ロリポップ！マネージドクラウドを支えるコンテナ技術 / lolipop-mc-containers

Transcript

1. ۙ౻͏͓ͪ
   
   (.0
   1FQBCP
   *OD
   
   1)1ΧϯϑΝϨϯε෱Ԭ ϩϦϙοϓʂ
   ϚωʔδυΫϥ΢υΛࢧ͑Δ
   ίϯςφٕज़ͷશͯ

2. γχΞɾϓϦϯγύϧ ۙ౻͏͓ͪ
   !VE[VSB (.0ϖύϘɹٕज़෦ɹٕज़ج൫νʔϜ IUUQTCMPHVE[VSBKQ

3. 'VLVPLBSC
   
   !
   ԙ
   ϖύες (.0ϖύϘ෱Ԭࢧࣾ
   
   '

4. None

5. <?php

6. None

7. IUUQTNDMPMJQPQKQ
   

8. 
   
   
   
   
   
   
   Λ❗
   
   
   
   
   
   
   Λ❗

9. 8PSE1SFTTͳΒҰॠʂ
   1)1؀ڥ΋͙͢ʹʂ 44)΋Ͱ͖Δʂ ಠࣗυϝΠϯ΋γϡοͱʂ
   ແྉͰ5-4ରԠ΋ʂ

10. None

11. ίϯςφ

12. Linux containers, in short, contain applications in a way that

    keep them isolated from the host system that they run on. IUUQTPQFOTPVSDFDPNSFTPVSDFTXIBUBSFMJOVYDPOUBJOFST
    

13. ίϯςφΛ࢖͏ཧ༝ Ͱ

14. ։ൃऀ༷ʹ
    ΞϓϦέʔγϣϯʹ
    ूத͍͖͍ͯͨͩͨ͠

15. αʔόͰۤ࿑ͨ͘͠ͳ͍ʂ wϛυϧ΢ΣΞͳͲΛࣗ෼ͰೖΕΔͷ͸᠘΋ଟͯ͘େม
    wಥવෛՙ͕ߴ·ͬͨΒͲ͏͠Α͏ʁ
    w৭ʑͳ੬ऑੑ͕ग़͖ͯͯΔ͚ͲɺͲ͏ରॲ͢Ε͹͍͍ͷʁ

16. ίϯςφͷಛ௃ wίϯςφ͸ϙʔλϒϧ
    wˠඞཁͳ΋ͷʮશ෦ೖΓʯͷ؀ڥΛ͝ఏڙʂ
    wίϯςφ͸ىಈɾఀࢭ͕ߴ଎
    wˠඞཁʹԠͯ͡ͷىಈʢΦʔτεέʔϧʣ΋଎͍ʂ
    wˠෆཁͳ৔߹͸ͪΌΜͱఀࢭͯ͠ɺඅ༻͕͔͔Γ͗͢ͳ͍Α͏ʹ
    wˠίϯςφͷΞοϓάϨʔυɾೖΕସ͑࠶ىಈ΋ૉૣ͘ʂ

17. ίϯςφӡ༻͸
    ϖύϘʹ͓೚ͤʂ

18. ίϯςφͷಛ௃ ͷ

19. օ༷ʹͱͬͯ
    ίϯςφͱ͸

20. ίϯςφͷ͞Βʹਂ͍࿩

21. ಛघͳϓϩηεͷ࡞ΓํΛ͢Δ

22. ʮίϯςφؔ࿈ػೳʯΛ༗ޮʹ cgroup Linux Namespace Capability chroot/ pivot_root seccomp

23. ίϯςφ͸
    ϓϩηε

24. ϓϩηε͸
    ؆୯ʹ࡞ΕΔ

25. ίϯςφ͸
    ࡞ΕΔʂ

26. ։ൃऀ༷ʹ
    ΞϓϦέʔγϣϯʹ
    ूத͍͖͍ͯͨͩͨ͠ "HBJO

27. ࠷ߴʹूதͰ͖Δ
    ίϯςφ؀ڥΛʂ

28. Haconiwa

29. )BDPOJXB
    ͷ࢓૊Έ w-JOVY
    ͷ༷ʑͳίϯςφػೳΛ૊Έ߹ΘͤՄೳͳϥϯλΠϜ
    wγεςϜίʔϧ౳Λɺɹɹɹɹ
    
    
    
    
    
    
    Λܦ༝੍ͯ͠ޚͰ͖ΔΑ͏ʹ͠ɺ
 %4-ʹΑΓػೳͷ૊Έ߹Θͤ΍ɺ༷ʑͳΠϕϯτʹԠͨ͡ϑοΫॲཧ Λهड़Ͱ͖Δɻ

30. ਤղ Linux Kernel mruby gems Haconiwa DSL Containers Syscalls: *

    chroot * mount * prctl * unshare * setns * (cgroup op) * seccomp * setuid * setgid * ...... mruby-dir mruby-linux-namespace mruby-cgroup mruby-seccomp ...... sample.haco

31. Կ͕خ͍͠ʁ

32. ৽͍͠
    ίϯςφΞʔΩςΫνϟ

33. ίϯςφͱ͍͑Ͳ΋ɺ೉͍͠՝୊ w
    ͓٬༷؀ڥΛͳΔ΂͘շదɺ͔ͭߴूੵʹ
 ूੵ཰Λߴ͘͠ͳ͚Ε͹ɺݱ࣮తͳ͓஋ஈͰఏڙ͠ଓ͚Δ͜ͱ͕Ͱ͖ ͳ͍ʂɹͦΕͰ΋ɺշదͰͳ͍؀ڥʹ͸ͨ͘͠ͳ͍ʂ
    w
    ίϯςφͱ͸͍͑ɺӡ༻ʹ޻෉͠ͳ͍ͱߴ଎͡Όͳ͍
 ىಈɺఀࢭɺεέʔϧΞ΢τͳͲΛ͍͍ͪͪखಈͰ΍͍ͬͯͯ͸
 ঢ়گʹԠͯ͡ͳΊΒ͔ʹίϯςφͷ਺Λม͑ΒΕͳ͍͔ʁ

34. 'BTU$POUBJOFS
    ΞʔΩςΫνϟ

35. ਤղ Web Proxy Web Request Dispatcher FastContainer Runtime CMDB ❌

    FastContainer Killed 1. Check 2. Boot 3. Forward 4. Terminate

36. ίϯςφΛ॥؀ͤ͞Δʂ wίϯςφ͸ɺඞཁͳ࣌ʹ͔͠ىಈͤ͞ͳ͍ʂ
 ˠϗεταʔόͷϦιʔεΛඞཁҎ্ʹ࢖Θͳ͍ͷͰɺଟ͘ͷϢʔβ ༷ʹఏڙ͢Δ͜ͱ͕Ͱ͖ΔΑ͏ʹʂ
    wίϯςφͷʮੜଘ࣌ؒʯΛ۠੾ͬͯఏڙ͢Δʂ
 ˠίϯςφʹೖΕସ͑Λڧ੍ͤ͞ɺৗʹ৽͘͠อͨͤΔ͜ͱͰɺ
 ΞοϓάϨʔυɺΦʔτεέʔϧΛ༰қʹ࣮ݱͰ͖Δʂ ˠ΋ͬͱշదͳ؀ڥʹʂ

37. ݚڀ։ൃͷͱΓ͘Έ ͷ

38. IUUQTSBOEQFQBCPDPN
    

39. ΞʔΩςΫνϟ౳
    ࿦จԽ

40. αʔϏεͰ࢖ٕͬͨज़Λ࿦จʹ wɹɹɹɹɹɹɹɹɹɹɹͰ͸ɺ
 ݚڀ։ൃͱࣄۀߩݙͷؔΘΓΛେࣄʹ͍ͯ͠·͢
    wྫ͑͹
    'BTU$POUBJOFS
 w044΋࿦จʹ
    )BDPOJXB

41. None

42. ىಈߴ଎Խ
    $3*6

43. ΑΓշదͳίϯςφΛɻ w$3*6 $IFDLQPJOUBOE3FTUPSF
    *O
    6TFSTQBDF Λ༻͍ͯɺ
 ىಈ్தͷϓϩηεͷνΣοΫϙΠϯτΛ࡞੒ɺىಈΛߴ଎Խ͢Δ
 ݚڀΛਐΊ͍ͯ·͢ɻ
    w$IFDLQPJOU3FTUPSF$3*6͸֤ॴͰݚڀ͕ਐΜͰ͍·͕͢ɺ
 TFDDPNQͱQUSBDFΛ૊Έ߹Θͤɺ೚ҙͷϓϩηεΛىಈߴ଎Խ͢Δ
 ख๏Λ΍͍ͬͯͬͯ·͢ʂ IUUQTICNBUTVNPUPSKQFOUSZ
    

44. ·ͱΊ

45. ։ൃऀ༷͕։ൃʹ
    ूத͢ΔͨΊʹ
    શྗΛਚ͍ͯ͘͠·͢ʂ ͸

46. 1MFBTF
    "TL
    UIF
    4QFBLFS

47. ϓϥοτϑΥʔϜΛʮ࡞ͬͯʯΈ·ͤΜ͔ ࠷৽ͷ࠾༻৘ใΛνΣοΫˠ [email protected] IUUQIBUFOBOFXTDPNBSUJDMFT