Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
chroot-network-uts-container
Search
masayoshi
June 17, 2017
Technology
6
830
chroot-network-uts-container
chroot ✕ netowork namespace ✕UTS namespace
masayoshi
June 17, 2017
Tweet
Share
More Decks by masayoshi
See All by masayoshi
Perlアプリケーションで トレースを実装するまでの 工夫と苦労話
masayoshi
1
520
これからSREになる人と、これからもSREをやっていく人へ
masayoshi
6
5.4k
メトリクス、ログ、トレースをうまく使い分けて可観測性を高めよう!
masayoshi
8
11k
Developers Summit 2021 summer
masayoshi
15
30k
2021-06-cloud-native-reg-event
masayoshi
8
2.5k
SRE_Culture_Organization
masayoshi
17
10k
cloudnative-kansai-2019
masayoshi
1
720
ミドルウェア実行環境の多様化を考慮したインフラアーキテクチャの一検討/study on web system architecture #2
masayoshi
0
3.7k
Webサービスにおけるインフラアーキテクチャの体系化と選択自動化の研究/study on web system architecture #1
masayoshi
0
2.9k
Other Decks in Technology
See All in Technology
なぜスクラムはこうなったのか?歴史が教えてくれたこと/Shall we explore the roots of Scrum
sanogemaru
5
1.6k
開発者を支える Internal Developer Portal のイマとコレカラ / To-day and To-morrow of Internal Developer Portals: Supporting Developers
aoto
PRO
1
450
RSCの時代にReactとフレームワークの境界を探る
uhyo
10
3.4k
複数サービスを支えるマルチテナント型Batch MLプラットフォーム
lycorptech_jp
PRO
0
320
「何となくテストする」を卒業するためにプロダクトが動く仕組みを理解しよう
kawabeaver
0
390
なぜSaaSがMCPサーバーをサービス提供するのか?
sansantech
PRO
8
2.8k
DDD集約とサービスコンテキスト境界との関係性
pandayumi
3
280
5分でカオスエンジニアリングを分かった気になろう
pandayumi
0
230
実践!カスタムインストラクション&スラッシュコマンド
puku0x
0
370
Rustから学ぶ 非同期処理の仕組み
skanehira
1
130
なぜテストマネージャの視点が 必要なのか? 〜 一歩先へ進むために 〜
moritamasami
0
220
DevIO2025_継続的なサービス開発のための技術的意思決定のポイント / how-to-tech-decision-makaing-devio2025
nologyance
1
380
Featured
See All Featured
Typedesign – Prime Four
hannesfritz
42
2.8k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
234
17k
Become a Pro
speakerdeck
PRO
29
5.5k
Six Lessons from altMBA
skipperchong
28
4k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
34
3.1k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
285
13k
Measuring & Analyzing Core Web Vitals
bluesmoon
9
580
Context Engineering - Making Every Token Count
addyosmani
1
37
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
53
2.9k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
PRO
188
55k
Product Roadmaps are Hard
iamctodd
PRO
54
11k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
61k
Transcript
chrootͱnetwork namespace Ͱͭ͘Δ؆қίϯςφ ୈճίϯςφܕԾԽͷใަձˏେࡕ
ࣗݾհ • id:masayoshi • ͯͳˏژ • WebΦϖϨʔγϣϯΤϯδχΞ • େֶ࣌SDNؔ࿈ͷݚڀ
ࠓ͢͜ͱ • ࣗ࡞ίϯςφͷϞνϕʔγϣϯ • chroot ✕ network namespace ✕ UTS
namespace
ࠓ͢͜ͱ • TenForwardࢯͷৄࡉͳղઆͰجૅٕज़Λཧղ͠ɺ • ࢲͷࡶͳൃදͰίϯςφࣗ࡞ʹڵຯΛ࣋ͬͯΒ͍ɺ • udzuraࢯͷhaconiwaͰͥͻνϟϨϯδͯ͠ཉ͍͠
ίϯςφࣗ࡞ͷϞνϕʔγϣϯ • Linuxίϯςφͷษڧ • جૅ෦ɺ࣮ʹΑΒͳ͍ڞ௨ٕज़ͷษڧ • طଘίϯςφٕज़ͷ࠶֬ೝ • ࡞ͬͯͬͯΈΔͱҧ͍ͳͲ͕Α͔͘Δ •
खݩͰͷωοτϫʔΫςετڥ • ࡉ͔͘มߋ͢ΔͷͰࣗͰ৮Γ͍͢ํ͕ྑ͍
chroot network namespace UTS namespace
ͳΜͰ͜ͷ3ͭ? • ߹Θͤͯ͏ͱγϯϓϧ͕ͩҙ֎ͱ͓͠Ζ͍͕ಈ͔ͤΔ • ֶੜͷͱ͖ݚڀͰnetwork nsΛΑ͍ͬͯͨ͘ • ωοτϫʔΫͰ༡Ϳͱ͖͜ͷߏΛ͍ͬͯΔ • chroot
namespaceͷҰ෦ͷΈͷΈ߹Θͤଟ͘ͳͦ͞͏ • 1ͭ1ͭશͯΛΈ߹Θ࣮ͤͨྫ৭ʑ͋Δ
͜ͷ3ͭͰ໘ന͍͜ͱ͕ग़དྷΔ • chroot • docker exportͳͲͷల։͞ΕͨΠϝʔδͷ࣮ߦ • network namespace •
ಛఆͷIPΞυϨε + ϙʔτͰͷLISTEN • UTS namespace • ཧ্ͷརศੑ
ྫ͑ • apache + mackerel-agent + ssh ͳίϯςφ • Webαʔό
• ࢹ༻ΤʔδΣϯτͱssh͕ಈ࡞ • ΞϓϦέʔγϣϯ + ࢹ + ཧ • ಉҰͷཧαʔόͰ্هͷίϯςφΛෳىಈՄೳ • networkLinux BridgeͰϒϦοδଓ
#SJEHF ϗετ໊UFTU ϗετ໊UFTU FUI IUUQE TTI
IUUQE TTI WBSDPOUBJOFSUFTU WBSDPOUBJOFSUFTU NBDLFSFMBHFOU NBDLFSFMBHFOU
UPVDIWBSSVOVUTOTUFTU VOTIBSFVUTSVOVUTOTUFTUIPTUOBNFUFTU JQOFUOTBEEUFTU JQMJOLBEEOBNFUFTUCSUZQFWFUIQFFSOBNFUFTUDU CSDUMBEEJGCSUFTUCS JQMJOLTFUUFTUDUOFUOTUFTU JQOFUOTFYFDUFTUJQBEESBEEEFWUFTUDU JQOFUOTFYFDUFTUJQMJOLTFUMPVQ JQOFUOTFYFDUFTUJQMJOLTFUUFTUDUVQ JQMJOLTFUUFTUCSVQ
JQOFUOTFYFDUFTUJQSPVUFBEEEFGBVMUWJB NPVOUUQSPDQSPDNOUUFTUQSPD NPVOUSCJOETZTNOUUFTUTZT NPVOUNBLFSTMBWFNOUUFTUTZT NPVOUSCJOEEFWNOUUFTUEFW NPVOUNBLFSTMBWFNOUUFTUEFW
UPVDIWBSSVOVUTOTUFTU VOTIBSFVUTSVOVUTOTUFTUIPTUOBNFUFTU JQOFUOTBEEUFTU JQMJOLBEEOBNFUFTUCSUZQFWFUIQFFSOBNFUFTUDU CSDUMBEEJGCSUFTUCS JQMJOLTFUUFTUDUOFUOTUFTU JQOFUOTFYFDUFTUJQBEESBEEEFWUFTUDU JQOFUOTFYFDUFTUJQMJOLTFUMPVQ JQOFUOTFYFDUFTUJQMJOLTFUUFTUDUVQ JQMJOLTFUUFTUCSVQ
JQOFUOTFYFDUFTUJQSPVUFBEEEFGBVMUWJB NPVOUUQSPDQSPDNOUUFTUQSPD NPVOUSCJOETZTNOUUFTUTZT NPVOUNBLFSTMBWFNOUUFTUTZT NPVOUSCJOEEFWNOUUFTUEFW NPVOUNBLFSTMBWFNOUUFTUEFW 654 OFUXPSL DISPPU
UPVDIWBSSVOVUTOTUFTU VOTIBSFVUTSVOVUTOTUFTUIPTUOBNFUFTU JQOFUOTBEEUFTU JQMJOLBEEOBNFUFTUCSUZQFWFUIQFFSOBNFUFTUDU CSDUMBEEJGCSUFTUCS JQMJOLTFUUFTUDUOFUOTUFTU JQOFUOTFYFDUFTUJQBEESBEEEFWUFTUDU JQOFUOTFYFDUFTUJQMJOLTFUMPVQ JQOFUOTFYFDUFTUJQMJOLTFUUFTUDUVQ JQMJOLTFUUFTUCSVQ
JQOFUOTFYFDUFTUJQSPVUFEEEFGBVMUWJB NPVOUUQSPDQSPDNOUUFTUQSPD NPVOUSCJOETZTNOUUFTUTZT NPVOUNBLFSTMBWFNOUUFTUTZT NPVOUSCJOEEFWNOUUFTUEFW NPVOUNBLFSTMBWFNOUUFTUEFW ίϯςφ࡞ʹίϚϯυ JNBHFͷ࡞আ͘
σϞ͠ͳ͕Βݟ͍ͯ͘
imageͷ࡞ • dockerͳΒdocker export Ͱ • build, shipdockerͰΔͱָͦ͏ • ࠓճrun෦Ͱ༡Ϳ
• dockerͳ͠ͳΒdebootstrapͳͲ • ࠓճdebootstrapͰ࡞ͨͭ͠Λར༻
namespaceͷӬଓԽ MSXYSXYSXYSPPUSPPU݄JQDJQD<> MSXYSXYSXYSPPUSPPU݄NOUNOU<> MSXYSXYSXYSPPUSPPU݄OFUOFU<> MSXYSXYSXYSPPUSPPU݄QJEQJE<> MSXYSXYSXYSPPUSPPU݄VUTVUT<> • /proc/[PID]/ns Լʹ͋ΔಛघϑΝΠϧ QSPD<1*%>ϓϩηε͕ফ͑Δͱͳ͘ͳΔͷͰӬଓԽ͕ඞཁ
namespaceͷӬଓԽ • bindϚϯτΛ͔ͭͬͯӬଓԽ͢Δ NPVOUCJOESVOVUTOTSVOVUTOT NPVOUNBLFTIBSFESVOVUTOT VOTIBSFVNPVOUCJOEQSPDTFMGOTVUTSVOVUTOT UFTU VOTIBSFVUTSVOVUTOTUFTU • ࠷ۙͷunshareίϚϯυӬଓԽָ͕
UTS namespace • ओʹཧͷͨΊ • ίϯςφʹೖͬͨͱ͖ͱ͔ • γϯϓϧʹ͑ΔͷͰ͓ؾܰ UPVDIWBSSVOVUTOTUFTU VOTIBSFVUTSVOVUTOTUFTUIPTUOBNFUFTU
Networkͷ࡞ • veth࡞ͬͯbridgeʹଓ • TenForwardࢯʹΑΔσϞ͕͋Γͦ͏ͳͷͰলུ • (ࢲ)৭ʑมߋ͢Δ͜ͱ͕ଟ͍ • Linux BridgeΛOpen
vSwitchʹͨ͠Γ • ࣗ࡞ͷιϑτΣΞϧʔλʹଓͨ͠Γ • KVMͷVMͱଓͨ͠Γ • ෳNIC + mptcpڥ
Networkͷ࡞ • NetworkϙʔλϏϦςΟʹӨڹ͕ग़͍͢ • Ұ࣌ظdocker͕ؤுͬͯͨ • VXLANʹΑΔoverlay NetworkͳͲ • վળ͖͢Օॴ͕ͨ͘͞Μ͋Δ໘ന͍
• ΦϑϩʔσΟϯά, SR-IOVͳͲߴԽ • VXLANͳͲͷϓϩτίϧٕज़
chrootڥͷ࡞ • proc, sys, devͳͲΛmount͢Δ NPVOUUQSPDQSPDNOUUFTUQSPD NPVOUSCJOETZTNOUUFTUTZT NPVOUNBLFSTMBWFNOUUFTUTZT NPVOUSCJOEEFWNOUUFTUEFW NPVOUNBLFSTMBWFNOUUFTUEFW
TZTUFNEڥͰCJOEϚϯτ͕4)"3&%ʹͳͬͨͷͰ STMBWF͓͔ͯ͠ͳ͍ͱVNPVOU3ͨ࣌͠ʹ͓͔͘͠ͳΔ
ίϯςφͰͷϓϩηεͷ࣮ߦ OTFOUFSOFUSVOOFUOTUFTUa VUTSVOVUTOTUFTUa DISPPUNOUUFTUa FUDJOJUEOHJOYTUBSU • nsenterΛ͔ͭͬͯnamespaceΛattach • ͦͷ্Ͱchroot͢Δ ಉ༷ʹTTIͳͲىಈ͢Δ
ίϯςφͰͷϓϩηεͷ࣮ߦ • chrootԼͰsystemdಈ࡞͠ͳ͍ͷͰҙ͕ඞཁ • chrootͷΘΓʹsystemd-nspawnΛͬͯಈ͔͢ํ ๏͋Δ • ͦͷ߹ޙड़ͷPID namespaceΛ͏͜ͱʹͳΔ
PID namespace • PID͢Δͱੜ͞ΕͨࢠϓϩηεͦͷۭؒͰinit(PID=1) ͱͳΔ • init͕ࢮ͵ͱ൵͍͜͠ͱʹͳΔͷͰҡ࣋͢Δඞཁ͕͋Δ • ΑΓྑ͍initΛٻΊΔཱྀ͕࢝·Δ •
docker 1.13Ͱ runʹ initΦϓγϣϯ͕͍ͯͦ͏ • ·ͨ/sbin/init Λ࣮ߦ͢Δɺ͠ͳ͍ͱ͍ͬͨબࢶ૿͑Δ • ࠓճͷ༻్Ͱ͍Βͳ͍ͷͰল͍ͨ • ࣮ࡍʹඞཁͱͳΔ͜ͱ͕ଟ͍ • ্هཧ༝ͰؾܰʹΔͳΒল͘ͱָ
PID namespaceΛར༻͠ͳ͍ͱ… • ps ݁Ռ͕͞Εͳ͍ • ίϯςφɺίϯςφ֎͔Βݟ์ • initʹͿΒԼ͕Δdaemon •
UST, networkͷnamespace͞Ε͍ͯΔ • ϓϩηεੜ࣌ʹ͠ͳ͚Εܧঝ͞ΕΔ • ϓϩηεͷऴྃΛͲ͏͢Δ͔ • ss -N test01 -tlpͳͲͰLISTENΛ֬ೝ͢Δͱ͞Ε͍ͯ Δ͜ͱ͕Θ͔Δ
ps ݁Ռ SPPUOHJOYNBTUFSQSPDFTTVTSTCJOOHJOY IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT SPPUOHJOYNBTUFSQSPDFTTVTSTCJOOHJOY IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT
IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT
ss݁Ռ TVEPTT/UFTUMUQ 4UBUF3FDW24FOE2ɹ-PDBM"EESFTT1PSUɹ1FFS"EESFTT1PSU -*45&/ɹ IUUQɹ ɹVTFST OHJOY QJE GE
-*45&/ɹIUUQɹ ɹVTFST OHJOY QJE GE TVEPTT/UFTUMUQ 4UBUF3FDW24FOE2ɹ-PDBM"EESFTT1PSUɹ1FFS"EESFTT1PSU -*45&/ɹ IUUQɹ ɹVTFST OHJOY QJE GE -*45&/ɹIUUQɹ ɹVTFST OHJOY QJE GE
curl DVSM UFTUDPOUBJOFSOHJOY DVSM UFTUDPOUBJOFSOHJOY
SSH TTI DBUFUDEFCJBO@WFSTJPO TTI DBUFUDEFCJBO@WFSTJPO TUSFUDITJE
·ͱΊΔͱ… • imageͷϥΠϒϥϦόʔδϣϯͰಈ࡞ • ίϯςφͰෳͷΞϓϦέʔγϣϯΛىಈ • ҟͳΔIPΞυϨεͰ௨৴ • ؆୯ͳΞϓϦέʔγϣϯΛ࣮ߦ͢Δ͙Β͍Ͱ͖ͦ͏ •
ൺֱతރΕ͍ͯΔͷ͔͍ͬͯ͠ͳ͍ + γϯϓϧͳ ͷͰ҆ఆ͍ͯͦ͠͏
͍͚ͯͳ͍Օॴ • ͍͚ͯͳ͍Օॴͷطଘίϯςφٕज़Ͱͷղܾ๏ͱ ࣗͰ࣮͢ΔࡍͷղܾํΛൺֱ͢Δͱָ͍͠ • imageཧ • Netoworkߏ • PIDͷཧ,
ϓϩηεͷॲཧํ๏ • Ϧιʔε੍ݶ • ηΩϡϦςΟ
• imageͷཧػೳ • snapshotɺόʔδϣχϯά? • imageͷҠಈͲ͏͢Δ? • Networkߏ • αϒωοτݻఆͰIPखಈͳͷͰҠಈͲ͏͢Δʁɹ
• ҟͳΔαϒωοτͱͷ௨৴? • PIDɺϓϩηεॲཧ • PID͢Δ or ͠ͳ͍? • ίϯςφͷinitͷॲཧ • γεςϜίϯςφ? ΞϓϦέʔγϣϯίϯςφ?
·ͱΊ • ίϯςφࣗ࡞ؾܰʹͰ͖Δ • Կ͕ίϯςφ͔ͱ͍͏͋Δ͕ namespaceؾܰʹ͑Δ • طଘίϯςφٕज़ͷཧղ͕ਂ·Δ • ͨΓͳ͍ͱ͜Ζݟ͑ͯ͘Δ
• Ұճ৮͓ͬͯ͘ͱྑͦ͞͏