Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
gVisorで実現するこれからのコンテナセキュリティ
Search
moricho
June 13, 2020
Technology
6
5k
gVisorで実現するこれからのコンテナセキュリティ
moricho
June 13, 2020
Tweet
Share
More Decks by moricho
See All by moricho
Enhance Kubernetes Security with Gatekeeper
moricho
3
1k
Deep Dive into Runtime Shim
moricho
3
2.1k
Recap: Zero Trust Service Mesh with Calico, SPIRE, and Envoy
moricho
1
1.1k
Deep dive into sync.Pool
moricho
2
1.2k
Write Kubernetes CustomController in Go
moricho
1
200
Other Decks in Technology
See All in Technology
Infrastructure as Prompt実装記 〜Bedrock AgentCoreで作る自然言語インフラエージェント〜
yusukeshimizu
1
160
AI関数が早くなったので試してみよう
kumakura
0
330
プロジェクトマネジメントは不確実性との対話だ
hisashiwatanabe
0
130
Segment Anything Modelの最新動向:SAM2とその発展系
tenten0727
0
920
GCASアップデート(202506-202508)
techniczna
0
180
LTに影響を受けてテンプレリポジトリを作った話
hol1kgmg
0
380
Delegate authentication and a lot more to Keycloak with OpenID Connect
ahus1
0
240
[OCI Technical Deep Dive] OracleのAI戦略(2025年8月5日開催)
oracle4engineer
PRO
1
230
プロダクトエンジニアリングで開発の楽しさを拡張する話
barometrica
0
210
GISエンジニアよ 現場に行け!
sudataka
1
140
Jamf Connect ZTNAとMDMで実現! 金融ベンチャーにおける「デバイストラスト」実例と軌跡 / Kyash Device Trust
rela1470
1
210
「Roblox」の開発環境とその効率化 ~DAU9700万人超の巨大プラットフォームの開発 事始め~
keitatanji
0
140
Featured
See All Featured
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
10
1k
Speed Design
sergeychernyshev
32
1.1k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
48
9.6k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
131
19k
Building Flexible Design Systems
yeseniaperezcruz
328
39k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
How to Think Like a Performance Engineer
csswizardry
25
1.8k
Building an army of robots
kneath
306
45k
Mobile First: as difficult as doing things right
swwweet
223
9.9k
Imperfection Machines: The Place of Print at Facebook
scottboms
268
13k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
333
22k
Transcript
gVisorͰ࣮ݱ͢Δ ͜Ε͔Βͷ ίϯςφηΩϡϦςΟ Morito Ikeda | 13 June 2020
ABOUT ME ా ਓ(@_moricho_) - Go, Kubernetes, Rust, … -
gVisorFirecrackerͳͲOSSͷί ϯτϦϏϡʔτ - GoʹΑΔίϯςφϥϯλΠϜࣗ࡞ͷ ిࢠॻ੶ΛΠϯϓϨε͞Μ͔Βग़൛ ༧ఆͰ͢
gVisorͷ֓ཁ: ɾϢʔβʔϥϯυʹΧʔωϧΛ࠶࣮ ɾGoogle͕ओಋ ɾίϯςφϥϯλΠϜ(runsc) + ηΩϡΞͳSandboxڥ
gVisorͷ֓ཁ: ɾ࣮CloudFunctionGAEgVisor͕ϕʔε ɾGKEͰSandboxػೳ͕GA, gVisorΛ༻Մೳ
ͳͥgVisor͕ඞཁͳͷ͔ʁ
ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝ᶃ: ɾίϯςφ/ϗετؒͷ͕͍ — ੬ऑੑʹΑΓݖݶ͕ୣऔ͞ΕΔͱɺ ϗετଞίϯςφʹӨڹ — ֤ίϯςφϗετͷσόΠεͱΧʔωϧΛڞ༗
ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝ᶄ: ɾࡉ͔͍ϙϦγʔઃఆ/ΞΫηε੍ޚ͕େม — ಉҰΫϥελʹෳͷηΩϡϦςΟϨϕϧͷMicroservice Ϛϧνςφϯτͳέʔε૿͍͑ͯΔ — PodSecurityPolicyRBACʹΑΔࡉ੍͔͍ޚ — AppArmorSELinuxͳͲͷηΩϡϦςΟ Ϟδϡʔϧ
ͦ͜ͰgVisorʂ
ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝ᶃ: ɾίϯςφ/ϗετؒͷ͕͍
ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝ᶃ: ɾίϯςφ/ϗετؒͷ͕͍ => ϢʔβʔϥϯυΧʔωϧΛט·ͤΔ ɾϢʔβʔۭؒʹΧʔωϧΛ࠶࣮ ɾϗετͱίϯςφͷΛߴΊΔ ɾةݥͳγεςϜίʔϧͷfilterͳͲ
ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝ᶄ: ɾࡉ͔͍ϙϦγʔઃఆ/ΞΫηε੍ޚ͕େม
ैདྷͷίϯςφͷηΩϡϦςΟ໘Ͱͷ՝ᶄ: ɾࡉ͔͍ϙϦγʔઃఆ/ΞΫηε੍ޚ͕େม => gVisorଆͰٵऩ ɾSentry: ϢʔβϥϯυΧʔωϧ - Podʹ͝ͱʹੜ - syscallͷϋϯυϧ
ɾGofer: disk I/O Λϋϯυϧ - memoryCPUͷཧ - Sentryͱ9P protocolͰ௨৴
·ͱΊ: ɾैདྷΑΓϗετ/ΞϓϦέʔγϣϯؒͷUP ɾNo Configuration(σϑΥϧτ)ͰηΩϡΞʹ ɾGCPͷ༷ʑͳͱ͜ΖͰ༻͞Ε͍ͯΔ ͥͻgVisorͷϒϩάιʔείʔυΛ͍ͯΈ͍ͯͩ͘͞ ɾ·ͨػձ͕͋ΕΑΓਂ͍෦Λ͍ͨ͠
ࢀߟ: ɾʮ·ͱΊͯɺ·ΔΘ͔ΓɺGoogle Cloud Ͱ࣮ݱ͢Δ ɹɹΞϓϦέʔγϣϯ ϞμφΠθʔγϣϯʯ https://www.youtube.com/watch?v=-uWe4r8k4l4
ࢀߟ: ɾgVisor Security Basics - Part 1 ɾContainer Isolation at
Scale (... and introducing gVisor) https://gvisor.dev/blog/2019/11/18/gvisor-security-basics-part-1/ https://schd.ws/hosted_files/kccnceu18/47/Container%20Isolation%20at%20Scale.pdf ɾgVisor in depth https://blog.loof.fr/2018/06/gvisor-in-depth.html