# Volumes

We’ve said that pods are similar to logical hosts where processes running inside them share resources such as CPU, RAM, network interfaces, and others. One would expect the processes to also share disks, but that’s not the case. You’ll remember that each container in a pod has its own isolated filesystem, because the file-system comes from the container’s image.

Every new container starts off with the exact set of files that was added to the image at build time. Combine this with the fact that containers in a pod get restarted (either because the process died or because the liveness probe signaled to Kubernetes that the container wasn’t healthy anymore) and you’ll realize that the new container will not see anything that was written to the filesystem by the previous container, even though the newly started container runs in the same pod.

In certain scenarios you want the new container to continue where the last one finished, such as when restarting a process on a physical machine. You may not need (or want) the whole filesystem to be persisted, but you do want to preserve the directories that hold actual data.

Kubernetes provides this by defining storage volumes. They aren’t top-level resources like pods, but are instead defined as a part of a pod and share the same lifecycle as the pod. This means a volume is created when the pod is started and is destroyed when the pod is deleted. Because of this, a volume’s contents will persist across container restarts. After a container is restarted, the new container can see all the files that were written to the volume by the previous container. Also, if a pod contains multiple containers, the volume can be used by all of them at once.

## Introducing volumes

Kubernetes volumes are a component of a pod and are thus defined in the pod’s specification—much like containers. They aren’t a standalone Kubernetes object and cannot be created or deleted on their own. A volume is available to all containers in the pod, but it must be mounted in each container that needs to access it. In each container, you can mount the volume in any location of its filesystem.

### Explaining volumes in an example

Imagine you have a pod with three containers (shown in figure 6.1). One container runs a web server that serves HTML pages from the /var/htdocs directory and stores the access log to /var/logs. The second container runs an agent that creates HTML files and stores them in /var/html. The third container processes the logs it finds in the /var/logs directory (rotates them, compresses them, analyzes them, or whatever).

<img alt="" src="https://dpzbhybb2pdcj.cloudfront.net/luksa/Figures/06fig01.jpg" data-action="zoom" data-zoom-src="https://dpzbhybb2pdcj.cloudfront.net/luksa/HighResolutionFigures/figure_6-1.png" class="medium-zoom-image">



Each container has a nicely defined single responsibility, but on its own each container wouldn’t be of much use. Creating a pod with these three containers without them sharing disk storage doesn’t make any sense, because the content generator would write the generated HTML files inside its own container and the web server couldn’t access those files, as it runs in a separate isolated container. Instead, it would serve an empty directory or whatever you put in the /var/htdocs directory in its container image. Similarly, the log rotator would never have anything to do, because its /var/logs directory would always remain empty with nothing writing logs there. A pod with these three containers and no volumes basically does nothing.

But if you add two volumes to the pod and mount them at appropriate paths inside the three containers, as shown in figure 6.2, you’ve created a system that’s much more than the sum of its parts. Linux allows you to mount a filesystem at arbitrary locations in the file tree. When you do that, the contents of the mounted filesystem are accessible in the directory it’s mounted into. By mounting the same volume into two containers, they can operate on the same files. In your case, you’re mounting two volumes in three containers. By doing this, your three containers can work together and do something useful. Let me explain how.

<img alt="" src="https://dpzbhybb2pdcj.cloudfront.net/luksa/Figures/06fig02.jpg" data-action="zoom" data-zoom-src="https://dpzbhybb2pdcj.cloudfront.net/luksa/HighResolutionFigures/figure_6-2.png" class="medium-zoom-image">

First, the pod has a volume called publicHtml. This volume is mounted in the WebServer container at /var/htdocs, because that’s the directory the web server serves files from. The same volume is also mounted in the ContentAgent container, but at /var/html, because that’s where the agent writes the files to. By mounting this single volume like that, the web server will now serve the content generated by the content agent.

Similarly, the pod also has a volume called logVol for storing logs. This volume is mounted at /var/logs in both the WebServer and the LogRotator containers. Note that it isn’t mounted in the ContentAgent container. The container cannot access its files, even though the container and the volume are part of the same pod. It’s not enough to define a volume in the pod; you need to define a VolumeMount inside the container’s spec also, if you want the container to be able to access it.

The two volumes in this example can both initially be empty, so you can use a type of volume called emptyDir. Kubernetes also supports other types of volumes that are either populated during initialization of the volume from an external source, or an existing directory is mounted inside the volume. This process of populating or mounting a volume is performed before the pod’s containers are started.

A volume is bound to the lifecycle of a pod and will stay in existence only while the pod exists, but depending on the volume type, the volume’s files may remain intact even after the pod and volume disappear, and can later be mounted into a new volume. Let’s see what types of volumes exist.

### Introducing available volume types

A wide variety of volume types is available. Several are generic, while others are specific to the actual storage technologies used underneath. Don’t worry if you’ve never heard of those technologies — I hadn’t heard of at least half of them. You’ll probably only use volume types for the technologies you already know and use. Here’s a list of several of the available volume types:

- emptyDir—A simple empty directory used for storing transient data.
- hostPath—Used for mounting directories from the worker node’s filesystem into the pod.
- gitRepo—A volume initialized by checking out the contents of a Git repository.
- nfs—An NFS share mounted into the pod.
- gcePersistentDisk (Google Compute Engine Persistent Disk), awsElasticBlockStore (Amazon Web Services Elastic Block Store Volume), azureDisk (Microsoft Azure Disk Volume)—Used for mounting cloud provider-specific storage.
- cinder, cephfs, iscsi, flocker, glusterfs, quobyte, rbd, flexVolume, vsphere-Volume, photonPersistentDisk, scaleIO—Used for mounting other types of network storage.
- configMap, secret, downwardAPI—Special types of volumes used to expose certain Kubernetes resources and cluster information to the pod.
- persistentVolumeClaim—A way to use a pre- or dynamically provisioned persistent storage. (We’ll talk about them in the last section of this chapter.)

These volume types serve various purposes. You’ll learn about some of them in the following sections. Special types of volumes (secret, downwardAPI, configMap) are covered in the next two chapters, because they aren’t used for storing data, but for exposing Kubernetes metadata to apps running in the pod.

A single pod can use multiple volumes of different types at the same time, and, as we’ve mentioned before, each of the pod’s containers can either have the volume mounted or not.

## Using volumes to share data between containers
Although a volume can prove useful even when used by a single container, let’s first focus on how it’s used for sharing data between multiple containers in a pod.

### Using an emptyDir volume
The simplest volume type is the emptyDir volume, so let’s look at it in the first example of how to define a volume in a pod. As the name suggests, the volume starts out as an empty directory. The app running inside the pod can then write any files it needs to it. Because the volume’s lifetime is tied to that of the pod, the volume’s contents are lost when the pod is deleted.

An emptyDir volume is especially useful for sharing files between containers running in the same pod. But it can also be used by a single container for when a container needs to write data to disk temporarily, such as when performing a sort operation on a large dataset, which can’t fit into the available memory. The data could also be written to the container’s filesystem itself (remember the top read-write layer in a container?), but subtle differences exist between the two options. A container’s filesystem may not even be writable (we’ll talk about this toward the end of the book), so writing to a mounted volume might be the only option.

**Using an emptyDir volume in a pod**

Let’s revisit the previous example where a web server, a content agent, and a log rotator share two volumes, but let’s simplify a bit. You’ll build a pod with only the web server container and the content agent and a single volume for the HTML.

You’ll use Nginx as the web server and the UNIX fortune command to generate the HTML content. The fortune command prints out a random quote every time you run it. You’ll create a script that invokes the fortune command every 10 seconds and stores its output in index.html. You’ll find an existing Nginx image available on Docker Hub, but you’ll need to either create the fortune image yourself or use the one I’ve already built and pushed to Docker Hub under luksa/fortune. If you want a refresher on how to build Docker images, refer to the sidebar.

**Building the fortune container image**

Here’s how to build the image. Create a new directory called fortune and then inside it, create a `fortuneloop.sh` shell script with the following contents:

    #!/bin/bash
    trap "exit" SIGINT
    while :
    do
      echo $(date) Writing fortune to /var/htdocs/index.html
      /usr/games/fortune > /var/htdocs/index.html
      sleep 10
    done

Then, in the same directory, create a file called Dockerfile containing the following:

    FROM ubuntu:latest
    RUN apt-get update ; apt-get -y install fortune
    ADD fortuneloop.sh /bin/fortuneloop.sh
    ENTRYPOINT /bin/fortuneloop.sh


The image is based on the ubuntu:latest image, which doesn’t include the fortune binary by default. That’s why in the second line of the Dockerfile you install it with apt-get. After that, you add the fortuneloop.sh script to the image’s /bin folder. In the last line of the Dockerfile, you specify that the fortuneloop.sh script should be executed when the image is run.

After preparing both files, build and upload the image to Docker Hub with the following two commands (replace luksa with your own Docker Hub user ID):

    docker build -t leon11sj/fortune .
    docker push leon11sj/fortune

**Creating the pod**

Now that you have the two images required to run your pod, it’s time to create the pod manifest. Create a file called fortune-pod.yaml with the contents shown in the following listing.

```yml
apiVersion: v1
kind: Pod
metadata:
  name: fortune
spec:
  containers:
  - image: leon11sj/fortune
    name: html-generator
    volumeMounts:
    - name: html
      mountPath: /var/htdocs
  - image: nginx:alpine
    name: web-server
    volumeMounts:
    - name: html
      mountPath: /usr/share/nginx/html
      readOnly: true
    ports:
    - containerPort: 80
      protocol: TCP
  volumes:
  - name: html
    emptyDir: {}
```

The pod contains two containers and a single volume that’s mounted in both of them, yet at different paths. When the html-generator container starts, it starts writing the output of the fortune command to the /var/htdocs/index.html file every 10 seconds. Because the volume is mounted at /var/htdocs, the index.html file is written to the volume instead of the container’s top layer. As soon as the web-server container starts, it starts serving whatever HTML files are in the /usr/share/nginx/html directory (this is the default directory Nginx serves files from). Because you mounted the volume in that exact location, Nginx will serve the index.html file written there by the container running the fortune loop. The end effect is that a client sending an HTTP request to the pod on port 80 will receive the current fortune message as the response.

    kubectl apply -f ex01-fortune-pod.yaml

**Seeing the pod in action**

To see the fortune message, you need to enable access to the pod. You’ll do that by forwarding a port from your local machine to the pod:

    kubectl port-forward fortune 8080:80

> NOTE: As an exercise, you can also expose the pod through a service instead of using port forwarding.

Now you can access the Nginx server through port 8080 of your local machine. Use curl to do that:

    curl http://localhost:8080

If you wait a few seconds and send another request, you should receive a different message. By combining two containers, you created a simple app to see how a volume can glue together two containers and enhance what each of them does.

**Specifying the medium to use for the emptyDir**

The emptyDir you used as the volume was created on the actual disk of the worker node hosting your pod, so its performance depends on the type of the node’s disks. But you can tell Kubernetes to create the emptyDir on a tmpfs filesystem (in memory instead of on disk). To do this, set the emptyDir’s medium to Memory like this:

    volumes:
      - name: html
        emptyDir:
          medium: Memory

An emptyDir volume is the simplest type of volume, but other types build upon it. After the empty directory is created, they populate it with data. One such volume type is the gitRepo volume type, which we’ll introduce next.

### Using a Git repository as the starting point for a volume

A gitRepo volume is basically an emptyDir volume that gets populated by cloning a Git repository and checking out a specific revision when the pod is starting up (but before its containers are created). Figure 6.3 shows how this unfolds.

<img alt="" src="https://dpzbhybb2pdcj.cloudfront.net/luksa/Figures/06fig03_alt.jpg" data-action="zoom" data-zoom-src="https://dpzbhybb2pdcj.cloudfront.net/luksa/HighResolutionFigures/figure_6-3.png" class="medium-zoom-image">

> NOTE: After the gitRepo volume is created, it isn’t kept in sync with the repo it’s referencing. The files in the volume will not be updated when you push additional commits to the Git repository. However, if your pod is managed by a ReplicationController, deleting the pod will result in a new pod being created and this new pod’s volume will then contain the latest commits.

For example, you can use a Git repository to store static HTML files of your website and create a pod containing a web server container and a gitRepo volume. Every time the pod is created, it pulls the latest version of your website and starts serving it. The only drawback to this is that you need to delete the pod every time you push changes to the gitRepo and want to start serving the new version of the website.

## Accessing files on the worker node’s filesystem

Most pods should be oblivious of their host node, so they shouldn’t access any files on the node’s filesystem. But certain system-level pods (remember, these will usually be managed by a DaemonSet) do need to either read the node’s files or use the node’s filesystem to access the node’s devices through the filesystem. Kubernetes makes this possible through a hostPath volume.

### Introducing the hostPath volume

A hostPath volume points to a specific file or directory on the node’s filesystem (see figure 6.4). Pods running on the same node and using the same path in their hostPath volume see the same files.

<img alt="" src="https://dpzbhybb2pdcj.cloudfront.net/luksa/Figures/06fig04_alt.jpg" data-action="zoom" data-zoom-src="https://dpzbhybb2pdcj.cloudfront.net/luksa/HighResolutionFigures/figure_6-4.png" class="medium-zoom-image">

hostPath volumes are the first type of persistent storage we’re introducing, because both the gitRepo and emptyDir volumes’ contents get deleted when a pod is torn down, whereas a hostPath volume’s contents don’t. If a pod is deleted and the next pod uses a hostPath volume pointing to the same path on the host, the new pod will see whatever was left behind by the previous pod, but only if it’s scheduled to the same node as the first pod.

If you’re thinking of using a hostPath volume as the place to store a database’s data directory, think again. Because the volume’s contents are stored on a specific node’s filesystem, when the database pod gets rescheduled to another node, it will no longer see the data. This explains why it’s not a good idea to use a hostPath volume for regular pods, because it makes the pod sensitive to what node it’s scheduled to.

> TIP: Remember to use hostPath volumes only if you need to read or write system files on the node. Never use them to persist data across pods.

## Using persistent storage

When an application running in a pod needs to persist data to disk and have that same data available even when the pod is rescheduled to another node, you can’t use any of the volume types we’ve mentioned so far. Because this data needs to be accessible from any cluster node, it must be stored on some type of network-attached storage (NAS).

To learn about volumes that allow persisting data, you’ll create a pod that will run the MongoDB document-oriented NoSQL database. Running a database pod without a volume or with a non-persistent volume doesn’t make sense, except for testing purposes, so you’ll add an appropriate type of volume to the pod and mount it in the MongoDB container.

### Using a GCE Persistent Disk in a pod volume

If you’ve been running these examples on Google Kubernetes Engine, which runs your cluster nodes on Google Compute Engine (GCE), you’ll use a GCE Persistent Disk as your underlying storage mechanism.

In the early versions, Kubernetes didn’t provision the underlying storage automatically—you had to do that manually. Automatic provisioning is now possible, and you’ll learn about it later in the chapter, but first, you’ll start by provisioning the storage manually. It will give you a chance to learn exactly what’s going on underneath.

**Creating a GCE Persistent Disk**

You’ll start by creating the GCE persistent disk first. You need to create it in the same zone as your Kubernetes cluster. If you don’t remember what zone you created the cluster in, you can see it by listing your Kubernetes clusters with the gcloud command like this:

    gcloud container clusters list

This shows you’ve created your cluster in zone europe-west1-b, so you need to create the GCE persistent disk in the same zone as well. You create the disk like this:

    gcloud compute disks create mongodb --size=10GiB --zone=europe-west3-a

    gcloud compute disks list

This command creates a 10 GiB large GCE persistent disk called mongodb. You can ignore the warning about the disk size, because you don’t care about the disk’s performance for the tests you’re about to run.

**Creating a pod using a gcePersistentDisk volume**

Now that you have your physical storage properly set up, you can use it in a volume inside your MongoDB pod. You’re going to prepare the YAML for the pod, which is shown in the following listing.

```yml
apiVersion: v1
kind: Pod
metadata:
  name: mongodb
spec:
  volumes:
  - name: mongodb-data
    gcePersistentDisk:
      pdName: mongodb
      fsType: ext4
  containers:
  - image: mongo
    name: mongodb
    volumeMounts:
    - name: mongodb-data
      mountPath: /data/db
    ports:
    - containerPort: 27017
      protocol: TCP
```

The pod contains a single container and a single volume backed by the GCE Persistent Disk you’ve created (as shown in figure 6.5). You’re mounting the volume inside the container at /data/db, because that’s where MongoDB stores its data.

<img alt="" src="https://dpzbhybb2pdcj.cloudfront.net/luksa/Figures/06fig05_alt.jpg" data-action="zoom" data-zoom-src="https://dpzbhybb2pdcj.cloudfront.net/luksa/HighResolutionFigures/figure_6-5.png" class="medium-zoom-image">

    kubectl apply -f ex02-mongodb-pod-gcepd.yaml

**Writing data to the persistent storage by adding documents to your MongoDB database**

Now that you’ve created the pod and the container has been started, you can run the MongoDB shell inside the container and use it to write some data to the data store.

You’ll run the shell as shown in the following listing.

    kubectl exec -it mongodb -- mongo

MongoDB allows storing JSON documents, so you’ll store one to see if it’s stored persistently and can be retrieved after the pod is re-created. Insert a new JSON document with the following commands:

    use mystore
    db.foo.insert({name:'foo'})

You’ve inserted a simple JSON document with a single property (name: 'foo'). Now, use the find() command to see the document you inserted:

     db.foo.find()

There it is. The document should be stored in your GCE persistent disk now.

**Re-creating the pod and verifying that it can read the data persisted by the previous pod**

You can now exit the mongodb shell (type exit and press Enter), and then delete the pod and recreate it:

    kubectl delete pod mongodb
    kubectl apply -f ex02-mongodb-pod-gcepd.yaml

The new pod uses the exact same GCE persistent disk as the previous pod, so the MongoDB container running inside it should see the exact same data, even if the pod is scheduled to a different node.

> You can see what node a pod is scheduled to by running `kubectl get po -o wide`.

Once the container is up, you can again run the MongoDB shell and check to see if the document you stored earlier can still be retrieved, as shown in the following listing.

    kubectl exec -it mongodb -- mongo

    use mystore
    db.foo.find()




As expected, the data is still there, even though you deleted the pod and re-created it. This confirms you can use a GCE persistent disk to persist data across multiple pod instances.

You’re done playing with the MongoDB pod, so go ahead and delete it again, but hold off on deleting the underlying GCE persistent disk. You’ll use it again later in the chapter.

    kubectl delete pod mongodb

### Using other types of volumes with underlying persistent storage

The reason you created the GCE Persistent Disk volume is because your Kubernetes cluster runs on Google Kubernetes Engine. When you run your cluster elsewhere, you should use other types of volumes, depending on the underlying infrastructure.

If your Kubernetes cluster is running on Amazon’s AWS EC2, for example, you can use an awsElasticBlockStore volume to provide persistent storage for your pods. If your cluster runs on Microsoft Azure, you can use the azureFile or the azureDisk volume. We won’t go into detail on how to do that here, but it’s virtually the same as in the previous example. First, you need to create the actual underlying storage, and then set the appropriate properties in the volume definition.

**Using an AWS Elastic Block Store volume**

For example, to use an AWS elastic block store instead of the GCE Persistent Disk, you’d only need to change the volume definition as shown in the following listing (see those lines printed in bold).

    apiVersion: v1
    kind: Pod
    metadata:
      name: mongodb
    spec:
      volumes:
      - name: mongodb-data
        awsElasticBlockStore:
          volumeId: my-volume
          fsType: ext4
      containers:
      - ...



## Decoupling pods from the underlying storage technology

All the persistent volume types we’ve explored so far have required the developer of the pod to have knowledge of the actual network storage infrastructure available in the cluster. For example, to create a NFS-backed volume, the developer has to know the actual server the NFS export is located on. This is against the basic idea of Kubernetes, which aims to hide the actual infrastructure from both the application and its developer, leaving them free from worrying about the specifics of the infrastructure and making apps portable across a wide array of cloud providers and on-premises datacenters.

Ideally, a developer deploying their apps on Kubernetes should never have to know what kind of storage technology is used underneath, the same way they don’t have to know what type of physical servers are being used to run their pods. Infrastructure-related dealings should be the sole domain of the cluster administrator.

When a developer needs a certain amount of persistent storage for their application, they can request it from Kubernetes, the same way they can request CPU, memory, and other resources when creating a pod. The system administrator can configure the cluster so it can give the apps what they request.

### Introducing PersistentVolumes and PersistentVolumeClaims

To enable apps to request storage in a Kubernetes cluster without having to deal with infrastructure specifics, two new resources were introduced. They are Persistent-Volumes and PersistentVolumeClaims. The names may be a bit misleading, because as you’ve seen in the previous few sections, even regular Kubernetes volumes can be used to store persistent data.

Using a PersistentVolume inside a pod is a little more complex than using a regular pod volume, so let’s illustrate how pods, PersistentVolumeClaims, PersistentVolumes, and the actual underlying storage relate to each other in figure 6.6.

<img alt="" src="https://dpzbhybb2pdcj.cloudfront.net/luksa/Figures/06fig06_alt.jpg" data-action="zoom" data-zoom-src="https://dpzbhybb2pdcj.cloudfront.net/luksa/HighResolutionFigures/figure_6-6.png" class="medium-zoom-image">

Instead of the developer adding a technology-specific volume to their pod, it’s the cluster administrator who sets up the underlying storage and then registers it in Kubernetes by creating a PersistentVolume resource through the Kubernetes API server. When creating the PersistentVolume, the admin specifies its size and the access modes it supports.

When a cluster user needs to use persistent storage in one of their pods, they first create a PersistentVolumeClaim manifest, specifying the minimum size and the access mode they require. The user then submits the PersistentVolumeClaim manifest to the Kubernetes API server, and Kubernetes finds the appropriate PersistentVolume and binds the volume to the claim.

The PersistentVolumeClaim can then be used as one of the volumes inside a pod. Other users cannot use the same PersistentVolume until it has been released by deleting the bound PersistentVolumeClaim.

### Creating a PersistentVolume

Let’s revisit the MongoDB example, but unlike before, you won’t reference the GCE Persistent Disk in the pod directly. Instead, you’ll first assume the role of a cluster administrator and create a PersistentVolume backed by the GCE Persistent Disk. Then you’ll assume the role of the application developer and first claim the PersistentVolume and then use it inside your pod.

In section 6.4.1 you set up the physical storage by provisioning the GCE Persistent Disk, so you don’t need to do that again. All you need to do is create the Persistent-Volume resource in Kubernetes by preparing the manifest shown in the following listing and posting it to the API server.

```yml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: mongodb-pv
spec:
  capacity:
    storage: 1Gi
  accessModes:
  - ReadWriteOnce
  - ReadOnlyMany
  persistentVolumeReclaimPolicy: Retain
  gcePersistentDisk:
    pdName: mongodb
    fsType: ext4
        
        ```