Posted: 2022-10-16 08:07:41 RSS feed digest for 2022-10-16 08:00 (7 items)
Category | Site | Article title / trending word | Link URL | Frequent words / summary / search volume | Registered |
---|---|---|---|---|---|
Docker | New posts tagged docker - Qiita | Notes on a small snag I hit while trying to docker pull an Nvidia image | https://qiita.com/onocchi0073/items/8e737f4ca58777019148 | ontenddockerfilevfailedto | 2022-10-16 07:06:13 |
Ruby | New posts tagged Rails - Qiita | The gentlest guide anywhere to setting up a production environment for a Rails app on Render.com! | https://qiita.com/ysk91_engineer/items/b7db950f4739fa896f57 | heroku | 2022-10-16 07:15:40 |
Overseas TECH | DEV Community | Containers: Under the Hood | https://dev.to/aws-builders/containers-under-the-hood-37k0 | Containers: Under the Hood. Introduction: Nowadays in software engineering we take containers for granted. We rely on them for day-to-day work; we build highly available and highly scalable production environments with them. But many of us software engineers struggle to understand what containers fundamentally are. Usually, when explaining to others, we point out that they are not virtual machines, which is true, but we struggle to state precisely what they are. In this article we will try to gain a more in-depth understanding of what containers are, how they work, and how we can leverage them for building industry-standard systems. Environment Set Up: To understand containers we want to play around with some container runtimes. Docker is the most popular implementation of a container runtime, so we will use that for this article. There are several other implementations out there, for example Podman, LXC/LXD, rkt and many others. For our setup we use a Linux (Ubuntu) machine on which we install Docker Engine following the steps from the Docker documentation. We specifically want Docker Engine and not Docker Desktop: Docker Desktop uses a virtual machine as the host, and we don't want that virtual machine for our current purposes. Process Isolation: Containers are not virtual machines (VMs). Despite having their own hostname, filesystem, process space and networking stack, they are not VMs. They do not have a standalone kernel, and they cannot have separate kernel modules or device drivers installed. They can have multiple processes, which are isolated from the host machine's running processes. On our Ubuntu host we can run `uname -s -r` to get information about the kernel; the output shows the kernel name Linux and a release version ending in -aws. The aws suffix comes from the fact that I'm using an EC2 machine on AWS. `cat /etc/os-release` prints more information about our Linux distribution (Ubuntu LTS, codename jammy, "Jammy Jellyfish"). Now let's run Rocky Linux from a Docker container with `docker run -ti rockylinux`. The -ti flag runs the container in interactive mode, dropping us into a shell inside the container. Running `cat /etc/os-release` there reports Rocky Linux ("Green Obsidian"), with ID rocky and ID_LIKE rhel centos fedora. It seems like we are connected to a different machine. But if we get information about the kernel with `uname -s -r`, we get something familiar: the same Linux release, with the -aws suffix, as on the host. We can conclude that the container and the Ubuntu host machine share the same kernel. Containers rely on the ability of the host operating system to isolate one program from another while allowing these programs to share resources such as CPU, memory, storage and networking. This is accomplished by a capability of the Linux kernel named namespaces. Linux namespaces are not a new technology or a recently added kernel feature; they have been available for many years. The role of a process namespace is to isolate the processes running inside it, so they cannot see things they shouldn't. To watch process namespaces created by container runtimes in action we will use containerd. If we followed the installation link above, we should have containerd installed with Docker Engine: Docker uses containerd under the hood as its container runtime. A container runtime (container engine) provides the low-level functionality to execute containerized processes. To access containerd we use the ctr command. For example, to check that containerd was installed and works correctly we can run `ctr images ls`, which returns a list of images on success or an error otherwise. At this point we most likely have no images pulled, so we get an empty response. To pull a busybox image: `ctr image pull docker.io/library/busybox:latest`. Checking again with `ctr images ls` should list the busybox image. We run it with `ctr run -t --rm docker.io/library/busybox:latest v`. This starts the image in interactive mode, giving us a shell waiting for commands. Now, listing the currently running tasks from the host machine with `ctr task ls` shows a task named v with its PID and status RUNNING. Taking the PID of the running container, we can find its parent process with `ps -ef`: the container's sh process has as its parent a containerd shim process (containerd-shim-runc-v2 -namespace default -id v -address /run/containerd/containerd.sock). As we might have expected, the parent process is containerd. We can also list the namespaces created by containerd with `lsns`, grepping for the container's PID: containerd launched five different types of namespaces for isolating the processes running in our busybox container: mnt (mount points), uts (Unix time sharing), ipc (interprocess communication), pid (process identifiers) and net (network interfaces, routing tables and firewalls). Network Isolation: containerd uses network namespaces for network isolation and to simplify configuration. In a lot of cases our containers act as web servers. To run a web server we need to choose a network interface and a port on which the server will listen. To solve the problem of port collisions (two or more processes listening on the same interface and the same port), container runtimes use virtual network interfaces. If we want to see the network namespace created by containerd we run into an issue: unfortunately, network namespaces created by containerd are invisible. This means that if we execute `ip netns list` to list all the network namespaces present on our host machine we most likely get no output. We can still get hold of the namespace created by containerd as follows. Get the PID of the currently running container with `ctr task ls`. Create an empty file under /var/run/netns named after a container identifier (we use the container PID as the identifier): `mkdir -p /var/run/netns` and `touch /var/run/netns/<pid>`. Bind the net process namespace to this file: `mount -o bind /proc/<pid>/ns/net /var/run/netns/<pid>`. Now `ip netns list` shows the namespace. We can also look at the interfaces in the network namespace with `ip netns exec <pid> ip addr list`, which shows the loopback interface lo (LOOPBACK,UP,LOWER_UP, state UNKNOWN). Running `ip a` from inside the busybox container gives similar output. Filesystem Isolation: The idea of process isolation involves preventing a process from seeing things it should not. In terms of files and folders, Linux provides filesystem permissions: the Linux kernel associates an owner and a group with each file and folder, and on top of that it manages read, write and execute permissions. This permission system works well, although if a process manages to elevate its privileges it could see files and folders that should have been forbidden. A more advanced isolation mechanism provided by the Linux kernel is to run a process in an isolated filesystem. This can be achieved by an approach known as change root. The chroot command changes the apparent root directory for the current running process and its children. For example, we can download Alpine Linux into a folder and launch an isolated shell using chroot: `mkdir alpine`, `cd alpine`, download the Alpine archive with curl as alpine.tar.gz, unpack it with `tar -xf alpine.tar.gz` and remove the archive. Listing the folder now shows bin, dev, etc, home, lib, media, mnt, opt, proc, root, run, sbin, srv, sys, tmp, usr and var. We recognize these folders from any other Linux distribution: the alpine folder has the necessary resources to be used as a root folder. We can run an isolated Alpine shell with `sudo chroot alpine sh`; running `ls` inside it lists the same folders as the new root. Container runtimes such as containerd or Docker implement an approach similar to chroot for filesystem isolation. On top of that, they provide a more practical way to set up the isolation by using container images. Container images are ready-to-use bundles that contain all the required files and folders for the base filesystem, metadata, environment variables, arguments and other executables. Building Container Images: Before building a container image ourselves, let's step back a little and investigate how other popular images are built. We will use Docker to pull an Apache httpd image, which we will take apart to see its content. `docker pull httpd` pulls the image from the Docker registry using the default tag latest; the output shows several layers being pulled, some of them reported as "Already exists", followed by the image digest. We can launch a container based on this image and connect to a shell with `docker run -it httpd /bin/bash`. Having a shell, we can navigate to the root of the container with `cd /` and list all the files and folders with `ls -lart`: home, boot, var, usr, srv, sbin, run, root, opt, mnt, media, lib, tmp, bin, etc, a .dockerenv file, sys, proc and dev. The Apache httpd image we are using is based on a Debian base image. This means it has a filesystem similar to what we would expect from the Debian Linux distribution; it contains all the files and folders the Apache web server expects in order to function correctly. Also, if we take another look at the output of the docker pull command, we observe that a bunch of layers was downloaded, and some layers are skipped with the message that they already exist on the host machine. Container images are made up of layers that can be shared between images. The reason a layer is skipped during a pull is that it was already downloaded during a pull of another image or a previous version of the same image: Docker detects that more than one image has the same layer and does not retrieve it twice. Layers are used to save space and to speed up builds, pulls and pushes. Layers are created when images are built. Usually we rely on other base images when building our image; as an example, we use the httpd base image, on top of which we add our website, essentially creating another layer. Base images also have to come from somewhere; usually they are built from a minimal Linux filesystem. The Alpine Linux resources downloaded and used for chroot could be used as the base for a container image. There are several ways to build images; the most popular is the Docker approach using Dockerfiles. A minimal Dockerfile using httpd as the base image looks like this: `FROM httpd`, `RUN mkdir -p /usr/local/apache2/conf/sites/`, `COPY my-httpd.conf /usr/local/apache2/conf/httpd.conf`, `COPY ./public-html/ /usr/local/apache2/htdocs/`. Many more commands can be used when building Docker images; for more information, check out the Docker documentation. Some widely used Dockerfile commands: FROM specifies the base image for the current build; ENV specifies an environment variable; RUN runs a command inside the container while it is being built; COPY copies files from the host machine into the container while it is being built; ENTRYPOINT specifies the initial process for the container; CMD sets the default parameters for the initial process. Conclusions: In this article we have seen what containers are. They are not virtual machines; they are essentially a group of isolated processes with their own isolated filesystem and networking. They share the kernel modules with the host machine, and because of this they can be lightweight compared to a fully fledged virtual machine. They can be part of an agile architecture, since they can be spawned and torn down quickly. Links and References: Install Docker Engine on Ubuntu; Linux Namespaces; Docker Container Network Namespace is Invisible; chroot; Dockerfile reference. Additional Reading: Building containers by hand using namespaces: The net namespace; Basics of Container Isolation. This article is heavily inspired by these books: Alan Hohn, The Book of Kubernetes; Liz Rice, Container Security: Fundamental Technology Concepts that Protect Containerized Applications | 2022-10-15 22:44:43 |
Apple | AppleInsider - Frontpage News | How to use Hot Corners in macOS | https://appleinsider.com/inside/macos/tips/how-to-use-hot-corners-in-macos?utm_medium=rss | How to use Hot Corners in macOS. Apple's macOS can perform actions without needing to press a button, by moving your cursor to a corner. Here's how to get started with Hot Corners in macOS. Hot Corners in macOS: There are many ways to perform actions on a Mac, with macOS offering numerous options to trigger actions. However, you may not need to set up a custom keyboard shortcut to get something working, as in some cases you don't necessarily need to use the keyboard at all. Read more | 2022-10-15 22:13:16 |
News | BBC News - Home | Claressa Shields v Savannah Marshall: American produces career-best performance in historic fight | https://www.bbc.co.uk/sport/boxing/63273495?at_medium=RSS&at_campaign=KARANGA | women | 2022-10-15 22:34:05 |
Hokkaido | Hokkaido Shimbun | Shunsuke Imamura (今村駿介) finishes sixth in the omnium on day 4 of the Cycling World Championships | https://www.hokkaido-np.co.jp/article/745978/ | 今村駿介 | 2022-10-16 07:14:23 |
Hokkaido | Hokkaido Shimbun | Russia continues missile strikes; infrastructure damaged in Kyiv, residents asked to save power | https://www.hokkaido-np.co.jp/article/745997/ | request | 2022-10-16 07:14:00 |