---
title: 在 Pod 中的容器之间共享进程命名空间
content_type: task
weight: 200
---
<!--
---
title: Share Process Namespace between Containers in a Pod
reviewers:
- verb
- yujuhong
- dchen1107
content_type: task
weight: 200
---
-->

<!-- overview -->

<!--
This page shows how to configure process namespace sharing for a pod. When
process namespace sharing is enabled, processes in a container are visible
to all other containers in the same pod.
-->
此页面展示如何为 Pod 配置进程命名空间共享。
当启用进程命名空间共享时，容器中的进程对同一 Pod 中的所有其他容器都是可见的。

<!--
You can use this feature to configure cooperating containers, such as a log
handler sidecar container, or to troubleshoot container images that don't
include debugging utilities like a shell.
-->
你可以使用此功能来配置协作容器，比如日志处理 sidecar 容器，
或者对那些不包含诸如 shell 等调试实用工具的镜像进行故障排查。

## {{% heading "prerequisites" %}}

{{< include "task-tutorial-prereqs.md" >}}

<!-- steps -->

<!--
## Configure a Pod
-->
## 配置 Pod

<!--
Process namespace sharing is enabled using the `shareProcessNamespace` field of
`.spec` for a Pod. For example:
-->
使用 Pod `.spec` 中的 `shareProcessNamespace` 字段可以启用进程命名空间共享。例如：

{{% code_sample file="pods/share-process-namespace.yaml" %}}

<!--
1. Create the pod `nginx` on your cluster:
-->
1. 在集群中创建 `nginx` Pod：

   ```shell
   kubectl apply -f https://k8s.io/examples/pods/share-process-namespace.yaml
   ```

<!--
1. Attach to the `shell` container and run `ps`:
-->
2. 获取容器 `shell`，执行 `ps`：

   ```shell
   kubectl exec -it nginx -c shell -- /bin/sh
   ```

   <!--
   If you don't see a command prompt, try pressing enter. In the container shell:

   ```shell
   # run this inside the "shell" container
   ps ax
   ```
   -->
   如果没有看到命令提示符，请按 enter 回车键。在容器 shell 中：

   ```shell
   # 在 “shell” 容器中运行以下命令
   ps ax
   ```

   <!--
   The output is similar to this:
   -->
   输出类似于：

   ```none
   PID   USER     TIME  COMMAND
       1 root      0:00 /pause
       8 root      0:00 nginx: master process nginx -g daemon off;
      14 101       0:00 nginx: worker process
      15 root      0:00 sh
      21 root      0:00 ps ax
   ```

<!--
You can signal processes in other containers. For example, send `SIGHUP` to
`nginx` to restart the worker process. This requires the `SYS_PTRACE` capability.

```shell
# run this inside the "shell" container
kill -HUP 8   # change "8" to match the PID of the nginx leader process, if necessary
ps ax
```
-->
你可以在其他容器中对进程发出信号。例如，发送 `SIGHUP` 到 `nginx` 以重启工作进程。
此操作需要 `SYS_PTRACE` 权能。

```shell
# 在 “shell” 容器中运行以下命令
kill -HUP 8   # 如有必要，更改 “8” 以匹配 nginx 领导进程的 PID
ps ax
```

<!--
The output is similar to this:
-->
输出类似于：

```none
PID   USER     TIME  COMMAND
    1 root      0:00 /pause
    8 root      0:00 nginx: master process nginx -g daemon off;
   15 root      0:00 sh
   22 101       0:00 nginx: worker process
   23 root      0:00 ps ax
```

<!--
It's even possible to access the file system of another container using the
`/proc/$pid/root` link.

```shell
# run this inside the "shell" container
# change "8" to the PID of the Nginx process, if necessary
head /proc/8/root/etc/nginx/nginx.conf
```
-->
甚至可以使用 `/proc/$pid/root` 链接访问另一个容器的文件系统。

```shell
# 在 “shell” 容器中运行以下命令
# 如有必要，更改 “8” 为 Nginx 进程的 PID
head /proc/8/root/etc/nginx/nginx.conf
```

<!--
The output is similar to this:
-->
输出类似于：

```none
user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
```

<!-- discussion -->

<!--
## Understanding process namespace sharing
-->
## 理解进程命名空间共享

<!--
Pods share many resources so it makes sense they would also share a process
namespace. Some containers may expect to be isolated from others, though,
so it's important to understand the differences:
-->
Pod 共享许多资源，因此它们共享进程命名空间是很有意义的。
不过，有些容器可能希望与其他容器隔离，因此了解这些差异很重要:

<!--
1. **The container process no longer has PID 1.** Some containers refuse
   to start without PID 1 (for example, containers using `systemd`) or run
   commands like `kill -HUP 1` to signal the container process. In pods with a
   shared process namespace, `kill -HUP 1` will signal the pod sandbox
   (`/pause` in the above example).
-->
1. **容器进程不再具有 PID 1。** 在没有 PID 1 的情况下，一些容器拒绝启动
   （例如，使用 `systemd` 的容器)，或者拒绝执行 `kill -HUP 1` 之类的命令来通知容器进程。
   在具有共享进程命名空间的 Pod 中，`kill -HUP 1` 将通知 Pod 沙箱（在上面的例子中是 `/pause`）。

<!--
1. **Processes are visible to other containers in the pod.** This includes all
   information visible in `/proc`, such as passwords that were passed as arguments
   or environment variables. These are protected only by regular Unix permissions.
-->
2. **进程对 Pod 中的其他容器可见。** 这包括 `/proc` 中可见的所有信息，
   例如作为参数或环境变量传递的密码。这些仅受常规 Unix 权限的保护。

<!--
1. **Container filesystems are visible to other containers in the pod through the
   `/proc/$pid/root` link.** This makes debugging easier, but it also means
   that filesystem secrets are protected only by filesystem permissions.
-->
3. **容器文件系统通过 `/proc/$pid/root` 链接对 Pod 中的其他容器可见。** 这使调试更加容易，
   但也意味着文件系统安全性只受文件系统权限的保护。