Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Compare OCI Runtimes
Search
Gosuke Miyashita
PRO
March 22, 2019
Technology
2
1.4k
Compare OCI Runtimes
Gosuke Miyashita
PRO
March 22, 2019
Tweet
Share
More Decks by Gosuke Miyashita
See All by Gosuke Miyashita
Serverspec(をつくった自分)のそれまでとその後
mizzy
PRO
8
3.1k
A method for separating policy definition and behavior control by an intermediate language to achieve optimal server configuration management according to the situation
mizzy
PRO
3
240
Past and future of Infrastructure as Code
mizzy
PRO
0
160
Configuration Managementツールのポリシー定義用中間言語に関する考察/Considerations about an intermediate language of configuration management tools
mizzy
PRO
0
440
Infrastructure as Codeのこれまでとこれから/Infra Study Meetup #1
mizzy
PRO
29
13k
エンジニアかつ研究者としての今後のキャリアについて/My Career As An Engineer And A Researcher
mizzy
PRO
0
390
Serverspec and OSS at IEICE Society Conference 2018
mizzy
PRO
2
280
House Meetup
mizzy
PRO
7
3.1k
Rust + Ruby/mruby
mizzy
PRO
0
1.7k
Other Decks in Technology
See All in Technology
LINE NEWSにおけるバックエンド開発
lycorptech_jp
PRO
0
350
EDRの検知の仕組みと検知回避について
chayakonanaika
12
5.2k
開発者のための FinOps/FinOps for Engineers
oracle4engineer
PRO
2
240
生成AI×財務経理:PoCで挑むSlack AI Bot開発と現場巻き込みのリアル
pohdccoe
1
800
OPENLOGI Company Profile for engineer
hr01
1
20k
Oracle Database Technology Night #87-1 : Exadata Database Service on Exascale Infrastructure(ExaDB-XS)サービス詳細
oracle4engineer
PRO
1
210
What's new in Go 1.24?
ciarana
1
120
AIエージェント入門
minorun365
PRO
33
19k
Snowflakeの開発・運用コストをApache Icebergで効率化しよう!~機能と活用例のご紹介~
sagara
1
520
ウォンテッドリーのデータパイプラインを支える ETL のための analytics, rds-exporter / analytics, rds-exporter for ETL to support Wantedly's data pipeline
unblee
0
140
Ruby on Railsで持続可能な開発を行うために取り組んでいること
am1157154
3
160
入門 PEAK Threat Hunting @SECCON
odorusatoshi
0
180
Featured
See All Featured
Producing Creativity
orderedlist
PRO
344
40k
Visualization
eitanlees
146
15k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
Stop Working from a Prison Cell
hatefulcrawdad
268
20k
Six Lessons from altMBA
skipperchong
27
3.6k
Facilitating Awesome Meetings
lara
53
6.3k
Designing Experiences People Love
moore
140
23k
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
3.7k
Fantastic passwords and where to find them - at NoRuKo
philnash
51
3k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.2k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
Unsuck your backbone
ammeep
669
57k
Transcript
͘͞ΒΠϯλʔωοτגࣜձࣾ (C) Copyright 1996-2019 SAKURA Internet Inc ͘͞ΒΠϯλʔωοτݚڀॴ OCIϥϯλΠϜൺֱͷͨΊʹ ͍ͬͯΔ͜ͱ͋Ε͜Ε
2019/03/22 ٬һݚڀһ ٶԼ ߶ี runc, gVisor, Kata Containers Nabla Containers, Firecrackerൺֱ
1. ͡Ίʹ
3 ɾݱࡏOCIϥϯλΠϜͷൺֱʹऔΓΜͰ͍Δ ɾൺֱ߲ɺىಈ࣌ؒɺϝϞϦαΠζɺύϑΥʔϚϯεͳͲ ɾϥϯλΠϜຖʹบ͕͋Γɺಉ݅͡Ͱൺֱ͢Δͷ͕؆୯Ͱͳ͍ ɾ۩ମతʹͬͨ͜ͱɺͱ͘ʹ·ͬͨ͜ͱڞ༗͍ͨ͠ ɾܭଌ݁Ռͷڞ༗͜ͷൃදͷతͰͳ͍ ɾݱࡏͷܭଌ݁Ռʹ͍ͭͯmatsumotory͞ΜͷεϥΠυࢀর ɾhttps://speakerdeck.com/matsumoto_r/chao-ge-ti-xing- detasentaostoocirantaimu ͓͢͠Δ༰
1. ܭଌ४උͰ·ͬͨ͜ͱ
ίϯςφͰಈ͔͢όΠφϦ࡞
6 ɾൺֱ݅Λἧ͑ΔͷͱɺϥϯλΠϜͦͷͷͷੑ࣭Λଌఆ͍ͨ͠ͷ Ͱɺ୯७ͳϓϩάϥϜΛ༻ҙ ɾhello.c ɾHelloͱදࣔ͢Δ͚ͩͷϓϩάϥϜ ɾىಈ࣌ؒଌఆ༻ ɾloop.c ɾແݶϧʔϓ͢ΔϓϩάϥϜ ɾϝϞϦαΠζଌఆ༻ ίϯςφͰಈ͔͢όΠφϦ
7 hello.c #include <stdio.h> void main() { printf("Hello\n"); }
8 loop.c #include <stdio.h> void main() { int i =
0; while(1) { printf("%d\n", i++); } }
9 ɾNabla ContainersϥΠϒϥϦOSʢϢχΧʔωϧʣܕΞϓϩʔνͷ ϥϯλΠϜ ɾ࣮ߦόΠφϦͱΧʔωϧ͕ҰମԽ ɾͳͷͰNabla Containers༻όΠφϦผʹ༻ҙ͢Δඞཁ͕͋Δ ɾx86_64-rumprun-netbsd-gcc -o hello.out
hello.c ɾrumprun-bake solo5_ukvm_seccomp hello.nabla hello.out ɾ৽͠ͷϦϏδϣϯͩͱsolo5_ukvm_seccompͰͳ͘spt Nabla Containers༻όΠφϦ
10 ɾnabla-containers/solo5ΛίϯύΠϧͯ͠Ͱ͖ͨsolo5.oΛ/usr/lib/ libsolo5_seccomp.aʹίϐʔ ɾnabla-containers/runnc ϦϏδϣϯb78fe29Λར༻ ɾnabla-containers/rumprunϦϏδϣϯ8b01b3Λར༻ ɾߋʹҎԼͷύονΛ͋ͯΔ ɾhttps://github.com/rumpkernel/rumprun/issues/122 ɾhttps://github.com/rumpkernel/rumprun/pull/118 Nabla༻όΠφϦͷϏϧυ
11 ɾrumprun-bakeίϚϯυʹύον ɾ࠷ޙʹ࣮ߦͯ͠ΔίϚϯυʹ-L/usr/libΛՃ ɾhttps://blog.cloudkernels.net/posts/build-a-nabla-docker-image/ ɾ͜ͷखॱʹ͕ͨͬͯ͠࠷৽ͷϦϏδϣϯͰϏϧυͯ͠͏·͘ಈ͔ ͳ͔ͬͨ ɾSolo5: ABORT: spt/net.c:36: Assertion
`netfd >= 0' failed Nabla༻όΠφϦͷϏϧυʢ͖ͭͮʣ
Kata Containersͷόʔδϣϯ
13 ɾhttps://github.com/kata-containers/documentation/blob/master/ install/ubuntu-installation-guide.md ɾܭଌ༻ϗετʹUbuntuΛར༻ͨ͠ͷͰ͜ͷखॱʹैͬͨ ɾhttp://download.opensuse.org/repositories/home:/ katacontainers:/releases:/${ARCH}:/master/xUbuntu_$ (lsb_release -rs)/ ͕aptϦϙδτϦͱͯ͠ઃఆ͞ΕΔ ɾ͕ɺ͜Εͩͱ1.6rc1͕Πϯετʔϧ͞Ε·ͱʹಈ͔ͳ͔ͬͨ
ɾs/master/stable-1.5/ Ͱղܾ Kata ContainersͷΠϯετʔϧ
1. ܭଌ࣌ʹ·ͬͨ͜ͱ
ϥϯλΠϜίϚϯυ࣮ߦͰͷܭଌ
16 ɾ༨ͳϨΠϠʔΛল͍ͯͳΔ͘ૉͷঢ়ଶͰͷܭଌ͕త ɾOCI Filesystem BundleΛ༻ҙ ɾdocker export `docker create mizzy/hello`
| tar -C bundle/rootfs - xvf - Ͱrootfsੜ ɾrunc specͰconfig.jsonੜ ϥϯλΠϜίϚϯυ࣮ߦͰͷܭଌ
17 ɾrunc, gVisor, Kata Containers, Nabla ContainersʹOCI Filesystem BundleΛ࣮ߦ͢ΔίϚϯυ͕͋Δ ɾFirecrackerʹ(·ͩ?)ଘࡏ͠ͳ͍ͬΆ͍
ɾͳͷͰFirecracker࣮ߦํࣜͰܭଌͰ͖ͳ͔ͬͨ ɾkata-fc͑Ͱ͖ͦ͏ʢະணखʣ ɾhttps://github.com/kata-containers/documentation/wiki/Initial- release-of-Kata-Containers-with-Firecracker-support OCI Filesystem Bundle࣮ߦίϚϯυ
18 ɾrunncଞͷίϚϯυͱҧ͍runαϒίϚϯυ͕ͳ͍ ɾcreateͯ͠start͢Δඞཁ͕͋Δ ɾtime runnc startͰܭଌ͠Α͏ͱ͢Δͱίϯςφ࣮ߦऴྃલʹtime ͷ݁Ռ͕ฦΔ → ྑ͍ܭଌํ๏ࡧத ɾconfig.jsonͷhooks.prestartͰωοτϫʔΫ·ΘΓͷઃఆΛߦ͏ඞ
ཁ͕͋Δ ɾhttps://github.com/nabla-containers/runnc/issues/53 ɾconfig.jsonͰࢦఆ͢Δroot.path͕૬ରύεͩͱಈ͔ͳ͍ Nabla Containersׂ͕ͱۂऀ
containerdͷctrίϚϯυͰͷܭଌ
20 ɾϥϯλΠϜίϚϯυ࣮ߦͰͯ͢ͷϥϯλΠϜΛܭଌͰ͖ͳ ͔ͬͨͷͰҧ͏ΞϓϩʔνͰܭଌ ɾ͜͜ͰNabla Containersͷนཱ͕͔ͪͩΔ ɾଞͷϥϯλΠϜShim API v2ʹରԠ͍ͯ͠Δ ɾctr run
—runtime=io.containerd.kata.v2 Έ͍ͨʹ࣮ߦͰ͖Δ ɾrunncShim API v2ʹରԠ͍ͯ͠ͳ͍ containerdͷctrίϚϯυͰͷܭଌ
21 ɾ/etc/containerd/config.toml ɾctr run --runtime io.containerd.runtime.v1.linux Ͱ࣮ߦ ผͷํ๏Ͱ࣮ߦΛࢼΈΔ [plugins] [plugins.linux]
shim = "containerd-shim" runtime = "/usr/local/bin/runnc"
22 ɾctr: OCI runtime create failed: runnc did not terminate
sucessfully: unknown ɾrunnc͕panic: Insufficient uniqueness in IDΛు͍ͯΔ ɾཁ͢Δʹίϯςφ໊͕͍ ɾϩάʹ͜Ε͕ݟ͋ͨΒͳ͍ͷͰΘ͔Γʹ͍͘ ɾERR: could not create tapabcdefg12345: no master interface: Link not found ɾίϯςφ໊Λ͘͢Δͱࠓ͜ͷΤϥʔ ɾ͜ΕҎ্·ͩௐࠪͰ͖͍ͯͳ͍ ࣮ߦ݁Ռ
dockerίϚϯυͰͷܭଌ
24 ɾϥϯλΠϜίϚϯυ࣮ߦͰͷܭଌɺctrίϚϯυͰͷܭଌɺͱ ʹͯ͢ͷϥϯλΠϜΛܭଌ͢Δ͜ͱ͕Ͱ͖ͳ͔ͬͨ ɾͷͰ࣍dockerίϚϯυͰτϥΠ dockerίϚϯυͰͷܭଌ
25 ɾFirecrackerͷಈ͔͠ํ͚ͩΘ͔ΒΜɺͱࢥͬͨΒudzura͞ΜʹΑΔ φΠεࢿྉ͕ ɾhttps://speakerdeck.com/udzura/firecracker-from-low-layer-to- hight?slide=14 ɾKata ContainersͰFirecrackerΛಈ͔͢kata-fcΛར༻ ɾhttps://github.com/kata-containers/documentation/wiki/Initial- release-of-Kata-Containers-with-Firecracker-support ɾDockerͷdevicemapperαϙʔτ͕ඞཁ͕ͩɺݱࡏ࠷৽ͷ18.09͕
devicemapperରԠ͍ͯ͠ͳ͍ͷͰɺ18.06Λར༻͢Δඞཁ͋Γ Docker + Firecraker
26 ɾ࠷ॳҙຯ͕Θ͔Βͳ͔ͬͨ ɾ͑ɺͲͬͪOCIϥϯλΠϜ͡Όͳ͍ͷʁ ɾFiracrackerϚΫϩͳࢹͰݟΔͱOCIϥϯλΠϜͱͯ͠ݟΔ͜ͱ Ͱ͖Δ͕ϛΫϩͳࢹͰݟΔͱVMM ɾKata ContainersVMͰίϯςφΛىಈ͢ΔΞϓϩʔνͷOCIϥ ϯλΠϜ ɾVMMͱͯ͠σϑΥϧτͰQEMUΛར༻͢Δ͕ࠩ͠ସ͑Մೳ ɾͭ·ΓKata
ConͷVMMΛFirecrackerʹࠩ͠ସ͑Δ͜ͱ͕Ͱ͖Δ Kata Containers + Firecracker?
ctrͱdockerͰFirecrackerͷ ىಈ͕࣌ؒఆͱҟͳΔ
28 ɾctr: real 0m6.320s ɾdocker: real 0m4.105s ɾdockerͷํ͕ɺdockerdΛܦ༝͢Δ͘ͳΓͦ͏ͳͷʹͳͥʁ ɾctrnaive snapshotterΛར༻
ɾdockerdevicemapperΛར༻ ɾctrͰdevmapper snapshotterΛར༻͢Εಉ݅͡ͰൺֱͰ͖ͦ͏ ɾ→ ະணख ctrͱdockerͰͷFirecrackerىಈ࣌ؒ
1. ίετ
30 ɾݕূڥΛVagrant+VirtualBoxͰߏங ɾKataͱFirecrackerKVM͕ඞཁ ɾVirtualBoxͰKVMಈ͔ͳ͍ ɾVMWare Fusion + Vagrant VMWare ProviderΛߪೖ
ɾVMWare Fusion: 9,925ԁ ɾVagrant VMWare Provider: $79 per seat ׂͱ͓͕͔͔ۚΔ (on macOS)
31 ɾVagrant + VMWare FusionͰmodprobe vhost_vsock͕Τϥʔʹ ͳͬͯ͠·͏ͷͰAWS EC2্Ͱݕূ ɾKVMΛಈ͔ͨ͢ΊʹϕΞϝλϧΠϯελϯε͕ඞཁ ɾi3.metalͰ4.992USD/࣌ؒ
ɾ1ͰBilling AlertඈΜͰདྷͨ ׂͱ͓͕͔͔ۚΔ (on AWS)
1. ࢀߟࢿྉ
33 ɾhttps://github.com/mizzy/container-playground ɾmeasurements/ ɾVagrant + VMWare FusionͰಈ͔ͯ͠Δͭ ɾcompare_on_i3_metal/ ɾVagrant +
AWS EC2 i3.metalΠϯελϯεͰಈ͔ͯ͠Δͭ ɾཧͰ͖ͯͳ͍͠ɺ௨͠Ͱvagrant provisionͯ͠ͳ͍ͷͰಈ͔ͳ ͍ͱ͜Ζ͋Γͦ͏ ɾࢼͯ͠ΈͯΘ͔Βͳ͍͜ͱ͕͋ΕԿͰฉ͍͍ͯͩ͘͞ ܭଌ༻ϦϙδτϦ
34 ɾࠓͷ͍Ζ͍ΖͳίϯςφϥϯλΠϜΛൺֱͯ͠Έͨ ɾhttps://www.slideshare.net/KoheiTokunaga/ss-123664087 ɾ֤छϥϯλΠϜͷಛൺֱͳͲͱͯࢀߟʹͳΔ ɾNabla ContainersΛಈ͔͢ʹ͋ͨͬͯͱͯࢀߟʹͳͬͨ ɾࢿྉͰܭଌʹkubernetes-sigs/cri-toolsΛར༻͍ͯ͠ΔͷͰ͜Ε ࢼͯ͠Έ͍ͨ ࢀߟࢿྉ