Merge pull request #32237 from tengqm/tweak-shared-proc-ns

k8s-ci-robot · web-flow · commit d39b19af447d · 2022-06-16T22:54:32.000-07:00
Tweak the share process namespace page
diff --git a/content/en/docs/tasks/configure-pod-container/share-process-namespace.md b/content/en/docs/tasks/configure-pod-container/share-process-namespace.md
@@ -1,6 +1,5 @@
 ---
 title: Share Process Namespace between Containers in a Pod
-min-kubernetes-server-version: v1.10
 reviewers:
 - verb
 - yujuhong
@@ -11,64 +10,69 @@ weight: 160
 
 <!-- overview -->
 
-{{< feature-state state="stable" for_k8s_version="v1.17" >}}
-
 This page shows how to configure process namespace sharing for a pod. When
 process namespace sharing is enabled, processes in a container are visible
-to all other containers in that pod.
+to all other containers in the same pod.
 
 You can use this feature to configure cooperating containers, such as a log
 handler sidecar container, or to troubleshoot container images that don't
 include debugging utilities like a shell.
 
-
-
 ## {{% heading "prerequisites" %}}
 
-
-{{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
-
-
+{{< include "task-tutorial-prereqs.md" >}}
 
 <!-- steps -->
 
 ## Configure a Pod
 
-Process Namespace Sharing is enabled using the `shareProcessNamespace` field of
-`v1.PodSpec`. For example:
+Process namespace sharing is enabled using the `shareProcessNamespace` field of
+`.spec` for a Pod. For example:
 
 {{< codenew file="pods/share-process-namespace.yaml" >}}
 
 1. Create the pod `nginx` on your cluster:
 
-    ```shell
-    kubectl apply -f https://k8s.io/examples/pods/share-process-namespace.yaml
-    ```
+   ```shell
+   kubectl apply -f https://k8s.io/examples/pods/share-process-namespace.yaml
+   ```
 
 1. Attach to the `shell` container and run `ps`:
 
-    ```shell
-    kubectl attach -it nginx -c shell
-    ```
+   ```shell
+   kubectl attach -it nginx -c shell
+   ```
+
+   If you don't see a command prompt, try pressing enter. In the container shell:
+
+   ```shell
+   # run this inside the "shell" container
+   ps ax
+   ```
 
-    If you don't see a command prompt, try pressing enter.
+   The output is similar to this:
 
-    ```
-    / # ps ax
-    PID   USER     TIME  COMMAND
-        1 root      0:00 /pause
-        8 root      0:00 nginx: master process nginx -g daemon off;
-       14 101       0:00 nginx: worker process
-       15 root      0:00 sh
-       21 root      0:00 ps ax
-    ```
+   ```none
+   PID   USER     TIME  COMMAND
+       1 root      0:00 /pause
+       8 root      0:00 nginx: master process nginx -g daemon off;
+      14 101       0:00 nginx: worker process
+      15 root      0:00 sh
+      21 root      0:00 ps ax
+   ```
 
 You can signal processes in other containers. For example, send `SIGHUP` to
-nginx to restart the worker process. This requires the `SYS_PTRACE` capability.
+`nginx` to restart the worker process. This requires the `SYS_PTRACE` capability.
 
+```shell
+# run this inside the "shell" container
+kill -HUP 8   # change "8" to match the PID of the nginx leader process, if necessary
+ps ax
 ```
-/ # kill -HUP 8
-/ # ps ax
+
+The output is similar to this:
+
+```none
 PID   USER     TIME  COMMAND
     1 root      0:00 /pause
     8 root      0:00 nginx: master process nginx -g daemon off;
@@ -77,12 +81,18 @@ PID   USER     TIME  COMMAND
    23 root      0:00 ps ax
 ```
 
-It's even possible to access another container image using the
+It's even possible to access the file system of another container using the
 `/proc/$pid/root` link.
 
+```shell
+# run this inside the "shell" container
+# change "8" to the PID of the Nginx process, if necessary
+head /proc/8/root/etc/nginx/nginx.conf
 ```
-/ # head /proc/8/root/etc/nginx/nginx.conf
 
+The output is similar to this:
+
+```none
 user  nginx;
 worker_processes  1;
 
@@ -94,21 +104,19 @@ events {
     worker_connections  1024;
 ```
 
-
-
 <!-- discussion -->
 
-## Understanding Process Namespace Sharing
+## Understanding process namespace sharing
 
 Pods share many resources so it makes sense they would also share a process
-namespace. Some container images may expect to be isolated from other
-containers, though, so it's important to understand these differences:
+namespace. Some containers may expect to be isolated from others, though,
+so it's important to understand the differences:
 
-1. **The container process no longer has PID 1.** Some container images refuse
+1. **The container process no longer has PID 1.** Some containers refuse
    to start without PID 1 (for example, containers using `systemd`) or run
    commands like `kill -HUP 1` to signal the container process. In pods with a
-   shared process namespace, `kill -HUP 1` will signal the pod sandbox.
-   (`/pause` in the above example.)
+   shared process namespace, `kill -HUP 1` will signal the pod sandbox
+   (`/pause` in the above example).
 
 1. **Processes are visible to other containers in the pod.** This includes all
    information visible in `/proc`, such as passwords that were passed as arguments
@@ -118,6 +126,3 @@ containers, though, so it's important to understand these differences:
    `/proc/$pid/root` link.** This makes debugging easier, but it also means
    that filesystem secrets are protected only by filesystem permissions.
 
-
-
-
