Escaping a chroot jail/1 | PyTux
Everybody will tell you that a chroot jail (that is, making a process think that a directory is instead the root folder, and not letting it access or modify anything outside of that) is ineffective against a process with root privileges1 (UID 0). Let’s see why. The escape basically works like this: We create a temporary folder (I named mine .42, hidden not to draw too much attention) and we chroot
GitHub - kazuho/jailing: super-easy chroot jail builder/runner for Linux
Jailing is a minimalistic, super-easy chroot jail builder/runner script. It is by no means a container service, or tries to be. It is a helper tool for running a program under a restricted environment, preventing it from making changes to other parts of the host even if gets cracked. When invoked, it automatically setups the chroot environment by doing the following, and then executes the given co
コンテナ技術入門 - 仮想化ã¨ã®é•ã„を知りã€è¦ç´ 技術を触ã£ã¦å¦ã¼ã†ï½œãƒã‚¤ã‚¯ãƒ©ã‚¹è»¢è·ãƒ»æ±‚äººæƒ…å ±ã‚µã‚¤ãƒˆ AMBI(アンビ)
コンテナ技術入門 - 仮想化ã¨ã®é•ã„を知りã€è¦ç´ 技術を触ã£ã¦å¦ã¼ã† コンテナ技術をé©åˆ‡ã«æ´»ç”¨ã™ã‚‹ã«ã¯ã€ã‚³ãƒ³ãƒ†ãƒŠãŒã€Œã©ã†ã‚„ã£ã¦ã€å‹•ã„ã¦ã„ã‚‹ã‹ã‚’å¦ã³ãŸã„ã¨ã“ã‚。ã¯ã¦ãªã®ã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢hayajo_77ã•ã‚“ãŒã‚³ãƒ³ãƒ†ãƒŠã®è¦ç´ 技術ã®å‹˜æ‰€ã‚’解説ã—ã¾ã™ã€‚ ã“ã‚“ã«ã¡ã¯ã€‚æ ªå¼ä¼šç¤¾ã¯ã¦ãªã§ã‚µãƒ¼ãƒãƒ¼ç›£è¦–サービス「Mackerelã€ã®SREã‚’å‹™ã‚ã‚‹hayajo_77( @hayajo )ã§ã™ã€‚ ã•ã¦ã€ã‚³ãƒ³ãƒ†ãƒŠæŠ€è¡“ã¯Dockerã®ç™»å ´ãŒãã£ã‹ã‘ã¨ãªã‚Šã€æœ¬æ ¼çš„ã«æ´»ç”¨ãŒå§‹ã¾ã‚Šã¾ã—ãŸã€‚ç¾åœ¨ã¯Kubernetesを始ã‚ã¨ã™ã‚‹ã‚³ãƒ³ãƒ†ãƒŠã‚ªãƒ¼ã‚±ã‚¹ãƒˆãƒ¬ãƒ¼ã‚·ãƒ§ãƒ³ãƒ„ールや AWS, GCP, Azure ãªã©ã®ã‚¯ãƒ©ã‚¦ãƒ‰ã‚µãƒ¼ãƒ“スã§æä¾›ã•ã‚Œã‚‹ã‚³ãƒ³ãƒ†ãƒŠãƒžãƒã‚¸ãƒ¡ãƒ³ãƒˆã‚µãƒ¼ãƒ“スを採用ã—ãŸã‚µãƒ¼ãƒ“スé‹ç”¨äº‹ä¾‹ãŒæ•°å¤šã紹介ã•ã‚Œã¦ãŠã‚Šã€ã‚³ãƒ³ãƒ†ãƒŠæŠ€è¡“ã¯ã€Œç†è§£ã™ã‚‹ã€ãƒ•ã‚§ã‚¤ã‚ºã‹ã‚‰ã€Œåˆ©ç”¨ã™ã‚‹ã€ãƒ•ã‚§ã‚¤ã‚ºã«ç§»ã£ã¦ãã¦ã„ã¾ã™ã€‚ コンテナãã®ã‚‚ã®ã¯ä¸Šè¨˜ã®ãƒ„ールやサービスã«ã‚ˆã‚Š
Dockerã¨chrootを組ã¿åˆã‚ã›ãŸã‚·ãƒ³ãƒ—ルãªã‚³ãƒ³ãƒ†ãƒŠãƒ‡ãƒ—ãƒã‚¤ãƒ„ール - ゆã†ã†ãブãƒã‚°
ã“ã®è¨˜äº‹ã¯ã¯ã¦ãªã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ã‚¢ãƒ‰ãƒ™ãƒ³ãƒˆã‚«ãƒ¬ãƒ³ãƒ€ãƒ¼2015ã®1日目ã§ã™ã€‚今回ã¯ã€æ—¢å˜ã®é‹ç”¨ãƒ•ãƒãƒ¼ã«ä¹—ã›ã‚„ã™ã„Dockerイメージã¸ã®chrootã«ã‚ˆã‚‹ãƒ‡ãƒ—ãƒã‚¤ã®è€ƒãˆæ–¹ã¨è‡ªä½œã®ã‚³ãƒ³ã‚»ãƒ—トツール droot を紹介ã—ã¾ã™ã€‚ github.com 背景 Docker 本番導入ã®èª²é¡Œ Docker å°Žå…¥ã®ç›®çš„ Docker + chroot ã®ã‚¢ã‚¤ãƒ‡ã‚¢ droot: Dockerイメージã«chrootã™ã‚‹ã‚³ãƒ³ãƒ†ãƒŠãƒ„ール droot ã®ä½¿ã„æ–¹ droot push: Dockerイメージをtar ball化ã—S3ã«pushã™ã‚‹ droot pull: S3ã«pushã—ãŸã‚¤ãƒ¡ãƒ¼ã‚¸ã‚’ダウンãƒãƒ¼ãƒ‰ã—展開ã™ã‚‹ droot run: 展開先ã®ãƒ‡ã‚£ãƒ¬ã‚¯ãƒˆãƒªã«chrootã™ã‚‹ droot ã®å®Ÿè£… droot push/pull ã®å®Ÿè£… droot run ã®å®Ÿè£… ã‚ã‚ã›ã¦èªã¿ãŸã„ ã‚ã¨ãŒã 背景 DockerãŒãƒªãƒªãƒ¼
1
リリースã€éšœå®³æƒ…å ±ãªã©ã®ã‚µãƒ¼ãƒ“スã®ãŠçŸ¥ã‚‰ã›
最新ã®äººæ°—エントリーã®é…ä¿¡
j次ã®ãƒ–ックマーク
kå‰ã®ãƒ–ックマーク
lã‚ã¨ã§èªã‚€
eコメント一覧を開ã
oページを開ã
{{#tags}}- {{label}}
{{/tags}}