クラウドネイティブの基盤要素、コンテナの今と未来

Transcript

1. クラウドネイティブの基盤要素
 コンテナの今と未来 
 CloudNative Days Fukuoka 2023 Toru Komatsu(@utam0k)

2. 2 Preferred Networks, Inc. 社内向けオンプレML基盤の開発‧運⽤ 趣味でのOSS活動 メンテナ opencontainers/runtime-spec containers/youki レビュワー

   containerd/runwasi @utam0k KOMATSU Toru

3. 3 Preferred Networks, Inc. 社内向けオンプレML基盤の開発‧運⽤ 趣味でのOSS活動 メンテナ opencontainers/runtime-spec containers/youki レビュワー

   containerd/runwasi @utam0k KOMATSU Toru We are Hiring!!

4. コンテナの今 4 00

5. Kubelet
 Linux など
 Container Runtime High-Level Low-Level OCI Runtime Spec

   Container Runtime I nterface Kubeletの実⾏の流れ 5

6. Kubelet
 Linux など
 Container Runtime Low-Level Container Runtime I nterface

   6

7. Kubelet
 Linux など
 Container Runtime Low-Level Container Runtime I nterface

   gRPC 7

8. Kubelet
 Linux など
 Container Runtime High-Level Low-Level OCI Runtime Spec

   Container Runtime I nterface 8

9. Kubelet
 Linux など
 Container Runtime High-Level Low-Level OCI Runtime Spec

   Container Runtime I nterface イメージとかコンテナ管理 9

10. Kubelet
 Linux など
 Container Runtime High-Level Low-Level OCI Runtime Spec

    Container Runtime I nterface コンテナの作成 ワンショットバイナリ 10

11. コンテナの今 ？ 11 00

12. Kubelet
 Linux など
 Container Runtime High-Level Low-Level OCI Runtime Spec

    Container Runtime I nterface ここでは OCI Runtime Spec を満たすものをコンテナと呼ぶ 12

13. Kubelet
 Linux など
 Container Runtime High-Level Low-Level OCI Runtime Spec

    Container Runtime I nterface JSON設定ファイルと サブコマンド 例) ./runc create $id でコンテナとは何か定めている 13

14. Kubelet
 Linux など
 Container Runtime High-Level Low-Level OCI Runtime Spec

    Container Runtime I nterface 14

15. Kubelet
 Linux など
 Container Runtime High-Level Low-Level OCI Runtime Spec

    Container Runtime I nterface Kubeletの実行の流れ
 15

16. Kubelet
 Linux など
 Container Runtime High-Level Low-Level OCI Runtime Spec

    Container Runtime I nterface Kubeletの実行の流れ
 16

17. Container Runtime I nterface Low-Level OCI Runtime Spec ➔ マイクロサービス的

    ➔ プラグイン機構 17

18. A
 P
 I
 Image Services Snapshot Services Containers Service Tasks

    Service ‧ ‧ ‧ Container Runtime I nterface Core Backend ContentStore plugin / local Snapshotter plugin / overlay / … Runtime v2 shim client containerd shim OCI Runtime Spec ttrpc 18

19. マイクロサービス的なアーキテクチャ A
 P
 I
 Image Services Snapshot Services Containers Service

    Tasks Service ‧ ‧ ‧ Container Runtime I nterface Core ContentStore plugin / local Snapshotter plugin / overlay / … Runtime v2 shim client containerd shim OCI Runtime Spec ttrpc Backend 19

20. A
 P
 I
 Image Services Snapshot Services Containers Service Tasks

    Service ‧ ‧ ‧ Container Runtime I nterface Core Backend ContentStore plugin / local Snapshotter plugin / overlay / … Runtime v2 shim client containerd shim OCI Runtime Spec ttrpc ワンショットバイナリ 20

21. 21 Kubelet → Container Runtime → Container ➔ High /

    Low-Level Container Runtime Specification ➔ Container Runtime Interface ➔ OCI Runtime Specification containerd ➔ マイクロサービス ➔ プラグイン機構 Recap

22. コンテナの未来 22 01

23. ⚠ 個⼈の⾒解 ⚠ 23

24. WebAssembly 24 02

25. WebAssembly
 25

26. WebAssembly
 26 Portability Small Size Security

27. Kubelet
 Linux など
 Container Runtime High-Level Low-Level OCI Runtime Spec

    Container Runtime I nterface 27

28. Kubelet
 Linux など
 Container Runtime High-Level Low-Level OCI Runtime Spec

    Container Runtime I nterface 28

29. Kubelet
 Linux など
 Container Runtime High-Level Low-Level OCI Runtime Spec

    Container Runtime I nterface このあたりでWebAssemblyの対応が必要 よんだ？ 29

30. 30 containerd/runwasi containerd-shimによる拡張 現実世界で既に実験段階 Docker Desktop Azure Kubernetes Service runwasi

31. A
 P
 I
 Image Services Snapshot Services Containers Service Tasks

    Service ‧ ‧ ‧ Container Runtime I nterface Core Backend ContentStore plugin / local Snapshotter plugin / overlay / … Runtime v2 shim client containerd shim OCI Runtime Spec ttrpc この部分の拡張 31

32. Kubelet
 Linux など
 Container Runtime High-Level Low-Level Container Runtime I

    nterface WebAssembly 実行の流れ
 32

33. 33 ktock/container2wasm 既存のコンテナ資源の活⽤ container2wasm


34. Lazy Pulling 34 03

35. 35 $ nerdctl --snapshotter=stargz run python:3.7-esgz python3 -c 'exit()' index-sha256:6a42...4948:

    done |++++++++++++++++++++++++++++++| manifest-sha256:1c57...20c5: done |++++++++++++++++++++++++++++++| config-sha256:f590...1df5: done |++++++++++++++++++++++++++++++| elapsed: 11.0 s total: 4.8 Ki (1.5 KiB/s) $ nerdctl run python:3.7-org python3 -c 'exit()' index-sha256:6008....1237: done |++++++++++++++++++++++++++++++| manifest-sha256:48ea...30ce7: done |++++++++++++++++++++++++++++++| config-sha256:94c9....9290: done |++++++++++++++++++++++++++++++| layer-sha256:f860....fbf6: done |++++++++++++++++++++++++++++++| layer-sha256:d779....3cc5: done |++++++++++++++++++++++++++++++| … layer-sha256:adbd....f52c: done |++++++++++++++++++++++++++++++| layer-sha256:c495....736a: done |++++++++++++++++++++++++++++++| elapsed: 41.3s total: 321.3 (16.7 MiB/s) Lazy Pulling


36. 36 $ nerdctl --snapshotter=stargz run python:3.7-esgz python3 -c 'exit()' index-sha256:6a42...4948:

    done |++++++++++++++++++++++++++++++| manifest-sha256:1c57...20c5: done |++++++++++++++++++++++++++++++| config-sha256:f590...1df5: done |++++++++++++++++++++++++++++++| elapsed: 11.0 s total: 4.8 Ki (1.5 KiB/s) $ nerdctl run python:3.7-org python3 -c 'exit()' index-sha256:6008....1237: done |++++++++++++++++++++++++++++++| manifest-sha256:48ea...30ce7: done |++++++++++++++++++++++++++++++| config-sha256:94c9....9290: done |++++++++++++++++++++++++++++++| layer-sha256:f860....fbf6: done |++++++++++++++++++++++++++++++| layer-sha256:d779....3cc5: done |++++++++++++++++++++++++++++++| … layer-sha256:adbd....f52c: done |++++++++++++++++++++++++++++++| layer-sha256:c495....736a: done |++++++++++++++++++++++++++++++| elapsed: 41.3s total: 321.3 Mi (16.7 MiB/s) layersがない 起動までがはやい！

37. 37 cache stargz-snapshotter Container Registry FUSE Driver Overlayfs User Kernel

    open(“file”)

38. A
 P
 I
 Image Services Snapshot Services Containers Service Tasks

    Service ‧ ‧ ‧ Container Runtime I nterface Core Backend ContentStore plugin / local Snapshotter plugin / overlay / … Runtime v2 shim client containerd shim OCI Runtime Spec ttrpc この部分の拡張 38

39. A
 P
 I
 Image Services Snapshot Services Containers Service Tasks

    Service ‧ ‧ ‧ Container Runtime I nterface Core Backend ContentStore plugin / local Snapshotter plugin / overlay / … Runtime v2 shim client containerd shim OCI Runtime Spec ttrpc stargz snapshotter grpc 39

40. 40 cache stargz-snapshotter Container Registry FUSE Driver Overlayfs open(“file”) ①


    ②
 ④
 ③
 ⑤
 ⑥
 ⑦
 User Kernel

41. 41 cache stargz-snapshotter Container Registry FUSE Driver Overlayfs open(“file”) ①


    ②
 ④
 ③
 ⑤
 ⑥
 ⑦
 User Kernel

42. 42 cache stargz-snapshotter Container FUSE Driver Overlayfs open(“file”) ①
 ②


    ④
 ③
 ⑤
 ⑥
 ⑦
 User Kernel Registry

43. 43 cache stargz-snapshotter Container Registry FUSE Driver Overlayfs open(“file”) ①


    ②
 ④
 ③
 ⑤
 ⑥
 ⑦
 User Kernel

44. 44 cache stargz-snapshotter Container FUSE Driver Overlayfs open(“file”) ①
 ②


    ③
 ⑤
 ⑥
 ⑦
 User Kernel ④
 Registry

45. 45 $ nerdctl --snapshotter=stargz run python:3.7-esgz python3 -c 'exit()' index-sha256:6a42...4948:

    done |++++++++++++++++++++++++++++++| manifest-sha256:1c57...20c5: done |++++++++++++++++++++++++++++++| config-sha256:f590...1df5: done |++++++++++++++++++++++++++++++| elapsed: 11.0 s total: 4.8 Ki (1.5 KiB/s) $ nerdctl run python:3.7-org python3 -c 'exit()' index-sha256:6008....1237: done |++++++++++++++++++++++++++++++| manifest-sha256:48ea...30ce7: done |++++++++++++++++++++++++++++++| config-sha256:94c9....9290: done |++++++++++++++++++++++++++++++| layer-sha256:f860....fbf6: done |++++++++++++++++++++++++++++++| layer-sha256:d779....3cc5: done |++++++++++++++++++++++++++++++| … layer-sha256:adbd....f52c: done |++++++++++++++++++++++++++++++| layer-sha256:c495....736a: done |++++++++++++++++++++++++++++++| elapsed: 41.3s total: 321.3 (16.7 MiB/s) Lazy Pulling


46. OCI Runtime Spec v1.1.0 46 04

47. Kubelet
 Linux など
 Container Runtime High-Level Low-Level OCI Runtime Spec

    Container Runtime I nterface これ！ 47

48. 先⽉に3年ぶりのリリース！ v1.0.2 からは21個の新しい機能 cgroup v2 / idmapped mount / seccomp

    notify … OCI Runtime Specification v1.1.0
 48

49. sched_setattr(2) をコンテナに適⽤される コンテナに対してnice値とか設定可能に コンテナってプロセスなんだ...というのを強く意識させられる 実装 runc#3895 , youki#1706 , crun✅

    Scheduler entity #1188
 49

50. ioprio_set (2) をコンテナに適⽤される バッチ処理とかI/Oが重たいけど重要度は⾼くない処理で書き 込みで他のコンテナへの迷惑を少なくする 実装 runc#3783 , youki ✅,

    crun ✅ I/O Priority #1191
 50

51. 51 WebAssembly ➔ 新しい形 ➔ containerd-shim-wasm[edge|time]-v1 Lazy Pulling ➔ コンテナ起動の⾼速化

    ➔ Snapshotter Plugin OCI Runtime Specification v1.1.0 ➔ sched_setattr(2) : nice値を変更可能に ➔ ioprio_set(2)r(2) : I/Oの優先度を変更可能に Recap

52. 謝辞 52 05

53. stargz snapshotterの実装について 丁寧に解説して頂きました ありがとうございました 
 53 TOKUNAGA Kohei -san @ktock

    / @TokunagaKohei

54. Thanks you! 54