kubernetes 实战6_命令_Share Process Namespace between Containers in a Pod&Translate a Docker Compose File to Kubernetes Resources

Share Process Namespace between Containers in a Pod

how to configure process namespace sharing for a pod.

When process namespace sharing is enabled, processes in a container are visible to all other containers in that pod.

You can use this feature to configure cooperating containers, such as a log handler sidecar container, or to troubleshoot container images that don’t include debugging utilities like a shell

Before you begin

Your Kubernetes server must be version v1.10. To check the version, enter kubectl version.

A special alpha feature gate PodShareProcessNamespace must be set to true across the system: --feature-gates=PodShareProcessNamespace=true

Configure a Pod

Process Namespace Sharing is enabled using the ShareProcessNamespace field of v1.PodSpec.

apiVersion: v1

kind: Pod

metadata:

  name: nginx

spec:

  shareProcessNamespace: true

  containers:

  - name: nginx

    image: nginx

  - name: shell

    image: busybox

    securityContext:

      capabilities:

        add:

        - SYS_PTRACE

    stdin: true

    tty: true

#Create the pod nginx on your cluster:

$ kubectl create -f https://k8s.io/docs/tasks/configure-pod-container/share-process-namespace.yaml

#Attach to the shell container and run ps:

$ kubectl attach -it nginx -c shell

If you don't see a command prompt, try pressing enter.

/ # ps ax

PID   USER     TIME  COMMAND

    1 root      0:00 /pause

    8 root      0:00 nginx: master process nginx -g daemon off;

   14 101       0:00 nginx: worker process

   15 root      0:00 sh

   21 root      0:00 ps ax

#You can signal processes in other containers. For example, send SIGHUP to nginx to restart the worker process. This requires the SYS_PTRACE capability.

    / # kill -HUP 8

    / # ps ax

    PID   USER     TIME  COMMAND

        1 root      0:00 /pause

        8 root      0:00 nginx: master process nginx -g daemon off;

       15 root      0:00 sh

       22 101       0:00 nginx: worker process

       23 root      0:00 ps ax

#It’s even possible to access another container image using the /proc/$pid/root link.

/ # head /proc/8/root/etc/nginx/nginx.conf

    user  nginx;

    worker_processes  1;

    error_log  /var/log/nginx/error.log warn;

    pid        /var/run/nginx.pid;

    events {

        worker_connections  1024;

Understanding Process Namespace Sharing

Pods share many resources so it makes sense they would also share a process namespace.

Some container images may expect to be isolated from other containers, though, so it’s important to understand these differences:

The container process no longer has PID 1.
- Some container images refuse to start without PID 1 (for example, containers using systemd) or run commands like kill -HUP 1 to signal the container process.
- In pods with a shared process namespace, kill -HUP 1 will signal the pod sandbox. (/pause in the above example.)
Processes are visible to other containers in the pod.
- This includes all information visible in /proc, such as passwords that were passed as arguments or environment variables.
- These are protected only by regular Unix permissions.
Container filesystems are visible to other containers in the pod through the /proc/$pid/root link.
- This makes debugging easier, but it also means that filesystem secrets are protected only by filesystem permissions.

Translate a Docker Compose File to Kubernetes Resources

Kubernetes + Compose = Kompose

What’s Kompose?

It’s a conversion tool for all things compose (namely Docker Compose) to container orchestrators (Kubernetes or OpenShift).

More information can be found on the Kompose website at http://kompose.io.

#1. Take a sample docker-compose.yaml file

version: "2"

services:

  redis-master:

    image: k8s.gcr.io/redis:e2e

    ports:

      - "6379"

  redis-slave:

    image: gcr.io/google_samples/gb-redisslave:v1

    ports:

      - "6379"

    environment:

      - GET_HOSTS_FROM=dns

  frontend:

    image: gcr.io/google-samples/gb-frontend:v4

    ports:

      - "80:80"

    environment:

      - GET_HOSTS_FROM=dns

    labels:

      kompose.service.type: LoadBalancer

#2. Run kompose up in the same directory

$ kompose up

We are going to create Kubernetes Deployments, Services and PersistentVolumeClaims for your Dockerized application.

If you need different kind of resources, use the 'kompose convert' and 'kubectl create -f' commands instead. 

INFO Successfully created Service: redis

INFO Successfully created Service: web

INFO Successfully created Deployment: redis

INFO Successfully created Deployment: web         

Your application has been deployed to Kubernetes. You can run 'kubectl get deployment,svc,pods,pvc' for details.

#Alternatively, you can run kompose convert and deploy with kubectl

#2.1. Run kompose convert in the same directory

$ kompose convert

INFO Kubernetes file "frontend-service.yaml" created

INFO Kubernetes file "redis-master-service.yaml" created

INFO Kubernetes file "redis-slave-service.yaml" created

INFO Kubernetes file "frontend-deployment.yaml" created

INFO Kubernetes file "redis-master-deployment.yaml" created

INFO Kubernetes file "redis-slave-deployment.yaml" created   

#2.2. And start it on Kubernetes!

$ kubectl create -f frontend-service.yaml,redis-master-service.yaml,redis-slave-service.yaml,frontend-deployment.yaml,redis-master-deployment.yaml,redis-slave-deployment.yaml

service "frontend" created

service "redis-master" created

service "redis-slave" created

deployment "frontend" created

deployment "redis-master" created

deployment "redis-slave" created

#Now that your service has been deployed, let’s access it.

#3. View the newly deployed service

#3.1 If you’re already using minikube for your development process:

$ minikube service frontend

#3.2 Otherwise, let’s look up what IP your service is using!

$ kubectl describe svc frontend

Name:                   frontend

Namespace:              default

Labels:                 service=frontend

Selector:               service=frontend

Type:                   LoadBalancer

IP:                     10.0.0.183

LoadBalancer Ingress:   123.45.67.89

Port:                   80      80/TCP

NodePort:               80      31144/TCP

Endpoints:              172.17.0.4:80

Session Affinity:       None

No events.

#If you’re using a cloud provider, your IP will be listed next to LoadBalancer Ingress.

$ curl http://123.45.67.89

Installation

We have multiple ways to install Kompose. Our preferred method is downloading the binary from the latest GitHub release.

GitHub release : Kompose is released via GitHub on a three-week cycle, you can see all current releases on the GitHub release page.

Go : Installing using go get pulls from the master branch with the latest development changes.

CentOS:

Kompose is in EPEL CentOS repository. If you don’t have EPEL repository already installed and enabled you can do it by running sudo yum install epel-release
if you have EPEL enabled in your system, you can install Kompose like any other package.

Fedora:Kompose is in Fedora 24, 25 and 26 repositories. You can install it just like any other package.

macOS:On macOS you can install latest release via Homebrew:

User Guide

Kompose has support for two providers: OpenShift and Kubernetes.

You can choose a targeted provider using global option --provider.

If no provider is specified, Kubernetes is set by default.

kompose convert

Kompose supports conversion of V1, V2, and V3 Docker Compose files into Kubernetes and OpenShift objects.

Kubernetes

$ kompose --file docker-voting.yml convert

WARN Unsupported key networks - ignoring

WARN Unsupported key build - ignoring

INFO Kubernetes file "worker-svc.yaml" created

INFO Kubernetes file "db-svc.yaml" created

INFO Kubernetes file "redis-svc.yaml" created

INFO Kubernetes file "result-svc.yaml" created

INFO Kubernetes file "vote-svc.yaml" created

INFO Kubernetes file "redis-deployment.yaml" created

INFO Kubernetes file "result-deployment.yaml" created

INFO Kubernetes file "vote-deployment.yaml" created

INFO Kubernetes file "worker-deployment.yaml" created

INFO Kubernetes file "db-deployment.yaml" created

$ ls

db-deployment.yaml  docker-compose.yml         docker-gitlab.yml  redis-deployment.yaml  result-deployment.yaml  vote-deployment.yaml  worker-deployment.yaml

db-svc.yaml         docker-voting.yml          redis-svc.yaml     result-svc.yaml        vote-svc.yaml           worker-svc.yaml

You can also provide multiple docker-compose files at the same time:

$ kompose -f docker-compose.yml -f docker-guestbook.yml convert

INFO Kubernetes file "frontend-service.yaml" created

INFO Kubernetes file "mlbparks-service.yaml" created

INFO Kubernetes file "mongodb-service.yaml" created

INFO Kubernetes file "redis-master-service.yaml" created

INFO Kubernetes file "redis-slave-service.yaml" created

INFO Kubernetes file "frontend-deployment.yaml" created

INFO Kubernetes file "mlbparks-deployment.yaml" created

INFO Kubernetes file "mongodb-deployment.yaml" created

INFO Kubernetes file "mongodb-claim0-persistentvolumeclaim.yaml" created

INFO Kubernetes file "redis-master-deployment.yaml" created

INFO Kubernetes file "redis-slave-deployment.yaml" created   

$ ls

mlbparks-deployment.yaml  mongodb-service.yaml                       redis-slave-service.jsonmlbparks-service.yaml

frontend-deployment.yaml  mongodb-claim0-persistentvolumeclaim.yaml  redis-master-service.yaml

frontend-service.yaml     mongodb-deployment.yaml                    redis-slave-deployment.yaml

redis-master-deployment.yaml

When multiple docker-compose files are provided the configuration is merged.

Any configuration that is common will be over ridden by subsequent file.

kompose up

Kompose supports a straightforward way to deploy your “composed” application to Kubernetes or OpenShift via kompose up.

Kubernetes

$ kompose --file ./examples/docker-guestbook.yml up

We are going to create Kubernetes deployments and services for your Dockerized application.

If you need different kind of resources, use the 'kompose convert' and 'kubectl create -f' commands instead.

INFO Successfully created service: redis-master

INFO Successfully created service: redis-slave

INFO Successfully created service: frontend

INFO Successfully created deployment: redis-master

INFO Successfully created deployment: redis-slave

INFO Successfully created deployment: frontend    

Your application has been deployed to Kubernetes. You can run 'kubectl get deployment,svc,pods' for details.

$ kubectl get deployment,svc,pods

NAME                               DESIRED       CURRENT       UP-TO-DATE   AVAILABLE   AGE

deploy/frontend                    1             1             1            1           4m

deploy/redis-master                1             1             1            1           4m

deploy/redis-slave                 1             1             1            1           4m

NAME                               CLUSTER-IP    EXTERNAL-IP   PORT(S)      AGE

svc/frontend                       10.0.174.12   <none>        80/TCP       4m

svc/kubernetes                     10.0.0.1      <none>        443/TCP      13d

svc/redis-master                   10.0.202.43   <none>        6379/TCP     4m

svc/redis-slave                    10.0.1.85     <none>        6379/TCP     4m

NAME                               READY         STATUS        RESTARTS     AGE

po/frontend-2768218532-cs5t5       1/1           Running       0            4m

po/redis-master-1432129712-63jn8   1/1           Running       0            4m

po/redis-slave-2504961300-nve7b    1/1           Running       0            4m

Note:

- You must have a running Kubernetes cluster with a pre-configured kubectl context.

- Only deployments and services are generated and deployed to Kubernetes.

If you need different kind of resources, use the ‘kompose convert’ and ‘kubectl create -f’ commands instead.

kompose down

Once you have deployed “composed” application to Kubernetes, $ kompose down will help you to take the application out by deleting its deployments and services.

If you need to remove other resources, use the ‘kubectl’ command.

$ kompose --file docker-guestbook.yml down

INFO Successfully deleted service: redis-master

INFO Successfully deleted deployment: redis-master

INFO Successfully deleted service: redis-slave

INFO Successfully deleted deployment: redis-slave

INFO Successfully deleted service: frontend

INFO Successfully deleted deployment: frontend

Note:

- You must have a running Kubernetes cluster with a pre-configured kubectl context

Build and Push Docker Images

Kompose supports both building and pushing Docker images. When using the build key within your Docker Compose file, your image will:

Automatically be built with Docker using the image key specified within your file
Be pushed to the correct Docker repository using local credentials (located at .docker/config)

Using an example Docker Compose file:

version: "2"

services:

    foo:

        build: "./build"

        image: docker.io/foo/bar

Using kompose up with a build key:

$ kompose up

INFO Build key detected. Attempting to build and push image 'docker.io/foo/bar'

INFO Building image 'docker.io/foo/bar' from directory 'build'

INFO Image 'docker.io/foo/bar' from directory 'build' built successfully

INFO Pushing image 'foo/bar:latest' to registry 'docker.io'

INFO Attempting authentication credentials 'https://index.docker.io/v1/

INFO Successfully pushed image 'foo/bar:latest' to registry 'docker.io'

INFO We are going to create Kubernetes Deployments, Services and PersistentVolumeClaims for your Dockerized application. If you need different kind of resources, use the 'kompose convert' and 'kubectl create -f' commands instead. 

INFO Deploying application in "default" namespace

INFO Successfully created Service: foo

INFO Successfully created Deployment: foo         

Your application has been deployed to Kubernetes. You can run 'kubectl get deployment,svc,pods,pvc' for details.

In order to disable the functionality, or choose to use BuildConfig generation (with OpenShift) --build (local|build-config|none) can be passed.

# Disable building/pushing Docker images

$ kompose up --build none

# Generate Build Config artifacts for OpenShift

$ kompose up --provider openshift --build build-config

Alternative Conversions

The default kompose transformation will generate Kubernetes Deployments and Services, in yaml format.

You have alternative option to generate json with -j.

Also, you can alternatively generate Replication Controllers objects, Daemon Sets, or Helm charts.

$ kompose convert -j

INFO Kubernetes file "redis-svc.json" created

INFO Kubernetes file "web-svc.json" created

INFO Kubernetes file "redis-deployment.json" created

INFO Kubernetes file "web-deployment.json" created

The *-deployment.json files contain the Deployment objects.

$ kompose convert --replication-controller

INFO Kubernetes file "redis-svc.yaml" created

INFO Kubernetes file "web-svc.yaml" created

INFO Kubernetes file "redis-replicationcontroller.yaml" created

INFO Kubernetes file "web-replicationcontroller.yaml" created

　The *-deployment.json files contain the Deployment objects.　

$ kompose convert --replication-controller

INFO Kubernetes file "redis-svc.yaml" created

INFO Kubernetes file "web-svc.yaml" created

INFO Kubernetes file "redis-replicationcontroller.yaml" created

INFO Kubernetes file "web-replicationcontroller.yaml" created

　　The *-replicationcontroller.yaml files contain the Replication Controller objects. If you want to specify replicas (default is 1), use --replicas flag:

$ kompose convert --replication-controller --replicas 3

$ kompose convert --daemon-set

INFO Kubernetes file "redis-svc.yaml" created

INFO Kubernetes file "web-svc.yaml" created

INFO Kubernetes file "redis-daemonset.yaml" created

INFO Kubernetes file "web-daemonset.yaml" created

　　The *-daemonset.yaml files contain the Daemon Set objects

If you want to generate a Chart to be used with Helm simply do:

$ kompose convert -c

INFO Kubernetes file "web-svc.yaml" created

INFO Kubernetes file "redis-svc.yaml" created

INFO Kubernetes file "web-deployment.yaml" created

INFO Kubernetes file "redis-deployment.yaml" created

chart created in "./docker-compose/"

$ tree docker-compose/

docker-compose

├── Chart.yaml

├── README.md

└── templates

    ├── redis-deployment.yaml

    ├── redis-svc.yaml

    ├── web-deployment.yaml

    └── web-svc.yaml

　　The chart structure is aimed at providing a skeleton for building your Helm charts.

Labels

kompose supports Kompose-specific labels within the docker-compose.yml file in order to explicitly define a service’s behavior upon conversion.

kompose.service.type defines the type of service to be created.

version: "2"

services:

  nginx:

    image: nginx

    dockerfile: foobar

    build: ./foobar

    cap_add:

      - ALL

    container_name: foobar

    labels:

      kompose.service.type: nodeport

kompose.service.expose :defines if the service needs to be made accessible from outside the cluster or not. If the value is set to “true”, the provider sets the endpoint automatically, and for any other value, the value is set as the hostname. If multiple ports are defined in a service, the first one is chosen to be the exposed.

For the Kubernetes provider, an ingress resource is created and it is assumed that an ingress controller has already been configured.
For the OpenShift provider, a route is created.

version: "2"

services:

  web:

    image: tuna/docker-counter23

    ports:

     - "5000:5000"

    links:

     - redis

    labels:

      kompose.service.expose: "counter.example.com"

  redis:

    image: redis:3.0

    ports:

     - "6379"

The currently supported options are:

Key	Value
kompose.service.type	nodeport / clusterip / loadbalancer
kompose.service.expose	true / hostname

Note:

kompose.service.type label should be defined with ports only, otherwise kompose will fail.

Restart

If you want to create normal pods without controllers you can use restart construct of docker-compose to define that.

Follow table below to see what happens on the restart value.

`docker-compose` `restart`	object created	Pod `restartPolicy`
`""`	controller object	`Always`
`always`	controller object	`Always`
`on-failure`	Pod	`OnFailure`
`no`	Pod	`Never`

Note:

controller object could be deployment or replicationcontroller, etc.

For e.g. pival service will become pod down here. This container calculated value of pi.

version: '2'

services:

  pival:

    image: perl

    command: ["perl",  "-Mbignum=bpi", "-wle", "print bpi(2000)"]

    restart: "on-failure"

Warning about Deployment Config’s

If the Docker Compose file has a volume specified for a service, the Deployment (Kubernetes) or DeploymentConfig (OpenShift) strategy is changed to “Recreate” instead of “RollingUpdate” (default).

This is done to avoid multiple instances of a service from accessing a volume at the same time.

If the Docker Compose file has service name with _ in it (eg.web_service), then it will be replaced by - and the service name will be renamed accordingly (eg.web-service). Kompose does this because “Kubernetes” doesn’t allow _ in object name.

Please note that changing service name might break some docker-compose files.

Docker Compose Versions

Kompose supports Docker Compose versions: 1, 2 and 3. We have limited support on versions 2.1 and 3.2 due to their experimental nature.

A full list on compatibility between all three versions is listed in our conversion document including a list of all incompatible Docker Compose keys.