Upgrade to Pro — share decks privately, control downloads, hide ads and more …

chroot-network-uts-container

masayoshi
June 17, 2017
Technology
6
750

 chroot-network-uts-container

chroot ✕ netowork namespace ✕UTS namespace

masayoshi

June 17, 2017
Tweet

More Decks by masayoshi

See All by masayoshi
メトリクス、ログ、トレースをうまく使い分けて可観測性を高めよう!
masayoshi
9
8.4k
Developers Summit 2021 summer
masayoshi
15
28k
2021-06-cloud-native-reg-event
masayoshi
8
2.4k
SRE_Culture_Organization
masayoshi
17
9.8k
cloudnative-kansai-2019
masayoshi
1
650
ミドルウェア実行環境の多様化を考慮したインフラアーキテクチャの一検討/study on web system architecture #2
masayoshi
0
3.4k
Webサービスにおけるインフラアーキテクチャの体系化と選択自動化の研究/study on web system architecture #1
masayoshi
0
2.7k
はてなのインフラストラクチャ設計構想 / The Concept of Hatena Infrastructure
masayoshi
1
5.3k
はてなのインフラ環境を自宅で再現する
masayoshi
7
12k

Other Decks in Technology

See All in Technology
心が動くエンジニアリング ── 私が夢中になる理由
16bitidol
0
100
OCI 運用監視サービス 概要
oracle4engineer
PRO
0
4.8k
OCI Vault 概要
oracle4engineer
PRO
0
9.7k
B2B SaaSから見た最近のC#/.NETの進化
sansantech
PRO
0
890
CysharpのOSS群から見るModern C#の現在地
neuecc
2
3.5k
Lexical Analysis
shigashiyama
1
150
Taming you application's environments
salaboy
0
190
AGIについてChatGPTに聞いてみた
blueb
0
130
rootlessコンテナのすゝめ - 研究室サーバーでもできる安全なコンテナ管理
kitsuya0828
3
390
複雑なState管理からの脱却
sansantech
PRO
1
150
OS 標準のデザインシステムを超えて - より柔軟な Flutter テーマ管理 | FlutterKaigi 2024
ronnnnn
0
210
第1回 国土交通省 データコンペ参加者向け勉強会③ - Snowflake x estie編 -
estie
0
130

Featured

See All Featured
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k
Making Projects Easy
brettharned
115
5.9k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.7k
Optimising Largest Contentful Paint
csswizardry
33
2.9k
Documentation Writing (for coders)
carmenintech
65
4.4k
The Art of Programming - Codeland 2020
erikaheidi
52
13k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
226
22k
Music & Morning Musume
bryan
46
6.2k
Building Flexible Design Systems
yeseniaperezcruz
327
38k
The Power of CSS Pseudo Elements
geoffreycrofte
73
5.3k
Imperfection Machines: The Place of Print at Facebook
scottboms
265
13k

Transcript

  1. chrootͱnetwork namespace Ͱͭ͘Δ؆қίϯςφ ୈճίϯςφܕԾ૝Խͷ৘ใަ׵ձˏେࡕ

  2. ࣗݾ঺հ • id:masayoshi • ͸ͯͳˏژ౎ • WebΦϖϨʔγϣϯΤϯδχΞ • େֶ࣌୅͸SDNؔ࿈ͷݚڀ

  3. ࠓ೔࿩͢͜ͱ • ࣗ࡞ίϯςφͷϞνϕʔγϣϯ • chroot ✕ network namespace ✕ UTS

    namespace

  4. ࠓ೔࿩͢͜ͱ • TenForwardࢯͷৄࡉͳղઆͰجૅٕज़Λཧղ͠ɺ • ࢲͷࡶͳൃදͰίϯςφࣗ࡞ʹڵຯΛ࣋ͬͯ΋Β͍ɺ • udzuraࢯͷhaconiwaͰͥͻνϟϨϯδͯ͠ཉ͍͠

  5. ίϯςφࣗ࡞ͷϞνϕʔγϣϯ • Linuxίϯςφͷษڧ • جૅ෦෼ɺ࣮૷ʹΑΒͳ͍ڞ௨ٕज़ͷษڧ • طଘίϯςφٕज़ͷ࠶֬ೝ • ࡞ͬͯ࢖ͬͯΈΔͱҧ͍ͳͲ͕Α͘෼͔Δ •

    खݩͰͷωοτϫʔΫςετ؀ڥ • ࡉ͔͘มߋ͢ΔͷͰࣗ෼Ͱ৮Γ΍͍͢ํ͕ྑ͍

  6. chroot network namespace UTS namespace

  7. ͳΜͰ͜ͷ3ͭ? • ߹Θͤͯ࢖͏ͱγϯϓϧ͕ͩҙ֎ͱ͓΋͠Ζ͍෺͕ಈ͔ͤΔ • ֶੜͷͱ͖ݚڀͰnetwork nsΛΑ͘࢖͍ͬͯͨ • ωοτϫʔΫͰ༡Ϳͱ͖͸͜ͷߏ੒Λ࢖͍ͬͯΔ • chroot

    namespaceͷҰ෦ͷΈͷ૊Έ߹Θͤ͸ଟ͘ͳͦ͞͏ • 1ͭ1ͭ΍શͯΛ૊Έ߹Θ࣮ͤͨ૷ྫ͸৭ʑ͋Δ

  8. ͜ͷ3ͭͰ΋໘ന͍͜ͱ͕ग़དྷΔ • chroot • docker exportͳͲͷల։͞ΕͨΠϝʔδͷ࣮ߦ • network namespace •

    ಛఆͷIPΞυϨε + ϙʔτͰͷLISTEN • UTS namespace • ؅ཧ্ͷརศੑ

  9. ྫ͑͹ • apache + mackerel-agent + ssh ͳίϯςφ • Webαʔό

    • ؂ࢹ༻ΤʔδΣϯτͱssh͕ಈ࡞ • ΞϓϦέʔγϣϯ + ؂ࢹ + ؅ཧ • ಉҰͷ෺ཧαʔόͰ্هͷίϯςφΛෳ਺ىಈՄೳ • network͸Linux BridgeͰϒϦοδ઀ଓ

  10. #SJEHF ϗετ໊UFTU ϗετ໊UFTU FUI IUUQE    TTI 

    IUUQE  TTI   WBSDPOUBJOFSUFTU WBSDPOUBJOFSUFTU NBDLFSFMBHFOU NBDLFSFMBHFOU

  11. UPVDIWBSSVOVUTOTUFTU VOTIBSFVUTSVOVUTOTUFTUIPTUOBNFUFTU JQOFUOTBEEUFTU JQMJOLBEEOBNFUFTUCSUZQFWFUIQFFSOBNFUFTUDU CSDUMBEEJGCSUFTUCS JQMJOLTFUUFTUDUOFUOTUFTU JQOFUOTFYFDUFTUJQBEESBEEEFWUFTUDU JQOFUOTFYFDUFTUJQMJOLTFUMPVQ JQOFUOTFYFDUFTUJQMJOLTFUUFTUDUVQ JQMJOLTFUUFTUCSVQ

    JQOFUOTFYFDUFTUJQSPVUFBEEEFGBVMUWJB NPVOUUQSPDQSPDNOUUFTUQSPD NPVOUSCJOETZTNOUUFTUTZT NPVOUNBLFSTMBWFNOUUFTUTZT NPVOUSCJOEEFWNOUUFTUEFW NPVOUNBLFSTMBWFNOUUFTUEFW

  12. UPVDIWBSSVOVUTOTUFTU VOTIBSFVUTSVOVUTOTUFTUIPTUOBNFUFTU JQOFUOTBEEUFTU JQMJOLBEEOBNFUFTUCSUZQFWFUIQFFSOBNFUFTUDU CSDUMBEEJGCSUFTUCS JQMJOLTFUUFTUDUOFUOTUFTU JQOFUOTFYFDUFTUJQBEESBEEEFWUFTUDU JQOFUOTFYFDUFTUJQMJOLTFUMPVQ JQOFUOTFYFDUFTUJQMJOLTFUUFTUDUVQ JQMJOLTFUUFTUCSVQ

    JQOFUOTFYFDUFTUJQSPVUFBEEEFGBVMUWJB NPVOUUQSPDQSPDNOUUFTUQSPD NPVOUSCJOETZTNOUUFTUTZT NPVOUNBLFSTMBWFNOUUFTUTZT NPVOUSCJOEEFWNOUUFTUEFW NPVOUNBLFSTMBWFNOUUFTUEFW 654 OFUXPSL DISPPU

  13. UPVDIWBSSVOVUTOTUFTU VOTIBSFVUTSVOVUTOTUFTUIPTUOBNFUFTU JQOFUOTBEEUFTU JQMJOLBEEOBNFUFTUCSUZQFWFUIQFFSOBNFUFTUDU CSDUMBEEJGCSUFTUCS JQMJOLTFUUFTUDUOFUOTUFTU JQOFUOTFYFDUFTUJQBEESBEEEFWUFTUDU JQOFUOTFYFDUFTUJQMJOLTFUMPVQ JQOFUOTFYFDUFTUJQMJOLTFUUFTUDUVQ JQMJOLTFUUFTUCSVQ

    JQOFUOTFYFDUFTUJQSPVUFEEEFGBVMUWJB NPVOUUQSPDQSPDNOUUFTUQSPD NPVOUSCJOETZTNOUUFTUTZT NPVOUNBLFSTMBWFNOUUFTUTZT NPVOUSCJOEEFWNOUUFTUEFW NPVOUNBLFSTMBWFNOUUFTUEFW ίϯςφ࡞੒ʹίϚϯυ JNBHFͷ࡞੒͸আ͘

  14. σϞ͠ͳ͕Βݟ͍ͯ͘

  15. imageͷ࡞੒ • dockerͳΒdocker export Ͱ • build, ship͸dockerͰ΍Δͱָͦ͏ • ࠓճ͸run෦෼Ͱ༡Ϳ

    • dockerͳ͠ͳΒdebootstrapͳͲ • ࠓճ͸debootstrapͰ࡞੒ͨ͠΍ͭΛར༻

  16. namespaceͷӬଓԽ MSXYSXYSXYSPPUSPPU݄JQDJQD<> MSXYSXYSXYSPPUSPPU݄NOUNOU<> MSXYSXYSXYSPPUSPPU݄OFUOFU<> MSXYSXYSXYSPPUSPPU݄QJEQJE<> MSXYSXYSXYSPPUSPPU݄VUTVUT<> • /proc/[PID]/ns ഑Լʹ͋ΔಛघϑΝΠϧ QSPD<1*%>͸ϓϩηε͕ফ͑Δͱͳ͘ͳΔͷͰӬଓԽ͕ඞཁ

  17. namespaceͷӬଓԽ • bindϚ΢ϯτΛ͔ͭͬͯӬଓԽ͢Δ NPVOUCJOESVOVUTOTSVOVUTOT NPVOUNBLFTIBSFESVOVUTOT VOTIBSFVNPVOUCJOEQSPDTFMGOTVUTSVOVUTOT UFTU VOTIBSFVUTSVOVUTOTUFTU • ࠷ۙͷunshareίϚϯυ͸ӬଓԽָ͕

  18. UTS namespace • ओʹ؅ཧͷͨΊ • ίϯςφʹೖͬͨͱ͖ͱ͔ • γϯϓϧʹ࢖͑ΔͷͰ͓ؾܰ UPVDIWBSSVOVUTOTUFTU VOTIBSFVUTSVOVUTOTUFTUIPTUOBNFUFTU

  19. Networkͷ࡞੒ • veth࡞ͬͯbridgeʹ઀ଓ • TenForwardࢯʹΑΔσϞ͕͋Γͦ͏ͳͷͰলུ • (ࢲ͸)৭ʑมߋ͢Δ͜ͱ͕ଟ͍ • Linux BridgeΛOpen

    vSwitchʹͨ͠Γ • ࣗ࡞ͷιϑτ΢ΣΞϧʔλʹ઀ଓͨ͠Γ • KVMͷVMͱ઀ଓͨ͠Γ • ෳ਺NIC + mptcp؀ڥ

  20. Networkͷ࡞੒ • Network͸ϙʔλϏϦςΟʹӨڹ͕ग़΍͍͢ • Ұ࣌ظdocker͕ؤுͬͯͨ • VXLANʹΑΔoverlay NetworkͳͲ • վળ͢΂͖Օॴ͕ͨ͘͞Μ͋Δ໘ന͍෼໺

    • ΦϑϩʔσΟϯά, SR-IOVͳͲߴ଎Խ • VXLANͳͲͷϓϩτίϧٕज़

  21. chroot؀ڥͷ࡞੒ • proc, sys, devͳͲΛmount͢Δ NPVOUUQSPDQSPDNOUUFTUQSPD NPVOUSCJOETZTNOUUFTUTZT NPVOUNBLFSTMBWFNOUUFTUTZT NPVOUSCJOEEFWNOUUFTUEFW NPVOUNBLFSTMBWFNOUUFTUEFW

    TZTUFNE؀ڥͰ͸CJOEϚ΢ϯτ͕4)"3&%ʹͳͬͨͷͰ STMBWF͓͔ͯ͠ͳ͍ͱVNPVOU3ͨ࣌͠ʹ͓͔͘͠ͳΔ

  22. ίϯςφ಺Ͱͷϓϩηεͷ࣮ߦ OTFOUFSOFUSVOOFUOTUFTUa VUTSVOVUTOTUFTUa DISPPUNOUUFTUa FUDJOJUEOHJOYTUBSU • nsenterΛ͔ͭͬͯnamespaceΛattach • ͦͷ্Ͱchroot͢Δ ಉ༷ʹTTIͳͲ΋ىಈ͢Δ

  23. ίϯςφ಺Ͱͷϓϩηεͷ࣮ߦ • chroot഑ԼͰ͸systemd͸ಈ࡞͠ͳ͍ͷͰ஫ҙ͕ඞཁ • chrootͷ୅ΘΓʹsystemd-nspawnΛ࢖ͬͯಈ͔͢ํ ๏΋͋Δ • ͦͷ৔߹ޙड़ͷPID namespaceΛ࢖͏͜ͱʹͳΔ

  24. PID namespace • PID෼཭͢Δͱੜ੒͞Εͨࢠϓϩηε͸ͦͷۭؒͰ͸init(PID=1) ͱͳΔ • init͕ࢮ͵ͱ൵͍͜͠ͱʹͳΔͷͰҡ࣋͢Δඞཁ͕͋Δ • ΑΓྑ͍initΛٻΊΔཱྀ͕࢝·Δ •

    docker 1.13Ͱ runʹ initΦϓγϣϯ͕෇͍ͯͦ͏ • ·ͨ/sbin/init Λ࣮ߦ͢Δɺ͠ͳ͍ͱ͍ͬͨબ୒ࢶ΋૿͑Δ • ࠓճͷ༻్Ͱ͸͍Βͳ͍ͷͰল͍ͨ • ࣮ࡍʹ͸ඞཁͱͳΔ͜ͱ͕ଟ͍ • ্هཧ༝Ͱؾܰʹ΍ΔͳΒল͘ͱָ

  25. PID namespaceΛར༻͠ͳ͍ͱ… • ps ݁Ռ͕෼཭͞Εͳ͍ • ίϯςφ಺ɺίϯςφ֎͔Βݟ์୊ • initʹͿΒԼ͕Δdaemon •

    UST, networkͷnamespace͸෼཭͞Ε͍ͯΔ • ϓϩηεੜ੒࣌ʹ෼཭͠ͳ͚Ε͹ܧঝ͞ΕΔ • ϓϩηεͷऴྃΛͲ͏͢Δ͔ • ss -N test01 -tlpͳͲͰLISTENΛ֬ೝ͢Δͱ෼཭͞Ε͍ͯ Δ͜ͱ͕Θ͔Δ

  26. ps ݁Ռ SPPUOHJOYNBTUFSQSPDFTTVTSTCJOOHJOY IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT SPPUOHJOYNBTUFSQSPDFTTVTSTCJOOHJOY IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT

    IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT

  27. ss݁Ռ TVEPTT/UFTUMUQ 4UBUF3FDW24FOE2ɹ-PDBM"EESFTT1PSUɹ1FFS"EESFTT1PSU -*45&/ɹ IUUQɹ  ɹVTFST OHJOY QJE GE

     -*45&/ɹIUUQɹ ɹVTFST OHJOY QJE GE  TVEPTT/UFTUMUQ 4UBUF3FDW24FOE2ɹ-PDBM"EESFTT1PSUɹ1FFS"EESFTT1PSU -*45&/ɹ IUUQɹ  ɹVTFST OHJOY QJE GE  -*45&/ɹIUUQɹ ɹVTFST OHJOY QJE GE

  28. curl DVSM UFTUDPOUBJOFSOHJOY DVSM UFTUDPOUBJOFSOHJOY

  29. SSH TTI DBUFUDEFCJBO@WFSTJPO  TTI DBUFUDEFCJBO@WFSTJPO TUSFUDITJE

  30. ·ͱΊΔͱ… • image಺ͷϥΠϒϥϦόʔδϣϯͰಈ࡞ • ίϯςφ಺Ͱෳ਺ͷΞϓϦέʔγϣϯΛىಈ • ҟͳΔIPΞυϨεͰ௨৴ • ؆୯ͳΞϓϦέʔγϣϯΛ࣮ߦ͢Δ͙Β͍͸Ͱ͖ͦ͏ •

    ൺֱతރΕ͍ͯΔ΋ͷ͔͠࢖͍ͬͯͳ͍ + γϯϓϧͳ ͷͰ҆ఆ͸͍ͯͦ͠͏

  31. ͍͚ͯͳ͍Օॴ • ͍͚ͯͳ͍Օॴͷطଘίϯςφٕज़Ͱͷղܾ๏ͱ
 ࣗ෼Ͱ࣮૷͢ΔࡍͷղܾํΛൺֱ͢Δͱָ͍͠ • image؅ཧ • Netoworkߏ੒ • PIDͷ؅ཧ,

    ϓϩηεͷॲཧํ๏ • Ϧιʔε੍ݶ • ηΩϡϦςΟ

  32. • imageͷ؅ཧػೳ • snapshot΍ɺόʔδϣχϯά͸? • imageͷҠಈ͸Ͳ͏͢Δ? • Networkߏ੒ • αϒωοτ΋ݻఆͰIP΋खಈͳͷͰҠಈ͸Ͳ͏͢Δʁɹ

    • ҟͳΔαϒωοτͱͷ௨৴͸? • PID෼཭ɺϓϩηεॲཧ • PID͸෼཭͢Δ or ͠ͳ͍? • ίϯςφ಺ͷinitͷॲཧ • γεςϜίϯςφ? ΞϓϦέʔγϣϯίϯςφ?

  33. ·ͱΊ • ίϯςφࣗ࡞͸ؾܰʹͰ͖Δ • Կ͕ίϯςφ͔ͱ͍͏࿩͸͋Δ͕ namespace͸ؾܰʹ࢖͑Δ • طଘίϯςφٕज़΁ͷཧղ͕ਂ·Δ • ͨΓͳ͍ͱ͜Ζ΋ݟ͑ͯ͘Δ

    • Ұճ͸৮͓ͬͯ͘ͱྑͦ͞͏