コンテナの仕組みとエコシステム - Haconiwaを通じて眺めてみる /container-ecosystem-and-haconiwa

)BDPOJXBΛ௨ͯ͡ோΊͯΈΔ ۙ౻͏͓ͪ(.01FQBCP *OD ೔ຊ044ਪਐϑΥʔϥϜओ࠵ୈճΞϓϦέʔγϣϯ෦ձษڧձ ίϯςφͷ࢓૊ΈͱΤίγεςϜ

ΤϯδχΞ ۙ౻͏͓ͪ!VE[VSB (.0ϖύϘٕज़෦ٕज़ج൫νʔϜ IUUQIBDPOJXBNSVCZPSH

!VE[VSBུྺ &$αΠτɺιʔγϟϧήʔϜͷ։ൃͳͲΛܦͯɺ  ೥ΑΓ(.0ϖύϘٕज़ج൫νʔϜɺ  ಉ೥෱ԬʹҠॅɻ޷͖ͳΧϨʔ͸5JLJɻ ஶॻʹʰύʔϑΣΫτ3VCZPO3BJMTʱ΄͔ɻ 3VCZ,BJHJʹࣗ࡞ίϯςφϥϯλΠϜ  ʮ)BDPOJXBʯͷ࿩͕࠾୒͞ΕΔɻ ΄͔ɺ3VCZ΍ίϯςφʹؔ͢Δ׆ಈଟ਺ɻ

෱Ԭ3VCZձٞ! IUUQSFHJPOBMSVCZLBJHJPSHGVLVPLB ҰൠνέοτDPNJOHTPPO

ϋογϡλά IBDPOJXBSC

ࠓ೔ͷΰʔϧ

ίϯςφͷҰาઌͷཧղΛ wʮͨͩ࢖͏ʯ͚ͩͰ͸ͳ͍ɺίϯςφͷຊ࣭తͳͱ͜ΖΛ͔ͭΉɻ wίϯςφͷར༻γʔϯʹؔ͢Δ༷ʑͳϥϯλΠϜɺιϑτ΢ΣΞɺ  ϛυϧ΢ΣΞɺن֨ͳͲΛ੔ཧ͢Δɻ w͔ͬ͠Γͱͨ͠جૅ஌ࣝΛ͚ͭͯɺʮ࢖ΘΕΔʯͰ͸ͳ͘ʮ࢖͏ʯͨ Ίʹίϯςφʹ৮ΕΒΕΔΑ͏ʹͳΓ·͠ΐ͏ʂ

ίϯςφͷҰาઌͷཧղΛ wʮͨͩ࢖͏ʯ͚ͩͰ͸ͳ͍ɺίϯςφͷຊ࣭తͳͱ͜ΖΛ͔ͭΉɻ wίϯςφͷར༻γʔϯʹؔ͢Δ༷ʑͳϥϯλΠϜɺιϑτ΢ΣΞɺ  ϛυϧ΢ΣΞɺن֨ͳͲΛ੔ཧ͢Δɻ w͔ͬ͠Γͱͨ͠جૅ஌ࣝΛ͚ͭͯɺʮ࢖ΘΕΔʯͰ͸ͳ͘ʮ࢖͏ʯͨ Ίʹίϯςφʹ৮ΕΒΕΔΑ͏ʹͳΓ·͠ΐ͏ʂ Ұॹʹษڧ͠·͠ΐ͏

)BDPOJXBͷ঺հ

)BDPOJXB

)BDPOJXBͱ͸ɻ w-JOVYίϯςφϥϯλΠϜͷҰͭɻ w1BB4αʔϏεͰͷίϯςφར༻ͷܦݧΛ΋ͱʹ։ൃ͞Εͨ wಛ௃ wNSVCZʹΑΓ։ൃ͞Ε͍ͯΔ w%4-ʹΑΓίϯςφͷઃఆ͕هड़Ͱ͖Δ w͞Βʹɺ༷ʑͳϑοΫΛϓϩάϥϛϯάͰ੍ޚՄೳͰ͋Δ

-JOVYίϯςφϥϯλΠϜͱ͸ʁ w0$*ʢޙड़ʣͷఆٛΛഈआ wʮઃఆΛಡΈࠐΈɺίϯςφϓϩηεΛ࡞੒͠ɺఀࢭɺ࡟আͳͲ༷ʑ ͳΞΫγϣϯΛߦ͏࣮૷ʯ w(MPTTBSZΑΓ wIUUQTHJUIVCDPNPQFODPOUBJOFSTSVOUJNFTQFDCMPC NBTUFSHMPTTBSZNESVOUJNF

l*USFBETUIFDPOpHVSBUJPOpMFTGSPNB CVOEMF VTFTUIBUJOGPSNBUJPOUPDSFBUF BDPOUBJOFS MBVODIFTBQSPDFTTJOTJEF UIFDPOUBJOFS BOEQFSGPSNTPUIFS MJGFDZDMFBDUJPOTz IUUQTHJUIVCDPNPQFODPOUBJOFSTSVOUJNFTQFD

NSVCZͱ͸ʁ wF.CFEEFE3VCZ w͍ΘΏΔ૊ΈࠐΈػث޲͚ͷ3VCZͱͯ͠։ൃ͞Εͨʮܰྔʯ3VCZ wͦͷ݁ՌɺόΠϯσΟϯά͕ඇৗʹॻ͖΍͘͢ɺϛυϧ΢ΣΞͳͲʹ ΋૊ΈࠐΈ͕༰қͰ͋Δͱ͍͏ಛੑ͕͋Δɻ wݱࡏ"QBDIF)551%ɺ/HJOYͦͷଞͷʮ$POpHVSBUJPOBT$PEFʯ ͷ༻్ʹ΋޿·ΓΛݟ͍ͤͯΔ wDG-VB

FHOHY@NSVCZ wIUUQOHYNSVCZPSH w͜Ε͚ͩͷίʔυͰɺಈతͳϦόʔεϓϩΩγʹɻ

%4-ͱ͸ʁʁ w%4-%PNBJO4QFDJpD-BOHVBHFɺ͋Δ໨తʹಛԽͨ͠ݴޠ w)BDPOJXBͰ͸ɺ3VCZΛίϯςφ੍ޚͷͨΊͷ%4-ͱͯ͠࢖͑Δɻ w%4-Λܦ༝ͯ͠ wίϯςφͷઃఆΛಈతʹܾఆ w༷ʑͳϑοΫʢϥΠϑαΠΫϧɺλΠϜΞ΢τɺγάφϧϋϯυϥɺ ఆظ࣮ߦʣΛهड़

ίϯςφͷઃఆͷಈత੍ޚ wίϯςφͷߏ੒ཁૉ͸ͦ΋ͦ΋ಈతʹ૊Έ߹Θ͕ͤՄೳͰ͋Δɻ  ʢߏ੒ཁૉ͸ޙड़ʣͳͷͰɺίʔυͰܾఆͰ͖ΔͱศརͰ͋Δɻ Haconiwa.define do |c| #... client = Redis.new
"127.0.0.1", 6379, 2 data = JSON.parse(client.get(ENV[‘CONTAINER_ID’])) c.cgroup :v1 do |cg| cg[‘cpu.cfs_period_us’] = data[‘period’] cg[‘cpu.cfs_quota_us’] = data[‘quota’] end end ྫ͑͹ɺىಈ࣌ʹ3FEJT͔Β ίϯςφͷ৘ใΛͱ͖ͬͯͯ ಈతʹ$16ׂ౰ͷઃఆ͕Մೳ

ϑοΫͷϓϩάϥϛϯά wίϯςφىಈఀࢭ౳ϥΠϑαΠΫϧʹԠͨ͡ॲཧ w·ͨɺγάφϧϋϯυϥɺίϯςφ͕ىಈͨ͠Ұఆ࣌ؒޙʹಛఆͷॲ ཧΛ૸ΒͤΔʢλΠϜΞ΢τʣɺఆظ࣮ߦ͢ΔॲཧΛهड़Մೳ Haconiwa.define do |c| #... c.add_handler :TTOU
do |b, _| cpu = ::Cgroup::CPU.new(b.name) cpu.cfs_quota_us = cpu.cfs_quota_us + 10000 cpu.modify end end 4*(5506Λ εʔύόΠβʔʹૹΔͱ $16ׂ࣌ؒ౰Λ্͛Δ

ϑοΫʹΑΔ ίϯςφࣗମͷϥΠϑαΠΫϧ

ϥΠϑαΠΫϧͷ੍ޚ wίϯςφ͕ɺࣗ෼͕ੜ·Εɺͦͯ͠ऴྃ͢ΔαΠΫϧΛࣗ෼Ͱ  ੍ޚՄೳͳੈքΛߟ͑Δ w)BDPOJXBʹ͓͍ͯ͸ɺҰఆ͕࣌ؒܦաͨ͠Βࣗ෼ࣗ਎ʹ4*(5&3. ΛૹΔ͜ͱͰɺϥΠϑαΠΫϧͷ͋ΔίϯςφΛ࣮ݱͰ͖Δ c.add_async_hook min: 30 do |b|
# b.pid = ίϯςφͷPID=1 ::Process.kill :TERM, b.pid end ෼Ͱ ࣗ෼ʹ4*(5&3.ΛૹΔ

'BTU$POUBJOFSΞʔΩςΫνϟ΁ wϖύݚদຊࢯఏҊͷ'BTU$POUBJOFSΞʔΩςΫνϟ w'BTU$(*Λώϯτʹͨ͠ίϯςφ؅ཧετϥςδ wϓϩηεΛͭʹ෼ྨʢ*NNPSUBM.PSUBM4IPSU-JWFEʣ wʮϦΞΫςΟϒʹ্ཱ͕ͪΓɺҰఆظؒॲཧΛଓ͚Δʯ  ίϯςφΛఆٛɾ࡞੒͢Δ wؔ࿈ൃද΋͝ࢀর ʮίϯςφ࣌୅ͷ8FCαʔϏεج൫Ϟσϧ'BTU$POUBJOFSͷݚڀൃදΛ͖ͯ͠·ͨ͠ʯ  IUUQTSBOEQFQBCPDPNBSUJDMFJPUNBUTVNPUPSZ

ίϯςφϥϯλΠϜͷൺֱ

"1*ͷެ։ํ਑ w%PDLFS ଞ0$*΂ʔεͷ΋ͷ ɺ-9%͸)551ϕʔεͰ͋Δ w-9$͸ɺ$ͷΠϯλϑΣʔε͕͋ΔʢMJCMYDʣɻ͔͜͠͠ͷϥΠϒϥϦ ࣗମ͸ίϯςφઃఆΛ͍͡ΔͨΊͷ"1*Λ࣋ͨͳ͍ɻ w)BDPOJXB͸3VCZͷΠϯλʔϑΣʔε͕͋ΓɺϓϩάϥϜͰ͖Δɻ  ઃఆ΋ϑοΫ΋"1*Λ༻ҙ͓ͯ͠Γɺૢ࡞Մೳ wMJCIBDPOJXBతͳ΋ͷ͸ݕ౼͍ͯ͠Δஈ֊

ϑοΫͷ࣮ݱܗࣜ w%PDLFS ଞ0$*΂ʔεͷ΋ͷ ͸ϥΠϑαΠΫϧ"1*ͷ؂ࢹͱ͍͏ܗͰ ࣮ݱ͢Δܗʹͳ͍ͬͯΔɻผ్؂ࢹˠϑοΫͷ࣮૷͕ඞཁɻ w-9$͸ઃఆʹϥΠϑαΠΫϧϑοΫ͕͋Δ wˠίϚϯυܗࣜͰɺҾ਺ͷࢦఆ w)BDPOJXB͸"1* %4-ͷ࢓༷
ࣗମʹ֤छϑοΫ͕࣮૷͞Ε͓ͯΓɺ 3VCZͰ֤ॲཧΛهड़Մೳɻઃఆ΋ϑοΫ΋ಉ͡ݴޠͰɻ IUUQTMJOVYDPOUBJOFSTPSHKBMYDNBOQBHFTNBOMYDDPOUBJOFSDPOGIUNMMC#$

ϑοΫͷछྨ w%PDLFSɺ-9$ʹ͸ϥΠϑαΠΫϧϑοΫͷΈͷαϙʔτ w)BDPOJXB͸ϥΠϑαΠΫϧͷଞɺҎԼ΋αϙʔτ wλΠϜΞ΢τϑοΫ wఆظ࣮ߦϑοΫ wγάφϧϋϯυϥ wʢλΠϜΞ΢τఆظ࣮ߦʹΑΓ'BTU$POUBJOFS͕࣮ݱ͠΍͍͢໘ʣ

Πϝʔδͱͷ࿈ܞ w%PDLFS͸%PDLFSIVC͔Βམͱ͔͢ɺ0$*ޓ׵ͷUBSΛར༻ w-9$͸ࣗ෼ͷΤίγεςϜʹMYDUFNQMBUFTΛ͍࣋ͬͯΔ wDG3BJMDBS  ಠࣗͷNJDSPDPOUBJOFSTܗࣜɺπʔϧ PSBDMFTNJUI Λఏএ͍ͯ͠Δ w)BDPOJXB͸%4-ͰΠϝʔδ࡞੒΋αϙʔτ͢Δ wEFCPPUTUSBQMYDUBNQMBUFTͷྲྀ༻ɺHJUSFQPͷνΣοΫΞ΢τɺ  UBSͰݻΊͨSPPUGTͳͲʢ0$*ޓ׵Πϝʔδͷαϙʔτ΋ೖΕ͍ͨʣ

·ͱΊɿද هड़ݴޠ ίϯςφઃఆ "1* ϑοΫ࣮૷ ϑοΫͷछྨ Πϝʔδઓུ %PDLFS SVOD (PMBOH
%PDLFSpMF ίϚϯυϥΠϯ )551"1* ϥΠϑαΠΫϧ  ؂ࢹ ϥΠϑλΠϜ %PDLFSIVC  0$*४ڌ -9$ $ JOJpMF MJCMYD ϑοΫઃఆ߲໨ ϥΠϑλΠϜ MYDUFNQMBUF -9% (PMBOH 1SPpMF )551"1* 3BJM$BS 3VTU 0$*४ڌ  KTPO 0$*४ڌ KTPO ະαϙʔτ 0$*४ڌ NJDSPDPOUBJOFST )BDPOJXB NSVCZ $ 3VCZ%4- 3VCZ%4- 3VCZ%4- ϥΠϑλΠϜ   λΠϜΞ΢τଞछ MYDUFNQMBUF  ྲྀ༻ଞ

)BDPOJXBͷ໨ࢦ͢ੈք

%PDLFS0$*ͳͲͷํ޲ੑ w͜͜·ͰͷൺֱͰɺ%PDLFSͳͲͱ)BDPOJXBͷҧ͍Λྻڍͨ͠ wݸਓతʹɺ%PDLFSͷ໨ࢦ͢ํ޲͸ʮ7.ͷ࠶ൃ໌ʯతʹࢥ͑Δ wϢʔβʔ͔ΒɺʮԾ૝؀ڥʯͷৄࡉ͸Ӆ͞Ε͍ͯͯɺ  ܾ·ͬͨ"1*Λܦ༝ͯ͠σϓϩΠɾΦʔέετϨʔγϣϯΛߦ͏ wDG,VCFSOFUFT#PSHʢ͜Ε΋ޙड़ʣ wͦ͏͍͏ந৅Խࣗମ͸ɺҰͭͷํ޲ੑͰ͸͋Δ

$POUBJOFS&DPTZTUFNBT$PEF w)BDPOJXBͱɺͦͷपลͰ໨ࢦ͍ͨ͠ͱ͜Ζ wجຊతͳϦιʔεׂ౰΍ݖݶ෼཭ͳͲͷઃఆ͸ίʔυԽͰ͖Δ w·ͨɺଞͷϥϯλΠϜͱൺ΂ͯ΋๛෋ͳϑοΫΛ༻ҙ͠ɺίϯςφͷ ৼΔ෣͍ɾϥΠϑαΠΫϧΛίʔυԽͰ͖Δ w͔͜͜ΒɺίʔυԽͷൣғΛ޿Ί͍͖͍ͯͨɻ  ྫ͑͹ωοτϫʔΫ૚΍ɺϑΝΠϧγεςϜؔ܎ɺ04ͷηΩϡϦςΟɾ ؂ࠪͷ࢓૊Έʢ-JOVYͷ-4.ʣͳͲ΋ίʔυԽͷൣғʹͰ͖ͳ͍͔ʁ

ίϯςφΤίγεςϜʹ  ίʔυͰ౿ΈࠐΉೖΓޱʹͳΔ

͜ΕΒΛ౿·͑ͯ ίϯςφͷੈքΛπΞʔ͠·͠ΐ͏

վΊͯ ίϯςφͱ͸Կ͔

ίϯςφ͸ొ৔ਓ෺͕ଟ͗͢Δ w-JOVYΧʔωϧࣗମɺγεςϜίʔϧ w֤छίϯςφϥϯλΠϜ wΦʔέετϨʔγϣϯπʔϧ܈ wΫϥ΢υαʔϏεͦͷଞ wͳͲͳͲ wˠશମ؍Λࣔͭͭ͠ɺ੔ཧ͠·͢

ίϯςφ͸ొ৔ਓ෺͕ଟ͗͢Δ w-JOVYΧʔωϧࣗମɺγεςϜίʔϧ w֤छίϯςφϥϯλΠϜ wΦʔέετϨʔγϣϯπʔϧ܈ wΫϥ΢υαʔϏεͦͷଞ wͳͲͳͲ wˠશମ؍Λࣔͭͭ͠ɺ੔ཧ͠·͢ ·ͣ͸ ͜͜Λԡ͑͞Δ

Ծ૝Խͱ͸ʁ wྫϋΠύʔόΠβܕʢωΠςΟϒϋΠύʔόΠβʣ wઐ༻ͷ04΍ɺ-JOVY,FSOFMࣗମΛϋΠύʔόΠβͱͯ͠࢖͍ɺͦͷ ্Ͱ04Λ૸ΒͤΔ wྫϗετ04ܕʢϗετϋΠύʔόΠβʣ w൚༻తͳ04ͷ্ʹɺ7JSUVBM#PYͷΑ͏ͳԾ૝ԽͷͨΊͷઐ༻ιϑτ ΢ΣΞΛೖΕͯ૸ΒͤΔ wίϯςφܕˠ

ʮίϯςφԾ૝Խʯ w͍ΘΏΔ,7.΍9FO΍7.XBSFW4QIFSF΍7JSUVBM#PYͷར༻ͱɺ wίϯςφʹΑΔʮԾ૝Խʯ͸ɺҰઢΛը͍ͯ͠Δ wϋʔυ΢ΣΞΛԾ૝Խ͢ΔΘ͚Ͱ͸ͳ͍ wΧʔωϧΛબ΂ΔΘ͚Ͱ͸ͳ͍ wͰ͸ɺͲ͏΍ͬͯಠཱͨ͠؀ڥΛ࡞͍ͬͯΔʁ

ίϯςφ͸  ϓϩηεͰ͋Δ

ίϯςφ͸  ʮʓʓʯ  ͨ͠ϓϩηεͰ͋Δ

ϓϩηεΛ ίϯςφʹ͢Δ

04ϦιʔεΛϗετ͔Β෼཭͢Δ wϧʔτϑΝΠϧγεςϜʢSPPUGTʣͷಠཱԽ wDISPPU ͱ͍͏ίϚϯυΛ༻͍ͯɺ͋ΔαϒπϦʔʹ࡞ͬͨϑΝΠ ϧπϦʔʹೖΓࠐΉ͜ͱ͕Ͱ͖Δɻ wCJOENPVOUΛ༻͍ͯɺ  ͦͷSPPUGTΛ͍͔ͭ͘ͷ֎෦ͷ  σΟϨΫτϦͰߏஙՄೳ
wΑΓ৚݅͸ݫ͍͕͠ɺ҆શʹͳΔQJWPU@SPPU Λ࢖͏͜ͱ΋͋Δ IUUQTXXXBRVJDLMPPLBUDPNMJOVYMJOVYEFWFMPQFSDISPPU

04ϦιʔεΛϗετ͔Β෼཭͢Δ w-JOVYOBNFTQBDF wϗετͱಠཱͨ͠04ͱͯ͠ͷϦιʔεΛ࣋ͨͤΔ͜ͱ͕Ͱ͖Δɻ  ྫ͑͹ɿ wϗετ໊ w*1$ͷϦιʔε wωοτϫʔΫ IUUQTTQFBLFSEFDLDPNVE[VSBDSFBUJOHDPOUBJOFSTXJUIHPMBOH

ྫωοτϫʔΫ໊લۭؒ FUI EPDLFS WFUIIPTU WFUIHVFTU WFUIIPTU WFUIHVFTU WFUIIPTU WFUIHVFTU FH
FH ඞཁʹԠ͡/"5ͳͲ /FUXPSL/BNFTQBDFʹΑΓɺ ίϯςφϓϩηε͕ϗετͱ͸ผͷ/*$*1ΛೝࣝͰ͖Δ ͻͱͭͷ)PTU CSJEHF

04ϦιʔεΛ੍ݶ͢Δ wDHSPVQ $POUSPM(SPVQ wϓϩηεʢεϨουΛؚΉ৔߹΋͋ΔʣΛάϧʔϐϯάͯ͠ɺͦͷ୯ ҐͰϦιʔεͷར༻ঢ়گͳͲΛ੍ݶɺ͋Δ͍͸౷ܭ৘ใΛऔಘͰ͖Δ wDGVMJNJU SMJNJUϓϩηεʢࢠؚΉʣ୯Ґ w੍ݶͰ͖Δ΋ͷ$16ɺϝϞϦɺ*0ɺϓϩηε਺ͳͲ

ίϯςφͷϓϩηε਺Λ੍ݶ͢Δྫ w·ͨ͸GPSLCPNCରࡦ wEPDLFSͳΒ--pids-limitͰར༻ग़དྷΔ

ݖݶΛ੍ݶ͠ɺηΩϡΞʹ͢Δ w-JOVYΧʔωϧʹ͸͍͔ͭ͘ɺͦ͏͍͏࢓૊Έ͕ଘࡏ͠ɺͦΕΒ͕૊ Έ߹Θ͍ͬͯ͞Δɻ wSPPUͷݖݶΛ෼ׂ͠ɺҰ෦ͷΈΛ౉͢ʢ-JOVYDBQBCJMJUZʣ wγεςϜίʔϧͷݺͼग़͠ΛϑΟϧλʔ͢ΔʢTFDDPNQʣ wڧ੍ΞΫηε੍ޚʢ."$FH4&-JOVYɺ"QQ"SNPSʣ

':*εΠενʔζϞσϧ wҰͭҰͭʹ͕ۭ͍͍݀ͯͨͱͯ͠΋ɺ  ͨ͘͞ΜॏͶΔ͜ͱͰɺશͯͷ݀Λൈ͚Δ͜ͱ͸  ඇৗʹ೉͘͠ͳΔɻ *NBHF$$IUUQTQJYBCBZDPNQ

ʮʓʓʯͨ͠ϓϩηε wίϯςφͷਖ਼ମ͸ɺ-JOVYΧʔωϧͷ༷ʑͳػೳΛ༻͍ͯɺ w04Ϧιʔεͷ෼཭ w04Ϧιʔεͷར༻੍ݶ wݖݶͷߜΓࠐΈ wΛߦ͍ɺϗετͱಠཱ҆͠શͳঢ়ଶʹͨ͠ϓϩηεͰ͋Δͱݴ͑Δ

࣮ࡍʹͲ͏ͳ͍ͬͯΔ͔ ೷͍ͯΈ·͠ΐ͏

%PDLFS IUUQTXXXqJDLSDPNQIPUPT!/$$CZTB

%PDLFSͰίϯςφΛ࡞Ζ͏ w൚༻తͳ-JOVYʢࠓճ͸6CVOUV[FTUZʣͰ w%PDLFSΛೖΕɺίϯςφΛ࡞ͬͯΈΔ

ϓϩηε͕ग़དྷ্͕Δ wEPDLFSE  aDPOUBJOFSE  aSVOD

ϓϩηεͷؾ࣋ͪʹͳΔʹ͸ wQSPDϑΝΠϧγεςϜ w೷͍ͯΈͨ͜ͱ͋Γ·͔͢ʁ

/BNFTQBDFΛ೷͍ͯΈΔ wQSPD1*%OTσΟϨΫτϦ wͦ͜ʹɺ/4Λදݱ͢ΔϑΝΠϧ΁ͷγϯϘϦοΫϦϯΫ͕͋Δɻ w௨ৗͷϓϩηεͱ͍ࠩͯ͠Δ΋ͷ͕ҧ͏ͱΘ͔Δ %FGBVMU/BNFTQBDF $POUBJOFS/BNFTQBDF

ॴଐ͢ΔDHSPVQΛ೷͍ͯΈΔ wQSPD1*%DHSPVQʹ͋ΔʢWͷ৔߹ʣɻ wରԠ͢ΔDHSPVQΛ௚઀ૢ࡞͢Δ͜ͱ΋Ͱ͖ͨΓɻ

ݖݶ͕ߜΒΕ͍ͯΔͷΛ೷͍ͯΈΔ wQSPD1*%TUBUVT w$BQ ͱ͍͏ߦ͕ɺී௨ͷSPPUͱҧ͏ͱ֬ೝͰ͖Δ w͜ͷͦΕͧΕͷϏοτ͕ɺҰͭҰͭ$BQBCJMJUZʹରԠ %FGBVMUSPPU $POUBJOFSSPPU

ίϯςφͷػೳΛ୯ମͰ࢖͏͜ͱ΋Ͱ͖Δ wVOTIBSF ίϚϯυͷྫ w1*%/BNFTQBDFɺ.PVOU/BNFTQBDFɺ654/BNFTQBDFΛ  ෼཭ͨ͠৽͍͠γΣϧ্ཱ͕͕ͪΔɻ࣮ࡍɺQSPDͳͲΛϚ΢ϯτ͠ ௚͢ͱɺ1*%͕͔Βʹ wϗετ໊΋ಠཱ $ unshare
--fork --pid --mount --uts

ίϯςφͷػೳΛ୯ମͰ࢖͏͜ͱ΋Ͱ͖Δ wDBQTI ίϚϯυͷྫ w্ཱͪ͛ͨγΣϧͰ͸ɺSPPUͰ͸͋Δ͕ϗετͷ࣌ؒͷૢ࡞ʹࣦഊ ͢ΔɻʮݖݶΛ੍ݶ͞ΕͨSPPUʯͱͳΔ $ sudo capsh --drop==cap_sys_time
-- -l

͜ͷষͷ·ͱΊ wίϯςφ͸ɺʮϗετ͔ΒϦιʔεΛ෼཭ɾ੍ݶ͠ɺݖݶΛߜͬͯ҆ શʹʯͨ͠ϓϩηεͰ͋Δɻ wͲͷΑ͏ͳ࣮૷ʢ%PDLFSɺ-9$ɺͦͷଞʣͰ΋ڞ௨ͯ͠ɺͦͷΑ͏ ͳϓϩηεΛ࡞ͬͯίϯςφͱ͍ͯ͠Δɻ

ίϯςφք۾ͷۙگ

ίϯςφ͸ొ৔ਓ෺͕ଟ͗͢Δ w-JOVYΧʔωϧࣗମɺγεςϜίʔϧ w֤छίϯςφϥϯλΠϜ wΦʔέετϨʔγϣϯπʔϧ܈ wΫϥ΢υαʔϏεͦͷଞ wͳͲͳͲ wˠશମ؍Λࣔͭͭ͠ɺ੔ཧ͠·͢

ίϯςφ͸ొ৔ਓ෺͕ଟ͗͢Δ w-JOVYΧʔωϧࣗମɺγεςϜίʔϧ w֤छίϯςφϥϯλΠϜ wΦʔέετϨʔγϣϯπʔϧ܈ wΫϥ΢υαʔϏεͦͷଞ wͳͲͳͲ wˠશମ؍Λࣔͭͭ͠ɺ੔ཧ͠·͢ ͜ͷষ͸͜͜

֤छίϯςφϥϯλΠϜͷొ৔ wίϯςφͷ࣮૷͸࣮͸ͦΜͳʹ೉͘͠ͳ͍ w؆୯ʹ෼ྨ͢Δͱ w6/*9తπʔϧʢDISPPU΍JQOFUOTʣɺ-9$ w%PDLFSϓϩδΣΫτͱ͔ͦ͜Βग़͖ͯͨ.PCZ wSLU΍$3*0ͳͲͷ։ൃɺͦΕʹ͙࣍3BJM$BS wࣗ෼ͷͨΊͷίϯςφʢKBJMJOHɺESPPUଞʣ

֤छίϯςφϥϯλΠϜͷొ৔ wίϯςφͷ࣮૷͸࣮͸ͦΜͳʹ೉͘͠ͳ͍ w؆୯ʹ෼ྨ͢Δͱ w6/*9తπʔϧʢDISPPU΍JQOFUOTʣɺ-9$ w%PDLFSϓϩδΣΫτͱ͔ͦ͜Βग़͖ͯͨ.PCZ wSLU΍$3*0ͳͲͷ։ൃɺͦΕʹ͙࣍3BJM$BS wࣗ෼ͷͨΊͷίϯςφʢKBJMJOHɺESPPUଞʣ 0QFO$POUBJOFS*OJUJBUJWF ४ڌͷίϯςφͨͪ ʢ·ͨ͸ͦΕΛ໨ࢦ͢΋ͷʣ

ίϯςφͷඪ४Խ

ίϯςφͷඪ४Խ w0QFO$POUBJOFS*OJUJBUJWF IUUQTXXXPQFODPOUBJOFSTPSHɹ

0QFO$POUBJOFS*OJUJBUJWF wίϯςφͷඪ४࢓༷Λࡦఆ͢ΔͨΊͷஂମ wϝϯόʔ͸$PSF04ɺ%PDLFSɺ3FE)BUɺ.JDSPTPGUɺ(PPHMF w%PDLFSͷ͍࣋ͬͯͨ࢓༷͕͜ͷஂମʹدଃ͞ΕɺͦΕΛ΋ͱʹ ೥݄ʹ0$*W͕ࡦఆ͞Εͨ wྫ͑͹ɺίϯςφ͕ຬͨ͢΂͖γεςϜతཁ݅ɺઃఆͰ͖Δ΂͖߲໨ɺ αϙʔτ͢ΔϥΠϑαΠΫϧɺΠϝʔδͷϑΥʔϚοτͳͲΛఆٛ IUUQTHJUIVCDPNPQFODPOUBJOFSTSVOUJNFTQFD

0$*ͷن໿Λຬͨ͢ͱ wྫ͑͹ɺEPDLFSίϚϯυΛܦ༝ͯͦ͠ͷϥϯλΠϜΛ্ཱͪ͛ΒΕΔ wEPDLFS͔ΒσϑΥϧτͰ্ཱ͕ͪΔSVOD΋ɺ0$*४ڌͷίϯςφͷ Ұͭʹա͗ͳ͍ͱݟ၏͢͜ͱ͕Ͱ͖Δɻ w3BJMDBSͷྫ $ dockerd ...--add-runtime "railcar=/path/to/railcar" $
docker run -it --rm --runtime railcar hello

ΦʔέετϨʔγϣϯπʔϧͷོ੝ w,VCFSOFUFTͱ/PNBE͕୅දతɻ,VCFSOFUFT͕ͱʹ͔͘ڧ͍ɻ  ଞʹɺ%PDLFS$PNQPTF4XBSNͳͲ΋ؚ·ΕΔ͔΋͠Εͳ͍ɻ w,VCFSOFUFTͱ/PNBE͸ɺ(PPHMFࣾͷࣾ಺ج൫ʮ#PSHʯΛϕʔεʹ ։ൃ͞Ε͍ͯΔɻ

DG*OGSBTUSVDUVSFBT$PEF w%ZOBNJD*OGSBTUSBDUVSF ͷίʔυԽͷ  Ԇ௕ઢ্ʹɺίϯςφΠϯϑϥͷ  ίʔυԽ͕͋Δ͔΋͠Εͳ͍ɻ IUUQNJ[[ZPSHCMPH

#PSHQBQFS wಛ௃ɺૂ͍ͳͲ w ϦιʔεϚωδϝϯτ΍ΤϥʔॲཧΛϢʔβ͔ΒӅ͢ w ඇৗʹߴ͍৴པ౓΍Մ༻ੑ΍ఏڙ͢Δ w ਺ສ୆ͷϚγϯΛޮ཰Α͘࢖͍δϣϒΛ࣮ߦ͢Δ w43&ຊʹ΋ɺ#PSH΍#PSHNPOͷ࿩͕ग़͍ͯΔͦ͏ w1BYPTͷ୅ΘΓʹ3BGU
FUDE ɺ#PSHMFUͱ1PEͳͲɺӨڹ͕ਵॴʹ IUUQTTUBUJDHPPHMFVTFSDPOUFOUDPNNFEJBSFTFBSDIHPPHMFDPNKBQVCTBSDIJWFQEG

l,VCFSOFUFTUSBDFTJUTMJOFBHFEJSFDUMZ GSPN#PSHz IUUQCMPHLVCFSOFUFTJPCPSHQSFEFDFTTPSUP LVCFSOFUFTIUNM

ίϯςφΞʔΩςΫνϟͷ ϨΠϠԽ

ίϯςφΞʔΩςΫνϟͷϨΠϠԽ w֤ॴͰఏҊ͕ࢼ͞Ε͍ͯΔɻFH.PCZ1SPKFDU wίϯϙωϯτΛϥϯλΠϜɺΦʔέετϨʔγϣϯͳͲϨΠϠԽ͠ɺ  ૊Έ߹Θ͍ͤͨ IUUQTNPCZQSPKFDUPSH

ྫϖύݚͷఏҊϞσϧ wετϥςδ૚ͷಋೖ w'BTU$POUBJOFSɺ  3BODIFSͳͲͷҐஔ෇͚ IUUQTSBOEQFQBCPDPNBSUJDMFJPUNBUTVNPUPSZ

૚ಉ࢜ͷ࢓༷ͷఆٛͷҰྫ w,VCFSOFUFTͷ$3*ͷྫ wEach container runtime has it own strengths wKubelet
communicates with the container runtime... over Unix sockets using the gRPC framework w$3*ʹԊ࣮ͬͯ૷͢Ε͹ɺྫ͑͹,VCFSOFUFTͷ্Ͱ)BDPOJXBΛಈ͔ ͢͜ͱ΋Ͱ͖ΔͰ͋Ζ͏ɻ IUUQCMPHLVCFSOFUFTJPDPOUBJOFSSVOUJNFJOUFSGBDFDSJJOLVCFSOFUFTIUNM

͜ΕΒΛ౿·͑ͯ վΊͯ

ࠞಱͱ͢Δίϯςφؔ࿈ιϑτ΢ΣΞଞ EPDLFS SVOD DSJP MYD MYE SBJMDBS IBDPOJXB LVCFSOFUFT OPNBE
VOTIBSF SLU TXBSN (,& .BHOVN DISPPU &$4 "$* SLUMFU SBODIFS NPCZ

ͷ͏ͪɺʮϥϯλΠϜʯͷօ͞Μ EPDLFS SVOD DSJP MYD MYE SBJMDBS IBDPOJXB LVCFSOFUFT OPNBE
VOTIBSF SLU TXBSN (,& .BHOVN DISPPU &$4 "$* SLUMFU SBODIFS NPCZ

ϥϯλΠϜʹ΋ ෼ྨ͕ඞཁ

վΊͯEPDLFSEͷϓϩηεπϦʔͷྫ /usr/bin/dockerd --debug -l debug -H fd:// --... \_ docker-containerd
-l unix:///var/run/docker/... \_ docker-containerd-shim 95b86b... docker-runc \_ /bin/bash

/usr/bin/dockerd --debug -l debug -H fd:// --... \_ docker-containerd -l
unix:///var/run/docker/... \_ docker-containerd-shim 95b86b... docker-runc \_ /bin/bash େ·͔ͳ໾ׂ෼୲ EPDLFSEIUUQϦΫΤετΛड͚औΔ

unix:///var/run/docker/... \_ docker-containerd-shim 95b86b... docker-runc \_ /bin/bash େ·͔ͳ໾ׂ෼୲ EPDLFSEIUUQϦΫΤετΛड͚औΔ DPOUBJOFSEEPDLFSE͔ΒͷϦΫΤετΛड͚औΓ  ίϯςφ؀ڥΛηοτΞοϓͯ͠DPOUBJOFSETIJNʹ౉͢

unix:///var/run/docker/... \_ docker-containerd-shim 95b86b... docker-runc \_ /bin/bash େ·͔ͳ໾ׂ෼୲ EPDLFSEIUUQϦΫΤετΛड͚औΔ DPOUBJOFSEEPDLFSE͔ΒͷϦΫΤετΛड͚औΓ  ίϯςφ؀ڥΛηοτΞοϓͯ͠DPOUBJOFSETIJNʹ౉͢ DPOUBJOFSETIJNܾ·ͬͨϓϩτίϧͰSVODଞϥϯλΠϜΛىಈ͢Δ

unix:///var/run/docker/... \_ docker-containerd-shim 95b86b... docker-runc \_ /bin/bash େ·͔ͳ໾ׂ෼୲ EPDLFSEIUUQϦΫΤετΛड͚औΔ DPOUBJOFSEEPDLFSE͔ΒͷϦΫΤετΛड͚औΓ  ίϯςφ؀ڥΛηοτΞοϓͯ͠DPOUBJOFSETIJNʹ౉͢ DPOUBJOFSETIJNܾ·ͬͨϓϩτίϧͰSVODଞϥϯλΠϜΛىಈ͢Δ ίϯςφԽͨ͠ϓϩηεࣗମ

͜͏͍͏࣮૷Λ౿·͑ͯ෼͚ͯΈͨ EPDLFSE DPOUBJOFSE NPCZ DPOUBJOFSE DSJP SLUMFU SVOD SLU SBJMDBS
MYE MYD IBDPOJXB

͜͏͍͏࣮૷Λ౿·͑ͯ෼͚ͯΈͨ %PDLFS"1*ɺ$3*ͳͲΛ ड͚औͬͯίϯςφͷͨΊͷ४උͱ ىಈϓϩηεΛ୲౰͢Δ EPDLFSE DPOUBJOFSE NPCZ DPOUBJOFSE DSJP SLUMFU
SVOD SLU SBJMDBS MYE MYD IBDPOJXB ࣮ࡍʹɺΧʔωϧͷ γεςϜίʔϧΛݺͿͳͲͯ͠ ίϯςφϓϩηεΛ࡞੒͢Δ

͜͏͍͏࣮૷Λ౿·͑ͯ෼͚ͯΈͨ %PDLFS"1*ɺ$3*ͳͲΛ ड͚औͬͯίϯςφͷͨΊͷ४උͱ ىಈϓϩηεΛ୲౰͢Δ $PNNVOJDBUPS Ծ -PDBUFS Ծ EPDLFSE DPOUBJOFSE
NPCZ DPOUBJOFSE DSJP SLUMFU SVOD SLU SBJMDBS MYE MYD IBDPOJXB ࣮ࡍʹɺΧʔωϧͷ γεςϜίʔϧΛݺͿͳͲͯ͠ ίϯςφϓϩηεΛ࡞੒͢Δ

͜ͷষͷ·ͱΊ wίϯςφʹؔ͢Δಈ͖͸ɺίϯςφࣗ਎ͷ࣮૷ͷ಺༰Χʔωϧత࿩ ୊ͱͱ΋ʹɺೋͭͷ఺Λԡ͑͞Δͱྑ͍ͩΖ͏ɻ w ίϯςφʹ͸ඪ४Խͷಈ͖͕͋Γɺඪ४ʹԊͬͯ໨తͷͨΊͷί ϯςφΛ࡞͍ͬͯ͘ಈ͖͕Մೳʹͳ͍ͬͯ͘ w ίϯςφͷΤίγεςϜ͸ɺͦΕͧΕͷίϯϙωϯτ͕ϨΠϠԽ͞ Ε࣮ͯ૷͕ू໿͞Ε͍ͯ͘Ͱ͋Ζ͏ɻϨΠϠࣗମ΍ɺ,VCFSOFUFTͷ $3*ͷΑ͏ͳɺϨΠϠಉ࢜ͷΠϯλʔϑΣʔε΋੔උ͞ΕΔɻ͸ͣ

)BDPOJXBͷࠓޙ

ຊ෦ձ͸ɺιϑτ։ൃεΩϧ͕اۀ಺ʹด͡ɺۀքશମͷεΩ ϧ޲্ʹͳ͓ͬͯΒͣɺ͔ͭɺ೔ຊൃͷάϩʔόϧڝۀྗͷ͋ Διϑτ͕গͳ͍ݱঢ়Λةዧ͠ɺ೔ຊͷಛ௃Λ׆͔ͨ͠044Ξ ϓϦέʔγϣϯΛ։ൃ͠ɺར༻ऀͷཱ৔ͰϏδωεϞσϧΛఏ Ҋͯ͠ɺ044ͷීٴɺ͓Αͼɺιϑτ։ൃऀͷεΩϧ޲্΁ͷ ߩݙΛ໨ࢦ͢΋ͷͰ͋Δ ΞϓϦέʔγϣϯ෦ձʮ໨తͱഎܠʯΑΓ

ϏζχεϞσΡ

ϩϦϙοϓʂ ϚωʔδυΫϥ΢υ

)BDPOJXBΛόοΫΤϯυʹ࠾༻ w΋ͱ΋ͱʮ1BB4ϗεςΟϯάΛ΋ͬͱ͍͍ײ͡ʹ͍ͨ͠ʯͱ͍͏  Ϟνϕʔγϣϯ͔Β࢝·ͬͨ044Ͱ͋Δ͜ͱͱগͭ͠ͳ͕Δ w'BTU$POUBJOFSʴ)BDPOJXBͰɺ΍Γ͍ͨ8FCαʔϏεΛ࡞Δ IUUQTQFQBCPDPNOFXTQSFTT

۝भେֶͱͷڞಉݚڀ

Ϋϥ΢υେن໛࣮ݧͷج൫ͱͯ͠ wlίϯςφܕԾ૝Խٕज़Λج൫ʹ༻͍ͨΫϥ΢υϗεςΟϯάʹؔ͢ Δڞಉݚڀ։ൃΛ։࢝z w΋ͪΖΜɺ͜ͷlίϯςφܕԾ૝Խٕज़zͷॏཁͳҰ୺͕)BDPOJXB  Ͱ͋Δʂʂʂ̍ʢઌड़ͷϚωʔδυΫϥ΢υͷԠ༻ͳͷͰʣ wৄࡉ͸ϓϨεϦϦʔε Ͱɻࠓޙ΋΍͍͖ͬͯ·͢ IUUQTQFQBCPDPNOFXTQSFTT IUUQTXXXLZVTIVVBDKQG@@QEG

)BDPOJXBͷ ໨ࢦ͢ੈք

࠶ܝ%PDLFS0$*ͳͲͷํ޲ੑ w͜͜·ͰͷൺֱͰɺ%PDLFSͳͲͱ)BDPOJXBͷҧ͍Λྻڍͨ͠ wݸਓతʹɺ%PDLFSͷ໨ࢦ͢ํ޲͸ʮ7.ͷ࠶ൃ໌ʯతʹࢥ͑Δ wϢʔβʔ͔ΒɺʮԾ૝؀ڥʯͷৄࡉ͸Ӆ͞Ε͍ͯͯɺ  ܾ·ͬͨ"1*Λܦ༝ͯ͠σϓϩΠɾΦʔέετϨʔγϣϯΛߦ͏ wDG,VCFSOFUFT#PSHʢ͜Ε΋ޙड़ʣ wͦ͏͍͏ந৅Խࣗମ͸ɺҰͭͷํ޲ੑͰ͸͋Δ ΤίγεςϜͷಈ͖͸ɺ ͜͜Λิڧ͍ͯ͠Δͱ ཧղ͢ΔͱΘ͔Γ΍͍͢͸ͣ

࠶ܝ$POUBJOFS&DPTZTUFNBT$PEF w)BDPOJXBͱɺͦͷपลͰ໨ࢦ͍ͨ͠ͱ͜Ζ wجຊతͳϦιʔεׂ౰΍ݖݶ෼཭ͳͲͷઃఆ͸ίʔυԽͰ͖Δ w·ͨɺଞͷϥϯλΠϜͱൺ΂ͯ΋๛෋ͳϑοΫΛ༻ҙ͠ɺίϯςφͷ ৼΔ෣͍ɾϥΠϑαΠΫϧΛίʔυԽͰ͖Δ w͔͜͜ΒɺίʔυԽͷൣғΛ޿Ί͍͖͍ͯͨɻ  ྫ͑͹ωοτϫʔΫ૚΍ɺ04ͷηΩϡϦςΟɾ؂ࠪͷ࢓૊Έʢ-JOVY ͷ-4.ʣͳͲ΋ίʔυԽͷൣғʹͰ͖ͳ͍͔ʁ

ࠓίʔυԽ͍ͯ͠Δͱ͜Ζ Χʔωϧࣗମ Χʔωϧ֦ுͳͲ γεςϜίʔϧ /BNFTQBDF DHSPVQ $BQBCJMJUZ DISPPU౳ TFDDPNQ
)PPLT /FUXPSLؔ࿈ઃఆ ΦʔέετϨʔγϣϯ૚ͱͷ࿈ܞ )BDPOJXB %4-

͜Ε͔Β Χʔωϧࣗମ Χʔωϧ֦ுͳͲ γεςϜίʔϧ /BNFTQBDF DHSPVQ $BQBCJMJUZ DISPPU౳ TFDDPNQ
)PPLT /FUXPSLؔ࿈ઃఆ ΦʔέετϨʔγϣϯ૚ͱͷ࿈ܞ ίʔυԽͰ͖Δ ൣғΛ૿΍͢ ίϯςφϋοΫ  ͷͨΊͷ ೖΓޱʹ

΍͍͖͍ͬͯͨ w҆ఆԽʂʢಛʹɺUISFBEपΓʣ wωοτϫʔΫपΓͷ%4-ͷ࣮૷ w0$*΁ͷରԠʢίϚϯυϓϩτίϧɺΠϝʔδαϙʔτଞʣ w)551"1*ϨΠϠ$PNNVOJDBUPS૚ͷಋೖ w)BDPOJXBपลͷ-JOVY֦ுͷ࣮૷ʢQSPDGTతͳ)BDPOJXBGTͱ͔ɺ )BDPOJXBʹ౷߹͞Εͨ-4.Έ͍ͨͳͷΛ૝૾தʣ

ऴΘΓʹ

ϑΫΦΧ3VCZେ৆Ͱޠͬͨ͜ͱ wंྠͷ࠶ൃ໌ΛڪΕ͗͢ͳ͍͜ͱ

ࣗ෼ͷதʹ นΛ࡞Βͳ͍ Ұาઌʹ౿ΈࠐΉ

ຊ౰ͷ͜ͱΛ ஌Γ͚ͨΕ͹ खΛಈ͔͔͢͠ͳ͍ʂ

ίϯςφ௿ϨΠϠͷ࢓ࣄ ෱ԬͰͷࠊΛਾٕ͑ͨज़త੒௕ ͝ڵຯ͕͋Ε͹ ͬͦ͜Γ͝૬ஊʹ৐Γ·͢

コンテナの仕組みとエコシステム - Haconiwaを通じて眺めてみる /container-...

コンテナの仕組みとエコシステム - Haconiwaを通じて眺めてみる /container-ecosystem-and-haconiwa

More Decks by KONDO Uchio

Other Decks in Technology

Featured

Transcript