Kubernetes 101 : Shared "Process ID" namespace between containers in a pod



Usually containers within the same pod share the IPC and the Network namespace.

Containers in the same pod communicate via IPC (inter-process communication), the loopback interface, or a shared volume that is accessible to the containers living inside the pod.

Namespaces are a Linux concept that allows us to isolate resources (IPC, cgroup, mount, PID, ...).

PID namespaces allow two processes to have the same process ID, as long as they live in different PID namespaces.
For example, we could have a process on the host with PID=1 (systemd) and, in another PID namespace, a different process that also has PID=1.

The "shareProcessNamespace" option allows containers within the same pod to have access to the same PID namespace.

The "shareProcessNamespace" option can be set in the YAML file of the pod, as we can see below:
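
A minimal manifest with that option set, added here as an illustration and not taken from the original post. The pod and container names are written with hyphens because Kubernetes object names cannot contain underscores; the images and the sleep command are assumptions.

```yaml
# Added example: names, images and command are assumptions, not the author's manifest.
apiVersion: v1
kind: Pod
metadata:
  name: shared-pod
spec:
  # Default is false: each container then gets its own PID namespace.
  # With true, every container in this pod:
  #   - sees the processes of all the other containers in the pod
  #   - can send them signals, subject to the usual UID/capability checks
  #   - can reach their filesystems through /proc/<pid>/root, so files are
  #     protected only by filesystem permissions
  # PID 1 in the pod becomes the pod's infrastructure (pause) process,
  # not the entrypoint of any container.
  shareProcessNamespace: true
  containers:
    - name: nginx-container
      image: nginx
    - name: debian-container
      image: debian
      # Keep the container running so that it has a process to observe.
      command: ["sleep", "infinity"]
```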


With that option set, the processes in one container can see the processes in the other container because they are running in the same process namespace or PID namespace within the "shared_pod" pod.

Processes communicate through signals.


Below are examples of the most commonly used signals:

  • SIGHUP : Hangup, sent to a process when the terminal it is attached to is closed.
  • SIGINT : Interrupt, equivalent to <CTRL+C>.
  • SIGKILL : Kill signal, forces the termination of a process; it can't be blocked.
  • SIGTERM : Terminates a process; it can be ignored or handled.

We could get the full list of signals by using the below command:


Since our pod and its containers are already running, we can attach to the shell of one of the running containers, nginx_container for example, to run commands inside it, using the below command:


  • -c : because we have two containers, we use that parameter to name the container we attach to.
  • -i : passes the "stdin" data input stream to the container.
  • -t : tells kubectl that stdin is a TTY terminal.

Once inside the "nginx_container" container, we could list the processes and their PIDs using the below command:


We could see all the processes including the ones running in the "debian_container" container, since both containers "live" in the same PID namespace.

We could also use the below command to send a signal from the nginx_container container to one of the processes running inside the debian_container container, using its process ID:


The "SIGNAL" could be SIGKILL or SIGHUP for example.
