https://event.cloudnativedays.jp/cndf2023/talks/1910
Foundational Elements of Cloud Native: Containers Now and in the Future
CloudNative Days Fukuoka 2023, Toru Komatsu (@utam0k)

KOMATSU Toru (@utam0k)
Preferred Networks, Inc.: development and operation of the in-house on-premises ML platform.
OSS as a hobby: maintainer of opencontainers/runtime-spec and containers/youki; reviewer for containerd/runwasi.
We are Hiring!!
00 Containers Today
[Diagram: execution flow from Kubelet. Kubelet → Container Runtime → Linux etc. The container runtime is split in two: a High-Level runtime, which Kubelet talks to over the Container Runtime Interface (gRPC) and which handles image and container management, and a Low-Level runtime, which is driven through the OCI Runtime Spec, does the actual container creation, and runs as a one-shot binary.]
00 Containers Today?
In this talk, a "container" means something that satisfies the OCI Runtime Spec.
The OCI Runtime Spec defines what a container is through a JSON configuration file and a set of subcommands, e.g. ./runc create $id.
[Diagram: the execution flow from Kubelet again, with the OCI Runtime Spec between the Low-Level runtime and Linux.]
containerd: sits between the Container Runtime Interface above it and the OCI Runtime Spec (the low-level runtime) below it.
→ microservice-like architecture
→ plugin mechanism
[Diagram: containerd's microservice-like architecture. API (behind the Container Runtime Interface): Image Service, Snapshot Service, Containers Service, Tasks Service, ... Core: Content Store (plugin: local), Snapshotter (plugin: overlay, ...), Runtime v2 shim client. Backend: containerd-shim, reached over ttrpc, which drives the one-shot low-level runtime through the OCI Runtime Spec.]
Recap
Kubelet → Container Runtime → Container
→ High-Level / Low-Level Container Runtime
Specifications
→ Container Runtime Interface
→ OCI Runtime Specification
containerd
→ microservice-like architecture
→ plugin mechanism
01 The Future of Containers
⚠ Personal opinions ⚠

02 WebAssembly
WebAssembly: Portability, Small Size, Security
[Diagram: the execution flow from Kubelet, pointing at the Low-Level runtime / OCI Runtime Spec layer.]
Did you guess that WebAssembly support is needed around here?
containerd/runwasi: extends containerd through a containerd-shim. Already at the experimental stage in the real world: Docker Desktop, Azure Kubernetes Service.
[Diagram: containerd's architecture again; the part runwasi extends is the Backend, i.e. the containerd-shim.]
[Diagram: WebAssembly execution flow. Kubelet → Container Runtime (High-Level, via the Container Runtime Interface; Low-Level) → Linux etc., with no OCI Runtime Spec stage.]
ktock/container2wasm: reuse existing container assets.

03 Lazy Pulling
Lazy Pulling

    $ nerdctl --snapshotter=stargz run python:3.7-esgz python3 -c 'exit()'
    index-sha256:6a42...4948:    done |++++++++++++++++++++++++++++++|
    manifest-sha256:1c57...20c5: done |++++++++++++++++++++++++++++++|
    config-sha256:f590...1df5:   done |++++++++++++++++++++++++++++++|
    elapsed: 11.0 s total: 4.8 Ki (1.5 KiB/s)

    $ nerdctl run python:3.7-org python3 -c 'exit()'
    index-sha256:6008....1237:    done |++++++++++++++++++++++++++++++|
    manifest-sha256:48ea...30ce7: done |++++++++++++++++++++++++++++++|
    config-sha256:94c9....9290:   done |++++++++++++++++++++++++++++++|
    layer-sha256:f860....fbf6:    done |++++++++++++++++++++++++++++++|
    layer-sha256:d779....3cc5:    done |++++++++++++++++++++++++++++++|
    …
    layer-sha256:adbd....f52c:    done |++++++++++++++++++++++++++++++|
    layer-sha256:c495....736a:    done |++++++++++++++++++++++++++++++|
    elapsed: 41.3s total: 321.3 Mi (16.7 MiB/s)

No layers are pulled, so the container starts quickly!
[Diagram: stargz-snapshotter, steps ① to ⑦. User space: the container, stargz-snapshotter with its cache, and the container registry. Kernel: overlayfs and the FUSE driver. The flow starts with the container calling open("file").]
[Diagram: containerd's architecture again; the part stargz extends is the Snapshotter plugin. The stargz snapshotter is attached over grpc.]
04 OCI Runtime Spec v1.1.0
[Diagram: the execution flow from Kubelet, pointing at the OCI Runtime Spec.] This one!
OCI Runtime Specification v1.1.0
Released last month, the first release in three years! 21 new features since v1.0.2: cgroup v2 / idmapped mount / seccomp notify ...
Scheduler entity (#1188): applies sched_setattr(2) to the container, so you can set, for example, a nice value for the container. An implementation that strongly reminds you that a container is a process. Implementations: runc#3895, youki#1706, crun ✅
I/O Priority (#1191): applies ioprio_set(2) to the container. For batch jobs and similar work that is I/O-heavy but not important, this reduces the impact of their writes on other containers. Implementations: runc#3783, youki ✅, crun ✅
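An added example (my own, not code from the talk, runc, youki or crun) of what these two slides describe: the scheduler and ioPriority blocks of config.json are nothing more than per-process arguments for sched_setattr(2) and ioprio_set(2), which is why "a container is a process". Assumptions: the field names follow runtime-spec config.md for v1.1.0, the numeric constants are Linux's, and the config fragment is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of the spec's "process" object; assumption: field names as in runtime-spec config.md.
type Scheduler struct {
	Policy string `json:"policy"`
	Nice   int32  `json:"nice,omitempty"`
}
type IOPriority struct {
	Class    string `json:"class"`
	Priority int    `json:"priority"`
}
type Process struct {
	Scheduler  *Scheduler  `json:"scheduler,omitempty"`  // nil: keep the runtime's default
	IOPriority *IOPriority `json:"ioPriority,omitempty"` // nil: keep the runtime's default
}
// Kernel values behind the spec's strings (<linux/sched.h>, <linux/ioprio.h>).
var policies = map[string]uint32{"SCHED_OTHER": 0, "SCHED_FIFO": 1, "SCHED_RR": 2, "SCHED_BATCH": 3, "SCHED_IDLE": 5, "SCHED_DEADLINE": 6}
var ioprioClasses = map[string]int{"IOPRIO_CLASS_RT": 1, "IOPRIO_CLASS_BE": 2, "IOPRIO_CLASS_IDLE": 3}
// ParseProcess decodes the process object of a config.json into the subset above.
func ParseProcess(raw string) (p Process, err error) {
	err = json.Unmarshal([]byte(raw), &p)
	return p, err
}
// SchedAttrArgs applies the limits sched_setattr(2) enforces and returns the policy number
// and nice value a runtime writes into struct sched_attr for the container's init process.
func SchedAttrArgs(s Scheduler) (uint32, int32, error) {
	pol, ok := policies[s.Policy]
	if !ok || s.Nice < -20 || s.Nice > 19 {
		return 0, 0, fmt.Errorf("bad policy %q or nice %d", s.Policy, s.Nice)
	}
	return pol, s.Nice, nil
}
// IOPrioValue packs class and level the way the kernel's IOPRIO_PRIO_VALUE does for ioprio_set(2).
func IOPrioValue(p IOPriority) (int, error) {
	class, ok := ioprioClasses[p.Class]
	if !ok || p.Priority < 0 || p.Priority > 7 {
		return 0, fmt.Errorf("invalid ioPriority %s/%d", p.Class, p.Priority)
	}
	return class<<13 | p.Priority, nil
}
func main() { // constructed fragment (not from the talk): a batch job with low CPU and idle I/O priority
	p, _ := ParseProcess(`{"scheduler":{"policy":"SCHED_BATCH","nice":10},"ioPriority":{"class":"IOPRIO_CLASS_IDLE","priority":0}}`)
	fmt.Println(SchedAttrArgs(*p.Scheduler))
	fmt.Println(IOPrioValue(*p.IOPriority))
}
```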
Recap
WebAssembly
→ a new form of container
→ containerd-shim-wasm[edge|time]-v1
Lazy Pulling
→ faster container startup
→ Snapshotter plugin
OCI Runtime Specification v1.1.0
→ sched_setattr(2): the nice value can now be changed
→ ioprio_set(2): the I/O priority can now be changed
05 Acknowledgments
Thank you to TOKUNAGA Kohei-san (@ktock / @TokunagaKohei) for the careful explanation of the stargz snapshotter implementation.

Thank you!