
PFI Seminar Materials, H27.10.22 (22 October 2015)


Playing with the commands: container virtualization, behind the scenes
youtube: https://youtu.be/DAaUWSwQSOw

Published in: Technology


Slide 2. VM (✔ ✔ ✘)

Slide 3. Docker, Go, LXC, libcontainer, root, docker pull

Slide 4. CentOS/Rocket, Docker, systemd-nspawn, systemd, Rocket, MINCS, shell script
Slide 7. Namespaces of the current shell

    $ ll /proc/$$/ns
    lrwxrwxrwx. 1 takei takei 0 10 17 20:57 ipc -> ipc:[4026531839]
    lrwxrwxrwx. 1 takei takei 0 10 17 20:57 mnt -> mnt:[4026531840]
    lrwxrwxrwx. 1 takei takei 0 10 17 20:57 net -> net:[4026531992]
    lrwxrwxrwx. 1 takei takei 0 10 17 20:57 pid -> pid:[4026531836]

Slide 8. Mount namespace

    $ readlink /proc/$$/ns/mnt
    mnt:[4026531840]
    $ sudo unshare --mount /bin/bash
    # readlink /proc/$$/ns/mnt
    mnt:[4026532249]
    # mkdir mnt; mount -t tmpfs tmpfs mnt
    # mount
    # exit

Slide 9. Mount propagation (master / slave)

    $ mkdir src dest src/{master,slave}
    # mount --bind src dest             # src dest bind
    # mount --make-slave dest           # master slave
    # mount -t tmpfs tmpfs src/master   # (src)
    # mount -t tmpfs tmpfs dest/slave   # (dest)
    $ mount
    tmpfs on /home/alice/src/master type tmpfs (rw,relatime,seclabel)
Slide 11. Private and shared root mount inside a mount namespace

    $ sudo unshare --mount /bin/bash
    # mkdir mnt
    # mount --make-private /
    # mount -t tmpfs tmpfs mnt
    # mount --make-shared /
    # mount
    # exit
    $ mount

Slide 13. UTS namespace

    $ hostname
    ip-172-31-13-102.ap-northeast-1.compute.internal
    $ sudo unshare --uts
    # hostname wonderland
    # hostname
    wonderland
    # logout
    $ hostname
    ip-172-31-13-102.ap-northeast-1.compute.internal
Slide 14. Network namespace

    $ sudo ip netns add test        # test netns
    $ sudo ip netns list
    test
    $ sudo ip netns exec test /bin/bash
    # readlink /proc/$$/ns/net      # netns
    net:[4026532219]
    # ls -li /var/run/netns/test    # /var/run/netns
    4026532219 -r--r--r--. 1 root root 0 Oct 18 03:02 /run/netns/test
    # ip addr                       # lo

Slide 15. veth pair

    $ sudo ip link add name master type veth peer name slave   # veth
    $ sudo ip addr
    6: slave: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
        link/ether 3a:64:e8:80:03:5f brd ff:ff:ff:ff:ff:ff
    7: master: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
        link/ether 86:cf:cc:26:74:e4 brd ff:ff:ff:ff:ff:ff
    $ sudo ip link set slave netns test   # netns test
    $ sudo ip addr
    7: master: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
        link/ether 86:cf:cc:26:74:e4 brd ff:ff:ff:ff:ff:ff
    $ sudo ip netns exec test ip addr
    6: slave: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
        link/ether 3a:64:e8:80:03:5f brd ff:ff:ff:ff:ff:ff

Slide 16. eth (veth) / 2. IP &

    $ sudo ip addr add 192.168.50.101/24 dev master   # master IP
    $ sudo ip link set dev master up
    $ sudo ip netns exec test /bin/bash               # bash
    # ip addr add 192.168.50.102/24 dev slave         # slave IP
    # ip link set dev slave up
    # ping 192.168.50.101 -c1
    PING 192.168.50.101 (192.168.50.101) 56(84) bytes of data.
    64 bytes from 192.168.50.101: icmp_seq=1 ttl=64 time=0.047 ms
    # exit
    $ ping 192.168.50.102 -c1

Slide 17. net - : veth / eth (veth) / 3. IP &

    $ sudo ip netns exec test /bin/bash
    # ip route add default via 192.168.50.101 dev slave   # default gw
    # ip route
    default via 192.168.50.101 dev slave
    192.168.50.0/24 dev slave proto kernel scope link src 192.168.50.102
    # exit
    $ # IP
    $ sudo iptables -t nat -A POSTROUTING -s 192.168.50.0/24 -o eth0 -j MASQUERADE
    $ sudo ip netns exec test /bin/bash
    # ping 8.8.8.8 -c1
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=55 time=2.18 ms
Slide 19. Building a root filesystem with yum

    mkdir new-root
    sudo yum -y --releasever=7Server --installroot=${PWD}/new-root install @Core @Base redhat-release-server vim-enhanced

Slide 20. pivot_root

    $ sudo unshare -m -p -f /bin/bash            # pid/mnt
    # mount --make-rprivate /                    # off
    # mount -o loop /root.img /mnt/new-root/     # root
    # cd /mnt/new-root/
    # mkdir .old                                 # root
    # pivot_root . .old                          # pivot!

Slide 22. overlayfs

    $ mkdir upper work
    $ sudo mount -t overlay -o lowerdir=/,upperdir=upper,workdir=work overlayfs new-root
    $ touch /home/alice/file1 new-root/home/alice/file2
    $ ls -l new-root/home/alice/file*
    -rw-rw-r--. 1 alice alice 0 Oct 18 12:30 new-root/home/alice/file1
    -rw-rw-r--. 1 alice alice 0 Oct 18 12:30 new-root/home/alice/file2
    $ rm new-root/home/alice/file1
    $ ll upper/home/alice/file*   # upper
Slide 24. Docker / 1. loop back dm-thin pool / /var/lib/docker/devicemapper/devicemapper/{,meta}data

    $ sudo systemctl start docker   # docker
    $ losetup                       # loop pool
    NAME       SIZELIMIT OFFSET AUTOCLEAR RO BACK-FILE
    /dev/loop0         0      0         1  0 /var/lib/docker/devicemapper/devicemapper/data
    /dev/loop1         0      0         1  0 /var/lib/docker/devicemapper/devicemapper/metadata
    $ sudo ls -hl /var/lib/docker/devicemapper/devicemapper/   # 100G 2G
    total 4.5G
    -rw-------. 1 root root 100G Oct 19 04:54 data
    -rw-------. 1 root root 2.0G Oct 19 04:56 metadata

Slide 25. Sparse files

    $ sudo du -h /var/lib/docker/devicemapper/devicemapper/data
    4.4G    /var/lib/docker/devicemapper/devicemapper/data
    $ sudo ls -lh /var/lib/docker/devicemapper/devicemapper/data
    -rw-------. 1 root root 100G Oct 19 04:54 /var/lib/docker/devicemapper/devicemapper/data
    $ fallocate -o 9223372036854775807 -l 1 huge   # fallocate
    $ ls -lh huge; du -h huge                      # 8EB!!
    -rw-r--r--. 1 alice alice 8.0E Oct 19 05:10 huge

Slide 26. 2. 10G (RHEL7 default)

    $ docker run -d centos:centos7 /sbin/init
    $ docker ps   # ID
    CONTAINER ID   IMAGE            COMMAND        ...
    b90ed5b981ae   centos:centos7   "/sbin/init"   ...
    $ lsblk
    NAME                                             MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
    xvda                                             202:0    0   30G  0 disk
    ├─xvda1                                          202:1    0    1M  0 part
    └─xvda2                                          202:2    0   30G  0 part /
    loop0                                            7:0      0  100G  0 loop
    └─docker-202:2-62765-pool                        253:0    0  100G  0 dm
      └─docker-202:2-62765-b90ed5b981ae9d06...ee67   253:1    0   10G  0 dm
    loop1                                            7:1      0    2G  0 loop

Slide 27. Image id and dm-thin metadata

    $ # id
    $ sudo jq . /var/lib/docker/repositories-devicemapper
    {
      "Repositories": {
        "test": {
          "latest": "a02698bf3...e5c42b"
        }
      },
      "ConfirmDefPush": true
    }
    $ # dm-thin
    $ sudo jq . /var/lib/docker/devicemapper/metadata/a02698bf3...e5c42b
    {
      "device_id": 352,
      "size": 10737418240,
      "transaction_id": 582,

Slide 28. Creating a dm device from the thin pool

    $ # device_id size
    $ sudo jq . /var/lib/docker/devicemapper/metadata/a02698bf...5c42b
    ...
      "device_id": 352,
      "size": 10737418240,
    ...
    $ lsblk
    loop0
    └─docker-202:2-62765-pool
    $ # dm
    $ sudo dmsetup create dockervol --table "0 $((10737418240 / 512)) thin /dev/mapper/docker-202:2-62765-pool 352"
    $ # dm
    $ ll /dev/mapper/dockervol
    lrwxrwxrwx. 1 root root 7 Oct 19 06:10 /dev/mapper/dockervol -> ../dm-3

Slide 29. docker 30

    $ ll mnt/
    total 24
    -rw-------. 1 root root    64 Aug 26 23:08 id
    drwx------. 2 root root 16384 Aug 26 22:58 lost+found
    $ ll mnt/rootfs/   # docker (OS)
    total 64
    lrwxrwxrwx. 1 root root    7 Jun 18 08:34 bin -> usr/bin
    drwxr-xr-x. 3 root root 4096 Oct 18 12:56 boot
    :
    $ sudo cat mnt/id   # id
    f1b10cd842498c23d206ee0cbeaa9de8d2ae09ff3c7af2723a9e337a6965d639
    $ docker history test:latest
    IMAGE          CREATED        CREATED BY                                       ...
    a02698bf3120   17 hours ago   /bin/sh -c yum install -y httpd
    a6673f7926d7   7 weeks ago    /bin/sh -c #(nop) MAINTAINER TAKEI Yuya <take
Slide 31. References

    TenForward - MINCS (1): http://d.hatena.ne.jp/defiant/20150701/1435749116
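Slides 9 and 11 set propagation with `mount --make-slave`, `--make-private` and `--make-shared`, and slide 20 runs `mount --make-rprivate /` before `pivot_root`. When auditing a container (or a shell started with `unshare --mount`), it is more reliable to read the propagation state back from `/proc/<pid>/mountinfo` than to assume those commands were run. The script below is an added example and is not code from the deck, from Docker, or from MINCS: it parses mountinfo-format lines, where the optional fields between the options column and the ` - ` separator carry `shared:N`, `master:N` or `unbindable`, and a mount with none of them is private. The sample lines are constructed to mirror the src/dest layout of slide 9, and the function names `optional_fields`, `propagation_of` and `list_shared` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the deck): read mount propagation state back from
# /proc/<pid>/mountinfo lines.  Field order in that file is
#   id parent major:minor root mountpoint options [optional fields] - fstype source superopts
# and the optional fields encode propagation:
#   shared:N     member of peer group N (mount events flow both ways)
#   master:N     slave of peer group N (events flow in only)
#   unbindable   cannot be bind-mounted
# No optional field at all means the mount is private.

# Constructed sample (hypothetical values) in the layout of slide 9:
# / is shared, src/master is a tmpfs in its own shared peer group, dest is a
# slave bind of src, /mnt is private and /run/netns is unbindable.
SAMPLE_MOUNTINFO='22 1 202:2 / / rw,relatime shared:1 - ext4 /dev/xvda2 rw,seclabel
40 22 0:34 / /home/alice/src/master rw,relatime shared:15 - tmpfs tmpfs rw,seclabel
41 22 202:2 /home/alice/src /home/alice/dest rw,relatime master:1 - ext4 /dev/xvda2 rw,seclabel
50 22 0:40 / /mnt rw,relatime - tmpfs tmpfs rw
51 22 0:41 / /run/netns rw,nosuid unbindable - tmpfs tmpfs rw'

# optional_fields REST: given the text after the options column, print the
# optional fields (everything before " - "), or an empty line if there are none.
optional_fields() {
    rest=$1
    case $rest in
        "- "*) printf '\n' ;;                     # separator comes first: no optional fields
        *)     printf '%s\n' "${rest%% - *}" ;;
    esac
}

# propagation_of MOUNTPOINT: read mountinfo lines on stdin and print one of
# private | shared | slave | shared-slave | unbindable for that mount point.
# Prints nothing and returns 1 if the mount point is not present.
propagation_of() {
    target=$1
    while read -r _id _parent _dev _root mnt _opts rest; do
        [ "$mnt" = "$target" ] || continue
        shared=0; slave=0; unbindable=0
        for f in $(optional_fields "$rest"); do
            case $f in
                shared:*)   shared=1 ;;
                master:*)   slave=1 ;;
                unbindable) unbindable=1 ;;
            esac
        done
        if [ "$unbindable" = 1 ]; then echo unbindable
        elif [ "$shared" = 1 ] && [ "$slave" = 1 ]; then echo shared-slave
        elif [ "$shared" = 1 ]; then echo shared
        elif [ "$slave" = 1 ]; then echo slave
        else echo private
        fi
        return 0
    done
    return 1
}

# list_shared: print every mount point on stdin whose propagation is shared.
# Inside a container's mount namespace this is the list to audit: a shared
# mount forwards mounts made inside the container to the host side as well.
list_shared() {
    while read -r _id _parent _dev _root mnt _opts rest; do
        for f in $(optional_fields "$rest"); do
            case $f in shared:*) printf '%s\n' "$mnt"; break ;; esac
        done
    done
}

# Demo on the constructed sample.  For a live check, replace the sample with
# the contents of /proc/<container-pid>/mountinfo.
printf '%s\n' "$SAMPLE_MOUNTINFO" | propagation_of /home/alice/dest   # slave
printf '%s\n' "$SAMPLE_MOUNTINFO" | list_shared                       # / and src/master
```

Mount points in mountinfo have spaces escaped as `\040`, so splitting on whitespace with `read` is safe; the only field that can contain ` - ` is the per-superblock options at the very end, which is why the parser tests whether the text after the options column starts with the separator before cutting at the first ` - `.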
