2주차 Pause Container

sh5·2024년 9월 7일

Pause Container

Pause Container: Pod에 묶인 컨테이너들을 생성할 때 리소스를 제한하고 공유하기 위해서 쓰이는 컨테이너다. PID 1인 프로세스와 유사하다.

  • 1번 프로세스와 비슷함, 네임스페이스를 만들고 파드 내 다른 컨테이너들과 공유한다. 해당 컨테이너들은 모두 같은 IP를 가진다. 그래서 파드를 만들 수 있게 된다.
  • 모든 파드에 들어가므로 가장 많이 쓰이는 컨테이너
  • 파드내 모든 컨테이너의 부모 컨테이너 및 부모 프로세스
  • linux namespace 공유의 기반이 되는 역할을 맡는다
  • PID 1 역할로 좀비 프로세스를 정리(reap)한다 — 단, 파드의 PID 네임스페이스를 공유(shareProcessNamespace: true)할 때만 해당하며, 아래 lsns 출력처럼 기본 설정에서는 pause와 각 컨테이너가 서로 다른 pid 네임스페이스를 쓴다

실습환경(with Kind)

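# Deploy a 'control-plane + 1 worker' cluster; the port mappings are what let
# the host reach pods through NodePort services.
#
# extraPortMappings publishes the worker's NodePorts on the host. kind's default
# listenAddress is 0.0.0.0, so ports 30000/30001 are reachable on every
# interface the host has; on a lab box with a public address add
#   listenAddress: "127.0.0.1"
# next to each hostPort (kube-ops-view, installed below, does not authenticate
# its UI). Quoted delimiter: nothing in this YAML should be shell-expanded.
cat <<'EOT' > kind-2node.yaml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
- role: worker
  extraPortMappings:
  - containerPort: 30000
    hostPort: 30000
  - containerPort: 30001
    hostPort: 30001
EOT
kind create cluster --config kind-2node.yaml --name myk8s

# Install diagnostic tools inside the node containers (they are Debian-based,
# hence apt). The control-plane node additionally gets git and nano.
docker exec -it myk8s-control-plane sh -c 'apt update && apt install tree jq psmisc lsof wget bridge-utils tcpdump htop git nano -y'
docker exec -it myk8s-worker        sh -c 'apt update && apt install tree jq psmisc lsof wget bridge-utils tcpdump htop -y'

# Verify: nodes, node containers, published ports, node IPv4 addresses
kubectl get nodes -o wide
docker ps
docker port myk8s-worker
docker exec -it myk8s-control-plane ip -br -c -4 addr
docker exec -it myk8s-worker  ip -br -c -4 addr

# kube-ops-view, exposed as NodePort 30000 (mapped to host port 30000 above)
helm repo add geek-cookbook https://geek-cookbook.github.io/charts/
helm install kube-ops-view geek-cookbook/kube-ops-view --version 1.2.2 \
  --set 'service.main.type=NodePort,service.main.ports.http.nodePort=30000' \
  --set 'env.TZ=Asia/Seoul' \
  --namespace kube-system

# Confirm the release's objects came up
kubectl get deploy,pod,svc,ep -n kube-system -l app.kubernetes.io/instance=kube-ops-view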

설치된 kube-ops-view

Pod 배포 및 격리

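# Deploy metrics-server (needed for `kubectl top` and for kube-ops-view's
# resource view).
helm repo add metrics-server https://kubernetes-sigs.github.io/metrics-server/
# --kubelet-insecure-tls makes metrics-server skip verification of each
# kubelet's serving certificate. kind's kubelets present self-signed serving
# certificates by default, so the flag is required in this lab; it must not be
# carried over to a real cluster — there, enable kubelet serving-certificate
# bootstrap (serverTLSBootstrap: true in the kubelet configuration) and drop
# the flag so metrics-server verifies the kubelets it scrapes.
helm upgrade --install metrics-server metrics-server/metrics-server \
  --set 'args[0]=--kubelet-insecure-tls' \
  -n kube-system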

# 워커노드 컨테이너에 bash로 진입
 docker exec -it myk8s-worker bash
 
# enabled된 서비스 확인
root@myk8s-worker:/# systemctl list-unit-files | grep 'enabled         enabled'
containerd.service                                                                    enabled         enabled
kubelet.service                                                                       enabled         enabled
open-iscsi.service                                                                    enabled         enabled
undo-mount-hacks.service                                                              enabled         enabled

pstree로 확인해보면 pause 프로세스가 보인다. 해당 프로세스가 pause container다.

  root@myk8s-worker:/# pstree -aclnpsS
  `-containerd-shim,1418 -namespace k8s.io -id 0f4c6e69fdcfc9e74405cd8f3478e6b33a98d957fe00e988c855b22295824b66 -address /run/containerd/containerd.sock
      |-{containerd-shim},1420
      |-{containerd-shim},1421
      |-{containerd-shim},1422
      |-{containerd-shim},1423
      |-{containerd-shim},1424
      |-{containerd-shim},1425
      |-{containerd-shim},1426
      |-{containerd-shim},1427
      |-{containerd-shim},1428
      |-pause,1440,ipc,mnt,net,pid,uts
      |-metrics-server,1517,cgroup,ipc,mnt,net,pid,uts --secure-port=10250 --cert-dir=/tmp --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --kubelet-use-node-status-port --metric-resolution=15s --kubelet-insecure-tls
      |   |-{metrics-server},1536
      |   |-{metrics-server},1537
      |   |-{metrics-server},1538
      |   |-{metrics-server},1539
      |   |-{metrics-server},1540
      |   |-{metrics-server},1541
      |   |-{metrics-server},1542
      |   `-{metrics-server},1543
      |-{containerd-shim},1529
      `-{containerd-shim},1558

pause container 가 PID 1440 이다. PID1과 얼마나 다른지 확인해 보자

time, user, cgroup을 빼곤 모두 다른 네임스페이스를 쓰는 것을 확인할 수 있다.

# PID 1의 네임스페이스 목록
root@myk8s-worker:/# lsns -p 1
        NS TYPE   NPROCS PID USER COMMAND
4026531834 time       18   1 root /sbin/init
4026531837 user       18   1 root /sbin/init
4026532293 mnt        10   1 root /sbin/init
4026532294 uts        14   1 root /sbin/init
4026532295 ipc        10   1 root /sbin/init
4026532296 pid        10   1 root /sbin/init
4026532297 net        14   1 root /sbin/init
4026532355 cgroup     15   1 root /sbin/init

# PID1440 인 pause container의 네임스페이스 목록
root@myk8s-worker:/# lsns -p 1440
        NS TYPE   NPROCS   PID USER  COMMAND
4026531834 time       18     1 root  /sbin/init
4026531837 user       18     1 root  /sbin/init
4026532355 cgroup     15     1 root  /sbin/init
4026532669 net         2  1440 65535 /pause
4026532728 mnt         1  1440 65535 /pause
4026532729 uts         2  1440 65535 /pause
4026532730 ipc         2  1440 65535 /pause
4026532731 pid         1  1440 65535 /pause

테스트파드 배포

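# Single-container test pod. The image reference must be plain nginx:alpine —
# the bold markers the page rendering wrapped around it are not a valid image
# name and would make the apply fail. terminationGracePeriodSeconds: 0 makes
# `kubectl delete` immediate, which suits a throwaway lab pod.
cat <<'EOF' | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: myweb
spec:
  containers:
  - image: nginx:alpine
    name: myweb-container
    ports:
    - containerPort: 80
      protocol: TCP
  terminationGracePeriodSeconds: 0
EOF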

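# Two-container test pod: nginx plus a netshoot sidecar that curls it every
# 5 s. "localhost" reaches nginx because both containers share the pause
# container's network namespace (shown with lsns/nsenter further down).
# The bold markers the page rendering put around the name/container fields
# are removed here; they are not valid YAML. Both images are untagged (latest);
# pin a tag or digest outside a throwaway lab.
cat <<'EOF' | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: myweb2
spec:
  containers:
  - name: myweb2-nginx
    image: nginx
    ports:
    - containerPort: 80
      protocol: TCP

  - name: myweb2-netshoot
    image: nicolaka/netshoot
    command: ["/bin/bash"]
    args: ["-c", "while true; do sleep 5; curl localhost; done"] # keeps the container from exiting

  terminationGracePeriodSeconds: 0
EOF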

myweb2의 컨테이너의 IP가 모두 같음을 확인

myweb2-nginx와 myweb2-netshoot가 둘다 같은 ip를 가지고 있다.

# 컨테이너1 (myweb2-nginx)
ubuntu@MyServer:~$ kubectl exec myweb2 -c myweb2-nginx -- apt update
ubuntu@MyServer:~$ kubectl exec myweb2 -c myweb2-nginx -- apt install -y net-tools
ubuntu@MyServer:~$ kubectl exec myweb2 -c myweb2-nginx -- ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.244.1.5  netmask 255.255.255.0  broadcast 10.244.1.255
        inet6 fe80::9c9a:d9ff:fec8:7a1e  prefixlen 64  scopeid 0x20<link>
        ether 9e:9a:d9:c8:7a:1e  txqueuelen 0  (Ethernet)
        RX packets 314  bytes 9505493 (9.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 196  bytes 14946 (14.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 768  bytes 115520 (112.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 768  bytes 115520 (112.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
  
# 컨테이너2 (myweb2-netshoot)
ubuntu@MyServer:~$ kubectl exec myweb2 -c myweb2-netshoot -- ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host proto kernel_lo
       valid_lft forever preferred_lft forever
2: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 9e:9a:d9:c8:7a:1e brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.244.1.5/24 brd 10.244.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::9c9a:d9ff:fec8:7a1e/64 scope link proto ke

그리고 Namespace를 비교해보면 두 컨테이너가 time, user, net 네임스페이스를 공유하는 것을 확인할 수 있다. 아래 lsns 출력을 보면 uts, ipc 역시 pause(PID 2579)의 것을 공유하고, mnt, pid, cgroup만 컨테이너마다 따로 있다.

# nginx를 실행하는 pod가 2개여서 2개로 보임
# myweb2는 두번째 프로세스(PID 2643)
# myweb2의 첫번째 컨테이너 확인
root@myk8s-worker:/# ps -ef | grep 'nginx -g' | grep -v grep
root        2402    2318  0 20:03 ?        00:00:00 nginx: master process nginx -g daemon off;
root        2643    2560  0 20:08 ?        00:00:00 nginx: master process nginx -g daemon off;
root@myk8s-worker:/# lsns -p 2643
        NS TYPE   NPROCS   PID USER  COMMAND
4026531834 time       34     1 root  /sbin/init
4026531837 user       34     1 root  /sbin/init
4026532801 net         8  2579 65535 /pause
4026532861 uts         8  2579 65535 /pause
4026532862 ipc         8  2579 65535 /pause
4026532864 mnt         5  2643 root  nginx: master process nginx -g daemon off;
4026532865 pid         5  2643 root  nginx: master process nginx -g daemon off;
4026532866 cgroup      5  2643 root  nginx: master process nginx -g daemon off;

# 두번째 컨테이너 (myweb2-netshoot)
root@myk8s-worker:/# ps -ef | grep 'curl' | grep -v grep
root        2767    2560  0 20:09 ?        00:00:00 /bin/bash -c while true; do sleep 5; curl localhost; done
root@myk8s-worker:/# lsns -p 2767
        NS TYPE   NPROCS   PID USER  COMMAND
4026531834 time       34     1 root  /sbin/init
4026531837 user       34     1 root  /sbin/init
4026532801 net         8  2579 65535 /pause
4026532861 uts         8  2579 65535 /pause
4026532862 ipc         8  2579 65535 /pause
4026532867 mnt         2  2767 root  /bin/bash -c while true; do sleep 5; curl localhost; done
4026532868 pid         2  2767 root  /bin/bash -c while true; do sleep 5; curl localhost; done
4026532869 cgroup      2  2767 root  /bin/bash -c while true; do sleep 5; curl localhost; done

이렇게 PID기준으로 IP를 확인해 봐도 IP가 같은걸 확인 할 수 있다.

root@myk8s-worker:/# nsenter -t 2643 -n ip -c addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 9e:9a:d9:c8:7a:1e brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.244.1.5/24 brd 10.244.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::9c9a:d9ff:fec8:7a1e/64 scope link
       valid_lft forever preferred_lft forever
root@myk8s-worker:/# nsenter -t 2767 -n ip -c addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 9e:9a:d9:c8:7a:1e brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.244.1.5/24 brd 10.244.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::9c9a:d9ff:fec8:7a1e/64 scope link
       valid_lft forever preferred_lft forever
