Where We're Going, We Don't Need VMs: An example showing containers are Namespaced, not Virtualized

Sometimes, you just gotta go on an adventure.

Take, for example, the below YAML manifest:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: flux-capacitor
    powerNeeds: 121Gigawatts
  name: flux-capacitor
spec:
  containers:
  - args:
    - date
    - -s
    - "19851026 1:15"
    image: ubuntu
    name: flux-capacitor
    resources: {}
    securityContext:
      capabilities:
        add: ["SYS_TIME"]
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

This manifest provisions a Kubernetes pod containing a single container that runs the command date -s "19851026 1:15" and then exits. For those unfamiliar, this command sets the system clock inside the Ubuntu container to 1:15 AM on October 26th, 1985, the perfect time to go shopping for a sports almanac. Note the securityContext: the SYS_TIME capability added there is what permits the container to set the clock at all.

We create and run the container like so:

And whoa, what happened?

Let's take a look at the pod that we just created:

That's certainly strange, but I'm sure it's just my Minikube cluster acting up...

Great Scott! We've gone back to 1985! If we had issued the same command in an Ubuntu VM instead of a container, we would expect the system time within the VM to have changed while the hypervisor's clock remained untouched. Unlike a VM, which has its own fully virtualized kernel and background processes, a container is namespaced rather than virtualized.

Namespaces are a Linux kernel feature that isolates processes: a process in one namespace cannot see processes in another. They are built into the kernel and are what makes containerization work. Because the container uses the same kernel as the host (albeit within namespaces that hide most other processes from it), any change the container makes at the kernel level applies to the whole system. The system clock is one such resource: no namespace isolates the real-time clock, so a container that has been granted CAP_SYS_TIME sets the time for every process on the host.
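The practical defence is to catch manifests like this one before they are admitted. The check below is an added example, not code from the original post: it walks a pod spec and flags every added capability outside the Kubernetes Pod Security Standards "baseline" allowlist (SYS_TIME is not in it). The flux-capacitor pod is transcribed as a Python dict so the check runs without a YAML library; the function and constant names are the example's own.

```python
# Added example: flag pods that add capabilities the Pod Security Standards
# "baseline" profile does not allow (for example SYS_TIME). Not the post's code.

# Capabilities the PSS baseline profile permits in capabilities.add.
BASELINE_ALLOWED = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
    "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID",
    "SYS_CHROOT",
}

# The post's flux-capacitor manifest, transcribed as a dict (constructed input).
FLUX_CAPACITOR_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "flux-capacitor"},
    "spec": {
        "containers": [{
            "name": "flux-capacitor",
            "image": "ubuntu",
            "args": ["date", "-s", "19851026 1:15"],
            "securityContext": {"capabilities": {"add": ["SYS_TIME"]}},
        }],
    },
}


def normalize(cap):
    """Accept 'CAP_SYS_TIME' or 'sys_time' and return 'SYS_TIME'."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def disallowed_capabilities(pod):
    """Return [(container_name, capability), ...] for every added capability
    the baseline profile would reject, across init, regular and ephemeral containers."""
    spec = pod.get("spec") or {}
    findings = []
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(kind) or []:
            caps = (c.get("securityContext") or {}).get("capabilities") or {}
            for cap in caps.get("add") or []:
                name = normalize(cap)
                # "ALL" is never allowed; anything else must be on the allowlist.
                if name == "ALL" or name not in BASELINE_ALLOWED:
                    findings.append((c.get("name", "<unnamed>"), name))
    return findings


if __name__ == "__main__":
    for container, cap in disallowed_capabilities(FLUX_CAPACITOR_POD):
        print(f"container {container!r} adds {cap}, which baseline does not allow")
```

Running it against the flux-capacitor manifest reports the SYS_TIME grant; the same logic is what an admission controller enforcing the baseline profile would reject.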

Now, if you paid attention to our flux-capacitor container from earlier, you'll notice it's a one-way trip: the container takes us back to the future, then exits. And since our cluster now thinks it's 1985, its certificate is not valid at that date and won't let us spin up a new container to reset the system clock to 2023. To fix this:

And that's the Power of Love. Until next time.