Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
FargateのPID namespace sharing を試してみた
Search
kamadakohei
October 16, 2023
Programming
0
1.3k
FargateのPID namespace sharing を試してみた
JAWS-UG コンテナ支部 × JAWS-UG 千葉支部 #1 今知りたいコンテナセキュリティ
kamadakohei
October 16, 2023
Tweet
Share
More Decks by kamadakohei
See All by kamadakohei
Amazon CloudWatch Syntheticsで始める合成監視
kamadakohei
0
540
Amazon VPC Latticeを触ってみた!
kamadakohei
0
980
ECS Service Connect By Terraform
kamadakohei
0
1.3k
AIアプリ作ってみた
kamadakohei
0
440
LINEBot作ってみた
kamadakohei
0
74
Other Decks in Programming
See All in Programming
Android16 Migration Stories ~Building a Pattern for Android OS upgrades~
reoandroider
0
140
Pythonに漸進的に型をつける
nealle
1
130
スキーマ駆動で、Zod OpenAPI Honoによる、API開発するために、Hono Takibiというライブラリを作っている
nakita628
0
320
AIと人間の共創開発!OSSで試行錯誤した開発スタイル
mae616
2
810
The Past, Present, and Future of Enterprise Java
ivargrimstad
0
640
「ちょっと古いから」って避けてた技術書、今だからこそ読もう
mottyzzz
12
7.2k
CSC509 Lecture 06
javiergs
PRO
0
270
CSC305 Lecture 08
javiergs
PRO
0
280
CSC305 Lecture 11
javiergs
PRO
0
270
NIKKEI Tech Talk#38
cipepser
0
240
TFLintカスタムプラグインで始める Terraformコード品質管理
bells17
2
450
釣り地図SNSにおける有料機能の実装
nokonoko1203
0
200
Featured
See All Featured
Optimising Largest Contentful Paint
csswizardry
37
3.5k
The Cult of Friendly URLs
andyhume
79
6.6k
Become a Pro
speakerdeck
PRO
29
5.6k
Balancing Empowerment & Direction
lara
5
700
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
16
1.7k
VelocityConf: Rendering Performance Case Studies
addyosmani
333
24k
Navigating Team Friction
lara
190
15k
KATA
mclloyd
PRO
32
15k
BBQ
matthewcrist
89
9.9k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
234
17k
YesSQL, Process and Tooling at Scale
rocio
173
15k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
48
9.7k
Transcript
© 2022 SRE Holdings Corporation 1 2980 © 2022 SRE
Holdings Corporation Fargate PID namespace sharing 2023/10/16
© 2022 SRE Holdings Corporation 2 • • SRE Holdings
• ⁃ Web ⁃ Twitter: Lam(@boy_hap)
© 2022 SRE Holdings Corporation 3 • namespace • Fargate
PID namespace sharing • • •
© 2022 SRE Holdings Corporation 4 SRE Holdings 2014 2019
SRE / AI DX DX IT
© 2022 SRE Holdings Corporation 5 namespace • Linux •
PID namespace namespace 名前 機能 network namespace ネットワークの分離 pid namespace プロセスIDの分離 uts namespace ホスト、ドメインの分離 mount namespace マウントポイントの分離
© 2022 SRE Holdings Corporation 6 9.5 namespace • namespace
: 9.5 namespace • namespace • PID namespace
© 2022 SRE Holdings Corporation 7 Fargate PID namespace •
ECS on EC2 ⾒ pid namespace • ECS on Fargate ⾒ namespace • Fargete
© 2022 SRE Holdings Corporation 8 Fargate pid namespace sharing
• pidMode task pid namespace sharing ⾒ pid namespace = • pid namespace sharing ⁃ ⁃
© 2022 SRE Holdings Corporation 9 • Fargate ⾒ ⁃
⁃ 引⽤)https://dev.classmethod.jp/articles/sysdig-secure-ecs-fargate-setting-up-terraform-overview/ 引⽤)https://paper.dropbox.com/doc/ECS-Fargate-CyCA4uBm581OgeBIYq37b
© 2022 SRE Holdings Corporation 10 AWS • nginx sleeper
⁃ nginx nginx main ⁃ sleeper sleep in nity sleeper ecs exec nginx pid Mode
© 2022 SRE Holdings Corporation 11 (pidMode { … "containerDefinitions":
[ { "name": "nginx", "image": "public.ecr.aws/nginx/nginx:1.25-perl", "essential": true }, { "name": "sleeper", "image": "public.ecr.aws/amazonlinux/amazonlinux:2", "essential": true, "command": [ "sleep", "infinity" ], … "cpu": "256", "memory": "512" }
© 2022 SRE Holdings Corporation 12 pidMode ⾒ sleeper •
• ID 1
© 2022 SRE Holdings Corporation 13 pidMode ⾒ nginx •
• ID 1
© 2022 SRE Holdings Corporation 14 (pidMode { … "containerDefinitions":
[ { "name": "nginx", "image": "public.ecr.aws/nginx/nginx:1.25-perl", "essential": true }, { "name": "sleeper", "image": "public.ecr.aws/amazonlinux/amazonlinux:2", "essential": true, "command": [ "sleep", "infinity" ], … "cpu": "256", "memory": "512", "pidMode": "task" }
© 2022 SRE Holdings Corporation 15 pidMode task ⾒ sleeper)
• • pause PID 1 pause https://text.superbrothers.dev/200328-how-to-avoid-pid-1-problem-in-kubernetes/ • ID ID
© 2022 SRE Holdings Corporation 16 • /proc/( PID)/root •
© 2022 SRE Holdings Corporation 17 strace
© 2022 SRE Holdings Corporation 18 kill kill
© 2022 SRE Holdings Corporation 19 • Fargate ⾒ pidMode=task
pid namespace • •
© 2022 SRE Holdings Corporation 20 • "NB[PO&$4PO"84'BSHBUFͰઃఆՄೳͳ-JOVYύϥϝʔλͷՃ https://aws.amazon.com/jp/blogs/news/announcing-additional-linux-controls-for-amazon-ecs-tasks-on-aws-fargate/ •
λεΫఆٛύϥϝʔλ https://docs.aws.amazon.com/ja_jp/AmazonECS/latest/developerguide/task_de nition_parameters.html#other_task_de nition_params • 'BSHBUFͰ1*%OBNFTQBDFڞ༗Λࢼ͢ https://qiita.com/hoogee/items/1555312b385605246253 • &$4PO'BSHBUFͰαΠυΧʔ͔ΒϓϩηεγεςϜίʔϧࢹ͕؆୯ʹͰ͖ΔΑ͏ʹͳΓ·ͨ͠ʂ https://dev.classmethod.jp/articles/ecs-on-fargate-support-shared-pid-namespace/
© 2022 SRE Holdings Corporation 21 • &$4'BSHBUFͰແྉͰূཧ͍ͨ͠ https://paper.dropbox.com/doc/ECS-Fargate-CyCA4uBm581OgeBIYq37b •
4FSWFSMFTT"HFOUTΛར༻ͯ͠&$4'BSHBUFڥͰ4ZTEJH4FDVSFΛར༻ͯ͠Έͨʙ5FSSBGPSNฤʙ https://dev.classmethod.jp/articles/sysdig-secure-ecs-fargate-setting-up-terraform-overview/ • &$4PO'BSHBUFͷηΩϡϦςΟରࡦԿΛΔ͖ʁ։ൃऀઢͰߟ͑Δ https://speakerdeck.com/tomoki10/security-for-ecs-on-fargate-secjawsdays