Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
FargateのPID namespace sharing を試してみた
Search
kamadakohei
October 16, 2023
Programming
0
1.3k
FargateのPID namespace sharing を試してみた
JAWS-UG コンテナ支部 × JAWS-UG 千葉支部 #1 今知りたいコンテナセキュリティ
kamadakohei
October 16, 2023
Tweet
Share
More Decks by kamadakohei
See All by kamadakohei
Amazon CloudWatch Syntheticsで始める合成監視
kamadakohei
0
530
Amazon VPC Latticeを触ってみた!
kamadakohei
0
970
ECS Service Connect By Terraform
kamadakohei
0
1.3k
AIアプリ作ってみた
kamadakohei
0
440
LINEBot作ってみた
kamadakohei
0
73
Other Decks in Programming
See All in Programming
Rancher と Terraform
fufuhu
2
200
兎に角、コードレビュー
mitohato14
0
170
プロポーザル駆動学習 / Proposal-Driven Learning
mackey0225
2
600
Processing Gem ベースの、2D レトロゲームエンジンの開発
tokujiros
2
120
Google I/O recap web編 大分Web祭り2025
kponda
0
2.9k
More Approvers for Greater OSS and Japan Community
tkikuc
1
110
Kiroで始めるAI-DLC
kaonash
2
520
1から理解するWeb Push
dora1998
4
1.3k
レガシープロジェクトで最大限AIの恩恵を受けられるようClaude Codeを利用する
tk1351
4
1.6k
テストカバレッジ100%を10年続けて得られた学びと品質
mottyzzz
2
450
KessokuでDIでもgoroutineを活用する / Go Connect #6
mazrean
0
140
Ruby×iOSアプリ開発 ~共に歩んだエコシステムの物語~
temoki
0
200
Featured
See All Featured
BBQ
matthewcrist
89
9.8k
Large-scale JavaScript Application Architecture
addyosmani
512
110k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
252
21k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
18
1.1k
Being A Developer After 40
akosma
90
590k
YesSQL, Process and Tooling at Scale
rocio
173
14k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
48
9.7k
Fantastic passwords and where to find them - at NoRuKo
philnash
52
3.4k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
GitHub's CSS Performance
jonrohan
1032
460k
How GitHub (no longer) Works
holman
315
140k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
9
800
Transcript
© 2022 SRE Holdings Corporation 1 2980 © 2022 SRE
Holdings Corporation Fargate PID namespace sharing 2023/10/16
© 2022 SRE Holdings Corporation 2 • • SRE Holdings
• ⁃ Web ⁃ Twitter: Lam(@boy_hap)
© 2022 SRE Holdings Corporation 3 • namespace • Fargate
PID namespace sharing • • •
© 2022 SRE Holdings Corporation 4 SRE Holdings 2014 2019
SRE / AI DX DX IT
© 2022 SRE Holdings Corporation 5 namespace • Linux •
PID namespace namespace 名前 機能 network namespace ネットワークの分離 pid namespace プロセスIDの分離 uts namespace ホスト、ドメインの分離 mount namespace マウントポイントの分離
© 2022 SRE Holdings Corporation 6 9.5 namespace • namespace
: 9.5 namespace • namespace • PID namespace
© 2022 SRE Holdings Corporation 7 Fargate PID namespace •
ECS on EC2 ⾒ pid namespace • ECS on Fargate ⾒ namespace • Fargete
© 2022 SRE Holdings Corporation 8 Fargate pid namespace sharing
• pidMode task pid namespace sharing ⾒ pid namespace = • pid namespace sharing ⁃ ⁃
© 2022 SRE Holdings Corporation 9 • Fargate ⾒ ⁃
⁃ 引⽤)https://dev.classmethod.jp/articles/sysdig-secure-ecs-fargate-setting-up-terraform-overview/ 引⽤)https://paper.dropbox.com/doc/ECS-Fargate-CyCA4uBm581OgeBIYq37b
© 2022 SRE Holdings Corporation 10 AWS • nginx sleeper
⁃ nginx nginx main ⁃ sleeper sleep in nity sleeper ecs exec nginx pid Mode
© 2022 SRE Holdings Corporation 11 (pidMode { … "containerDefinitions":
[ { "name": "nginx", "image": "public.ecr.aws/nginx/nginx:1.25-perl", "essential": true }, { "name": "sleeper", "image": "public.ecr.aws/amazonlinux/amazonlinux:2", "essential": true, "command": [ "sleep", "infinity" ], … "cpu": "256", "memory": "512" }
© 2022 SRE Holdings Corporation 12 pidMode ⾒ sleeper •
• ID 1
© 2022 SRE Holdings Corporation 13 pidMode ⾒ nginx •
• ID 1
© 2022 SRE Holdings Corporation 14 (pidMode { … "containerDefinitions":
[ { "name": "nginx", "image": "public.ecr.aws/nginx/nginx:1.25-perl", "essential": true }, { "name": "sleeper", "image": "public.ecr.aws/amazonlinux/amazonlinux:2", "essential": true, "command": [ "sleep", "infinity" ], … "cpu": "256", "memory": "512", "pidMode": "task" }
© 2022 SRE Holdings Corporation 15 pidMode task ⾒ sleeper)
• • pause PID 1 pause https://text.superbrothers.dev/200328-how-to-avoid-pid-1-problem-in-kubernetes/ • ID ID
© 2022 SRE Holdings Corporation 16 • /proc/( PID)/root •
© 2022 SRE Holdings Corporation 17 strace
© 2022 SRE Holdings Corporation 18 kill kill
© 2022 SRE Holdings Corporation 19 • Fargate ⾒ pidMode=task
pid namespace • •
© 2022 SRE Holdings Corporation 20 • "NB[PO&$4PO"84'BSHBUFͰઃఆՄೳͳ-JOVYύϥϝʔλͷՃ https://aws.amazon.com/jp/blogs/news/announcing-additional-linux-controls-for-amazon-ecs-tasks-on-aws-fargate/ •
λεΫఆٛύϥϝʔλ https://docs.aws.amazon.com/ja_jp/AmazonECS/latest/developerguide/task_de nition_parameters.html#other_task_de nition_params • 'BSHBUFͰ1*%OBNFTQBDFڞ༗Λࢼ͢ https://qiita.com/hoogee/items/1555312b385605246253 • &$4PO'BSHBUFͰαΠυΧʔ͔ΒϓϩηεγεςϜίʔϧࢹ͕؆୯ʹͰ͖ΔΑ͏ʹͳΓ·ͨ͠ʂ https://dev.classmethod.jp/articles/ecs-on-fargate-support-shared-pid-namespace/
© 2022 SRE Holdings Corporation 21 • &$4'BSHBUFͰແྉͰূཧ͍ͨ͠ https://paper.dropbox.com/doc/ECS-Fargate-CyCA4uBm581OgeBIYq37b •
4FSWFSMFTT"HFOUTΛར༻ͯ͠&$4'BSHBUFڥͰ4ZTEJH4FDVSFΛར༻ͯ͠Έͨʙ5FSSBGPSNฤʙ https://dev.classmethod.jp/articles/sysdig-secure-ecs-fargate-setting-up-terraform-overview/ • &$4PO'BSHBUFͷηΩϡϦςΟରࡦԿΛΔ͖ʁ։ൃऀઢͰߟ͑Δ https://speakerdeck.com/tomoki10/security-for-ecs-on-fargate-secjawsdays