶͭͬͯ͘Ϳ-JOVYίϯςφͷཪଆ
    w%PDLFSTFDVSJUZ
    w IUUQTEPDTEPDLFSDPNFOHJOFTFDVSJUZTFDVSJUZ

    View Slide

  98. 4QFDJBM5IBOLT
    w!5FO'PSXBSE͞ΜʹຊεϥΠυͷϨϏϡʔΛ͓ئ͍͠·ͨ͠ɻ

    ͋Γ͕ͱ͏͍͟͝·ͨ͠ɻ·ͨຊொͰҿΈ·͠ΐ͏ɻ

    View Slide