Rubyで君もコンテナになる - Haconiwaのごく一部の機能の紹介 / learn-you-a-linux-namespace-for-great-good

Transcript

1. 
   3VCZεΫϦϓτͰ܅΋ίϯςφʹͳΔ
    ۙ౻͏͓ͪ
   
   (.0
   1FQBCP
   *OD
   
   QJYJWϐΫγϒ෱ԬΦϑΟε
   
   Φʔϓϯه೦-5ࡇ )BDPOJXBͷ࿩

2. ΤϯδχΞ ۙ౻͏͓ͪ
   !VE[VSB (.0ϖύϘ
   ٕज़ج൫νʔϜ
   ϓϦϯγύϧ IUUQVE[VSBIBUFOBCMPHKQ

3. (.0ϖύϘ
   
   'VLVPLBSC ۙ౻Ӊஐ࿕ ೥ΑΓ෱Ԭࡏॅ
   3P3ΤϯδχΞˠ%FW0QTํ໘ͱܦ༝ͯ͠
 ؾ͍ͮͨΒ$ͱNSVCZͰ-JOVYίϯςφΛॻ͍ͯͨਓ
   ޷͖ͳγεςϜίʔϧ͸
   VOTIBSF 
   FYFDWF 

4. 'VLVPLBSC ִि͍͍ͩͨਫ༵೔։࠵
   !
   ఱਆ
   ϖύϘ(SPPWFOBVUT
   0⒏DF

5. )BDPOJXB

6. )BDPOJXB
   ͱ͸ wNSVCZͰग़དྷͨ-JOVYίϯςφϥϯλΠϜ
   w%PDLFSͳͲͷ-JOVYίϯςφ͸ɺ-JOVYΧʔωϧͷ ༷ʑͳػೳͷ૊Έ߹ΘͤͰͰ͖͍ͯΔɻ
   wͦΕΒػೳͷ૊Έ߹Θͤ΍ɺίϯςφͷ্ཱͪ͛ϑΣʔ ζ͝ͱͷϑοΫɺγάφϧϋϯυϥͳͲΛࣗ༝ʹɺ 3VCZʹΑΔ%4-Ͱهड़Ͱ͖Δͷ͕ಛ௃

7. )BDPOJXB
   ͷࢿྉ w໊ݹ԰3VCZձٞ
 Ͱ΋࿩͠·ͨ͠ʂʂ̍
   w։ൃͷܦҢͳͲ
 ͸ͦͪΒʹ IUUQTTQFBLFSEFDLDPNVE[VSBIBDPOJXBBOEGVUVSFPT
   

8. ୈճ
   ϑΫΦΧ3VCZେ৆ड৆ ͜Ε͔ΒདྷΔίϯςφϥϯλΠϜͷ͸ͣ

9. -JOVY
   ͷ༷ʑͳػೳ

10. -JOVY
    /BNFTQBDF

11. DHSPVQ

12. ,FSOFM
    $BQBCJMJUZ

13. ͬͯΑ͘Θ͔Βͳ͍εΑͶ

14. ࠓ೔͸
    -JOVY
    /BNFTQBDF
    ͚ͩ
    ֮͑ͯؼΓ·͠ΐ͏

15. -JOVY
    /BNFTQBDF w-JOVYͷ༷ʑͳϦιʔεʢྫ͑͹ϗετ໊ɺϚ΢ϯτ ϙΠϯτɺͳͲͳͲʣ͸ɺ໊લۭؒΛ͍࣋ͬͯΔɻ
    wͳͷͰɺಉ͡ϗετ্ʹ͋ͬͯ΋ɺ͋Δϓϩηεͱผ ͷϓϩηεͱͰɺผʑͷϗετ໊Λ͍࣋ͬͯΔΑ͏ʹ ݟ͔͚ͤΔ͜ͱ͕Ͱ͖Δɻ

16. ΠϝʔδΘ͔ͳ͍͢ΑͶ

17. ͦ͜Ͱ)BDPOJXB

18. 6CVOUV
    9FOJBMʹΠϯετʔϧ $ curl -s https://packagecloud.io/install/repositories/ udzura/haconiwa/script.deb.sh | sudo bash #

    https://packagecloud.io/udzura/haconiwa/install $ sudo apt install haconiwa $ haconiwa version haconiwa: v0.6.2

19. ʢࠓճ͸ʣEFCPPUTUSBQͰSPPUGTΛ༻ҙ $ sudo apt install debootstrap $ debootstrap --arch amd64

    jessie \ /var/lib/haconiwa/jessie-box \ http://ftp.jp.debian.org/debian I: Retrieving Release I: Retrieving Release.gpg I: Checking Release signature ...

20. ͜͏͍͏3VCZͷεΫϦϓτΛॻ͘ Haconiwa.define do |config| config.name = "pixiv-example" config.init_command = ["/bin/bash"]

    config.chroot_to "/var/lib/haconiwa/jessie-box" end

21. ͔֬ʹʮίϯςφʯʹೖΕΔɻ Ͱ΋͜Ε͸ɺͨͩͷDISPPUͰ͢Ͷ

22. 654
    OBNFTQBDFΛ෼͚Δ diff --git a/sample.haco b/sample.haco index f163d45..fa15f50 100644 --- a/sample.haco

    +++ b/sample.haco @@ -2,4 +2,6 @@ Haconiwa.define do |config| config.name = "pixiv-example" config.init_command = ["/bin/bash"] config.chroot_to "/var/lib/haconiwa/jessie-box" + + config.namespace.unshare "uts" end

23. ϗετ໊͕෼͔Εͨʂ ঃʑʹίϯςφͬΆ͘ $ hostname udzura.example.com # ίϯςφʹೖΔ $ sudo haconiwa

    run sample.haco Container fork success and going to wait: pid=14895 root@pixiv-example:/# hostname pixiv-example

24. .PVOU
    OBNFTQBDFΛ෼͚Δɻ diff --git a/sample.haco b/sample.haco index fa15f50..83996c0 100644 --- a/sample.haco

    +++ b/sample.haco @@ -4,4 +4,7 @@ Haconiwa.define do |config| config.chroot_to "/var/lib/haconiwa/jessie-box" config.namespace.unshare "uts" + config.namespace.unshare "mount" + + config.mount_independent "procfs" end Ұॹʹ
    QSPD
    ͳͲΛίϯςφ಺෦ͰϚ΢ϯτ͢Δ

25. Ϛ΢ϯτϙΠϯτ͕ಠཱͨ͠ QSPD
    ΋ແࣄϚ΢ϯτͰ͖ɺ֎͔Βݟ͑ͳ͍ # on container root@pixiv-example:/# mount proc on /proc

    type proc (rw,relatime) # on host $ mount | grep proc proc on /proc type proc (rw,nosuid,nodev,noexec,relatime) systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=23,pgrp=1,timeout=300,minproto=5,maxproto=5,direct)

26. 1*%
    OBNFTQBDFΛ෼͚Δ *1$
    OBNFTQBDF
    ͸ɺͪΐͬͱྫ͕೉͍͠ͷͰলུ diff --git a/sample.haco b/sample.haco index 83996c0..b27d7be 100644 ---

    a/sample.haco +++ b/sample.haco @@ -5,6 +5,7 @@ Haconiwa.define do |config| config.namespace.unshare "uts" config.namespace.unshare "mount" + config.namespace.unshare "pid" config.mount_independent "procfs" end

27. 1*%͕͔Βʹͳͬͨ root@pixiv-example:/# sleep 100 & [1] 3 root@pixiv-example:/# ps auxf

    USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 1 0.0 0.3 20228 3220 ? S 10:10 0:00 /bin/bash root 3 0.0 0.0 4236 668 ? S 10:10 0:00 sleep 100 root 4 0.0 0.2 17496 2128 ? R+ 10:10 0:00 ps auxf ঃʑʹಠཱ͖ͯͨ͠

28. ࠷ޙʹ
    OFUOTΛ࡞ΓɺWFUIΛҾ͘ ip netns add pixiv001 ip link add haco__991 type

    veth peer name eth2 ip addr add 172.29.89.1/24 broadcast 172.29.89.255 dev haco__991 ip link set haco__991 up ip link set eth2 netns pixiv001 ip netns exec pixiv001 ip addr add 172.29.89.2/24 dev eth2 # ίϯςφͷΞυϨε ip netns exec pixiv001 ip link set lo up ip netns exec pixiv001 ip link set eth2 up # ૄ௨֬ೝ ping 172.29.89.2 ip netns exec pixiv001 ping 172.29.89.1

29. ͦͷ/FUXPSL
    OBNFTQBDFʹೖΔ diff --git a/sample.haco b/sample.haco index b27d7be..7835814 100644 --- a/sample.haco

    +++ b/sample.haco @@ -6,6 +6,8 @@ Haconiwa.define do |config| config.namespace.unshare "uts" config.namespace.unshare "mount" config.namespace.unshare "pid" + config.namespace.enter "net", via: "/var/run/netns/pixiv001" config.mount_independent "procfs" + config.mount_independent "sysfs" end TZT
    ഑Լʹ΋ωοτϫʔΫσόΠεͷ৘ใ͕͋ΔͷͰɺϦϚ΢ϯτਪ঑

30. ೖΕͨʂ $ sudo haconiwa run sample.haco Container fork success and

    going to wait: pid=12554 root@pixiv-example:/# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default link/ether 92:80:3b:32:32:6d brd ff:ff:ff:ff:ff:ff inet 172.29.89.2/24 scope global eth2 valid_lft forever preferred_lft forever inet6 fe80::9080:3bff:fe32:326d/64 scope link valid_lft forever preferred_lft forever

31. શମ Haconiwa.define do |config| config.name = "pixiv-example" config.init_command = ["/bin/bash"]

    config.chroot_to "/var/lib/haconiwa/jessie-box" config.namespace.unshare "uts" config.namespace.unshare "mount" config.namespace.unshare "pid" config.namespace.enter "net", via: "/var/run/netns/pixiv001" config.mount_independent "procfs" config.mount_independent "sysfs" end DHSPVQDBQBCJMJUZSMJNJUͦͷଞ΋%4-ͰઃఆͰ͖·͢

32. ิ଍ɺͦͷଞͷ/BNFTQBDF w*1$
    OBNFTQBDF
    
    TZTW104*9
    *1$ͷϦιʔε໊લۭؒͷ෼ׂɻ։ ൃऀ͕৮Δػձ͸গͳ͍͕ɺྫ͑͹IUUQEͷ಺෦Ͱ࢖͍ͬͯΔͷͰɺ IUUQEΛϗετʹ ୆ཱ͍ͯͨͱ͖ʹඞཁ
    w6TFS
    OBNFTQBDF
    
    ϗετͷಛఆͷϢʔβάϧʔϓ*%ͷൣғΛɺ ผͷ*%ʹݟ͔͚ͤΔ͜ͱ͕Ͱ͖ΔɻSPPUͰͳ͍ϢʔβΛVJEʹݟͤ ΔͳͲͰ͖Δɻ-JOVY
    
    Ͱ࣮૷׬ྃ Ͱ΋$FOU04Ͱ͸σϑΥϧτແޮ

    
    w$(SPVQ
    OBNFTQBDF
    
    DHSPVQͷ໊લۭؒɻϗετͰDHSPVQπϦʔ Λෳ਺࡞ΕΔɻ-JOVY
    
    ͔ΒೖͬͨΒ͍͠
    IUUQICNBUTVNPUPSKQFOUSZ
    

33. ·ͱΊ

34. )BDPOJXBΛ࢖͑͹ wίϯςφͷ༷ʑͳػೳΛɺ޷͖ͳΑ͏ʹ૊Έ߹Θͤͯ ࢖͑ΔɻͦΕΛ3VCZͰॻ͚Δɻ
    w/BNFTQBDFपΓҎ֎΋ࣗࡏʹઃఆͰ͖Δ
    wίϯςφͷษڧʹ΋ศར͔΋ɻ
    wྫ͑͹ɺෳ਺ίϯςφΛڞ௨ͷ/FUXPSL
    OBNFTQBDF ʹॴଐͤ͞ΔɺͳͲ΋ՄೳʢDG
    ࠷ޙͷྫʣ

35. &OKPZ
    $POUBJOFS
    #V⒎FU

36. ܅΋)BDPOJXBͰ΍Ζ͏ʂ ϖύϘͷ࠾༻ˠ !QC@SFDSVJU

37. ϖύΧϨ
    ୈظ
    కΊ੾ΓഭΔ
    WJTJU
    IUUQTXXXXBOUFEMZDPNQSPKFDUT
    
    

38. ը૾ʹ͍ͭͯ wλΠτϧഎܠը૾͸1VCMJD
    EPNBJO $$ ͷ΋ͷͷΈΛར༻͍ͯ͠· ͢ɻ
    wҰ෦ͷը૾͸ɺ஌ਓࡱӨͷ΋ͷɺ·ͨ͸(.0ϖύϘͷ࠾༻ϖʔδͷ ΋ͷΛར༻͓ͯ͠Γ·͢ɻແஅస༻ͳͲ͸͓߇͍͑ͩ͘͞ɻ