Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Mackerelコンテナエージェントによる コンテナ監視について / Mackerel Meetup #13 Tokyo

Hayato Imai
March 01, 2019
Technology
1
6.3k

Mackerelコンテナエージェントによる コンテナ監視について / Mackerel Meetup #13 Tokyo

2019/03/01 https://mackerelio.connpass.com/event/118995/

Hayato Imai

March 01, 2019
Tweet

More Decks by Hayato Imai

See All by Hayato Imai
Kubernetes撤退、 その後のはてなの取り組み / kubernetes meetup tokyo number 52
hayajo
8
6.4k
Mackerelにおける Cloud Nativeへの取り組みと チームへ与えた変化 / CloudNative Days Tokyo 2020
hayajo
2
1.2k
MackerelにおけるKubernetes利用の取組みとこれから / Kubernetes Meetup Tokyo #22
hayajo
20
8.4k
Mackerelチームのコンテナ開発における戦略とこれから / 190722-cndt2019
hayajo
1
1.6k
AWSコンテナサービス入門 / nds60-jaws-ug
hayajo
0
2.6k
コンテナのメトリクスと モニタリングパターン / 190320-sakura-event
hayajo
6
1.4k
Docker for Mac/Windows ではじめる Kubernetes / NDS55 Docker with Kubernetes
hayajo
16
13k
Terrafromで構築するマルチクラウドプラットフォームインフラストラクチャ / NDS53 Terraform
hayajo
0
290
Ncatをつかおう / Use Ncat
hayajo
1
3.2k

Other Decks in Technology

See All in Technology
竹芝地区のデジタルツイン開発と3D人流シミュレーション開発
sbtechnight
PRO
0
290
チーム開発における様々なボトルネックの整理 / Organization of bottlenecks in Team Development
stefafafan
0
300
チームにスクラムを導入してみた
sbtechnight
PRO
0
300
Showcase2023_進化し続けるサイバーセキュリティ脅威を防ぐSaaSソリューション.pdf
sakaitakeshi
0
380
インターネットの最新技術をモバイル網に持ち込んで最強のエッジコンピューティング基盤を作ってみた
sbtechnight
PRO
0
310
JAWS-UG 朝会 #43 登壇資料
takakuni
0
390
エンジニアのためのドキュメントライティング / Docs for Developers
iwashi86
16
5k
DevRel/Japan CONFERENCE 2023
1ftseabass
PRO
0
400
AmebaにおけるQAコスト改善施策〜テスト項目の整理とAutify for Mobileによる自動化
sosuiiii
0
160
LINE Blockchain Developers APIではじめるWeb3
sbtechnight
PRO
0
310
技育祭2023春 ちゅらデータ講演資料
foursue
1
320
「新卒エンジニアが1年間で顔を売るために取った行動100連発」/YAPC::Kyoto 2023 前日祭 ネコトーストラボ杯争奪東西対抗LTマッチ
arthur1
0
170

Featured

See All Featured
Designing with Data
zakiwarfel
91
4.2k
The Pragmatic Product Professional
lauravandoore
21
3.6k
Designing for humans not robots
tammielis
245
24k
Done Done
chrislema
178
15k
5 minutes of I Can Smell Your CMS
philhawksworth
198
18k
BBQ
matthewcrist
75
8.2k
Documentation Writing (for coders)
carmenintech
51
3k
Art, The Web, and Tiny UX
lynnandtonic
284
18k
Design by the Numbers
sachag
271
18k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
101
6.2k
Git: the NoSQL Database
bkeepers
PRO
419
60k
The Cult of Friendly URLs
andyhume
70
5.1k

Transcript

  1. MackerelίϯςφΤʔδΣϯτʹΑΔ
    ίϯςφ؂ࢹʹ͍ͭͯ
    .BDLFSFM.FFUVQ
    [email protected]

    View Slide

  2. ࣗݾ঺հ
    • ࠓҪ൏ਓ(id:hayajo_77)
    • MackerelνʔϜ SRE
    • 2017೥11݄ೖࣾ
    • ίϯςφཁૉٕज़ɺपลٕज़
    ίϯςφٕज़ೖ໳Ծ૝Խͱͷҧ͍Λ஌Γɺཁૉٕज़Λ৮ֶͬͯ΅͏
    IUUQTFNQMPZNFOUFOKBQBODPNFOHJOFFSIVCFOUSZ

    View Slide

  3. ΞδΣϯμ
    • MackerelίϯςφΤʔδΣϯτͷ঺հ
    • ϝτϦοΫऔಘઓུղઆ
    • ࠓޙͷίϯςφΤʔδΣϯτ
    • ·ͱΊ

    View Slide

  4. MackerelίϯςφΤʔδΣϯτͷ঺հ

    View Slide

  5. MackerelίϯςφΤʔδΣϯτ
    ʢύϒϦοΫϕʔλʣΛެ։͠·ͨ͠
    https://mackerel.io/ja/blog/entry/weekly/20190218

    View Slide

  6. ύϒϦοΫϕʔλͱ͸
    • কདྷతʹਖ਼ࣜͳαʔϏεϦϦʔεΛߦ͏༧ఆ͕͋ΔػೳΛઌߦͯ͠
    ެ։
    • ׆ൃʹมߋΛߦ͍ɺ৽͍͠όʔδϣϯΛఏڙ
    • ࣄલࠂ஌ͷ্Ͱඇޓ׵मਖ਼Λ࣮ࢪ

    View Slide

  7. OSSͱͯ͠ެ։
    • DockerHub
    • mackerel/mackerel-container-agent
    • GitHub
    • mackerelio/mackerel-container-agent
    • Issue΍PR͸ݪଇӳޠͰ͓ئ͍͠·͢

    View Slide

  8. ίϯςφઐ༻ͷܰྔΤʔδΣϯτ
    • ίϯςφઐ༻ͱͯ͠࠶ઃܭ
    • Amazon ECS, AWS Fargate, KubernetesʹରԠ
    • 1λεΫ/Podʹ͖ͭ1ϗετͱͯ͠Χ΢ϯτ
    • ʰγεςϜΛߏ੒͢Δ࠷খ୯Ґ(ͩͱγεςϜΛ؅ཧ͢Δ্ͰΈͳ
    ͢΂͖΋ͷ)ʱ
    • see. ʮFAQɾϗετ਺ͷܭࢉํ๏ʹ͍ͭͯ - Mackerel ϔϧϓʯ

    View Slide

  9. αΠυΧʔίϯςφͱͯ͠σϓϩΠ
    • ϓϥοτϑΥʔϜʹΑͬͯઃఆ͕ҟͳΔ
    • ECS(EC2/Bridge, EC2/Host)
    • ECS(EC2/awsvpc, Fargate)
    • Kubernetes
    • see. ʮίϯςφΛ؂ࢹ͢Δ - Mackerel ϔϧϓʯ

    View Slide

  10. Web UI/ϗετҰཡ

    View Slide

  11. Web UI/ϗετৄࡉ

    View Slide

  12. Web UI/ϩʔϧάϥϑ

    View Slide

  13. ΍Δ͜ͱ
    • λεΫ/Podͷ͢΂ͯͷίϯςφͷϝτϦοΫΛγεςϜϝτϦοΫ
    ͱͯ͠౤ߘ
    • CPUɺϝϞϦɺωοτϫʔΫ
    • αʔϏε/ϩʔϧͷׂΓ౰ͯ
    • ϓϥάΠϯͷར༻
    • ϓϥάΠϯΛΠϯετʔϧͨ͠DockerΠϝʔδͷ४උ͕ඞཁ

    View Slide

  14. ΍Βͳ͍͜ͱ
    • Ϋϥελ΍ϊʔυͷϝτϦοΫ͸ऩू͠ͳ͍
    • ϊʔυ਺ɺλεΫ/Pod਺, etc.
    • ϊʔυͷCPUɺϝϞϦɺωοτϫʔΫɺσΟεΫͳͲ
    • mackerel-agentΛར༻
    • αϙʔτ͢ΔϓϥοτϑΥʔϜҎ֎ͷίϯςφͷ؂ࢹ
    • Docker͸ʮDockerΛϞχλϦϯά͢Δ - Mackerel ϔϧϓʯ

    View Slide

  15. αΠυΧʔύλʔϯͷ࠾༻
    • FargateͷΑ͏ͳɺΠϯϑϥετϥΫνϟͷ؅ཧ͕ෆཁͳίϯςφ
    ར༻͕ओྲྀʹͳΔͱߟ͍͑ͯΔ
    • Mackerelʹ͓͚ΔϗετͷఆٛͱλεΫ/PodͷϥΠϑαΠΫϧ
    • ίϯςφؒͷϦιʔεڞ༗
    • ؂ࢹର৅ͷΞϓϦέʔγϣϯ࢓༷ʹ͍ۙ؂ࢹઃఆ͕Մೳ

    View Slide

  16. ϝτϦοΫऔಘઓུղઆ

    View Slide

  17. ϝτϦοΫऔಘΞʔΩςΫνϟ

    View Slide

  18. ECS/Fargate

    View Slide

  19. ECS/FargateͷAPI
    &$#SJEHF &$)PTU &$BXTWQD 'BSHBUF
    *OUSPTQFDUJPO
    "1*
    ˔ ˔ ☓ ☓
    5BTL.FUBEBUB
    &OEQPJOUW
    ☓ ☓ ˔ ˔
    5BTL.FUBEBUB
    &OEQPJOUW
    ˔ ˔ ˔ ☓

    View Slide

  20. Introspection API
    • λεΫͷϝλσʔλΛฦ͢
    • λεΫͷARN΍εςʔλεɺ֤ίϯςφͷDockerIDͳͲ
    • ίϯςφͷϝτϦοΫ΍CPUɺϝϞϦLIMIT͸औಘͰ͖ͳ͍
    • Docker stats API(docker.sock)΍cgroupfsͰΧόʔ
    • EC2/Bridge, EC2/HostͰར༻
    • Task Metadata Endpoint v3ʹରԠ༧ఆ

    View Slide

  21. Task Metadata Endpoint v2/v3
    • λεΫϝλσʔλɺίϯςφϝτϦοΫΛฦ͢
    • ϝτϦοΫ͸Docker stats APIͦͷ΋ͷΛฦ͢
    • v2/v3ͰऔಘͰ͖Δσʔλʹେ͖ͳҧ͍͸ͳ͍
    • EC2/awsvpc, FargateͰv2Λར༻
    • EC2/awsvpc͸v3ʹҠߦ༧ఆ

    View Slide

  22. ECS/FargateͷωοτϫʔΫϝτϦοΫ
    • ωοτϫʔΫϝτϦοΫ͕औಘͰ͖Δͷ͸EC2/Bridge͚ͩ......
    • Docker stats API(libnetwork)͸bridgeϞʔυͷͱ͖͔͠ϝτϦοΫ
    ͕औΕͳ͍ͬΆ͍
    • ࣮૷ʹৄ͍͠ํɺͥͻ࠙਌ձͰ͓࿩͠·͠ΐ͏ʂ

    View Slide

  23. [email protected]:/# curl -s $
    {ECS_CONTAINER_METADATA_URI}/stats | jq .networks
    {
    "eth0": {
    "rx_bytes": 17331985,
    "tx_packets": 932,
    "rx_packets": 1353,
    "tx_bytes": 77755
    }
    }
    e.g. EC2/Bridge w/ TMEv3

    View Slide

  24. [email protected]:/# curl -s ${ECS_CONTAINER_METADATA_URI}/stats | \
    > jq .networks
    null
    e.g. EC2/Host, EC2/awsvpc w/ TMEv3
    [email protected]:/# curl -s ${ECS_CONTAINER_METADATA_URI}/stats | \
    > jq .networks
    null

    View Slide

  25. -bash-4.2# CID=$(basename $(head -n1 /proc/self/
    cgroup | cut -d: -f3))
    -bash-4.2# curl -s 169.254.170.2/v2/stats/${CID} |
    jq .networks
    null
    e.g. Fargate w/ TMEv2

    View Slide

  26. EC2/BridgeͷωοτϫʔΫελοΫ
    • ωοτϫʔΫελοΫ͸λεΫͷίϯςφ͝ͱʹҟͳΔ

    View Slide

  27. EC2/HostωοτϫʔΫελοΫ
    • ϗετͷωοτϫʔΫελοΫΛλεΫͷίϯςφؒͰڞ༗

    View Slide

  28. EC2/awsvpc, FargateωοτϫʔΫελοΫ
    • ωοτϫʔΫελοΫΛλεΫͷίϯςφؒͰڞ༗

    View Slide

  29. ίϯςφΤʔδΣϯτʹ͓͚ΔECS/Fargateͷ
    ωοτϫʔΫϝτϦοΫͷऔಘ
    • EC2/BridgeϞʔυͷ৔߹ɺDocker stats API͔Β֤ίϯςφͷωο
    τϫʔΫϝτϦοΫΛऔಘͯ͠λεΫͷϝτϦοΫͱͯ͠౤ߘ
    • EC2/Host, EC2/awsvpc, FargateͰ͸ɺίϯςφಉ࢜͸ωοτϫʔ
    ΫελοΫΛڞ༗͢ΔͷͰɺίϯςφΤʔδΣϯτࣗ਎ͷωοτϫʔ
    ΫϝτϦοΫΛऔಘͯ͠λεΫͷϝτϦοΫͱͯ͠౤ߘ

    View Slide

  30. • ಉ͡ίϯςφఆٛͰ΋ɺىಈλΠϓɺωοτϫʔΫϞʔυͰΠϯλʔ
    ϑΣʔεͷݟ͑ํ͕ҟͳΔ
    λεΫͷInterfaceάϥϑ
    &$#SJEHF &$)PTU &$BXTWQD 'BSHBUF

    View Slide

  31. • ىಈλΠϓɺωοτϫʔΫϞʔυʹΑͬͯར༻Ͱ͖ΔAPI͕ҟͳΔ
    • EC2ىಈλΠϓ͸Task Metadata Endpoint v3ʹରԠத
    • ωοτϫʔΫϞʔυʹΑͬͯωοτϫʔΫϝτϦοΫͷऔಘํ๏͕
    ҟͳΔ
    ECS/Fargateʹ͓͚ΔϝτϦοΫऔಘ·ͱΊ

    View Slide

  32. Kubernetes

    View Slide

  33. KubernetesͷCore metrics pipeline

    View Slide

  34. kubelet API
    • Podͷϝλσʔλ΍ϝτϦοΫɺϩάΛऔಘɺίϚϯυͷϩʔΧϧ
    ࣮ߦͷͨΊͷAPI
    • kubelet port(10250/HTTPS)ͱread-only port(10255/HTTP)Ͱ
    LISTEN
    • read-only port͕ແޮͳ؀ڥ΋͋Δ

    View Slide

  35. kubelet APIͷAuthN/AuthZ
    • kubelet portͰ͸ೝূ/ೝՄΛઃఆͰ͖Δ
    • Authentication
    • ಗ໊ΞΫηεɺΫϥΠΞϯτূ໌ॻೝূɺτʔΫϯೝূ
    • Authorization
    • AlwaysAllow, Webhook
    • SubjectAccessReview APIʹΑΔݖݶνΣοΫ
    • see. ʮKubelet authentication/authorization - Kubernetesʯ

    View Slide

  36. ίϯςφΤʔδΣϯτͱkubelet API
    • σϑΥϧτͰ͸read-only portΛར༻
    • ઃఆͰkubelet portʹ੾Γସ͑Մೳ
    • τʔΫϯೝূΛαϙʔτ
    • "nodes/proxy", "nodes/stats", "nodes/spec"ʹgetΞΫηε
    • ͏·͍͔͘ͳ͍৔߹͸automountServiceAccountTokenઃఆ΋νΣοΫ
    • see. ʮKubernetesʹmackerel-container-agentΛηοτΞοϓ͢Δ -
    Mackerel ϔϧϓʯ

    View Slide

  37. apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
    name: mackerel-container-agent
    rules:
    - apiGroups: [""]
    resources: ["nodes/proxy", "nodes/stats", "nodes/spec"]
    verbs: ["get"]
    e.g. RBACઃఆ(ClusterRole)

    View Slide

  38. apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
    name: mackerel-container-agent-binding
    roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: mackerel-container-agent
    subjects:
    - kind: ServiceAccount
    name: my-service-account
    namespace: default
    e.g. RBACઃఆ(ClusterRoleBinding)

    View Slide

  39. • kubelet API͔ΒϝτϦοΫΛऔಘ͢Δ
    • σϑΥϧτ͸read-only PortΛར༻
    • kubelet portͰ͸τʔΫϯೝূʹରԠ
    • ඞཁʹԠͯ͡RBACΛઃఆ
    Kubernetesʹ͓͚ΔϝτϦοΫऔಘ·ͱΊ

    View Slide

  40. ࠓޙͷίϯςφΤʔδΣϯτ

    View Slide

  41. ۙ೔ରԠ༧ఆ
    • Task Metadata Endpoint v3ରԠ
    • EC2/Bridge, EC2/Host, EC2/awspvc
    • docker.sock΍cgroupfs΁ͷґଘΛͳ͘͢
    • rootϢʔβඞཁͳ͠
    • cgroupfsͷϚ΢ϯτϙΠϯτͷҧ͍Λؾʹ͠ͳͯ͘Α͍

    View Slide

  42. ల๬ͱߏ૝
    • ϓϥάΠϯར༻ͷརศੑ޲্
    • ϓϥάΠϯಉࠝΠϝʔδͷఏڙͳͲ
    • ΧελϜϝτϦοΫͷѻ͍
    • ϗετಉ༷ʹୀ໾ޙɺҰఆظؒܦաͰඇදࣔͱͳΔ
    • Prometheus΍ServiceMeshͱͷ࿈ܞ

    View Slide

  43. ·ͱΊ

    View Slide

  44. ·ͱΊ
    • ίϯςφΤʔδΣϯτʢύϒϦοΫϕʔλʣΛϦϦʔε
    • λεΫ/PodΛ؂ࢹ͢ΔαΠυΧʔίϯςφ
    • ϓϥοτϑΥʔϜ͕ఏڙ͢ΔAPI͔ΒϝτϦοΫΛऩू
    • see. ʮίϯςφΛ؂ࢹ͢Δ - Mackerel ϔϧϓʯ

    View Slide

  45. ϑΟʔυόοΫΛ͓଴͍ͪͯ͠·͢

    View Slide

  46. View Slide