
Introduction to Linux Containers: Container Basics and the Latest News (2013/10/05)

tenforward
October 05, 2013


This is the material I presented at the "2nd Container-based Virtualization Information Exchange Meeting @ Tokyo". Speaker Deck seems to make the links in the deck unclickable, so if you also want the references, download it or see https://guinan.ten-forward.ws/container-20131005.pdf.


Transcript

  1. Linux コンテナ入門 (Introduction to Linux Containers): Container Basics and the Latest News. Yasufumi Kato. 2nd Container-based Virtualization Information Exchange Meeting @ Tokyo.

  2. About this material: this is the material presented at the 2nd Container-based Virtualization Information Exchange Meeting @ Tokyo on 10/5, with some additions made afterwards.

  3. About me
    - Name: Yasufumi Kato
    - Affiliation: FirstServer, Inc., Development Department
    - OSS activities: Plamo Linux maintainer and web page content management; lxc man pages translation; Jetspeed 2 documentation translation
    - http://www.ten-forward.ws/ ; twitter: @ten_forward ; g+: http://gplus.to/tenforward ; http://d.hatena.ne.jp/defiant (blog on technical topics)

  4. Goals for today (aimed at beginners)
    - Understand what containers are and the basics of using LXC
    - Introduce the container-related features of the Linux kernel and what is new in LXC, centred on the updates since the first meeting's material (kernel 3.8 onwards, LXC 1.0)
    - I only follow the parts of the kernel and LXC that interest me, so there may be mistakes and omissions.
    - For the latest container news I cover only the recent important items; for everything else, see the material from the first meeting.
    - The slides contain links to references; check them in the version published later.

  5. Agenda
    - Container basics
    - Container implementations on Linux
    - Getting started with Linux containers
    - How containers work on Linux
    - Latest Linux kernel developments
    - Latest LXC developments
    - Closing

  6. Container basics

  7. What is a container? OS-level virtualization.
    - Kernel features create (multiple) independent spaces and divide and distribute resources among them:
      - group processes and isolate their resource space from other groups
      - limit the resources available to a group of processes

  8. Characteristics of containers
    - High density is possible (only one OS, i.e. one kernel, is running)
    - Small overhead (no hardware virtualization needed)
    - Fast startup
    - A whole system does not necessarily have to run (application containers): e.g. only httpd runs inside the container
    - Runs without problems on top of a virtual machine too!
    - Cannot run a system or program of a different OS
    - Cannot perform operations that touch the kernel, such as loading different modules per container

  9. Container implementations on Linux

  10. Container implementations on Linux: kernel features (+ patches) + userspace tools that use those kernel features
    - Kernel + patches + userspace tools: OpenVZ / Virtuozzo (commercial), Linux VServer
    - Kernel + userspace tools: LXC, libvirt (lxc driver), systemd (systemd-nspawn), vzctl for upstream kernel

  11. LXC
    - LXC (http://lxc.sourceforge.net/): userspace tools (a set of commands) for operating Linux containers; the current stable is 0.9.0; it has a strong character of being "Ubuntu's" container toolkit
    - libvirt (its LXC container driver) (http://libvirt.org/)
    - Both use the same name "LXC", but their configuration files are separate; they are different implementations on top of the same kernel features.
    - In this session, "LXC" refers to the former; the latter is called "libvirt".
    - On the LXC side there is talk along the lines of "let's rewrite libvirt's container driver on our API", but at the moment there is little actual movement...

  12. Getting started with Linux containers

  13. Just starting a container on Ubuntu
    - Ubuntu is the de facto development platform of LXC today: lxc developers = Ubuntu developers. Ubuntu is probably the main base for development, and everything else follows later.

        # apt-get install lxc
        # lxc-create -n ct01 -t ubuntu
        # lxc-start -n ct01 -d
        # lxc-console -n ct01

    - If you are on 12.04 LTS, installing linux-current-generic, a backport of the kernel from the latest Ubuntu release, may make you happier: it works fine without it, but it brings a 3.8 kernel, which is likely to be convenient in many ways (more on 3.8 later).

        # apt-get install linux-current-generic

  14. What container processes look like. Seen from the parent environment:

        # pstree -p
        init(1)-+-acpid(1041)
                :(snip)
                |-lxc-start(15592)---init(15597)-+-cron(15877)
                |                                |-dhclient3(15817)
                |                                |-getty(15867)
                |                                |-getty(15871)
                :(snip)

      Seen from inside the container:

        # pstree -p
        init(1)-+-cron(252)
                |-dhclient3(192)
                |-getty(242)
                |-getty(246)
                :(snip)

  15. Application containers: you do not have to start /sbin/init inside the container; you can start only the program you want (this example is admittedly a bit forced).

        # lxc-start -n ct01 -- /usr/sbin/apache2 -DFOREGROUND
        # pstree -p 15535
        bash(15535)-+-lxc-start(19577)
                    `-lxc-start(19708)---apache2(19714)-+-apache2(19740)-+-{apache2}(19771)
                                                        |                |-{apache2}(19772)
                                                        |                |-{apache2}(19773)
                                                        :(snip)

    - Before 0.6, docker was for application containers only (it could not run the system's /sbin/init).

  16. "But I want to run it on CentOS 6..."
    - There is no package; RedHat seems to be going the libvirt route...
    - Rather than the latest, compile and install something around 0.8.0 or 0.7.5 from source. The CentOS 6 kernel is 2.6.32, which from a container point of view is ancient: removed features, not-yet-implemented features... so the versions from that era are properly tested there and work. The latest (0.9.0) is also implemented so that it works, but...
      - do not mount the net_prio and perf_event cgroups, whose implementations are incomplete there
      - the ns (namespace) cgroup (removed in 3.0)
    - The lxc-centos template is not included by default; searching github/gist will turn one up → lxc-centos
    - RHEL7 is said to support containers, so maybe it will ship tuned to work properly with libvirt?

  17. How containers work on Linux

  18. Features for realizing containers on Linux
    - Grouping processes and isolating them from other groups → Namespaces
    - Resource limits on a group of processes → Cgroups (control groups)
    - Others: networking (veth, macvlan), capabilities, Checkpoint/Restore (CRIU), and so on...

  19. Kinds of namespaces (1)
    - Mount namespace (2.4.19): separates the set of mounts a process sees and the operations on them. mount/umount inside a namespace do not affect other namespaces. (ref) Applying mount namespaces (IBM developerWorks)
    - UTS namespace (2.6.19): separates the set of values returned by uname(2), such as the hostname. setdomainname(2) and sethostname(2) change only the values inside the namespace.
    - PID namespace (2.6.24): separates the PID space. In a new PID namespace, PIDs are assigned starting from 1. A child PID namespace is visible from the parent (its processes also have PIDs in the parent's space), but the parent is not visible from the child.

  20. Kinds of namespaces (2)
    - IPC namespace (2.6.19): isolates SysV IPC objects and POSIX message queues.
    - User namespace (2.6.23 ~ 3.8): an independent UID/GID space with a mapping to the outside (e.g. uid/gid 0/0 inside the isolated space can be 1000/1000 outside).
    - Network namespace (2.6.26): isolates network resources: network devices, addresses, routing tables, sockets, filtering.

  21. Operating on namespaces
    - clone(2): create a new process (in new namespaces)
    - unshare(2): control the execution context without creating a new process
    - setns(2): associate a process with an existing namespace
    - (ref) example usage of unshare

  22. Cgroups (1): group processes and apply resource limits to the group. Not a mechanism specific to containers.
    - cpu: CFS (Completely Fair Scheduler) bandwidth control limits the total time the tasks in a group may run within a period (implemented in 3.2); relative shares specify the ratio of CPU time between groups, e.g. GroupA=100, GroupB=50 gives A:B = 2:1. (ref) CFS bandwidth control in Linux 3.2
    - cpuacct: reports the CPU resource usage (CPU time) of the group
    - cpuset: assigns the CPUs and memory nodes a group may use

  23. Cgroups (2)
    - device: specifies allowed and denied access to devices
    - freezer: suspends all processes in the group at once
    - memory: limits memory resources (user memory, kernel memory)
    - blkio (Block IO): the I/O weight controller (2.6.33 onwards) specifies the group's priority; I/O throttling (2.6.37 onwards) specifies the total bytes/second the group's processes may do against a device. (ref) New in Linux 2.6.37: "I/O throttling"

  24. Cgroups (3)
    - hugetlb: limits on hugetlb (3.6 onwards); mm/hugetlb: add new HugeTLB cgroup
    - perf_event: monitoring with the perf tool per group (performance analysis)
    - net_cls: tags packets with an identifier so they can be controlled with traffic control (tc)
    - net_prio: specifies network priority between groups per interface; New in Linux 3.3: Network priority cgroup (1), (2)

  25. Cgroups (4): cgroups can be used without containers at all

        # mount -t tmpfs cgroup_root /sys/fs/cgroup
        # mkdir /sys/fs/cgroup/memory
        # mount -t cgroup -o memory cgroup /sys/fs/cgroup/memory         (mount the memory subsystem)
        # mkdir /sys/fs/cgroup/memory/test01                              (create the group "test01")
        # echo $$ > /sys/fs/cgroup/memory/test01/tasks                    (put the process into the group)
        # cat /sys/fs/cgroup/memory/test01/tasks                          (check the processes in the group)
        2824
        2837
        # echo 30M > /sys/fs/cgroup/memory/test01/memory.limit_in_bytes   (set a 30M memory limit on the group)
        # cat /sys/fs/cgroup/memory/test01/memory.limit_in_bytes          (check the limit)
        31457280
        # cat /sys/fs/cgroup/memory/test01/memory.usage_in_bytes          (check current usage)
        565248

  26. Networking features used by LXC 〜 veth
    - A feature originating from OpenVZ/Virtuozzo
    - Creates a pair of interfaces that communicate with each other (a layer-2 tunnel)
    - One end of the pair is attached to a bridge on the host side, the other to the container (the container-side interface is placed in the container's network namespace, so it is not visible from the host)

  27. Networking features used by LXC 〜 macvlan
    - Creates a new interface with a different MAC address on top of a physical interface, and assigns that interface to the container
    - Close to using the physical interface directly, so the load is low and performance tends to be good
    - Puts the physical interface into promiscuous mode and receives the packets for the MAC addresses in question
    - Has mode settings: private, vepa, bridge
    - (ref) Trying out macvlan (blog post); performance measurement of lxc virtual networks

  28. Latest Linux kernel developments

  29. Linux 3.8: from an LXC point of view, the version in which the main features needed to realize containers came together.

  30. New in Linux 3.8 - User namespaces
    - The answer to the FAQ "what about LXC's security?"
    - However, although it was nominally completed in 3.8, many filesystems lacked the corresponding implementation, so in practice it was unusable; in 3.9 the implementation was completed except for XFS.
    - The mapping is written to the /proc/PID/uid_map and /proc/PID/gid_map files:

        0 100000 10000
        (start of the IDs inside the namespace, start of the IDs outside the namespace, range)

    - (ref) The user namespace feature of Linux 3.8 (1), (2), (3), (4)
  31. New in Linux 3.8 - setns(2) becomes practical (1)
    - Actually a more important new feature than user namespaces
    - Special files designating a namespace exist under /proc/PID/ns. Before 3.8 only the ipc, net and uts files existed there:

        -r-------- 1 root root 0 Mar 1 15:41 ipc
        -r-------- 1 root root 0 Mar 1 15:41 net
        -r-------- 1 root root 0 Mar 1 15:41 uts

    - To put a process into an existing namespace, setns has to be given a file descriptor for one of these special files.
    - So before 3.8, in most cases you could not run a command inside a namespace from outside it.

  32. New in Linux 3.8 - setns(2) becomes practical (2)
    - In 3.8 special links exist for all namespaces:

        lrwxrwxrwx 1 root root 0 3月 1日 14:59 ipc -> ipc:[4026532301]
        lrwxrwxrwx 1 root root 0 3月 1日 15:06 mnt -> mnt:[4026532299]
        lrwxrwxrwx 1 root root 0 3月 1日 15:06 net -> net:[4026532304]
        lrwxrwxrwx 1 root root 0 3月 1日 15:06 pid -> pid:[4026532302]
        lrwxrwxrwx 1 root root 0 3月 1日 15:06 uts -> uts:[4026532300]

    - With 3.8 setns can be called for any namespace, so commands inside a container can be executed from outside it.
    - If two processes belong to the same namespace, the links point to the same inode (easy to check with stat()).
    - (ref) The improved namespace feature in Linux 3.8 and the lxc-attach command
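An added example, not part of the deck: a C program that does the inode check described above, comparing the /proc/PID/ns/<name> links of two processes with stat() to decide whether they share a namespace, and entering a namespace through the setns(2) syscall the way lxc-attach does; it assumes a 3.8-or-later kernel (so the mnt and pid links exist) and the helper names are my own.

```c
/* Added example: decide whether two processes share a namespace by comparing
 * their /proc/PID/ns/<name> links (same inode = same namespace), and enter a
 * namespace with setns(2) the way lxc-attach does. Helper names are my own. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

static const char *const ns_names[] = { "ipc", "mnt", "net", "pid", "uts" };

/* 1 if a and b are in the same `ns` namespace, 0 if not, -1 if a link cannot
 * be stat()ed (no such pid, no permission, or a pre-3.8 kernel lacking it). */
int same_namespace(pid_t a, pid_t b, const char *ns)
{
    char pa[64], pb[64];
    struct stat sa, sb;
    snprintf(pa, sizeof pa, "/proc/%d/ns/%s", (int)a, ns);
    snprintf(pb, sizeof pb, "/proc/%d/ns/%s", (int)b, ns);
    if (stat(pa, &sa) < 0 || stat(pb, &sb) < 0) return -1;
    return sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino;
}

/* Move the calling process into pid's `ns` namespace (needs CAP_SYS_ADMIN in
 * the target user namespace); 0 on success, -1 on failure. The raw syscall
 * is used so the example does not depend on glibc's setns() declaration. */
int enter_namespace(pid_t pid, const char *ns)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)pid, ns);
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    int rc = (int)syscall(SYS_setns, fd, 0);   /* 0: accept any namespace type */
    close(fd);
    return rc;
}

/* Usage: ./nscheck PID  -- reports which namespaces PID shares with us. */
int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s PID\n", argv[0]); return 2; }
    pid_t other = (pid_t)atoi(argv[1]);
    for (size_t i = 0; i < sizeof ns_names / sizeof ns_names[0]; i++) {
        int r = same_namespace(getpid(), other, ns_names[i]);
        printf("%-4s %s\n", ns_names[i],
               r == 1 ? "shared" : r == 0 ? "different" : "unknown");
    }
    return 0;
}
```

Run it against the init PID of a running container (the lxc-start child shown in the pstree output on slide 14) and every namespace is reported as "different"; against a process on the host, all are "shared".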
  33. New in Linux 3.8 - kernel memory support in the memory cgroup
    - Limits on TCP buffers were implemented in 3.3 (quite differently from the rest of the memory controller implementation)
    - Supports accounting of stack and slab memory
    - (ref) Improvements to the memory cgroup in Linux 3.8 (2); New in Linux 3.3: Per-cgroup TCP buffer limits, (2), (3)

  34. New in Linux 3.9
    - The user namespace implementation progresses in various areas:
      - userns: Allow the unprivileged users to mount mqueue fs
      - userns: Allow the userns root to mount of devpts
      - userns: Allow the userns root to mount ramfs.
      - userns: Allow the userns root to mount tmpfs.
      - userns: Allow unprivileged reboot
      - plus the various filesystems other than xfs, etc.
    - Full hierarchy support for the blkio I/O weight controller

  35. New in Linux 3.10
    - Hierarchy support for the perf_event cgroup
    - Propagation of device cgroup access changes to descendants
    - The sane_behavior option
    - Memory pressure level notifications for the memory cgroup

  36. New in Linux 3.10: memory pressure level notifications in the memory cgroup
    - Previously, notifications were available when a configured memory threshold was crossed or when the OOM killer fired.
    - Now memory pressure level notifications can be received in the same way as the existing eventfd-based notifications, with three levels: "low", "medium", "critical".
    - (ref) The memory pressure notification feature added to the memory cgroup in Linux 3.10

  37. New in Linux 3.11
    - Full hierarchy support for blkio I/O throttling, but only when the "sane_behavior" option is set

  38. cgroup redesign 〜 problems with the current cgroups: "the current cgroups are not sane!"
    - (ref) Everything about the Linux kernel: cgroup redesign (original article); (ref) Changes coming for systemd and control groups
    - Deviates considerably from the standard kernel APIs
    - Because it is a filesystem, anyone with access permissions can control the kernel
    - Each subsystem behaves slightly differently
    - Can be mounted in all sorts of places
    - Unnecessarily complex

  39. cgroup redesign
    - But making everything sane while keeping compatibility with the current cgroups is impossible; so, do what can be done for now:
      - a single hierarchy
      - the sane_behavior option: stops subsystem-specific odd behaviour and enforces consistent behaviour; the cgroupfs mount options noprefix and clone_children are no longer allowed; remount is not possible; etc. (ref) cgroup: introduce sane_behavior mount option
    - Have systemd (or other software) create and manage cgroups, so that not just anyone can poke at cgroups directly!

  40. The future of the kernel's container-related features ~ other items
    - User namespace support in XFS (3.12)
    - quota: a topic that comes up periodically; container disk quota (May 2012); I have not followed what happened afterwards
    - Device namespace: DeviceNamespace (Cellrox), apparently developed to switch between multiple environments on mobile devices such as Android; discussion has been picking up around "Device Namespaces" (lxc-devel, containers ML)

  41. The future of the kernel's container-related features ~ other items
    - Syslog namespace: Stepping closer to practical containers: "syslog" namespaces (lwn.net); Add namespace support for syslog
    - Statistics such as memory under /proc
    - Features related to checkpoint/restore are being added frequently

  42. Latest LXC developments

  43. The current state of LXC
    - Ubuntu 12.04 LTS: 0.7.5, but the contents are almost 0.8.0; the security-wise dangerous parts are held down with AppArmor, making it minimally usable for now; sufficient for creating and starting containers yourself for light use
    - Latest version 0.9.0: public API (liblxc) with python3 and lua bindings; seccomp support; hooks at each stage of container start and stop

  44. The current state of LXC development
    - Change of development structure: since the main maintainer Daniel Lezcano is busy, maintainership moved to Serge Hallyn and Stéphane Graber (Ubuntu); the repository also moved from sourceforge to github
    - Finishing touches towards 1.0 are in full swing: currently 1.0 alpha1 (it feels like it was bundled up for Linux Plumbers); October: alpha2, November: alpha3, December: rc1, January: rc2, February: 1.0 final; the target is the next Ubuntu LTS (= 1.0 will be supported for 5 years); new features keep pouring in even after the alpha1 tag, so I cannot predict what it will look like at 1.0 (^_^;)

  45. lxc-1.0 (1): rather than brand-new features, the feeling is of tidying things up so that it is worthy of being 1.0.
    - API clean-up (towards a stable API) and rewriting each command on top of the API
    - New implementation of clone and snapshot: announcing lxc-snapshot (S3hh's Blog)
    - Improved console handling
    - Template improvements and bug fixes
    - First steps towards unprivileged containers (user namespaces): (ref) Creating and using containers – without privilege (S3hh's Blog) ... I tried it but could not get it to work (;_;)
      - lxc-user-nic (creating a veth pair needs privileges on the host side)
      - lxc-usernsexec (starts a program in a user namespace using the defined uid/gid mapping)
      - shadow has to be upgraded at the same time (the newuidmap and newgidmap commands)

  46. lxc-1.0 (2)
    - Storage backends: redesign and clean-up; overlayfs support and clone using overlayfs; zfs support (create, clone, snapshot)
    - Improved monitoring: until now you could not monitor several containers at the same time
    - Building with the Android NDK
    - Japanese man pages (!!)

  47. Closing

  48. Mailing list / translation
    - lxc JP group: relaxed discussion about containers; mail arrives only occasionally. It is called lxc-jp, but any topic is fine, not only LXC.
    - lxc man pages translation: I was doing it at https://github.com/tenforward/lxc-doc-ja, but it has been merged into upstream lxc, so I am thinking about how to proceed with the translation. If you can help, please get in touch. I think it is better to do the translation work elsewhere and send a pull request upstream once a reasonable amount is done.

  49. Talks I would like to hear in the future
    - The container implementation in RHEL7 / libvirt
    - Various docker topics
    - Use cases
    - Deeper talks about container-related implementations
    - Apache Mesos
    - CRIU

  50. <Thank You!>
    - twitter: @ten_forward
    - www: www.ten-forward.ws/
    - github: github.com/tenforward