Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Mackerelコンテナエージェントによる コンテナ監視について / Mackerel Me...
Search
Hayato Imai
March 01, 2019
Technology
1
9.6k
Mackerelコンテナエージェントによる コンテナ監視について / Mackerel Meetup #13 Tokyo
2019/03/01
https://mackerelio.connpass.com/event/118995/
Hayato Imai
March 01, 2019
Tweet
Share
More Decks by Hayato Imai
See All by Hayato Imai
Kubernetes撤退、 その後のはてなの取り組み / kubernetes meetup tokyo number 52
hayajo
9
7.3k
Mackerelにおける Cloud Nativeへの取り組みと チームへ与えた変化 / CloudNative Days Tokyo 2020
hayajo
2
1.5k
MackerelにおけるKubernetes利用の取組みとこれから / Kubernetes Meetup Tokyo #22
hayajo
20
10k
Mackerelチームのコンテナ開発における戦略とこれから / 190722-cndt2019
hayajo
1
1.9k
AWSコンテナサービス入門 / nds60-jaws-ug
hayajo
0
3k
コンテナのメトリクスと モニタリングパターン / 190320-sakura-event
hayajo
6
1.7k
Docker for Mac/Windows ではじめる Kubernetes / NDS55 Docker with Kubernetes
hayajo
16
15k
Terrafromで構築するマルチクラウドプラットフォームインフラストラクチャ / NDS53 Terraform
hayajo
0
430
Ncatをつかおう / Use Ncat
hayajo
1
3.7k
Other Decks in Technology
See All in Technology
Modern_Data_Stack最新動向クイズ_買収_AI_激動の2025年_.pdf
sagara
0
170
タスクって今どうなってるの?3.14の新機能 asyncio ps と pstree でasyncioのデバッグを (PyCon JP 2025)
jrfk
1
210
PLaMoの事後学習を支える技術 / PFN LLMセミナー
pfn
PRO
9
3.6k
SOC2取得の全体像
shonansurvivors
1
350
後進育成のしくじり〜任せるスキルとリーダーシップの両立〜
matsu0228
2
1.1k
ACA でMAGI システムを社内で展開しようとした話
mappie_kochi
0
150
KAGのLT会 #8 - 東京リージョンでGAしたAmazon Q in QuickSightを使って、報告用の資料を作ってみた
0air
0
190
PLaMo2シリーズのvLLM実装 / PFN LLM セミナー
pfn
PRO
2
900
「技術負債にならない・間違えない」 権限管理の設計と実装
naro143
35
10k
OCI Network Firewall 概要
oracle4engineer
PRO
1
7.7k
Oracle Base Database Service 技術詳細
oracle4engineer
PRO
11
77k
BirdCLEF+2025 Noir 5位解法紹介
myso
0
180
Featured
See All Featured
Product Roadmaps are Hard
iamctodd
PRO
54
11k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
23
1.5k
Six Lessons from altMBA
skipperchong
28
4k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
358
30k
Java REST API Framework Comparison - PWX 2021
mraible
33
8.8k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
248
1.3M
Git: the NoSQL Database
bkeepers
PRO
431
66k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
114
20k
GitHub's CSS Performance
jonrohan
1032
460k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
49
3.1k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.5k
Designing for Performance
lara
610
69k
Transcript
MackerelίϯςφΤʔδΣϯτʹΑΔ ίϯςφࢹʹ͍ͭͯ .BDLFSFM.FFUVQ JEIBZBKP@
ࣗݾհ • ࠓҪ൏ਓ(id:hayajo_77) • MackerelνʔϜ SRE • 201711݄ೖࣾ • ίϯςφཁૉٕज़ɺपลٕज़
ίϯςφٕज़ೖԾԽͱͷҧ͍ΛΓɺཁૉٕज़Λ৮ֶͬͯ΅͏ IUUQTFNQMPZNFOUFOKBQBODPNFOHJOFFSIVCFOUSZ
ΞδΣϯμ • MackerelίϯςφΤʔδΣϯτͷհ • ϝτϦοΫऔಘઓུղઆ • ࠓޙͷίϯςφΤʔδΣϯτ • ·ͱΊ
MackerelίϯςφΤʔδΣϯτͷհ
MackerelίϯςφΤʔδΣϯτ ʢύϒϦοΫϕʔλʣΛެ։͠·ͨ͠ https://mackerel.io/ja/blog/entry/weekly/20190218
ύϒϦοΫϕʔλͱ • কདྷతʹਖ਼ࣜͳαʔϏεϦϦʔεΛߦ͏༧ఆ͕͋ΔػೳΛઌߦͯ͠ ެ։ • ׆ൃʹมߋΛߦ͍ɺ৽͍͠όʔδϣϯΛఏڙ • ࣄલࠂͷ্Ͱඇޓमਖ਼Λ࣮ࢪ
OSSͱͯ͠ެ։ • DockerHub • mackerel/mackerel-container-agent • GitHub • mackerelio/mackerel-container-agent •
IssuePRݪଇӳޠͰ͓ئ͍͠·͢
ίϯςφઐ༻ͷܰྔΤʔδΣϯτ • ίϯςφઐ༻ͱͯ͠࠶ઃܭ • Amazon ECS, AWS Fargate, KubernetesʹରԠ •
1λεΫ/Podʹ͖ͭ1ϗετͱͯ͠Χϯτ • ʰγεςϜΛߏ͢Δ࠷খ୯Ґ(ͩͱγεςϜΛཧ͢Δ্ͰΈͳ ͖͢ͷ)ʱ • see. ʮFAQɾϗετͷܭࢉํ๏ʹ͍ͭͯ - Mackerel ϔϧϓʯ
αΠυΧʔίϯςφͱͯ͠σϓϩΠ • ϓϥοτϑΥʔϜʹΑͬͯઃఆ͕ҟͳΔ • ECS(EC2/Bridge, EC2/Host) • ECS(EC2/awsvpc, Fargate) •
Kubernetes • see. ʮίϯςφΛࢹ͢Δ - Mackerel ϔϧϓʯ
Web UI/ϗετҰཡ
Web UI/ϗετৄࡉ
Web UI/ϩʔϧάϥϑ
Δ͜ͱ • λεΫ/Podͷͯ͢ͷίϯςφͷϝτϦοΫΛγεςϜϝτϦοΫ ͱͯ͠ߘ • CPUɺϝϞϦɺωοτϫʔΫ • αʔϏε/ϩʔϧͷׂΓͯ • ϓϥάΠϯͷར༻
• ϓϥάΠϯΛΠϯετʔϧͨ͠DockerΠϝʔδͷ४උ͕ඞཁ
Βͳ͍͜ͱ • ΫϥελϊʔυͷϝτϦοΫऩू͠ͳ͍ • ϊʔυɺλεΫ/Pod, etc. • ϊʔυͷCPUɺϝϞϦɺωοτϫʔΫɺσΟεΫͳͲ • mackerel-agentΛར༻
• αϙʔτ͢ΔϓϥοτϑΥʔϜҎ֎ͷίϯςφͷࢹ • DockerʮDockerΛϞχλϦϯά͢Δ - Mackerel ϔϧϓʯ
αΠυΧʔύλʔϯͷ࠾༻ • FargateͷΑ͏ͳɺΠϯϑϥετϥΫνϟͷཧ͕ෆཁͳίϯςφ ར༻͕ओྲྀʹͳΔͱߟ͍͑ͯΔ • Mackerelʹ͓͚ΔϗετͷఆٛͱλεΫ/PodͷϥΠϑαΠΫϧ • ίϯςφؒͷϦιʔεڞ༗ • ࢹରͷΞϓϦέʔγϣϯ༷ʹ͍ۙࢹઃఆ͕Մೳ
ϝτϦοΫऔಘઓུղઆ
ϝτϦοΫऔಘΞʔΩςΫνϟ
ECS/Fargate
ECS/FargateͷAPI &$#SJEHF &$)PTU &$BXTWQD 'BSHBUF *OUSPTQFDUJPO "1* ˔ ˔ ☓
☓ 5BTL.FUBEBUB &OEQPJOUW ☓ ☓ ˔ ˔ 5BTL.FUBEBUB &OEQPJOUW ˔ ˔ ˔ ☓
Introspection API • λεΫͷϝλσʔλΛฦ͢ • λεΫͷARNεςʔλεɺ֤ίϯςφͷDockerIDͳͲ • ίϯςφͷϝτϦοΫCPUɺϝϞϦLIMITऔಘͰ͖ͳ͍ • Docker
stats API(docker.sock)cgroupfsͰΧόʔ • EC2/Bridge, EC2/HostͰར༻ • Task Metadata Endpoint v3ʹରԠ༧ఆ
Task Metadata Endpoint v2/v3 • λεΫϝλσʔλɺίϯςφϝτϦοΫΛฦ͢ • ϝτϦοΫDocker stats APIͦͷͷΛฦ͢
• v2/v3ͰऔಘͰ͖Δσʔλʹେ͖ͳҧ͍ͳ͍ • EC2/awsvpc, FargateͰv2Λར༻ • EC2/awsvpcv3ʹҠߦ༧ఆ
ECS/FargateͷωοτϫʔΫϝτϦοΫ • ωοτϫʔΫϝτϦοΫ͕औಘͰ͖ΔͷEC2/Bridge͚ͩ...... • Docker stats API(libnetwork)bridgeϞʔυͷͱ͖͔͠ϝτϦοΫ ͕औΕͳ͍ͬΆ͍ • ࣮ʹৄ͍͠ํɺͥͻ࠙ձͰ͓͠·͠ΐ͏ʂ
root@ebb5c8c90634:/# curl -s $ {ECS_CONTAINER_METADATA_URI}/stats | jq .networks { "eth0":
{ "rx_bytes": 17331985, "tx_packets": 932, "rx_packets": 1353, "tx_bytes": 77755 } } e.g. EC2/Bridge w/ TMEv3
root@ip-10-0-10-144:/# curl -s ${ECS_CONTAINER_METADATA_URI}/stats | \ > jq .networks null
e.g. EC2/Host, EC2/awsvpc w/ TMEv3 root@9ea93ec5d92b:/# curl -s ${ECS_CONTAINER_METADATA_URI}/stats | \ > jq .networks null
-bash-4.2# CID=$(basename $(head -n1 /proc/self/ cgroup | cut -d: -f3))
-bash-4.2# curl -s 169.254.170.2/v2/stats/${CID} | jq .networks null e.g. Fargate w/ TMEv2
EC2/BridgeͷωοτϫʔΫελοΫ • ωοτϫʔΫελοΫλεΫͷίϯςφ͝ͱʹҟͳΔ
EC2/HostωοτϫʔΫελοΫ • ϗετͷωοτϫʔΫελοΫΛλεΫͷίϯςφؒͰڞ༗
EC2/awsvpc, FargateωοτϫʔΫελοΫ • ωοτϫʔΫελοΫΛλεΫͷίϯςφؒͰڞ༗
ίϯςφΤʔδΣϯτʹ͓͚ΔECS/Fargateͷ ωοτϫʔΫϝτϦοΫͷऔಘ • EC2/BridgeϞʔυͷ߹ɺDocker stats API͔Β֤ίϯςφͷωο τϫʔΫϝτϦοΫΛऔಘͯ͠λεΫͷϝτϦοΫͱͯ͠ߘ • EC2/Host, EC2/awsvpc,
FargateͰɺίϯςφಉ࢜ωοτϫʔ ΫελοΫΛڞ༗͢ΔͷͰɺίϯςφΤʔδΣϯτࣗͷωοτϫʔ ΫϝτϦοΫΛऔಘͯ͠λεΫͷϝτϦοΫͱͯ͠ߘ
• ಉ͡ίϯςφఆٛͰɺىಈλΠϓɺωοτϫʔΫϞʔυͰΠϯλʔ ϑΣʔεͷݟ͑ํ͕ҟͳΔ λεΫͷInterfaceάϥϑ &$#SJEHF &$)PTU &$BXTWQD 'BSHBUF
• ىಈλΠϓɺωοτϫʔΫϞʔυʹΑͬͯར༻Ͱ͖ΔAPI͕ҟͳΔ • EC2ىಈλΠϓTask Metadata Endpoint v3ʹରԠத • ωοτϫʔΫϞʔυʹΑͬͯωοτϫʔΫϝτϦοΫͷऔಘํ๏͕ ҟͳΔ
ECS/Fargateʹ͓͚ΔϝτϦοΫऔಘ·ͱΊ
Kubernetes
KubernetesͷCore metrics pipeline
kubelet API • PodͷϝλσʔλϝτϦοΫɺϩάΛऔಘɺίϚϯυͷϩʔΧϧ ࣮ߦͷͨΊͷAPI • kubelet port(10250/HTTPS)ͱread-only port(10255/HTTP)Ͱ LISTEN
• read-only port͕ແޮͳڥ͋Δ
kubelet APIͷAuthN/AuthZ • kubelet portͰೝূ/ೝՄΛઃఆͰ͖Δ • Authentication • ಗ໊ΞΫηεɺΫϥΠΞϯτূ໌ॻೝূɺτʔΫϯೝূ •
Authorization • AlwaysAllow, Webhook • SubjectAccessReview APIʹΑΔݖݶνΣοΫ • see. ʮKubelet authentication/authorization - Kubernetesʯ
ίϯςφΤʔδΣϯτͱkubelet API • σϑΥϧτͰread-only portΛར༻ • ઃఆͰkubelet portʹΓସ͑Մೳ • τʔΫϯೝূΛαϙʔτ
• "nodes/proxy", "nodes/stats", "nodes/spec"ʹgetΞΫηε • ͏·͍͔͘ͳ͍߹automountServiceAccountTokenઃఆνΣοΫ • see. ʮKubernetesʹmackerel-container-agentΛηοτΞοϓ͢Δ - Mackerel ϔϧϓʯ
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: mackerel-container-agent rules: - apiGroups:
[""] resources: ["nodes/proxy", "nodes/stats", "nodes/spec"] verbs: ["get"] e.g. RBACઃఆ(ClusterRole)
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: mackerel-container-agent-binding roleRef: apiGroup: rbac.authorization.k8s.io
kind: ClusterRole name: mackerel-container-agent subjects: - kind: ServiceAccount name: my-service-account namespace: default e.g. RBACઃఆ(ClusterRoleBinding)
• kubelet API͔ΒϝτϦοΫΛऔಘ͢Δ • σϑΥϧτread-only PortΛར༻ • kubelet portͰτʔΫϯೝূʹରԠ •
ඞཁʹԠͯ͡RBACΛઃఆ Kubernetesʹ͓͚ΔϝτϦοΫऔಘ·ͱΊ
ࠓޙͷίϯςφΤʔδΣϯτ
ۙରԠ༧ఆ • Task Metadata Endpoint v3ରԠ • EC2/Bridge, EC2/Host, EC2/awspvc
• docker.sockcgroupfsͷґଘΛͳ͘͢ • rootϢʔβඞཁͳ͠ • cgroupfsͷϚϯτϙΠϯτͷҧ͍Λؾʹ͠ͳͯ͘Α͍
లͱߏ • ϓϥάΠϯར༻ͷརศੑ্ • ϓϥάΠϯಉࠝΠϝʔδͷఏڙͳͲ • ΧελϜϝτϦοΫͷѻ͍ • ϗετಉ༷ʹୀޙɺҰఆظؒܦաͰඇදࣔͱͳΔ •
PrometheusServiceMeshͱͷ࿈ܞ
·ͱΊ
·ͱΊ • ίϯςφΤʔδΣϯτʢύϒϦοΫϕʔλʣΛϦϦʔε • λεΫ/PodΛࢹ͢ΔαΠυΧʔίϯςφ • ϓϥοτϑΥʔϜ͕ఏڙ͢ΔAPI͔ΒϝτϦοΫΛऩू • see. ʮίϯςφΛࢹ͢Δ
- Mackerel ϔϧϓʯ
ϑΟʔυόοΫΛ͓͍ͪͯ͠·͢
None