| 1 | +--- |
| 2 | +title: Share Process Namespace between Containers in a Pod |
| 3 | +min-kubernetes-server-version: v1.10 |
| 4 | +approvers: |
| 5 | +- dawnchen |
| 6 | +- verb |
| 7 | +--- |
| 8 | + |
| 9 | +{% capture overview %} |
| 10 | + |
| 11 | +{% include feature-state-alpha.md %} |
| 12 | + |
| 13 | +This page shows how to configure process namespace sharing for a pod. When |
| 14 | +process namespace sharing is enabled, processes in a container will be visible |
| 15 | +to all other containers in that pod. |
| 16 | + |
| 17 | +This can be useful for cooperating containers, such as a log handler sidecar |
| 18 | +container, or troubleshooting container images that don't include debugging |
| 19 | +utilities like a shell. |
| 20 | + |
| 21 | +{% endcapture %} |
| 22 | + |
| 23 | +{% capture prerequisites %} |
| 24 | + |
| 25 | +* {% include task-tutorial-prereqs.md %} |
| 26 | +* A special **alpha** feature gate `PodShareProcessNamespace` has to be set to |
| 27 | + true across the system: `--feature-gates=PodShareProcessNamespace=true`. |
| 28 | + |
| 29 | +{% endcapture %} |
| 30 | + |
| 31 | +{% capture steps %} |
| 32 | + |
| 33 | +## Configure a Pod |
| 34 | + |
| 35 | +Process Namespace Sharing is enabled using the `ShareProcessNamespace` field of |
| 36 | +`v1.PodSpec`. For example: |
| 37 | + |
| 38 | +{% include code.html language="yaml" file="share-process-namespace.yaml" ghlink="/docs/tasks/configure-pod-container/share-process-namespace.yaml" %} |
| 39 | + |
| 40 | +1. Create the pod `nginx` on your cluster: |
| 41 | + |
| 42 | + $ kubectl create -f https://k8s.io/docs/tasks/configure-pod-container/share-process-namespace.yaml |
| 43 | + |
| 44 | +1. Attach to the `shell` container and run `ps`: |
| 45 | + |
| 46 | + $ kc attach -it nginx -c shell |
| 47 | + If you don't see a command prompt, try pressing enter. |
| 48 | + / # ps ax |
| 49 | + PID USER TIME COMMAND |
| 50 | + 1 root 0:00 /pause |
| 51 | + 8 root 0:00 nginx: master process nginx -g daemon off; |
| 52 | + 14 101 0:00 nginx: worker process |
| 53 | + 15 root 0:00 sh |
| 54 | + 21 root 0:00 ps ax |
| 55 | + |
| 56 | +1. It's possible to signal processes in other containers. Sending `SIGHUP` to |
| 57 | + nginx causes it to restart the worker process (this requires the `SYS_PTRACE` |
| 58 | + capability): |
| 59 | + |
| 60 | + / # kill -HUP 8 |
| 61 | + / # ps ax |
| 62 | + PID USER TIME COMMAND |
| 63 | + 1 root 0:00 /pause |
| 64 | + 8 root 0:00 nginx: master process nginx -g daemon off; |
| 65 | + 15 root 0:00 sh |
| 66 | + 22 101 0:00 nginx: worker process |
| 67 | + 23 root 0:00 ps ax |
| 68 | + |
| 69 | +1. It's even possible to access another container image using the |
| 70 | + `/proc/$pid/root` link: |
| 71 | + |
| 72 | + / # head /proc/8/root/etc/nginx/nginx.conf |
| 73 | + |
| 74 | + user nginx; |
| 75 | + worker_processes 1; |
| 76 | + |
| 77 | + error_log /var/log/nginx/error.log warn; |
| 78 | + pid /var/run/nginx.pid; |
| 79 | + |
| 80 | + |
| 81 | + events { |
| 82 | + worker_connections 1024; |
| 83 | + |
| 84 | +{% endcapture %} |
| 85 | + |
| 86 | +{% capture discussion %} |
| 87 | + |
| 88 | +## Understanding Process Namespace Sharing |
| 89 | + |
| 90 | +Pods share many resources so it makes sense they would also share a process |
| 91 | +namespace. Some container images may expect to be isolated from other |
| 92 | +containers, though, so it's important to understand these differences: |
| 93 | + |
| 94 | +1. **The container process no longer has PID 1.** Some container images refuse |
| 95 | + to start without PID 1 (e.g. containers using `systemd`) or run commands like |
| 96 | + `kill -HUP 1` to signal the container process. In pods with a shared process |
| 97 | + namespace, `kill -HUP 1` will signal the pod sandbox. (`/pause` in the above |
| 98 | + example.) |
| 99 | + |
| 100 | +1. **Processes are visible to other containers in the pod.** This includes all |
| 101 | + information visible in `/proc`, such as passwords that were passed as arguments |
| 102 | + or environment variables. These will be protected only by regular Unix |
| 103 | + permissions. |
| 104 | + |
| 105 | +1. **Container filesystems are visible to other containers in the pod through the |
| 106 | + `/proc/$pid/root` link.** This makes debugging easier, but it also means |
| 107 | + that filesystem secrets are protected only by filesystem permissions. |
| 108 | + |
| 109 | +{% endcapture %} |
| 110 | + |
| 111 | +{% include templates/task.md %} |
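Review bot: Step 2 of the procedure (diff line 46) runs `kc attach -it nginx -c shell`, but `kc` is an undefined alias; the rest of the page uses `kubectl`, so this should read `kubectl attach -it nginx -c shell`. Two smaller points: step 3 states that signalling nginx needs the `SYS_PTRACE` capability, yet the manifest only appears via `{% include code.html ... file="share-process-namespace.yaml" %}`, so a short sentence saying that the `shell` container in that manifest is the one granted the capability would make the step self-contained; and step 4's lead sentence says "access another container image" while discussion item 3 correctly describes it as the container filesystem reached through `/proc/$pid/root`, so "filesystem" should be used in both places.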