ۙ౻͏͓ͪ(.01FQBCP *OD 4FSWFSMFTT.FFUVQ'VLVPLB 'JSFDSBDLFSɺ Լ͔ΒݟΔ͔ʁ ্͔ΒݟΔ͔ʁ

γχΞɾϓϦϯγύϧΤϯδχΞ ۙ౻ Ӊஐ࿕ / @udzura https://blog.udzura.jp/ Uchio Kondo ٕज़෦ ٕज़ج൫νʔϜ

No content

No content

Լ͔Β

'JSFDSBDLFS "NB[POΑΓൃද͞Εͨ ʮϚΠΫϩ7.ʯΛ࡞੒ɾ؅ཧ͢ ΔϥϯλΠϜɻ ,7.Λར༻ͨ͠7.. 7JSUVBM .BDIJOF.POJUPS ʹ෼ྨ͞ΕΔ

ʮίϯςφʯϥϯλΠϜ w࣮͸͍Ζ͍Ζ͋Δʢ͍ΘΏΔ௿ϨϕϧϥϯλΠϜத৺ʹʣ ϓϩηε ϋΠύʔόΠβ .JDSP7. αϯυϘοΫε ϢχΧʔωϧ

'JSFDSBDLFSͷಛ௃ wηΩϡΞԾ૝ϚγϯΛ࡞੒͢ΔͷͰִ཭ੑ͕ߴ͍ wϋΠύϑΟΦʔϚϯεىಈϛϦඵʢެশʣ w࣮੷-BNCEBɺ'BSHBUFͷόοΫΤϯυʂ w௿Φʔόϔου7.͋ͨΓ໿.J#ͷϝϞϦΛফඅʢެশʣ w044ʢ"QBDIF-JDFOTFʣ w3VTUͷେن໛ɾϓϩμΫγϣϯϢʔεϓϩδΣΫτͱͯ͠΋ڵຯਂ͍

ಋೖ IUUQTHJUIVCDPNpSFDSBDLFSNJDSPWNpSFDSBDLFSCMPCNBTUFSEPDTHFUUJOHTUBSUFENE

ಋೖ࣌ͷϝϞ w-JOVY w6CVOUV#JPOJDͷͳͲ w,7.ར༻Մೳ wύϒϦοΫΫϥ΢υͳΒ"84ͷϕΞϝλϧ΍ɺ($&Ͱ/FTUFE,7. ༗ޮͷΠϯελϯεͳͲ

KBJMFS w'JSFDSBDLFSࣗମ͸ྫ͑͹OFUOT΍DHSPVQͳͲΛΑ͠ͳʹ͸͠ͳ͍ͷ ͰɺKBJMFSͱ͍͏؆қίϯςφϥούʔΛט·ͤΔͷ͕͍͍Β͍͠ wޙड़͢Δ,BUB$POUBJOFSΛܦ༝ͯ͠΋͍͍ JAIL_ID=$(uuidgen) jailer --id $JAIL_ID \ --exec-file /usr/local/bin/firecracker \ --netns /var/run/netns/fc-test-1 \ --node 0 --uid=10001 --gid=1000

ωοτϫʔΫελοΫࣗ࡞੎޲͚

,BUB$POUBJOFS w'JSFDSBDLFSΛݱ࣮తʹಈ্͔͢Ͱ͸ɺ,BUB$POUBJOFSͷΞμϓλΛ ར༻ͯ͠EPDLFSίϚϯυܦ༝ͰίϯςφΛ࡞Δͷ͕͍͍ͷͰ͸ w͜͏͍͏ײ͡ [docker cli] -> [dockerd] -> [kata-containerͷshim] -> [firecracker]

,BUB$POLBUBGD w ΧλίϯςφΛೖΕɺ%PDLFSΛηοτΞοϓ w pSFDSBDLFSೖΓͷLBUBDPOUBJOFSUBSCBMMΛམͱͯ͠ల։ w LBUBGDΛϥϯλΠϜʹ࢖͏Α͏%PDLFSΛઃఆ w͜ΕͰಈ͘ɻৄࡉ͸ɺ׬શʹ௕͍खॱͳͷͰɺϒϩάʹ͠·͢

)FMMPXPSME root@firecracker-test-1:~# docker run -ti --runtime=kata-fc hello-world Hello from Docker! This message shows that your installation appears to be working correctly. To generate this message, Docker took the following steps: 1. The Docker client contacted the Docker daemon. 2. The Docker daemon pulled the "hello-world" image from the Docker Hub. (amd64) 3. The Docker daemon created a new container from that image which runs the executable that produces the output you are currently reading. 4. The Docker daemon streamed that output to the Docker client, which sent it to your terminal.

௒؆қతͳ ൺֱ

࣮ݧ؀ڥ wϗετ$16$PSF .FNPSZ(# w/FTUFE,7.༗ޮʢ͢ͳΘͪɺϗετ΋7.ʣ wDQVJOGPˠ wͦͷଞඋߟ wઃఆ౳͸μ΢ϯϩʔυ
 ηοτΞοϓ࣌σϑΥ w/PUVOJOH

344 wEFCJBOTMJNͰTMFFQίϚϯυΛಈ͔ͨ͠ঢ়ଶ

344 3VOUJNF WFSTJPO΄͔ ʢҎԼͷൺֱ΋ಉ͡ʣ 344 SVOD SDEFW ,# TMFFQϓϩηε LBUBSVOUJNF SD LBUBTIJN.# LBUBQSPYZ.# RFNV.# LBUBGD LBUBDPOUBJOFSಉࠝ LBUBTIJN.# pSFDSBDLFS.#

ىಈ଎౓ time docker run -ti --runtime=$RUNTIME hello-world 3VOUJNF 5JNF SFBM SVOD NT LBUBSVOUJNF NT LBUBGD NT

ύϑΥʔϚϯε΁ͷӨڹ wͦΕͧΕͷϥϯλΠϜͰAhttpd:2.4-alpineAΛ͋͛Δ wͦ͜ʹҎԼͷ৚݅ͰBC ab -n 10000 -c 10 http://localhost:$BOUND_PORT/

݁Ռʢൈਮʣ SVOD LBUBSVOUJNF LBUBGD

্͔Β

,VCFSOFUFT͔Β 'JSFDSBDLFSΛ࢖͑ͳ͍ͷʁ

ϥϯλΠϜͷϨΠϠΘ͚ ,VCFSOFUFT ߴϨϕϧϥϯλΠϜ ௿ϨϕϧϥϯλΠϜ $3* 0$*

ϨΠϠΛͭͳ͍Ͱ͍͘ ,VCFSOFUFT ߴϨϕϧϥϯλΠϜ ௿ϨϕϧϥϯλΠϜ $3* 0$*

,VCFSOFUFT͔Β 'JSFDSBDLFSΛ࢖͏

ઓུ w,VCFSOFUFTࣗମΛͲ͏ೖΕΔ wNJDSPLTΛ࢖ͬͯΠϯετʔϧʴΧελϚΠζ wϕʔλ൛ͷϦιʔε3VOUJNF$MBTTΛ࢖͑͹͍͍ͷͰ͸ wίϯςφϥϯλΠϜΛࣗ෼Ͱબ΂Δʁ wߴϨϕϧϥϯλΠϜʹɺͲͷ௿ϨϕϧϥϯλΠϜΛ࢖͏͔ࢦࣔͰ͖Δ Β͍͠

NJDSPLTͷϋοΫ wઃఆΛมߋͯ͠TOBQDSBGU͠௚͢͜ͱͰɺ΅͚ͩ͘ͷ͍͖͞ΐ͏ͷ ,VCFSOFUFT؀ڥ͕Ͱ͖Δ wҎԼͷΑ͏ʹ͍͡Δ w'FBUVSF(BUFTͰ3VOUJNF$MBTTΛ༗ޮʹ͢Δ wNJDSPLTͷ%PDLFSͰ͸ͳࣗ͘෼ͨͪ؅ཧͷ%PDLFSʹ͢Δ wͳ͔ͥJQUBCMFTͷϦϯΫ͕ࣦഊ͢ΔɺMJCOFUpMUFS@DPOOUSBDLΛ ࣗ෼ͰೖΕͳ͍ͱ͍͚ͳ͍

EJ⒎ w͜Ε΋ϒϩάʹ·ͱΊΔΜͰ

'FBUVSF(BUFT w,VCFSOFUFT͸ɺϕʔλ΍ΞϧϑΝͷػೳʹ͍ͭͯɺσϑΥϧτͰ͸ ͢΂͕ͯ༗ޮͳΘ͚Ͱ͸ͳ͍ɻ໌ࣔతʹ༗ޮʹ͢ΔͨΊͷػߏ

3VOUJNF$MBTF$3% w$VTUPN3FTPVSDF%FpOJUJPOͷҰͭͱͯ͠,VCFSOFUFTʹؚ·Ε͍ͯ Δɺ1PEͳͲ࡞੒࣌ͷϥϯλΠϜΛબ΂ΔΑ͏ʹ͢Δػೳ w"MQIBεςʔδͷػೳ

3VOUJNF$MBTTͷରԠঢ়گ wਖ਼֬ʹ͸ɺ$3*ͷΠϯλϑΣʔεΛܦ༝ͯ͠ɺ1PE࡞੒࣌ʹߴϨϕϧ ϥϯλΠϜʹAruntime_classAͱ͍͏ύϥϝʔλΛૹΕΔ wߴϨϕϧϥϯλΠϜଆͰͦΕΛݟͯ௿ϨϕϧϥϯλΠϜΛબͿɺͭ· ΓɺߴϨϕϧଆͰͷઃఆ͕ඞཁ wEPDLFSE͸Ͳ͜Ͱઃఆͯ͠ΔΜͩΘ͔ΒΜ
 ʢDSJPͷηοτΞοϓ·Ͱ͸࣌ؒ੾Εʣ

ઓུ w,VCFSOFUFTࣗମ wNJDSPLTΛ࢖ͬͯΠϯετʔϧʴΧελϚΠζ wϕʔλ൛ͷϦιʔε3VOUJNF$MBTTΛ࢖͑͹͍͍ͷͰ͸ wߴϨϕϧϥϯλΠϜʹɺͲͷ௿ϨϕϧϥϯλΠϜΛ࢖͏͔ࢦࣔͰ͖Δ Β͍͠ wखݩͷ%PDLFSΛݟΔΑ͏ʹ͸Ͱ͖ͯΔͷͰɺͦͷσϑΥϧτϥϯλ ΠϜΛLBUBGDʹ͢Ε͹Α͘Ͷʁ

Ͱ͖ͨ

%FNP

·ͱΊ

'JSFDSBDLFSΛҰ௨Γ͍ͬͯ͡Έͯ w΋͏࢖͓͏ͱࢥ͑͹࢖͑Δʢʁʣ w0$* $3*ͳͲͷن໿͕ਁಁ͖ͯͯ͠ɺͭͳ͗͜Έ͕༰қʹͳ͍ͬͯΔ ͷΛײͨ͡ wӡ༻໘ɺύϑΥʔϚϯεͷվળ΍ϊ΢ϋ΢͸͜Ε͔Βʁ

No content

;͘͹Ͷͯ͢
 ! .PO ԙதऱ઒୺