On the Pods page in the Kubernetes docs, it states:
The context of the pod can be defined as the conjunction of several Linux namespaces:
PID namespace (applications within the pod can see each other's processes)
network namespace (applications within the pod have access to the same IP and port space)
IPC namespace (applications within the pod can use SystemV IPC or POSIX message queues to communicate)
UTS namespace (applications within the pod share a hostname)
However, it then says that:
In terms of Docker constructs, a pod consists of a colocated group of Docker containers with shared volumes. PID namespace sharing is not yet implemented with Docker.
So does this mean that pods cannot see processes in other containers or perform any kind of IPC between containers running in the same pod? How would I send a signal to a process running in another pod?
Within a Pod, containers share an IP address and port space, and can find each other via localhost . The containers in a Pod can also communicate with each other using standard inter-process communications like SystemV semaphores or POSIX shared memory.
Kubernetes assumes that pods can communicate with other pods, regardless of which host they land on. Kubernetes gives every pod its own cluster-private IP address, so you do not need to explicitly create links between pods or map container ports to host ports.
Every container in a pod shares the same IP. You can `ping localhost` inside a pod. Two containers in the same pod share an IP and a network namespace, and they are both localhost to each other.
The key thing about pods is that when a pod does contain multiple containers, all of them are always run on a single worker node—it never spans multiple worker nodes, as shown in figure 3.1.
Yeah, we wish that they could share the PID namespace, but as you say, it is not currently supported by Docker. Once we have support in Docker, we will rapidly add it to Kubernetes.
This means that you can't use signals to signal other processes in the Pod.
You can, however, use IPC mechanisms like pipes and shared memory.
does this mean that pods cannot see processes in other containers or perform any kind of IPC between containers running in the same pod?
Recent Kubernetes 1.12 (Q3 2018) announcements do include:
Configurable pod process namespace sharing is moving to beta, meaning users can configure containers within a pod to share a common PID namespace by setting an option in the PodSpec.
See kubernetes/feature 495 "Configurable Pod Process Namespace Sharing" (and its PR 66507, commit 8ebc84e), and its documentation: "Share Process Namespace between Containers in a Pod".
Warning, with this:
- The container process no longer has PID 1. Some container images refuse to start without PID 1 (for example, containers using systemd) or run commands like `kill -HUP 1` to signal the container process. In pods with a shared process namespace, `kill -HUP 1` will signal the pod sandbox.
- Processes are visible to other containers in the pod. This includes all information visible in `/proc`, such as passwords that were passed as arguments or environment variables. These are protected only by regular Unix permissions.
- Container filesystems are visible to other containers in the pod through the `/proc/$pid/root` link. This makes debugging easier, but it also means that filesystem secrets are protected only by filesystem permissions.
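For a concrete picture of what the answers above describe, here is an added example manifest (not from the original answers or the Kubernetes docs) of a two-container pod that opts in to a shared PID namespace. The pod name, container names, images and UIDs are assumptions chosen for the demo. It also illustrates the earlier answer's point that the two containers share one network namespace, which holds whether or not `shareProcessNamespace` is set.

```yaml
# Added example (not from the original answers): a two-container pod with
# shareProcessNamespace enabled. Pod/container names, images and UIDs are
# assumptions chosen for the demo.
apiVersion: v1
kind: Pod
metadata:
  name: shared-pid-demo
spec:
  # Opt in to one PID namespace for every container in the pod (beta in 1.12,
  # as the answer above notes; later graduated to stable). Without this line
  # each container keeps its own PID namespace and its main process is PID 1.
  shareProcessNamespace: true
  containers:
  - name: worker
    image: busybox:1.36
    # Long-running process that the other container will be able to see.
    command: ["sh", "-c", "sleep 3600"]
    securityContext:
      # Distinct non-root UID per container: the warning above says /proc and
      # /proc/$pid/root are protected only by regular Unix permissions, so
      # giving each container its own UID is what makes that protection
      # actually separate the two containers' secrets.
      runAsUser: 1000
      allowPrivilegeEscalation: false
  - name: inspector
    image: busybox:1.36
    command: ["sh", "-c", "sleep 3600"]
    securityContext:
      runAsUser: 2000
      allowPrivilegeEscalation: false
```

After `kubectl apply -f shared-pid-demo.yaml`, `kubectl exec shared-pid-demo -c inspector -- ps` lists the `worker` container's `sleep` alongside its own, with the pod sandbox process as PID 1, which is exactly why `kill -HUP 1` from inside a container now hits the sandbox rather than the container's own entrypoint. Remove the `shareProcessNamespace` line and the same `ps` shows only the inspector's own processes again. Because the two containers run under different UIDs, `ls /proc/<worker pid>/root` from the inspector fails with a permission error; if both ran as root (the busybox default), that directory would be readable and the "filesystem secrets are protected only by filesystem permissions" warning would apply in full. Either way, a process in `worker` listening on `127.0.0.1` is reachable from `inspector` over localhost, since the network namespace is shared by every pod regardless of this setting.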