Linux コンテナの基礎 / 11th CTStudy

Transcript

1. Linux ίϯςφͷجૅ ୈ 11 ճίϯςφܕԾ૝Խͷ৘ใަ׵ձˏେࡕ Ճ౻ହจ 2017-06-17 1

2. ࣗݾ঺հ Ճ౻ହจ • http://www.ten-forward.ws/ • @ten forward • http://gplus.to/tenforward •

   https://github.com/tenforward • http://d.hatena.ne.jp/defiant/ (ٕज़ϒϩά) 2

3. ࣗݾ঺հ ϑΝʔεταʔόɹج൫։ൃ෦ɹॴଐ 3

4. ࣗݾ঺հ • Plamo Linux ϝϯςφ • LXC ͰֶͿίϯςφೖ໳ɹʔܰྔԾ૝Խ؀ڥΛ࣮ݱ͢Δٕज़ gihyo.jp Ͱ࿈ࡌ

   4

5. ࣗݾ঺հ • LXC/LXD ͷ։ൃʹগ͠ࢀՃ • man page ͷ೔ຊޠ༁ • ެࣜϖʔδ

   (linuxcontainers.org) ຋༁ • όάϑΟοΫεͳͲগ͚ͩ͠ίʔυʹ΋ߩݙ • LXD ೔ຊޠϝοηʔδ 5

6. ࠓ೔ͷ໨ඪ ͜ͷޙͷൃද಺༰͕ཧղͰ͖ΔΑ͏ͳલఏ஌ࣝΛ਎ʹ͚ͭΔ • ίϯςφͷ֓ཁΛཧղ͢Δ • Linux Χʔωϧ͕࣋ͭίϯςφΛߏ੒͢ΔͨΊͷओཁͳػೳ Λ֮͑Δ 6

7. ࠓ೔ͷ಺༰ • ίϯςφͷ֓ཁ • Linux ʹ͓͚Δίϯςφͷ࢓૊Έ • Namespace • cgroup

   • ίϯςφͷϑΝΠϧγεςϜ • ·ͱΊ 7

8. ίϯςφ֓ཁ 8

9. ίϯςφͱ͸ ΧʔωϧͷػೳͰ • ִ཭͞ΕۭͨؒͰϓϩηεΛ࣮ߦ͢Δ • ϓϩηεʹରͯ͠Ϧιʔε੍ݶΛઃఆ͢Δ 9

10. ίϯςφͱ͸ • Χʔωϧ͔ΒݟΔͱී௨ʹϓϩηε͕ىಈ͢Δ͚ͩ • ىಈ͢Δࡍʹִ཭Λࢦࣔ͢Δ • ΧʔωϧͷػೳͰ (ෳ਺ͷ) ಠཱۭͨؒ͠Λ࡞Γग़͠ɼϦιʔ εΛ෼ׂɾ෼഑͢Δ

    • ϓϩηεΛάϧʔϓԽͯ͠ଞͱϦιʔεۭؒΛִ཭ • άϧʔϓԽͨ͠ϓϩηεʹର͢ΔϦιʔε੍ݶ • Ծ૝Խͱ͍͏ΑΓʮִ཭Խʯͱݴͬͨ΄͏͕Θ͔Γ΍͍͢ ͔΋ • Ծ૝తͳίϯϐϡʔλɾγεςϜΛ࠶ݱ͢ΔԾ૝Ϛγϯʹର ͯ͠ɺԾ૝తͳ OS ؀ڥΛఏڙ͢Δ • ˠ OS ϨϕϧͷԾ૝Խ 10

11. ىಈͤ͞Δϓϩηε͔ΒΈͨίϯςφ • γεςϜίϯςφ • init Λىಈ͢Δɻී௨ʹ OS ͕ىಈ͢Δͷͱಉ༷ • ΞϓϦέʔγϣϯίϯςφ

    • ୯ҰͷϓϩηεͷΈىಈɻඞཁͳΞϓϦέʔγϣϯͷΈִ཭ ͞Εͨ؀ڥͰ࣮ߦɻ 11

12. ࠓ೔ͷ಺༰ • ίϯςφͷ֓ཁ • Linux ʹ͓͚Δίϯςφͷ࢓૊Έ • Namespace • cgroup

    • ίϯςφͷϑΝΠϧγεςϜ • ωοτϫʔΫؔ࿈ػೳ • ίϯςφͰ࢖͑Δ໘ന͍ػೳ • ·ͱΊ 12

13. Linuxʹ͓͚Δίϯςφͷ࢓ ૊Έ 13

14. Linux ʹ͓͚Δίϯςφ͸Χʔωϧʹʰίϯςφʱ ͱ͍͏୯Ұͷػೳ͕࣮૷͞Ε࣮ͯݱ͍ͯ͠ΔΘ͚ Ͱ͸͋Γ·ͤΜ 14

15. Linux ͰίϯςφΛ࣮ݱ͢ΔͨΊͷػೳ Linux Χʔωϧʹؚ·ΕΔ৭ʑͳػೳΛ૊Έ߹Θͤͯίϯςφ؀ ڥΛ࡞੒͢ΔɻͦΕͧΕͷػೳ͸ίϯςφઐ༻ͷػೳͱ͍͏Θ͚ Ͱ͸ͳ͍ɻ • ϓϩηεΛάϧʔϓԽͯ͠ଞͷάϧʔϓͱִ཭ • OS

    Ϧιʔεͷִ཭ • ˠ Namespace (໊લۭؒ) • άϧʔϓԽͨ͠ϓϩηεʹର͢ΔϦιʔε੍ݶ • ϗετͷ෺ཧϦιʔεʹର͢Δ੍ݶ • ˠ cgroup (control group) 15

16. Linux ͰίϯςφΛ࣮ݱ͢ΔͨΊͷػೳ • ͦͷଞ • ωοτϫʔΫ (veth, macvlan ͳͲ) •

    έʔύϏϦςΟ • chroot (pivot root) • bind mount • Checkpoint/Restore (CRIU) • ͳͲͳͲ 16

17. ࠓ೔ͷ಺༰ • ίϯςφͷ֓ཁ • Linux ʹ͓͚Δίϯςφͷ࢓૊Έ • Namespace • cgroup

    • ίϯςφͷϑΝΠϧγεςϜ • ωοτϫʔΫؔ࿈ػೳ • ίϯςφͰ࢖͑Δ໘ന͍ػೳ • ·ͱΊ 17

18. Linux ʹ͓͚Δίϯςφͷ࢓૊Έ Namespace 18

19. Namespace(໊લۭؒ) • ִ཭͍ͨ͠ OS Ϧιʔε͝ͱʹ Namespace ͕४උ͞ΕΔ • Ұ෦ͷ Namespace

    ͚ͩ࢖༻ִͯ͠཭؀ڥΛ࡞Δ͜ͱ͕Ͱ ͖Δ 19

20. Mount Namespace (2.4.19ʙ) • ϓϩηε͔Βݟ͍͑ͯΔϚ΢ϯτͷू߹ɼૢ࡞Λ෼཭͢Δɽ Namespace ಺ͷ mount, umount ͕ଞͷ

    Namespace ʹӨ ڹΛ༩͑ͳ͍Α͏ʹͰ͖Δ (༩͑ΔΑ͏ʹ΋Ͱ͖Δ) ˠ private/shared/slave • ࢀߟ: • Ϛ΢ϯτ໊લۭؒΛద༻͢Δ (IBM developerWorks) • Mount Namespace and shared subtrees (lwn.net) • Mount namespaces, mount propagation, and unbindable mounts (lwn.net) • Χʔωϧෟଐจॻ (Documentation/filesystems/sharedsubtree.txt) • σϑΥϧτ͸ private ͕ͩɺsystemd ͸/Λ shared ͰϚ΢ϯ τ͢Δ 20

21. UTS Namespace (2.6.19ʙ) • ϗετ໊ͳͲɼuname(2) ͕ฦ͢஋ͷू߹Λ෼཭ɽ setdomainname(2), sethostname(2) Ͱ Namespace

    ಺ͷ ஋ͷΈมߋͰ͖Δ   user$ hostname enterprise --- (͜͜·Ͱϗετͷ Namespace) --- user$ sudo unshare --uts (৽͍͠ Namespace ࡞੒) root# hostname enterprise (ॳظ஋͸ϗετͱಉ͡) root# hostname utsns (ϗετ໊มߋ) root# hostname utsns root# exit logout --- (͔͜͜Βϗετͷ Namespace) --- user$ hostname enterprise   21

22. PID Namespace (2.6.24ʙ) • PID ۭؒͷ෼཭ɽ৽͍͠ PID Namespace Ͱ͸ PID

    1 ͔Β ࢝·Δ PID ׂ͕Γ౰ͯΒΕΔɽ਌͔Βࢠͷ PID Namespace ͸ݟ͑Δ (਌ͷۭؒͷ PID Λ࣋ͭ) ͕ɼࢠ͔Β਌͸ݟ͑ͳ͍ 22

23. IPC Namespace (2.6.19ʙ) • SysV IPC ΦϒδΣΫτɼPOSIX ϝοηʔδΩϡʔͷִ཭  

    # ipcs -q (ϗετͷ Namespace ্ͰϝοηʔδΩϡʔͷ֬ೝ) ------ Message Queues -------- key msqid owner perms used-bytes messages 0x4b79e805 32768 root 644 0 0 # unshare --ipc (৽ͨʹ IPC Namespace ࡞੒) # ipcs -q (৽ͨʹ࡞ͬͨ Namespace ͰΩϡʔΛ֬ೝ͢Δͱଘࡏ͠ͳ͍) ------ Message Queues -------- key msqid owner perms used-bytes messages   23

24. User Namespace (3.8ʙ) • ಠཱͨ͠ UID/GID ۭؒͱ֎෦ۭؒͷϚοϐϯά (ྫ͑͹ɼ ִ཭ۭؒͰ͸ uid/gid

    0/0ɼ֎෦Ͱ͸ 1000/1000 ͱ͔Մೳ ʹͳΔ) • User Namespace ͸ҰൠϢʔβͰ࡞੒Ͱ͖ɺNamespace ಺ ͷಛݖϢʔβ͸ଞͷ Namespace Λ࡞੒Ͱ͖Δ (User Namespace Ҏ֎ͷ Namespace ͸ಛݖ͕ඞཁ) 24

25. Network Namespace (2.6.26ʙ) • ωοτϫʔΫϦιʔεͷִ཭ • ωοτϫʔΫσόΠε • ϧʔςΟϯάςʔϒϧ •

    ιέοτ • ϑΟϧλϦϯά • ΞυϨε 25

26. cgroup Namespace (4.6ʙ) • cgroup ͷִ཭ • /proc/$PID/cgroup ϑΝΠϧ಺ͷ cgroup

    ύε • namespace ಺ͰϚ΢ϯτͨ͠ cgroupfs πϦʔ • (͜ͷ Namespace Ͱ clone(2) ʹ༩͑Δϑϥά (32bit ੔਺) Λ࢖͍͖Γ·ͨ͠ :-) • Ubuntu 16.04 ͷ 4.4 Χʔωϧʹ͸όοΫϙʔτࡁ 26

27. ࠓ೔ͷ಺༰ • ίϯςφͷ֓ཁ • Linux ʹ͓͚Δίϯςφͷ࢓૊Έ • Namespace • cgroup

    • ίϯςφͷϑΝΠϧγεςϜ • ωοτϫʔΫؔ࿈ػೳ • ίϯςφͰ࢖͑Δ໘ന͍ػೳ • ·ͱΊ 27

28. Linux ʹ͓͚Δίϯςφͷ࢓૊Έ cgroup 28

29. cgroup ͱ͸ ϓϩηεΛάϧʔϓԽ͠ɺάϧʔϓʹରͯ͠Ϧιʔε੍ݶΛߦ ͏ɻίϯςφઐ༻ͷ࢓૊ΈͰ͸ͳ͍ɻ 29

30. cgroup ͷαϒγεςϜ • cpu: 2.6.24 • CFS(Completely Fair Scheduler) bandwidth

    controlɽ୯Ґ ࣌ؒ಺ͷάϧʔϓ಺ͷλεΫ͕࣮ߦͰ͖Δ߹ܭ࣌ؒΛ੍ݶ͢ Δ (3.2 Ͱ࣮૷) • ૬ର഑෼ɽάϧʔϓؒͷ CPU ࣌ؒͷׂ౰ͷׂ߹Λࢦఆ͢Δɽ ྫ͑͹ GroupA=100,GroupB=50 ͱ͢Δͱ A:B=2:1 • cpuacct: 2.6.24 • άϧʔϓ಺ͷ CPU ϦιʔεͷϨϙʔτ (CPU ࣌ؒ) • cpuset: 2.6.24 • ׂΓ౰ͯΔ CPU, ϝϞϦϊʔυͷׂ౰ 30

31. cgroup ͷαϒγεςϜ • device: 2.6.26 • σόΠε΁ͷΞΫηεڐՄɼ੍ݶͷࢦఆ • freezer: 2.6.28

    • άϧʔϓ಺ͷϓϩηεΛશͯҰ࣌ఀࢭ͢Δ • memory: 2.6.29 • ϝϞϦϦιʔεͷ੍ݶ (ϢʔβϝϞϦɼΧʔωϧϝϞϦ) • blkio (Block IO): • I/O weight controller(2.6.33 Ҏ߱) άϧʔϓͷ༏ઌ౓Λࢦ ఆ͢Δ • I/O throttling(2.6.37 Ҏ߱) άϧʔϓ಺ͷϓϩηεͷσόΠ εʹର͢Δૢ࡞਺ͷ߹ܭͷࢦఆ • (ࢀߟ)Linux2.6.37 ͷ৽ػೳ “I/O throttling” 31

32. cgroup ͷαϒγεςϜ • hugetlb: 3.6 • cgroup ͔Βͷ hugetlb ͷ࢖༻

    • perf event: 2.6.39 • άϧʔϓ୯ҐͰ perf πʔϧͰϞχλϦϯά (ύϑΥʔϚϯε ղੳ) • net cls: 2.6.29 • ύέοτʹࣝผࢠΛ͚ͭɼτϥϑΟοΫίϯτϩʔϧ (tc) ͱ netfilter(3.14 Ҏ߱) ͰίϯτϩʔϧՄೳʹ • Linux 3.14 Ͱ net cls cgroup ʹ௥Ճ͞Εͨ netfilter ରԠ • net prio: 3.3 • άϧʔϓؒͰͷωοτϫʔΫͷ༏ઌ౓ΛΠϯλʔϑΣʔεຖ ʹࢦఆ͢Δ • Linux 3.3 ͷ৽ػೳ Network priority cgroup • Linux 3.3 ͷ৽ػೳ Network priority cgroup (2) 32

33. cgroup ͷαϒγεςϜ • pids: 4.3 • fork() ΍ clone() ͰىಈͰ͖Δϓϩηε਺Λ੍ݶ͢Δ

    • LXC ͰֶͿίϯςφೖ໳ ୈ 30 ճ Linux Χʔωϧͷίϯς φػೳ [8] ʔ cgroup ͷ pids αϒγεςϜ • rdma: 4.11 • Remote Direct Memory Access 33

34. ࠓ೔ͷ಺༰ • ίϯςφͷ֓ཁ • Linux ʹ͓͚Δίϯςφͷ࢓૊Έ • Namespace • Cgroup

    • ίϯςφͷϑΝΠϧγεςϜ • ωοτϫʔΫؔ࿈ػೳ • ίϯςφͰ࢖͑Δ໘ന͍ػೳ • ·ͱΊ 34

35. Linux ʹ͓͚Δίϯςφͷ࢓૊Έ ίϯςφͷϑΝΠϧγεςϜ 35

36. ίϯςφͷϑΝΠϧγεςϜ • ϗετͱಉ͡ϑΝΠϧγεςϜɾσΟϨΫτϦπϦʔΛ࢖͑ Δ৔߹͸ߟྀͷඞཁ͸ͳ͍͕ʜ • ίϯςφ಺ͰͷΈ࢖͑Διϑτ΢ΣΞ΍ϥΠϒϥϦΛೖΕ ͍ͨʜ • ίϯςφઐ༻ͷπϦʔΛ࣋ͬͯಠࣗͷύοέʔδ؅ཧ͕͠ ͍ͨʜ

    36

37. chroot chroot = “Change Root”ɻΈ͔͚ͷϧʔτσΟϨΫτϦΛผͷ σΟϨΫτϦʹҠಈͤ͞Δɻ • ͋ΔσΟϨΫτϦҎԼʹಠཱͨ͠σΟϨΫτϦπϦʔΛߏங ͢Δ •

    ͋Β͔͡Ί४උ͞ΕͨΠϝʔδϑΝΠϧΛऔಘͯ͠ల։ • debootstrap ίϚϯυͳͲͷπʔϧΛ࢖༻ͯ͠࡞੒ • ͦͷσΟϨΫτϦΛ root(/) ʹ͢Δ • ࣮ࡍͷίϯςφ࣮૷Ͱ͸ chroot Ͱ͸ͳ͘ɺpivot root ͕࢖ ΘΕͨΓ͢Δ • pivot root: root ϑΝΠϧγεςϜͷมߋ (man 2 pivot root) 37

38. chroot   $ sudo mkdir -p /path/to/test/rootfs $ cd

    /path/to/test $ sudo wget https://download.openvz.org/template/precreated/debian-7.0-x86_64-minimal.tar.gz $ cd rootfs && tar xvf ../debian-7.0-x86_64-minimal.tar.gz $ sudo chroot $PWD /bin/bash # lsb_release -a No LSB modules are available. Distributor ID: Debian Description: Debian GNU/Linux 7.11 (wheezy) Release: 7.11 Codename: wheezy   38

39. bind mount • Ϛ΢ϯτ͞Ε͍ͯΔπϦʔͷҰ෦Λผͷ৔ॴʹϚ΢ϯτ͢Δ ྫ) ΧϨϯτσΟϨΫτϦҎԼʹ/usr,/lib64,/bin Λ bind mount ͠ɺͦͷޙ

    chroot ͢Δ   $ sudo mkdir -p /tmp/test/{usr,lib64,bin} $ cd /tmp/test $ sudo mount --bind /bin ./bin $ sudo mount --bind /usr ./usr $ sudo mount --bind /lib64 ./lib64 $ sudo chroot $PWD /bin/bash # ls -F bin/ lib64/ usr/   39

40. ·ͱΊ 40

41. ·ͱΊ • ίϯςφͷ֓ཁ • Linux ʹ͓͚Δίϯςφͷ࢓૊Έ • ίϯςφ͸Χʔωϧʹ࣮૷͞Ε͍ͯΔ৭ʑͳػೳͷ૊Έ߹Θ ͤͰ࣮ݱ͞Ε͍ͯΔ •

    Namespace • OS Ϧιʔεͷִ཭ • cgroup • ϗετͷ෺ཧϦιʔεͷ੍ݶ • ίϯςφͷϑΝΠϧγεςϜ • chroot/pivot root • bind mount • ωοτϫʔΫؔ࿈ػೳ • veth • macvlan • ίϯςφͰ࢖͑Δ໘ന͍ػೳ 41

42. ͝ਗ਼ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠ 42