Upgrade to Pro — share decks privately, control downloads, hide ads and more …

chroot-network-uts-container

masayoshi
June 17, 2017
Technology
6
770

 chroot-network-uts-container

chroot ✕ netowork namespace ✕UTS namespace

masayoshi

June 17, 2017
Tweet

More Decks by masayoshi

See All by masayoshi
これからSREになる人と、これからもSREをやっていく人へ
masayoshi
6
4.2k
メトリクス、ログ、トレースをうまく使い分けて可観測性を高めよう!
masayoshi
9
9.6k
Developers Summit 2021 summer
masayoshi
15
29k
2021-06-cloud-native-reg-event
masayoshi
8
2.5k
SRE_Culture_Organization
masayoshi
17
10k
cloudnative-kansai-2019
masayoshi
1
680
ミドルウェア実行環境の多様化を考慮したインフラアーキテクチャの一検討/study on web system architecture #2
masayoshi
0
3.5k
Webサービスにおけるインフラアーキテクチャの体系化と選択自動化の研究/study on web system architecture #1
masayoshi
0
2.7k
はてなのインフラストラクチャ設計構想 / The Concept of Hatena Infrastructure
masayoshi
1
5.3k

Other Decks in Technology

See All in Technology
管理者しか知らないOutlookの裏側のAIを覗く#AzureTravelers
hirotomotaguchi
2
380
組織貢献をするフリーランスエンジニアという生き方
n_takehata
1
1.3k
抽象化をするということ - 具体と抽象の往復を身につける / Abstraction and concretization
soudai
16
3.6k
Data-centric AI入門第6章:Data-centric AIの実践例
x_ttyszk
1
400
Platform Engineeringは自由のめまい
nwiizo
4
2.1k
自動テストの世界に、この5年間で起きたこと
autifyhq
10
8.5k
個人開発から公式機能へ: PlaywrightとRailsをつなげた3年の軌跡
yusukeiwaki
11
3k
データの品質が低いと何が困るのか
kzykmyzw
6
1.1k
データ資産をシームレスに伝達するためのイベント駆動型アーキテクチャ
kakehashi
PRO
2
530
一度 Expo の採用を断念したけど、 再度 Expo の導入を検討している話
ichiki1023
1
170
AndroidデバイスにFTPサーバを建立する
e10dokup
0
250
Developers Summit 2025 浅野卓也(13-B-7 LegalOn Technologies)
legalontechnologies
PRO
0
710

Featured

See All Featured
Large-scale JavaScript Application Architecture
addyosmani
511
110k
Reflections from 52 weeks, 52 projects
jeffersonlam
348
20k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
233
17k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
[RailsConf 2023] Rails as a piece of cake
palkan
53
5.2k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
160
15k
BBQ
matthewcrist
87
9.5k
A designer walks into a library…
pauljervisheath
205
24k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
7
630
Product Roadmaps are Hard
iamctodd
PRO
50
11k

Transcript

  1. chrootͱnetwork namespace Ͱͭ͘Δ؆қίϯςφ ୈճίϯςφܕԾ૝Խͷ৘ใަ׵ձˏେࡕ

  2. ࣗݾ঺հ • id:masayoshi • ͸ͯͳˏژ౎ • WebΦϖϨʔγϣϯΤϯδχΞ • େֶ࣌୅͸SDNؔ࿈ͷݚڀ

  3. ࠓ೔࿩͢͜ͱ • ࣗ࡞ίϯςφͷϞνϕʔγϣϯ • chroot ✕ network namespace ✕ UTS

    namespace

  4. ࠓ೔࿩͢͜ͱ • TenForwardࢯͷৄࡉͳղઆͰجૅٕज़Λཧղ͠ɺ • ࢲͷࡶͳൃදͰίϯςφࣗ࡞ʹڵຯΛ࣋ͬͯ΋Β͍ɺ • udzuraࢯͷhaconiwaͰͥͻνϟϨϯδͯ͠ཉ͍͠

  5. ίϯςφࣗ࡞ͷϞνϕʔγϣϯ • Linuxίϯςφͷษڧ • جૅ෦෼ɺ࣮૷ʹΑΒͳ͍ڞ௨ٕज़ͷษڧ • طଘίϯςφٕज़ͷ࠶֬ೝ • ࡞ͬͯ࢖ͬͯΈΔͱҧ͍ͳͲ͕Α͘෼͔Δ •

    खݩͰͷωοτϫʔΫςετ؀ڥ • ࡉ͔͘มߋ͢ΔͷͰࣗ෼Ͱ৮Γ΍͍͢ํ͕ྑ͍

  6. chroot network namespace UTS namespace

  7. ͳΜͰ͜ͷ3ͭ? • ߹Θͤͯ࢖͏ͱγϯϓϧ͕ͩҙ֎ͱ͓΋͠Ζ͍෺͕ಈ͔ͤΔ • ֶੜͷͱ͖ݚڀͰnetwork nsΛΑ͘࢖͍ͬͯͨ • ωοτϫʔΫͰ༡Ϳͱ͖͸͜ͷߏ੒Λ࢖͍ͬͯΔ • chroot

    namespaceͷҰ෦ͷΈͷ૊Έ߹Θͤ͸ଟ͘ͳͦ͞͏ • 1ͭ1ͭ΍શͯΛ૊Έ߹Θ࣮ͤͨ૷ྫ͸৭ʑ͋Δ

  8. ͜ͷ3ͭͰ΋໘ന͍͜ͱ͕ग़དྷΔ • chroot • docker exportͳͲͷల։͞ΕͨΠϝʔδͷ࣮ߦ • network namespace •

    ಛఆͷIPΞυϨε + ϙʔτͰͷLISTEN • UTS namespace • ؅ཧ্ͷརศੑ

  9. ྫ͑͹ • apache + mackerel-agent + ssh ͳίϯςφ • Webαʔό

    • ؂ࢹ༻ΤʔδΣϯτͱssh͕ಈ࡞ • ΞϓϦέʔγϣϯ + ؂ࢹ + ؅ཧ • ಉҰͷ෺ཧαʔόͰ্هͷίϯςφΛෳ਺ىಈՄೳ • network͸Linux BridgeͰϒϦοδ઀ଓ

  10. #SJEHF ϗετ໊UFTU ϗετ໊UFTU FUI IUUQE    TTI 

    IUUQE  TTI   WBSDPOUBJOFSUFTU WBSDPOUBJOFSUFTU NBDLFSFMBHFOU NBDLFSFMBHFOU

  11. UPVDIWBSSVOVUTOTUFTU VOTIBSFVUTSVOVUTOTUFTUIPTUOBNFUFTU JQOFUOTBEEUFTU JQMJOLBEEOBNFUFTUCSUZQFWFUIQFFSOBNFUFTUDU CSDUMBEEJGCSUFTUCS JQMJOLTFUUFTUDUOFUOTUFTU JQOFUOTFYFDUFTUJQBEESBEEEFWUFTUDU JQOFUOTFYFDUFTUJQMJOLTFUMPVQ JQOFUOTFYFDUFTUJQMJOLTFUUFTUDUVQ JQMJOLTFUUFTUCSVQ

    JQOFUOTFYFDUFTUJQSPVUFBEEEFGBVMUWJB NPVOUUQSPDQSPDNOUUFTUQSPD NPVOUSCJOETZTNOUUFTUTZT NPVOUNBLFSTMBWFNOUUFTUTZT NPVOUSCJOEEFWNOUUFTUEFW NPVOUNBLFSTMBWFNOUUFTUEFW

  12. UPVDIWBSSVOVUTOTUFTU VOTIBSFVUTSVOVUTOTUFTUIPTUOBNFUFTU JQOFUOTBEEUFTU JQMJOLBEEOBNFUFTUCSUZQFWFUIQFFSOBNFUFTUDU CSDUMBEEJGCSUFTUCS JQMJOLTFUUFTUDUOFUOTUFTU JQOFUOTFYFDUFTUJQBEESBEEEFWUFTUDU JQOFUOTFYFDUFTUJQMJOLTFUMPVQ JQOFUOTFYFDUFTUJQMJOLTFUUFTUDUVQ JQMJOLTFUUFTUCSVQ

    JQOFUOTFYFDUFTUJQSPVUFBEEEFGBVMUWJB NPVOUUQSPDQSPDNOUUFTUQSPD NPVOUSCJOETZTNOUUFTUTZT NPVOUNBLFSTMBWFNOUUFTUTZT NPVOUSCJOEEFWNOUUFTUEFW NPVOUNBLFSTMBWFNOUUFTUEFW 654 OFUXPSL DISPPU

  13. UPVDIWBSSVOVUTOTUFTU VOTIBSFVUTSVOVUTOTUFTUIPTUOBNFUFTU JQOFUOTBEEUFTU JQMJOLBEEOBNFUFTUCSUZQFWFUIQFFSOBNFUFTUDU CSDUMBEEJGCSUFTUCS JQMJOLTFUUFTUDUOFUOTUFTU JQOFUOTFYFDUFTUJQBEESBEEEFWUFTUDU JQOFUOTFYFDUFTUJQMJOLTFUMPVQ JQOFUOTFYFDUFTUJQMJOLTFUUFTUDUVQ JQMJOLTFUUFTUCSVQ

    JQOFUOTFYFDUFTUJQSPVUFEEEFGBVMUWJB NPVOUUQSPDQSPDNOUUFTUQSPD NPVOUSCJOETZTNOUUFTUTZT NPVOUNBLFSTMBWFNOUUFTUTZT NPVOUSCJOEEFWNOUUFTUEFW NPVOUNBLFSTMBWFNOUUFTUEFW ίϯςφ࡞੒ʹίϚϯυ JNBHFͷ࡞੒͸আ͘

  14. σϞ͠ͳ͕Βݟ͍ͯ͘

  15. imageͷ࡞੒ • dockerͳΒdocker export Ͱ • build, ship͸dockerͰ΍Δͱָͦ͏ • ࠓճ͸run෦෼Ͱ༡Ϳ

    • dockerͳ͠ͳΒdebootstrapͳͲ • ࠓճ͸debootstrapͰ࡞੒ͨ͠΍ͭΛར༻

  16. namespaceͷӬଓԽ MSXYSXYSXYSPPUSPPU݄JQDJQD<> MSXYSXYSXYSPPUSPPU݄NOUNOU<> MSXYSXYSXYSPPUSPPU݄OFUOFU<> MSXYSXYSXYSPPUSPPU݄QJEQJE<> MSXYSXYSXYSPPUSPPU݄VUTVUT<> • /proc/[PID]/ns ഑Լʹ͋ΔಛघϑΝΠϧ QSPD<1*%>͸ϓϩηε͕ফ͑Δͱͳ͘ͳΔͷͰӬଓԽ͕ඞཁ

  17. namespaceͷӬଓԽ • bindϚ΢ϯτΛ͔ͭͬͯӬଓԽ͢Δ NPVOUCJOESVOVUTOTSVOVUTOT NPVOUNBLFTIBSFESVOVUTOT VOTIBSFVNPVOUCJOEQSPDTFMGOTVUTSVOVUTOT UFTU VOTIBSFVUTSVOVUTOTUFTU • ࠷ۙͷunshareίϚϯυ͸ӬଓԽָ͕

  18. UTS namespace • ओʹ؅ཧͷͨΊ • ίϯςφʹೖͬͨͱ͖ͱ͔ • γϯϓϧʹ࢖͑ΔͷͰ͓ؾܰ UPVDIWBSSVOVUTOTUFTU VOTIBSFVUTSVOVUTOTUFTUIPTUOBNFUFTU

  19. Networkͷ࡞੒ • veth࡞ͬͯbridgeʹ઀ଓ • TenForwardࢯʹΑΔσϞ͕͋Γͦ͏ͳͷͰলུ • (ࢲ͸)৭ʑมߋ͢Δ͜ͱ͕ଟ͍ • Linux BridgeΛOpen

    vSwitchʹͨ͠Γ • ࣗ࡞ͷιϑτ΢ΣΞϧʔλʹ઀ଓͨ͠Γ • KVMͷVMͱ઀ଓͨ͠Γ • ෳ਺NIC + mptcp؀ڥ

  20. Networkͷ࡞੒ • Network͸ϙʔλϏϦςΟʹӨڹ͕ग़΍͍͢ • Ұ࣌ظdocker͕ؤுͬͯͨ • VXLANʹΑΔoverlay NetworkͳͲ • վળ͢΂͖Օॴ͕ͨ͘͞Μ͋Δ໘ന͍෼໺

    • ΦϑϩʔσΟϯά, SR-IOVͳͲߴ଎Խ • VXLANͳͲͷϓϩτίϧٕज़

  21. chroot؀ڥͷ࡞੒ • proc, sys, devͳͲΛmount͢Δ NPVOUUQSPDQSPDNOUUFTUQSPD NPVOUSCJOETZTNOUUFTUTZT NPVOUNBLFSTMBWFNOUUFTUTZT NPVOUSCJOEEFWNOUUFTUEFW NPVOUNBLFSTMBWFNOUUFTUEFW

    TZTUFNE؀ڥͰ͸CJOEϚ΢ϯτ͕4)"3&%ʹͳͬͨͷͰ STMBWF͓͔ͯ͠ͳ͍ͱVNPVOU3ͨ࣌͠ʹ͓͔͘͠ͳΔ

  22. ίϯςφ಺Ͱͷϓϩηεͷ࣮ߦ OTFOUFSOFUSVOOFUOTUFTUa VUTSVOVUTOTUFTUa DISPPUNOUUFTUa FUDJOJUEOHJOYTUBSU • nsenterΛ͔ͭͬͯnamespaceΛattach • ͦͷ্Ͱchroot͢Δ ಉ༷ʹTTIͳͲ΋ىಈ͢Δ

  23. ίϯςφ಺Ͱͷϓϩηεͷ࣮ߦ • chroot഑ԼͰ͸systemd͸ಈ࡞͠ͳ͍ͷͰ஫ҙ͕ඞཁ • chrootͷ୅ΘΓʹsystemd-nspawnΛ࢖ͬͯಈ͔͢ํ ๏΋͋Δ • ͦͷ৔߹ޙड़ͷPID namespaceΛ࢖͏͜ͱʹͳΔ

  24. PID namespace • PID෼཭͢Δͱੜ੒͞Εͨࢠϓϩηε͸ͦͷۭؒͰ͸init(PID=1) ͱͳΔ • init͕ࢮ͵ͱ൵͍͜͠ͱʹͳΔͷͰҡ࣋͢Δඞཁ͕͋Δ • ΑΓྑ͍initΛٻΊΔཱྀ͕࢝·Δ •

    docker 1.13Ͱ runʹ initΦϓγϣϯ͕෇͍ͯͦ͏ • ·ͨ/sbin/init Λ࣮ߦ͢Δɺ͠ͳ͍ͱ͍ͬͨબ୒ࢶ΋૿͑Δ • ࠓճͷ༻్Ͱ͸͍Βͳ͍ͷͰল͍ͨ • ࣮ࡍʹ͸ඞཁͱͳΔ͜ͱ͕ଟ͍ • ্هཧ༝Ͱؾܰʹ΍ΔͳΒল͘ͱָ

  25. PID namespaceΛར༻͠ͳ͍ͱ… • ps ݁Ռ͕෼཭͞Εͳ͍ • ίϯςφ಺ɺίϯςφ֎͔Βݟ์୊ • initʹͿΒԼ͕Δdaemon •

    UST, networkͷnamespace͸෼཭͞Ε͍ͯΔ • ϓϩηεੜ੒࣌ʹ෼཭͠ͳ͚Ε͹ܧঝ͞ΕΔ • ϓϩηεͷऴྃΛͲ͏͢Δ͔ • ss -N test01 -tlpͳͲͰLISTENΛ֬ೝ͢Δͱ෼཭͞Ε͍ͯ Δ͜ͱ͕Θ͔Δ

  26. ps ݁Ռ SPPUOHJOYNBTUFSQSPDFTTVTSTCJOOHJOY IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT SPPUOHJOYNBTUFSQSPDFTTVTSTCJOOHJOY IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT

    IUUQa@OHJOYXPSLFSQSPDFTT IUUQa@OHJOYXPSLFSQSPDFTT

  27. ss݁Ռ TVEPTT/UFTUMUQ 4UBUF3FDW24FOE2ɹ-PDBM"EESFTT1PSUɹ1FFS"EESFTT1PSU -*45&/ɹ IUUQɹ  ɹVTFST OHJOY QJE GE

     -*45&/ɹIUUQɹ ɹVTFST OHJOY QJE GE  TVEPTT/UFTUMUQ 4UBUF3FDW24FOE2ɹ-PDBM"EESFTT1PSUɹ1FFS"EESFTT1PSU -*45&/ɹ IUUQɹ  ɹVTFST OHJOY QJE GE  -*45&/ɹIUUQɹ ɹVTFST OHJOY QJE GE

  28. curl DVSM UFTUDPOUBJOFSOHJOY DVSM UFTUDPOUBJOFSOHJOY

  29. SSH TTI DBUFUDEFCJBO@WFSTJPO  TTI DBUFUDEFCJBO@WFSTJPO TUSFUDITJE

  30. ·ͱΊΔͱ… • image಺ͷϥΠϒϥϦόʔδϣϯͰಈ࡞ • ίϯςφ಺Ͱෳ਺ͷΞϓϦέʔγϣϯΛىಈ • ҟͳΔIPΞυϨεͰ௨৴ • ؆୯ͳΞϓϦέʔγϣϯΛ࣮ߦ͢Δ͙Β͍͸Ͱ͖ͦ͏ •

    ൺֱతރΕ͍ͯΔ΋ͷ͔͠࢖͍ͬͯͳ͍ + γϯϓϧͳ ͷͰ҆ఆ͸͍ͯͦ͠͏

  31. ͍͚ͯͳ͍Օॴ • ͍͚ͯͳ͍Օॴͷطଘίϯςφٕज़Ͱͷղܾ๏ͱ
 ࣗ෼Ͱ࣮૷͢ΔࡍͷղܾํΛൺֱ͢Δͱָ͍͠ • image؅ཧ • Netoworkߏ੒ • PIDͷ؅ཧ,

    ϓϩηεͷॲཧํ๏ • Ϧιʔε੍ݶ • ηΩϡϦςΟ

  32. • imageͷ؅ཧػೳ • snapshot΍ɺόʔδϣχϯά͸? • imageͷҠಈ͸Ͳ͏͢Δ? • Networkߏ੒ • αϒωοτ΋ݻఆͰIP΋खಈͳͷͰҠಈ͸Ͳ͏͢Δʁɹ

    • ҟͳΔαϒωοτͱͷ௨৴͸? • PID෼཭ɺϓϩηεॲཧ • PID͸෼཭͢Δ or ͠ͳ͍? • ίϯςφ಺ͷinitͷॲཧ • γεςϜίϯςφ? ΞϓϦέʔγϣϯίϯςφ?

  33. ·ͱΊ • ίϯςφࣗ࡞͸ؾܰʹͰ͖Δ • Կ͕ίϯςφ͔ͱ͍͏࿩͸͋Δ͕ namespace͸ؾܰʹ࢖͑Δ • طଘίϯςφٕज़΁ͷཧղ͕ਂ·Δ • ͨΓͳ͍ͱ͜Ζ΋ݟ͑ͯ͘Δ

    • Ұճ͸৮͓ͬͯ͘ͱྑͦ͞͏