जीवन की आपा धापी में Jeevan Ki Aapadhapi Mein
English Translation:
In the hustle and bustle of life, when did I find any time
That I could sit at some place for a while and think
of what is good or bad in what I did, said, assumed...
On the day I claimed my consciousness, I saw
I am standing in this world-fair,
Every one here is lost in an ambiguity
Every one is busy in one's own give and take
For a while, I remained astonished, bewildered,
Where have I come, what do I do here, where do I go?
Then, from a direction, did come a push
I too began to flow in that surge
Were the mere external chaos too little
That even the internal emotions underwent a turmoil,
Whatever (I) did, was but out of a compulsion,
Whatever (I) said, was but an out-pour of the boiling thoughts,
In the hustle and bustle of life, when did I find any time,
That I could sit at some place for a while and think
of what is good or bad in what I did, said, thought.
As much was the circus energetic (flashy) and colourful,
There was enervation within the soul,
As much as one desired to accumulate,
Smaller kept going one's formed hand-bowl ,
As much one had the ambition to hold steady,
That much harder the surge would push,
Deals are done but with a cool mind
This was a snatch-act of the haste;
Now I am generally been asked, what do I say
of what values did the destitute come scattering on the path
What priceless jewel have I received?
On which I have surrendered by mind and body
This was but a matter of destiny, don't value-judge me
To whom I considered gold, was mere soil
To what I considered a teardrop, was in fact a pearl.
In the hustle and bustle of life, when did I find any time,
That I could sit at some place for a while and think
of what is good or bad in what I did, said, thought.
How much ever I forget, wander astray or be misdirected,
There's somewhere a destination that calls me
My feet may wade through how much ever ups and downs
Still every moment, it does come near to me
I have on me the gratefulness of destiny for a lot of aspects
But I am most thankful of her for -
Whether the sky hails, or the earth spews heat
The mill of time is relentless and keeps on moving,
I am not at the position I was standing at yesterday,
It is hard to find me on the same position tomorrow,
That which transforms it by its own criteria,
By mere touching the limits of time-space
The world must give upon me a judgement of what it likes
But unstoppably, I, in this journey of life
Escape a yet another aspect of life
In the hustle and bustle of life, when did I find any time,
That I could sit at some place for a while and think
of what is good or bad in what I did, said, thought.
translated by Anuj Daga
Ephemeral Containers
kubespy
* kubectl plugin
* spy container joins namespaces: pid/net/ipc/mount
+ kubespy works without the Ephemeral Containers feature
- the cluster must use docker as container runtime
- works with privileged pods
kubctl exec
Directly log in to container so all namespaces are shared.
===========================================
Ephemeral Containers
- Here net and ipc namespace are shared. optionally pid namespace can be shared using 'kubectl dbug --target' command or using shareProcessNamespace flag at pod spec.
- a list of containers
- It shall be empty, at begining
- It can be updated only once in life time of pod using PATCH (not 'kubectl edit'). We can use 'kubectl debug' also.
- The list will not get modified even after the ephemeral container terminates.
- pod level cgroups is applicable.
- mnt namespace is not shared. Workaround : Access mnt namespace of other containers /proc/<PID>/root if shareProcessNamespace = true
+ easy to use
+ non-destructive
+ powerful low level tools
Attach ephermeral container
kubectl debug -it --attach=false -c debugger --image=busybox ${POD_NAME}
This will modify pod spec and pod status. We can attach to running ephermeral container with
kubectl attach -it -c debugger ${POD_NAME}
kubectl dbug command has another good option '--copy-to "new-name" ' A new pod is created. It is not part of deployment. it is not part of k8s service. it is like canary.
we cannot mount a volume on ephermeral container using 'kubectl debug' command. To mount volume on ephermeral container, we shall use k8s API
curl localhost:8001/api/v1/namespaces/default/pods/${POD_NAME}/ephemeralcontainers \
-XPATCH \
-H 'Content-Type: application/strategic-merge-patch+json' \
-d '
{
"spec":
{
"ephemeralContainers":
[
{
"name": "debugger",
"command": ["sh"],
"image": "busybox",
"targetContainerName": "app",
"stdin": true,
"tty": true,
"volumeMounts": [{
"mountPath": "/var/run/secrets/kubernetes.io/serviceaccount",
"name": "kube-api-access-qnhvv",
"readOnly": true
}]
}
]
}
}'
We can also start ephermeral container with privileged mode
curl localhost:8001/api/v1/namespaces/default/pods/${POD_NAME}/ephemeralcontainers \
-XPATCH \
-H 'Content-Type: application/strategic-merge-patch+json' \
-d '
{
"spec":
{
"ephemeralContainers":
[
{
"name": "debugger",
"command": ["sh"],
"image": "busybox",
"targetContainerName": "app",
"securityContext" : { "privileged" : true }.
"stdin": true,
"tty": true,
"volumeMounts": [{
"mountPath": "/var/run/secrets/kubernetes.io/serviceaccount",
"name": "kube-api-access-qnhvv",
"readOnly": true
}]
}
]
}
}'
Sharing pid namespace Ephemeral Containers
- pid namespace is not shared, unless shareProcessNamespace = true
- if we change shareProcessNamespace, then pod gets restarted. If we set shareProcessNamespace = true, by default then it will reduce isolation between containers of same pod.
use 'kubectl debug' command with '-target = "target container name".
With shareProcessNamespace flag, all containers , ephemeral container will have common pid namespace. While with -target option, only ephemeral container and one of the target containers at pod will share pid namespace. Other containers at pod, will have its own namespace.
Ephemeral Containers Example
- KoolKits
--koolkit-jvm
--koolkit-node
--koolkit-python
Reference: https://hub.docker.com/r/lightruncom/koolkits
- netshoot
It has system level dignosis tools like strace, ltrace, tcpdump etc.
Reference: https://github.com/nicolaka/netshoot
Reference:
https://iximiuz.com/en/posts/kubernetes-ephemeral-containers/
https://www.youtube.com/watch?v=obasTgzhVR0
ANCIENT Invaluable INDIAN HEALTH TIPS - as Sanskrit Quotes
ANCIENT Invaluable INDIAN HEALTH TIPS - as Sanskrit Quotes :-
1.अजीर्णे भोजनं विषम् ।
If previously taken Lunch is not digested, taking Dinner will be equivalent to taking Poison. Hunger is one signal that the previous food is digested
Proper sleep cures half of the diseases.
3. मूढ़गढ़ाल्ली गढ़व्याली।
Of all the Pulses, Green grams are the best. It boosts Immunity. Other Pulses all have one or the other side effects.
4.बागनास्थी संधानकारो रसोनहा।
Garlic even joins broken Bones.
Anything consumed in Excess,just because it tastes good,is not good for Health. Be moderate.
6. नास्थिमूलम् अनौषधाम्।
No Doctor is Lord of our Longevity. Doctors have limitations.
8. चिंता व्याधि प्रकाश्य।
Worry aggravates ill health.
9. व्यायामच्छ सनैही सनैही।
Do any Exercise slowly. Speedy exercise is not good.
Chew your Food like a Goat. Never Swallow food in a hurry. Saliva aids first in digestion.
11. स्नानम् नामा मानहप्रसाधनकरम् धुस्वप्न विध्वसनम्।
13. नास्थि मेघासमाम् थोयम्।
14. अजीर्णे भेषजम् वारी।
Always prefer things that are Fresh. Old Rice and Old Servant need to be replaced with new. (Here what it actually means in respect of Servant is: Change his Duties and not terminate.)
Take complete Food that has all tastes viz: Salt, Sweet, Bitter, Sour, Astringent and Pungent).
17. जटाराम पूरायेधरधाम अन्नाहि।
Fill your Stomach half with Solids, a quarter with Water and rest leave it empty.
Never sit idle after taking Food. Walk for at least half an hour.
19. क्षुथ साधुथाम जनयथि।
Hunger increases the taste of food. In other words, eat only when hungry.
20. चिंता जर्रानाम् मनुष्याणाम्।
Linux OS namespace v/s container, pod and worker node
Namespace:
- mnt (Mount),
- IPC,
- net (Network),
- PID,
- user (user and group)
- and UTS (=Unix Time Sharing. Host name and domain name).
Within pod, each container have its own mnt space.
Within pod, each container may or may not have its own pid namespace, depending on value for shareProcessNamespace flag at pod specification.
Pause container has all 6 namespaces. Other container(s) having only pid and mnt namespace. They share net, uts, user and ipc namespace.
So containers within pod can communicate over
- Localhost IP: 127.0.0.1
- Shared domain name / host name
- IPC: shared memory, message queue etc.
- shareProcessNamespace
- hostPID
- hostNetwork
- hostIPC
- No. 0 is default case, We do not specify any flag. All four flags are set as false. So inside pod both container have its own pid namespace. Worker node has its own pid, net, ipc namespace.
- No. 1 hostIPC = true. So pod (both container) and worker node share IPC namespace
- No. 2 hostNet = true. So pod (both container) and worker node share Network namespace. Usecase: CNI plugins related pod, ingress controller pod etc.
- No. 3 hostNet = true and hostIPC = true. So pod (both container) and worker node share Network namespace and IPC namespace
- No. 4 hostPID = true . So pod (both container) and worker node share PID namespace
- No. 5 hostPID = true and hostIPC = true. So pod (both container) and worker node share PID namespace and IPC namespace
- No. 6 hostPID = true and hostNet = true. So pod (both container) and worker node share PID namespace and Network namespace
- No. 7 hostPID = true, hostNet = true and hostIPC = true. So pod (both container) and worker node share PID namespace, Network namespace and IPC namespace
- No. 8 shareProcessNamespace = true. So both containers share PID namespace
- No. 9 shareProcessNamespace = true. So both containers share PID namespace. hostIPC = true. So pod (both container) and worker node share IPC namespace
- No. 10 shareProcessNamespace = true. So both containers share PID namespace. hostNet = true. So pod (both container) and worker node share Network namespace.
- No. 11 shareProcessNamespace = true. So both containers share PID namespace. hostIPC = true. hostNet = true. So pod (both container) and worker node share Network namespace and IPC namespace
- With CRI API spec, we can scope net, pid and ipc namespace at container level OR pod level OR node level. So, hypothetically, a pod where containers (within pod) cannot talk to each other via localhost can be constructed
