Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
ランタイムとcgroupの xxxな関係 / bpf_get_current_cgroup_i...
Search
KONDO Uchio
January 28, 2021
Technology
0
1.3k
ランタイムとcgroupの xxxな関係 / bpf_get_current_cgroup_id(void) and modern container runtimes
Container Runtime Meetup #3
https://runtime.connpass.com/event/198071/
KONDO Uchio
January 28, 2021
Tweet
Share
More Decks by KONDO Uchio
See All by KONDO Uchio
大規模レガシーテストを 倒すための CI基盤の作り方 / #CICD2023
udzura
5
2.4k
Ruby x BPF in Action / RubyKaigi 2022
udzura
0
250
Narrative of Ruby & Rust
udzura
0
220
開発者生産性指標の可視化 / pepabo-four-keys
udzura
3
1.7k
Talk of RBS
udzura
0
450
Re: みなさん最近どうですか? / FGN tech meetup in 2021
udzura
0
780
Dockerとやわらかい仮想化 - ProSec-IT/SECKUN 2021 edition -
udzura
2
730
Device access filtering in cgroup v2
udzura
1
920
"Story of Rucy" on RubyKaigi takeout 2021
udzura
0
840
Other Decks in Technology
See All in Technology
united airlines ™®️ USA Contact Numbers: Complete 2025 Support Guide
flyunitedhelp
1
470
SRE不在の開発チームが障害対応と 向き合った100日間 / 100 days dealing with issues without SREs
shin1988
2
2.1k
CDKコード品質UP!ナイスな自作コンストラクタを作るための便利インターフェース
harukasakihara
2
240
An introduction to Claude Code SDK
choplin
2
1.1k
AWS 怖い話 WAF編 @fillz_noh #AWSStartup #AWSStartup_Kansai
fillznoh
0
130
ソフトウェアQAがハードウェアの人になったの
mineo_matsuya
3
200
CDK Vibe Coding Fes
tomoki10
1
630
AI Ready API ─ AI時代に求められるAPI設計とは?/ AI-Ready API - Designing MCP and APIs in the AI Era
yokawasa
8
2.1k
Delegating the chores of authenticating users to Keycloak
ahus1
0
190
サービスを止めるな! DDoS攻撃へのスマートな備えと最前線の事例
coconala_engineer
1
180
LLM拡張解体新書/llm-extension-deep-dive
oracle4engineer
PRO
23
6.3k
〜『世界中の家族のこころのインフラ』を目指して”次の10年”へ〜 SREが導いたグローバルサービスの信頼性向上戦略とその舞台裏 / Towards the Next Decade: Enhancing Global Service Reliability
kohbis
3
1.5k
Featured
See All Featured
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.7k
Become a Pro
speakerdeck
PRO
29
5.4k
Being A Developer After 40
akosma
90
590k
Build your cross-platform service in a week with App Engine
jlugia
231
18k
Fantastic passwords and where to find them - at NoRuKo
philnash
51
3.3k
Code Reviewing Like a Champion
maltzj
524
40k
Designing Experiences People Love
moore
142
24k
Done Done
chrislema
184
16k
Navigating Team Friction
lara
187
15k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
Faster Mobile Websites
deanohume
308
31k
Designing for Performance
lara
610
69k
Transcript
bpf_get_current_cgroup_id(void) を添えて Uchio Kondo / Container Runtime Meetup #3 ランタイムとcgroupの
xxxな関係 * Photo by Fukuoka City
γχΞɾϓϦϯγύϧΤϯδχΞ ۙ౻ Ӊஐ࿕ / @udzura https://blog.udzura.jp/ Uchio Kondo ٕज़෦ ٕज़ج൫νʔϜ
#Ruby #mruby #Containers #eBPF #CRIU #Seccomp #RubyKaigi #CloudNativeDays #Zumba #γϨϯ
ToC •τϨʔγϯάͱ eBPF •ίϯςφΛτϨʔε͢ΔͨΊͷલఏࣝ •eBPF ͰͷίϯςφͱϨʔεͷ࣮ࡍ •ίϯςφϥϯλΠϜͷରԠ •ʢ͓·͚ʣBPF CO-RE
eBPF and Containers
eBPF ͷ •https://speakerdeck.com/chikuwait/learn-ebpf
eBPF ͱԿ͔ •ϢʔβۭؒͰ࡞ͬͨϓϩάϥϜΛΧʔωϧͰಈ͔ٕ͢ज़ͷͻͱͭ •ϑΟϧλϦϯά͕ಘҙʢtcpdump, seccomp, bpftraceʣ •ΧʔωϧͷใʹΞΫηεͰ͖Δ͕ɺةݥͳίʔυಈ͔ͳ͍ͳͲ ҆શੑ͕͋Δఔ୲อ͞Ε͍ͯΔ
τϨʔεπʔϧͷར༻ •bpftrace •BCC •BPF Performance Tools • execsnoop, runqlat, tcplife...
• http://www.brendangregg.com/bpf-performance-tools-book.html
ίϯςφΛτϨʔε͍ͨ͠ •લఏࣝ2ͭ •Linux Namespace •cgroup (v1/v2)
Linux Namespaceʢ໊લۭؒʣ •OSͷதͷҰ෦ͷ໊લۭؒΛΓग़͠ɺ ಠཱͨ͠Ϧιʔεʢϗετ໊ɺωοτϫʔΫɺPIDͷ࠾൪ɺϚϯτ ϙΠϯτͳͲʣΛ࣋ͨͤΔٕज़ɻ IUUQTDPOUBJOFSTFDVSJUZEFWOBNFTQBDF
cgroup (Control Groups) •ϓϩηεΛάϧʔϓԽ͠ɺͦͷ୯ҐͰϦιʔεͷར༻ʢCPUɺϝϞ ϦɺϒϩοΫI/OɺϓϩηεʣΛ੍ݶ͢Δɻ •rlimitͱҧ͍ϢʔβΛލ͍ͰॴଐՄೳɺ·ͨλεΫͷॴଐάϧʔϓ ॊೈʹม͑ΒΕΔ •v1/v2͕͋Δ (v2=2014/8~ Linux
3.16) IUUQTDPOUBJOFSTFDVSJUZEFWDHSPVQɹ
Implementations
eBPFͰίϯςφΛτϨʔε͢Δ •ઓུ͕͍͔ͭ͋͘Δ •Linux Namespace·ͨcgroup (v2)ͷใ͕ར༻Ͱ͖Δ
ઓུ(1) •task_struct→nsproxy ͔Β namespaceͷใΛ औಘͯ͠ϑΟϧλ͢Δ ʢcxrayʣ IUUQTHJUIVCDPNNSUDDYSBZCMPCNBTUFSQLHUSBDFSPQFOPQFOHP--
ઓུ(2) •BPFϓϩάϥϜͰऔಘͰ͖ͨ tidͱɺϗετͰͷtidΛ ൺֱ͠ɺҰக͠ͳ͚Ε ίϯςφͱఆ͢Δ ʢTraceeʣ • tasuk_structґଘ IUUQTHJUIVCDPNBRVBTFDVSJUZUSBDFFCMPCNBJOUSBDFFUSBDFFCQGD-ɹ
ઓུ(3) •cgroup v2ͷIDΛϗετͱൺֱ͢Δ •bpf-helpers(7)
࣮ࡍʹͬͯΈ࣮ͨྫ •udzura/copenclose(8)
6TJOHIPTUOBNF 654/4 6TJOH$(SPVQW*%
cgroup v2
ϥϯλΠϜͷରԠঢ়گ •Suda͞Μͷهࣄ͕ৄ͍͠Ͱ͢… (https://medium.com/nttlabs/cgroup-v2-596d035be4d7) •ͱ͍͑ɺ2021ݱࡏͷঢ়گΛ؆୯ʹௐࠪ͠·ͨ͠
ϥϯλΠϜͱcgroupͷઃఆ •Cgroup Driver: ίϯςφʹׂΓͯΔcgroupΛͲ͏ίϯτϩʔϧ͢Δ͔ •cgroupfs: cgroupfsͷͷϑΝΠϧૢ࡞ •systemd: systemdʹΑΔཧ •Cgroup Version:
Ϧιʔε੍ݶʹ v1/v2 ͲͪΒΛར༻͢Δ͔ •/sys/fs/cgroup ʹͲͷϑΝΠϧγεςϜ͕Ϛϯτ͞ΕͯΔ͔Ͱఆ •ʢdocker/containerd ͷ߹ɻpodmanಉ༷ʁʣ
v2ΛͲ͏͏? •ϗετΛv2Ϟʔυʹ͢ΔʹɺΧʔωϧىಈύϥϝʔλͷมߋ͕ඞཁ... •ϗετLinuxΛv1/v2ڞଘڥͰىಈ͍ͯ͠Δ߹Version=v1ͱఆ͞ΕΔ •CGroup Driver=systemdʹ͢Είϯςφv2ͷάϧʔϓʹॴଐ͢Δ Α͏ʹͳΔʂ systemd͕ͬͯ͘ΕΔ༷ʁ •੍ݶͷॻ͖ࠐΈv1ͷAPI͕ΘΕΔ •άϧʔϓIDɺී௨ʹऔಘͰ͖ΔΑ͏ʹͳΔ
֤ίϯςφϥϯλΠϜͰͷରԠঢ়گ •ߴϨϕϧϥϯλΠϜɺCgroup DriverͷઃఆมߋखॱΛܝࣔ͢Δɻ •ϨϕϧϥϯλΠϜͷରԠঢ়گΛࢀߟʹܝࡌ͢Δ
ߴϨϕϧϥϯλΠϜ •docker: •podman: σϑΥϧτͰsystemdɻ໌ࣔ: •containerd: ྫ: •FYI: ఆखॱ
ϨϕϧϥϯλΠϜ •runc, crun •Cgroup v2/systemd driverʹରԠࡁΈ •runsc (gVisor) •ରԠͷͨΊͷIssueཱ͍ͬͯΔ •ݱঢ়Τϥʔͷ༷
IUUQTHJUIVCDPNHPPHMFHWJTPSJTTVFT $ sudo podman run --runtime `which runsc` -dt -p 10184:80/tcp httpd:2.4 Error: OCI runtime error: systemd cgroup flag passed, but systemd cgroups not supported. See gvisor.dev/issue/193
·ͱΊ •֤छϥϯλΠϜ͢Ͱʹv2Ͱಈ͘ •cgroupidͷऔಘͳΒ͙͢ʹͰઃఆͯ͠Ͱ͖Δঢ়ଶ •cAdvisorͳͲରԠΛਐΊ͍ͯΔ •τϨʔεͪΖΜɺPSI͑Δ͠ rootless kubernetes ͷເ... Զ ͨͪͷݥ࢝·͔ͬͨΓͩ
IUUQTHJUIVCDPNHPPHMFDBEWJTPSQVMM
͓·͚: BPF CO-REόΠφϦ •eBPF ToolΛίϯςφ෦Ͱಈ͔͢ͷେม... •BPF CO-REͱ͍͏ٕज़ͰɺϓϨίϯύΠϧࡁΈͷBPFόΠφϦΛಈ͔ ͤΔɺΧʔωϧͷϔομϑΝΠϧclangίϚϯυʹґଘͤͣಈ࡞͢Δ •͔͠͠࠷৽ͷΧʔωϧʴ৽͍͠CONFIG͕ඞཁ...
πʔϧͷಈ࡞ڥྫ
ࢀߟ: ಈ࡞ڥ IUUQTHJTUHJUIVCDPNVE[VSBBFEDCDBEFG •ࠓݕূͨ͠ڥҎԼʹ·ͱΊ·ͨ͠ɻUbuntu 20.10ϕʔε