Linux namespaces are fundamental to isolating system resources for processes. Each namespace type isolates a different system resource:
- PID namespace: Isolates the process ID number space, meaning that processes in different PID namespaces can have the same PID.
- Network namespace (NET): Provides isolation of network controllers, system resources associated with networking, firewall rules, and routing tables.
- Mount namespace (MNT): Isolates the set of filesystem mount points seen by a group of processes so that processes in different mount namespaces can have different views of the filesystem hierarchy.
- Interprocess Communication namespace (IPC): Separates the system resources associated with System V IPC and POSIX message queues.
- User namespace (USER): Isolates the user and group ID number spaces, meaning that a process’s user and group IDs can be different inside and outside a user namespace.
- UTS namespace: Allows each container to have its own hostname and domain name, isolating the system identifiers nodename and domainname.
The Role of Container Runtime
Container runtime, on the other hand, is the software that executes containers and manages container images on a node. Container runtimes provide the necessary interfaces to interact with the Linux kernel namespaces, cgroups, and other components to create containers.
In the context of Kubernetes, it uses a container runtime to create and manage containers. Kubernetes supports several container runtimes: Docker, containerd, CRI-O, and any implementation of the Kubernetes CRI (Container Runtime Interface).
How Kubernetes Creates Containers Using Namespaces
In Kubernetes, a Pod is the smallest and simplest unit that you deploy on a Kubernetes cluster. A Pod represents a single instance of a running process in a cluster and can contain one or more containers. These containers in a Pod share the same network, IPC, and optionally UTS and PID namespaces. It’s essentially a co-located group of applications that share the same context and resources.
When a Pod gets scheduled on a worker node, the kubelet on that node will ask the configured container runtime (let’s assume Docker for this example) to start the containers defined in the PodSpec. Docker will then interact with the Linux kernel to create the necessary namespaces and isolate the resources for each container in the pod.
YAML to Create Sample Pods
Now let’s create a sample Kubernetes pod that hosts a single container. Below is an example of a simple Pod configuration in YAML.
apiVersion: v1
kind: Pod
metadata:
name: mypod
spec:
containers:
- name: mycontainer
image: nginx
To create this Pod, save the YAML in a file named mypod.yaml and then apply it with kubectl:
kubectl apply -f mypod.yamlInspecting Container Processes
Assume that the Pod is scheduled and running. We can inspect the running processes of the “mypod” using a few commands.
First, we need to identify the container’s runtime ID. This can be done with the following command:
kubectl describe pod mypodThe output will be something like:
bashCopy code
Name: mypod ... Containers: mycontainer: Container ID: docker://f0fb8a8a97ec9a9b6b14116f6391255771c5f1fd2f31d752c29660f5a9d96b1a Image: nginx ...The Container ID is what we are interested in. In this case, it is f0fb8a8a97ec9a9b6b14116f6391255771c5f1fd2f31d752c29660f5a9d96b1a.
Now, let’s inspect the running processes in this container using the Docker ‘top’ command:
docker top f0fb8a8a97ec9a9b6b14116f6391255771c5f1fd2f31d752c29660f5a9d96b1aYou’ll see something like:
PID USER TIME COMMAND 5317 root 0:00 nginx: master process nginx -g daemon off; 5370 101 0:00 nginx: worker processThis shows us the processes running inside our container.
Finally, if you want to check the container’s PID namespace, use the following command:
docker inspect --format '{{.State.Pid}}' f0fb8a8a97ec9a9b6b14116f6391255771c5f1fd2f31d752c29660f5a9d96b1aThis might return a value like 5315, which corresponds to the PID namespace in which the container’s processes are running.
Understanding the relationship between Linux namespaces, container runtime, and Kubernetes’ orchestration can offer invaluable insight into the internal workings of containerized applications, enabling effective management and troubleshooting.
Hardik Darji 