Kubernetes pod:
DEEP DIVE

ContainerDays 2019

Hamburg, 26/06/2019

whoami

DARIO TRANCHITELLA

  • Father
  • Developer
  • DevOps
  • Gopher
  • former drummer

 

CLOUD DEVOPS ENGINEER
NAMECHEAP (NC Cloud Team)

this
talk
IS ABOUT...

AND WHY THIS TALK?

THIS TALK IS NOT MADE
OF COPY-PASTED QUOTE

- Dario Tranchitella (ContainerDay 2018)

what is a pod?

kubernetes.io

A pod (as in a pod of whales or pea pod) is a group of one or more containers (such as Docker containers), with shared storage/network, and a specification for how to run the containers. A pod’s contents are always co-located and co-scheduled, and run in a shared context. A pod models an application-specific “logical host” - it contains one or more application containers which are relatively tightly coupled — in a pre-container world, being executed on the same physical or virtual machine would mean being executed on the same logical host.

 

https://kubernetes.io/docs/concepts/workloads/pods/pod/

the definition implementation

apiVersion: v1
kind: Pod
metadata:
  name: containerdays
spec:
  containers:
  - name: foo
    image: nginx:alpine
    resources:
      limits:
        cpu: "500m"
        memory: "256Mi"
      requests:
        cpu: "250m"
        memory: "128Mi"
  - name: bar
    image: redis:alpine
    resources:
      limits:
        cpu: "500m"
        memory: "256Mi"
      requests:
        cpu: "250m"
        memory: "128Mi"

...keep in mind that a container is made of:

  • namespace
  • cgroup
  • copy on write FS

 

MORE INFO?
Giulio De Donato: Isoliamo un Processo senza Container (ContainerDay 2016)

K8S_POD_<NAME> AND PAUSE?

what is the pause container?

kuberentes pause container

https://github.com/kubernetes/kubernetes/blob/master/build/pause/pause.c

sigaction

examine and change a signal action:  returns 0 on success, -1 on error.

SIGINT (2)

Interrupt from keyboard

SIGTERM (15)

Termination signal

SIGCHLD (20,17,18)

Child stopped or terminated

...what about 42?

Answer to the Ultimate Question of Life, the Universe, and Everything!

openshift pause container (< v4)

https://github.com/openshift/origin/blob/v4.0.0-alpha.0/images/pod/pod.go

signal.Notify

Go signal notification works by sending os.Signal values on a channe

os.Interrupt

It's sigint (2)

syscall.SIGTERM

It's sigterm (15)

os.Kill

It's sigkill (9)

PLEASE
ADD LITTLE
COMPLEXITY

...so, it's demo time!

 

START YOUR OWN POD

docker run \
    -d \
    --rm \
    --name containerdays \
k8s.gcr.io/pause-amd64:3.1

docker run \
    -d \
    --rm \
    --name containerdays_foo \
    --network container:containerdays \
    --cpu-shares 512 \
    --cpu-quota 75000 \
    --ipc container:containerdays \
nginx:alpine

docker run \
    -d \
    --rm \
    --name containerdays_bar \
    --network container:containerdays \
    --cpu-shares 512 \
    --cpu-quota 75000 \
    --ipc container:containerdays \
redis:alpine
apiVersion: v1
kind: Pod
metadata:
  name: containerdays
spec:
  containers:
  - name: foo
    image: nginx:alpine
    resources:
      limits:
        cpu: "750m"
        memory: "256Mi"
      requests:
        cpu: "500m"
        memory: "128Mi"
  - name: bar
    image: redis:alpine
    resources:
      limits:
        cpu: "750m"
        memory: "256Mi"
      requests:
        cpu: "500m"
        memory: "128Mi"

...wut, something's missing

  • MEMORY REQUEST
    memory request is primarily useful to the scheduler, which uses it to find a node with at least that many memory available
     
  • SECURITY CONTEXT
    • --user
    • --group-add
    • --cap-{add,drop}
    • --privileged
    • --security-opt
    • ...and so on

PLEASE
ADD MORE
COMPLEXITY

edamame.POD.service

[Unit]
Description=EdamamePod, awesome and tasty pod
Requires=docker.service

[Service]
ExecStartPre=/usr/bin/echo "This could be a init script, WDYT?"
ExecStartPre=/usr/bin/docker volume create edamame_volume
ExecStart=/usr/bin/docker run --rm --name edamame k8s.gcr.io/pause-amd64:3.1
ExecStop=/usr/bin/docker stop edamame
Restart=always

[Install]
WantedBy=multi-user.target

EDAMAME.foo.service

[Unit]
Description=edamame.foo, aka Redis
PartOf=edamame.pod.service

[Service]
TimeoutStartSec=0
ExecStart=/usr/bin/docker run --rm --name edamame.foo -v edamame_volume:/etc/edamame --network container:edamame redis:alpine
ExecStop=/usr/bin/docker stop edamame.foo
Restart=always

[Install]
WantedBy=multi-user.target

EDAMAME.bar.service

[Unit]
Description=edamame.bar, aka NGINX
PartOf=edamame.pod.service

[Service]
TimeoutStartSec=0
ExecStart=/usr/bin/docker run --rm --name edamame.bar -v edamame_volume:/etc/edamame --network container:edamame nginx:alpine
ExecStop=/usr/bin/docker stop edamame.bar
Restart=always

[Install]
WantedBy=multi-user.target

...mmm, where are container patterns?

designing distributed systems (brendan burns)

ambassador

https://github.com/prometherion/openshift-prometheus-grafana-ambassador

...any question?

Made with Slides.com