Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
ランタイムとcgroupの xxxな関係 / bpf_get_current_cgroup_i...
Search
KONDO Uchio
January 28, 2021
Technology
0
1.3k
ランタイムとcgroupの xxxな関係 / bpf_get_current_cgroup_id(void) and modern container runtimes
Container Runtime Meetup #3
https://runtime.connpass.com/event/198071/
KONDO Uchio
January 28, 2021
Tweet
Share
More Decks by KONDO Uchio
See All by KONDO Uchio
大規模レガシーテストを 倒すための CI基盤の作り方 / #CICD2023
udzura
5
2.4k
Ruby x BPF in Action / RubyKaigi 2022
udzura
0
250
Narrative of Ruby & Rust
udzura
0
220
開発者生産性指標の可視化 / pepabo-four-keys
udzura
3
1.7k
Talk of RBS
udzura
0
450
Re: みなさん最近どうですか? / FGN tech meetup in 2021
udzura
0
780
Dockerとやわらかい仮想化 - ProSec-IT/SECKUN 2021 edition -
udzura
2
730
Device access filtering in cgroup v2
udzura
1
920
"Story of Rucy" on RubyKaigi takeout 2021
udzura
0
840
Other Decks in Technology
See All in Technology
ClaudeCode_vs_GeminiCLI_Terraformで比較してみた
tkikuchi
1
150
助けて! XからWaylandに移行しないと新しいGNOMEが使えなくなっちゃう 2025-07-12
nobutomurata
2
180
How to Quickly Call American Airlines®️ U.S. Customer Care : Full Guide
flyaahelpguide
0
240
Four Keysから始める信頼性の改善 - SRE NEXT 2025
ozakikota
0
310
Digitization部 紹介資料
sansan33
PRO
1
4.5k
ClaudeCodeにキレない技術
gtnao
1
800
安定した基盤システムのためのライブラリ選定
kakehashi
PRO
3
120
Figma Dev Mode MCP Serverを用いたUI開発
zoothezoo
0
160
公開初日に Gemini CLI を試した話や FFmpeg と組み合わせてみた話など / Gemini CLI 初学者勉強会(#AI道場)
you
PRO
0
1.2k
SREの次のキャリアの道しるべ 〜SREがマネジメントレイヤーに挑戦して、 気づいたこととTips〜
coconala_engineer
1
3.9k
AI エージェントと考え直すデータ基盤
na0
19
7.6k
AWS 怖い話 WAF編 @fillz_noh #AWSStartup #AWSStartup_Kansai
fillznoh
0
110
Featured
See All Featured
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
60k
Facilitating Awesome Meetings
lara
54
6.5k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
26k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
357
30k
Why You Should Never Use an ORM
jnunemaker
PRO
58
9.4k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.4k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
26
2.9k
Code Review Best Practice
trishagee
69
19k
Become a Pro
speakerdeck
PRO
29
5.4k
Bash Introduction
62gerente
613
210k
Building Better People: How to give real-time feedback that sticks.
wjessup
367
19k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
248
1.3M
Transcript
bpf_get_current_cgroup_id(void) を添えて Uchio Kondo / Container Runtime Meetup #3 ランタイムとcgroupの
xxxな関係 * Photo by Fukuoka City
γχΞɾϓϦϯγύϧΤϯδχΞ ۙ౻ Ӊஐ࿕ / @udzura https://blog.udzura.jp/ Uchio Kondo ٕज़෦ ٕज़ج൫νʔϜ
#Ruby #mruby #Containers #eBPF #CRIU #Seccomp #RubyKaigi #CloudNativeDays #Zumba #γϨϯ
ToC •τϨʔγϯάͱ eBPF •ίϯςφΛτϨʔε͢ΔͨΊͷલఏࣝ •eBPF ͰͷίϯςφͱϨʔεͷ࣮ࡍ •ίϯςφϥϯλΠϜͷରԠ •ʢ͓·͚ʣBPF CO-RE
eBPF and Containers
eBPF ͷ •https://speakerdeck.com/chikuwait/learn-ebpf
eBPF ͱԿ͔ •ϢʔβۭؒͰ࡞ͬͨϓϩάϥϜΛΧʔωϧͰಈ͔ٕ͢ज़ͷͻͱͭ •ϑΟϧλϦϯά͕ಘҙʢtcpdump, seccomp, bpftraceʣ •ΧʔωϧͷใʹΞΫηεͰ͖Δ͕ɺةݥͳίʔυಈ͔ͳ͍ͳͲ ҆શੑ͕͋Δఔ୲อ͞Ε͍ͯΔ
τϨʔεπʔϧͷར༻ •bpftrace •BCC •BPF Performance Tools • execsnoop, runqlat, tcplife...
• http://www.brendangregg.com/bpf-performance-tools-book.html
ίϯςφΛτϨʔε͍ͨ͠ •લఏࣝ2ͭ •Linux Namespace •cgroup (v1/v2)
Linux Namespaceʢ໊લۭؒʣ •OSͷதͷҰ෦ͷ໊લۭؒΛΓग़͠ɺ ಠཱͨ͠Ϧιʔεʢϗετ໊ɺωοτϫʔΫɺPIDͷ࠾൪ɺϚϯτ ϙΠϯτͳͲʣΛ࣋ͨͤΔٕज़ɻ IUUQTDPOUBJOFSTFDVSJUZEFWOBNFTQBDF
cgroup (Control Groups) •ϓϩηεΛάϧʔϓԽ͠ɺͦͷ୯ҐͰϦιʔεͷར༻ʢCPUɺϝϞ ϦɺϒϩοΫI/OɺϓϩηεʣΛ੍ݶ͢Δɻ •rlimitͱҧ͍ϢʔβΛލ͍ͰॴଐՄೳɺ·ͨλεΫͷॴଐάϧʔϓ ॊೈʹม͑ΒΕΔ •v1/v2͕͋Δ (v2=2014/8~ Linux
3.16) IUUQTDPOUBJOFSTFDVSJUZEFWDHSPVQɹ
Implementations
eBPFͰίϯςφΛτϨʔε͢Δ •ઓུ͕͍͔ͭ͋͘Δ •Linux Namespace·ͨcgroup (v2)ͷใ͕ར༻Ͱ͖Δ
ઓུ(1) •task_struct→nsproxy ͔Β namespaceͷใΛ औಘͯ͠ϑΟϧλ͢Δ ʢcxrayʣ IUUQTHJUIVCDPNNSUDDYSBZCMPCNBTUFSQLHUSBDFSPQFOPQFOHP--
ઓུ(2) •BPFϓϩάϥϜͰऔಘͰ͖ͨ tidͱɺϗετͰͷtidΛ ൺֱ͠ɺҰக͠ͳ͚Ε ίϯςφͱఆ͢Δ ʢTraceeʣ • tasuk_structґଘ IUUQTHJUIVCDPNBRVBTFDVSJUZUSBDFFCMPCNBJOUSBDFFUSBDFFCQGD-ɹ
ઓུ(3) •cgroup v2ͷIDΛϗετͱൺֱ͢Δ •bpf-helpers(7)
࣮ࡍʹͬͯΈ࣮ͨྫ •udzura/copenclose(8)
6TJOHIPTUOBNF 654/4 6TJOH$(SPVQW*%
cgroup v2
ϥϯλΠϜͷରԠঢ়گ •Suda͞Μͷهࣄ͕ৄ͍͠Ͱ͢… (https://medium.com/nttlabs/cgroup-v2-596d035be4d7) •ͱ͍͑ɺ2021ݱࡏͷঢ়گΛ؆୯ʹௐࠪ͠·ͨ͠
ϥϯλΠϜͱcgroupͷઃఆ •Cgroup Driver: ίϯςφʹׂΓͯΔcgroupΛͲ͏ίϯτϩʔϧ͢Δ͔ •cgroupfs: cgroupfsͷͷϑΝΠϧૢ࡞ •systemd: systemdʹΑΔཧ •Cgroup Version:
Ϧιʔε੍ݶʹ v1/v2 ͲͪΒΛར༻͢Δ͔ •/sys/fs/cgroup ʹͲͷϑΝΠϧγεςϜ͕Ϛϯτ͞ΕͯΔ͔Ͱఆ •ʢdocker/containerd ͷ߹ɻpodmanಉ༷ʁʣ
v2ΛͲ͏͏? •ϗετΛv2Ϟʔυʹ͢ΔʹɺΧʔωϧىಈύϥϝʔλͷมߋ͕ඞཁ... •ϗετLinuxΛv1/v2ڞଘڥͰىಈ͍ͯ͠Δ߹Version=v1ͱఆ͞ΕΔ •CGroup Driver=systemdʹ͢Είϯςφv2ͷάϧʔϓʹॴଐ͢Δ Α͏ʹͳΔʂ systemd͕ͬͯ͘ΕΔ༷ʁ •੍ݶͷॻ͖ࠐΈv1ͷAPI͕ΘΕΔ •άϧʔϓIDɺී௨ʹऔಘͰ͖ΔΑ͏ʹͳΔ
֤ίϯςφϥϯλΠϜͰͷରԠঢ়گ •ߴϨϕϧϥϯλΠϜɺCgroup DriverͷઃఆมߋखॱΛܝࣔ͢Δɻ •ϨϕϧϥϯλΠϜͷରԠঢ়گΛࢀߟʹܝࡌ͢Δ
ߴϨϕϧϥϯλΠϜ •docker: •podman: σϑΥϧτͰsystemdɻ໌ࣔ: •containerd: ྫ: •FYI: ఆखॱ
ϨϕϧϥϯλΠϜ •runc, crun •Cgroup v2/systemd driverʹରԠࡁΈ •runsc (gVisor) •ରԠͷͨΊͷIssueཱ͍ͬͯΔ •ݱঢ়Τϥʔͷ༷
IUUQTHJUIVCDPNHPPHMFHWJTPSJTTVFT $ sudo podman run --runtime `which runsc` -dt -p 10184:80/tcp httpd:2.4 Error: OCI runtime error: systemd cgroup flag passed, but systemd cgroups not supported. See gvisor.dev/issue/193
·ͱΊ •֤छϥϯλΠϜ͢Ͱʹv2Ͱಈ͘ •cgroupidͷऔಘͳΒ͙͢ʹͰઃఆͯ͠Ͱ͖Δঢ়ଶ •cAdvisorͳͲରԠΛਐΊ͍ͯΔ •τϨʔεͪΖΜɺPSI͑Δ͠ rootless kubernetes ͷເ... Զ ͨͪͷݥ࢝·͔ͬͨΓͩ
IUUQTHJUIVCDPNHPPHMFDBEWJTPSQVMM
͓·͚: BPF CO-REόΠφϦ •eBPF ToolΛίϯςφ෦Ͱಈ͔͢ͷେม... •BPF CO-REͱ͍͏ٕज़ͰɺϓϨίϯύΠϧࡁΈͷBPFόΠφϦΛಈ͔ ͤΔɺΧʔωϧͷϔομϑΝΠϧclangίϚϯυʹґଘͤͣಈ࡞͢Δ •͔͠͠࠷৽ͷΧʔωϧʴ৽͍͠CONFIG͕ඞཁ...
πʔϧͷಈ࡞ڥྫ
ࢀߟ: ಈ࡞ڥ IUUQTHJTUHJUIVCDPNVE[VSBBFEDCDBEFG •ࠓݕূͨ͠ڥҎԼʹ·ͱΊ·ͨ͠ɻUbuntu 20.10ϕʔε