Cloud Pak for Integration

Containers and Docker: Why Do We Need POD?

By Michele Buccarello posted Thu December 28, 2017 01:19 PM

  

To understand Kubernetes properly you first need to understand what sits behind the Docker and Pod concepts. I will summarize the important ideas here; more detailed articles are easy to find online.

Many people hear about Docker first and only then about containers, but the core idea is the container, not Docker. The next question is then: why do we need yet another abstraction, the Pod?

Let's talk about containers. A "container" is not an object the Linux kernel knows about; the term describes a process (or process tree) built from two kernel features that have existed for a long time:

  • cgroups
  • namespaces

Namespaces give a process its own view of host resources such as the process table, the network stack, mount points and hostname; cgroups limit how much of a resource (for example memory or CPU) that process tree may consume. Note that this is isolation of view and accounting, not a separate kernel: every container is still a set of ordinary processes sharing the host kernel, so a kernel bug reachable from inside a container affects the whole host.
To create a container without Docker you can use the util-linux unshare command, a thin wrapper around the unshare(2) syscall (it needs root, or a user namespace via --user):
  • unshare --fork --pid --mount-proc bash
This starts a bash in a new PID namespace (--pid), forks so that bash becomes PID 1 inside it (--fork), and mounts a fresh /proc so that ps reads the new namespace's process table (--mount-proc, which also gives the shell its own mount namespace). Running ps aux inside it shows:
root@michele:~# ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0  17723  2396 pts/6    S    23:01   0:00 bash
root         2  0.0  0.0  18992  3157 pts/6    R+   23:01   0:00 ps aux
As you can see, only two processes are visible in this container: the shell and ps itself : )
From the network namespace perspective, a new network namespace starts with nothing but a loopback interface; Docker then connects it to the host bridge with a veth pair and assigns it its own IP address, distinct from the host's. With 100 containers on the default bridge you therefore have 100 different IP addresses to manage!
Now you can see why Docker is an important piece in managing containers: with Docker it is trivial to run a container image such as ubuntu, debian or redis. I still suggest reading these articles to understand how to build a Debian container from scratch without Docker, and then the same steps with Docker.
Docker not only simplifies container management; it lets you build your own images in a standard way, so that people inside or outside your company can contribute fixes and improvements, and the same image runs on any Docker host with a compatible Linux kernel (Docker for Mac and Windows run Linux images inside a Linux VM).
Why the Pod abstraction?
From the Linux (or Windows) perspective the container is the smallest unit, with the caveat above that a container is really just a group of namespaced processes. For Kubernetes the smallest schedulable unit is the Pod, and a Pod can "contain" several "containers" (I like the joke in this statement). How is that possible, and how does it work in Kubernetes?
How is it possible? When you create a container with unshare or Docker, you can create a second container that shares one or more namespaces with the first. With Docker:
  • docker run -d --name=first_container busybox sleep 3600
  • docker run -d --name=second_container_with_same_ip --net=container:first_container busybox sleep 3600
If you now run ifconfig in the second container with docker exec -ti second_container_with_same_ip ifconfig, you will see the same IP address as in the first container: the --net=container: option joins the new container to the existing network namespace instead of creating a new one (Docker offers the same for --pid=container: and --ipc=container:).
How does it work in Kubernetes? When several containers are grouped in the same Pod, they share the network namespace of a special container called the "pause" container. Kubernetes starts the pause container first and uses it as the parent, exactly like first_container in the Docker example above, so that all other containers in the Pod join its namespaces. This container has two missions:
  • Holding the namespaces shared by all containers in the Pod, so that they survive even when an application container crashes and is restarted.
  • When the PID namespace is also shared, acting as PID 1 and reaping the zombie processes left behind by the other containers. PID namespace sharing is not the default in current Kubernetes; it is enabled per Pod with shareProcessNamespace: true, and with it every container can see and signal the processes of its neighbours.
Grouping containers this way looks like creating a small virtual machine: all containers in the same Pod talk to each other over localhost and send their traffic from the IP address inherited from the pause container. In other words Kubernetes shifts the IP model from one IP per container to one IP per Pod, which is a good simplification! The security flip side is that the Pod, not the container, is the isolation boundary: the port space is shared, anything one container binds on localhost is reachable by its sidecars, and a compromise of one container gives the attacker the Pod's network identity.
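The shared-namespace claim behind both the docker --net=container: demo and the pause container can be verified from userspace, which is the check a practitioner would run inside a Pod before trusting that two containers are (or are not) in the same namespace. The following POSIX shell script is an added example, not code from the original post: it compares the namespace ids exposed as /proc/<pid>/ns/<type> symlinks, first for a plain child process (which inherits all of its parent's namespaces, like the second Docker container above), then, where the kernel allows unprivileged user namespaces, for a child started with its own network namespace via util-linux unshare -Un. It assumes a Linux host with /proc mounted; the unshare negative case is skipped when the sandbox forbids it.

```shell
#!/bin/sh
# Added example (not from the original post): verify whether two processes share
# a Linux namespace. Each namespace a process belongs to is exposed as a symlink
# /proc/<pid>/ns/<type> (net, pid, mnt, uts, ipc, user, ...) whose target, e.g.
# "net:[4026531992]", is the namespace id. Two processes share a namespace exactly
# when those targets match. Inside a Pod with shareProcessNamespace: true the same
# check works against pid 1, the pause process.
# Assumed: Linux with /proc mounted and readlink available; util-linux "unshare"
# is only needed for the optional negative case.

# same_ns PID1 PID2 TYPE -> prints both ids; exit 0 if shared, 1 if not, 2 on error
same_ns() {
    ns1=$(readlink "/proc/$1/ns/$3" 2>/dev/null) || return 2
    ns2=$(readlink "/proc/$2/ns/$3" 2>/dev/null) || return 2
    printf '%s: pid %s -> %s, pid %s -> %s\n' "$3" "$1" "$ns1" "$2" "$ns2"
    [ "$ns1" = "$ns2" ]
}

# Case 1: a plain child inherits every namespace of its parent. This is what
# "docker run --net=container:first_container", or two containers joined to the
# pause container, look like: identical namespace ids (here net, pid and mnt).
child_shares_namespaces() {
    sleep 30 &
    child=$!
    rc=0
    for t in net pid mnt; do
        if ! same_ns "$$" "$child" "$t"; then rc=1; fi
    done
    kill "$child" 2>/dev/null || true
    return "$rc"
}

# Case 2: a child started with its own network namespace (unshare -Un = new user
# and net namespace, no root needed when the kernel permits unprivileged user
# namespaces) gets a different net id while still sharing the mount namespace.
# Returns 0 without checking anything when the kernel or sandbox forbids unshare.
isolated_child_net_differs() {
    if ! unshare -Un true 2>/dev/null; then
        echo "unshare -Un not permitted here, skipping the negative case"
        return 0
    fi
    unshare -Un sleep 30 &
    child=$!
    sleep 1   # let the child enter its new namespace before we look at it
    rc=1
    if ! same_ns "$$" "$child" net && same_ns "$$" "$child" mnt; then
        rc=0
    fi
    kill "$child" 2>/dev/null || true
    return "$rc"
}

# Stand-alone run: print the comparisons for both cases.
child_shares_namespaces
isolated_child_net_differs
```

Run it as any user on a Linux box; to apply it in a Pod, exec into one container and compare your shell's pid with pid 1 (the pause process when shareProcessNamespace is on) or, from the node, compare the container's main process with the pause process found via the container runtime. A mismatch on net means the container is not in the Pod's network namespace, for example because it was started with hostNetwork.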
In the next post I'll explain some core aspects of networking in Kubernetes.

Comments

Sat March 31, 2018 04:27 PM

Multiple components.

If you're going to work on Containers in the IBM Cloud, you'll end up using Bluemix commands, Cloud Foundry commands, Docker commands, and Kubernetes commands.  That's a lot of command line stuff.  It's essential to develop a visualization of the software stack and architecture so that you know what product you need to send what command to!