PFIセミナー資料 H27.10.22
•
0 likes•604 views
コマンドを叩いて遊ぶ コンテナ仮想、その裏側 youtube: https://youtu.be/DAaUWSwQSOw
Recommended
More Related Content
What's hot
What's hot (18)
Similar to PFIセミナー資料 H27.10.22
Similar to PFIセミナー資料 H27.10.22 (20)
Recently uploaded
Recently uploaded (20)
PFIセミナー資料 H27.10.22
- 2. ● ● ● ●
- 3. ● ● ● ✔ ● ✔ ● ✘ ● VM
- 4. ● ● ● ● Docker ● Go ● 1 1 ● LXC libcontainer ● ● root docker pull
- 5. ● CentOS/Rocket ● Docker ● ● systemd-nspawn ● systemd ● Rocket ● MINCS ● shell script ●
- 8. ● ● ● ● ● $ ll /proc/$$/ns 0 lrwxrwxrwx. 1 takei takei 0 10 17 20:57 ipc -> ipc:[4026531839] lrwxrwxrwx. 1 takei takei 0 10 17 20:57 mnt -> mnt:[4026531840] lrwxrwxrwx. 1 takei takei 0 10 17 20:57 net -> net:[4026531992] lrwxrwxrwx. 1 takei takei 0 10 17 20:57 pid -> pid:[4026531836]
- 9. ● ● $ readlink /proc/$$/ns/mnt # mount mnt:[4026531840] $ sudo unshare --mount /bin/bash # mount # readlink /proc/$$/ns/mnt # mount mnt:[4026532249] # mkdir mnt; mount -t tmpfs tmpfs mnt # mount # # exit
- 10. ● ● ● $ mkdir src dest src/{master,slave} # mount --bind src dest # src dest bind # mount --make-slave dest # master slave # mount -t tmpfs tmpfs src/master # (src) # mount -t tmpfs tmpfs dest/slave # (dest) $ mount tmpfs on /home/alice/src/master type tmpfs (rw,relatime,seclabel)
- 11. ● ● ● ● ● ● ● ●
- 12. ● ● $ sudo unshare --mount /bin/bash # mount # mkdir mnt # mount --make-private / # # mount -t tmpfs tmpfs mnt # mount --make-shared / # # mount # # exit $ mount #
- 13. ● ● ● ● ● ● ● ●
- 14. ● ● $ hostname ip-172-31-13-102.ap-northeast-1.compute.internal $ sudo unshare --uts # hostname wonderland # hostname wonderland # logout $ hostname ip-172-31-13-102.ap-northeast-1.compute.internal
- 15. ● ● ● $ sudo ip netns add test # test netns $ sudo ip netns list # test $ sudo ip netns exec test /bin/bash # test # readlink /proc/$$/ns/net # netns net:[4026532219] # ls -li /var/run/netns/test # /var/run/netns 4026532219 -r--r--r--. 1 root root 0 Oct 18 03:02 /run/netns/test # ip addr # lo
- 16. ● ● $ sudo ip link add name master type veth peer name slave # veth $ sudo ip addr # 6: slave: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000 link/ether 3a:64:e8:80:03:5f brd ff:ff:ff:ff:ff:ff 7: master: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000 link/ether 86:cf:cc:26:74:e4 brd ff:ff:ff:ff:ff:ff $ sudo ip link set slave netns test # netns test $ sudo ip addr # 7: master: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000 link/ether 86:cf:cc:26:74:e4 brd ff:ff:ff:ff:ff:ff $ sudo ip netns exec test ip addr 6: slave: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000 link/ether 3a:64:e8:80:03:5f brd ff:ff:ff:ff:ff:ff
- 17. ● eth (veth) ● 2. IP & $ sudo ip addr add 192.168.50.101/24 dev master # master IP $ sudo ip link set dev master up # $ sudo ip netns exec test /bin/bash # bash # ip addr add 192.168.50.102/24 dev slave # slave IP # ip link set dev slave up # # ping 192.168.50.101 -c1 # PING 192.168.50.101 (192.168.50.101) 56(84) bytes of data. 64 bytes from 192.168.50.101: icmp_seq=1 ttl=64 time=0.047 ms # exit $ ping 192.168.50.102 -c1
- 18. net - : veth ● eth (veth) ● 3. IP & $ sudo ip netns exec test /bin/bash # ip route add default via 192.168.50.101 dev slave # default gw # ip route default via 192.168.50.101 dev slave 192.168.50.0/24 dev slave proto kernel scope link src 192.168.50.102 # exit $ # IP $ sudo iptables -t nat -A POSTROUTING -s 192.168.50.0/24 -o eth0 -j MASQUERADE $ sudo ip netns exec test /bin/bash # ping 8.8.8.8 -c1 # PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data. 64 bytes from 8.8.8.8: icmp_seq=1 ttl=55 time=2.18 ms
- 20. ● ● ● ● ● ● mkdir new-root sudo yum -y --releasever=7Server --installroot=${PWD}/new-root install @Core @Base redhat-release-server vim-enhanced
- 21. ● ● ● ● ● $ sudo unshare -m -p -f /bin/bash # pid/mnt # mount --make-rprivate / # off # mount -o loop /root.img /mnt/new-root/ # root # cd /mnt/new-root/ # mkdir .old # root # pivot_root . .old # pivot!
- 22. ● ● ● ● ●
- 23. ● ● ● $ mkdir upper work # $ sudo mount -t overlay -o lowerdir=/,upperdir=upper,workdir=work overlayfs new-root $ touch /home/alice/file1 new-root/home/alice/file2 $ ls -l new-root/home/alice/file* # -rw-rw-r--. 1 alice alice 0 Oct 18 12:30 new-root/home/alice/file1 -rw-rw-r--. 1 alice alice 0 Oct 18 12:30 new-root/home/alice/file2 $ rm new-root/home/alice/file1 # $ ll upper/home/alice/file* # upper
- 24. ● ● ● ● ● ●
- 25. ● Docker ● 1. loop back dm-thin pool ● /var/lib/docker/devicemapper/devicemapper/{,meta}data $ sudo systemctl start docker # docker $ losetup # loop pool NAME SIZELIMIT OFFSET AUTOCLEAR RO BACK-FILE /dev/loop0 0 0 1 0 /var/lib/docker/devicemapper/devicemapper/data /dev/loop1 0 0 1 0 /var/lib/docker/devicemapper/devicemapper/metadata $ sudo ls -hl /var/lib/docker/devicemapper/devicemapper/ # 100G 2G ( ) total 4.5G -rw-------. 1 root root 100G Oct 19 04:54 data -rw-------. 1 root root 2.0G Oct 19 04:56 metadata
- 26. ● ● ● ● $ sudo du -h /var/lib/docker/devicemapper/devicemapper/data 4.4G/var/lib/docker/devicemapper/devicemapper/data $ sudo ls -lh /var/lib/docker/devicemapper/devicemapper/data -rw-------. 1 root root 100G Oct 19 04:54 /var/lib/docker/devicemapper/devicemapper/data $ fallocate -o 9223372036854775807 -l 1 huge # fallocate $ ls -lh huge; du -h huge # 8EB( )!! -rw-r--r--. 1 alice alice 8.0E Oct 19 05:10 huge
- 27. ● 2. ● 10G (RHEL7 default) $ docker run -d centos:centos7 /sbin/init # $ docker ps # ID CONTAINER ID IMAGE COMMAND ... b90ed5b981ae centos:centos7 "/sbin/init" ... $ lsblk # NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT xvda 202:0 0 30G 0 disk ─xvda1 202:1 0 1M 0 part └─xvda2 202:2 0 30G 0 part / loop0 7:0 0 100G 0 loop └─docker-202:2-62765-pool 253:0 0 100G 0 dm └─docker-202:2-62765-b90ed5b981ae9d06...ee67 253:1 0 10G 0 dm loop1 7:1 0 2G 0 loop
- 28. ● $ # id $ sudo jq . /var/lib/docker/repositories-devicemapper { "Repositories": { "test": { "latest": "a02698bf3...e5c42b" } }, "ConfirmDefPush": true } $ # dm-thin $ sudo jq . /var/lib/docker/devicemapper/metadata/a02698bf3...e5c42b { "device_id": 352, "size": 10737418240, "transaction_id": 582,
- 29. ● $ # device_id size $ sudo jq . /var/lib/docker/devicemapper/metadata/a02698bf...5c42b ... "device_id": 352, "size": 10737418240, ... $ # $ lsblk loop0 └─docker-202:2-62765-pool $ # dm $ sudo dmsetup create dockervol --table "0 $((10737418240 / 512)) thin /dev/mapper/docker-202:2-62765-pool 352" $ # dm $ ll /dev/mapper/dockervol lrwxrwxrwx. 1 root root 7 Oct 19 06:10 /dev/mapper/dockervol -> ../dm-3
- 30. ● ( ) docker 30 $ ll mnt/ # total 24 -rw-------. 1 root root 64 Aug 26 23:08 id drwx------. 2 root root 16384 Aug 26 22:58 lost+found $ ll mnt/rootfs/ # docker (OS) total 64 lrwxrwxrwx. 1 root root 7 Jun 18 08:34 bin -> usr/bin drwxr-xr-x. 3 root root 4096 Oct 18 12:56 boot : $ sudo cat mnt/id # id id f1b10cd842498c23d206ee0cbeaa9de8d2ae09ff3c7af2723a9e337a6965d639 $ docker history test:latest IMAGE CREATED CREATED BY ... a02698bf3120 17 hours ago /bin/sh -c yum install -y httpd a6673f7926d7 7 weeks ago /bin/sh -c #(nop) MAINTAINER TAKEI Yuya <take
- 31. ● ● ● ● ● ● ● ●
- 32. ● ● ● ● ● ● ● TenForward - MINCS (1) ● http://d.hatena.ne.jp/defiant/20150701/1435749116 ● ● ● ● ● ●