Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
chroot-network-uts-container
Search
masayoshi
June 17, 2017
Technology
6
710
chroot-network-uts-container
chroot ✕ netowork namespace ✕UTS namespace
masayoshi
June 17, 2017
Tweet
Share
More Decks by masayoshi
See All by masayoshi
メトリクス、ログ、トレースをうまく使い分けて可観測性を高めよう!
masayoshi
8
4.7k
Developers Summit 2021 summer
masayoshi
15
27k
2021-06-cloud-native-reg-event
masayoshi
8
2.4k
SRE_Culture_Organization
masayoshi
17
9.6k
cloudnative-kansai-2019
masayoshi
1
610
ミドルウェア実行環境の多様化を考慮したインフラアーキテクチャの一検討/study on web system architecture #2
masayoshi
0
3.3k
Webサービスにおけるインフラアーキテクチャの体系化と選択自動化の研究/study on web system architecture #1
masayoshi
0
2.5k
はてなのインフラストラクチャ設計構想 / The Concept of Hatena Infrastructure
masayoshi
1
5.2k
はてなのインフラ環境を自宅で再現する
masayoshi
7
12k
Other Decks in Technology
See All in Technology
VPoEの視点から見た、ヘンリーがサーバーサイドKotlinを使う理由 / Why Server-side Kotlin 2024
cho0o0
1
420
[NIKKEI Tech Talk] KDDI/KAG Scrum & Community for Engineering Training
curanosuke
2
220
コンテナ・K8s研修 - 前半 コンテナ基礎・ハンズオン【MIXI 24新卒技術研修】
mixi_engineers
PRO
0
170
セキュリティ研修 Day1【MIXI 24新卒技術研修】
mixi_engineers
PRO
0
160
What is DRE? - Road to SRE NEXT@広島
chanyou0311
3
630
Scaling Technical Excellence at 104: Evolution in AWS and Developer Empowerment
scotthsieh825
1
150
累計ダウンロード数1億8000万を超えるアプリケーションプラットフォームのレガシーシステム脱却とモダン化への道
kmitsuhashi
0
120
エンジニアの生存戦略 〜クラウド潮流の経験から紐解く技術トレンドのメカニズムと乗りこなし方〜
shimy
9
1.9k
Flutter研修【MIXI 24新卒技術研修】
mixi_engineers
PRO
0
160
運用改善、不都合な真実 / 20240722-ssmjp-kaizen
opelab
17
8k
開発生産性をむしろ向上させる セキュリティパートナーの作り方 / Dev Productivity Con 2024
flatt_security
0
360
スレットハンティングについて知っておきたいこと
hacket
0
130
Featured
See All Featured
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
34
1.9k
Automating Front-end Workflow
addyosmani
1362
200k
StorybookのUI Testing Handbookを読んだ
zakiyama
15
4.9k
Ruby is Unlike a Banana
tanoku
96
10k
Reflections from 52 weeks, 52 projects
jeffersonlam
346
19k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
Code Reviewing Like a Champion
maltzj
517
39k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
13
430
Done Done
chrislema
179
15k
Building Adaptive Systems
keathley
34
2k
Making the Leap to Tech Lead
cromwellryan
127
8.7k
Statistics for Hackers
jakevdp
792
220k
Transcript
chrootͱnetwork namespace Ͱͭ͘Δ؆қίϯςφ ୈճίϯςφܕԾԽͷใަձˏେࡕ
ࣗݾհ • id:masayoshi • ͯͳˏژ • WebΦϖϨʔγϣϯΤϯδχΞ • େֶ࣌SDNؔ࿈ͷݚڀ
ࠓ͢͜ͱ • ࣗ࡞ίϯςφͷϞνϕʔγϣϯ • chroot ✕ network namespace ✕ UTS
namespace
ࠓ͢͜ͱ • TenForwardࢯͷৄࡉͳղઆͰجૅٕज़Λཧղ͠ɺ • ࢲͷࡶͳൃදͰίϯςφࣗ࡞ʹڵຯΛ࣋ͬͯΒ͍ɺ • udzuraࢯͷhaconiwaͰͥͻνϟϨϯδͯ͠ཉ͍͠
ίϯςφࣗ࡞ͷϞνϕʔγϣϯ • Linuxίϯςφͷษڧ • جૅ෦ɺ࣮ʹΑΒͳ͍ڞ௨ٕज़ͷษڧ • طଘίϯςφٕज़ͷ࠶֬ೝ • ࡞ͬͯͬͯΈΔͱҧ͍ͳͲ͕Α͔͘Δ •
खݩͰͷωοτϫʔΫςετڥ • ࡉ͔͘มߋ͢ΔͷͰࣗͰ৮Γ͍͢ํ͕ྑ͍
chroot network namespace UTS namespace
ͳΜͰ͜ͷ3ͭ? • ߹Θͤͯ͏ͱγϯϓϧ͕ͩҙ֎ͱ͓͠Ζ͍͕ಈ͔ͤΔ • ֶੜͷͱ͖ݚڀͰnetwork nsΛΑ͍ͬͯͨ͘ • ωοτϫʔΫͰ༡Ϳͱ͖͜ͷߏΛ͍ͬͯΔ • chroot
namespaceͷҰ෦ͷΈͷΈ߹Θͤଟ͘ͳͦ͞͏ • 1ͭ1ͭશͯΛΈ߹Θ࣮ͤͨྫ৭ʑ͋Δ
͜ͷ3ͭͰ໘ന͍͜ͱ͕ग़དྷΔ • chroot • docker exportͳͲͷల։͞ΕͨΠϝʔδͷ࣮ߦ • network namespace •
ಛఆͷIPΞυϨε + ϙʔτͰͷLISTEN • UTS namespace • ཧ্ͷརศੑ
ྫ͑ • apache + mackerel-agent + ssh ͳίϯςφ • Webαʔό
• ࢹ༻ΤʔδΣϯτͱssh͕ಈ࡞ • ΞϓϦέʔγϣϯ + ࢹ + ཧ • ಉҰͷཧαʔόͰ্هͷίϯςφΛෳىಈՄೳ • networkLinux BridgeͰϒϦοδଓ
#SJEHF ϗετ໊UFTU ϗετ໊UFTU FUI IUUQE TTI
IUUQE TTI WBSDPOUBJOFSUFTU WBSDPOUBJOFSUFTU NBDLFSFMBHFOU NBDLFSFMBHFOU
UPVDIWBSSVOVUTOTUFTU VOTIBSFVUTSVOVUTOTUFTUIPTUOBNFUFTU JQOFUOTBEEUFTU JQMJOLBEEOBNFUFTUCSUZQFWFUIQFFSOBNFUFTUDU CSDUMBEEJGCSUFTUCS JQMJOLTFUUFTUDUOFUOTUFTU JQOFUOTFYFDUFTUJQBEESBEEEFWUFTUDU JQOFUOTFYFDUFTUJQMJOLTFUMPVQ JQOFUOTFYFDUFTUJQMJOLTFUUFTUDUVQ JQMJOLTFUUFTUCSVQ
JQOFUOTFYFDUFTUJQSPVUFBEEEFGBVMUWJB NPVOUUQSPDQSPDNOUUFTUQSPD NPVOUSCJOETZTNOUUFTUTZT NPVOUNBLFSTMBWFNOUUFTUTZT NPVOUSCJOEEFWNOUUFTUEFW NPVOUNBLFSTMBWFNOUUFTUEFW
UPVDIWBSSVOVUTOTUFTU VOTIBSFVUTSVOVUTOTUFTUIPTUOBNFUFTU JQOFUOTBEEUFTU JQMJOLBEEOBNFUFTUCSUZQFWFUIQFFSOBNFUFTUDU CSDUMBEEJGCSUFTUCS JQMJOLTFUUFTUDUOFUOTUFTU JQOFUOTFYFDUFTUJQBEESBEEEFWUFTUDU JQOFUOTFYFDUFTUJQMJOLTFUMPVQ JQOFUOTFYFDUFTUJQMJOLTFUUFTUDUVQ JQMJOLTFUUFTUCSVQ
JQOFUOTFYFDUFTUJQSPVUFBEEEFGBVMUWJB NPVOUUQSPDQSPDNOUUFTUQSPD NPVOUSCJOETZTNOUUFTUTZT NPVOUNBLFSTMBWFNOUUFTUTZT NPVOUSCJOEEFWNOUUFTUEFW NPVOUNBLFSTMBWFNOUUFTUEFW 654 OFUXPSL DISPPU
UPVDIWBSSVOVUTOTUFTU VOTIBSFVUTSVOVUTOTUFTUIPTUOBNFUFTU JQOFUOTBEEUFTU JQMJOLBEEOBNFUFTUCSUZQFWFUIQFFSOBNFUFTUDU CSDUMBEEJGCSUFTUCS JQMJOLTFUUFTUDUOFUOTUFTU JQOFUOTFYFDUFTUJQBEESBEEEFWUFTUDU JQOFUOTFYFDUFTUJQMJOLTFUMPVQ JQOFUOTFYFDUFTUJQMJOLTFUUFTUDUVQ JQMJOLTFUUFTUCSVQ
JQOFUOTFYFDUFTUJQSPVUFEEEFGBVMUWJB NPVOUUQSPDQSPDNOUUFTUQSPD NPVOUSCJOETZTNOUUFTUTZT NPVOUNBLFSTMBWFNOUUFTUTZT NPVOUSCJOEEFWNOUUFTUEFW NPVOUNBLFSTMBWFNOUUFTUEFW ίϯςφ࡞ʹίϚϯυ JNBHFͷ࡞আ͘
σϞ͠ͳ͕Βݟ͍ͯ͘
imageͷ࡞ • dockerͳΒdocker export Ͱ • build, shipdockerͰΔͱָͦ͏ • ࠓճrun෦Ͱ༡Ϳ
• dockerͳ͠ͳΒdebootstrapͳͲ • ࠓճdebootstrapͰ࡞ͨͭ͠Λར༻
namespaceͷӬଓԽ MSXYSXYSXYSPPUSPPU݄JQDJQD<> MSXYSXYSXYSPPUSPPU݄NOUNOU<> MSXYSXYSXYSPPUSPPU݄OFUOFU<> MSXYSXYSXYSPPUSPPU݄QJEQJE<> MSXYSXYSXYSPPUSPPU݄VUTVUT<> • /proc/[PID]/ns Լʹ͋ΔಛघϑΝΠϧ QSPD<1*%>ϓϩηε͕ফ͑Δͱͳ͘ͳΔͷͰӬଓԽ͕ඞཁ
namespaceͷӬଓԽ • bindϚϯτΛ͔ͭͬͯӬଓԽ͢Δ NPVOUCJOESVOVUTOTSVOVUTOT NPVOUNBLFTIBSFESVOVUTOT VOTIBSFVNPVOUCJOEQSPDTFMGOTVUTSVOVUTOT UFTU VOTIBSFVUTSVOVUTOTUFTU • ࠷ۙͷunshareίϚϯυӬଓԽָ͕
UTS namespace • ओʹཧͷͨΊ • ίϯςφʹೖͬͨͱ͖ͱ͔ • γϯϓϧʹ͑ΔͷͰ͓ؾܰ UPVDIWBSSVOVUTOTUFTU VOTIBSFVUTSVOVUTOTUFTUIPTUOBNFUFTU
Networkͷ࡞ • veth࡞ͬͯbridgeʹଓ • TenForwardࢯʹΑΔσϞ͕͋Γͦ͏ͳͷͰলུ • (ࢲ)৭ʑมߋ͢Δ͜ͱ͕ଟ͍ • Linux BridgeΛOpen
vSwitchʹͨ͠Γ • ࣗ࡞ͷιϑτΣΞϧʔλʹଓͨ͠Γ • KVMͷVMͱଓͨ͠Γ • ෳNIC + mptcpڥ
Networkͷ࡞ • NetworkϙʔλϏϦςΟʹӨڹ͕ग़͍͢ • Ұ࣌ظdocker͕ؤுͬͯͨ • VXLANʹΑΔoverlay NetworkͳͲ • վળ͖͢Օॴ͕ͨ͘͞Μ͋Δ໘ന͍
• ΦϑϩʔσΟϯά, SR-IOVͳͲߴԽ • VXLANͳͲͷϓϩτίϧٕज़
chrootڥͷ࡞ • proc, sys, devͳͲΛmount͢Δ NPVOUUQSPDQSPDNOUUFTUQSPD NPVOUSCJOETZTNOUUFTUTZT NPVOUNBLFSTMBWFNOUUFTUTZT NPVOUSCJOEEFWNOUUFTUEFW NPVOUNBLFSTMBWFNOUUFTUEFW
TZTUFNEڥͰCJOEϚϯτ͕4)"3&%ʹͳͬͨͷͰ STMBWF͓͔ͯ͠ͳ͍ͱVNPVOU3ͨ࣌͠ʹ͓͔͘͠ͳΔ
ίϯςφͰͷϓϩηεͷ࣮ߦ OTFOUFSOFUSVOOFUOTUFTUa VUTSVOVUTOTUFTUa DISPPUNOUUFTUa FUDJOJUEOHJOYTUBSU • nsenterΛ͔ͭͬͯnamespaceΛattach • ͦͷ্Ͱchroot͢Δ ಉ༷ʹTTIͳͲىಈ͢Δ
ίϯςφͰͷϓϩηεͷ࣮ߦ • chrootԼͰsystemdಈ࡞͠ͳ͍ͷͰҙ͕ඞཁ • chrootͷΘΓʹsystemd-nspawnΛͬͯಈ͔͢ํ ๏͋Δ • ͦͷ߹ޙड़ͷPID namespaceΛ͏͜ͱʹͳΔ
PID namespace • PID͢Δͱੜ͞ΕͨࢠϓϩηεͦͷۭؒͰinit(PID=1) ͱͳΔ • init͕ࢮ͵ͱ൵͍͜͠ͱʹͳΔͷͰҡ࣋͢Δඞཁ͕͋Δ • ΑΓྑ͍initΛٻΊΔཱྀ͕࢝·Δ •
docker 1.13Ͱ runʹ initΦϓγϣϯ͕͍ͯͦ͏ • ·ͨ/sbin/init Λ࣮ߦ͢Δɺ͠ͳ͍ͱ͍ͬͨબࢶ૿͑Δ • ࠓճͷ༻్Ͱ͍Βͳ͍ͷͰল͍ͨ • ࣮ࡍʹඞཁͱͳΔ͜ͱ͕ଟ͍ • ্هཧ༝ͰؾܰʹΔͳΒল͘ͱָ
PID namespaceΛར༻͠ͳ͍ͱ… • ps ݁Ռ͕͞Εͳ͍ • ίϯςφɺίϯςφ֎͔Βݟ์ • initʹͿΒԼ͕Δdaemon •
UST, networkͷnamespace͞Ε͍ͯΔ • ϓϩηεੜ࣌ʹ͠ͳ͚Εܧঝ͞ΕΔ • ϓϩηεͷऴྃΛͲ͏͢Δ͔ • ss -N test01 -tlpͳͲͰLISTENΛ֬ೝ͢Δͱ͞Ε͍ͯ Δ͜ͱ͕Θ͔Δ
ps ݁Ռ SPPUOHJOYNBTUFSQSPDFTTVTSTCJOOHJOY IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT SPPUOHJOYNBTUFSQSPDFTTVTSTCJOOHJOY IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT
IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT
ss݁Ռ TVEPTT/UFTUMUQ 4UBUF3FDW24FOE2ɹ-PDBM"EESFTT1PSUɹ1FFS"EESFTT1PSU -*45&/ɹ IUUQɹ ɹVTFST OHJOY QJE GE
-*45&/ɹIUUQɹ ɹVTFST OHJOY QJE GE TVEPTT/UFTUMUQ 4UBUF3FDW24FOE2ɹ-PDBM"EESFTT1PSUɹ1FFS"EESFTT1PSU -*45&/ɹ IUUQɹ ɹVTFST OHJOY QJE GE -*45&/ɹIUUQɹ ɹVTFST OHJOY QJE GE
curl DVSM UFTUDPOUBJOFSOHJOY DVSM UFTUDPOUBJOFSOHJOY
SSH TTI DBUFUDEFCJBO@WFSTJPO TTI DBUFUDEFCJBO@WFSTJPO TUSFUDITJE
·ͱΊΔͱ… • imageͷϥΠϒϥϦόʔδϣϯͰಈ࡞ • ίϯςφͰෳͷΞϓϦέʔγϣϯΛىಈ • ҟͳΔIPΞυϨεͰ௨৴ • ؆୯ͳΞϓϦέʔγϣϯΛ࣮ߦ͢Δ͙Β͍Ͱ͖ͦ͏ •
ൺֱతރΕ͍ͯΔͷ͔͍ͬͯ͠ͳ͍ + γϯϓϧͳ ͷͰ҆ఆ͍ͯͦ͠͏
͍͚ͯͳ͍Օॴ • ͍͚ͯͳ͍Օॴͷطଘίϯςφٕज़Ͱͷղܾ๏ͱ ࣗͰ࣮͢ΔࡍͷղܾํΛൺֱ͢Δͱָ͍͠ • imageཧ • Netoworkߏ • PIDͷཧ,
ϓϩηεͷॲཧํ๏ • Ϧιʔε੍ݶ • ηΩϡϦςΟ
• imageͷཧػೳ • snapshotɺόʔδϣχϯά? • imageͷҠಈͲ͏͢Δ? • Networkߏ • αϒωοτݻఆͰIPखಈͳͷͰҠಈͲ͏͢Δʁɹ
• ҟͳΔαϒωοτͱͷ௨৴? • PIDɺϓϩηεॲཧ • PID͢Δ or ͠ͳ͍? • ίϯςφͷinitͷॲཧ • γεςϜίϯςφ? ΞϓϦέʔγϣϯίϯςφ?
·ͱΊ • ίϯςφࣗ࡞ؾܰʹͰ͖Δ • Կ͕ίϯςφ͔ͱ͍͏͋Δ͕ namespaceؾܰʹ͑Δ • طଘίϯςφٕज़ͷཧղ͕ਂ·Δ • ͨΓͳ͍ͱ͜Ζݟ͑ͯ͘Δ
• Ұճ৮͓ͬͯ͘ͱྑͦ͞͏