Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
chroot-network-uts-container
Search
masayoshi
June 17, 2017
Technology
890
6
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
chroot-network-uts-container
chroot ✕ netowork namespace ✕UTS namespace
masayoshi
June 17, 2017
More Decks by masayoshi
See All by masayoshi
Perlアプリケーションで トレースを実装するまでの 工夫と苦労話
masayoshi
1
800
これからSREになる人と、これからもSREをやっていく人へ
masayoshi
6
6.1k
メトリクス、ログ、トレースをうまく使い分けて可観測性を高めよう!
masayoshi
8
12k
Developers Summit 2021 summer
masayoshi
15
32k
2021-06-cloud-native-reg-event
masayoshi
8
2.6k
SRE_Culture_Organization
masayoshi
16
11k
cloudnative-kansai-2019
masayoshi
1
790
ミドルウェア実行環境の多様化を考慮したインフラアーキテクチャの一検討/study on web system architecture #2
masayoshi
0
4k
Webサービスにおけるインフラアーキテクチャの体系化と選択自動化の研究/study on web system architecture #1
masayoshi
0
3.2k
Other Decks in Technology
See All in Technology
プライバシー保護の理論と実践
lycorptech_jp
PRO
1
250
DMM.com 購入改善推進チーム におけるCodeRabbitを用いた レビューフロー改善の一例
ysknsid25
2
570
AIペネトレーションテスト・ セキュリティ検証「AgenticSec」紹介資料
laysakura
2
8.1k
美しいコードを書くためにF#を学んでみた話
yud0uhu
1
390
SRE依存からの脱却 運用を開 発チームへ移す、 フルサイ クル開 発体制の実践
joooee0000
0
2.2k
生成AIの活用/high_school2026
okana2ki
0
110
ZOZOTOWNの進化と信頼性を両立する負荷試験
zozotech
PRO
1
150
ポストモーテム! DDoSからサイトは守れた。 でもビジネスは守れなかった。
bengo4com
0
2.3k
Docker Desktop不要の時代が来る? WSL標準の「wslc」で Linuxコンテナを動かしてみた.
ueponx
0
840
依頼文化をやめる日 EM視点で語るPlatform EngineeringとInclusive SRE / Discussing Platform Engineering and Inclusive SRE from an EM's Perspective
shin1988
4
4.8k
AIで政治は変わるのか? — 中高生と考えたAI時代の民主主義(東海高校サタデープログラム)
eitarosuda
0
410
次世代ランサムウェア対策の考察 / 20260704 Mitsutoshi Matsuo
shift_evolve
PRO
5
1.7k
Featured
See All Featured
The Director’s Chair: Orchestrating AI for Truly Effective Learning
tmiket
1
210
How Software Deployment tools have changed in the past 20 years
geshan
0
34k
Leveraging Curiosity to Care for An Aging Population
cassininazir
1
320
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
35
2.5k
Visualization
eitanlees
152
17k
Exploring the relationship between traditional SERPs and Gen AI search
raygrieselhuber
PRO
2
4.1k
Building Flexible Design Systems
yeseniaperezcruz
330
40k
Joys of Absence: A Defence of Solitary Play
codingconduct
1
410
We Analyzed 250 Million AI Search Results: Here's What I Found
joshbly
1
1.5k
Why Mistakes Are the Best Teachers: Turning Failure into a Pathway for Growth
auna
0
180
<Decoding/> the Language of Devs - We Love SEO 2024
nikkihalliwell
1
270
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
16
2k
Transcript
chrootͱnetwork namespace Ͱͭ͘Δ؆қίϯςφ ୈճίϯςφܕԾԽͷใަձˏେࡕ
ࣗݾհ • id:masayoshi • ͯͳˏژ • WebΦϖϨʔγϣϯΤϯδχΞ • େֶ࣌SDNؔ࿈ͷݚڀ
ࠓ͢͜ͱ • ࣗ࡞ίϯςφͷϞνϕʔγϣϯ • chroot ✕ network namespace ✕ UTS
namespace
ࠓ͢͜ͱ • TenForwardࢯͷৄࡉͳղઆͰجૅٕज़Λཧղ͠ɺ • ࢲͷࡶͳൃදͰίϯςφࣗ࡞ʹڵຯΛ࣋ͬͯΒ͍ɺ • udzuraࢯͷhaconiwaͰͥͻνϟϨϯδͯ͠ཉ͍͠
ίϯςφࣗ࡞ͷϞνϕʔγϣϯ • Linuxίϯςφͷษڧ • جૅ෦ɺ࣮ʹΑΒͳ͍ڞ௨ٕज़ͷษڧ • طଘίϯςφٕज़ͷ࠶֬ೝ • ࡞ͬͯͬͯΈΔͱҧ͍ͳͲ͕Α͔͘Δ •
खݩͰͷωοτϫʔΫςετڥ • ࡉ͔͘มߋ͢ΔͷͰࣗͰ৮Γ͍͢ํ͕ྑ͍
chroot network namespace UTS namespace
ͳΜͰ͜ͷ3ͭ? • ߹Θͤͯ͏ͱγϯϓϧ͕ͩҙ֎ͱ͓͠Ζ͍͕ಈ͔ͤΔ • ֶੜͷͱ͖ݚڀͰnetwork nsΛΑ͍ͬͯͨ͘ • ωοτϫʔΫͰ༡Ϳͱ͖͜ͷߏΛ͍ͬͯΔ • chroot
namespaceͷҰ෦ͷΈͷΈ߹Θͤଟ͘ͳͦ͞͏ • 1ͭ1ͭશͯΛΈ߹Θ࣮ͤͨྫ৭ʑ͋Δ
͜ͷ3ͭͰ໘ന͍͜ͱ͕ग़དྷΔ • chroot • docker exportͳͲͷల։͞ΕͨΠϝʔδͷ࣮ߦ • network namespace •
ಛఆͷIPΞυϨε + ϙʔτͰͷLISTEN • UTS namespace • ཧ্ͷརศੑ
ྫ͑ • apache + mackerel-agent + ssh ͳίϯςφ • Webαʔό
• ࢹ༻ΤʔδΣϯτͱssh͕ಈ࡞ • ΞϓϦέʔγϣϯ + ࢹ + ཧ • ಉҰͷཧαʔόͰ্هͷίϯςφΛෳىಈՄೳ • networkLinux BridgeͰϒϦοδଓ
#SJEHF ϗετ໊UFTU ϗετ໊UFTU FUI IUUQE TTI
IUUQE TTI WBSDPOUBJOFSUFTU WBSDPOUBJOFSUFTU NBDLFSFMBHFOU NBDLFSFMBHFOU
UPVDIWBSSVOVUTOTUFTU VOTIBSFVUTSVOVUTOTUFTUIPTUOBNFUFTU JQOFUOTBEEUFTU JQMJOLBEEOBNFUFTUCSUZQFWFUIQFFSOBNFUFTUDU CSDUMBEEJGCSUFTUCS JQMJOLTFUUFTUDUOFUOTUFTU JQOFUOTFYFDUFTUJQBEESBEEEFWUFTUDU JQOFUOTFYFDUFTUJQMJOLTFUMPVQ JQOFUOTFYFDUFTUJQMJOLTFUUFTUDUVQ JQMJOLTFUUFTUCSVQ
JQOFUOTFYFDUFTUJQSPVUFBEEEFGBVMUWJB NPVOUUQSPDQSPDNOUUFTUQSPD NPVOUSCJOETZTNOUUFTUTZT NPVOUNBLFSTMBWFNOUUFTUTZT NPVOUSCJOEEFWNOUUFTUEFW NPVOUNBLFSTMBWFNOUUFTUEFW
UPVDIWBSSVOVUTOTUFTU VOTIBSFVUTSVOVUTOTUFTUIPTUOBNFUFTU JQOFUOTBEEUFTU JQMJOLBEEOBNFUFTUCSUZQFWFUIQFFSOBNFUFTUDU CSDUMBEEJGCSUFTUCS JQMJOLTFUUFTUDUOFUOTUFTU JQOFUOTFYFDUFTUJQBEESBEEEFWUFTUDU JQOFUOTFYFDUFTUJQMJOLTFUMPVQ JQOFUOTFYFDUFTUJQMJOLTFUUFTUDUVQ JQMJOLTFUUFTUCSVQ
JQOFUOTFYFDUFTUJQSPVUFBEEEFGBVMUWJB NPVOUUQSPDQSPDNOUUFTUQSPD NPVOUSCJOETZTNOUUFTUTZT NPVOUNBLFSTMBWFNOUUFTUTZT NPVOUSCJOEEFWNOUUFTUEFW NPVOUNBLFSTMBWFNOUUFTUEFW 654 OFUXPSL DISPPU
UPVDIWBSSVOVUTOTUFTU VOTIBSFVUTSVOVUTOTUFTUIPTUOBNFUFTU JQOFUOTBEEUFTU JQMJOLBEEOBNFUFTUCSUZQFWFUIQFFSOBNFUFTUDU CSDUMBEEJGCSUFTUCS JQMJOLTFUUFTUDUOFUOTUFTU JQOFUOTFYFDUFTUJQBEESBEEEFWUFTUDU JQOFUOTFYFDUFTUJQMJOLTFUMPVQ JQOFUOTFYFDUFTUJQMJOLTFUUFTUDUVQ JQMJOLTFUUFTUCSVQ
JQOFUOTFYFDUFTUJQSPVUFEEEFGBVMUWJB NPVOUUQSPDQSPDNOUUFTUQSPD NPVOUSCJOETZTNOUUFTUTZT NPVOUNBLFSTMBWFNOUUFTUTZT NPVOUSCJOEEFWNOUUFTUEFW NPVOUNBLFSTMBWFNOUUFTUEFW ίϯςφ࡞ʹίϚϯυ JNBHFͷ࡞আ͘
σϞ͠ͳ͕Βݟ͍ͯ͘
imageͷ࡞ • dockerͳΒdocker export Ͱ • build, shipdockerͰΔͱָͦ͏ • ࠓճrun෦Ͱ༡Ϳ
• dockerͳ͠ͳΒdebootstrapͳͲ • ࠓճdebootstrapͰ࡞ͨͭ͠Λར༻
namespaceͷӬଓԽ MSXYSXYSXYSPPUSPPU݄JQDJQD<> MSXYSXYSXYSPPUSPPU݄NOUNOU<> MSXYSXYSXYSPPUSPPU݄OFUOFU<> MSXYSXYSXYSPPUSPPU݄QJEQJE<> MSXYSXYSXYSPPUSPPU݄VUTVUT<> • /proc/[PID]/ns Լʹ͋ΔಛघϑΝΠϧ QSPD<1*%>ϓϩηε͕ফ͑Δͱͳ͘ͳΔͷͰӬଓԽ͕ඞཁ
namespaceͷӬଓԽ • bindϚϯτΛ͔ͭͬͯӬଓԽ͢Δ NPVOUCJOESVOVUTOTSVOVUTOT NPVOUNBLFTIBSFESVOVUTOT VOTIBSFVNPVOUCJOEQSPDTFMGOTVUTSVOVUTOT UFTU VOTIBSFVUTSVOVUTOTUFTU • ࠷ۙͷunshareίϚϯυӬଓԽָ͕
UTS namespace • ओʹཧͷͨΊ • ίϯςφʹೖͬͨͱ͖ͱ͔ • γϯϓϧʹ͑ΔͷͰ͓ؾܰ UPVDIWBSSVOVUTOTUFTU VOTIBSFVUTSVOVUTOTUFTUIPTUOBNFUFTU
Networkͷ࡞ • veth࡞ͬͯbridgeʹଓ • TenForwardࢯʹΑΔσϞ͕͋Γͦ͏ͳͷͰলུ • (ࢲ)৭ʑมߋ͢Δ͜ͱ͕ଟ͍ • Linux BridgeΛOpen
vSwitchʹͨ͠Γ • ࣗ࡞ͷιϑτΣΞϧʔλʹଓͨ͠Γ • KVMͷVMͱଓͨ͠Γ • ෳNIC + mptcpڥ
Networkͷ࡞ • NetworkϙʔλϏϦςΟʹӨڹ͕ग़͍͢ • Ұ࣌ظdocker͕ؤுͬͯͨ • VXLANʹΑΔoverlay NetworkͳͲ • վળ͖͢Օॴ͕ͨ͘͞Μ͋Δ໘ന͍
• ΦϑϩʔσΟϯά, SR-IOVͳͲߴԽ • VXLANͳͲͷϓϩτίϧٕज़
chrootڥͷ࡞ • proc, sys, devͳͲΛmount͢Δ NPVOUUQSPDQSPDNOUUFTUQSPD NPVOUSCJOETZTNOUUFTUTZT NPVOUNBLFSTMBWFNOUUFTUTZT NPVOUSCJOEEFWNOUUFTUEFW NPVOUNBLFSTMBWFNOUUFTUEFW
TZTUFNEڥͰCJOEϚϯτ͕4)"3&%ʹͳͬͨͷͰ STMBWF͓͔ͯ͠ͳ͍ͱVNPVOU3ͨ࣌͠ʹ͓͔͘͠ͳΔ
ίϯςφͰͷϓϩηεͷ࣮ߦ OTFOUFSOFUSVOOFUOTUFTUa VUTSVOVUTOTUFTUa DISPPUNOUUFTUa FUDJOJUEOHJOYTUBSU • nsenterΛ͔ͭͬͯnamespaceΛattach • ͦͷ্Ͱchroot͢Δ ಉ༷ʹTTIͳͲىಈ͢Δ
ίϯςφͰͷϓϩηεͷ࣮ߦ • chrootԼͰsystemdಈ࡞͠ͳ͍ͷͰҙ͕ඞཁ • chrootͷΘΓʹsystemd-nspawnΛͬͯಈ͔͢ํ ๏͋Δ • ͦͷ߹ޙड़ͷPID namespaceΛ͏͜ͱʹͳΔ
PID namespace • PID͢Δͱੜ͞ΕͨࢠϓϩηεͦͷۭؒͰinit(PID=1) ͱͳΔ • init͕ࢮ͵ͱ൵͍͜͠ͱʹͳΔͷͰҡ࣋͢Δඞཁ͕͋Δ • ΑΓྑ͍initΛٻΊΔཱྀ͕࢝·Δ •
docker 1.13Ͱ runʹ initΦϓγϣϯ͕͍ͯͦ͏ • ·ͨ/sbin/init Λ࣮ߦ͢Δɺ͠ͳ͍ͱ͍ͬͨબࢶ૿͑Δ • ࠓճͷ༻్Ͱ͍Βͳ͍ͷͰল͍ͨ • ࣮ࡍʹඞཁͱͳΔ͜ͱ͕ଟ͍ • ্هཧ༝ͰؾܰʹΔͳΒল͘ͱָ
PID namespaceΛར༻͠ͳ͍ͱ… • ps ݁Ռ͕͞Εͳ͍ • ίϯςφɺίϯςφ֎͔Βݟ์ • initʹͿΒԼ͕Δdaemon •
UST, networkͷnamespace͞Ε͍ͯΔ • ϓϩηεੜ࣌ʹ͠ͳ͚Εܧঝ͞ΕΔ • ϓϩηεͷऴྃΛͲ͏͢Δ͔ • ss -N test01 -tlpͳͲͰLISTENΛ֬ೝ͢Δͱ͞Ε͍ͯ Δ͜ͱ͕Θ͔Δ
ps ݁Ռ SPPUOHJOYNBTUFSQSPDFTTVTSTCJOOHJOY IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT SPPUOHJOYNBTUFSQSPDFTTVTSTCJOOHJOY IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT
IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT
ss݁Ռ TVEPTT/UFTUMUQ 4UBUF3FDW24FOE2ɹ-PDBM"EESFTT1PSUɹ1FFS"EESFTT1PSU -*45&/ɹ IUUQɹ ɹVTFST OHJOY QJE GE
-*45&/ɹIUUQɹ ɹVTFST OHJOY QJE GE TVEPTT/UFTUMUQ 4UBUF3FDW24FOE2ɹ-PDBM"EESFTT1PSUɹ1FFS"EESFTT1PSU -*45&/ɹ IUUQɹ ɹVTFST OHJOY QJE GE -*45&/ɹIUUQɹ ɹVTFST OHJOY QJE GE
curl DVSM UFTUDPOUBJOFSOHJOY DVSM UFTUDPOUBJOFSOHJOY
SSH TTI DBUFUDEFCJBO@WFSTJPO TTI DBUFUDEFCJBO@WFSTJPO TUSFUDITJE
·ͱΊΔͱ… • imageͷϥΠϒϥϦόʔδϣϯͰಈ࡞ • ίϯςφͰෳͷΞϓϦέʔγϣϯΛىಈ • ҟͳΔIPΞυϨεͰ௨৴ • ؆୯ͳΞϓϦέʔγϣϯΛ࣮ߦ͢Δ͙Β͍Ͱ͖ͦ͏ •
ൺֱతރΕ͍ͯΔͷ͔͍ͬͯ͠ͳ͍ + γϯϓϧͳ ͷͰ҆ఆ͍ͯͦ͠͏
͍͚ͯͳ͍Օॴ • ͍͚ͯͳ͍Օॴͷطଘίϯςφٕज़Ͱͷղܾ๏ͱ ࣗͰ࣮͢ΔࡍͷղܾํΛൺֱ͢Δͱָ͍͠ • imageཧ • Netoworkߏ • PIDͷཧ,
ϓϩηεͷॲཧํ๏ • Ϧιʔε੍ݶ • ηΩϡϦςΟ
• imageͷཧػೳ • snapshotɺόʔδϣχϯά? • imageͷҠಈͲ͏͢Δ? • Networkߏ • αϒωοτݻఆͰIPखಈͳͷͰҠಈͲ͏͢Δʁɹ
• ҟͳΔαϒωοτͱͷ௨৴? • PIDɺϓϩηεॲཧ • PID͢Δ or ͠ͳ͍? • ίϯςφͷinitͷॲཧ • γεςϜίϯςφ? ΞϓϦέʔγϣϯίϯςφ?
·ͱΊ • ίϯςφࣗ࡞ؾܰʹͰ͖Δ • Կ͕ίϯςφ͔ͱ͍͏͋Δ͕ namespaceؾܰʹ͑Δ • طଘίϯςφٕज़ͷཧղ͕ਂ·Δ • ͨΓͳ͍ͱ͜Ζݟ͑ͯ͘Δ
• Ұճ৮͓ͬͯ͘ͱྑͦ͞͏