Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
ランタイムとcgroupの xxxな関係 / bpf_get_current_cgroup_i...
Search
KONDO Uchio
January 28, 2021
Technology
1.4k
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
ランタイムとcgroupの xxxな関係 / bpf_get_current_cgroup_id(void) and modern container runtimes
Container Runtime Meetup #3
https://runtime.connpass.com/event/198071/
KONDO Uchio
January 28, 2021
More Decks by KONDO Uchio
See All by KONDO Uchio
大規模レガシーテストを 倒すための CI基盤の作り方 / #CICD2023
udzura
5
2.6k
Ruby x BPF in Action / RubyKaigi 2022
udzura
0
310
Narrative of Ruby & Rust
udzura
0
270
開発者生産性指標の可視化 / pepabo-four-keys
udzura
3
1.8k
Talk of RBS
udzura
0
500
Re: みなさん最近どうですか? / FGN tech meetup in 2021
udzura
0
860
Dockerとやわらかい仮想化 - ProSec-IT/SECKUN 2021 edition -
udzura
2
820
Device access filtering in cgroup v2
udzura
1
1k
"Story of Rucy" on RubyKaigi takeout 2021
udzura
0
920
Other Decks in Technology
See All in Technology
地域 SRE コミュニティ最前線 / SRE NEXT 2026 Discussion Night Track C
muziyoshiz
0
210
AI駆動開発におけるQAエンジニアの役割事例 〜AI駆動開発の現場から〜
kobayashiyorimitsu
0
500
誤解だらけの開発生産性 / Myths and Misconceptions about Developer Productivity
i35_267
1
240
Kaggleで成長するために意識したこと
prgckwb
2
310
Terraform共通モジュールをチーム横断で“変えられる”運用へ ― リリースと適用の分離
kekke_n
1
2.9k
Oracle Exadata Database Service on Cloud@Customer X11M (ExaDB-C@C) サービス概要
oracle4engineer
PRO
2
8.4k
ruby.wasmとPicoRuby.wasmに対応した仮想DOMライブラリを作ってる話 #kaigieffect_kaigi
sue445
PRO
0
140
AI時代の EM への処方箋
staka121
PRO
0
140
依頼文化をやめる日 EM視点で語るPlatform EngineeringとInclusive SRE / Discussing Platform Engineering and Inclusive SRE from an EM's Perspective
shin1988
4
5.3k
Claude Code公式skillで 自分の仕事を少しずつ手放そう!(Claude Code開発ノウハウ大公開スペシャル by クラスメソッド)
kaym
1
290
AI時代のエンジニアキャリアについて今一度考える
sakamoto_582
2
1.5k
凡エンジニアがこの先生きのこるためには。〜TypeScript完全に理解したい〜
alchemy1115
2
180
Featured
See All Featured
Faster Mobile Websites
deanohume
310
32k
HDC tutorial
michielstock
2
740
SEO Brein meetup: CTRL+C is not how to scale international SEO
lindahogenes
1
2.8k
Building Experiences: Design Systems, User Experience, and Full Site Editing
marktimemedia
0
550
Effective software design: The role of men in debugging patriarchy in IT @ Voxxed Days AMS
baasie
0
450
Product Roadmaps are Hard
iamctodd
55
12k
Agile Leadership in an Agile Organization
kimpetersen
PRO
0
190
Test your architecture with Archunit
thirion
1
2.3k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
659
62k
Agile that works and the tools we love
rasmusluckow
331
22k
Designing for Performance
lara
611
70k
Collaborative Software Design: How to facilitate domain modelling decisions
baasie
1
260
Transcript
bpf_get_current_cgroup_id(void) を添えて Uchio Kondo / Container Runtime Meetup #3 ランタイムとcgroupの
xxxな関係 * Photo by Fukuoka City
γχΞɾϓϦϯγύϧΤϯδχΞ ۙ౻ Ӊஐ࿕ / @udzura https://blog.udzura.jp/ Uchio Kondo ٕज़෦ ٕज़ج൫νʔϜ
#Ruby #mruby #Containers #eBPF #CRIU #Seccomp #RubyKaigi #CloudNativeDays #Zumba #γϨϯ
ToC •τϨʔγϯάͱ eBPF •ίϯςφΛτϨʔε͢ΔͨΊͷલఏࣝ •eBPF ͰͷίϯςφͱϨʔεͷ࣮ࡍ •ίϯςφϥϯλΠϜͷରԠ •ʢ͓·͚ʣBPF CO-RE
eBPF and Containers
eBPF ͷ •https://speakerdeck.com/chikuwait/learn-ebpf
eBPF ͱԿ͔ •ϢʔβۭؒͰ࡞ͬͨϓϩάϥϜΛΧʔωϧͰಈ͔ٕ͢ज़ͷͻͱͭ •ϑΟϧλϦϯά͕ಘҙʢtcpdump, seccomp, bpftraceʣ •ΧʔωϧͷใʹΞΫηεͰ͖Δ͕ɺةݥͳίʔυಈ͔ͳ͍ͳͲ ҆શੑ͕͋Δఔ୲อ͞Ε͍ͯΔ
τϨʔεπʔϧͷར༻ •bpftrace •BCC •BPF Performance Tools • execsnoop, runqlat, tcplife...
• http://www.brendangregg.com/bpf-performance-tools-book.html
ίϯςφΛτϨʔε͍ͨ͠ •લఏࣝ2ͭ •Linux Namespace •cgroup (v1/v2)
Linux Namespaceʢ໊લۭؒʣ •OSͷதͷҰ෦ͷ໊લۭؒΛΓग़͠ɺ ಠཱͨ͠Ϧιʔεʢϗετ໊ɺωοτϫʔΫɺPIDͷ࠾൪ɺϚϯτ ϙΠϯτͳͲʣΛ࣋ͨͤΔٕज़ɻ IUUQTDPOUBJOFSTFDVSJUZEFWOBNFTQBDF
cgroup (Control Groups) •ϓϩηεΛάϧʔϓԽ͠ɺͦͷ୯ҐͰϦιʔεͷར༻ʢCPUɺϝϞ ϦɺϒϩοΫI/OɺϓϩηεʣΛ੍ݶ͢Δɻ •rlimitͱҧ͍ϢʔβΛލ͍ͰॴଐՄೳɺ·ͨλεΫͷॴଐάϧʔϓ ॊೈʹม͑ΒΕΔ •v1/v2͕͋Δ (v2=2014/8~ Linux
3.16) IUUQTDPOUBJOFSTFDVSJUZEFWDHSPVQɹ
Implementations
eBPFͰίϯςφΛτϨʔε͢Δ •ઓུ͕͍͔ͭ͋͘Δ •Linux Namespace·ͨcgroup (v2)ͷใ͕ར༻Ͱ͖Δ
ઓུ(1) •task_struct→nsproxy ͔Β namespaceͷใΛ औಘͯ͠ϑΟϧλ͢Δ ʢcxrayʣ IUUQTHJUIVCDPNNSUDDYSBZCMPCNBTUFSQLHUSBDFSPQFOPQFOHP--
ઓུ(2) •BPFϓϩάϥϜͰऔಘͰ͖ͨ tidͱɺϗετͰͷtidΛ ൺֱ͠ɺҰக͠ͳ͚Ε ίϯςφͱఆ͢Δ ʢTraceeʣ • tasuk_structґଘ IUUQTHJUIVCDPNBRVBTFDVSJUZUSBDFFCMPCNBJOUSBDFFUSBDFFCQGD-ɹ
ઓུ(3) •cgroup v2ͷIDΛϗετͱൺֱ͢Δ •bpf-helpers(7)
࣮ࡍʹͬͯΈ࣮ͨྫ •udzura/copenclose(8)
6TJOHIPTUOBNF 654/4 6TJOH$(SPVQW*%
cgroup v2
ϥϯλΠϜͷରԠঢ়گ •Suda͞Μͷهࣄ͕ৄ͍͠Ͱ͢… (https://medium.com/nttlabs/cgroup-v2-596d035be4d7) •ͱ͍͑ɺ2021ݱࡏͷঢ়گΛ؆୯ʹௐࠪ͠·ͨ͠
ϥϯλΠϜͱcgroupͷઃఆ •Cgroup Driver: ίϯςφʹׂΓͯΔcgroupΛͲ͏ίϯτϩʔϧ͢Δ͔ •cgroupfs: cgroupfsͷͷϑΝΠϧૢ࡞ •systemd: systemdʹΑΔཧ •Cgroup Version:
Ϧιʔε੍ݶʹ v1/v2 ͲͪΒΛར༻͢Δ͔ •/sys/fs/cgroup ʹͲͷϑΝΠϧγεςϜ͕Ϛϯτ͞ΕͯΔ͔Ͱఆ •ʢdocker/containerd ͷ߹ɻpodmanಉ༷ʁʣ
v2ΛͲ͏͏? •ϗετΛv2Ϟʔυʹ͢ΔʹɺΧʔωϧىಈύϥϝʔλͷมߋ͕ඞཁ... •ϗετLinuxΛv1/v2ڞଘڥͰىಈ͍ͯ͠Δ߹Version=v1ͱఆ͞ΕΔ •CGroup Driver=systemdʹ͢Είϯςφv2ͷάϧʔϓʹॴଐ͢Δ Α͏ʹͳΔʂ systemd͕ͬͯ͘ΕΔ༷ʁ •੍ݶͷॻ͖ࠐΈv1ͷAPI͕ΘΕΔ •άϧʔϓIDɺී௨ʹऔಘͰ͖ΔΑ͏ʹͳΔ
֤ίϯςφϥϯλΠϜͰͷରԠঢ়گ •ߴϨϕϧϥϯλΠϜɺCgroup DriverͷઃఆมߋखॱΛܝࣔ͢Δɻ •ϨϕϧϥϯλΠϜͷରԠঢ়گΛࢀߟʹܝࡌ͢Δ
ߴϨϕϧϥϯλΠϜ •docker: •podman: σϑΥϧτͰsystemdɻ໌ࣔ: •containerd: ྫ: •FYI: ఆखॱ
ϨϕϧϥϯλΠϜ •runc, crun •Cgroup v2/systemd driverʹରԠࡁΈ •runsc (gVisor) •ରԠͷͨΊͷIssueཱ͍ͬͯΔ •ݱঢ়Τϥʔͷ༷
IUUQTHJUIVCDPNHPPHMFHWJTPSJTTVFT $ sudo podman run --runtime `which runsc` -dt -p 10184:80/tcp httpd:2.4 Error: OCI runtime error: systemd cgroup flag passed, but systemd cgroups not supported. See gvisor.dev/issue/193
·ͱΊ •֤छϥϯλΠϜ͢Ͱʹv2Ͱಈ͘ •cgroupidͷऔಘͳΒ͙͢ʹͰઃఆͯ͠Ͱ͖Δঢ়ଶ •cAdvisorͳͲରԠΛਐΊ͍ͯΔ •τϨʔεͪΖΜɺPSI͑Δ͠ rootless kubernetes ͷເ... Զ ͨͪͷݥ࢝·͔ͬͨΓͩ
IUUQTHJUIVCDPNHPPHMFDBEWJTPSQVMM
͓·͚: BPF CO-REόΠφϦ •eBPF ToolΛίϯςφ෦Ͱಈ͔͢ͷେม... •BPF CO-REͱ͍͏ٕज़ͰɺϓϨίϯύΠϧࡁΈͷBPFόΠφϦΛಈ͔ ͤΔɺΧʔωϧͷϔομϑΝΠϧclangίϚϯυʹґଘͤͣಈ࡞͢Δ •͔͠͠࠷৽ͷΧʔωϧʴ৽͍͠CONFIG͕ඞཁ...
πʔϧͷಈ࡞ڥྫ
ࢀߟ: ಈ࡞ڥ IUUQTHJTUHJUIVCDPNVE[VSBBFEDCDBEFG •ࠓݕূͨ͠ڥҎԼʹ·ͱΊ·ͨ͠ɻUbuntu 20.10ϕʔε