Share Process Namespace between Containers in a Pod
how to configure process namespace sharing for a pod.
When process namespace sharing is enabled, processes in a container are visible to all other containers in that pod.
You can use this feature to configure cooperating containers, such as a log handler sidecar container, or to troubleshoot container images that don’t include debugging utilities like a shell
Before you begin
Your Kubernetes server must be version v1.10. To check the version, enter kubectl version.
A special alpha feature gate PodShareProcessNamespace must be set to true across the system: --feature-gates=PodShareProcessNamespace=true
Configure a Pod
Process Namespace Sharing is enabled using the ShareProcessNamespace field of v1.PodSpec.
apiVersion: v1kind: Podmetadata: ?name: nginxspec: ?shareProcessNamespace: true ?containers: ?- name: nginx ???image: nginx ?- name: shell ???image: busybox ???securityContext: ?????capabilities: ???????add: ???????- SYS_PTRACE ???stdin: true ???tty: true
#Create the pod nginx on your cluster:$ kubectl create -f https://k8s.io/docs/tasks/configure-pod-container/share-process-namespace.yaml#Attach to the shell container and run ps:$ kubectl attach -it nginx -c shellIf you don‘t see a command prompt, try pressing enter./ # ps axPID ??USER ????TIME ?COMMAND ???1 root ?????0:00 /pause ???8 root ?????0:00 nginx: master process nginx -g daemon off; ??14 101 ??????0:00 nginx: worker process ??15 root ?????0:00 sh ??21 root ?????0:00 ps ax#You can signal processes in other containers. For example, send SIGHUP to nginx to restart the worker process. This requires the SYS_PTRACE capability. ???/ # kill -HUP 8 ???/ # ps ax ???PID ??USER ????TIME ?COMMAND ???????1 root ?????0:00 /pause ???????8 root ?????0:00 nginx: master process nginx -g daemon off; ??????15 root ?????0:00 sh ??????22 101 ??????0:00 nginx: worker process ??????23 root ?????0:00 ps ax#It’s even possible to access another container image using the /proc/$pid/root link./ # head /proc/8/root/etc/nginx/nginx.conf ???user ?nginx; ???worker_processes ?1; ???error_log ?/var/log/nginx/error.log warn; ???pid ???????/var/run/nginx.pid; ???events { ???????worker_connections ?1024;
Understanding Process Namespace Sharing
Pods share many resources so it makes sense they would also share a process namespace.
Some container images may expect to be isolated from other containers, though, so it’s important to understand these differences:
The container process no longer has PID 1.
Some container images refuse to start without PID 1 (for example, containers using
systemd) or run commands likekill -HUP 1to signal the container process.In pods with a shared process namespace,
kill -HUP 1will signal the pod sandbox. (/pausein the above example.)
Processes are visible to other containers in the pod.
This includes all information visible in
/proc, such as passwords that were passed as arguments or environment variables.These are protected only by regular Unix permissions.
Container filesystems are visible to other containers in the pod through the
/proc/$pid/rootlink.This makes debugging easier, but it also means that filesystem secrets are protected only by filesystem permissions.
Translate a Docker Compose File to Kubernetes Resources
Kubernetes + Compose = Kompose
What’s Kompose?
It’s a conversion tool for all things compose (namely Docker Compose) to container orchestrators (Kubernetes or OpenShift).
More information can be found on the Kompose website at http://kompose.io.
#1. Take a sample docker-compose.yaml fileversion: "2"services: ?redis-master: ???image: k8s.gcr.io/redis:e2e ????ports: ?????- "6379" ?redis-slave: ???image: gcr.io/google_samples/gb-redisslave:v1 ???ports: ?????- "6379" ???environment: ?????- GET_HOSTS_FROM=dns ?frontend: ???image: gcr.io/google-samples/gb-frontend:v4 ???ports: ?????- "80:80" ???environment: ?????- GET_HOSTS_FROM=dns ???labels: ?????kompose.service.type: LoadBalancer#2. Run kompose up in the same directory$ kompose upWe are going to create Kubernetes Deployments, Services and PersistentVolumeClaims for your Dockerized application. If you need different kind of resources, use the ‘kompose convert‘ and ‘kubectl create -f‘ commands instead. INFO Successfully created Service: redis ?????????INFO Successfully created Service: web ???????????INFO Successfully created Deployment: redis ??????INFO Successfully created Deployment: web ????????Your application has been deployed to Kubernetes. You can run ‘kubectl get deployment,svc,pods,pvc‘ for details.#Alternatively, you can run kompose convert and deploy with kubectl#2.1. Run kompose convert in the same directory$ kompose convert ??????????????????????????INFO Kubernetes file "frontend-service.yaml" created ????????INFO Kubernetes file "redis-master-service.yaml" created ????INFO Kubernetes file "redis-slave-service.yaml" created ?????INFO Kubernetes file "frontend-deployment.yaml" created ?????INFO Kubernetes file "redis-master-deployment.yaml" created ?INFO Kubernetes file "redis-slave-deployment.yaml" created ??#2.2. And start it on Kubernetes!$ kubectl create -f frontend-service.yaml,redis-master-service.yaml,redis-slave-service.yaml,frontend-deployment.yaml,redis-master-deployment.yaml,redis-slave-deployment.yamlservice "frontend" createdservice "redis-master" createdservice "redis-slave" createddeployment "frontend" createddeployment "redis-master" createddeployment "redis-slave" created#Now that your service has been deployed, let’s access it.#3. View the newly deployed service#3.1 If you’re already using minikube for your development process:$ minikube service frontend#3.2 Otherwise, let’s look up what IP your service is using!$ kubectl describe svc frontendName: ??????????????????frontendNamespace: ?????????????defaultLabels: ????????????????service=frontendSelector: ??????????????service=frontendType: ??????????????????LoadBalancerIP: ????????????????????10.0.0.183LoadBalancer Ingress: ??123.45.67.89Port: ??????????????????80 ?????80/TCPNodePort: ??????????????80 ?????31144/TCPEndpoints: ?????????????172.17.0.4:80Session Affinity: ??????NoneNo events.#If you’re using a cloud provider, your IP will be listed next to LoadBalancer Ingress.$ curl http://123.45.67.89
Installation
We have multiple ways to install Kompose. Our preferred method is downloading the binary from the latest GitHub release.
GitHub release : Kompose is released via GitHub on a three-week cycle, you can see all current releases on the GitHub release page.
Go : Installing using go get pulls from the master branch with the latest development changes.
CentOS:
- Kompose is in EPEL CentOS repository. If you don’t have EPEL repository already installed and enabled you can do it by running
sudo yum install epel-release - if you have EPEL enabled in your system, you can install Kompose like any other package.
Fedora:Kompose is in Fedora 24, 25 and 26 repositories. You can install it just like any other package.
macOS:On macOS you can install latest release via Homebrew:
User Guide
Kompose has support for two providers: OpenShift and Kubernetes.
You can choose a targeted provider using global option --provider.
If no provider is specified, Kubernetes is set by default.
kompose convert
Kompose supports conversion of V1, V2, and V3 Docker Compose files into Kubernetes and OpenShift objects.
Kubernetes
$ kompose --file docker-voting.yml convertWARN Unsupported key networks - ignoringWARN Unsupported key build - ignoringINFO Kubernetes file "worker-svc.yaml" createdINFO Kubernetes file "db-svc.yaml" createdINFO Kubernetes file "redis-svc.yaml" createdINFO Kubernetes file "result-svc.yaml" createdINFO Kubernetes file "vote-svc.yaml" createdINFO Kubernetes file "redis-deployment.yaml" createdINFO Kubernetes file "result-deployment.yaml" createdINFO Kubernetes file "vote-deployment.yaml" createdINFO Kubernetes file "worker-deployment.yaml" createdINFO Kubernetes file "db-deployment.yaml" created$ lsdb-deployment.yaml ?docker-compose.yml ????????docker-gitlab.yml ?redis-deployment.yaml ?result-deployment.yaml ?vote-deployment.yaml ?worker-deployment.yamldb-svc.yaml ????????docker-voting.yml ?????????redis-svc.yaml ????result-svc.yaml ???????vote-svc.yaml ??????????worker-svc.yaml
You can also provide multiple docker-compose files at the same time:
$ kompose -f docker-compose.yml -f docker-guestbook.yml convertINFO Kubernetes file "frontend-service.yaml" created ????????INFO Kubernetes file "mlbparks-service.yaml" created ????????INFO Kubernetes file "mongodb-service.yaml" created ?????????INFO Kubernetes file "redis-master-service.yaml" created ????INFO Kubernetes file "redis-slave-service.yaml" created ?????INFO Kubernetes file "frontend-deployment.yaml" created ?????INFO Kubernetes file "mlbparks-deployment.yaml" created ?????INFO Kubernetes file "mongodb-deployment.yaml" created ??????INFO Kubernetes file "mongodb-claim0-persistentvolumeclaim.yaml" created INFO Kubernetes file "redis-master-deployment.yaml" created ?INFO Kubernetes file "redis-slave-deployment.yaml" created ??$ lsmlbparks-deployment.yaml ?mongodb-service.yaml ??????????????????????redis-slave-service.jsonmlbparks-service.yaml ?frontend-deployment.yaml ?mongodb-claim0-persistentvolumeclaim.yaml ?redis-master-service.yamlfrontend-service.yaml ????mongodb-deployment.yaml ???????????????????redis-slave-deployment.yamlredis-master-deployment.yaml
When multiple docker-compose files are provided the configuration is merged.
Any configuration that is common will be over ridden by subsequent file.
kompose up
Kompose supports a straightforward way to deploy your “composed” application to Kubernetes or OpenShift via kompose up.
Kubernetes
$ kompose --file ./examples/docker-guestbook.yml upWe are going to create Kubernetes deployments and services for your Dockerized application.If you need different kind of resources, use the ‘kompose convert‘ and ‘kubectl create -f‘ commands instead.INFO Successfully created service: redis-master ??INFO Successfully created service: redis-slave ???INFO Successfully created service: frontend ??????INFO Successfully created deployment: redis-masterINFO Successfully created deployment: redis-slaveINFO Successfully created deployment: frontend ???Your application has been deployed to Kubernetes. You can run ‘kubectl get deployment,svc,pods‘ for details.$ kubectl get deployment,svc,podsNAME ??????????????????????????????DESIRED ??????CURRENT ??????UP-TO-DATE ??AVAILABLE ??AGEdeploy/frontend ???????????????????1 ????????????1 ????????????1 ???????????1 ??????????4mdeploy/redis-master ???????????????1 ????????????1 ????????????1 ???????????1 ??????????4mdeploy/redis-slave ????????????????1 ????????????1 ????????????1 ???????????1 ??????????4mNAME ??????????????????????????????CLUSTER-IP ???EXTERNAL-IP ??PORT(S) ?????AGEsvc/frontend ??????????????????????10.0.174.12 ??<none> ???????80/TCP ??????4msvc/kubernetes ????????????????????10.0.0.1 ?????<none> ???????443/TCP ?????13dsvc/redis-master ??????????????????10.0.202.43 ??<none> ???????6379/TCP ????4msvc/redis-slave ???????????????????10.0.1.85 ????<none> ???????6379/TCP ????4mNAME ??????????????????????????????READY ????????STATUS ???????RESTARTS ????AGEpo/frontend-2768218532-cs5t5 ??????1/1 ??????????Running ??????0 ???????????4mpo/redis-master-1432129712-63jn8 ??1/1 ??????????Running ??????0 ???????????4mpo/redis-slave-2504961300-nve7b ???1/1 ??????????Running ??????0 ???????????4m
Note:
- You must have a running Kubernetes cluster with a pre-configured kubectl context.
- Only deployments and services are generated and deployed to Kubernetes.
If you need different kind of resources, use the ‘kompose convert’ and ‘kubectl create -f’ commands instead.
kompose down
Once you have deployed “composed” application to Kubernetes, $ kompose down will help you to take the application out by deleting its deployments and services.
If you need to remove other resources, use the ‘kubectl’ command.
$ kompose --file docker-guestbook.yml downINFO Successfully deleted service: redis-master ??INFO Successfully deleted deployment: redis-masterINFO Successfully deleted service: redis-slave ???INFO Successfully deleted deployment: redis-slaveINFO Successfully deleted service: frontend ??????INFO Successfully deleted deployment: frontend
Note:
- You must have a running Kubernetes cluster with a pre-configured kubectl context
Build and Push Docker Images
Kompose supports both building and pushing Docker images. When using the build key within your Docker Compose file, your image will:
- Automatically be built with Docker using the
imagekey specified within your file - Be pushed to the correct Docker repository using local credentials (located at
.docker/config)
Using an example Docker Compose file:
version: "2"services: ???foo: ???????build: "./build" ???????image: docker.io/foo/bar
Using kompose up with a build key:
$ kompose upINFO Build key detected. Attempting to build and push image ‘docker.io/foo/bar‘ INFO Building image ‘docker.io/foo/bar‘ from directory ‘build‘ INFO Image ‘docker.io/foo/bar‘ from directory ‘build‘ built successfully INFO Pushing image ‘foo/bar:latest‘ to registry ‘docker.io‘ INFO Attempting authentication credentials ‘https://index.docker.io/v1/ INFO Successfully pushed image ‘foo/bar:latest‘ to registry ‘docker.io‘ INFO We are going to create Kubernetes Deployments, Services and PersistentVolumeClaims for your Dockerized application. If you need different kind of resources, use the ‘kompose convert‘ and ‘kubectl create -f‘ commands instead. ?INFO Deploying application in "default" namespace INFO Successfully created Service: foo ???????????INFO Successfully created Deployment: foo ????????Your application has been deployed to Kubernetes. You can run ‘kubectl get deployment,svc,pods,pvc‘ for details.
In order to disable the functionality, or choose to use BuildConfig generation (with OpenShift) --build (local|build-config|none) can be passed.
# Disable building/pushing Docker images$ kompose up --build none# Generate Build Config artifacts for OpenShift$ kompose up --provider openshift --build build-config
Alternative Conversions
The default kompose transformation will generate Kubernetes Deployments and Services, in yaml format.
You have alternative option to generate json with -j.
Also, you can alternatively generate Replication Controllers objects, Daemon Sets, or Helm charts.
$ kompose convert -jINFO Kubernetes file "redis-svc.json" createdINFO Kubernetes file "web-svc.json" createdINFO Kubernetes file "redis-deployment.json" createdINFO Kubernetes file "web-deployment.json" created
The *-deployment.json files contain the Deployment objects.
$ kompose convert --replication-controllerINFO Kubernetes file "redis-svc.yaml" createdINFO Kubernetes file "web-svc.yaml" createdINFO Kubernetes file "redis-replicationcontroller.yaml" createdINFO Kubernetes file "web-replicationcontroller.yaml" created
The *-deployment.json files contain the Deployment objects.
$ kompose convert --replication-controllerINFO Kubernetes file "redis-svc.yaml" createdINFO Kubernetes file "web-svc.yaml" createdINFO Kubernetes file "redis-replicationcontroller.yaml" createdINFO Kubernetes file "web-replicationcontroller.yaml" created
The *-replicationcontroller.yaml files contain the Replication Controller objects. If you want to specify replicas (default is 1), use --replicas flag:
$ kompose convert --replication-controller --replicas 3
$ kompose convert --daemon-setINFO Kubernetes file "redis-svc.yaml" createdINFO Kubernetes file "web-svc.yaml" createdINFO Kubernetes file "redis-daemonset.yaml" createdINFO Kubernetes file "web-daemonset.yaml" created
The *-daemonset.yaml files contain the Daemon Set objects
If you want to generate a Chart to be used with Helm simply do:
$ kompose convert -c INFO Kubernetes file "web-svc.yaml" createdINFO Kubernetes file "redis-svc.yaml" createdINFO Kubernetes file "web-deployment.yaml" createdINFO Kubernetes file "redis-deployment.yaml" createdchart created in "./docker-compose/"$ tree docker-compose/docker-compose├── Chart.yaml├── README.md└── templates ???├── redis-deployment.yaml ???├── redis-svc.yaml ???├── web-deployment.yaml ???└── web-svc.yaml
The chart structure is aimed at providing a skeleton for building your Helm charts.
Labels
kompose supports Kompose-specific labels within the docker-compose.yml file in order to explicitly define a service’s behavior upon conversion.
- kompose.service.type defines the type of service to be created.
version: "2"services: ??nginx: ???image: nginx ???dockerfile: foobar ???build: ./foobar ???cap_add: ?????- ALL ???container_name: foobar ???labels: ??????kompose.service.type: nodeport
kubernetes 实战6_命令_Share Process Namespace between Containers in a Pod&Translate a Docker Compose File to Kubernetes Resources
原文地址:https://www.cnblogs.com/panpanwelcome/p/9141071.html