Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
ロリポップ!マネージドクラウドを支えるコンテナ技術 / lolipop-mc-containers
Search
KONDO Uchio
June 16, 2018
Technology
0
3.3k
ロリポップ!マネージドクラウドを支えるコンテナ技術 / lolipop-mc-containers
@PHPカンファレンス福岡 2018
(スポンサートークです!)
https://phpcon.fukuoka.jp/2018/
KONDO Uchio
June 16, 2018
Tweet
Share
More Decks by KONDO Uchio
See All by KONDO Uchio
大規模レガシーテストを 倒すための CI基盤の作り方 / #CICD2023
udzura
5
2.4k
Ruby x BPF in Action / RubyKaigi 2022
udzura
0
250
Narrative of Ruby & Rust
udzura
0
220
開発者生産性指標の可視化 / pepabo-four-keys
udzura
3
1.7k
Talk of RBS
udzura
0
450
Re: みなさん最近どうですか? / FGN tech meetup in 2021
udzura
0
780
Dockerとやわらかい仮想化 - ProSec-IT/SECKUN 2021 edition -
udzura
2
730
Device access filtering in cgroup v2
udzura
1
920
"Story of Rucy" on RubyKaigi takeout 2021
udzura
0
840
Other Decks in Technology
See All in Technology
AWS CDK 入門ガイド これだけは知っておきたいヒント集
anank
5
700
freeeのアクセシビリティの現在地 / freee's Current Position on Accessibility
ymrl
2
280
AWS 怖い話 WAF編 @fillz_noh #AWSStartup #AWSStartup_Kansai
fillznoh
0
110
スタックチャン家庭用アシスタントへの道
kanekoh
0
120
振り返りTransit Gateway ~VPCをいい感じでつなげるために~
masakiokuda
1
170
shake-upを科学する
rsakata
7
960
QuickSight SPICE の効果的な運用戦略~S3 + Athena 構成での実践ノウハウ~/quicksight-spice-s3-athena-best-practices
emiki
0
280
united airlines ™®️ USA Contact Numbers: Complete 2025 Support Guide
flyunitedhelp
1
470
セキュアな社内Dify運用と外部連携の両立 ~AIによるAPIリスク評価~
zozotech
PRO
0
110
インフラ寄りSREの生存戦略
sansantech
PRO
9
3.5k
「Chatwork」のEKS環境を支えるhelmfileを使用したマニフェスト管理術
hanayo04
1
300
Deep Security Conference 2025:生成AI時代のセキュリティ監視 /dsc2025-genai-secmon
mizutani
3
240
Featured
See All Featured
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
Fashionably flexible responsive web design (full day workshop)
malarkey
407
66k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
357
30k
The Invisible Side of Design
smashingmag
301
51k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
21
1.3k
RailsConf 2023
tenderlove
30
1.1k
Writing Fast Ruby
sferik
628
62k
The MySQL Ecosystem @ GitHub 2015
samlambert
251
13k
Mobile First: as difficult as doing things right
swwweet
223
9.7k
Fantastic passwords and where to find them - at NoRuKo
philnash
51
3.3k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.4k
Navigating Team Friction
lara
187
15k
Transcript
ۙ౻͏͓ͪ(.01FQBCP *OD 1)1ΧϯϑΝϨϯεԬ ϩϦϙοϓʂ ϚωʔδυΫϥυΛࢧ͑Δ ίϯςφٕज़ͷશͯ
γχΞɾϓϦϯγύϧ ۙ౻͏͓ͪ!VE[VSB (.0ϖύϘɹٕज़෦ɹٕज़ج൫νʔϜ IUUQTCMPHVE[VSBKQ
'VLVPLBSC ! ԙϖύες (.0ϖύϘԬࢧࣾ'
None
<?php
None
IUUQTNDMPMJQPQKQ
Λ❗ Λ❗
8PSE1SFTTͳΒҰॠʂ 1)1ڥ͙͢ʹʂ 44)Ͱ͖Δʂ ಠࣗυϝΠϯγϡοͱʂ ແྉͰ5-4ରԠʂ
None
ίϯςφ
Linux containers, in short, contain applications in a way that
keep them isolated from the host system that they run on. IUUQTPQFOTPVSDFDPNSFTPVSDFTXIBUBSFMJOVYDPOUBJOFST
ίϯςφΛ͏ཧ༝ Ͱ
։ൃऀ༷ʹ ΞϓϦέʔγϣϯʹ ूத͍͖͍ͯͨͩͨ͠
αʔόͰۤ࿑ͨ͘͠ͳ͍ʂ wϛυϧΣΞͳͲΛࣗͰೖΕΔͷ᠘ଟͯ͘େม wಥવෛՙ͕ߴ·ͬͨΒͲ͏͠Α͏ʁ w৭ʑͳ੬ऑੑ͕ग़͖ͯͯΔ͚ͲɺͲ͏ରॲ͢Ε͍͍ͷʁ
ίϯςφͷಛ wίϯςφϙʔλϒϧ wˠඞཁͳͷʮશ෦ೖΓʯͷڥΛ͝ఏڙʂ wίϯςφىಈɾఀࢭ͕ߴ wˠඞཁʹԠͯ͡ͷىಈʢΦʔτεέʔϧʣ͍ʂ wˠෆཁͳ߹ͪΌΜͱఀࢭͯ͠ɺඅ༻͕͔͔Γ͗͢ͳ͍Α͏ʹ wˠίϯςφͷΞοϓάϨʔυɾೖΕସ͑࠶ىಈૉૣ͘ʂ
ίϯςφӡ༻ ϖύϘʹ͓ͤʂ
ίϯςφͷಛ ͷ
օ༷ʹͱͬͯίϯςφͱ
ίϯςφͷ͞Βʹਂ͍
ಛघͳϓϩηεͷ࡞ΓํΛ͢Δ
ʮίϯςφؔ࿈ػೳʯΛ༗ޮʹ cgroup Linux Namespace Capability chroot/ pivot_root seccomp
ίϯςφ ϓϩηε
ϓϩηε ؆୯ʹ࡞ΕΔ
ίϯςφ ࡞ΕΔʂ
։ൃऀ༷ʹ ΞϓϦέʔγϣϯʹ ूத͍͖͍ͯͨͩͨ͠ "HBJO
࠷ߴʹूதͰ͖Δ ίϯςφڥΛʂ
Haconiwa
)BDPOJXBͷΈ w-JOVYͷ༷ʑͳίϯςφػೳΛΈ߹ΘͤՄೳͳϥϯλΠϜ wγεςϜίʔϧΛɺɹɹɹɹΛܦ༝੍ͯ͠ޚͰ͖ΔΑ͏ʹ͠ɺ %4-ʹΑΓػೳͷΈ߹Θͤɺ༷ʑͳΠϕϯτʹԠͨ͡ϑοΫॲཧ Λهड़Ͱ͖Δɻ
ਤղ Linux Kernel mruby gems Haconiwa DSL Containers Syscalls: *
chroot * mount * prctl * unshare * setns * (cgroup op) * seccomp * setuid * setgid * ...... mruby-dir mruby-linux-namespace mruby-cgroup mruby-seccomp ...... sample.haco
Կ͕خ͍͠ʁ
৽͍͠ ίϯςφΞʔΩςΫνϟ
ίϯςφͱ͍͑Ͳɺ͍͠՝ w ͓٬༷ڥΛͳΔ͘շదɺ͔ͭߴूੵʹ ूੵΛߴ͘͠ͳ͚Εɺݱ࣮తͳ͓ஈͰఏڙ͠ଓ͚Δ͜ͱ͕Ͱ͖ ͳ͍ʂɹͦΕͰɺշదͰͳ͍ڥʹͨ͘͠ͳ͍ʂ w ίϯςφͱ͍͑ɺӡ༻ʹ͠ͳ͍ͱߴ͡Όͳ͍ ىಈɺఀࢭɺεέʔϧΞτͳͲΛ͍͍ͪͪखಈͰ͍ͬͯͯ ঢ়گʹԠͯ͡ͳΊΒ͔ʹίϯςφͷΛม͑ΒΕͳ͍͔ʁ
'BTU$POUBJOFS ΞʔΩςΫνϟ
ਤղ Web Proxy Web Request Dispatcher FastContainer Runtime CMDB ❌
FastContainer Killed 1. Check 2. Boot 3. Forward 4. Terminate
ίϯςφΛ॥ͤ͞Δʂ wίϯςφɺඞཁͳ࣌ʹ͔͠ىಈͤ͞ͳ͍ʂ ˠϗεταʔόͷϦιʔεΛඞཁҎ্ʹΘͳ͍ͷͰɺଟ͘ͷϢʔβ ༷ʹఏڙ͢Δ͜ͱ͕Ͱ͖ΔΑ͏ʹʂ wίϯςφͷʮੜଘ࣌ؒʯΛ۠ͬͯఏڙ͢Δʂ ˠίϯςφʹೖΕସ͑Λڧ੍ͤ͞ɺৗʹ৽͘͠อͨͤΔ͜ͱͰɺ ΞοϓάϨʔυɺΦʔτεέʔϧΛ༰қʹ࣮ݱͰ͖Δʂ ˠͬͱշదͳڥʹʂ
ݚڀ։ൃͷͱΓ͘Έ ͷ
IUUQTSBOEQFQBCPDPN
ΞʔΩςΫνϟ จԽ
αʔϏεͰٕͬͨज़Λจʹ wɹɹɹɹɹɹɹɹɹɹɹͰɺ ݚڀ։ൃͱࣄۀߩݙͷؔΘΓΛେࣄʹ͍ͯ͠·͢ wྫ͑'BTU$POUBJOFS w044จʹ)BDPOJXB
None
ىಈߴԽ $3*6
ΑΓշదͳίϯςφΛɻ w$3*6 $IFDLQPJOUBOE3FTUPSF*O6TFSTQBDF Λ༻͍ͯɺ ىಈ్தͷϓϩηεͷνΣοΫϙΠϯτΛ࡞ɺىಈΛߴԽ͢Δ ݚڀΛਐΊ͍ͯ·͢ɻ w$IFDLQPJOU3FTUPSF$3*6֤ॴͰݚڀ͕ਐΜͰ͍·͕͢ɺ TFDDPNQͱQUSBDFΛΈ߹ΘͤɺҙͷϓϩηεΛىಈߴԽ͢Δ ख๏Λ͍ͬͯͬͯ·͢ʂ IUUQTICNBUTVNPUPSKQFOUSZ
·ͱΊ
։ൃऀ༷͕։ൃʹ ूத͢ΔͨΊʹ શྗΛਚ͍ͯ͘͠·͢ʂ
1MFBTF "TLUIF4QFBLFS
ϓϥοτϑΥʔϜΛʮ࡞ͬͯʯΈ·ͤΜ͔ ࠷৽ͷ࠾༻ใΛνΣοΫˠ !QC@SFDSVJU IUUQIBUFOBOFXTDPNBSUJDMFT