Trying out runc
Getting the big picture of container runtimes
This one was easy to follow: medium.com
Getting started with runC (はじめてのrunC)
Next I read this to confirm what to do: qiita.com
Build and install runc
Following this
make fails
$ go get github.com/opencontainers/runc
$ cd $GOPATH/src/github.com/opencontainers/runc
$ make
go build -buildmode=pie -ldflags "-X main.gitCommit="51f2a861da7fb1d4f6f8370a60258c6f315956ef" -X main.version=1.0.0-rc8+dev " -tags "seccomp" -o runc .
# pkg-config --cflags -- libseccomp libseccomp
Package libseccomp was not found in the pkg-config search path.
Perhaps you should add the directory containing `libseccomp.pc'
to the PKG_CONFIG_PATH environment variable
No package 'libseccomp' found
Package libseccomp was not found in the pkg-config search path.
Perhaps you should add the directory containing `libseccomp.pc'
to the PKG_CONFIG_PATH environment variable
No package 'libseccomp' found
pkg-config: exit status 1
make: *** [runc] エラー 2
Apparently libseccomp can be left out.
$ make BUILDTAGS=''
go build -buildmode=pie -ldflags "-X main.gitCommit="51f2a861da7fb1d4f6f8370a60258c6f315956ef" -X main.version=1.0.0-rc8+dev " -tags "" -o runc .
$ sudo make install
install -D -m0755 runc /usr/local/sbin/runc
$ runc --version
runc version 1.0.0-rc8+dev
commit: 51f2a861da7fb1d4f6f8370a60258c6f315956ef
spec: 1.0.1-dev
Using runc
Following this
The busybox image gets extracted into ./mycontainer/rootfs.
# create the top most bundle directory
mkdir ./mycontainer
cd ./mycontainer

# create the rootfs directory
mkdir rootfs

# export busybox via Docker into the rootfs directory
docker export $(docker create busybox) | tar -C rootfs -xvf -
runc spec generates config.json.
runc spec
config.json
{
  "ociVersion": "1.0.1-dev",
  "process": {
    "terminal": true,
    "user": {
      "uid": 0,
      "gid": 0
    },
    "args": [
      "sh"
    ],
    "env": [
      "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
      "TERM=xterm"
    ],
    "cwd": "/",
    "capabilities": {
      "bounding": [
        "CAP_AUDIT_WRITE",
        "CAP_KILL",
        "CAP_NET_BIND_SERVICE"
      ],
      "effective": [
        "CAP_AUDIT_WRITE",
        "CAP_KILL",
        "CAP_NET_BIND_SERVICE"
      ],
      "inheritable": [
        "CAP_AUDIT_WRITE",
        "CAP_KILL",
        "CAP_NET_BIND_SERVICE"
      ],
      "permitted": [
        "CAP_AUDIT_WRITE",
        "CAP_KILL",
        "CAP_NET_BIND_SERVICE"
      ],
      "ambient": [
        "CAP_AUDIT_WRITE",
        "CAP_KILL",
        "CAP_NET_BIND_SERVICE"
      ]
    },
    "rlimits": [
      {
        "type": "RLIMIT_NOFILE",
        "hard": 1024,
        "soft": 1024
      }
    ],
    "noNewPrivileges": true
  },
  "root": {
    "path": "rootfs",
    "readonly": true
  },
  "hostname": "runc",
  "mounts": [
    {
      "destination": "/proc",
      "type": "proc",
      "source": "proc"
    },
    {
      "destination": "/dev",
      "type": "tmpfs",
      "source": "tmpfs",
      "options": [
        "nosuid",
        "strictatime",
        "mode=755",
        "size=65536k"
      ]
    },
    {
      "destination": "/dev/pts",
      "type": "devpts",
      "source": "devpts",
      "options": [
        "nosuid",
        "noexec",
        "newinstance",
        "ptmxmode=0666",
        "mode=0620",
        "gid=5"
      ]
    },
    {
      "destination": "/dev/shm",
      "type": "tmpfs",
      "source": "shm",
      "options": [
        "nosuid",
        "noexec",
        "nodev",
        "mode=1777",
        "size=65536k"
      ]
    },
    {
      "destination": "/dev/mqueue",
      "type": "mqueue",
      "source": "mqueue",
      "options": [
        "nosuid",
        "noexec",
        "nodev"
      ]
    },
    {
      "destination": "/sys",
      "type": "sysfs",
      "source": "sysfs",
      "options": [
        "nosuid",
        "noexec",
        "nodev",
        "ro"
      ]
    },
    {
      "destination": "/sys/fs/cgroup",
      "type": "cgroup",
      "source": "cgroup",
      "options": [
        "nosuid",
        "noexec",
        "nodev",
        "relatime",
        "ro"
      ]
    }
  ],
  "linux": {
    "resources": {
      "devices": [
        {
          "allow": false,
          "access": "rwm"
        }
      ]
    },
    "namespaces": [
      {
        "type": "pid"
      },
      {
        "type": "network"
      },
      {
        "type": "ipc"
      },
      {
        "type": "uts"
      },
      {
        "type": "mount"
      }
    ],
    "maskedPaths": [
      "/proc/acpi",
      "/proc/asound",
      "/proc/kcore",
      "/proc/keys",
      "/proc/latency_stats",
      "/proc/timer_list",
      "/proc/timer_stats",
      "/proc/sched_debug",
      "/sys/firmware",
      "/proc/scsi"
    ],
    "readonlyPaths": [
      "/proc/bus",
      "/proc/fs",
      "/proc/irq",
      "/proc/sys",
      "/proc/sysrq-trigger"
    ]
  }
}
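The config.json above is where the container's isolation is actually decided: a read-only rootfs, a tiny capability set, noNewPrivileges, five namespaces, a deny-all device cgroup and a list of masked /proc and /sys paths. A reviewer checking a bundle before `runc run` wants to see those fields rather than trust the file name. The following Python script is an added example, not code from the original post or from the runc project; it audits the fields shown above and flags the usual loosenings. The list of "risky" capabilities, the expected namespaces and the sampled masked paths are this example's own choices, and DEFAULT_SPEC is a constructed, trimmed copy of the `runc spec` defaults.

```python
"""Audit the security-relevant fields of an OCI runtime config.json.

Added example (not from the original post or the runc project): it reads the
kind of config.json that `runc spec` writes and flags settings that weaken
isolation. The thresholds below are this example's own choices.
"""
import copy
import json

# Capabilities that give a process broad power over the host kernel or other
# processes. The default `runc spec` output grants none of them.
RISKY_CAPS = {
    "CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE", "CAP_SYS_RAWIO",
    "CAP_NET_ADMIN", "CAP_DAC_READ_SEARCH", "CAP_SYS_BOOT", "CAP_MKNOD",
}
# Namespaces that `runc spec` enables by default; a missing one means that
# resource is shared with the host.
EXPECTED_NAMESPACES = {"pid", "network", "ipc", "uts", "mount"}
# A few of the paths `runc spec` masks by default to hide host kernel state.
EXPECTED_MASKED = {"/proc/kcore", "/proc/keys", "/sys/firmware"}
CAP_SETS = ("bounding", "effective", "inheritable", "permitted", "ambient")


def audit_config(cfg):
    """Return a list of findings (strings). An empty list means nothing was flagged."""
    findings = []
    proc = cfg.get("process", {})
    linux = cfg.get("linux", {})

    if not cfg.get("root", {}).get("readonly", False):
        findings.append("root.readonly is false: the rootfs is writable")
    if not proc.get("noNewPrivileges", False):
        findings.append("process.noNewPrivileges is false: setuid/file caps can raise privileges")

    caps = proc.get("capabilities", {})
    for cap_set in CAP_SETS:
        risky = RISKY_CAPS & set(caps.get(cap_set, []))
        if risky:
            findings.append(f"capabilities.{cap_set} contains {sorted(risky)}")

    present = {ns.get("type") for ns in linux.get("namespaces", [])}
    for missing in sorted(EXPECTED_NAMESPACES - present):
        findings.append(f"namespace '{missing}' is not isolated from the host")

    masked = set(linux.get("maskedPaths", []))
    for path in sorted(EXPECTED_MASKED - masked):
        findings.append(f"maskedPaths does not hide {path}")

    # The default device cgroup is a single deny-all rule; an "allow": true rule
    # with no type/major/minor opens every device node to the container.
    for rule in linux.get("resources", {}).get("devices", []):
        if rule.get("allow") and not any(k in rule for k in ("type", "major", "minor")):
            findings.append("resources.devices allows all devices")
    return findings


def audit_json(text):
    """Convenience wrapper: audit a config.json given as a JSON string."""
    return audit_config(json.loads(text))


# Constructed sample mirroring the defaults shown by `runc spec`, trimmed to the
# fields the audit looks at (env, rlimits and most mounts are omitted).
DEFAULT_SPEC = {
    "ociVersion": "1.0.1-dev",
    "process": {
        "terminal": True,
        "user": {"uid": 0, "gid": 0},
        "args": ["sh"],
        "cwd": "/",
        "capabilities": {s: ["CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE"] for s in CAP_SETS},
        "noNewPrivileges": True,
    },
    "root": {"path": "rootfs", "readonly": True},
    "hostname": "runc",
    "linux": {
        "resources": {"devices": [{"allow": False, "access": "rwm"}]},
        "namespaces": [{"type": t} for t in ("pid", "network", "ipc", "uts", "mount")],
        "maskedPaths": ["/proc/acpi", "/proc/kcore", "/proc/keys", "/sys/firmware", "/proc/scsi"],
        "readonlyPaths": ["/proc/bus", "/proc/fs", "/proc/irq", "/proc/sys", "/proc/sysrq-trigger"],
    },
}


def weakened_spec():
    """A constructed copy of DEFAULT_SPEC with several common loosenings applied."""
    cfg = copy.deepcopy(DEFAULT_SPEC)
    cfg["root"]["readonly"] = False                        # writable rootfs
    cfg["process"]["noNewPrivileges"] = False              # setuid binaries regain privileges
    cfg["process"]["capabilities"]["bounding"].append("CAP_SYS_ADMIN")
    cfg["linux"]["namespaces"] = [n for n in cfg["linux"]["namespaces"] if n["type"] != "network"]
    cfg["linux"]["resources"]["devices"].append({"allow": True, "access": "rwm"})
    return cfg


if __name__ == "__main__":
    print("default spec:", audit_json(json.dumps(DEFAULT_SPEC)) or "no findings")
    for finding in audit_config(weakened_spec()):
        print("weakened spec:", finding)
```

Run it against a real bundle with `audit_json(open("config.json").read())`. The default spec passes clean; the weakened copy produces five findings, one per loosening. Note that the `runc spec` output on this page contains no `linux.seccomp` section, and the binary built above with `BUILDTAGS=''` has seccomp support compiled out, so this audit deliberately does not look at that field.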
runc run. It's sh. Probably from process.args: sh in config.json. Read-only.
sudo runc run mycontainerid
/ # pwd
/
/ # touch asdf
touch: asdf: Read-only file system
runc list and runc state from another terminal
$ sudo runc list
ID              PID         STATUS      BUNDLE                                    CREATED                          OWNER
mycontainerid   31581       running     /home/tjtjtj/workspace/runc/mycontainer   2019-09-04T12:02:30.617630175Z   root
$ sudo runc state mycontainerid
{
  "ociVersion": "1.0.1-dev",
  "id": "mycontainerid",
  "pid": 31581,
  "status": "running",
  "bundle": "/home/tjtjtj/workspace/runc/mycontainer",
  "rootfs": "/home/tjtjtj/workspace/runc/mycontainer/rootfs",
  "created": "2019-09-04T12:02:30.617630175Z",
  "owner": ""
}
Editing config.json
"terminal": false and "args": ["sleep", "5"]
Edit config.json accordingly:
{
  "ociVersion": "1.0.1-dev",
  "process": {
    "terminal": false,
    "user": {
      "uid": 0,
      "gid": 0
    },
    "args": [
      "sleep",
      "5"
    ],
    :
After runc run, it exits five seconds later.
$ sudo runc run sleep5con
Quickly check list and state.
$ sudo runc list
ID          PID         STATUS      BUNDLE                                    CREATED                          OWNER
sleep5con   15300       running     /home/tjtjtj/workspace/runc/mycontainer   2019-09-04T12:09:29.813327585Z   root
$ sudo runc state sleep5con
{
  "ociVersion": "1.0.1-dev",
  "id": "sleep5con",
  "pid": 15300,
  "status": "running",
  "bundle": "/home/tjtjtj/workspace/runc/mycontainer",
  "rootfs": "/home/tjtjtj/workspace/runc/mycontainer/rootfs",
  "created": "2019-09-04T12:09:29.813327585Z",
  "owner": ""
}
It feels just like doing docker run.