Skip to content

Instantly share code, notes, and snippets.

@hayajo

hayajo/README.md

Last active May 9, 2018 12:59
Show Gist options
  • Save hayajo/be882c07b4c3b1d529f7a7d0a47c128c to your computer and use it in GitHub Desktop.
Save hayajo/be882c07b4c3b1d529f7a7d0a47c128c to your computer and use it in GitHub Desktop.
Download ZIP
Vagrant で gVisor を試す
Raw
README.md

Vagrant で gVisor を試す

Requirement

  • virtualbox
  • vagrant

Usage

プロビジョニングにめっちゃ時間かかります。 メモリをそこそこ割り当てないとビルドに失敗するっぽいです。

$ vagrant up
$ vagrant ssh
vagrant$ docker run -it --runtime=runsc hello-world
vagrant$ ls -l /tmp/runsc/

.create(goferとsandbox(コンテナ)の起動ログ)と.boot(sandboxのstrace(sentry?)ログ)、.gofer(OSのシステムコールログ?)が面白い感じです。

runsc単品で使う場合

rootファイルシステムとconfig.jsonを用意してrunsc runを実行します。

vagrant$ cd
vagrant$ mkdir rootfs
vagrant$ sudo docker export $(sudo docker create alpine /bin/sh) | tar xf - -C rootfs
vagrant$ runc spec
vagrant$ sudo runsc run hello-runsc
alpine$ ...
alpine$ ...
alpine$ ...
alpine$ exit
vagrant$ sudo runsc delete hello-runsc
Raw
docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target docker.socket firewalld.service
Wants=network-online.target
Requires=docker.socket
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd -H fd://
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=1048576
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity
# Uncomment TasksMax if your systemd version supports it.
# Only systemd 226 and above support this version.
TasksMax=infinity
TimeoutStartSec=0
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
# restart the docker process if it exits prematurely
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s
Environment=GODEBUG=netdns=cgo
[Install]
WantedBy=multi-user.target
Raw
docker_daemon.json
{
"dns": ["8.8.8.8"],
"runtimes": {
"runsc": {
"path": "/usr/local/bin/runsc",
"runtimeArgs": [
"--debug-log-dir=/tmp/runsc",
"--debug",
"--strace",
"--log-packets"
]
}
}
}
Raw
provisioner.sh
#!/bin/sh
# golang
add-apt-repository -y ppa:gophers/archive
echo "deb [arch=amd64] http://storage.googleapis.com/bazel-apt stable jdk1.8" | tee /etc/apt/sources.list.d/bazel.list
# bazel
curl https://bazel.build/bazel-release.pub.gpg | apt-key add -
# docker
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
add-apt-repository -y "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
# install packages
apt-get -y -q update
apt-get -y -q install golang-1.10-go openjdk-8-jdk bazel python docker-ce build-essential make git apt-transport-https ca-certificates software-properties-common binutils-gold
# runc
wget -qO- https://github.com/opencontainers/runc/releases/download/v1.0.0-rc5/runc.amd64 > /usr/local/bin/runc
chmod +x /usr/local/bin/runc
# gvisor
mkdir /usr/local/go
export GOPATH=/usr/local/go
git clone https://gvisor.googlesource.com/gvisor gvisor
cd gvisor
bazel build runsc
cp ./bazel-bin/runsc/linux_amd64_pure_stripped/runsc /usr/local/bin
cp --backup /vagrant/docker.service /lib/systemd/system/docker.service
cp --backup /vagrant/docker_daemon.json /etc/docker/daemon.json
systemctl daemon-reload
systemctl restart docker
Raw
Vagrantfile
# -*- mode: ruby -*-
# vi: set ft=ruby :
Vagrant.configure("2") do |config|
config.vm.box = "ubuntu/xenial64"
config.vm.provider "virtualbox" do |vb|
vb.memory = "4096"
end
config.vm.provision "shell", path: "provisioner.sh"
end
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment