Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Speaker Deck
PRO
Sign in
Sign up for free
ロリポップ!マネージドクラウドを支えるコンテナ技術 / lolipop-mc-containers
KONDO Uchio
June 16, 2018
Technology
0
2.3k
ロリポップ!マネージドクラウドを支えるコンテナ技術 / lolipop-mc-containers
@PHPカンファレンス福岡 2018
(スポンサートークです!)
https://phpcon.fukuoka.jp/2018/
KONDO Uchio
June 16, 2018
Tweet
Share
More Decks by KONDO Uchio
See All by KONDO Uchio
Ruby x BPF in Action / RubyKaigi 2022
udzura
0
15
Narrative of Ruby & Rust
udzura
0
49
開発者生産性指標の可視化 / pepabo-four-keys
udzura
3
840
Talk of RBS
udzura
0
180
Re: みなさん最近どうですか? / FGN tech meetup in 2021
udzura
0
500
Dockerとやわらかい仮想化 - ProSec-IT/SECKUN 2021 edition -
udzura
1
420
Device access filtering in cgroup v2
udzura
0
430
"Story of Rucy" on RubyKaigi takeout 2021
udzura
0
370
生産性を可視化したい! / SUZURI's four keys
udzura
11
4.8k
Other Decks in Technology
See All in Technology
立ち止まっても、寄り道しても / even if I stop, even if I take a detour
katoaz
0
420
Stripe / Okta Customer Identity Cloud(旧Auth0) の採用に至った理由 〜モリサワの SaaS 戦略〜
tomuro
0
120
エアドロップ for オープンソースプロジェクト
epicsdao
0
380
MarvelClient Upgrade 64bit クライアントへの自動アップグレード設定
mitsuru_katoh
0
120
日経電子版だけじゃない! 日経の新規Webメディアの開発 - NIKKEI Tech Talk #3
sztm
0
280
証明書って何だっけ? 〜AWSの中間CA移行に備える〜
minorun365
3
2.1k
NGINXENG JP#2 - 3-NGINX Plus・プロダクトのアップデート
hiropo20
0
220
cdk deployに必要な権限ってなんだ?
kinyok
0
160
AI Builderについて
miyakemito
0
890
Kaggleシミュレーションコンペの動向
nagiss
0
260
PHPのimmutable arrayとは
hnw
1
150
PCI DSS に準拠したシステム開発
yutadayo
0
310
Featured
See All Featured
Become a Pro
speakerdeck
PRO
6
3.2k
The Art of Programming - Codeland 2020
erikaheidi
35
11k
Stop Working from a Prison Cell
hatefulcrawdad
263
18k
Thoughts on Productivity
jonyablonski
49
2.7k
Code Review Best Practice
trishagee
50
11k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
44
14k
Side Projects
sachag
451
37k
The Web Native Designer (August 2011)
paulrobertlloyd
76
2.2k
Build your cross-platform service in a week with App Engine
jlugia
221
17k
The Invisible Customer
myddelton
113
12k
StorybookのUI Testing Handbookを読んだ
zakiyama
8
3.2k
What the flash - Photography Introduction
edds
64
10k
Transcript
ۙ౻͏͓ͪ(.01FQBCP *OD 1)1ΧϯϑΝϨϯεԬ ϩϦϙοϓʂ ϚωʔδυΫϥυΛࢧ͑Δ ίϯςφٕज़ͷશͯ
γχΞɾϓϦϯγύϧ ۙ౻͏͓ͪ!VE[VSB (.0ϖύϘɹٕज़෦ɹٕज़ج൫νʔϜ IUUQTCMPHVE[VSBKQ
'VLVPLBSC ! ԙϖύες (.0ϖύϘԬࢧࣾ'
None
<?php
None
IUUQTNDMPMJQPQKQ
Λ❗ Λ❗
8PSE1SFTTͳΒҰॠʂ 1)1ڥ͙͢ʹʂ 44)Ͱ͖Δʂ ಠࣗυϝΠϯγϡοͱʂ ແྉͰ5-4ରԠʂ
None
ίϯςφ
Linux containers, in short, contain applications in a way that
keep them isolated from the host system that they run on. IUUQTPQFOTPVSDFDPNSFTPVSDFTXIBUBSFMJOVYDPOUBJOFST
ίϯςφΛ͏ཧ༝ Ͱ
։ൃऀ༷ʹ ΞϓϦέʔγϣϯʹ ूத͍͖͍ͯͨͩͨ͠
αʔόͰۤ࿑ͨ͘͠ͳ͍ʂ wϛυϧΣΞͳͲΛࣗͰೖΕΔͷ᠘ଟͯ͘େม wಥવෛՙ͕ߴ·ͬͨΒͲ͏͠Α͏ʁ w৭ʑͳ੬ऑੑ͕ग़͖ͯͯΔ͚ͲɺͲ͏ରॲ͢Ε͍͍ͷʁ
ίϯςφͷಛ wίϯςφϙʔλϒϧ wˠඞཁͳͷʮશ෦ೖΓʯͷڥΛ͝ఏڙʂ wίϯςφىಈɾఀࢭ͕ߴ wˠඞཁʹԠͯ͡ͷىಈʢΦʔτεέʔϧʣ͍ʂ wˠෆཁͳ߹ͪΌΜͱఀࢭͯ͠ɺඅ༻͕͔͔Γ͗͢ͳ͍Α͏ʹ wˠίϯςφͷΞοϓάϨʔυɾೖΕସ͑࠶ىಈૉૣ͘ʂ
ίϯςφӡ༻ ϖύϘʹ͓ͤʂ
ίϯςφͷಛ ͷ
օ༷ʹͱͬͯίϯςφͱ
ίϯςφͷ͞Βʹਂ͍
ಛघͳϓϩηεͷ࡞ΓํΛ͢Δ
ʮίϯςφؔ࿈ػೳʯΛ༗ޮʹ cgroup Linux Namespace Capability chroot/ pivot_root seccomp
ίϯςφ ϓϩηε
ϓϩηε ؆୯ʹ࡞ΕΔ
ίϯςφ ࡞ΕΔʂ
։ൃऀ༷ʹ ΞϓϦέʔγϣϯʹ ूத͍͖͍ͯͨͩͨ͠ "HBJO
࠷ߴʹूதͰ͖Δ ίϯςφڥΛʂ
Haconiwa
)BDPOJXBͷΈ w-JOVYͷ༷ʑͳίϯςφػೳΛΈ߹ΘͤՄೳͳϥϯλΠϜ wγεςϜίʔϧΛɺɹɹɹɹΛܦ༝੍ͯ͠ޚͰ͖ΔΑ͏ʹ͠ɺ %4-ʹΑΓػೳͷΈ߹Θͤɺ༷ʑͳΠϕϯτʹԠͨ͡ϑοΫॲཧ Λهड़Ͱ͖Δɻ
ਤղ Linux Kernel mruby gems Haconiwa DSL Containers Syscalls: *
chroot * mount * prctl * unshare * setns * (cgroup op) * seccomp * setuid * setgid * ...... mruby-dir mruby-linux-namespace mruby-cgroup mruby-seccomp ...... sample.haco
Կ͕خ͍͠ʁ
৽͍͠ ίϯςφΞʔΩςΫνϟ
ίϯςφͱ͍͑Ͳɺ͍͠՝ w ͓٬༷ڥΛͳΔ͘շదɺ͔ͭߴूੵʹ ूੵΛߴ͘͠ͳ͚Εɺݱ࣮తͳ͓ஈͰఏڙ͠ଓ͚Δ͜ͱ͕Ͱ͖ ͳ͍ʂɹͦΕͰɺշదͰͳ͍ڥʹͨ͘͠ͳ͍ʂ w ίϯςφͱ͍͑ɺӡ༻ʹ͠ͳ͍ͱߴ͡Όͳ͍ ىಈɺఀࢭɺεέʔϧΞτͳͲΛ͍͍ͪͪखಈͰ͍ͬͯͯ ঢ়گʹԠͯ͡ͳΊΒ͔ʹίϯςφͷΛม͑ΒΕͳ͍͔ʁ
'BTU$POUBJOFS ΞʔΩςΫνϟ
ਤղ Web Proxy Web Request Dispatcher FastContainer Runtime CMDB ❌
FastContainer Killed 1. Check 2. Boot 3. Forward 4. Terminate
ίϯςφΛ॥ͤ͞Δʂ wίϯςφɺඞཁͳ࣌ʹ͔͠ىಈͤ͞ͳ͍ʂ ˠϗεταʔόͷϦιʔεΛඞཁҎ্ʹΘͳ͍ͷͰɺଟ͘ͷϢʔβ ༷ʹఏڙ͢Δ͜ͱ͕Ͱ͖ΔΑ͏ʹʂ wίϯςφͷʮੜଘ࣌ؒʯΛ۠ͬͯఏڙ͢Δʂ ˠίϯςφʹೖΕସ͑Λڧ੍ͤ͞ɺৗʹ৽͘͠อͨͤΔ͜ͱͰɺ ΞοϓάϨʔυɺΦʔτεέʔϧΛ༰қʹ࣮ݱͰ͖Δʂ ˠͬͱշదͳڥʹʂ
ݚڀ։ൃͷͱΓ͘Έ ͷ
IUUQTSBOEQFQBCPDPN
ΞʔΩςΫνϟ จԽ
αʔϏεͰٕͬͨज़Λจʹ wɹɹɹɹɹɹɹɹɹɹɹͰɺ ݚڀ։ൃͱࣄۀߩݙͷؔΘΓΛେࣄʹ͍ͯ͠·͢ wྫ͑'BTU$POUBJOFS w044จʹ)BDPOJXB
None
ىಈߴԽ $3*6
ΑΓշదͳίϯςφΛɻ w$3*6 $IFDLQPJOUBOE3FTUPSF*O6TFSTQBDF Λ༻͍ͯɺ ىಈ్தͷϓϩηεͷνΣοΫϙΠϯτΛ࡞ɺىಈΛߴԽ͢Δ ݚڀΛਐΊ͍ͯ·͢ɻ w$IFDLQPJOU3FTUPSF$3*6֤ॴͰݚڀ͕ਐΜͰ͍·͕͢ɺ TFDDPNQͱQUSBDFΛΈ߹ΘͤɺҙͷϓϩηεΛىಈߴԽ͢Δ ख๏Λ͍ͬͯͬͯ·͢ʂ IUUQTICNBUTVNPUPSKQFOUSZ
·ͱΊ
։ൃऀ༷͕։ൃʹ ूத͢ΔͨΊʹ શྗΛਚ͍ͯ͘͠·͢ʂ
1MFBTF "TLUIF4QFBLFS
ϓϥοτϑΥʔϜΛʮ࡞ͬͯʯΈ·ͤΜ͔ ࠷৽ͷ࠾༻ใΛνΣοΫˠ
[email protected]
IUUQIBUFOBOFXTDPNBSUJDMFT