Upgrade to Pro — share decks privately, control downloads, hide ads and more …

ロリポップ!マネージドクラウドを支えるコンテナ技術 / lolipop-mc-containers

KONDO Uchio
June 16, 2018
Technology
0
2.5k

ロリポップ!マネージドクラウドを支えるコンテナ技術 / lolipop-mc-containers

@PHPカンファレンス福岡 2018
(スポンサートークです!)

https://phpcon.fukuoka.jp/2018/

KONDO Uchio

June 16, 2018
Tweet

More Decks by KONDO Uchio

See All by KONDO Uchio
大規模レガシーテストを 倒すための CI基盤の作り方 / #CICD2023
udzura
5
1.9k
Ruby x BPF in Action / RubyKaigi 2022
udzura
0
53
Narrative of Ruby & Rust
udzura
0
91
開発者生産性指標の可視化 / pepabo-four-keys
udzura
3
1.1k
Talk of RBS
udzura
0
240
Re: みなさん最近どうですか? / FGN tech meetup in 2021
udzura
0
580
Dockerとやわらかい仮想化 - ProSec-IT/SECKUN 2021 edition -
udzura
2
480
Device access filtering in cgroup v2
udzura
0
530
"Story of Rucy" on RubyKaigi takeout 2021
udzura
0
450

Other Decks in Technology

See All in Technology
Jetpack Glanceではじめる Material 3のColor
mochico
0
560
様々なユースケースに利用できる "パスキー" の 導入事例の紹介とUXの課題解説 @ DroidKaigi 2023
ritou
1
1.7k
Introduction to mcl-wasm
herumi
1
290
[PHPカンファレンス沖縄2023]【実践編】良いプロダクト作りのための組織育成 健全なコードは健全な組織、健全なチームから
ikezoemakoto
0
180
ビジネス向けアプリを開発するときに知っておくべきAndroid Enterpriseの世界
imsaku
0
470
承認コネクタについて
miyakemito
1
120
Create the DTO System of your Dreams: stateOptions + entityClass
weaverryan
0
170
できる!アクセシビリティ向上/droidkaigi2023-day2
nikkei_engineer_recruiting
0
890
GitHub Copilot Behind the Scene
yuhattor
1
610
Postmanで始めるAI・機械学習プラットフォームHugging Face
nagix
1
170
2023/09/14 Fin-JAWS #32 「SIEM on Amazon OpenSearch Serviceを1年運用してわかったこと」
junjikoide
1
200
リスキリングの特効薬!「技術コミュニティ」のススメ
mamohacy
1
620

Featured

See All Featured
Three Pipe Problems
jasonvnalue
89
9.2k
Designing for Performance
lara
601
66k
Raft: Consensus for Rubyists
vanstee
130
5.9k
GraphQLの誤解/rethinking-graphql
sonatard
44
8.5k
A Modern Web Designer's Workflow
chriscoyier
688
190k
Code Review Best Practice
trishagee
53
13k
What's in a price? How to price your products and services
michaelherold
236
10k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
33
8.5k
5 minutes of I Can Smell Your CMS
philhawksworth
199
19k
Automating Front-end Workflow
addyosmani
1354
200k
We Have a Design System, Now What?
morganepeng
40
6.3k
For a Future-Friendly Web
brad_frost
168
8.2k

Transcript

  1. ۙ౻͏͓ͪ(.01FQBCP *OD
    1)1ΧϯϑΝϨϯε෱Ԭ
    ϩϦϙοϓʂ
    ϚωʔδυΫϥ΢υΛࢧ͑Δ
    ίϯςφٕज़ͷશͯ

    View Slide

  2. γχΞɾϓϦϯγύϧ
    ۙ౻͏͓ͪ!VE[VSB
    (.0ϖύϘɹٕज़෦ɹٕज़ج൫νʔϜ
    IUUQTCMPHVE[VSBKQ

    View Slide

  3. 'VLVPLBSC
    !
    ԙϖύες
    (.0ϖύϘ෱Ԭࢧࣾ'

    View Slide

  4. View Slide

  5. View Slide

  6. View Slide

  7. IUUQTNDMPMJQPQKQ

    View Slide

  8. Λ❗ Λ❗

    View Slide

  9. 8PSE1SFTTͳΒҰॠʂ
    1)1؀ڥ΋͙͢ʹʂ
    44)΋Ͱ͖Δʂ
    ಠࣗυϝΠϯ΋γϡοͱʂ
    ແྉͰ5-4ରԠ΋ʂ

    View Slide

  10. View Slide

  11. ίϯςφ

    View Slide

  12. Linux containers, in short, contain
    applications in a way that keep them
    isolated from the host system that
    they run on.
    IUUQTPQFOTPVSDFDPNSFTPVSDFTXIBUBSFMJOVYDPOUBJOFST

    View Slide

  13. ίϯςφΛ࢖͏ཧ༝
    Ͱ

    View Slide

  14. ։ൃऀ༷ʹ
    ΞϓϦέʔγϣϯʹ
    ूத͍͖͍ͯͨͩͨ͠

    View Slide

  15. αʔόͰۤ࿑ͨ͘͠ͳ͍ʂ
    wϛυϧ΢ΣΞͳͲΛࣗ෼ͰೖΕΔͷ͸᠘΋ଟͯ͘େม
    wಥવෛՙ͕ߴ·ͬͨΒͲ͏͠Α͏ʁ
    w৭ʑͳ੬ऑੑ͕ग़͖ͯͯΔ͚ͲɺͲ͏ରॲ͢Ε͹͍͍ͷʁ

    View Slide

  16. ίϯςφͷಛ௃
    wίϯςφ͸ϙʔλϒϧ
    wˠඞཁͳ΋ͷʮશ෦ೖΓʯͷ؀ڥΛ͝ఏڙʂ
    wίϯςφ͸ىಈɾఀࢭ͕ߴ଎
    wˠඞཁʹԠͯ͡ͷىಈʢΦʔτεέʔϧʣ΋଎͍ʂ
    wˠෆཁͳ৔߹͸ͪΌΜͱఀࢭͯ͠ɺඅ༻͕͔͔Γ͗͢ͳ͍Α͏ʹ
    wˠίϯςφͷΞοϓάϨʔυɾೖΕସ͑࠶ىಈ΋ૉૣ͘ʂ

    View Slide

  17. ίϯςφӡ༻͸
    ϖύϘʹ͓೚ͤʂ

    View Slide

  18. ίϯςφͷಛ௃
    ͷ

    View Slide

  19. օ༷ʹͱͬͯίϯςφͱ͸

    View Slide

  20. ίϯςφͷ͞Βʹਂ͍࿩

    View Slide

  21. ಛघͳϓϩηεͷ࡞ΓํΛ͢Δ

    View Slide

  22. ʮίϯςφؔ࿈ػೳʯΛ༗ޮʹ
    cgroup
    Linux

    Namespace
    Capability
    chroot/

    pivot_root
    seccomp

    View Slide

  23. ίϯςφ͸
    ϓϩηε

    View Slide

  24. ϓϩηε͸
    ؆୯ʹ࡞ΕΔ

    View Slide

  25. ίϯςφ͸
    ࡞ΕΔʂ

    View Slide

  26. ։ൃऀ༷ʹ
    ΞϓϦέʔγϣϯʹ
    ूத͍͖͍ͯͨͩͨ͠
    "HBJO

    View Slide

  27. ࠷ߴʹूதͰ͖Δ
    ίϯςφ؀ڥΛʂ

    View Slide

  28. Haconiwa

    View Slide

  29. )BDPOJXBͷ࢓૊Έ
    w-JOVYͷ༷ʑͳίϯςφػೳΛ૊Έ߹ΘͤՄೳͳϥϯλΠϜ
    wγεςϜίʔϧ౳ΛɺɹɹɹɹΛܦ༝੍ͯ͠ޚͰ͖ΔΑ͏ʹ͠ɺ

    %4-ʹΑΓػೳͷ૊Έ߹Θͤ΍ɺ༷ʑͳΠϕϯτʹԠͨ͡ϑοΫॲཧ
    Λهड़Ͱ͖Δɻ

    View Slide

  30. ਤղ
    Linux

    Kernel mruby gems Haconiwa

    DSL Containers
    Syscalls:

    * chroot

    * mount

    * prctl

    * unshare

    * setns

    * (cgroup op)

    * seccomp

    * setuid

    * setgid

    * ......
    mruby-dir
    mruby-linux-namespace
    mruby-cgroup
    mruby-seccomp
    ......
    sample.haco

    View Slide

  31. Կ͕خ͍͠ʁ

    View Slide

  32. ৽͍͠
    ίϯςφΞʔΩςΫνϟ

    View Slide

  33. ίϯςφͱ͍͑Ͳ΋ɺ೉͍͠՝୊
    w
    ͓٬༷؀ڥΛͳΔ΂͘շదɺ͔ͭߴूੵʹ

    ूੵ཰Λߴ͘͠ͳ͚Ε͹ɺݱ࣮తͳ͓஋ஈͰఏڙ͠ଓ͚Δ͜ͱ͕Ͱ͖
    ͳ͍ʂɹͦΕͰ΋ɺշదͰͳ͍؀ڥʹ͸ͨ͘͠ͳ͍ʂ
    w
    ίϯςφͱ͸͍͑ɺӡ༻ʹ޻෉͠ͳ͍ͱߴ଎͡Όͳ͍

    ىಈɺఀࢭɺεέʔϧΞ΢τͳͲΛ͍͍ͪͪखಈͰ΍͍ͬͯͯ͸

    ঢ়گʹԠͯ͡ͳΊΒ͔ʹίϯςφͷ਺Λม͑ΒΕͳ͍͔ʁ

    View Slide

  34. 'BTU$POUBJOFS
    ΞʔΩςΫνϟ

    View Slide

  35. ਤղ
    Web

    Proxy
    Web

    Request

    Dispatcher
    FastContainer
    Runtime
    CMDB

    FastContainer
    Killed
    1. Check
    2. Boot
    3. Forward
    4. Terminate

    View Slide

  36. ίϯςφΛ॥؀ͤ͞Δʂ
    wίϯςφ͸ɺඞཁͳ࣌ʹ͔͠ىಈͤ͞ͳ͍ʂ

    ˠϗεταʔόͷϦιʔεΛඞཁҎ্ʹ࢖Θͳ͍ͷͰɺଟ͘ͷϢʔβ
    ༷ʹఏڙ͢Δ͜ͱ͕Ͱ͖ΔΑ͏ʹʂ
    wίϯςφͷʮੜଘ࣌ؒʯΛ۠੾ͬͯఏڙ͢Δʂ

    ˠίϯςφʹೖΕସ͑Λڧ੍ͤ͞ɺৗʹ৽͘͠อͨͤΔ͜ͱͰɺ

    ΞοϓάϨʔυɺΦʔτεέʔϧΛ༰қʹ࣮ݱͰ͖Δʂ
    ˠ΋ͬͱշదͳ؀ڥʹʂ

    View Slide

  37. ݚڀ։ൃͷͱΓ͘Έ
    ͷ

    View Slide

  38. IUUQTSBOEQFQBCPDPN

    View Slide

  39. ΞʔΩςΫνϟ౳
    ࿦จԽ

    View Slide

  40. αʔϏεͰ࢖ٕͬͨज़Λ࿦จʹ
    wɹɹɹɹɹɹɹɹɹɹɹͰ͸ɺ

    ݚڀ։ൃͱࣄۀߩݙͷؔΘΓΛେࣄʹ͍ͯ͠·͢
    wྫ͑͹'BTU$POUBJOFS

    w044΋࿦จʹ)BDPOJXB

    View Slide

  41. View Slide

  42. ىಈߴ଎Խ
    $3*6

    View Slide

  43. ΑΓշదͳίϯςφΛɻ
    w$3*6 $IFDLQPJOUBOE3FTUPSF*O6TFSTQBDF
    Λ༻͍ͯɺ

    ىಈ్தͷϓϩηεͷνΣοΫϙΠϯτΛ࡞੒ɺىಈΛߴ଎Խ͢Δ

    ݚڀΛਐΊ͍ͯ·͢ɻ
    w$IFDLQPJOU3FTUPSF$3*6͸֤ॴͰݚڀ͕ਐΜͰ͍·͕͢ɺ

    TFDDPNQͱQUSBDFΛ૊Έ߹Θͤɺ೚ҙͷϓϩηεΛىಈߴ଎Խ͢Δ

    ख๏Λ΍͍ͬͯͬͯ·͢ʂ
    IUUQTICNBUTVNPUPSKQFOUSZ

    View Slide

  44. ·ͱΊ

    View Slide

  45. ։ൃऀ༷͕։ൃʹ
    ूத͢ΔͨΊʹ
    શྗΛਚ͍ͯ͘͠·͢ʂ
    ͸

    View Slide

  46. 1MFBTF
    "TLUIF4QFBLFS

    View Slide

  47. ϓϥοτϑΥʔϜΛʮ࡞ͬͯʯΈ·ͤΜ͔
    ࠷৽ͷ࠾༻৘ใΛνΣοΫˠ !QC@SFDSVJU
    IUUQIBUFOBOFXTDPNBSUJDMFT

    View Slide