Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
ロリポップ!マネージドクラウドを支えるコンテナ技術 / lolipop-mc-containers
Search
KONDO Uchio
June 16, 2018
Technology
0
3.2k
ロリポップ!マネージドクラウドを支えるコンテナ技術 / lolipop-mc-containers
@PHPカンファレンス福岡 2018
(スポンサートークです!)
https://phpcon.fukuoka.jp/2018/
KONDO Uchio
June 16, 2018
Tweet
Share
More Decks by KONDO Uchio
See All by KONDO Uchio
大規模レガシーテストを 倒すための CI基盤の作り方 / #CICD2023
udzura
5
2.3k
Ruby x BPF in Action / RubyKaigi 2022
udzura
0
220
Narrative of Ruby & Rust
udzura
0
190
開発者生産性指標の可視化 / pepabo-four-keys
udzura
3
1.6k
Talk of RBS
udzura
0
410
Re: みなさん最近どうですか? / FGN tech meetup in 2021
udzura
0
740
Dockerとやわらかい仮想化 - ProSec-IT/SECKUN 2021 edition -
udzura
2
700
Device access filtering in cgroup v2
udzura
1
820
"Story of Rucy" on RubyKaigi takeout 2021
udzura
0
770
Other Decks in Technology
See All in Technology
AWSアカウントのセキュリティ自動化、どこまで進める? 最適な設計と実践ポイント
yuobayashi
7
850
LINE NEWSにおけるバックエンド開発
lycorptech_jp
PRO
0
320
手を動かしてレベルアップしよう!
maruto
0
240
【内製開発Summit 2025】イオンスマートテクノロジーの内製化組織の作り方/In-house-development-summit-AST
aeonpeople
2
1k
What's new in Go 1.24?
ciarana
1
110
Share my, our lessons from the road to re:Invent
naospon
0
150
AWS Well-Architected Frameworkで学ぶAmazon ECSのセキュリティ対策
umekou
2
150
あなたが人生で成功するための5つの普遍的法則 #jawsug #jawsdays2025 / 20250301 HEROZ
yoshidashingo
2
320
開発者のための FinOps/FinOps for Engineers
oracle4engineer
PRO
2
180
【5分でわかる】セーフィー エンジニア向け会社紹介
safie_recruit
0
19k
設計を積み重ねてシステムを刷新する
sansantech
PRO
0
180
JAWS DAYS 2025 アーキテクチャ道場 事前説明会 / JAWS DAYS 2025 briefing document
naospon
0
2.6k
Featured
See All Featured
Become a Pro
speakerdeck
PRO
26
5.2k
Adopting Sorbet at Scale
ufuk
75
9.2k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
Gamification - CAS2011
davidbonilla
80
5.2k
For a Future-Friendly Web
brad_frost
176
9.6k
Building Your Own Lightsaber
phodgson
104
6.2k
Automating Front-end Workflow
addyosmani
1369
200k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
330
21k
Six Lessons from altMBA
skipperchong
27
3.6k
VelocityConf: Rendering Performance Case Studies
addyosmani
328
24k
Being A Developer After 40
akosma
89
590k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
46
2.3k
Transcript
ۙ౻͏͓ͪ(.01FQBCP *OD 1)1ΧϯϑΝϨϯεԬ ϩϦϙοϓʂ ϚωʔδυΫϥυΛࢧ͑Δ ίϯςφٕज़ͷશͯ
γχΞɾϓϦϯγύϧ ۙ౻͏͓ͪ!VE[VSB (.0ϖύϘɹٕज़෦ɹٕज़ج൫νʔϜ IUUQTCMPHVE[VSBKQ
'VLVPLBSC ! ԙϖύες (.0ϖύϘԬࢧࣾ'
None
<?php
None
IUUQTNDMPMJQPQKQ
Λ❗ Λ❗
8PSE1SFTTͳΒҰॠʂ 1)1ڥ͙͢ʹʂ 44)Ͱ͖Δʂ ಠࣗυϝΠϯγϡοͱʂ ແྉͰ5-4ରԠʂ
None
ίϯςφ
Linux containers, in short, contain applications in a way that
keep them isolated from the host system that they run on. IUUQTPQFOTPVSDFDPNSFTPVSDFTXIBUBSFMJOVYDPOUBJOFST
ίϯςφΛ͏ཧ༝ Ͱ
։ൃऀ༷ʹ ΞϓϦέʔγϣϯʹ ूத͍͖͍ͯͨͩͨ͠
αʔόͰۤ࿑ͨ͘͠ͳ͍ʂ wϛυϧΣΞͳͲΛࣗͰೖΕΔͷ᠘ଟͯ͘େม wಥવෛՙ͕ߴ·ͬͨΒͲ͏͠Α͏ʁ w৭ʑͳ੬ऑੑ͕ग़͖ͯͯΔ͚ͲɺͲ͏ରॲ͢Ε͍͍ͷʁ
ίϯςφͷಛ wίϯςφϙʔλϒϧ wˠඞཁͳͷʮશ෦ೖΓʯͷڥΛ͝ఏڙʂ wίϯςφىಈɾఀࢭ͕ߴ wˠඞཁʹԠͯ͡ͷىಈʢΦʔτεέʔϧʣ͍ʂ wˠෆཁͳ߹ͪΌΜͱఀࢭͯ͠ɺඅ༻͕͔͔Γ͗͢ͳ͍Α͏ʹ wˠίϯςφͷΞοϓάϨʔυɾೖΕସ͑࠶ىಈૉૣ͘ʂ
ίϯςφӡ༻ ϖύϘʹ͓ͤʂ
ίϯςφͷಛ ͷ
օ༷ʹͱͬͯίϯςφͱ
ίϯςφͷ͞Βʹਂ͍
ಛघͳϓϩηεͷ࡞ΓํΛ͢Δ
ʮίϯςφؔ࿈ػೳʯΛ༗ޮʹ cgroup Linux Namespace Capability chroot/ pivot_root seccomp
ίϯςφ ϓϩηε
ϓϩηε ؆୯ʹ࡞ΕΔ
ίϯςφ ࡞ΕΔʂ
։ൃऀ༷ʹ ΞϓϦέʔγϣϯʹ ूத͍͖͍ͯͨͩͨ͠ "HBJO
࠷ߴʹूதͰ͖Δ ίϯςφڥΛʂ
Haconiwa
)BDPOJXBͷΈ w-JOVYͷ༷ʑͳίϯςφػೳΛΈ߹ΘͤՄೳͳϥϯλΠϜ wγεςϜίʔϧΛɺɹɹɹɹΛܦ༝੍ͯ͠ޚͰ͖ΔΑ͏ʹ͠ɺ %4-ʹΑΓػೳͷΈ߹Θͤɺ༷ʑͳΠϕϯτʹԠͨ͡ϑοΫॲཧ Λهड़Ͱ͖Δɻ
ਤղ Linux Kernel mruby gems Haconiwa DSL Containers Syscalls: *
chroot * mount * prctl * unshare * setns * (cgroup op) * seccomp * setuid * setgid * ...... mruby-dir mruby-linux-namespace mruby-cgroup mruby-seccomp ...... sample.haco
Կ͕خ͍͠ʁ
৽͍͠ ίϯςφΞʔΩςΫνϟ
ίϯςφͱ͍͑Ͳɺ͍͠՝ w ͓٬༷ڥΛͳΔ͘շదɺ͔ͭߴूੵʹ ूੵΛߴ͘͠ͳ͚Εɺݱ࣮తͳ͓ஈͰఏڙ͠ଓ͚Δ͜ͱ͕Ͱ͖ ͳ͍ʂɹͦΕͰɺշదͰͳ͍ڥʹͨ͘͠ͳ͍ʂ w ίϯςφͱ͍͑ɺӡ༻ʹ͠ͳ͍ͱߴ͡Όͳ͍ ىಈɺఀࢭɺεέʔϧΞτͳͲΛ͍͍ͪͪखಈͰ͍ͬͯͯ ঢ়گʹԠͯ͡ͳΊΒ͔ʹίϯςφͷΛม͑ΒΕͳ͍͔ʁ
'BTU$POUBJOFS ΞʔΩςΫνϟ
ਤղ Web Proxy Web Request Dispatcher FastContainer Runtime CMDB ❌
FastContainer Killed 1. Check 2. Boot 3. Forward 4. Terminate
ίϯςφΛ॥ͤ͞Δʂ wίϯςφɺඞཁͳ࣌ʹ͔͠ىಈͤ͞ͳ͍ʂ ˠϗεταʔόͷϦιʔεΛඞཁҎ্ʹΘͳ͍ͷͰɺଟ͘ͷϢʔβ ༷ʹఏڙ͢Δ͜ͱ͕Ͱ͖ΔΑ͏ʹʂ wίϯςφͷʮੜଘ࣌ؒʯΛ۠ͬͯఏڙ͢Δʂ ˠίϯςφʹೖΕସ͑Λڧ੍ͤ͞ɺৗʹ৽͘͠อͨͤΔ͜ͱͰɺ ΞοϓάϨʔυɺΦʔτεέʔϧΛ༰қʹ࣮ݱͰ͖Δʂ ˠͬͱշదͳڥʹʂ
ݚڀ։ൃͷͱΓ͘Έ ͷ
IUUQTSBOEQFQBCPDPN
ΞʔΩςΫνϟ จԽ
αʔϏεͰٕͬͨज़Λจʹ wɹɹɹɹɹɹɹɹɹɹɹͰɺ ݚڀ։ൃͱࣄۀߩݙͷؔΘΓΛେࣄʹ͍ͯ͠·͢ wྫ͑'BTU$POUBJOFS w044จʹ)BDPOJXB
None
ىಈߴԽ $3*6
ΑΓշదͳίϯςφΛɻ w$3*6 $IFDLQPJOUBOE3FTUPSF*O6TFSTQBDF Λ༻͍ͯɺ ىಈ్தͷϓϩηεͷνΣοΫϙΠϯτΛ࡞ɺىಈΛߴԽ͢Δ ݚڀΛਐΊ͍ͯ·͢ɻ w$IFDLQPJOU3FTUPSF$3*6֤ॴͰݚڀ͕ਐΜͰ͍·͕͢ɺ TFDDPNQͱQUSBDFΛΈ߹ΘͤɺҙͷϓϩηεΛىಈߴԽ͢Δ ख๏Λ͍ͬͯͬͯ·͢ʂ IUUQTICNBUTVNPUPSKQFOUSZ
·ͱΊ
։ൃऀ༷͕։ൃʹ ूத͢ΔͨΊʹ શྗΛਚ͍ͯ͘͠·͢ʂ
1MFBTF "TLUIF4QFBLFS
ϓϥοτϑΥʔϜΛʮ࡞ͬͯʯΈ·ͤΜ͔ ࠷৽ͷ࠾༻ใΛνΣοΫˠ !QC@SFDSVJU IUUQIBUFOBOFXTDPNBSUJDMFT