Share Process Namespace between Containers in a Pod
how to configure process namespace sharing for a pod.
When process namespace sharing is enabled, processes in a container are visible to all other containers in that pod.
You can use this feature to configure cooperating containers, such as a log handler sidecar container, or to troubleshoot container images that don’t include debugging utilities like a shell
Before you begin
Your Kubernetes server must be version v1.10. To check the version, enter kubectl version.
A special alpha feature gate PodShareProcessNamespace must be set to true across the system: --feature-gates=PodShareProcessNamespace=true
Configure a Pod
Process Namespace Sharing is enabled using the ShareProcessNamespace field of v1.PodSpec.
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
shareProcessNamespace: true
containers:
- name: nginx
image: nginx
- name: shell
image: busybox
securityContext:
capabilities:
add:
- SYS_PTRACE
stdin: true
tty: true
#Create the pod nginx on your cluster:
$ kubectl create -f https://k8s.io/docs/tasks/configure-pod-container/share-process-namespace.yaml
#Attach to the shell container and run ps:
$ kubectl attach -it nginx -c shell
If you don't see a command prompt, try pressing enter.
/ # ps ax
PID USER TIME COMMAND
1 root 0:00 /pause
8 root 0:00 nginx: master process nginx -g daemon off;
14 101 0:00 nginx: worker process
15 root 0:00 sh
21 root 0:00 ps ax
#You can signal processes in other containers. For example, send SIGHUP to nginx to restart the worker process. This requires the SYS_PTRACE capability.
/ # kill -HUP 8
/ # ps ax
PID USER TIME COMMAND
1 root 0:00 /pause
8 root 0:00 nginx: master process nginx -g daemon off;
15 root 0:00 sh
22 101 0:00 nginx: worker process
23 root 0:00 ps ax
#It’s even possible to access another container image using the /proc/$pid/root link.
/ # head /proc/8/root/etc/nginx/nginx.conf
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
Understanding Process Namespace Sharing
Pods share many resources so it makes sense they would also share a process namespace.
Some container images may expect to be isolated from other containers, though, so it’s important to understand these differences:
-
The container process no longer has PID 1.
-
Some container images refuse to start without PID 1 (for example, containers using
systemd) or run commands likekill -HUP 1to signal the container process. -
In pods with a shared process namespace,
kill -HUP 1will signal the pod sandbox. (/pausein the above example.)
-
-
Processes are visible to other containers in the pod.
-
This includes all information visible in
/proc, such as passwords that were passed as arguments or environment variables. -
These are protected only by regular Unix permissions.
-
-
Container filesystems are visible to other containers in the pod through the
/proc/$pid/rootlink.-
This makes debugging easier, but it also means that filesystem secrets are protected only by filesystem permissions.
-
Translate a Docker Compose File to Kubernetes Resources
Kubernetes + Compose = Kompose
What’s Kompose?
It’s a conversion tool for all things compose (namely Docker Compose) to container orchestrators (Kubernetes or OpenShift).
More information can be found on the Kompose website at http://kompose.io.
#1. Take a sample docker-compose.yaml file
version: "2"
services:
redis-master:
image: k8s.gcr.io/redis:e2e
ports:
- "6379"
redis-slave:
image: gcr.io/google_samples/gb-redisslave:v1
ports:
- "6379"
environment:
- GET_HOSTS_FROM=dns
frontend:
image: gcr.io/google-samples/gb-frontend:v4
ports:
- "80:80"
environment:
- GET_HOSTS_FROM=dns
labels:
kompose.service.type: LoadBalancer
#2. Run kompose up in the same directory
$ kompose up
We are going to create Kubernetes Deployments, Services and PersistentVolumeClaims for your Dockerized application.
If you need different kind of resources, use the 'kompose convert' and 'kubectl create -f' commands instead.
INFO Successfully created Service: redis
INFO Successfully created Service: web
INFO Successfully created Deployment: redis
INFO Successfully created Deployment: web
Your application has been deployed to Kubernetes. You can run 'kubectl get deployment,svc,pods,pvc' for details.
#Alternatively, you can run kompose convert and deploy with kubectl
#2.1. Run kompose convert in the same directory
$ kompose convert
INFO Kubernetes file "frontend-service.yaml" created
INFO Kubernetes file "redis-master-service.yaml" created
INFO Kubernetes file "redis-slave-service.yaml" created
INFO Kubernetes file "frontend-deployment.yaml" created
INFO Kubernetes file "redis-master-deployment.yaml" created
INFO Kubernetes file "redis-slave-deployment.yaml" created
#2.2. And start it on Kubernetes!
$ kubectl create -f frontend-service.yaml,redis-master-service.yaml,redis-slave-service.yaml,frontend-deployment.yaml,redis-master-deployment.yaml,redis-slave-deployment.yaml
service "frontend" created
service "redis-master" created
service "redis-slave" created
deployment "frontend" created
deployment "redis-master" created
deployment "redis-slave" created
#Now that your service has been deployed, let’s access it.
#3. View the newly deployed service
#3.1 If you’re already using minikube for your development process:
$ minikube service frontend
#3.2 Otherwise, let’s look up what IP your service is using!
$ kubectl describe svc frontend
Name: frontend
Namespace: default
Labels: service=frontend
Selector: service=frontend
Type: LoadBalancer
IP: 10.0.0.183
LoadBalancer Ingress: 123.45.67.89
Port: 80 80/TCP
NodePort: 80 31144/TCP
Endpoints: 172.17.0.4:80
Session Affinity: None
No events.
#If you’re using a cloud provider, your IP will be listed next to LoadBalancer Ingress.
$ curl http://123.45.67.89
Installation
We have multiple ways to install Kompose. Our preferred method is downloading the binary from the latest GitHub release.
GitHub release : Kompose is released via GitHub on a three-week cycle, you can see all current releases on the GitHub release page.
Go : Installing using go get pulls from the master branch with the latest development changes.
CentOS:
- Kompose is in EPEL CentOS repository. If you don’t have EPEL repository already installed and enabled you can do it by running
sudo yum install epel-release - if you have EPEL enabled in your system, you can install Kompose like any other package.
Fedora:Kompose is in Fedora 24, 25 and 26 repositories. You can install it just like any other package.
macOS:On macOS you can install latest release via Homebrew:
User Guide
Kompose has support for two providers: OpenShift and Kubernetes.
You can choose a targeted provider using global option --provider.
If no provider is specified, Kubernetes is set by default.
kompose convert
Kompose supports conversion of V1, V2, and V3 Docker Compose files into Kubernetes and OpenShift objects.
Kubernetes
$ kompose --file docker-voting.yml convert WARN Unsupported key networks - ignoring WARN Unsupported key build - ignoring INFO Kubernetes file "worker-svc.yaml" created INFO Kubernetes file "db-svc.yaml" created INFO Kubernetes file "redis-svc.yaml" created INFO Kubernetes file "result-svc.yaml" created INFO Kubernetes file "vote-svc.yaml" created INFO Kubernetes file "redis-deployment.yaml" created INFO Kubernetes file "result-deployment.yaml" created INFO Kubernetes file "vote-deployment.yaml" created INFO Kubernetes file "worker-deployment.yaml" created INFO Kubernetes file "db-deployment.yaml" created $ ls db-deployment.yaml docker-compose.yml docker-gitlab.yml redis-deployment.yaml result-deployment.yaml vote-deployment.yaml worker-deployment.yaml db-svc.yaml docker-voting.yml redis-svc.yaml result-svc.yaml vote-svc.yaml worker-svc.yaml
You can also provide multiple docker-compose files at the same time:
$ kompose -f docker-compose.yml -f docker-guestbook.yml convert INFO Kubernetes file "frontend-service.yaml" created INFO Kubernetes file "mlbparks-service.yaml" created INFO Kubernetes file "mongodb-service.yaml" created INFO Kubernetes file "redis-master-service.yaml" created INFO Kubernetes file "redis-slave-service.yaml" created INFO Kubernetes file "frontend-deployment.yaml" created INFO Kubernetes file "mlbparks-deployment.yaml" created INFO Kubernetes file "mongodb-deployment.yaml" created INFO Kubernetes file "mongodb-claim0-persistentvolumeclaim.yaml" created INFO Kubernetes file "redis-master-deployment.yaml" created INFO Kubernetes file "redis-slave-deployment.yaml" created $ ls mlbparks-deployment.yaml mongodb-service.yaml redis-slave-service.jsonmlbparks-service.yaml frontend-deployment.yaml mongodb-claim0-persistentvolumeclaim.yaml redis-master-service.yaml frontend-service.yaml mongodb-deployment.yaml redis-slave-deployment.yaml redis-master-deployment.yaml
When multiple docker-compose files are provided the configuration is merged.
Any configuration that is common will be over ridden by subsequent file.
kompose up
Kompose supports a straightforward way to deploy your “composed” application to Kubernetes or OpenShift via kompose up.
Kubernetes
$ kompose --file ./examples/docker-guestbook.yml up We are going to create Kubernetes deployments and services for your Dockerized application. If you need different kind of resources, use the 'kompose convert' and 'kubectl create -f' commands instead. INFO Successfully created service: redis-master INFO Successfully created service: redis-slave INFO Successfully created service: frontend INFO Successfully created deployment: redis-master INFO Successfully created deployment: redis-slave INFO Successfully created deployment: frontend Your application has been deployed to Kubernetes. You can run 'kubectl get deployment,svc,pods' for details. $ kubectl get deployment,svc,pods NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE deploy/frontend 1 1 1 1 4m deploy/redis-master 1 1 1 1 4m deploy/redis-slave 1 1 1 1 4m NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE svc/frontend 10.0.174.12 <none> 80/TCP 4m svc/kubernetes 10.0.0.1 <none> 443/TCP 13d svc/redis-master 10.0.202.43 <none> 6379/TCP 4m svc/redis-slave 10.0.1.85 <none> 6379/TCP 4m NAME READY STATUS RESTARTS AGE po/frontend-2768218532-cs5t5 1/1 Running 0 4m po/redis-master-1432129712-63jn8 1/1 Running 0 4m po/redis-slave-2504961300-nve7b 1/1 Running 0 4m
Note:
- You must have a running Kubernetes cluster with a pre-configured kubectl context.
- Only deployments and services are generated and deployed to Kubernetes.
If you need different kind of resources, use the ‘kompose convert’ and ‘kubectl create -f’ commands instead.
kompose down
Once you have deployed “composed” application to Kubernetes, $ kompose down will help you to take the application out by deleting its deployments and services.
If you need to remove other resources, use the ‘kubectl’ command.
$ kompose --file docker-guestbook.yml down INFO Successfully deleted service: redis-master INFO Successfully deleted deployment: redis-master INFO Successfully deleted service: redis-slave INFO Successfully deleted deployment: redis-slave INFO Successfully deleted service: frontend INFO Successfully deleted deployment: frontend
Note:
- You must have a running Kubernetes cluster with a pre-configured kubectl context
Build and Push Docker Images
Kompose supports both building and pushing Docker images. When using the build key within your Docker Compose file, your image will:
- Automatically be built with Docker using the
imagekey specified within your file - Be pushed to the correct Docker repository using local credentials (located at
.docker/config)
Using an example Docker Compose file:
version: "2"
services:
foo:
build: "./build"
image: docker.io/foo/bar
Using kompose up with a build key:
$ kompose up INFO Build key detected. Attempting to build and push image 'docker.io/foo/bar' INFO Building image 'docker.io/foo/bar' from directory 'build' INFO Image 'docker.io/foo/bar' from directory 'build' built successfully INFO Pushing image 'foo/bar:latest' to registry 'docker.io' INFO Attempting authentication credentials 'https://index.docker.io/v1/ INFO Successfully pushed image 'foo/bar:latest' to registry 'docker.io' INFO We are going to create Kubernetes Deployments, Services and PersistentVolumeClaims for your Dockerized application. If you need different kind of resources, use the 'kompose convert' and 'kubectl create -f' commands instead. INFO Deploying application in "default" namespace INFO Successfully created Service: foo INFO Successfully created Deployment: foo Your application has been deployed to Kubernetes. You can run 'kubectl get deployment,svc,pods,pvc' for details.
In order to disable the functionality, or choose to use BuildConfig generation (with OpenShift) --build (local|build-config|none) can be passed.
# Disable building/pushing Docker images $ kompose up --build none # Generate Build Config artifacts for OpenShift $ kompose up --provider openshift --build build-config
Alternative Conversions
The default kompose transformation will generate Kubernetes Deployments and Services, in yaml format.
You have alternative option to generate json with -j.
Also, you can alternatively generate Replication Controllers objects, Daemon Sets, or Helm charts.
$ kompose convert -j INFO Kubernetes file "redis-svc.json" created INFO Kubernetes file "web-svc.json" created INFO Kubernetes file "redis-deployment.json" created INFO Kubernetes file "web-deployment.json" created
The *-deployment.json files contain the Deployment objects.
$ kompose convert --replication-controller INFO Kubernetes file "redis-svc.yaml" created INFO Kubernetes file "web-svc.yaml" created INFO Kubernetes file "redis-replicationcontroller.yaml" created INFO Kubernetes file "web-replicationcontroller.yaml" created
The *-deployment.json files contain the Deployment objects.
$ kompose convert --replication-controller INFO Kubernetes file "redis-svc.yaml" created INFO Kubernetes file "web-svc.yaml" created INFO Kubernetes file "redis-replicationcontroller.yaml" created INFO Kubernetes file "web-replicationcontroller.yaml" created
The *-replicationcontroller.yaml files contain the Replication Controller objects. If you want to specify replicas (default is 1), use --replicas flag:
$ kompose convert --replication-controller --replicas 3
$ kompose convert --daemon-set INFO Kubernetes file "redis-svc.yaml" created INFO Kubernetes file "web-svc.yaml" created INFO Kubernetes file "redis-daemonset.yaml" created INFO Kubernetes file "web-daemonset.yaml" created
The *-daemonset.yaml files contain the Daemon Set objects
If you want to generate a Chart to be used with Helm simply do:
$ kompose convert -c
INFO Kubernetes file "web-svc.yaml" created
INFO Kubernetes file "redis-svc.yaml" created
INFO Kubernetes file "web-deployment.yaml" created
INFO Kubernetes file "redis-deployment.yaml" created
chart created in "./docker-compose/"
$ tree docker-compose/
docker-compose
├── Chart.yaml
├── README.md
└── templates
├── redis-deployment.yaml
├── redis-svc.yaml
├── web-deployment.yaml
└── web-svc.yaml
The chart structure is aimed at providing a skeleton for building your Helm charts.
Labels
kompose supports Kompose-specific labels within the docker-compose.yml file in order to explicitly define a service’s behavior upon conversion.
- kompose.service.type defines the type of service to be created.
version: "2"
services:
nginx:
image: nginx
dockerfile: foobar
build: ./foobar
cap_add:
- ALL
container_name: foobar
labels:
kompose.service.type: nodeport
kompose.service.expose :defines if the service needs to be made accessible from outside the cluster or not. If the value is set to “true”, the provider sets the endpoint automatically, and for any other value, the value is set as the hostname. If multiple ports are defined in a service, the first one is chosen to be the exposed.
- For the Kubernetes provider, an ingress resource is created and it is assumed that an ingress controller has already been configured.
- For the OpenShift provider, a route is created.
version: "2"
services:
web:
image: tuna/docker-counter23
ports:
- "5000:5000"
links:
- redis
labels:
kompose.service.expose: "counter.example.com"
redis:
image: redis:3.0
ports:
- "6379"
The currently supported options are:
| Key | Value |
|---|---|
| kompose.service.type | nodeport / clusterip / loadbalancer |
| kompose.service.expose | true / hostname |
Note:
kompose.service.type label should be defined with ports only, otherwise kompose will fail.
Restart
If you want to create normal pods without controllers you can use restart construct of docker-compose to define that.
Follow table below to see what happens on the restart value.
docker-compose restart | object created | Pod restartPolicy |
|---|---|---|
"" |
controller object | Always |
always |
controller object | Always |
on-failure |
Pod | OnFailure |
no |
Pod | Never |
Note:
controller object could be deployment or replicationcontroller, etc.
For e.g. pival service will become pod down here. This container calculated value of pi.
version: '2'
services:
pival:
image: perl
command: ["perl", "-Mbignum=bpi", "-wle", "print bpi(2000)"]
restart: "on-failure"
Warning about Deployment Config’s
If the Docker Compose file has a volume specified for a service, the Deployment (Kubernetes) or DeploymentConfig (OpenShift) strategy is changed to “Recreate” instead of “RollingUpdate” (default).
This is done to avoid multiple instances of a service from accessing a volume at the same time.
If the Docker Compose file has service name with _ in it (eg.web_service), then it will be replaced by - and the service name will be renamed accordingly (eg.web-service). Kompose does this because “Kubernetes” doesn’t allow _ in object name.
Please note that changing service name might break some docker-compose files.
Docker Compose Versions
Kompose supports Docker Compose versions: 1, 2 and 3. We have limited support on versions 2.1 and 3.2 due to their experimental nature.
A full list on compatibility between all three versions is listed in our conversion document including a list of all incompatible Docker Compose keys.