Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
chroot-network-uts-container
Search
masayoshi
June 17, 2017
Technology
6
820
chroot-network-uts-container
chroot ✕ netowork namespace ✕UTS namespace
masayoshi
June 17, 2017
Tweet
Share
More Decks by masayoshi
See All by masayoshi
Perlアプリケーションで トレースを実装するまでの 工夫と苦労話
masayoshi
1
410
これからSREになる人と、これからもSREをやっていく人へ
masayoshi
6
5.3k
メトリクス、ログ、トレースをうまく使い分けて可観測性を高めよう!
masayoshi
8
11k
Developers Summit 2021 summer
masayoshi
15
30k
2021-06-cloud-native-reg-event
masayoshi
8
2.5k
SRE_Culture_Organization
masayoshi
17
10k
cloudnative-kansai-2019
masayoshi
1
720
ミドルウェア実行環境の多様化を考慮したインフラアーキテクチャの一検討/study on web system architecture #2
masayoshi
0
3.7k
Webサービスにおけるインフラアーキテクチャの体系化と選択自動化の研究/study on web system architecture #1
masayoshi
0
2.9k
Other Decks in Technology
See All in Technology
20250807_Kiroと私の反省会
riz3f7
0
140
【CEDEC2025】現場を理解して実現!ゲーム開発を効率化するWebサービスの開発と、利用促進のための継続的な改善
cygames
PRO
0
720
Mambaで物体検出 完全に理解した
shirarei24
2
210
Segment Anything Modelの最新動向:SAM2とその発展系
tenten0727
0
400
専門分化が進む分業下でもユーザーが本当に欲しかったものを追求するプロダクトマネジメント/Focus on real user needs despite deep specialization and division of labor
moriyuya
0
1k
MCP認可の現在地と自律型エージェント対応に向けた課題 / MCP Authorization Today and Challenges to Support Autonomous Agents
yokawasa
5
1.8k
LLMでAI-OCR、実際どうなの? / llm_ai_ocr_layerx_bet_ai_day_lt
sbrf248
0
430
製造業の課題解決に向けた機械学習の活用と、製造業特化LLM開発への挑戦
knt44kw
0
160
大規模イベントに向けた ABEMA アーキテクチャの遍歴 ~ Platform Strategy 詳細解説 ~
nagapad
0
190
2時間で300+テーブルをデータ基盤に連携するためのAI活用 / FukuokaDataEngineer
sansan_randd
0
130
リリース2ヶ月で収益化した話
kent_code3
1
190
Kiroでインフラ要件定義~テスト を実施してみた
nagisa53
3
300
Featured
See All Featured
The Art of Programming - Codeland 2020
erikaheidi
54
13k
Building a Scalable Design System with Sketch
lauravandoore
462
33k
Side Projects
sachag
455
43k
Stop Working from a Prison Cell
hatefulcrawdad
271
21k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
8
750
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
10
1k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
Designing for humans not robots
tammielis
253
25k
Building Applications with DynamoDB
mza
95
6.5k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
50k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
130
19k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
194
16k
Transcript
chrootͱnetwork namespace Ͱͭ͘Δ؆қίϯςφ ୈճίϯςφܕԾԽͷใަձˏେࡕ
ࣗݾհ • id:masayoshi • ͯͳˏژ • WebΦϖϨʔγϣϯΤϯδχΞ • େֶ࣌SDNؔ࿈ͷݚڀ
ࠓ͢͜ͱ • ࣗ࡞ίϯςφͷϞνϕʔγϣϯ • chroot ✕ network namespace ✕ UTS
namespace
ࠓ͢͜ͱ • TenForwardࢯͷৄࡉͳղઆͰجૅٕज़Λཧղ͠ɺ • ࢲͷࡶͳൃදͰίϯςφࣗ࡞ʹڵຯΛ࣋ͬͯΒ͍ɺ • udzuraࢯͷhaconiwaͰͥͻνϟϨϯδͯ͠ཉ͍͠
ίϯςφࣗ࡞ͷϞνϕʔγϣϯ • Linuxίϯςφͷษڧ • جૅ෦ɺ࣮ʹΑΒͳ͍ڞ௨ٕज़ͷษڧ • طଘίϯςφٕज़ͷ࠶֬ೝ • ࡞ͬͯͬͯΈΔͱҧ͍ͳͲ͕Α͔͘Δ •
खݩͰͷωοτϫʔΫςετڥ • ࡉ͔͘มߋ͢ΔͷͰࣗͰ৮Γ͍͢ํ͕ྑ͍
chroot network namespace UTS namespace
ͳΜͰ͜ͷ3ͭ? • ߹Θͤͯ͏ͱγϯϓϧ͕ͩҙ֎ͱ͓͠Ζ͍͕ಈ͔ͤΔ • ֶੜͷͱ͖ݚڀͰnetwork nsΛΑ͍ͬͯͨ͘ • ωοτϫʔΫͰ༡Ϳͱ͖͜ͷߏΛ͍ͬͯΔ • chroot
namespaceͷҰ෦ͷΈͷΈ߹Θͤଟ͘ͳͦ͞͏ • 1ͭ1ͭશͯΛΈ߹Θ࣮ͤͨྫ৭ʑ͋Δ
͜ͷ3ͭͰ໘ന͍͜ͱ͕ग़དྷΔ • chroot • docker exportͳͲͷల։͞ΕͨΠϝʔδͷ࣮ߦ • network namespace •
ಛఆͷIPΞυϨε + ϙʔτͰͷLISTEN • UTS namespace • ཧ্ͷརศੑ
ྫ͑ • apache + mackerel-agent + ssh ͳίϯςφ • Webαʔό
• ࢹ༻ΤʔδΣϯτͱssh͕ಈ࡞ • ΞϓϦέʔγϣϯ + ࢹ + ཧ • ಉҰͷཧαʔόͰ্هͷίϯςφΛෳىಈՄೳ • networkLinux BridgeͰϒϦοδଓ
#SJEHF ϗετ໊UFTU ϗετ໊UFTU FUI IUUQE TTI
IUUQE TTI WBSDPOUBJOFSUFTU WBSDPOUBJOFSUFTU NBDLFSFMBHFOU NBDLFSFMBHFOU
UPVDIWBSSVOVUTOTUFTU VOTIBSFVUTSVOVUTOTUFTUIPTUOBNFUFTU JQOFUOTBEEUFTU JQMJOLBEEOBNFUFTUCSUZQFWFUIQFFSOBNFUFTUDU CSDUMBEEJGCSUFTUCS JQMJOLTFUUFTUDUOFUOTUFTU JQOFUOTFYFDUFTUJQBEESBEEEFWUFTUDU JQOFUOTFYFDUFTUJQMJOLTFUMPVQ JQOFUOTFYFDUFTUJQMJOLTFUUFTUDUVQ JQMJOLTFUUFTUCSVQ
JQOFUOTFYFDUFTUJQSPVUFBEEEFGBVMUWJB NPVOUUQSPDQSPDNOUUFTUQSPD NPVOUSCJOETZTNOUUFTUTZT NPVOUNBLFSTMBWFNOUUFTUTZT NPVOUSCJOEEFWNOUUFTUEFW NPVOUNBLFSTMBWFNOUUFTUEFW
UPVDIWBSSVOVUTOTUFTU VOTIBSFVUTSVOVUTOTUFTUIPTUOBNFUFTU JQOFUOTBEEUFTU JQMJOLBEEOBNFUFTUCSUZQFWFUIQFFSOBNFUFTUDU CSDUMBEEJGCSUFTUCS JQMJOLTFUUFTUDUOFUOTUFTU JQOFUOTFYFDUFTUJQBEESBEEEFWUFTUDU JQOFUOTFYFDUFTUJQMJOLTFUMPVQ JQOFUOTFYFDUFTUJQMJOLTFUUFTUDUVQ JQMJOLTFUUFTUCSVQ
JQOFUOTFYFDUFTUJQSPVUFBEEEFGBVMUWJB NPVOUUQSPDQSPDNOUUFTUQSPD NPVOUSCJOETZTNOUUFTUTZT NPVOUNBLFSTMBWFNOUUFTUTZT NPVOUSCJOEEFWNOUUFTUEFW NPVOUNBLFSTMBWFNOUUFTUEFW 654 OFUXPSL DISPPU
UPVDIWBSSVOVUTOTUFTU VOTIBSFVUTSVOVUTOTUFTUIPTUOBNFUFTU JQOFUOTBEEUFTU JQMJOLBEEOBNFUFTUCSUZQFWFUIQFFSOBNFUFTUDU CSDUMBEEJGCSUFTUCS JQMJOLTFUUFTUDUOFUOTUFTU JQOFUOTFYFDUFTUJQBEESBEEEFWUFTUDU JQOFUOTFYFDUFTUJQMJOLTFUMPVQ JQOFUOTFYFDUFTUJQMJOLTFUUFTUDUVQ JQMJOLTFUUFTUCSVQ
JQOFUOTFYFDUFTUJQSPVUFEEEFGBVMUWJB NPVOUUQSPDQSPDNOUUFTUQSPD NPVOUSCJOETZTNOUUFTUTZT NPVOUNBLFSTMBWFNOUUFTUTZT NPVOUSCJOEEFWNOUUFTUEFW NPVOUNBLFSTMBWFNOUUFTUEFW ίϯςφ࡞ʹίϚϯυ JNBHFͷ࡞আ͘
σϞ͠ͳ͕Βݟ͍ͯ͘
imageͷ࡞ • dockerͳΒdocker export Ͱ • build, shipdockerͰΔͱָͦ͏ • ࠓճrun෦Ͱ༡Ϳ
• dockerͳ͠ͳΒdebootstrapͳͲ • ࠓճdebootstrapͰ࡞ͨͭ͠Λར༻
namespaceͷӬଓԽ MSXYSXYSXYSPPUSPPU݄JQDJQD<> MSXYSXYSXYSPPUSPPU݄NOUNOU<> MSXYSXYSXYSPPUSPPU݄OFUOFU<> MSXYSXYSXYSPPUSPPU݄QJEQJE<> MSXYSXYSXYSPPUSPPU݄VUTVUT<> • /proc/[PID]/ns Լʹ͋ΔಛघϑΝΠϧ QSPD<1*%>ϓϩηε͕ফ͑Δͱͳ͘ͳΔͷͰӬଓԽ͕ඞཁ
namespaceͷӬଓԽ • bindϚϯτΛ͔ͭͬͯӬଓԽ͢Δ NPVOUCJOESVOVUTOTSVOVUTOT NPVOUNBLFTIBSFESVOVUTOT VOTIBSFVNPVOUCJOEQSPDTFMGOTVUTSVOVUTOT UFTU VOTIBSFVUTSVOVUTOTUFTU • ࠷ۙͷunshareίϚϯυӬଓԽָ͕
UTS namespace • ओʹཧͷͨΊ • ίϯςφʹೖͬͨͱ͖ͱ͔ • γϯϓϧʹ͑ΔͷͰ͓ؾܰ UPVDIWBSSVOVUTOTUFTU VOTIBSFVUTSVOVUTOTUFTUIPTUOBNFUFTU
Networkͷ࡞ • veth࡞ͬͯbridgeʹଓ • TenForwardࢯʹΑΔσϞ͕͋Γͦ͏ͳͷͰলུ • (ࢲ)৭ʑมߋ͢Δ͜ͱ͕ଟ͍ • Linux BridgeΛOpen
vSwitchʹͨ͠Γ • ࣗ࡞ͷιϑτΣΞϧʔλʹଓͨ͠Γ • KVMͷVMͱଓͨ͠Γ • ෳNIC + mptcpڥ
Networkͷ࡞ • NetworkϙʔλϏϦςΟʹӨڹ͕ग़͍͢ • Ұ࣌ظdocker͕ؤுͬͯͨ • VXLANʹΑΔoverlay NetworkͳͲ • վળ͖͢Օॴ͕ͨ͘͞Μ͋Δ໘ന͍
• ΦϑϩʔσΟϯά, SR-IOVͳͲߴԽ • VXLANͳͲͷϓϩτίϧٕज़
chrootڥͷ࡞ • proc, sys, devͳͲΛmount͢Δ NPVOUUQSPDQSPDNOUUFTUQSPD NPVOUSCJOETZTNOUUFTUTZT NPVOUNBLFSTMBWFNOUUFTUTZT NPVOUSCJOEEFWNOUUFTUEFW NPVOUNBLFSTMBWFNOUUFTUEFW
TZTUFNEڥͰCJOEϚϯτ͕4)"3&%ʹͳͬͨͷͰ STMBWF͓͔ͯ͠ͳ͍ͱVNPVOU3ͨ࣌͠ʹ͓͔͘͠ͳΔ
ίϯςφͰͷϓϩηεͷ࣮ߦ OTFOUFSOFUSVOOFUOTUFTUa VUTSVOVUTOTUFTUa DISPPUNOUUFTUa FUDJOJUEOHJOYTUBSU • nsenterΛ͔ͭͬͯnamespaceΛattach • ͦͷ্Ͱchroot͢Δ ಉ༷ʹTTIͳͲىಈ͢Δ
ίϯςφͰͷϓϩηεͷ࣮ߦ • chrootԼͰsystemdಈ࡞͠ͳ͍ͷͰҙ͕ඞཁ • chrootͷΘΓʹsystemd-nspawnΛͬͯಈ͔͢ํ ๏͋Δ • ͦͷ߹ޙड़ͷPID namespaceΛ͏͜ͱʹͳΔ
PID namespace • PID͢Δͱੜ͞ΕͨࢠϓϩηεͦͷۭؒͰinit(PID=1) ͱͳΔ • init͕ࢮ͵ͱ൵͍͜͠ͱʹͳΔͷͰҡ࣋͢Δඞཁ͕͋Δ • ΑΓྑ͍initΛٻΊΔཱྀ͕࢝·Δ •
docker 1.13Ͱ runʹ initΦϓγϣϯ͕͍ͯͦ͏ • ·ͨ/sbin/init Λ࣮ߦ͢Δɺ͠ͳ͍ͱ͍ͬͨબࢶ૿͑Δ • ࠓճͷ༻్Ͱ͍Βͳ͍ͷͰল͍ͨ • ࣮ࡍʹඞཁͱͳΔ͜ͱ͕ଟ͍ • ্هཧ༝ͰؾܰʹΔͳΒল͘ͱָ
PID namespaceΛར༻͠ͳ͍ͱ… • ps ݁Ռ͕͞Εͳ͍ • ίϯςφɺίϯςφ֎͔Βݟ์ • initʹͿΒԼ͕Δdaemon •
UST, networkͷnamespace͞Ε͍ͯΔ • ϓϩηεੜ࣌ʹ͠ͳ͚Εܧঝ͞ΕΔ • ϓϩηεͷऴྃΛͲ͏͢Δ͔ • ss -N test01 -tlpͳͲͰLISTENΛ֬ೝ͢Δͱ͞Ε͍ͯ Δ͜ͱ͕Θ͔Δ
ps ݁Ռ SPPUOHJOYNBTUFSQSPDFTTVTSTCJOOHJOY IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT SPPUOHJOYNBTUFSQSPDFTTVTSTCJOOHJOY IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT
IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT
ss݁Ռ TVEPTT/UFTUMUQ 4UBUF3FDW24FOE2ɹ-PDBM"EESFTT1PSUɹ1FFS"EESFTT1PSU -*45&/ɹ IUUQɹ ɹVTFST OHJOY QJE GE
-*45&/ɹIUUQɹ ɹVTFST OHJOY QJE GE TVEPTT/UFTUMUQ 4UBUF3FDW24FOE2ɹ-PDBM"EESFTT1PSUɹ1FFS"EESFTT1PSU -*45&/ɹ IUUQɹ ɹVTFST OHJOY QJE GE -*45&/ɹIUUQɹ ɹVTFST OHJOY QJE GE
curl DVSM UFTUDPOUBJOFSOHJOY DVSM UFTUDPOUBJOFSOHJOY
SSH TTI DBUFUDEFCJBO@WFSTJPO TTI DBUFUDEFCJBO@WFSTJPO TUSFUDITJE
·ͱΊΔͱ… • imageͷϥΠϒϥϦόʔδϣϯͰಈ࡞ • ίϯςφͰෳͷΞϓϦέʔγϣϯΛىಈ • ҟͳΔIPΞυϨεͰ௨৴ • ؆୯ͳΞϓϦέʔγϣϯΛ࣮ߦ͢Δ͙Β͍Ͱ͖ͦ͏ •
ൺֱతރΕ͍ͯΔͷ͔͍ͬͯ͠ͳ͍ + γϯϓϧͳ ͷͰ҆ఆ͍ͯͦ͠͏
͍͚ͯͳ͍Օॴ • ͍͚ͯͳ͍Օॴͷطଘίϯςφٕज़Ͱͷղܾ๏ͱ ࣗͰ࣮͢ΔࡍͷղܾํΛൺֱ͢Δͱָ͍͠ • imageཧ • Netoworkߏ • PIDͷཧ,
ϓϩηεͷॲཧํ๏ • Ϧιʔε੍ݶ • ηΩϡϦςΟ
• imageͷཧػೳ • snapshotɺόʔδϣχϯά? • imageͷҠಈͲ͏͢Δ? • Networkߏ • αϒωοτݻఆͰIPखಈͳͷͰҠಈͲ͏͢Δʁɹ
• ҟͳΔαϒωοτͱͷ௨৴? • PIDɺϓϩηεॲཧ • PID͢Δ or ͠ͳ͍? • ίϯςφͷinitͷॲཧ • γεςϜίϯςφ? ΞϓϦέʔγϣϯίϯςφ?
·ͱΊ • ίϯςφࣗ࡞ؾܰʹͰ͖Δ • Կ͕ίϯςφ͔ͱ͍͏͋Δ͕ namespaceؾܰʹ͑Δ • طଘίϯςφٕज़ͷཧղ͕ਂ·Δ • ͨΓͳ͍ͱ͜Ζݟ͑ͯ͘Δ
• Ұճ৮͓ͬͯ͘ͱྑͦ͞͏