What is "/usr/bin/nsenter -m/proc/1/ns/mnt" in Kubernetes Daemonset?


I have read some tutorials on how to mount a volume in a container and run the script on the host/node directly. These are the examples given.

DaemonSet pod spec

      hostPID: true
      nodeSelector:
        cloud.google.com/gke-local-ssd: "true"
      volumes:
      - name: setup-script
        configMap:
          name: local-ssds-setup
      - name: host-mount
        hostPath:
          path: /tmp/setup
      initContainers:
      - name: local-ssds-init
        image: marketplace.gcr.io/google/ubuntu1804
        securityContext:
          privileged: true
        volumeMounts:
        - name: setup-script
          mountPath: /tmp
        - name: host-mount
          mountPath: /host
        command:
          - /bin/bash
          - -c
          - |
            set -e
            set -x

            # Copy setup script to the host
            cp /tmp/setup.sh /host

            # Copy wait script to the host
            cp /tmp/wait.sh /host

            # Give execute priv to wait script
            /usr/bin/nsenter -m/proc/1/ns/mnt -- chmod u+x /tmp/setup/wait.sh

            # Give execute priv to script
            /usr/bin/nsenter -m/proc/1/ns/mnt -- chmod u+x /tmp/setup/setup.sh

            # Wait for Node updates to complete
            /usr/bin/nsenter -m/proc/1/ns/mnt /tmp/setup/wait.sh

            # If the /tmp folder is mounted on the host then it can run the script
            /usr/bin/nsenter -m/proc/1/ns/mnt /tmp/setup/setup.sh
      containers:
      - image: "gcr.io/google-containers/pause:2.0"
        name: pause

(There is a ConfigMap for composing the .sh files. I just skip that.)

What does "/usr/bin/nsenter -m/proc/1/ns/mnt" mean? Is this a command to run something on the host? What is "/proc/1/ns/mnt"?


Let's start from the namespaces to understand this in detail:

Namespaces in containers help to isolate resources among processes. Namespaces control the resources from the kernel and allocate them to the process. This provides great isolation among different containers that may run on a system.

Having said that, it also makes things complicated with these access restrictions on the namespaces. So comes the nsenter command, which will give the containers access to the namespaces, something similar to the sudo command. This command can give us access to the mount, UTS, IPC, network, PID, user, cgroup, and time namespaces.

The -m in your example is --mount, which will give access to the mount namespace specified by that file.
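The combination in the question's spec (hostPID so that /proc/1 is the node's init, a privileged security context, a hostPath volume, and nsenter pointed at /proc/1/ns/mnt) is what turns an init container into "run this as root on the node". From a review or admission-control standpoint it is worth being able to spot that pattern in a pod spec automatically. The following is an added example, not code from the question, the answer, or any Kubernetes project: it takes a pod spec as a plain dict (the shape you would get from loading the YAML or from `kubectl get -o json`), collects the relevant settings, and reports whether they add up to host-root-equivalent access. The sample spec is constructed here to mirror the DaemonSet in the question; the function names and the regex are this example's own.

```python
"""Audit a pod spec for the "run commands on the node via nsenter" pattern.

Added example, not from the original question or answer. It inspects a pod
spec given as a plain dict and reports the settings that together let a
container execute in the node's mount namespace: hostPID, privileged,
hostPath volumes, and nsenter invocations that target /proc/1/ns/* (or
-t 1 / --target 1, which resolves to the same PID 1 when hostPID is set).
"""
import re
from typing import Dict, Iterator, List, Tuple

# Matches "nsenter -m/proc/1/ns/mnt", "nsenter -m /proc/1/ns/mnt",
# "nsenter --mount=/proc/1/ns/mnt" and "nsenter -t 1 -m". Lazy [^\n]*? keeps
# a match on the line the nsenter call starts on.
NSENTER_PID1 = re.compile(
    r"nsenter\b[^\n]*?(?:/proc/1/ns/\w+|(?:-t|--target)[ =]1\b)"
)


def _all_containers(pod_spec: Dict) -> Iterator[Tuple[str, Dict]]:
    """Yield (kind, container) for both init containers and regular containers."""
    for kind in ("initContainers", "containers"):
        for container in pod_spec.get(kind) or []:
            yield kind, container


def _command_text(container: Dict) -> str:
    """Flatten command and args into one string so multi-line scripts are searchable."""
    parts = list(container.get("command") or []) + list(container.get("args") or [])
    return "\n".join(str(p) for p in parts)


def audit_pod_spec(pod_spec: Dict) -> List[str]:
    """Return human-readable findings; an empty list means the pattern is absent."""
    findings = []
    if pod_spec.get("hostPID"):
        findings.append("hostPID: true shares the node's PID namespace, so /proc/1 is the node's init")
    for vol in pod_spec.get("volumes") or []:
        if "hostPath" in vol:
            findings.append(f"volume {vol.get('name')!r} is a hostPath mount of {vol['hostPath'].get('path')}")
    for kind, container in _all_containers(pod_spec):
        name = container.get("name", "?")
        if (container.get("securityContext") or {}).get("privileged"):
            findings.append(f"{kind}/{name} runs privileged")
        for match in NSENTER_PID1.finditer(_command_text(container)):
            findings.append(f"{kind}/{name} enters a namespace of PID 1: {match.group(0).strip()}")
    return findings


def is_host_root_equivalent(pod_spec: Dict) -> bool:
    """True when hostPID, a privileged container and an nsenter into PID 1 all appear together."""
    findings = audit_pod_spec(pod_spec)
    return (
        any(f.startswith("hostPID") for f in findings)
        and any("runs privileged" in f for f in findings)
        and any("enters a namespace of PID 1" in f for f in findings)
    )


# Constructed sample mirroring the DaemonSet pod spec quoted in the question.
SAMPLE_POD_SPEC = {
    "hostPID": True,
    "volumes": [
        {"name": "setup-script", "configMap": {"name": "local-ssds-setup"}},
        {"name": "host-mount", "hostPath": {"path": "/tmp/setup"}},
    ],
    "initContainers": [{
        "name": "local-ssds-init",
        "image": "marketplace.gcr.io/google/ubuntu1804",
        "securityContext": {"privileged": True},
        "command": [
            "/bin/bash", "-c",
            "set -e\ncp /tmp/setup.sh /host\n"
            "/usr/bin/nsenter -m/proc/1/ns/mnt -- chmod u+x /tmp/setup/setup.sh\n"
            "/usr/bin/nsenter -m/proc/1/ns/mnt /tmp/setup/setup.sh\n",
        ],
    }],
    "containers": [{"name": "pause", "image": "gcr.io/google-containers/pause:2.0"}],
}

# Constructed ordinary workload for comparison: no host access at all.
BENIGN_POD_SPEC = {"containers": [{"name": "web", "image": "nginx"}]}


if __name__ == "__main__":
    for label, spec in (("sample", SAMPLE_POD_SPEC), ("benign", BENIGN_POD_SPEC)):
        print(f"{label}: host-root-equivalent={is_host_root_equivalent(spec)}")
        for line in audit_pod_spec(spec):
            print("  -", line)
```

Run against the sample, the audit lists hostPID, the hostPath volume, the privileged init container and both nsenter lines, and `is_host_root_equivalent` returns True; the benign spec produces no findings. The same check fits naturally in a CI lint over manifests or in a validating admission webhook, where the decision is usually to restrict this pattern to a specific namespace and service account rather than to forbid it outright, since node setup DaemonSets like the one in the question legitimately need it.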