Introduction
I read "Container Security: Fundamental Technologies for Protecting Containerized Applications" (the Japanese edition of Liz Rice's Container Security).
Chapter 3, Control Groups, involves building an environment, so I am writing down what I did as a memo.
Goal of this article
- Be able to run the lscgroup command
- Be able to run a container with the runc command
Prerequisites
- OS: Amazon Linux 2
Steps
Installing the lscgroup command (it ships in the libcgroup-tools package)
[root@ip-172-31-2-191 memory]# yum install libcgroup libcgroup-tools
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
amzn2-core | 3.6 kB 00:00:00
Resolving Dependencies
--> Running transaction check
---> Package libcgroup.x86_64 0:0.41-21.amzn2 will be installed
---> Package libcgroup-tools.x86_64 0:0.41-21.amzn2 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
===================================================================================================================================================
Package Arch Version Repository Size
===================================================================================================================================================
Installing:
libcgroup x86_64 0.41-21.amzn2 amzn2-core 66 k
libcgroup-tools x86_64 0.41-21.amzn2 amzn2-core 100 k
Transaction Summary
===================================================================================================================================================
Install 2 Packages
Total download size: 166 k
Installed size: 390 k
Is this ok [y/d/N]: y
Downloading packages:
(1/2): libcgroup-0.41-21.amzn2.x86_64.rpm | 66 kB 00:00:00
(2/2): libcgroup-tools-0.41-21.amzn2.x86_64.rpm | 100 kB 00:00:00
---------------------------------------------------------------------------------------------------------------------------------------------------
Total 1.1 MB/s | 166 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : libcgroup-0.41-21.amzn2.x86_64 1/2
Installing : libcgroup-tools-0.41-21.amzn2.x86_64 2/2
Verifying : libcgroup-tools-0.41-21.amzn2.x86_64 1/2
Verifying : libcgroup-0.41-21.amzn2.x86_64 2/2
Installed:
libcgroup.x86_64 0:0.41-21.amzn2 libcgroup-tools.x86_64 0:0.41-21.amzn2
Complete!
[root@ip-172-31-2-191 memory]# which lscgroup
/usr/bin/lscgroup
[root@ip-172-31-2-191 memory]#
Running a container with the runc command
1. Install Go
See the following link for the latest version:
https://go.dev/dl/
[root@ip-172-31-2-191 ~]# wget https://go.dev/dl/go1.24.4.linux-amd64.tar.gz
--2025-06-29 01:30:51-- https://go.dev/dl/go1.24.4.linux-amd64.tar.gz
Resolving go.dev (go.dev)... 216.239.34.21, 216.239.36.21, 216.239.38.21, ...
Connecting to go.dev (go.dev)|216.239.34.21|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://dl.google.com/go/go1.24.4.linux-amd64.tar.gz [following]
--2025-06-29 01:30:51-- https://dl.google.com/go/go1.24.4.linux-amd64.tar.gz
Resolving dl.google.com (dl.google.com)... 172.217.31.142, 2404:6800:4004:81d::200e
Connecting to dl.google.com (dl.google.com)|172.217.31.142|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 78559214 (75M) [application/x-gzip]
Saving to: ‘go1.24.4.linux-amd64.tar.gz’
100%[=========================================================================================================>] 78,559,214 91.1MB/s in 0.8s
2025-06-29 01:30:52 (91.1 MB/s) - ‘go1.24.4.linux-amd64.tar.gz’ saved [78559214/78559214]
[root@ip-172-31-2-191 ~]# ll
total 76720
-rw-r--r-- 1 root root 78559214 Jun 5 18:37 go1.24.4.linux-amd64.tar.gz
[root@ip-172-31-2-191 ~]#
[root@ip-172-31-2-191 ~]#
[root@ip-172-31-2-191 ~]# sudo tar -C /usr/local -xzf go1.24.4.linux-amd64.tar.gz
[root@ip-172-31-2-191 ~]# echo 'export PATH=$PATH:/usr/local/go/bin' >> .bash_profile
[root@ip-172-31-2-191 ~]# source ~/.bash_profile
[root@ip-172-31-2-191 ~]# go version
go version go1.24.4 linux/amd64
2. Install runc
Follow the build instructions at the following link:
https://github.com/opencontainers/runc/blob/main/README.md
Package installation. The README lists pkg-config, but on Amazon Linux 2 the yum package is named pkgconfig, which is why yum prints "No package pkg-config available" below; the build still went through.
[root@ip-172-31-2-191 ~]# yum install -y make gcc kernel-headers libseccomp-devel pkg-config git
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Package 1:make-3.82-24.amzn2.x86_64 already installed and latest version
No package pkg-config available.
Resolving Dependencies
--> Running transaction check
---> Package gcc.x86_64 0:7.3.1-17.amzn2 will be installed
:
:
Dependency Installed:
cpp.x86_64 0:7.3.1-17.amzn2 git-core.x86_64 0:2.47.1-1.amzn2.0.3 git-core-doc.noarch 0:2.47.1-1.amzn2.0.3
glibc-devel.x86_64 0:2.26-64.amzn2.0.4 glibc-headers.x86_64 0:2.26-64.amzn2.0.4 libatomic.x86_64 0:7.3.1-17.amzn2
libcilkrts.x86_64 0:7.3.1-17.amzn2 libitm.x86_64 0:7.3.1-17.amzn2 libmpc.x86_64 0:1.0.1-3.amzn2.0.2
libmpx.x86_64 0:7.3.1-17.amzn2 libquadmath.x86_64 0:7.3.1-17.amzn2 libsanitizer.x86_64 0:7.3.1-17.amzn2
mpfr.x86_64 0:3.1.1-4.amzn2.0.2 perl-Error.noarch 1:0.17020-2.amzn2 perl-Git.noarch 0:2.47.1-1.amzn2.0.3
perl-TermReadKey.x86_64 0:2.30-20.amzn2.0.2
Complete!
Build. runc is a Go-module project, so it can be cloned into any directory; /usr/local/go/src, used below, is the Go toolchain's own source tree and there is no need to put the clone there.
[root@ip-172-31-2-191 src]# cd /usr/local/go/src
[root@ip-172-31-2-191 src]# pwd
/usr/local/go/src
[root@ip-172-31-2-191 src]# mkdir -p github.com/opencontainers
[root@ip-172-31-2-191 src]# cd github.com/opencontainers/
[root@ip-172-31-2-191 opencontainers]# git clone https://github.com/opencontainers/runc
Cloning into 'runc'...
remote: Enumerating objects: 47567, done.
remote: Counting objects: 100% (328/328), done.
remote: Compressing objects: 100% (125/125), done.
remote: Total 47567 (delta 257), reused 203 (delta 203), pack-reused 47239 (from 2)
Receiving objects: 100% (47567/47567), 23.30 MiB | 21.36 MiB/s, done.
Resolving deltas: 100% (31132/31132), done.
[root@ip-172-31-2-191 opencontainers]# cd runc
[root@ip-172-31-2-191 runc]#
[root@ip-172-31-2-191 runc]# make
go build -trimpath "-buildmode=pie" -tags "seccomp urfave_cli_no_docs " -ldflags "-X main.gitCommit=v1.3.0-rc.1-171-gb1722d79 " -o runc .
[root@ip-172-31-2-191 runc]# make install
install -D -m0755 runc /usr/local/sbin/runc
Running runc right away gave an error...
[root@ip-172-31-2-191 runc]# runc run sh
ERROR[0000] runc run failed: JSON specification file config.json not found
It turned out that more set-up was needed: runc run expects an OCI bundle, a directory holding a config.json and a root filesystem, in the current directory (or the one passed with -b).
https://qiita.com/saburou_itijiku/items/34aa0d60f4b641027e17
Other settings: creating the bundle. Per the runc README, the rootfs directory has to exist (mkdir rootfs) before the docker export below, and runc spec has to be run afterwards to write config.json, the file the error above complained about. Neither command shows up in the transcript, but the final runc run only works once both have been done.
[root@ip-172-31-2-191 runc]# mkdir workdir; cd workdir
[root@ip-172-31-2-191 workdir]# sudo yum -y install docker
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
amzn2-core | 3.6 kB 00:00:00
Resolving Dependencies
--> Running transaction check
---> Package docker.x86_64 0:25.0.8-1.amzn2.0.4 will be installed
:
Installed:
docker.x86_64 0:25.0.8-1.amzn2.0.4
Dependency Installed:
containerd.x86_64 0:2.0.5-1.amzn2.0.1 pigz.x86_64 0:2.3.4-1.amzn2.0.1 runc.x86_64 0:1.2.4-3.amzn2
Complete!
[root@ip-172-31-2-191 workdir]# systemctl start docker
[root@ip-172-31-2-191 workdir]# systemctl enable docker
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
[root@ip-172-31-2-191 workdir]# docker export $(docker create busybox) | tar -C rootfs -xvf -
Unable to find image 'busybox:latest' locally
latest: Pulling from library/busybox
90b9666d4aed: Pull complete
Digest: sha256:f85340bf132ae937d2c2a763b8335c9bab35d6e8293f70f606b9c6178d84f42b
Status: Downloaded newer image for busybox:latest
.dockerenv
bin/
:
var/www/
[root@ip-172-31-2-191 workdir]#
Running the runc command. Note that installing docker also pulled in the distro's runc package (runc-1.2.4-3.amzn2 in the yum output above), so there are now two runc binaries on the machine; which -a runc and runc --version show which one the shell actually invokes.
[root@ip-172-31-2-191 workdir]# runc run sh
/ # exit
[root@ip-172-31-2-191 workdir]#
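The whole procedure above, condensed into one script, as an added example that is not code from this page or from the runc project: it builds the bundle the way the runc README describes (rootfs directory, docker export, runc spec), patches the config.json that runc spec writes so the container runs detached under a 64 MiB memory limit, and then reads that limit back from the host through the container's memory cgroup, which is the Chapter 3 connection. The bundle path /root/runc-memo, the container id memo-demo, the limit value, the one-key-per-line layout of runc spec output (the patch is text-based, and patch_spec stops if it cannot find the resources block) and a cgroup v1 host, as Amazon Linux 2 is, are all my assumptions rather than anything the page states. demo needs root, docker and runc on PATH; patch_spec and bundle_ok run anywhere.

```shell
#!/bin/sh
# Added example: build a runc bundle for busybox, give it a memory cgroup limit,
# and inspect that limit from the host. Paths, names and values are assumptions.
set -eu

BUNDLE=${BUNDLE:-/root/runc-memo}   # assumed bundle directory
NAME=memo-demo                      # assumed container id
LIMIT=67108864                      # 64 MiB, in bytes

# bundle_ok DIR: an OCI bundle is a directory holding config.json and a rootfs.
# "runc run" fails with "config.json not found" when the first one is missing.
bundle_ok() {
  [ -f "$1/config.json" ] && [ -d "$1/rootfs" ]
}

# patch_spec CONFIG LIMIT: edit the config.json produced by "runc spec" so that
#  - the process has no tty and runs "sleep 300" (so it can be started detached),
#  - linux.resources.memory.limit is set to LIMIT bytes.
# Text-based on purpose (no jq on a bare Amazon Linux 2); it relies on the
# one-key-per-line layout of runc spec output and verifies its own result.
patch_spec() {
  awk -v lim="$2" '
    /"terminal": true/ { sub(/true/, "false") }
    /"args": \[/       { inargs = 1 }
    inargs && /"sh"/   { sub(/"sh"/, "\"sleep\", \"300\""); inargs = 0 }
    { print }
    /"resources": [{]/ && !done {
      printf "\t\t\t\"memory\": {\n\t\t\t\t\"limit\": %s\n\t\t\t},\n", lim
      done = 1
    }
  ' "$1" > "$1.new" && mv "$1.new" "$1"
  grep -q "\"limit\": $2" "$1" || { echo "resources block not found in $1" >&2; return 1; }
}

# demo: the runnable walk-through. Needs root, docker and runc on PATH.
demo() {
  echo "using $(command -v runc)"           # the self-built /usr/local/sbin/runc or the distro one?
  mkdir -p "$BUNDLE/rootfs"
  cd "$BUNDLE"
  docker export "$(docker create busybox)" | tar -C rootfs -xf -
  runc spec                                 # writes config.json, the file the earlier error asked for
  patch_spec config.json "$LIMIT"
  bundle_ok "$BUNDLE"

  runc run -d -b "$BUNDLE" "$NAME"          # detached; no --console-socket needed with terminal=false
  pid=$(runc state "$NAME" | sed -n 's/.*"pid": *\([0-9]*\).*/\1/p')
  # cgroup v1: /proc/PID/cgroup contains a line "N:memory:/path". On a cgroup v2
  # host the line is "0::/path" and the file to read would be memory.max instead.
  cg=$(sed -n 's/^[0-9]*:memory:\(.*\)$/\1/p' "/proc/$pid/cgroup")
  echo "container pid $pid is in memory cgroup $cg"
  lscgroup "memory:$cg"                     # the libcgroup-tools view of the same cgroup
  cat "/sys/fs/cgroup/memory$cg/memory.limit_in_bytes"   # expect 67108864

  runc delete -f "$NAME"                    # SIGKILL the container and remove its state
}

if [ "${1:-}" = "demo" ]; then
  demo
fi
```

Save it as runc-memo.sh and run sh runc-memo.sh demo as root; the last line printed is the limit the kernel actually enforces on the container, read from the same /sys/fs/cgroup/memory hierarchy the lscgroup section works with. Because docker export runs busybox's sleep, the container sits idle until runc delete -f removes it.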
Finally
I hope this article is of help to someone.
That's all.