查看k8s的node节点中的容器时,发现其上有大量的pause容器,如下:
pause container的主要职责
1. 是pod中其他容器共享linux namespace的基础,基础设施 PID命名空间:Pod中的不同应用程序可以看到其他应用程序的进程ID。 网络命名空间:Pod中的多个容器能够访问同一个IP和端口范围。 IPC命名空间:Pod中的多个容器能够使用SystemV IPC或POSIX消息队列进行通信。 UTS命名空间:Pod中的多个容器共享一个主机名;Volumes(共享存储卷): Pod中的各个容器可以访问在Pod级别定义的Volumes 2. 负责处理僵尸进程pause容器的Dockerfile,地址:
https://github.com/kubernetes/kubernetes/blob/master/build/pause/Dockerfile
FROM scratch ARG ARCH ADD bin/pause-${ARCH} /pause ENTRYPOINT ["/pause"]pause容器内运行一个非常简单的进程来处理僵尸进程,逻辑如下
/* Copyright 2016 The Kubernetes Authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ #include <signal.h> #include <stdio.h> #include <stdlib.h> #include <sys/types.h> #include <sys/wait.h> #include <unistd.h> static void sigdown(int signo) { psignal(signo, "Shutting down, got signal"); exit(0); } static void sigreap(int signo) { while (waitpid(-1, NULL, WNOHANG) > 0); } int main() { if (getpid() != 1) /* Not an error because pause sees use outside of infra containers. */ fprintf(stderr, "Warning: pause should be the first process\n"); if (sigaction(SIGINT, &(struct sigaction){.sa_handler = sigdown}, NULL) < 0) return 1; if (sigaction(SIGTERM, &(struct sigaction){.sa_handler = sigdown}, NULL) < 0) return 2; if (sigaction(SIGCHLD, &(struct sigaction){.sa_handler = sigreap, .sa_flags = SA_NOCLDSTOP}, NULL) < 0) return 3; for (;;) pause(); fprintf(stderr, "Error: infinite loop terminated\n"); return 42; }参考:
https://www.ianlewis.org/en/almighty-pause-container
