Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
コンテナの仕組みとエコシステム - Haconiwaを通じて眺めてみる /container-...
Search
KONDO Uchio
October 23, 2017
Technology
7
1.6k
コンテナの仕組みとエコシステム - Haconiwaを通じて眺めてみる /container-ecosystem-and-haconiwa
@日本OSS推進フォーラム主催 第9回アプリケーション部会勉強会
https://connpass.com/event/68096/
KONDO Uchio
October 23, 2017
Tweet
Share
More Decks by KONDO Uchio
See All by KONDO Uchio
大規模レガシーテストを 倒すための CI基盤の作り方 / #CICD2023
udzura
5
2.3k
Ruby x BPF in Action / RubyKaigi 2022
udzura
0
220
Narrative of Ruby & Rust
udzura
0
190
開発者生産性指標の可視化 / pepabo-four-keys
udzura
3
1.6k
Talk of RBS
udzura
0
410
Re: みなさん最近どうですか? / FGN tech meetup in 2021
udzura
0
740
Dockerとやわらかい仮想化 - ProSec-IT/SECKUN 2021 edition -
udzura
2
700
Device access filtering in cgroup v2
udzura
1
820
"Story of Rucy" on RubyKaigi takeout 2021
udzura
0
770
Other Decks in Technology
See All in Technology
Cracking the Coding Interview 6th Edition
gdplabs
14
28k
AI自体のOps 〜LLMアプリの運用、AWSサービスとOSSの使い分け〜
minorun365
PRO
9
750
【5分でわかる】セーフィー エンジニア向け会社紹介
safie_recruit
0
19k
20250304_赤煉瓦倉庫_DeepSeek_Deep_Dive
hiouchiy
2
110
LINE NEWSにおけるバックエンド開発
lycorptech_jp
PRO
0
330
サバイバルモード下でのエンジニアリングマネジメント
konifar
6
1.4k
ディスプレイ広告(Yahoo!広告・LINE広告)におけるバックエンド開発
lycorptech_jp
PRO
0
500
DeepSeekとは?何がいいの? - Databricksと学ぶDeepSeek! 〜これからのLLMに備えよ!〜
taka_aki
1
160
DevinでAI AWSエンジニア製造計画 序章 〜CDKを添えて〜/devin-load-to-aws-engineer
tomoki10
0
190
AWS Well-Architected Frameworkで学ぶAmazon ECSのセキュリティ対策
umekou
2
150
IAMのマニアックな話2025
nrinetcom
PRO
6
1.3k
Amazon Q Developerの無料利用枠を使い倒してHello worldを表示させよう!
nrinetcom
PRO
2
120
Featured
See All Featured
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
193
16k
Speed Design
sergeychernyshev
27
810
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
21
2.5k
Art, The Web, and Tiny UX
lynnandtonic
298
20k
Raft: Consensus for Rubyists
vanstee
137
6.8k
The Language of Interfaces
destraynor
156
24k
Large-scale JavaScript Application Architecture
addyosmani
511
110k
StorybookのUI Testing Handbookを読んだ
zakiyama
28
5.5k
Building Flexible Design Systems
yeseniaperezcruz
328
38k
YesSQL, Process and Tooling at Scale
rocio
172
14k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
40
2k
A Modern Web Designer's Workflow
chriscoyier
693
190k
Transcript
)BDPOJXBΛ௨ͯ͡ோΊͯΈΔ ۙ౻͏͓ͪ(.01FQBCP *OD ຊ044ਪਐϑΥʔϥϜओ࠵ୈճΞϓϦέʔγϣϯ෦ձษڧձ ίϯςφͷΈͱΤίγεςϜ
ΤϯδχΞ ۙ౻͏͓ͪ!VE[VSB (.0ϖύϘٕज़෦ٕज़ج൫νʔϜ IUUQIBDPOJXBNSVCZPSH
!VE[VSBུྺ &$αΠτɺιʔγϟϧήʔϜͷ։ൃͳͲΛܦͯɺ ΑΓ(.0ϖύϘٕज़ج൫νʔϜɺ ಉԬʹҠॅɻ͖ͳΧϨʔ5JLJɻ ஶॻʹʰύʔϑΣΫτ3VCZPO3BJMTʱ΄͔ɻ 3VCZ,BJHJʹࣗ࡞ίϯςφϥϯλΠϜ ʮ)BDPOJXBʯͷ͕࠾͞ΕΔɻ ΄͔ɺ3VCZίϯςφʹؔ͢Δ׆ಈଟɻ
Ԭ3VCZձٞ! IUUQSFHJPOBMSVCZLBJHJPSHGVLVPLB ҰൠνέοτDPNJOHTPPO
ϋογϡλά IBDPOJXBSC
ࠓͷΰʔϧ
ίϯςφͷҰาઌͷཧղΛ wʮͨͩ͏ʯ͚ͩͰͳ͍ɺίϯςφͷຊ࣭తͳͱ͜ΖΛ͔ͭΉɻ wίϯςφͷར༻γʔϯʹؔ͢Δ༷ʑͳϥϯλΠϜɺιϑτΣΞɺ ϛυϧΣΞɺن֨ͳͲΛཧ͢Δɻ w͔ͬ͠Γͱͨ͠جૅࣝΛ͚ͭͯɺʮΘΕΔʯͰͳ͘ʮ͏ʯͨ Ίʹίϯςφʹ৮ΕΒΕΔΑ͏ʹͳΓ·͠ΐ͏ʂ
ίϯςφͷҰาઌͷཧղΛ wʮͨͩ͏ʯ͚ͩͰͳ͍ɺίϯςφͷຊ࣭తͳͱ͜ΖΛ͔ͭΉɻ wίϯςφͷར༻γʔϯʹؔ͢Δ༷ʑͳϥϯλΠϜɺιϑτΣΞɺ ϛυϧΣΞɺن֨ͳͲΛཧ͢Δɻ w͔ͬ͠Γͱͨ͠جૅࣝΛ͚ͭͯɺʮΘΕΔʯͰͳ͘ʮ͏ʯͨ Ίʹίϯςφʹ৮ΕΒΕΔΑ͏ʹͳΓ·͠ΐ͏ʂ Ұॹʹษڧ͠·͠ΐ͏
)BDPOJXBͷհ
)BDPOJXB
)BDPOJXBͱɻ w-JOVYίϯςφϥϯλΠϜͷҰͭɻ w1BB4αʔϏεͰͷίϯςφར༻ͷܦݧΛͱʹ։ൃ͞Εͨ wಛ wNSVCZʹΑΓ։ൃ͞Ε͍ͯΔ w%4-ʹΑΓίϯςφͷઃఆ͕هड़Ͱ͖Δ w͞Βʹɺ༷ʑͳϑοΫΛϓϩάϥϛϯάͰ੍ޚՄೳͰ͋Δ
-JOVYίϯςφϥϯλΠϜͱʁ w0$*ʢޙड़ʣͷఆٛΛഈआ wʮઃఆΛಡΈࠐΈɺίϯςφϓϩηεΛ࡞͠ɺఀࢭɺআͳͲ༷ʑ ͳΞΫγϣϯΛߦ͏࣮ʯ w(MPTTBSZΑΓ wIUUQTHJUIVCDPNPQFODPOUBJOFSTSVOUJNFTQFDCMPC NBTUFSHMPTTBSZNESVOUJNF
l*USFBETUIFDPOpHVSBUJPOpMFTGSPNB CVOEMF VTFTUIBUJOGPSNBUJPOUPDSFBUF BDPOUBJOFS MBVODIFTBQSPDFTTJOTJEF UIFDPOUBJOFS BOEQFSGPSNTPUIFS MJGFDZDMFBDUJPOTz IUUQTHJUIVCDPNPQFODPOUBJOFSTSVOUJNFTQFD
NSVCZͱʁ wF.CFEEFE3VCZ w͍ΘΏΔΈࠐΈػث͚ͷ3VCZͱͯ͠։ൃ͞Εͨʮܰྔʯ3VCZ wͦͷ݁ՌɺόΠϯσΟϯά͕ඇৗʹॻ͖͘͢ɺϛυϧΣΞͳͲʹ ΈࠐΈ͕༰қͰ͋Δͱ͍͏ಛੑ͕͋Δɻ wݱࡏ"QBDIF)551%ɺ/HJOYͦͷଞͷʮ$POpHVSBUJPOBT$PEFʯ ͷ༻్ʹ·ΓΛݟ͍ͤͯΔ wDG-VB
FHOHY@NSVCZ wIUUQOHYNSVCZPSH w͜Ε͚ͩͷίʔυͰɺಈతͳϦόʔεϓϩΩγʹɻ
%4-ͱʁʁ w%4-%PNBJO4QFDJpD-BOHVBHFɺ͋ΔతʹಛԽͨ͠ݴޠ w)BDPOJXBͰɺ3VCZΛίϯςφ੍ޚͷͨΊͷ%4-ͱͯ͑͠Δɻ w%4-Λܦ༝ͯ͠ wίϯςφͷઃఆΛಈతʹܾఆ w༷ʑͳϑοΫʢϥΠϑαΠΫϧɺλΠϜΞτɺγάφϧϋϯυϥɺ ఆظ࣮ߦʣΛهड़
ίϯςφͷઃఆͷಈత੍ޚ wίϯςφͷߏཁૉͦͦಈతʹΈ߹Θ͕ͤՄೳͰ͋Δɻ ʢߏཁૉޙड़ʣͳͷͰɺίʔυͰܾఆͰ͖ΔͱศརͰ͋Δɻ Haconiwa.define do |c| #... client = Redis.new
"127.0.0.1", 6379, 2 data = JSON.parse(client.get(ENV[‘CONTAINER_ID’])) c.cgroup :v1 do |cg| cg[‘cpu.cfs_period_us’] = data[‘period’] cg[‘cpu.cfs_quota_us’] = data[‘quota’] end end ྫ͑ɺىಈ࣌ʹ3FEJT͔Β ίϯςφͷใΛͱ͖ͬͯͯ ಈతʹ$16ׂͷઃఆ͕Մೳ
ϑοΫͷϓϩάϥϛϯά wίϯςφىಈఀࢭϥΠϑαΠΫϧʹԠͨ͡ॲཧ w·ͨɺγάφϧϋϯυϥɺίϯςφ͕ىಈͨ͠Ұఆ࣌ؒޙʹಛఆͷॲ ཧΛΒͤΔʢλΠϜΞτʣɺఆظ࣮ߦ͢ΔॲཧΛهड़Մೳ Haconiwa.define do |c| #... c.add_handler :TTOU
do |b, _| cpu = ::Cgroup::CPU.new(b.name) cpu.cfs_quota_us = cpu.cfs_quota_us + 10000 cpu.modify end end 4*(5506Λ εʔύόΠβʔʹૹΔͱ $16ׂ࣌ؒΛ্͛Δ
ϑοΫʹΑΔ ίϯςφࣗମͷϥΠϑαΠΫϧ
ϥΠϑαΠΫϧͷ੍ޚ wίϯςφ͕ɺ͕ࣗੜ·Εɺͦͯ͠ऴྃ͢ΔαΠΫϧΛࣗͰ ੍ޚՄೳͳੈքΛߟ͑Δ w)BDPOJXBʹ͓͍ͯɺҰఆ͕࣌ؒܦաͨ͠Βࣗࣗʹ4*(5&3. ΛૹΔ͜ͱͰɺϥΠϑαΠΫϧͷ͋ΔίϯςφΛ࣮ݱͰ͖Δ c.add_async_hook min: 30 do |b|
# b.pid = ίϯςφͷPID=1 ::Process.kill :TERM, b.pid end Ͱ ࣗʹ4*(5&3.ΛૹΔ
'BTU$POUBJOFSΞʔΩςΫνϟ wϖύݚদຊࢯఏҊͷ'BTU$POUBJOFSΞʔΩςΫνϟ w'BTU$(*Λώϯτʹͨ͠ίϯςφཧετϥςδ wϓϩηεΛͭʹྨʢ*NNPSUBM.PSUBM4IPSU-JWFEʣ wʮϦΞΫςΟϒʹ্ཱ͕ͪΓɺҰఆظؒॲཧΛଓ͚Δʯ ίϯςφΛఆٛɾ࡞͢Δ wؔ࿈ൃද͝ࢀর ʮίϯςφ࣌ͷ8FCαʔϏεج൫Ϟσϧ'BTU$POUBJOFSͷݚڀൃදΛ͖ͯ͠·ͨ͠ʯ IUUQTSBOEQFQBCPDPNBSUJDMFJPUNBUTVNPUPSZ
ίϯςφϥϯλΠϜͷൺֱ
"1*ͷެ։ํ w%PDLFS ଞ0$*ʔεͷͷ ɺ-9%)551ϕʔεͰ͋Δ w-9$ɺ$ͷΠϯλϑΣʔε͕͋ΔʢMJCMYDʣɻ͔͜͠͠ͷϥΠϒϥϦ ࣗମίϯςφઃఆΛ͍͡ΔͨΊͷ"1*Λ࣋ͨͳ͍ɻ w)BDPOJXB3VCZͷΠϯλʔϑΣʔε͕͋ΓɺϓϩάϥϜͰ͖Δɻ ઃఆϑοΫ"1*Λ༻ҙ͓ͯ͠Γɺૢ࡞Մೳ wMJCIBDPOJXBతͳͷݕ౼͍ͯ͠Δஈ֊
ϑοΫͷ࣮ݱܗࣜ w%PDLFS ଞ0$*ʔεͷͷ ϥΠϑαΠΫϧ"1*ͷࢹͱ͍͏ܗͰ ࣮ݱ͢Δܗʹͳ͍ͬͯΔɻผ్ࢹˠϑοΫͷ࣮͕ඞཁɻ w-9$ઃఆʹϥΠϑαΠΫϧϑοΫ͕͋Δ wˠίϚϯυܗࣜͰɺҾͷࢦఆ w)BDPOJXB"1* %4-ͷ༷
ࣗମʹ֤छϑοΫ͕࣮͞Ε͓ͯΓɺ 3VCZͰ֤ॲཧΛهड़ՄೳɻઃఆϑοΫಉ͡ݴޠͰɻ IUUQTMJOVYDPOUBJOFSTPSHKBMYDNBOQBHFTNBOMYDDPOUBJOFSDPOGIUNMMC#$
ϑοΫͷछྨ w%PDLFSɺ-9$ʹϥΠϑαΠΫϧϑοΫͷΈͷαϙʔτ w)BDPOJXBϥΠϑαΠΫϧͷଞɺҎԼαϙʔτ wλΠϜΞτϑοΫ wఆظ࣮ߦϑοΫ wγάφϧϋϯυϥ wʢλΠϜΞτఆظ࣮ߦʹΑΓ'BTU$POUBJOFS͕࣮ݱ͍͢͠໘ʣ
Πϝʔδͱͷ࿈ܞ w%PDLFS%PDLFSIVC͔Βམͱ͔͢ɺ0$*ޓͷUBSΛར༻ w-9$ࣗͷΤίγεςϜʹMYDUFNQMBUFTΛ͍࣋ͬͯΔ wDG3BJMDBS ಠࣗͷNJDSPDPOUBJOFSTܗࣜɺπʔϧ PSBDMFTNJUI Λఏএ͍ͯ͠Δ w)BDPOJXB%4-ͰΠϝʔδ࡞αϙʔτ͢Δ wEFCPPUTUSBQMYDUBNQMBUFTͷྲྀ༻ɺHJUSFQPͷνΣοΫΞτɺ UBSͰݻΊͨSPPUGTͳͲʢ0$*ޓΠϝʔδͷαϙʔτೖΕ͍ͨʣ
·ͱΊɿද هड़ݴޠ ίϯςφઃఆ "1* ϑοΫ࣮ ϑοΫͷछྨ Πϝʔδઓུ %PDLFS SVOD (PMBOH
%PDLFSpMF ίϚϯυϥΠϯ )551"1* ϥΠϑαΠΫϧ ࢹ ϥΠϑλΠϜ %PDLFSIVC 0$*४ڌ -9$ $ JOJpMF MJCMYD ϑοΫઃఆ߲ ϥΠϑλΠϜ MYDUFNQMBUF -9% (PMBOH 1SPpMF )551"1* 3BJM$BS 3VTU 0$*४ڌ KTPO 0$*४ڌ KTPO ະαϙʔτ 0$*४ڌ NJDSPDPOUBJOFST )BDPOJXB NSVCZ $ 3VCZ%4- 3VCZ%4- 3VCZ%4- ϥΠϑλΠϜ λΠϜΞτଞछ MYDUFNQMBUF ྲྀ༻ଞ
)BDPOJXBͷࢦ͢ੈք
%PDLFS0$*ͳͲͷํੑ w͜͜·ͰͷൺֱͰɺ%PDLFSͳͲͱ)BDPOJXBͷҧ͍Λྻڍͨ͠ wݸਓతʹɺ%PDLFSͷࢦ͢ํʮ7.ͷ࠶ൃ໌ʯతʹࢥ͑Δ wϢʔβʔ͔ΒɺʮԾڥʯͷৄࡉӅ͞Ε͍ͯͯɺ ܾ·ͬͨ"1*Λܦ༝ͯ͠σϓϩΠɾΦʔέετϨʔγϣϯΛߦ͏ wDG,VCFSOFUFT#PSHʢ͜Εޙड़ʣ wͦ͏͍͏நԽࣗମɺҰͭͷํੑͰ͋Δ
$POUBJOFS&DPTZTUFNBT$PEF w)BDPOJXBͱɺͦͷपลͰࢦ͍ͨ͠ͱ͜Ζ wجຊతͳϦιʔεׂݖݶͳͲͷઃఆίʔυԽͰ͖Δ w·ͨɺଞͷϥϯλΠϜͱൺͯ๛ͳϑοΫΛ༻ҙ͠ɺίϯςφͷ ৼΔ͍ɾϥΠϑαΠΫϧΛίʔυԽͰ͖Δ w͔͜͜ΒɺίʔυԽͷൣғΛΊ͍͖͍ͯͨɻ ྫ͑ωοτϫʔΫɺϑΝΠϧγεςϜؔɺ04ͷηΩϡϦςΟɾ ࠪͷΈʢ-JOVYͷ-4.ʣͳͲίʔυԽͷൣғʹͰ͖ͳ͍͔ʁ
ίϯςφΤίγεςϜʹ ίʔυͰ౿ΈࠐΉೖΓޱʹͳΔ
͜ΕΒΛ౿·͑ͯ ίϯςφͷੈքΛπΞʔ͠·͠ΐ͏
վΊͯ ίϯςφͱԿ͔
ίϯςφొਓ͕ଟ͗͢Δ w-JOVYΧʔωϧࣗମɺγεςϜίʔϧ w֤छίϯςφϥϯλΠϜ wΦʔέετϨʔγϣϯπʔϧ܈ wΫϥυαʔϏεͦͷଞ wͳͲͳͲ wˠશମ؍Λࣔͭͭ͠ɺཧ͠·͢
ίϯςφొਓ͕ଟ͗͢Δ w-JOVYΧʔωϧࣗମɺγεςϜίʔϧ w֤छίϯςφϥϯλΠϜ wΦʔέετϨʔγϣϯπʔϧ܈ wΫϥυαʔϏεͦͷଞ wͳͲͳͲ wˠશମ؍Λࣔͭͭ͠ɺཧ͠·͢ ·ͣ ͜͜Λԡ͑͞Δ
ԾԽͱʁ wྫϋΠύʔόΠβܕʢωΠςΟϒϋΠύʔόΠβʣ wઐ༻ͷ04ɺ-JOVY,FSOFMࣗମΛϋΠύʔόΠβͱ͍ͯ͠ɺͦͷ ্Ͱ04ΛΒͤΔ wྫϗετ04ܕʢϗετϋΠύʔόΠβʣ w൚༻తͳ04ͷ্ʹɺ7JSUVBM#PYͷΑ͏ͳԾԽͷͨΊͷઐ༻ιϑτ ΣΞΛೖΕͯΒͤΔ wίϯςφܕˠ
ʮίϯςφԾԽʯ w͍ΘΏΔ,7.9FO7.XBSFW4QIFSF7JSUVBM#PYͷར༻ͱɺ wίϯςφʹΑΔʮԾԽʯɺҰઢΛը͍ͯ͠Δ wϋʔυΣΞΛԾԽ͢ΔΘ͚Ͱͳ͍ wΧʔωϧΛબΔΘ͚Ͱͳ͍ wͰɺͲ͏ͬͯಠཱͨ͠ڥΛ࡞͍ͬͯΔʁ
ίϯςφ ϓϩηεͰ͋Δ
ίϯςφ ʮʓʓʯ ͨ͠ϓϩηεͰ͋Δ
ϓϩηεΛ ίϯςφʹ͢Δ
04ϦιʔεΛϗετ͔Β͢Δ wϧʔτϑΝΠϧγεςϜʢSPPUGTʣͷಠཱԽ wDISPPU ͱ͍͏ίϚϯυΛ༻͍ͯɺ͋ΔαϒπϦʔʹ࡞ͬͨϑΝΠ ϧπϦʔʹೖΓࠐΉ͜ͱ͕Ͱ͖Δɻ wCJOENPVOUΛ༻͍ͯɺ ͦͷSPPUGTΛ͍͔ͭ͘ͷ֎෦ͷ σΟϨΫτϦͰߏஙՄೳ
wΑΓ݅ݫ͍͕͠ɺ҆શʹͳΔQJWPU@SPPU Λ͏͜ͱ͋Δ IUUQTXXXBRVJDLMPPLBUDPNMJOVYMJOVYEFWFMPQFSDISPPU
04ϦιʔεΛϗετ͔Β͢Δ w-JOVYOBNFTQBDF wϗετͱಠཱͨ͠04ͱͯ͠ͷϦιʔεΛ࣋ͨͤΔ͜ͱ͕Ͱ͖Δɻ ྫ͑ɿ wϗετ໊ w*1$ͷϦιʔε wωοτϫʔΫ IUUQTTQFBLFSEFDLDPNVE[VSBDSFBUJOHDPOUBJOFSTXJUIHPMBOH
ྫωοτϫʔΫ໊લۭؒ FUI EPDLFS WFUIIPTU WFUIHVFTU WFUIIPTU WFUIHVFTU WFUIIPTU WFUIHVFTU FH
FH ඞཁʹԠ͡/"5ͳͲ /FUXPSL/BNFTQBDFʹΑΓɺ ίϯςφϓϩηε͕ϗετͱผͷ/*$*1ΛೝࣝͰ͖Δ ͻͱͭͷ)PTU CSJEHF
04ϦιʔεΛ੍ݶ͢Δ wDHSPVQ $POUSPM(SPVQ wϓϩηεʢεϨουΛؚΉ߹͋ΔʣΛάϧʔϐϯάͯ͠ɺͦͷ୯ ҐͰϦιʔεͷར༻ঢ়گͳͲΛ੍ݶɺ͋Δ͍౷ܭใΛऔಘͰ͖Δ wDGVMJNJU SMJNJUϓϩηεʢࢠؚΉʣ୯Ґ w੍ݶͰ͖Δͷ$16ɺϝϞϦɺ*0ɺϓϩηεͳͲ
ίϯςφͷϓϩηεΛ੍ݶ͢Δྫ w·ͨGPSLCPNCରࡦ wEPDLFSͳΒ--pids-limitͰར༻ग़དྷΔ
ݖݶΛ੍ݶ͠ɺηΩϡΞʹ͢Δ w-JOVYΧʔωϧʹ͍͔ͭ͘ɺͦ͏͍͏Έ͕ଘࡏ͠ɺͦΕΒ͕ Έ߹Θ͍ͬͯ͞Δɻ wSPPUͷݖݶΛׂ͠ɺҰ෦ͷΈΛ͢ʢ-JOVYDBQBCJMJUZʣ wγεςϜίʔϧͷݺͼग़͠ΛϑΟϧλʔ͢ΔʢTFDDPNQʣ wڧ੍ΞΫηε੍ޚʢ."$FH4&-JOVYɺ"QQ"SNPSʣ
':*εΠενʔζϞσϧ wҰͭҰͭʹ͕ۭ͍͍݀ͯͨͱͯ͠ɺ ͨ͘͞ΜॏͶΔ͜ͱͰɺશͯͷ݀Λൈ͚Δ͜ͱ ඇৗʹ͘͠ͳΔɻ *NBHF$$IUUQTQJYBCBZDPNQ
ʮʓʓʯͨ͠ϓϩηε wίϯςφͷਖ਼ମɺ-JOVYΧʔωϧͷ༷ʑͳػೳΛ༻͍ͯɺ w04Ϧιʔεͷ w04Ϧιʔεͷར༻੍ݶ wݖݶͷߜΓࠐΈ wΛߦ͍ɺϗετͱಠཱ҆͠શͳঢ়ଶʹͨ͠ϓϩηεͰ͋Δͱݴ͑Δ
࣮ࡍʹͲ͏ͳ͍ͬͯΔ͔ ͍ͯΈ·͠ΐ͏
%PDLFS IUUQTXXXqJDLSDPNQIPUPT!/$$CZTB
%PDLFSͰίϯςφΛ࡞Ζ͏ w൚༻తͳ-JOVYʢࠓճ6CVOUV[FTUZʣͰ w%PDLFSΛೖΕɺίϯςφΛ࡞ͬͯΈΔ
ϓϩηε͕ग़དྷ্͕Δ wEPDLFSE aDPOUBJOFSE aSVOD
ϓϩηεͷؾ࣋ͪʹͳΔʹ wQSPDϑΝΠϧγεςϜ w͍ͯΈͨ͜ͱ͋Γ·͔͢ʁ
/BNFTQBDFΛ͍ͯΈΔ wQSPD1*%OTσΟϨΫτϦ wͦ͜ʹɺ/4Λදݱ͢ΔϑΝΠϧͷγϯϘϦοΫϦϯΫ͕͋Δɻ w௨ৗͷϓϩηεͱ͍ࠩͯ͠Δͷ͕ҧ͏ͱΘ͔Δ %FGBVMU/BNFTQBDF $POUBJOFS/BNFTQBDF
ॴଐ͢ΔDHSPVQΛ͍ͯΈΔ wQSPD1*%DHSPVQʹ͋ΔʢWͷ߹ʣɻ wରԠ͢ΔDHSPVQΛૢ࡞͢Δ͜ͱͰ͖ͨΓɻ
ݖݶ͕ߜΒΕ͍ͯΔͷΛ͍ͯΈΔ wQSPD1*%TUBUVT w$BQ ͱ͍͏ߦ͕ɺී௨ͷSPPUͱҧ͏ͱ֬ೝͰ͖Δ w͜ͷͦΕͧΕͷϏοτ͕ɺҰͭҰͭ$BQBCJMJUZʹରԠ %FGBVMUSPPU $POUBJOFSSPPU
ίϯςφͷػೳΛ୯ମͰ͏͜ͱͰ͖Δ wVOTIBSF ίϚϯυͷྫ w1*%/BNFTQBDFɺ.PVOU/BNFTQBDFɺ654/BNFTQBDFΛ ͨ͠৽͍͠γΣϧ্ཱ͕͕ͪΔɻ࣮ࡍɺQSPDͳͲΛϚϯτ͠ ͢ͱɺ1*%͕͔Βʹ wϗετ໊ಠཱ $ unshare
--fork --pid --mount --uts
ίϯςφͷػೳΛ୯ମͰ͏͜ͱͰ͖Δ wDBQTI ίϚϯυͷྫ w্ཱͪ͛ͨγΣϧͰɺSPPUͰ͋Δ͕ϗετͷ࣌ؒͷૢ࡞ʹࣦഊ ͢ΔɻʮݖݶΛ੍ݶ͞ΕͨSPPUʯͱͳΔ $ sudo capsh --drop==cap_sys_time
-- -l
͜ͷষͷ·ͱΊ wίϯςφɺʮϗετ͔ΒϦιʔεΛɾ੍ݶ͠ɺݖݶΛߜͬͯ҆ શʹʯͨ͠ϓϩηεͰ͋Δɻ wͲͷΑ͏ͳ࣮ʢ%PDLFSɺ-9$ɺͦͷଞʣͰڞ௨ͯ͠ɺͦͷΑ͏ ͳϓϩηεΛ࡞ͬͯίϯςφͱ͍ͯ͠Δɻ
ίϯςφք۾ͷۙگ
ίϯςφొਓ͕ଟ͗͢Δ w-JOVYΧʔωϧࣗମɺγεςϜίʔϧ w֤छίϯςφϥϯλΠϜ wΦʔέετϨʔγϣϯπʔϧ܈ wΫϥυαʔϏεͦͷଞ wͳͲͳͲ wˠશମ؍Λࣔͭͭ͠ɺཧ͠·͢
ίϯςφొਓ͕ଟ͗͢Δ w-JOVYΧʔωϧࣗମɺγεςϜίʔϧ w֤छίϯςφϥϯλΠϜ wΦʔέετϨʔγϣϯπʔϧ܈ wΫϥυαʔϏεͦͷଞ wͳͲͳͲ wˠશମ؍Λࣔͭͭ͠ɺཧ͠·͢ ͜ͷষ͜͜
֤छίϯςφϥϯλΠϜͷొ wίϯςφͷ࣮࣮ͦΜͳʹ͘͠ͳ͍ w؆୯ʹྨ͢Δͱ w6/*9తπʔϧʢDISPPUJQOFUOTʣɺ-9$ w%PDLFSϓϩδΣΫτͱ͔ͦ͜Βग़͖ͯͨ.PCZ wSLU$3*0ͳͲͷ։ൃɺͦΕʹ͙࣍3BJM$BS wࣗͷͨΊͷίϯςφʢKBJMJOHɺESPPUଞʣ
֤छίϯςφϥϯλΠϜͷొ wίϯςφͷ࣮࣮ͦΜͳʹ͘͠ͳ͍ w؆୯ʹྨ͢Δͱ w6/*9తπʔϧʢDISPPUJQOFUOTʣɺ-9$ w%PDLFSϓϩδΣΫτͱ͔ͦ͜Βग़͖ͯͨ.PCZ wSLU$3*0ͳͲͷ։ൃɺͦΕʹ͙࣍3BJM$BS wࣗͷͨΊͷίϯςφʢKBJMJOHɺESPPUଞʣ 0QFO$POUBJOFS*OJUJBUJWF ४ڌͷίϯςφͨͪ ʢ·ͨͦΕΛࢦ͢ͷʣ
ίϯςφͷඪ४Խ
ίϯςφͷඪ४Խ w0QFO$POUBJOFS*OJUJBUJWF IUUQTXXXPQFODPOUBJOFSTPSHɹ
0QFO$POUBJOFS*OJUJBUJWF wίϯςφͷඪ४༷Λࡦఆ͢ΔͨΊͷஂମ wϝϯόʔ$PSF04ɺ%PDLFSɺ3FE)BUɺ.JDSPTPGUɺ(PPHMF w%PDLFSͷ͍༷͕࣋ͬͯͨ͜ͷஂମʹدଃ͞ΕɺͦΕΛͱʹ ݄ʹ0$*W͕ࡦఆ͞Εͨ wྫ͑ɺίϯςφ͕ຬ͖ͨ͢γεςϜతཁ݅ɺઃఆͰ͖Δ͖߲ɺ αϙʔτ͢ΔϥΠϑαΠΫϧɺΠϝʔδͷϑΥʔϚοτͳͲΛఆٛ IUUQTHJUIVCDPNPQFODPOUBJOFSTSVOUJNFTQFD
0$*ͷنΛຬͨ͢ͱ wྫ͑ɺEPDLFSίϚϯυΛܦ༝ͯͦ͠ͷϥϯλΠϜΛ্ཱͪ͛ΒΕΔ wEPDLFS͔ΒσϑΥϧτͰ্ཱ͕ͪΔSVODɺ0$*४ڌͷίϯςφͷ Ұͭʹա͗ͳ͍ͱݟ၏͢͜ͱ͕Ͱ͖Δɻ w3BJMDBSͷྫ $ dockerd ...--add-runtime "railcar=/path/to/railcar" $
docker run -it --rm --runtime railcar hello
ΦʔέετϨʔγϣϯπʔϧͷོ w,VCFSOFUFTͱ/PNBE͕දతɻ,VCFSOFUFT͕ͱʹ͔͘ڧ͍ɻ ଞʹɺ%PDLFS$PNQPTF4XBSNͳͲؚ·ΕΔ͔͠Εͳ͍ɻ w,VCFSOFUFTͱ/PNBEɺ(PPHMFࣾͷࣾج൫ʮ#PSHʯΛϕʔεʹ ։ൃ͞Ε͍ͯΔɻ
DG*OGSBTUSVDUVSFBT$PEF w%ZOBNJD*OGSBTUSBDUVSF ͷίʔυԽͷ Ԇઢ্ʹɺίϯςφΠϯϑϥͷ ίʔυԽ͕͋Δ͔͠Εͳ͍ɻ IUUQNJ[[ZPSHCMPH
#PSHQBQFS wಛɺૂ͍ͳͲ w ϦιʔεϚωδϝϯτΤϥʔॲཧΛϢʔβ͔ΒӅ͢ w ඇৗʹߴ͍৴པՄ༻ੑఏڙ͢Δ w ສͷϚγϯΛޮΑ͍͘δϣϒΛ࣮ߦ͢Δ w43&ຊʹɺ#PSH#PSHNPOͷ͕ग़͍ͯΔͦ͏ w1BYPTͷΘΓʹ3BGU
FUDE ɺ#PSHMFUͱ1PEͳͲɺӨڹ͕ਵॴʹ IUUQTTUBUJDHPPHMFVTFSDPOUFOUDPNNFEJBSFTFBSDIHPPHMFDPNKBQVCTBSDIJWFQEG
l,VCFSOFUFTUSBDFTJUTMJOFBHFEJSFDUMZ GSPN#PSHz IUUQCMPHLVCFSOFUFTJPCPSHQSFEFDFTTPSUP LVCFSOFUFTIUNM
ίϯςφΞʔΩςΫνϟͷ ϨΠϠԽ
ίϯςφΞʔΩςΫνϟͷϨΠϠԽ w֤ॴͰఏҊ͕ࢼ͞Ε͍ͯΔɻFH.PCZ1SPKFDU wίϯϙωϯτΛϥϯλΠϜɺΦʔέετϨʔγϣϯͳͲϨΠϠԽ͠ɺ Έ߹Θ͍ͤͨ IUUQTNPCZQSPKFDUPSH
ྫϖύݚͷఏҊϞσϧ wετϥςδͷಋೖ w'BTU$POUBJOFSɺ 3BODIFSͳͲͷҐஔ͚ IUUQTSBOEQFQBCPDPNBSUJDMFJPUNBUTVNPUPSZ
ಉ࢜ͷ༷ͷఆٛͷҰྫ w,VCFSOFUFTͷ$3*ͷྫ wEach container runtime has it own strengths wKubelet
communicates with the container runtime... over Unix sockets using the gRPC framework w$3*ʹԊ࣮ͬͯ͢Εɺྫ͑,VCFSOFUFTͷ্Ͱ)BDPOJXBΛಈ͔ ͢͜ͱͰ͖ΔͰ͋Ζ͏ɻ IUUQCMPHLVCFSOFUFTJPDPOUBJOFSSVOUJNFJOUFSGBDFDSJJOLVCFSOFUFTIUNM
͜ΕΒΛ౿·͑ͯ վΊͯ
ࠞಱͱ͢Δίϯςφؔ࿈ιϑτΣΞଞ EPDLFS SVOD DSJP MYD MYE SBJMDBS IBDPOJXB LVCFSOFUFT OPNBE
VOTIBSF SLU TXBSN (,& .BHOVN DISPPU &$4 "$* SLUMFU SBODIFS NPCZ
ͷ͏ͪɺʮϥϯλΠϜʯͷօ͞Μ EPDLFS SVOD DSJP MYD MYE SBJMDBS IBDPOJXB LVCFSOFUFT OPNBE
VOTIBSF SLU TXBSN (,& .BHOVN DISPPU &$4 "$* SLUMFU SBODIFS NPCZ
ϥϯλΠϜʹ ྨ͕ඞཁ
վΊͯEPDLFSEͷϓϩηεπϦʔͷྫ /usr/bin/dockerd --debug -l debug -H fd:// --... \_ docker-containerd
-l unix:///var/run/docker/... \_ docker-containerd-shim 95b86b... docker-runc \_ /bin/bash
/usr/bin/dockerd --debug -l debug -H fd:// --... \_ docker-containerd -l
unix:///var/run/docker/... \_ docker-containerd-shim 95b86b... docker-runc \_ /bin/bash େ·͔ͳׂ୲ EPDLFSEIUUQϦΫΤετΛड͚औΔ
/usr/bin/dockerd --debug -l debug -H fd:// --... \_ docker-containerd -l
unix:///var/run/docker/... \_ docker-containerd-shim 95b86b... docker-runc \_ /bin/bash େ·͔ͳׂ୲ EPDLFSEIUUQϦΫΤετΛड͚औΔ DPOUBJOFSEEPDLFSE͔ΒͷϦΫΤετΛड͚औΓ ίϯςφڥΛηοτΞοϓͯ͠DPOUBJOFSETIJNʹ͢
/usr/bin/dockerd --debug -l debug -H fd:// --... \_ docker-containerd -l
unix:///var/run/docker/... \_ docker-containerd-shim 95b86b... docker-runc \_ /bin/bash େ·͔ͳׂ୲ EPDLFSEIUUQϦΫΤετΛड͚औΔ DPOUBJOFSEEPDLFSE͔ΒͷϦΫΤετΛड͚औΓ ίϯςφڥΛηοτΞοϓͯ͠DPOUBJOFSETIJNʹ͢ DPOUBJOFSETIJNܾ·ͬͨϓϩτίϧͰSVODଞϥϯλΠϜΛىಈ͢Δ
/usr/bin/dockerd --debug -l debug -H fd:// --... \_ docker-containerd -l
unix:///var/run/docker/... \_ docker-containerd-shim 95b86b... docker-runc \_ /bin/bash େ·͔ͳׂ୲ EPDLFSEIUUQϦΫΤετΛड͚औΔ DPOUBJOFSEEPDLFSE͔ΒͷϦΫΤετΛड͚औΓ ίϯςφڥΛηοτΞοϓͯ͠DPOUBJOFSETIJNʹ͢ DPOUBJOFSETIJNܾ·ͬͨϓϩτίϧͰSVODଞϥϯλΠϜΛىಈ͢Δ ίϯςφԽͨ͠ϓϩηεࣗମ
͜͏͍͏࣮Λ౿·͚͑ͯͯΈͨ EPDLFSE DPOUBJOFSE NPCZ DPOUBJOFSE DSJP SLUMFU SVOD SLU SBJMDBS
MYE MYD IBDPOJXB
͜͏͍͏࣮Λ౿·͚͑ͯͯΈͨ %PDLFS"1*ɺ$3*ͳͲΛ ड͚औͬͯίϯςφͷͨΊͷ४උͱ ىಈϓϩηεΛ୲͢Δ EPDLFSE DPOUBJOFSE NPCZ DPOUBJOFSE DSJP SLUMFU
SVOD SLU SBJMDBS MYE MYD IBDPOJXB ࣮ࡍʹɺΧʔωϧͷ γεςϜίʔϧΛݺͿͳͲͯ͠ ίϯςφϓϩηεΛ࡞͢Δ
͜͏͍͏࣮Λ౿·͚͑ͯͯΈͨ %PDLFS"1*ɺ$3*ͳͲΛ ड͚औͬͯίϯςφͷͨΊͷ४උͱ ىಈϓϩηεΛ୲͢Δ $PNNVOJDBUPS Ծ -PDBUFS Ծ EPDLFSE DPOUBJOFSE
NPCZ DPOUBJOFSE DSJP SLUMFU SVOD SLU SBJMDBS MYE MYD IBDPOJXB ࣮ࡍʹɺΧʔωϧͷ γεςϜίʔϧΛݺͿͳͲͯ͠ ίϯςφϓϩηεΛ࡞͢Δ
͜ͷষͷ·ͱΊ wίϯςφʹؔ͢Δಈ͖ɺίϯςφࣗͷ࣮ͷ༰Χʔωϧత ͱͱʹɺೋͭͷΛԡ͑͞Δͱྑ͍ͩΖ͏ɻ w ίϯςφʹඪ४Խͷಈ͖͕͋Γɺඪ४ʹԊͬͯతͷͨΊͷί ϯςφΛ࡞͍ͬͯ͘ಈ͖͕Մೳʹͳ͍ͬͯ͘ w ίϯςφͷΤίγεςϜɺͦΕͧΕͷίϯϙωϯτ͕ϨΠϠԽ͞ Ε࣮͕ͯू͞Ε͍ͯ͘Ͱ͋Ζ͏ɻϨΠϠࣗମɺ,VCFSOFUFTͷ $3*ͷΑ͏ͳɺϨΠϠಉ࢜ͷΠϯλʔϑΣʔεඋ͞ΕΔɻͣ
)BDPOJXBͷࠓޙ
ຊ෦ձɺιϑτ։ൃεΩϧ͕اۀʹด͡ɺۀքશମͷεΩ ϧ্ʹͳ͓ͬͯΒͣɺ͔ͭɺຊൃͷάϩʔόϧڝۀྗͷ͋ Διϑτ͕গͳ͍ݱঢ়Λةዧ͠ɺຊͷಛΛ׆͔ͨ͠044Ξ ϓϦέʔγϣϯΛ։ൃ͠ɺར༻ऀͷཱͰϏδωεϞσϧΛఏ Ҋͯ͠ɺ044ͷීٴɺ͓Αͼɺιϑτ։ൃऀͷεΩϧ্ͷ ߩݙΛࢦ͢ͷͰ͋Δ ΞϓϦέʔγϣϯ෦ձʮతͱഎܠʯΑΓ
ϏζχεϞσΡ
ϩϦϙοϓʂ ϚωʔδυΫϥυ
)BDPOJXBΛόοΫΤϯυʹ࠾༻ wͱͱʮ1BB4ϗεςΟϯάΛͬͱ͍͍ײ͡ʹ͍ͨ͠ʯͱ͍͏ Ϟνϕʔγϣϯ͔Β࢝·ͬͨ044Ͱ͋Δ͜ͱͱগͭ͠ͳ͕Δ w'BTU$POUBJOFSʴ)BDPOJXBͰɺΓ͍ͨ8FCαʔϏεΛ࡞Δ IUUQTQFQBCPDPNOFXTQSFTT
भେֶͱͷڞಉݚڀ
Ϋϥυେن࣮ݧͷج൫ͱͯ͠ wlίϯςφܕԾԽٕज़Λج൫ʹ༻͍ͨΫϥυϗεςΟϯάʹؔ͢ Δڞಉݚڀ։ൃΛ։࢝z wͪΖΜɺ͜ͷlίϯςφܕԾԽٕज़zͷॏཁͳҰ͕)BDPOJXB Ͱ͋Δʂʂʂ̍ʢઌड़ͷϚωʔδυΫϥυͷԠ༻ͳͷͰʣ wৄࡉϓϨεϦϦʔε Ͱɻࠓޙ͍͖ͬͯ·͢ IUUQTQFQBCPDPNOFXTQSFTT IUUQTXXXLZVTIVVBDKQG@@QEG
)BDPOJXBͷ ࢦ͢ੈք
࠶ܝ%PDLFS0$*ͳͲͷํੑ w͜͜·ͰͷൺֱͰɺ%PDLFSͳͲͱ)BDPOJXBͷҧ͍Λྻڍͨ͠ wݸਓతʹɺ%PDLFSͷࢦ͢ํʮ7.ͷ࠶ൃ໌ʯతʹࢥ͑Δ wϢʔβʔ͔ΒɺʮԾڥʯͷৄࡉӅ͞Ε͍ͯͯɺ ܾ·ͬͨ"1*Λܦ༝ͯ͠σϓϩΠɾΦʔέετϨʔγϣϯΛߦ͏ wDG,VCFSOFUFT#PSHʢ͜Εޙड़ʣ wͦ͏͍͏நԽࣗମɺҰͭͷํੑͰ͋Δ ΤίγεςϜͷಈ͖ɺ ͜͜Λิڧ͍ͯ͠Δͱ ཧղ͢ΔͱΘ͔Γ͍ͣ͢
࠶ܝ$POUBJOFS&DPTZTUFNBT$PEF w)BDPOJXBͱɺͦͷपลͰࢦ͍ͨ͠ͱ͜Ζ wجຊతͳϦιʔεׂݖݶͳͲͷઃఆίʔυԽͰ͖Δ w·ͨɺଞͷϥϯλΠϜͱൺͯ๛ͳϑοΫΛ༻ҙ͠ɺίϯςφͷ ৼΔ͍ɾϥΠϑαΠΫϧΛίʔυԽͰ͖Δ w͔͜͜ΒɺίʔυԽͷൣғΛΊ͍͖͍ͯͨɻ ྫ͑ωοτϫʔΫɺ04ͷηΩϡϦςΟɾࠪͷΈʢ-JOVY ͷ-4.ʣͳͲίʔυԽͷൣғʹͰ͖ͳ͍͔ʁ
ࠓίʔυԽ͍ͯ͠Δͱ͜Ζ Χʔωϧࣗମ Χʔωϧ֦ுͳͲ γεςϜίʔϧ /BNFTQBDF DHSPVQ $BQBCJMJUZ DISPPU TFDDPNQ
)PPLT /FUXPSLؔ࿈ઃఆ ΦʔέετϨʔγϣϯͱͷ࿈ܞ )BDPOJXB %4-
͜Ε͔Β Χʔωϧࣗମ Χʔωϧ֦ுͳͲ γεςϜίʔϧ /BNFTQBDF DHSPVQ $BQBCJMJUZ DISPPU TFDDPNQ
)PPLT /FUXPSLؔ࿈ઃఆ ΦʔέετϨʔγϣϯͱͷ࿈ܞ ίʔυԽͰ͖Δ ൣғΛ૿͢ ίϯςφϋοΫ ͷͨΊͷ ೖΓޱʹ
͍͖͍ͬͯͨ w҆ఆԽʂʢಛʹɺUISFBEपΓʣ wωοτϫʔΫपΓͷ%4-ͷ࣮ w0$*ͷରԠʢίϚϯυϓϩτίϧɺΠϝʔδαϙʔτଞʣ w)551"1*ϨΠϠ$PNNVOJDBUPSͷಋೖ w)BDPOJXBपลͷ-JOVY֦ுͷ࣮ʢQSPDGTతͳ)BDPOJXBGTͱ͔ɺ )BDPOJXBʹ౷߹͞Εͨ-4.Έ͍ͨͳͷΛ૾தʣ
ऴΘΓʹ
ϑΫΦΧ3VCZେͰޠͬͨ͜ͱ wंྠͷ࠶ൃ໌ΛڪΕ͗͢ͳ͍͜ͱ
ࣗͷதʹ นΛ࡞Βͳ͍ Ұาઌʹ౿ΈࠐΉ
ຊͷ͜ͱΛ Γ͚ͨΕ खΛಈ͔͔͢͠ͳ͍ʂ
13 9
ίϯςφϨΠϠͷࣄ ԬͰͷࠊΛਾٕ͑ͨज़త ͝ڵຯ͕͋Ε ͬͦ͜Γ͝૬ஊʹΓ·͢