Slide 1
Slide 1 text
MackerelίϯςφΤʔδΣϯτʹΑΔ
ίϯςφࢹʹ͍ͭͯ
.BDLFSFM.FFUVQ
JEIBZBKP@
Slide 2
Slide 2 text
ࣗݾհ
• ࠓҪ൏ਓ(id:hayajo_77)
• MackerelνʔϜ SRE
• 201711݄ೖࣾ
• ίϯςφཁૉٕज़ɺपลٕज़
ίϯςφٕज़ೖԾԽͱͷҧ͍ΛΓɺཁૉٕज़Λ৮ֶͬͯ΅͏
IUUQTFNQMPZNFOUFOKBQBODPNFOHJOFFSIVCFOUSZ
Slide 3
Slide 3 text
ΞδΣϯμ
• MackerelίϯςφΤʔδΣϯτͷհ
• ϝτϦοΫऔಘઓུղઆ
• ࠓޙͷίϯςφΤʔδΣϯτ
• ·ͱΊ
Slide 4
Slide 4 text
MackerelίϯςφΤʔδΣϯτͷհ
Slide 5
Slide 5 text
MackerelίϯςφΤʔδΣϯτ
ʢύϒϦοΫϕʔλʣΛެ։͠·ͨ͠
https://mackerel.io/ja/blog/entry/weekly/20190218
Slide 6
Slide 6 text
ύϒϦοΫϕʔλͱ
• কདྷతʹਖ਼ࣜͳαʔϏεϦϦʔεΛߦ͏༧ఆ͕͋ΔػೳΛઌߦͯ͠
ެ։
• ׆ൃʹมߋΛߦ͍ɺ৽͍͠όʔδϣϯΛఏڙ
• ࣄલࠂͷ্Ͱඇޓमਖ਼Λ࣮ࢪ
Slide 7
Slide 7 text
OSSͱͯ͠ެ։
• DockerHub
• mackerel/mackerel-container-agent
• GitHub
• mackerelio/mackerel-container-agent
• IssuePRݪଇӳޠͰ͓ئ͍͠·͢
Slide 8
Slide 8 text
ίϯςφઐ༻ͷܰྔΤʔδΣϯτ
• ίϯςφઐ༻ͱͯ͠࠶ઃܭ
• Amazon ECS, AWS Fargate, KubernetesʹରԠ
• 1λεΫ/Podʹ͖ͭ1ϗετͱͯ͠Χϯτ
• ʰγεςϜΛߏ͢Δ࠷খ୯Ґ(ͩͱγεςϜΛཧ͢Δ্ͰΈͳ
͖͢ͷ)ʱ
• see. ʮFAQɾϗετͷܭࢉํ๏ʹ͍ͭͯ - Mackerel ϔϧϓʯ
Slide 9
Slide 9 text
αΠυΧʔίϯςφͱͯ͠σϓϩΠ
• ϓϥοτϑΥʔϜʹΑͬͯઃఆ͕ҟͳΔ
• ECS(EC2/Bridge, EC2/Host)
• ECS(EC2/awsvpc, Fargate)
• Kubernetes
• see. ʮίϯςφΛࢹ͢Δ - Mackerel ϔϧϓʯ
Slide 10
Slide 10 text
Web UI/ϗετҰཡ
Slide 11
Slide 11 text
Web UI/ϗετৄࡉ
Slide 12
Slide 12 text
Web UI/ϩʔϧάϥϑ
Slide 13
Slide 13 text
Δ͜ͱ
• λεΫ/Podͷͯ͢ͷίϯςφͷϝτϦοΫΛγεςϜϝτϦοΫ
ͱͯ͠ߘ
• CPUɺϝϞϦɺωοτϫʔΫ
• αʔϏε/ϩʔϧͷׂΓͯ
• ϓϥάΠϯͷར༻
• ϓϥάΠϯΛΠϯετʔϧͨ͠DockerΠϝʔδͷ४උ͕ඞཁ
Slide 14
Slide 14 text
Βͳ͍͜ͱ
• ΫϥελϊʔυͷϝτϦοΫऩू͠ͳ͍
• ϊʔυɺλεΫ/Pod, etc.
• ϊʔυͷCPUɺϝϞϦɺωοτϫʔΫɺσΟεΫͳͲ
• mackerel-agentΛར༻
• αϙʔτ͢ΔϓϥοτϑΥʔϜҎ֎ͷίϯςφͷࢹ
• DockerʮDockerΛϞχλϦϯά͢Δ - Mackerel ϔϧϓʯ
Slide 15
Slide 15 text
αΠυΧʔύλʔϯͷ࠾༻
• FargateͷΑ͏ͳɺΠϯϑϥετϥΫνϟͷཧ͕ෆཁͳίϯςφ
ར༻͕ओྲྀʹͳΔͱߟ͍͑ͯΔ
• Mackerelʹ͓͚ΔϗετͷఆٛͱλεΫ/PodͷϥΠϑαΠΫϧ
• ίϯςφؒͷϦιʔεڞ༗
• ࢹରͷΞϓϦέʔγϣϯ༷ʹ͍ۙࢹઃఆ͕Մೳ
Slide 16
Slide 16 text
ϝτϦοΫऔಘઓུղઆ
Slide 17
Slide 17 text
ϝτϦοΫऔಘΞʔΩςΫνϟ
Slide 18
Slide 18 text
ECS/Fargate
Slide 19
Slide 19 text
ECS/FargateͷAPI
&$#SJEHF &$)PTU &$BXTWQD 'BSHBUF
*OUSPTQFDUJPO
"1*
˔ ˔ ☓ ☓
5BTL.FUBEBUB
&OEQPJOUW
☓ ☓ ˔ ˔
5BTL.FUBEBUB
&OEQPJOUW
˔ ˔ ˔ ☓
Slide 20
Slide 20 text
Introspection API
• λεΫͷϝλσʔλΛฦ͢
• λεΫͷARNεςʔλεɺ֤ίϯςφͷDockerIDͳͲ
• ίϯςφͷϝτϦοΫCPUɺϝϞϦLIMITऔಘͰ͖ͳ͍
• Docker stats API(docker.sock)cgroupfsͰΧόʔ
• EC2/Bridge, EC2/HostͰར༻
• Task Metadata Endpoint v3ʹରԠ༧ఆ
Slide 21
Slide 21 text
Task Metadata Endpoint v2/v3
• λεΫϝλσʔλɺίϯςφϝτϦοΫΛฦ͢
• ϝτϦοΫDocker stats APIͦͷͷΛฦ͢
• v2/v3ͰऔಘͰ͖Δσʔλʹେ͖ͳҧ͍ͳ͍
• EC2/awsvpc, FargateͰv2Λར༻
• EC2/awsvpcv3ʹҠߦ༧ఆ
Slide 22
Slide 22 text
ECS/FargateͷωοτϫʔΫϝτϦοΫ
• ωοτϫʔΫϝτϦοΫ͕औಘͰ͖ΔͷEC2/Bridge͚ͩ......
• Docker stats API(libnetwork)bridgeϞʔυͷͱ͖͔͠ϝτϦοΫ
͕औΕͳ͍ͬΆ͍
• ࣮ʹৄ͍͠ํɺͥͻ࠙ձͰ͓͠·͠ΐ͏ʂ
Slide 23
Slide 23 text
root@ebb5c8c90634:/# curl -s $
{ECS_CONTAINER_METADATA_URI}/stats | jq .networks
{
"eth0": {
"rx_bytes": 17331985,
"tx_packets": 932,
"rx_packets": 1353,
"tx_bytes": 77755
}
}
e.g. EC2/Bridge w/ TMEv3
Slide 24
Slide 24 text
root@ip-10-0-10-144:/# curl -s ${ECS_CONTAINER_METADATA_URI}/stats | \
> jq .networks
null
e.g. EC2/Host, EC2/awsvpc w/ TMEv3
root@9ea93ec5d92b:/# curl -s ${ECS_CONTAINER_METADATA_URI}/stats | \
> jq .networks
null
Slide 25
Slide 25 text
-bash-4.2# CID=$(basename $(head -n1 /proc/self/
cgroup | cut -d: -f3))
-bash-4.2# curl -s 169.254.170.2/v2/stats/${CID} |
jq .networks
null
e.g. Fargate w/ TMEv2
Slide 26
Slide 26 text
EC2/BridgeͷωοτϫʔΫελοΫ
• ωοτϫʔΫελοΫλεΫͷίϯςφ͝ͱʹҟͳΔ
Slide 27
Slide 27 text
EC2/HostωοτϫʔΫελοΫ
• ϗετͷωοτϫʔΫελοΫΛλεΫͷίϯςφؒͰڞ༗
Slide 28
Slide 28 text
EC2/awsvpc, FargateωοτϫʔΫελοΫ
• ωοτϫʔΫελοΫΛλεΫͷίϯςφؒͰڞ༗
Slide 29
Slide 29 text
ίϯςφΤʔδΣϯτʹ͓͚ΔECS/Fargateͷ
ωοτϫʔΫϝτϦοΫͷऔಘ
• EC2/BridgeϞʔυͷ߹ɺDocker stats API͔Β֤ίϯςφͷωο
τϫʔΫϝτϦοΫΛऔಘͯ͠λεΫͷϝτϦοΫͱͯ͠ߘ
• EC2/Host, EC2/awsvpc, FargateͰɺίϯςφಉ࢜ωοτϫʔ
ΫελοΫΛڞ༗͢ΔͷͰɺίϯςφΤʔδΣϯτࣗͷωοτϫʔ
ΫϝτϦοΫΛऔಘͯ͠λεΫͷϝτϦοΫͱͯ͠ߘ
Slide 30
Slide 30 text
• ಉ͡ίϯςφఆٛͰɺىಈλΠϓɺωοτϫʔΫϞʔυͰΠϯλʔ
ϑΣʔεͷݟ͑ํ͕ҟͳΔ
λεΫͷInterfaceάϥϑ
&$#SJEHF &$)PTU &$BXTWQD
'BSHBUF
Slide 31
Slide 31 text
• ىಈλΠϓɺωοτϫʔΫϞʔυʹΑͬͯར༻Ͱ͖ΔAPI͕ҟͳΔ
• EC2ىಈλΠϓTask Metadata Endpoint v3ʹରԠத
• ωοτϫʔΫϞʔυʹΑͬͯωοτϫʔΫϝτϦοΫͷऔಘํ๏͕
ҟͳΔ
ECS/Fargateʹ͓͚ΔϝτϦοΫऔಘ·ͱΊ
Slide 32
Slide 32 text
Kubernetes
Slide 33
Slide 33 text
KubernetesͷCore metrics pipeline
Slide 34
Slide 34 text
kubelet API
• PodͷϝλσʔλϝτϦοΫɺϩάΛऔಘɺίϚϯυͷϩʔΧϧ
࣮ߦͷͨΊͷAPI
• kubelet port(10250/HTTPS)ͱread-only port(10255/HTTP)Ͱ
LISTEN
• read-only port͕ແޮͳڥ͋Δ
Slide 35
Slide 35 text
kubelet APIͷAuthN/AuthZ
• kubelet portͰೝূ/ೝՄΛઃఆͰ͖Δ
• Authentication
• ಗ໊ΞΫηεɺΫϥΠΞϯτূ໌ॻೝূɺτʔΫϯೝূ
• Authorization
• AlwaysAllow, Webhook
• SubjectAccessReview APIʹΑΔݖݶνΣοΫ
• see. ʮKubelet authentication/authorization - Kubernetesʯ
Slide 36
Slide 36 text
ίϯςφΤʔδΣϯτͱkubelet API
• σϑΥϧτͰread-only portΛར༻
• ઃఆͰkubelet portʹΓସ͑Մೳ
• τʔΫϯೝূΛαϙʔτ
• "nodes/proxy", "nodes/stats", "nodes/spec"ʹgetΞΫηε
• ͏·͍͔͘ͳ͍߹automountServiceAccountTokenઃఆνΣοΫ
• see. ʮKubernetesʹmackerel-container-agentΛηοτΞοϓ͢Δ -
Mackerel ϔϧϓʯ
Slide 37
Slide 37 text
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: mackerel-container-agent
rules:
- apiGroups: [""]
resources: ["nodes/proxy", "nodes/stats", "nodes/spec"]
verbs: ["get"]
e.g. RBACઃఆ(ClusterRole)
Slide 38
Slide 38 text
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: mackerel-container-agent-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: mackerel-container-agent
subjects:
- kind: ServiceAccount
name: my-service-account
namespace: default
e.g. RBACઃఆ(ClusterRoleBinding)
Slide 39
Slide 39 text
• kubelet API͔ΒϝτϦοΫΛऔಘ͢Δ
• σϑΥϧτread-only PortΛར༻
• kubelet portͰτʔΫϯೝূʹରԠ
• ඞཁʹԠͯ͡RBACΛઃఆ
Kubernetesʹ͓͚ΔϝτϦοΫऔಘ·ͱΊ
Slide 40
Slide 40 text
ࠓޙͷίϯςφΤʔδΣϯτ
Slide 41
Slide 41 text
ۙରԠ༧ఆ
• Task Metadata Endpoint v3ରԠ
• EC2/Bridge, EC2/Host, EC2/awspvc
• docker.sockcgroupfsͷґଘΛͳ͘͢
• rootϢʔβඞཁͳ͠
• cgroupfsͷϚϯτϙΠϯτͷҧ͍Λؾʹ͠ͳͯ͘Α͍
Slide 42
Slide 42 text
లͱߏ
• ϓϥάΠϯར༻ͷརศੑ্
• ϓϥάΠϯಉࠝΠϝʔδͷఏڙͳͲ
• ΧελϜϝτϦοΫͷѻ͍
• ϗετಉ༷ʹୀޙɺҰఆظؒܦաͰඇදࣔͱͳΔ
• PrometheusServiceMeshͱͷ࿈ܞ
Slide 43
Slide 43 text
·ͱΊ
Slide 44
Slide 44 text
·ͱΊ
• ίϯςφΤʔδΣϯτʢύϒϦοΫϕʔλʣΛϦϦʔε
• λεΫ/PodΛࢹ͢ΔαΠυΧʔίϯςφ
• ϓϥοτϑΥʔϜ͕ఏڙ͢ΔAPI͔ΒϝτϦοΫΛऩू
• see. ʮίϯςφΛࢹ͢Δ - Mackerel ϔϧϓʯ
Slide 45
Slide 45 text
ϑΟʔυόοΫΛ͓͍ͪͯ͠·͢
Slide 46
Slide 46 text
No content