Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
ランタイムとcgroupの xxxな関係 / bpf_get_current_cgroup_i...
Search
KONDO Uchio
January 28, 2021
Technology
0
1.2k
ランタイムとcgroupの xxxな関係 / bpf_get_current_cgroup_id(void) and modern container runtimes
Container Runtime Meetup #3
https://runtime.connpass.com/event/198071/
KONDO Uchio
January 28, 2021
Tweet
Share
More Decks by KONDO Uchio
See All by KONDO Uchio
大規模レガシーテストを 倒すための CI基盤の作り方 / #CICD2023
udzura
5
2.3k
Ruby x BPF in Action / RubyKaigi 2022
udzura
0
200
Narrative of Ruby & Rust
udzura
0
180
開発者生産性指標の可視化 / pepabo-four-keys
udzura
3
1.6k
Talk of RBS
udzura
0
400
Re: みなさん最近どうですか? / FGN tech meetup in 2021
udzura
0
710
Dockerとやわらかい仮想化 - ProSec-IT/SECKUN 2021 edition -
udzura
2
680
Device access filtering in cgroup v2
udzura
1
780
"Story of Rucy" on RubyKaigi takeout 2021
udzura
0
730
Other Decks in Technology
See All in Technology
統計データで2024年の クラウド・インフラ動向を眺める
ysknsid25
2
840
マイクロサービスにおける容易なトランザクション管理に向けて
scalar
0
120
PHPからGoへのマイグレーション for DMMアフィリエイト
yabakokobayashi
1
170
re:Invent をおうちで楽しんでみた ~CloudWatch のオブザーバビリティ機能がスゴい!/ Enjoyed AWS re:Invent from Home and CloudWatch Observability Feature is Amazing!
yuj1osm
0
120
NilAway による静的解析で「10 億ドル」を節約する #kyotogo / Kyoto Go 56th
ytaka23
3
380
WACATE2024冬セッション資料(ユーザビリティ)
scarletplover
0
190
LINEヤフーのフロントエンド組織・体制の紹介【24年12月】
lycorp_recruit_jp
0
530
Jetpack Composeで始めるServer Cache State
ogaclejapan
2
170
生成AIをより賢く エンジニアのための RAG入門 - Oracle AI Jam Session #20
kutsushitaneko
4
220
Fanstaの1年を大解剖! 一人SREはどこまでできるのか!?
syossan27
2
160
小学3年生夏休みの自由研究「夏休みに Copilot で遊んでみた」
taichinakamura
0
150
私なりのAIのご紹介 [2024年版]
qt_luigi
1
120
Featured
See All Featured
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
38
1.9k
The Art of Programming - Codeland 2020
erikaheidi
53
13k
Raft: Consensus for Rubyists
vanstee
137
6.7k
Building Flexible Design Systems
yeseniaperezcruz
327
38k
For a Future-Friendly Web
brad_frost
175
9.4k
VelocityConf: Rendering Performance Case Studies
addyosmani
326
24k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
191
16k
Making Projects Easy
brettharned
116
5.9k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
127
18k
How STYLIGHT went responsive
nonsquared
95
5.2k
Fashionably flexible responsive web design (full day workshop)
malarkey
405
66k
Transcript
bpf_get_current_cgroup_id(void) を添えて Uchio Kondo / Container Runtime Meetup #3 ランタイムとcgroupの
xxxな関係 * Photo by Fukuoka City
γχΞɾϓϦϯγύϧΤϯδχΞ ۙ౻ Ӊஐ࿕ / @udzura https://blog.udzura.jp/ Uchio Kondo ٕज़෦ ٕज़ج൫νʔϜ
#Ruby #mruby #Containers #eBPF #CRIU #Seccomp #RubyKaigi #CloudNativeDays #Zumba #γϨϯ
ToC •τϨʔγϯάͱ eBPF •ίϯςφΛτϨʔε͢ΔͨΊͷલఏࣝ •eBPF ͰͷίϯςφͱϨʔεͷ࣮ࡍ •ίϯςφϥϯλΠϜͷରԠ •ʢ͓·͚ʣBPF CO-RE
eBPF and Containers
eBPF ͷ •https://speakerdeck.com/chikuwait/learn-ebpf
eBPF ͱԿ͔ •ϢʔβۭؒͰ࡞ͬͨϓϩάϥϜΛΧʔωϧͰಈ͔ٕ͢ज़ͷͻͱͭ •ϑΟϧλϦϯά͕ಘҙʢtcpdump, seccomp, bpftraceʣ •ΧʔωϧͷใʹΞΫηεͰ͖Δ͕ɺةݥͳίʔυಈ͔ͳ͍ͳͲ ҆શੑ͕͋Δఔ୲อ͞Ε͍ͯΔ
τϨʔεπʔϧͷར༻ •bpftrace •BCC •BPF Performance Tools • execsnoop, runqlat, tcplife...
• http://www.brendangregg.com/bpf-performance-tools-book.html
ίϯςφΛτϨʔε͍ͨ͠ •લఏࣝ2ͭ •Linux Namespace •cgroup (v1/v2)
Linux Namespaceʢ໊લۭؒʣ •OSͷதͷҰ෦ͷ໊લۭؒΛΓग़͠ɺ ಠཱͨ͠Ϧιʔεʢϗετ໊ɺωοτϫʔΫɺPIDͷ࠾൪ɺϚϯτ ϙΠϯτͳͲʣΛ࣋ͨͤΔٕज़ɻ IUUQTDPOUBJOFSTFDVSJUZEFWOBNFTQBDF
cgroup (Control Groups) •ϓϩηεΛάϧʔϓԽ͠ɺͦͷ୯ҐͰϦιʔεͷར༻ʢCPUɺϝϞ ϦɺϒϩοΫI/OɺϓϩηεʣΛ੍ݶ͢Δɻ •rlimitͱҧ͍ϢʔβΛލ͍ͰॴଐՄೳɺ·ͨλεΫͷॴଐάϧʔϓ ॊೈʹม͑ΒΕΔ •v1/v2͕͋Δ (v2=2014/8~ Linux
3.16) IUUQTDPOUBJOFSTFDVSJUZEFWDHSPVQɹ
Implementations
eBPFͰίϯςφΛτϨʔε͢Δ •ઓུ͕͍͔ͭ͋͘Δ •Linux Namespace·ͨcgroup (v2)ͷใ͕ར༻Ͱ͖Δ
ઓུ(1) •task_struct→nsproxy ͔Β namespaceͷใΛ औಘͯ͠ϑΟϧλ͢Δ ʢcxrayʣ IUUQTHJUIVCDPNNSUDDYSBZCMPCNBTUFSQLHUSBDFSPQFOPQFOHP--
ઓུ(2) •BPFϓϩάϥϜͰऔಘͰ͖ͨ tidͱɺϗετͰͷtidΛ ൺֱ͠ɺҰக͠ͳ͚Ε ίϯςφͱఆ͢Δ ʢTraceeʣ • tasuk_structґଘ IUUQTHJUIVCDPNBRVBTFDVSJUZUSBDFFCMPCNBJOUSBDFFUSBDFFCQGD-ɹ
ઓུ(3) •cgroup v2ͷIDΛϗετͱൺֱ͢Δ •bpf-helpers(7)
࣮ࡍʹͬͯΈ࣮ͨྫ •udzura/copenclose(8)
6TJOHIPTUOBNF 654/4 6TJOH$(SPVQW*%
cgroup v2
ϥϯλΠϜͷରԠঢ়گ •Suda͞Μͷهࣄ͕ৄ͍͠Ͱ͢… (https://medium.com/nttlabs/cgroup-v2-596d035be4d7) •ͱ͍͑ɺ2021ݱࡏͷঢ়گΛ؆୯ʹௐࠪ͠·ͨ͠
ϥϯλΠϜͱcgroupͷઃఆ •Cgroup Driver: ίϯςφʹׂΓͯΔcgroupΛͲ͏ίϯτϩʔϧ͢Δ͔ •cgroupfs: cgroupfsͷͷϑΝΠϧૢ࡞ •systemd: systemdʹΑΔཧ •Cgroup Version:
Ϧιʔε੍ݶʹ v1/v2 ͲͪΒΛར༻͢Δ͔ •/sys/fs/cgroup ʹͲͷϑΝΠϧγεςϜ͕Ϛϯτ͞ΕͯΔ͔Ͱఆ •ʢdocker/containerd ͷ߹ɻpodmanಉ༷ʁʣ
v2ΛͲ͏͏? •ϗετΛv2Ϟʔυʹ͢ΔʹɺΧʔωϧىಈύϥϝʔλͷมߋ͕ඞཁ... •ϗετLinuxΛv1/v2ڞଘڥͰىಈ͍ͯ͠Δ߹Version=v1ͱఆ͞ΕΔ •CGroup Driver=systemdʹ͢Είϯςφv2ͷάϧʔϓʹॴଐ͢Δ Α͏ʹͳΔʂ systemd͕ͬͯ͘ΕΔ༷ʁ •੍ݶͷॻ͖ࠐΈv1ͷAPI͕ΘΕΔ •άϧʔϓIDɺී௨ʹऔಘͰ͖ΔΑ͏ʹͳΔ
֤ίϯςφϥϯλΠϜͰͷରԠঢ়گ •ߴϨϕϧϥϯλΠϜɺCgroup DriverͷઃఆมߋखॱΛܝࣔ͢Δɻ •ϨϕϧϥϯλΠϜͷରԠঢ়گΛࢀߟʹܝࡌ͢Δ
ߴϨϕϧϥϯλΠϜ •docker: •podman: σϑΥϧτͰsystemdɻ໌ࣔ: •containerd: ྫ: •FYI: ఆखॱ
ϨϕϧϥϯλΠϜ •runc, crun •Cgroup v2/systemd driverʹରԠࡁΈ •runsc (gVisor) •ରԠͷͨΊͷIssueཱ͍ͬͯΔ •ݱঢ়Τϥʔͷ༷
IUUQTHJUIVCDPNHPPHMFHWJTPSJTTVFT $ sudo podman run --runtime `which runsc` -dt -p 10184:80/tcp httpd:2.4 Error: OCI runtime error: systemd cgroup flag passed, but systemd cgroups not supported. See gvisor.dev/issue/193
·ͱΊ •֤छϥϯλΠϜ͢Ͱʹv2Ͱಈ͘ •cgroupidͷऔಘͳΒ͙͢ʹͰઃఆͯ͠Ͱ͖Δঢ়ଶ •cAdvisorͳͲରԠΛਐΊ͍ͯΔ •τϨʔεͪΖΜɺPSI͑Δ͠ rootless kubernetes ͷເ... Զ ͨͪͷݥ࢝·͔ͬͨΓͩ
IUUQTHJUIVCDPNHPPHMFDBEWJTPSQVMM
͓·͚: BPF CO-REόΠφϦ •eBPF ToolΛίϯςφ෦Ͱಈ͔͢ͷେม... •BPF CO-REͱ͍͏ٕज़ͰɺϓϨίϯύΠϧࡁΈͷBPFόΠφϦΛಈ͔ ͤΔɺΧʔωϧͷϔομϑΝΠϧclangίϚϯυʹґଘͤͣಈ࡞͢Δ •͔͠͠࠷৽ͷΧʔωϧʴ৽͍͠CONFIG͕ඞཁ...
πʔϧͷಈ࡞ڥྫ
ࢀߟ: ಈ࡞ڥ IUUQTHJTUHJUIVCDPNVE[VSBBFEDCDBEFG •ࠓݕূͨ͠ڥҎԼʹ·ͱΊ·ͨ͠ɻUbuntu 20.10ϕʔε