
?? ?? ???? ???
2?
Sam.0
??? ?? ?????
????? ?? …
? ???? 1?? ???? ???? ???????.
??? ?? ? ??? ??? 1?? ?? ???? ??????
1? ?? ??
??? . . .
● ? ???? VirtualBox + Vagrant ???? ???????
○ ? ??? OS ??? ??????
○ ??? ??? ???
○ "VirtualBox or VMware + Vagrant"? ??????.
● ???? ??? ?? Vagrantfile? ?????.
??? ?? ?? ?? ??
Vagrantfile
● ???? ???? ???? ?
● ??? Vagrantfile? ????
???? ???.
● vagrant ???? ?????
??? ???
https://www.vagrantup.com/docs/index
??? ?? ?? ?? ??
BOX_IMAGE = "bento/ubuntu-18.04"
HOST_NAME = "ubuntu1804"
$pre_install = <<-SCRIPT
echo ">>>> pre-install <<<<<<"
sudo apt-get update &&
sudo apt-get -y install gcc &&
sudo apt-get -y install make &&
sudo apt-get -y install pkg-config &&
sudo apt-get -y install libseccomp-dev &&
sudo apt-get -y install tree &&
sudo apt-get -y install jq &&
sudo apt-get -y install bridge-utils
echo ">>>> install go <<<<<<"
curl -O https://storage.googleapis.com/golang/go1.15.7.linux-amd64.tar.gz > /dev/null 2>&1 &&
tar xf go1.15.7.linux-amd64.tar.gz &&
sudo mv go /usr/local/ &&
echo 'PATH=$PATH:/usr/local/go/bin' | tee /home/vagrant/.bash_profile
echo ">>>>> install docker <<<<<<"
sudo apt-get -y install apt-transport-https ca-certificates curl gnupg-agent software-properties-common > /dev/null 2>&1 &&
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - &&
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" &&
sudo apt-get update &&
sudo apt-get -y install docker-ce docker-ce-cli containerd.io > /dev/null 2>&1
SCRIPT
Vagrant.configure("2") do |config|
config.vm.define HOST_NAME do |subconfig|
subconfig.vm.box = BOX_IMAGE
subconfig.vm.hostname = HOST_NAME
subconfig.vm.network :private_network, ip: "192.168.104.2"
subconfig.vm.provider "virtualbox" do |v|
v.memory = 1536
v.cpus = 2
end
subconfig.vm.provision "shell", inline: $pre_install
end
end
# sudo -Es
?? ?? (root)
# cd /tmp
?? ??
vagrant + virtual vm
ubuntu 18.04
docker 20.10.5 * ?? ??? ???? ? ???? ??? ?? ??? ?????.
?? ??? ?
~ tree, jq, brctl, … ? ??? ?? ?
Vagrantfile ?? ??
??? ?? ?? ?? ??
change root directory '/'
chroot
(diagram) / (root filesystem): bin, boot, chroot, etc, lib, proc, usr, var. Inside the chroot, / (fake root): bin, lib, home, usr. Hacker in jail.
?? ???? ??? root? ??? ? ???
?? ??? ????? ?? ? ??? ?? ?? ~
nginx-root
nginx image
tarball
????? ???? ??? "??? ??/?????" tarball
???.
chroot
??? ???? ?? ????? ???
chroot
?? ???? root ????? ??? ? ?? ???? ??? ? ????.
# chroot nginx-root /bin/sh
# nginx -g "daemon off;"
(diagram) / (root filesystem): bin, boot, nginx-root, etc, lib, proc, usr, var. Inside the chroot, / (fake root): bin, lib, home, usr. Hacker in jail.
chroot ???
isolation ?? ?? : ???? filesystems, process tree, network, ipc, … ? ?? ??
root ?? ?? : root ??? ?? ?? ?? ?? ?? ??
resource ??? : cpu, memory, i/o, network, … ???? ??? ?? ?? ?? ??
But … "root ????"? ??? ??? ???? ?
(diagram) / (root filesystem): bin, boot, nginx-root, etc, lib, proc, usr, var. / (fake root): bin, escape_root, home, lib. Angry Hacker.
chroot ???
???? …
??? ?????
## ????
pivot_root
changes the "root filesystem"
* chroot? changes the "root path"
?? "root filesystem? ???" ??? ?? ??
pivot_root
● pivot_root [new-root] [old-root]
○ ??? root filesystem (new-root)
○ ?? root filesystem → old-root (mount)
?? ???? ?????
??? ??? ?????? :-)
???? ????? ~ new-root? old-root ??? ?? ???
pivot_root?
- ??? new-root? '/'? ???,
- ?? root filesystem? old-root? ? ~ ??????.
pivot_root
mount : https://man7.org/linux/man-pages/man8/mount.8.html
● mount -t [filesystem type] [device_name] [directory - mount point]
● root filesystem tree? ?? ?????? ??? ??
?? ???? ?????
-t : filesystem type ex) -t tmpfs (temporary filesystem : ??? ???? ???)
-o : ?? ex) -o size=1m (?? ?? ? …)
??)
* /proc/filesystems ?? ???? filesystem type ?? ??
pivot_root
unshare : https://man7.org/linux/man-pages/man1/unshare.1.html
● unshare [options] [program [arguments] ]
● creates new namespaces and then
● executes the specified program (default : ${SHELL} )
?? ???? ?????
unshare ?
"??? ??????? ??? ?? ????? ??" ?? ??????
?? ? ? ???? ?? ?? ?????. ?? ???? pivot_root ???? ;-)
# cd /tmp
# mkdir nginx-root
# docker export $(docker create nginx:latest) | tar -C nginx-root -xvf -
(??1) pivot_root ?? ?? ??? ?? ?????. ?? 1?? ??? ???
1?
??
??
1?
??
??
??? ?? ????
??? ???
# gcc -o nginx-root/escape_chroot escape_chroot.c
(??1) pivot_root ?? ?? ??? ?? ?????. ?? 1?? ??? ???
1?
??
??
"????"?
?????
(diagram) / (root filesystem): bin, boot, nginx-root, etc, lib, proc, usr, var. nginx-root: bin, boot, . . ., escape_chroot, home, . . .
# chroot nginx-root /bin/sh
# ls /
# cd / && cd ../../../../../
# ls
(??1) pivot_root ?? ?? ??? ?? ?????. ?? 1?? ??? ???
?? ??? ???
???
"????"?
??????
(diagram) / (fake root): bin, escape_chroot, home, . . . / (root filesystem): bin, boot, nginx-root, etc, lib, proc, usr, var. Hacker in jail.
1?
??
??
# ./escape_chroot
# ls /
(??1) pivot_root ?? ?? ??? ?? ?????. ?? 1?? ??? ???
??? ???? ~
?? ???
??????
1?
??
??
(diagram) / (fake root): bin, escape_root, home, lib. Angry Hacker.
# exit; exit;
# pwd
/tmp
# ls ./nginx-root
(??1) pivot_root ?? ?? "??" ??? ?? ?????.
exit ?? ??
?????
??? ???
# mkdir ./new-root
# mount -n -t tmpfs -o size=800M none ./new-root
(??1) pivot_root ?? ?? "??" ??? ?? ?????.
(diagram) / (root filesystem): bin, boot, tmp, etc, lib, proc, usr, var. /tmp: . . ., new-root (tmpfs 800M, mount point), nginx-root, . . .
new-root ??? ??? (800?? ??) tmpfs ??????
new-root? ?????.
?? ? ???? ? ???? ??? ???
# cp -r nginx-root/* ./new-root
# mkdir ./new-root/old-root
# tree -L 1 ./new-root
(??1) pivot_root ?? ?? "??" ??? ?? ?????.
?? mount? new-root ??? nginx-root? ???? ??? ???
pivot_root ?? ??? root filesystem? mount ? mount point ?
old-root ? new-root ?? ??? ???
# cd ./new-root
# unshare -m
(??1) pivot_root ?? ?? "??" ??? ?? ?????.
unshare ??? -m ??? (??? ??) mount namespace? ???? ????? ??? ???
pivot_root ? ???? ????? root filesystem? mount point? ???? ???
???? ??? ?? ?? ??? unshare -m? ???? ???? mount namespace?
???????
# pivot_root . old-root
# cd /
# ls
# cd / && cd ../../../../
# ls
(??1) pivot_root ?? ?? "??" ??? ?? ?????.
??? pivot_root? ???????.
"????" ? ??? ??.
cd ? root ??? ???? ??? ???
# ls
# ./escape_chroot
# ls
(??1) pivot_root ????
??? ?? ????
????? root filesystem ??? ????? ????
(diagram) / (REAL root): bin, escape_chroot, home, . . .
pivot_root? root filesystem? mount point? ??? ????? ???????
(??1) pivot_root
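The pivot_root sequence above (mkdir, mount a tmpfs, cp, mkdir old-root, unshare -m, pivot_root . old-root), as an added example script that is not code from the original slides. It checks the pivot_root precondition that new-root is a mount point, then performs the same steps and adds the one the slides leave out, `umount -l /old-root`, so the old root filesystem is no longer mounted anywhere in the jail's namespace. The function names, the `check|build|enter` subcommands and the paths ./nginx-root and ./new-root are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the original slides: the pivot_root jail built above,
# wrapped in a script, with a preflight check and the final umount of old-root.
# Assumed paths (constructed for this example): ./nginx-root (docker export of nginx),
# ./new-root (tmpfs), old-root (directory name inside the new root).
set -euo pipefail

# pivot_root(2) requires new_root to be a mount point, which is why the slides put
# the rootfs on a tmpfs first. Field 5 of /proc/self/mountinfo is the mount point path.
is_mountpoint() {
    local dir
    dir=$(readlink -f "$1") || return 1
    awk -v d="$dir" '$5 == d { found = 1 } END { exit !found }' /proc/self/mountinfo
}

# pivot_preflight NEW_ROOT [OLD_ROOT_NAME] -> 0 ready, 1 not a mount point,
# 2 old-root directory missing inside NEW_ROOT, 3 no executable /bin/sh to exec
pivot_preflight() {
    local new_root=$1 old_root=${2:-old-root}
    is_mountpoint "$new_root" || return 1
    [ -d "$new_root/$old_root" ] || return 2
    [ -x "$new_root/bin/sh" ] || return 3
}

# build_jail SRC NEW_ROOT [SIZE]: the slides' mkdir / mount -t tmpfs / cp / mkdir old-root
# steps (root required). cp -a instead of cp -r * keeps dotfiles, owners and modes.
build_jail() {
    local src=$1 new_root=$2 size=${3:-800M}
    mkdir -p "$new_root"
    mount -n -t tmpfs -o "size=$size" none "$new_root"
    cp -a "$src"/. "$new_root"/
    mkdir -p "$new_root/old-root"
}

# enter_jail NEW_ROOT: unshare -m (private mount namespace), pivot_root, mount a fresh
# /proc, then detach old-root. Without that last umount the host root stays mounted at
# /old-root inside the jail; with it, nothing above the new root exists in this namespace.
enter_jail() {
    local new_root=$1 rc=0
    pivot_preflight "$new_root" || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "preflight failed (code $rc) for $new_root" >&2
        return "$rc"
    fi
    exec unshare -m /bin/sh -c '
        cd "$1" &&
        pivot_root . old-root &&
        cd / &&
        mkdir -p /proc && mount -t proc proc /proc &&
        umount -l /old-root &&
        exec /bin/sh' sh "$new_root"
}

# Command-line use: ./pivot_jail.sh check|build|enter [DIR ...]
if [ $# -gt 0 ]; then
    case $1 in
        check) rc=0; pivot_preflight "${2:?new root dir}" || rc=$?
               echo "preflight code: $rc"; exit "$rc" ;;
        build) build_jail "${2:-./nginx-root}" "${3:-./new-root}" ;;
        enter) enter_jail "${2:-./new-root}" ;;
        *)     echo "usage: $0 check|build|enter [DIR ...]" >&2; exit 2 ;;
    esac
fi
```

Only `check` runs unprivileged; `build` and `enter` need root exactly as the slides' commands do.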
???? Solved (pivot_root)
Hacker In (Fake) Jail
fake root path : ??? ???
isolation ?? ?? : ???? filesystems, process tree, network, ipc, … ? ?? ??
root ?? ?? : root ??? ?? ?? ?? ?? ?? ??
resource ??? : cpu, memory, i/o, network, … ???? ??? ?? ?? ?? ??
??? … ?? ???? ? ???? ??????
Solved (pivot_root)
chroot ??? ??? ??
(diagram) Namespace: Host Namespace, Namespace A, Namespace B. Cgroup, ?????? (cpu, mem, ..): Cgroup A, Cgroup B.
fake root path
isolation ?? ??
root ?? ??
resource ???
Solved (pivot_root)
Namespaces
??????? ????? ??? ??? ???? ?????
?????? ???? ??? ??? ???????? ????
?? ???????? ??? ????
https://man7.org/linux/man-pages/man7/namespaces.7.html
(diagram) Namespace A, Namespace B, Host Namespace
Namespaces
Linux kernel feature (2002, Linux 2.4.19)
"container ready" (2013, kernel version 3.8)
https://man7.org/linux/man-pages/man7/namespaces.7.html
??? ?? ??? ??????? ?? ??? ? ?? 2002?
???
?? ??? ? ?? ??? ??? ???? ??? ?? ?? 2013?
???.
Namespaces
Namespace? ??? process? ??
~ ?? process ?? namespace type?? ?? ??????? ????
~ Child Process? Parent process? namespace? ??????
~ process? ?????? ???? ??? host(root) namespace?
??? container? namespace? ??? ?? ? ????
?) pid, network, mount namespace? ????? ??????? ????,
???? ???? ??????? ??? ??? ? ????
https://man7.org/linux/man-pages/man7/namespaces.7.html
Namespace ??
https://man7.org/linux/man-pages/man7/namespaces.7.html
7 namespaces
● mnt (CLONE_NEWNS)
● pid (CLONE_NEWPID)
● net (CLONE_NEWNET)
● ipc (CLONE_NEWIPC)
● uts (CLONE_NEWUTS)
● user (CLONE_NEWUSER)
● cgroup (CLONE_NEWCGROUP)
● time, syslog (2016, not fully implemented)
(timeline) 1979 chroot; 2000 Jails; 2002 mount ns; 2006 uts, ipc ns (Linux 2.6.19); 2008 pid ns, cgroup, LXC (LinuX Containers); 2009 net ns; 2012 user ns (Linux 3.5); 2013
Mount Namespace
2002? ??? ??????
Mount Namespace : isolates mount points
Mount Namespace
# unshare -m /bin/bash
??? #1
mount namespace? ??? ???
unshare -m [???]
-m ??? ?? [???]? mount namespace?
isolation ?? ?????
Mount Namespace
# mkdir /tmp/mount_ns
# mount -n -t tmpfs tmpfs /tmp/mount_ns
??? #1
mount namespace? ??? ???
??? ??? ???
?? ??? mount point? ??
tmpfs (?? ???????)? ??????
??? (pivot_root) ?? ?????? :-) ???????
mount namespace? ????? "??"?? ??
???? ??? ?? ??? ???? ??? ?? ????.
Mount Namespace
# df -h | grep mount_ns
# mount | grep mount_ns
??? #1
mount namespace? ??? ???
???? ? ??? ??? ???
Mount Namespace
# df -h | grep mount_ns
# mount | grep mount_ns
# df -h | grep mount_ns
# mount | grep mount_ns
??? #1 (mount namespace) ??? #2 (???)
???(#2)? ?? ? ??? ???? ???
???
???#1? ??? ??? ????, ???(???#2)?? mount_ns? ??? ????
Mount Namespace
# readlink /proc/$$/ns/mnt
# readlink /proc/$$/ns/mnt
??? #1 (mount namespace) ??? #2 (???)
???(#2)? ?? ? ??? ???? ???
???
"? ????? ?????? ??"? /proc/{pid}/ns ?? ??? ? ????
$$ ? ?? ???? id (pid)?? readlink /proc/$$/ns/mnt ? ???
?? ????? mount namespace inode ?? ??? ? ??
? ?? ???? ??? ?????? ??? ?????
UTS Namespace, IPC Namespace
UTS Namespace : isolates Hostname and domain name
IPC Namespace : isolates System V IPC, Posix message queues
UTS Namespace
UTS ? UNIX Time-sharing System , ??? ???
?? ??? ?? ?? ????? ...
# unshare -u
# hostname
ubuntu1804
# hostname <your-name>
# hostname
<your-name>
unshare -u [???]
-u ??? ?? [???]? UTS namespace?
isolation ?? ?????
* [???]? ???? ??? ???? $SHELL ?
?????
PID Namespace, Cgroup Namespace
PID Namespace : isolates Process IDs
Cgroup Namespace : isolates Cgroup root directory
(diagram) PID namespace (parent): 1, 2, 3, 4, 5. PID namespace (child, nested): 6(1), 7(2), 8(3), 9(4), i.e. the parent's pid 6 is pid 1 inside the child namespace.
PID Namespace
PID ? Process ID
- parent-child? nested ??
- parent tree? id? subtree? id ? ?? ??
- child process? pid namespace? pid1
- pid1 (init)? ???? pid namespace? ??
PID Namespace
??? #1
# echo $$
# unshare -fp --mount-proc
# echo $$
unshare -p [???]
-p ??? ?? [???]? PID namespace?
isolation ?? ?????
* PID namespace? child process? ??? ???????
???? ??? -f (fork) ??? ????? ps ????
????? /proc ? mount ?? ?? ??? --mount-proc
??? ?????
??? ??? ? ??? ???? ?????
PID Namespace
# ps aux
??? #1
# ps aux
??? #2 (???)
PID Namespace
# readlink /proc/$$/ns/pid
??? #1
# readlink /proc/<target pid>/ns/pid
??? #2 (???)
<target pid>? PID namespace? process (pid=1)? ??? ???? pid? ?????.
??? ?? unshare ???? child? ??? ???
# ps -ef
PID namespace??? pid? ??? ????????? pid 2?? ????
NET Namespace
NET Namespace : isolates Network (devices, stacks, ports, …)
NET Namespace
# unshare -n
# ip a
# lsns -p $$
# lsns -p 1
??? #1
# ip netns add mynet
# ip netns list
# ls /var/run/netns
# ip a
# nsenter --net=/var/run/netns/mynet
# ip a
# lsns -p $$
# lsns -p 1
??? #2
USER Namespace
USER Namespace : isolates User and group IDs
USER Namespace
● ?? ? ??
● ????? "root ??" ??? ??
● ?????? ?? ?? UID/GID? ??? ??? ? ??
○ ??? ???? ??? ?? ?? ??? ???? ???? ?? ??? ??? ? ?
??
USER Namespace
# unshare -U
# whoami
# id
# ls -al /proc/$$/ns
# lsns -p $$
??? #1
# whoami
# id
# ls -al /proc/$$/ns
# lsns -p $$
??? #2 (???)
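The namespace checks shown across the mount, PID, NET and USER slides above (`readlink /proc/$$/ns/mnt`, `readlink /proc/<target pid>/ns/pid`, `ls -al /proc/$$/ns`, `lsns -p`) compare inode numbers between two terminals by eye. The script below, an added example that is not part of the original deck, does that comparison for every namespace type between two PIDs and reports how many differ, which is also a quick way to verify that a container process really left the host's namespaces. Function names and the output format are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original slides: compare the namespace membership of two
# processes from the /proc/<pid>/ns/* links the slides inspect with readlink and lsns.
# Exit status of ns_diff = number of namespace types that differ, so 0 means the two
# processes are fully co-located (for a supposed container process compared with pid 1
# that is the finding a defender does not want to see).
set -u

NS_TYPES="mnt pid net ipc uts user cgroup time"

# ns_id PID TYPE -> "type:[inode]" as the kernel reports it, or "absent" when this
# kernel has no such type or the link is not readable (foreign pid without ptrace rights)
ns_id() {
    readlink "/proc/$1/ns/$2" 2>/dev/null || echo absent
}

# ns_inode PID TYPE -> just the inode number between the brackets
ns_inode() {
    local link
    link=$(ns_id "$1" "$2")
    link=${link#*[}
    echo "${link%]}"
}

# ns_diff PID_A PID_B -> one line per type; returns the count of differing types
ns_diff() {
    local a=$1 b=$2 t ia ib differing=0
    for t in $NS_TYPES; do
        ia=$(ns_id "$a" "$t")
        ib=$(ns_id "$b" "$t")
        if [ "$ia" = "$ib" ]; then
            printf '%-7s same       %s\n' "$t" "$ia"
        else
            printf '%-7s DIFFERENT  %s | %s\n' "$t" "$ia" "$ib"
            differing=$((differing + 1))
        fi
    done
    return "$differing"
}

# pid_in_innermost_ns PID -> the pid the process sees for itself inside its own PID
# namespace (last NSpid column of /proc/PID/status). For the `unshare -fp` shell on the
# slides this prints 1, while PID itself is the host-side id the slides call <target pid>.
pid_in_innermost_ns() {
    awk '/^NSpid:/ { print $NF; found = 1 } END { if (!found) exit 1 }' "/proc/$1/status"
}

# Usage: ns_diff.sh <pid-a> [pid-b]; the reference defaults to pid 1 as seen from here.
if [ $# -gt 0 ]; then
    ns_diff "$1" "${2:-1}" || echo "$? namespace type(s) differ"
    echo "pid $1 sees itself as pid $(pid_in_innermost_ns "$1")"
fi
```

Run it as root inside the `unshare -fp --mount-proc` shell with the host-side pid of that shell as pid-a to see exactly which types the slides' unshare flags isolated.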
?? Namespaces? ??? isolation ?? ?? ???????
fake root path
isolation ?? ??
root ?? ??
resource ???
Solved
Solved
Solved
Namespace Flag Isolates
Mount CLONE_NEWNS Mount points
Network CLONE_NEWNET Network devices, stacks, ports, . . .
Pid CLONE_NEWPID Process IDs Hierarchy
User CLONE_NEWUSER User and group IDs
IPC CLONE_NEWIPC System V IPC, POSIX message queues
UTS CLONE_NEWUTS Hostname and NIS domain name
Cgroup
HW??? "??"?? ??? ? ?? ??? ??
CPU, MEMORY, NETWORK, DISK IO . . .
(diagram) ?????? (cpu, mem, ..) : 40% / 35% / 25%
Cgroup
?? ?? ??? ??? ??? ??? ?? ?? ??
????? ???? ???? ??? cgroup? ??? ??
????
(diagram) Core i7 / memory: CPU GROUP A (cpu.share, cpu.stat), CPU GROUP B (cpu.share, cpu.stat), Memory GROUP C (memory.stat), Network GROUP D (memory.stat)
Cgroup
cgroup? ??????? ???
Cgroup
# apt install -y cgroup-tools
# apt install -y stress
?? ??
Cgroup
# stress -c 1
??? #1
# top
??? #2
Cgroup
# cgcreate -a root -g cpu:mycgroup
# ls -al /sys/fs/cgroup/cpu/ | grep mycgroup
# cgset -r cpu.cfs_quota_us=30000 mycgroup
# cgexec -g cpu:mycgroup stress -c 1
??? #1
# top
??? #2
cpu ??? (%CPU)
cpu.cfs_quota_us / cpu.cfs_period_us * 100
* 1ms = 1000us
Cgroup
???? ??(cpu 30%) ?? chroot ?? stress -c 1 ? ??? ???
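The %CPU formula on the cgroup slide (cpu.cfs_quota_us / cpu.cfs_period_us * 100) and the cgcreate/cgset/cgexec sequence, as an added example that is not code from the original deck: helpers that read a cgroup's real limit files, derive the quota for a target percentage (the 30% the exercise asks for), and wrap the slide's cgroup-tools commands. The slides use cgroup v1 on Ubuntu 18.04; reading the cgroup v2 file cpu.max goes beyond the slides. Function names and the constructed sample directories are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original slides: the %CPU formula turned into helpers that
# read a cgroup's limit files (v1 cpu.cfs_quota_us / cpu.cfs_period_us, v2 cpu.max) and
# derive the quota for a target percentage. Function names are this example's own.
set -eu

# quota_for_percent PERCENT [PERIOD_US] -> cpu.cfs_quota_us giving PERCENT of one CPU.
# The kernel default period is 100000us (100ms), so 30% -> 30000, the value the slide sets.
quota_for_percent() {
    local pct=$1 period=${2:-100000}
    echo $(( pct * period / 100 ))
}

# cpu_limit_percent CGROUP_DIR -> integer percent of one CPU the cgroup may use, or
# "unlimited". v1: quota -1 means no limit. v2: cpu.max holds "max|<quota> <period>".
# Values above 100 mean more than one CPU (150 = 1.5 CPUs).
cpu_limit_percent() {
    local dir=$1 quota period
    if [ -r "$dir/cpu.max" ]; then
        read -r quota period < "$dir/cpu.max"
    elif [ -r "$dir/cpu.cfs_quota_us" ]; then
        quota=$(cat "$dir/cpu.cfs_quota_us")
        period=$(cat "$dir/cpu.cfs_period_us")
    else
        echo "no cpu limit files in $dir" >&2
        return 1
    fi
    case $quota in
        max|-1) echo unlimited ;;
        *)      echo $(( quota * 100 / period )) ;;
    esac
}

# self_cgroup_cpu_dir -> the cpu cgroup directory of the calling process, from
# /proc/self/cgroup ("0::/path" on v2, "N:cpu,cpuacct:/path" on v1). Useful from inside
# a container to see which limit was applied to it. Assumes cgroups under /sys/fs/cgroup.
self_cgroup_cpu_dir() {
    local line
    line=$(grep -E '^0::|:(cpu|cpu,cpuacct|cpuacct,cpu):' /proc/self/cgroup | head -n 1)
    [ -n "$line" ] || return 1
    case $line in
        0::*) echo "/sys/fs/cgroup${line#0::}" ;;
        *)    echo "/sys/fs/cgroup/cpu${line##*:}" ;;
    esac
}

# run_limited PERCENT NAME CMD...: the slide's cgcreate/cgset/cgexec sequence with the
# quota computed from PERCENT (root and cgroup-tools required, cgroup v1 as on the slides)
run_limited() {
    local pct=$1 name=$2
    shift 2
    cgcreate -a root -g "cpu:$name"
    cgset -r "cpu.cfs_quota_us=$(quota_for_percent "$pct")" "$name"
    cgexec -g "cpu:$name" "$@"
}

# Constructed sample directories standing in for /sys/fs/cgroup/cpu/mycgroup and a v2
# cgroup, so the reading helpers run here without root or a real cgroup hierarchy.
demo() {
    local d
    d=$(mktemp -d)
    mkdir "$d/v1" "$d/v2"
    printf '%s\n' 30000  > "$d/v1/cpu.cfs_quota_us"   # slide: cgset -r cpu.cfs_quota_us=30000
    printf '%s\n' 100000 > "$d/v1/cpu.cfs_period_us"  # default period, 1ms = 1000us
    printf '%s\n' 'max 100000' > "$d/v2/cpu.max"      # v2 spelling of "no limit"
    echo "v1 mycgroup limit : $(cpu_limit_percent "$d/v1")%"   # 30
    echo "v2 limit          : $(cpu_limit_percent "$d/v2")"    # unlimited
    echo "quota for 30%     : $(quota_for_percent 30)us"       # 30000
    rm -rf "$d"
}
demo
```

For the exercise, `run_limited 30 mycgroup chroot nginx-root /bin/sh -c 'stress -c 1'` reproduces the slide's 30% cap; `top` in a second terminal should then show stress at about 30 %CPU.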
???? ...
fake root path
isolation ?? ??
root ?? ??
resource ???
Solved
Solved
Solved
Solved
chroot ? ???? ????? ??? ?????
pivot_root, namespaces, cgroup ? ??? ??? ??? ??? ???????
????? ...
> "Containers are processes, born from tarballs, anchored to namespaces, controlled by cgroups"
??: https://twitter.com/jpetazzo/status/1047179436959956992
https://twitter.com/b0rk
3? ??
1?? 2?? ??? ????? ??? ??? ???? ??? ????? ??????
????? ? ? deep ~ ?? ??? ????? ???.
3???? "???? ??????"? ??? ????? ?????.
END
