
Introducing runq, another container runtime (もうひとつのコンテナ実行環境 runq のご紹介)

https://paas.connpass.com/event/96015/
More and more services are being developed on container platforms such as Cloud Foundry and Kubernetes, and the gains in development productivity and operational convenience are leading more companies to consider adopting a container platform in-house. At the same time, as the cryptocurrency theft incident uncovered in 2018 and the risk of memory disclosure caused by CPU bugs (Meltdown/Spectre) show, service providers now also need security countermeasures. This talk introduces runq, a lightweight container runtime that IBM developed to provide a secure container execution environment, for example for the blockchain platforms used by cryptocurrencies.



Slide transcript (© IBM Corporation). Only the ASCII portions of the slides survived extraction; the Japanese text on each slide is not recoverable and is omitted below.

Slide 1: runq

Slide 2: (speaker introduction; text not recovered)

Slide 3: Container runtimes and platforms
  - Runtimes: Docker runc, lxc
  - Platforms: Docker / Cloud Foundry / Kubernetes
  - Docker: containerd
  - Cloud Foundry: garden-runc
  - Kubernetes: cri-o, cri-containerd
  - cri-o and containerd both implement the OCI spec; used by Cloud Foundry and Kubernetes

Slide 4: CRI (Container Runtime Interface)
  - Kubernetes CRI (Container Runtime Interface)

Slide 5: Cloud Foundry Container Runtime
  - Cloud Foundry + Kubernetes

Slide 6: OCI (Open Container Initiative)
  - https://github.com/opencontainers/runtime-spec
  - runc: the OCI reference runtime
  - runq: OCI-compatible runtime

Slide 7: Docker Recap (Linux)
  - dockerd: serves the docker CLI; handles network, volume, security, etc.
  - docker-containerd
  - docker-containerd-shim: launched by containerd, invokes runc
  - docker-runc
  - Process tree: containerd (docker-containerd) -> containerd-shim (docker-containerd-shim) -> runc (docker-runc), one shim and one runc per container

Slide 8: runc
  - Build an OCI bundle from `docker export`, generate the spec (config.json) with `runc spec`, start it with `runc run`
  - Demo:
      $ docker export $(docker create nginx) | tar -C rootfs -xvf -
      $ docker-runc spec --rootless
      $ docker-runc --root /tmp/runc run nginx
      $ sudo docker-runc --root /tmp/runc/ list
      ID      PID     STATUS   BUNDLE                           CREATED                          OWNER
      nginx   30595   running  /home/amnt/Demos/nginx-rootfs    2018-07-18T03:52:16.585610379Z   amnt
  - In Docker, runc runs as docker-runc

Slide 9: runq
  - Runs each container in a qemu/kvm VM
  - Works with Docker, as an alternative to runc (runc / runq)
  - Released by IBM as OSS in March 2018: https://github.com/gotoz/runq
  - Process chain: containerd-shim -> runq -> qemu/kvm; the image rootfs and a Linux kernel are placed in the VM

Slide 10: Motivation (fragments only: memory dump, guest OS, root, Docker compatibility, Blockchain, IBM)

Slide 11: Related projects
  - Kata Containers (Intel, Hyper): Clear Containers + runv; v1.0 in May 2018; OpenStack Foundation
  - gVisor (Google): runsc (OCI); KVM; May 2018; https://github.com/google/gvisor
  - Nabla Containers (IBM Research): unikernel (Solo5); runnc; Docker Nabla; June 2018 (?); https://nabla-containers.github.io/
  - Compared with runq and runc

Slide 12: runq setup
  - /etc/docker/daemon.json:
      {
        "runtimes": {
          "runq": {
            "path": "/var/lib/runq/runq",
            "runtimeArgs": [
              "--cpu", "1",
              "--mem", "256",
              "--dns", "8.8.8.8,8.8.4.4",
              "--nestedvm"
            ]
          }
        }
      }
  - nestedvm: VM on VM
  - CPU / memory defaults can be overridden per `docker run`

Slide 13: Docker (runc) demo
      $ docker run -d -p 8080:80 --rm --name nginx-runc nginx
      2e57121d00c15fb47f884ed83424d4a793d525d4d74273e011502e01c8a18c71
      $ curl -s http://localhost:8080 | head -4
      <!DOCTYPE html>
      <html>
      <head>
      <title>Welcome to nginx!</title>
      $ ps -ef | grep nginx
      root      3899  3881  0 14:28 ?        00:00:00 nginx: master process nginx -g daemon off;
      syslog    3939  3899  0 14:28 ?        00:00:00 nginx: worker process
      amnt      3957  1580  0 14:29 pts/0    00:00:00 grep --color=auto nginx
      $ docker stop nginx-runc

Slide 14: Docker (runq) demo
  - The container (nginx) runs inside qemu; its processes are not visible on the host
      $ docker run --runtime runq -d -p 9090:80 --rm --name nginx-runq nginx
      774cdacfcae3219b9fc369edaadbc18a145313b62d69a5ddde86a1693aaf5a7d
      $ curl -s http://localhost:9090 | head -4
      <!DOCTYPE html>
      <html>
      <head>
      <title>Welcome to nginx!</title>
      $ ps -ef | grep nginx
      amnt      4758  1580  0 14:35 pts/0    00:00:00 grep --color=auto nginx
      $ ps -ef | grep qemu
      root      4680  4659  0 14:35 ?        00:00:00 /qemu/proxy -name 774cdacfcae3 ...
      root      4733  4680  0 14:35 ?        00:00:00 /usr/bin/qemu-system-x86_64 -device virtio-9p-pci,fsdev=rootfs_dev,mount_tag=rootfs,disable-modern=true -chardev ...
      amnt      4964  1580  0 14:39 pts/0    00:00:00 grep --color=auto qemu

Slide 15: IBM Cloud Hyper Protect Containers
  - Kubernetes
  - LinuxONE
  - Early Program: https://www-01.ibm.com/marketing/iwm/iwmdocs/web/cc/earlyprograms/hyper.shtml

Slide 16: Summary
  - Kata Containers, gVisor, Nabla Containers, runq
  - runq: one VM per container, usable from Docker

Slide 17: (closing slide)
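The demos on slides 13 and 14 make the security point of runq visible from the host: under runc the nginx master and worker appear in the host process table, while under runq only a qemu proxy (named after the container id) and its qemu-system child do. The following is an added example, not code from the slides or from the runq project, that turns that observation into a check an operator can run over `ps -ef` output and a name-to-id map such as `docker ps --no-trunc` gives. The process listing and container ids are constructed from the slides; the `/qemu/proxy -name <id>` convention is taken from slide 14 and assumed to hold for other containers.

```python
"""Classify Docker containers by whether a runq VM backs them (added example)."""
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: an abbreviated `ps -ef` listing with both demo containers
# from the slides running at once (nginx-runc under runc, nginx-runq under runq).
PS_OUTPUT = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root      3899  3881  0 14:28 ?        00:00:00 nginx: master process nginx -g daemon off;
syslog    3939  3899  0 14:28 ?        00:00:00 nginx: worker process
root      4680  4659  0 14:35 ?        00:00:00 /qemu/proxy -name 774cdacfcae3 ...
root      4733  4680  0 14:35 ?        00:00:00 /usr/bin/qemu-system-x86_64 -device virtio-9p-pci,fsdev=rootfs_dev,mount_tag=rootfs,disable-modern=true -chardev ...
amnt      4964  1580  0 14:39 pts/0    00:00:00 grep --color=auto qemu
"""

# Constructed: container name -> full id, as `docker ps --no-trunc` would report.
CONTAINERS = {
    "nginx-runc": "2e57121d00c15fb47f884ed83424d4a793d525d4d74273e011502e01c8a18c71",
    "nginx-runq": "774cdacfcae3219b9fc369edaadbc18a145313b62d69a5ddde86a1693aaf5a7d",
}


class Proc(NamedTuple):
    uid: str
    pid: int
    ppid: int
    cmd: str


def parse_ps(text: str) -> List[Proc]:
    """Parse `ps -ef` output into Proc records; the header line is skipped."""
    procs = []
    for line in text.splitlines():
        fields = line.split(None, 7)  # UID PID PPID C STIME TTY TIME CMD
        if len(fields) < 8 or not fields[1].isdigit():
            continue
        procs.append(Proc(fields[0], int(fields[1]), int(fields[2]), fields[7]))
    return procs


def runq_vm_for(container_id: str, procs: List[Proc]) -> Optional[int]:
    """Return the PID of the qemu-system process backing `container_id`, or None.

    Assumption (from slide 14): runq starts a proxy process whose -name argument
    is the truncated container id, and the qemu-system VM is that proxy's child.
    """
    for p in procs:
        m = re.match(r"\S*/proxy\s.*-name\s+(\S+)", p.cmd)
        if m and container_id.startswith(m.group(1)):
            for child in procs:
                if child.ppid == p.pid and "qemu-system" in child.cmd:
                    return child.pid
    return None


def classify(containers: Dict[str, str], procs: List[Proc]) -> Dict[str, str]:
    """Map each container name to 'runq-vm' or 'host-namespace'."""
    return {
        name: ("runq-vm" if runq_vm_for(cid, procs) is not None else "host-namespace")
        for name, cid in containers.items()
    }


def host_visible(procs: List[Proc], pattern: str) -> List[int]:
    """PIDs of host-visible processes whose command matches `pattern` (grep excluded).

    Under runc the workload shows up here; under runq it does not, because it
    lives inside the VM's own process table.
    """
    rx = re.compile(pattern)
    return [p.pid for p in procs if rx.search(p.cmd) and not p.cmd.startswith("grep")]


if __name__ == "__main__":
    procs = parse_ps(PS_OUTPUT)
    for name, kind in classify(CONTAINERS, procs).items():
        print(f"{name}: {kind}")
    print("nginx PIDs visible on host:", host_visible(procs, r"nginx"))
```

Run against real output (`ps -ef` piped into the script, ids from `docker ps --no-trunc`) the same functions tell you which containers on a host are actually VM-isolated and which still share the host kernel and process namespace; a container that was expected to run under runq but classifies as `host-namespace` usually means the `--runtime runq` flag or the daemon.json entry from slide 12 was not applied.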
