FargateのPID namespace sharing を試してみた

Transcript

1. © 2022 SRE Holdings Corporation 1 2980 © 2022 SRE

   Holdings Corporation Fargate PID namespace sharing 2023/10/16

2. © 2022 SRE Holdings Corporation 2 • • SRE Holdings

   • ⁃ Web ⁃ Twitter: Lam（@boy_hap）

3. © 2022 SRE Holdings Corporation 3 • namespace • Fargate

   PID namespace sharing • • •

4. © 2022 SRE Holdings Corporation 4 SRE Holdings 2014 2019

   SRE / AI DX DX IT

5. © 2022 SRE Holdings Corporation 5 namespace • Linux •

   PID namespace namespace 名前 機能 network namespace ネットワークの分離 pid namespace プロセスIDの分離 uts namespace ホスト、ドメインの分離 mount namespace マウントポイントの分離

6. © 2022 SRE Holdings Corporation 6 9.5 namespace • namespace

   : 9.5 namespace • namespace • PID namespace

7. © 2022 SRE Holdings Corporation 7 Fargate PID namespace •

   ECS on EC2 ⾒ pid namespace • ECS on Fargate ⾒ namespace • Fargete

8. © 2022 SRE Holdings Corporation 8 Fargate pid namespace sharing

   • pidMode task pid namespace sharing ⾒ pid namespace = • pid namespace sharing ⁃ ⁃

9. © 2022 SRE Holdings Corporation 9 • Fargate ⾒ ⁃

   ⁃ 引⽤）https://dev.classmethod.jp/articles/sysdig-secure-ecs-fargate-setting-up-terraform-overview/ 引⽤）https://paper.dropbox.com/doc/ECS-Fargate-CyCA4uBm581OgeBIYq37b

10. © 2022 SRE Holdings Corporation 10 AWS • nginx sleeper

    ⁃ nginx nginx main ⁃ sleeper sleep in nity sleeper ecs exec nginx pid Mode

11. © 2022 SRE Holdings Corporation 11 (pidMode { … "containerDefinitions":

    [ { "name": "nginx", "image": "public.ecr.aws/nginx/nginx:1.25-perl", "essential": true }, { "name": "sleeper", "image": "public.ecr.aws/amazonlinux/amazonlinux:2", "essential": true, "command": [ "sleep", "infinity" ], … "cpu": "256", "memory": "512" }

12. © 2022 SRE Holdings Corporation 12 pidMode ⾒ sleeper •

    • ID 1

13. © 2022 SRE Holdings Corporation 13 pidMode ⾒ nginx •

    • ID 1

14. © 2022 SRE Holdings Corporation 14 (pidMode { … "containerDefinitions":

    [ { "name": "nginx", "image": "public.ecr.aws/nginx/nginx:1.25-perl", "essential": true }, { "name": "sleeper", "image": "public.ecr.aws/amazonlinux/amazonlinux:2", "essential": true, "command": [ "sleep", "infinity" ], … "cpu": "256", "memory": "512", "pidMode": "task" }

15. © 2022 SRE Holdings Corporation 15 pidMode task ⾒ sleeper)

    • • pause PID 1 pause https://text.superbrothers.dev/200328-how-to-avoid-pid-1-problem-in-kubernetes/ • ID ID

16. © 2022 SRE Holdings Corporation 16 • /proc/( PID)/root •

17. © 2022 SRE Holdings Corporation 17 strace

18. © 2022 SRE Holdings Corporation 18 kill kill

19. © 2022 SRE Holdings Corporation 19 • Fargate ⾒ pidMode=task

    pid namespace • •

20. © 2022 SRE Holdings Corporation 20 • "NB[PO
    &$4
    PO
    "84
    'BSHBUF
    ͰઃఆՄೳͳ
    -JOVY
    ύϥϝʔλͷ௥Ճ https://aws.amazon.com/jp/blogs/news/announcing-additional-linux-controls-for-amazon-ecs-tasks-on-aws-fargate/ •

    λεΫఆٛύϥϝʔλ https://docs.aws.amazon.com/ja_jp/AmazonECS/latest/developerguide/task_de nition_parameters.html#other_task_de nition_params • 'BSHBUFͰ1*%
    OBNFTQBDFڞ༗Λࢼ͢ https://qiita.com/hoogee/items/1555312b385605246253 • &$4
    PO
    'BSHBUFͰαΠυΧʔ͔ΒϓϩηεγεςϜίʔϧ؂ࢹ͕؆୯ʹͰ͖ΔΑ͏ʹͳΓ·ͨ͠ʂ https://dev.classmethod.jp/articles/ecs-on-fargate-support-shared-pid-namespace/

21. © 2022 SRE Holdings Corporation 21 • &$4
    'BSHBUFͰ΋ແྉͰূ੻؅ཧ͍ͨ͠ https://paper.dropbox.com/doc/ECS-Fargate-CyCA4uBm581OgeBIYq37b •

    4FSWFSMFTT
    "HFOUTΛར༻ͯ͠&$4
    'BSHBUF؀ڥͰ4ZTEJH
    4FDVSFΛར༻ͯ͠Έͨʙ5FSSBGPSNฤʙ https://dev.classmethod.jp/articles/sysdig-secure-ecs-fargate-setting-up-terraform-overview/ • &$4
    PO
    'BSHBUF
    ͷηΩϡϦςΟରࡦ͸ԿΛ΍Δ΂͖ʁ։ൃऀ໨ઢͰߟ͑Δ https://speakerdeck.com/tomoki10/security-for-ecs-on-fargate-secjawsdays