Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Mackerelコンテナエージェントによる コンテナ監視について / Mackerel Me...
Search
Hayato Imai
March 01, 2019
Technology
1
9.1k
Mackerelコンテナエージェントによる コンテナ監視について / Mackerel Meetup #13 Tokyo
2019/03/01
https://mackerelio.connpass.com/event/118995/
Hayato Imai
March 01, 2019
Tweet
Share
More Decks by Hayato Imai
See All by Hayato Imai
Kubernetes撤退、 その後のはてなの取り組み / kubernetes meetup tokyo number 52
hayajo
9
7.2k
Mackerelにおける Cloud Nativeへの取り組みと チームへ与えた変化 / CloudNative Days Tokyo 2020
hayajo
2
1.5k
MackerelにおけるKubernetes利用の取組みとこれから / Kubernetes Meetup Tokyo #22
hayajo
20
9.7k
Mackerelチームのコンテナ開発における戦略とこれから / 190722-cndt2019
hayajo
1
1.8k
AWSコンテナサービス入門 / nds60-jaws-ug
hayajo
0
2.9k
コンテナのメトリクスと モニタリングパターン / 190320-sakura-event
hayajo
6
1.7k
Docker for Mac/Windows ではじめる Kubernetes / NDS55 Docker with Kubernetes
hayajo
16
15k
Terrafromで構築するマルチクラウドプラットフォームインフラストラクチャ / NDS53 Terraform
hayajo
0
410
Ncatをつかおう / Use Ncat
hayajo
1
3.6k
Other Decks in Technology
See All in Technology
脳波を用いた嗜好マッチングシステム
hokkey621
0
170
AI エージェント開発を支える MaaS としての Azure AI Foundry
ryohtaka
6
630
PHPで印刷所に入稿できる名札データを作る / Generating Print-Ready Name Tag Data with PHP
tomzoh
0
140
IAMポリシーのAllow/Denyについて、改めて理解する
smt7174
2
160
【詳説】コンテンツ配信 システムの複数機能 基盤への拡張
hatena
0
100
室長と気ままに学ぶマイクロソフトのビジネスアプリケーションとビジネスプロセス
ryoheig0405
0
370
RSNA2024振り返り
nanachi
0
620
管理者しか知らないOutlookの裏側のAIを覗く#AzureTravelers
hirotomotaguchi
2
510
わたしのOSS活動
kazupon
2
300
現場で役立つAPIデザイン
nagix
35
13k
エンジニアのためのドキュメント力基礎講座〜構造化思考から始めよう〜(2025/02/15jbug広島#15発表資料)
yasuoyasuo
18
7.1k
Classmethod AI Talks(CATs) #17 司会進行スライド(2025.02.19) / classmethod-ai-talks-aka-cats_moderator-slides_vol17_2025-02-19
shinyaa31
0
160
Featured
See All Featured
Code Reviewing Like a Champion
maltzj
521
39k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
40
2k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.1k
4 Signs Your Business is Dying
shpigford
182
22k
Typedesign – Prime Four
hannesfritz
40
2.5k
What's in a price? How to price your products and services
michaelherold
244
12k
Product Roadmaps are Hard
iamctodd
PRO
50
11k
The Power of CSS Pseudo Elements
geoffreycrofte
75
5.5k
The Art of Programming - Codeland 2020
erikaheidi
53
13k
Designing for humans not robots
tammielis
250
25k
The Cult of Friendly URLs
andyhume
78
6.2k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
30
2.2k
Transcript
MackerelίϯςφΤʔδΣϯτʹΑΔ ίϯςφࢹʹ͍ͭͯ .BDLFSFM.FFUVQ JEIBZBKP@
ࣗݾհ • ࠓҪ൏ਓ(id:hayajo_77) • MackerelνʔϜ SRE • 201711݄ೖࣾ • ίϯςφཁૉٕज़ɺपลٕज़
ίϯςφٕज़ೖԾԽͱͷҧ͍ΛΓɺཁૉٕज़Λ৮ֶͬͯ΅͏ IUUQTFNQMPZNFOUFOKBQBODPNFOHJOFFSIVCFOUSZ
ΞδΣϯμ • MackerelίϯςφΤʔδΣϯτͷհ • ϝτϦοΫऔಘઓུղઆ • ࠓޙͷίϯςφΤʔδΣϯτ • ·ͱΊ
MackerelίϯςφΤʔδΣϯτͷհ
MackerelίϯςφΤʔδΣϯτ ʢύϒϦοΫϕʔλʣΛެ։͠·ͨ͠ https://mackerel.io/ja/blog/entry/weekly/20190218
ύϒϦοΫϕʔλͱ • কདྷతʹਖ਼ࣜͳαʔϏεϦϦʔεΛߦ͏༧ఆ͕͋ΔػೳΛઌߦͯ͠ ެ։ • ׆ൃʹมߋΛߦ͍ɺ৽͍͠όʔδϣϯΛఏڙ • ࣄલࠂͷ্Ͱඇޓमਖ਼Λ࣮ࢪ
OSSͱͯ͠ެ։ • DockerHub • mackerel/mackerel-container-agent • GitHub • mackerelio/mackerel-container-agent •
IssuePRݪଇӳޠͰ͓ئ͍͠·͢
ίϯςφઐ༻ͷܰྔΤʔδΣϯτ • ίϯςφઐ༻ͱͯ͠࠶ઃܭ • Amazon ECS, AWS Fargate, KubernetesʹରԠ •
1λεΫ/Podʹ͖ͭ1ϗετͱͯ͠Χϯτ • ʰγεςϜΛߏ͢Δ࠷খ୯Ґ(ͩͱγεςϜΛཧ͢Δ্ͰΈͳ ͖͢ͷ)ʱ • see. ʮFAQɾϗετͷܭࢉํ๏ʹ͍ͭͯ - Mackerel ϔϧϓʯ
αΠυΧʔίϯςφͱͯ͠σϓϩΠ • ϓϥοτϑΥʔϜʹΑͬͯઃఆ͕ҟͳΔ • ECS(EC2/Bridge, EC2/Host) • ECS(EC2/awsvpc, Fargate) •
Kubernetes • see. ʮίϯςφΛࢹ͢Δ - Mackerel ϔϧϓʯ
Web UI/ϗετҰཡ
Web UI/ϗετৄࡉ
Web UI/ϩʔϧάϥϑ
Δ͜ͱ • λεΫ/Podͷͯ͢ͷίϯςφͷϝτϦοΫΛγεςϜϝτϦοΫ ͱͯ͠ߘ • CPUɺϝϞϦɺωοτϫʔΫ • αʔϏε/ϩʔϧͷׂΓͯ • ϓϥάΠϯͷར༻
• ϓϥάΠϯΛΠϯετʔϧͨ͠DockerΠϝʔδͷ४උ͕ඞཁ
Βͳ͍͜ͱ • ΫϥελϊʔυͷϝτϦοΫऩू͠ͳ͍ • ϊʔυɺλεΫ/Pod, etc. • ϊʔυͷCPUɺϝϞϦɺωοτϫʔΫɺσΟεΫͳͲ • mackerel-agentΛར༻
• αϙʔτ͢ΔϓϥοτϑΥʔϜҎ֎ͷίϯςφͷࢹ • DockerʮDockerΛϞχλϦϯά͢Δ - Mackerel ϔϧϓʯ
αΠυΧʔύλʔϯͷ࠾༻ • FargateͷΑ͏ͳɺΠϯϑϥετϥΫνϟͷཧ͕ෆཁͳίϯςφ ར༻͕ओྲྀʹͳΔͱߟ͍͑ͯΔ • Mackerelʹ͓͚ΔϗετͷఆٛͱλεΫ/PodͷϥΠϑαΠΫϧ • ίϯςφؒͷϦιʔεڞ༗ • ࢹରͷΞϓϦέʔγϣϯ༷ʹ͍ۙࢹઃఆ͕Մೳ
ϝτϦοΫऔಘઓུղઆ
ϝτϦοΫऔಘΞʔΩςΫνϟ
ECS/Fargate
ECS/FargateͷAPI &$#SJEHF &$)PTU &$BXTWQD 'BSHBUF *OUSPTQFDUJPO "1* ˔ ˔ ☓
☓ 5BTL.FUBEBUB &OEQPJOUW ☓ ☓ ˔ ˔ 5BTL.FUBEBUB &OEQPJOUW ˔ ˔ ˔ ☓
Introspection API • λεΫͷϝλσʔλΛฦ͢ • λεΫͷARNεςʔλεɺ֤ίϯςφͷDockerIDͳͲ • ίϯςφͷϝτϦοΫCPUɺϝϞϦLIMITऔಘͰ͖ͳ͍ • Docker
stats API(docker.sock)cgroupfsͰΧόʔ • EC2/Bridge, EC2/HostͰར༻ • Task Metadata Endpoint v3ʹରԠ༧ఆ
Task Metadata Endpoint v2/v3 • λεΫϝλσʔλɺίϯςφϝτϦοΫΛฦ͢ • ϝτϦοΫDocker stats APIͦͷͷΛฦ͢
• v2/v3ͰऔಘͰ͖Δσʔλʹେ͖ͳҧ͍ͳ͍ • EC2/awsvpc, FargateͰv2Λར༻ • EC2/awsvpcv3ʹҠߦ༧ఆ
ECS/FargateͷωοτϫʔΫϝτϦοΫ • ωοτϫʔΫϝτϦοΫ͕औಘͰ͖ΔͷEC2/Bridge͚ͩ...... • Docker stats API(libnetwork)bridgeϞʔυͷͱ͖͔͠ϝτϦοΫ ͕औΕͳ͍ͬΆ͍ • ࣮ʹৄ͍͠ํɺͥͻ࠙ձͰ͓͠·͠ΐ͏ʂ
root@ebb5c8c90634:/# curl -s $ {ECS_CONTAINER_METADATA_URI}/stats | jq .networks { "eth0":
{ "rx_bytes": 17331985, "tx_packets": 932, "rx_packets": 1353, "tx_bytes": 77755 } } e.g. EC2/Bridge w/ TMEv3
root@ip-10-0-10-144:/# curl -s ${ECS_CONTAINER_METADATA_URI}/stats | \ > jq .networks null
e.g. EC2/Host, EC2/awsvpc w/ TMEv3 root@9ea93ec5d92b:/# curl -s ${ECS_CONTAINER_METADATA_URI}/stats | \ > jq .networks null
-bash-4.2# CID=$(basename $(head -n1 /proc/self/ cgroup | cut -d: -f3))
-bash-4.2# curl -s 169.254.170.2/v2/stats/${CID} | jq .networks null e.g. Fargate w/ TMEv2
EC2/BridgeͷωοτϫʔΫελοΫ • ωοτϫʔΫελοΫλεΫͷίϯςφ͝ͱʹҟͳΔ
EC2/HostωοτϫʔΫελοΫ • ϗετͷωοτϫʔΫελοΫΛλεΫͷίϯςφؒͰڞ༗
EC2/awsvpc, FargateωοτϫʔΫελοΫ • ωοτϫʔΫελοΫΛλεΫͷίϯςφؒͰڞ༗
ίϯςφΤʔδΣϯτʹ͓͚ΔECS/Fargateͷ ωοτϫʔΫϝτϦοΫͷऔಘ • EC2/BridgeϞʔυͷ߹ɺDocker stats API͔Β֤ίϯςφͷωο τϫʔΫϝτϦοΫΛऔಘͯ͠λεΫͷϝτϦοΫͱͯ͠ߘ • EC2/Host, EC2/awsvpc,
FargateͰɺίϯςφಉ࢜ωοτϫʔ ΫελοΫΛڞ༗͢ΔͷͰɺίϯςφΤʔδΣϯτࣗͷωοτϫʔ ΫϝτϦοΫΛऔಘͯ͠λεΫͷϝτϦοΫͱͯ͠ߘ
• ಉ͡ίϯςφఆٛͰɺىಈλΠϓɺωοτϫʔΫϞʔυͰΠϯλʔ ϑΣʔεͷݟ͑ํ͕ҟͳΔ λεΫͷInterfaceάϥϑ &$#SJEHF &$)PTU &$BXTWQD 'BSHBUF
• ىಈλΠϓɺωοτϫʔΫϞʔυʹΑͬͯར༻Ͱ͖ΔAPI͕ҟͳΔ • EC2ىಈλΠϓTask Metadata Endpoint v3ʹରԠத • ωοτϫʔΫϞʔυʹΑͬͯωοτϫʔΫϝτϦοΫͷऔಘํ๏͕ ҟͳΔ
ECS/Fargateʹ͓͚ΔϝτϦοΫऔಘ·ͱΊ
Kubernetes
KubernetesͷCore metrics pipeline
kubelet API • PodͷϝλσʔλϝτϦοΫɺϩάΛऔಘɺίϚϯυͷϩʔΧϧ ࣮ߦͷͨΊͷAPI • kubelet port(10250/HTTPS)ͱread-only port(10255/HTTP)Ͱ LISTEN
• read-only port͕ແޮͳڥ͋Δ
kubelet APIͷAuthN/AuthZ • kubelet portͰೝূ/ೝՄΛઃఆͰ͖Δ • Authentication • ಗ໊ΞΫηεɺΫϥΠΞϯτূ໌ॻೝূɺτʔΫϯೝূ •
Authorization • AlwaysAllow, Webhook • SubjectAccessReview APIʹΑΔݖݶνΣοΫ • see. ʮKubelet authentication/authorization - Kubernetesʯ
ίϯςφΤʔδΣϯτͱkubelet API • σϑΥϧτͰread-only portΛར༻ • ઃఆͰkubelet portʹΓସ͑Մೳ • τʔΫϯೝূΛαϙʔτ
• "nodes/proxy", "nodes/stats", "nodes/spec"ʹgetΞΫηε • ͏·͍͔͘ͳ͍߹automountServiceAccountTokenઃఆνΣοΫ • see. ʮKubernetesʹmackerel-container-agentΛηοτΞοϓ͢Δ - Mackerel ϔϧϓʯ
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: mackerel-container-agent rules: - apiGroups:
[""] resources: ["nodes/proxy", "nodes/stats", "nodes/spec"] verbs: ["get"] e.g. RBACઃఆ(ClusterRole)
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: mackerel-container-agent-binding roleRef: apiGroup: rbac.authorization.k8s.io
kind: ClusterRole name: mackerel-container-agent subjects: - kind: ServiceAccount name: my-service-account namespace: default e.g. RBACઃఆ(ClusterRoleBinding)
• kubelet API͔ΒϝτϦοΫΛऔಘ͢Δ • σϑΥϧτread-only PortΛར༻ • kubelet portͰτʔΫϯೝূʹରԠ •
ඞཁʹԠͯ͡RBACΛઃఆ Kubernetesʹ͓͚ΔϝτϦοΫऔಘ·ͱΊ
ࠓޙͷίϯςφΤʔδΣϯτ
ۙରԠ༧ఆ • Task Metadata Endpoint v3ରԠ • EC2/Bridge, EC2/Host, EC2/awspvc
• docker.sockcgroupfsͷґଘΛͳ͘͢ • rootϢʔβඞཁͳ͠ • cgroupfsͷϚϯτϙΠϯτͷҧ͍Λؾʹ͠ͳͯ͘Α͍
లͱߏ • ϓϥάΠϯར༻ͷརศੑ্ • ϓϥάΠϯಉࠝΠϝʔδͷఏڙͳͲ • ΧελϜϝτϦοΫͷѻ͍ • ϗετಉ༷ʹୀޙɺҰఆظؒܦաͰඇදࣔͱͳΔ •
PrometheusServiceMeshͱͷ࿈ܞ
·ͱΊ
·ͱΊ • ίϯςφΤʔδΣϯτʢύϒϦοΫϕʔλʣΛϦϦʔε • λεΫ/PodΛࢹ͢ΔαΠυΧʔίϯςφ • ϓϥοτϑΥʔϜ͕ఏڙ͢ΔAPI͔ΒϝτϦοΫΛऩू • see. ʮίϯςφΛࢹ͢Δ
- Mackerel ϔϧϓʯ
ϑΟʔυόοΫΛ͓͍ͪͯ͠·͢
None