networking for nested containers: magnum, kuryr, neutron integration
TRANSCRIPT
-
Magnum, Kuryr, Neutron Integration: Networking for Nested Containers
Fawad Khaliq - @fawadkhaliq, Antoni Segura - @celebdor, Gal Sagie - @GalSagie
-
Copyright PLUMgrid, Inc. 2011-2016
Introduction: Speakers
Fawad Khaliq - Sr. Software Engineer, PLUMgrid
Antoni Segura - Senior Engineer, Midokura
Gal Sagie - Architect, Huawei
-
Agenda
Magnum, Neutron, Kuryr
Nested Containers and Networking Problem
Nested Containers Networking Solution/Design
Capabilities and Considerations
Current Status
Next Steps
Q&A
-
Magnum: Container-as-a-service in OpenStack
-
Magnum: Container-as-a-service in OpenStack
Figure: a Docker Swarm bay, made up of Nova instances each running several containers.
-
Magnum: Container-as-a-service in OpenStack
Figure: a Kubernetes bay, made up of Nova instances each running pods, with the containers inside the pods.
-
-
Neutron: Networking in OpenStack
-
Neutron
Provides network as a service
Provides rich network topologies
Technology agnostic; pluggable networking backends
Extensible
Offers advanced services like LBaaS, VPNaaS, FWaaS, etc.
-
Kuryr: Container Networking in OpenStack
-
Kuryr
Neutron as the production-ready networking abstraction containers need
-
VM/Container Networking: Similar Concepts
Figure, Docker side: containers C1, C2 and C3 attach to libNetwork, each inside its own network sandbox, with endpoints on a Frontend Network and a Backend Network.
Figure, Neutron side: VM1 and VM2 with addresses 192.168.1.5, 192.168.1.7 and 192.168.5.2 on Tenant A Net1 (192.168.1.0/0) and Tenant A Net2 (192.168.5.0/0).
-
Kuryr Project Overview
Open source
Part of OpenStack Big-Tent
Brings the Neutron networking model to containers
Aims to support different container runtimes (docker, rkt, etc.)
E.g. Kubernetes, Mesos, Docker Swarm
Weekly IRC meetings
Working together with the OpenStack community: Neutron, Magnum, Kolla
-
Kuryr Components
Configuration Management
Kuryr libNetwork Network Plugin
Kuryr libNetwork IPAM Plugin
K8S CNI Driver
Keystone Authentication & Neutron Client Interface
Generic VIF Binding
-
Problems with Current Nested Containers: Why do we need to consider this as a special scenario?
-
Problems with Current Nested Containers Networking
Two separate networking infrastructures
Hard to enforce network policy (N-tier applications)
Security and isolation
Performance and unneeded overhead
-
Problems with Current Nested Containers Networking
Figure: two overlays stacked. Inside each VM, a docker0 bridge attached to OVS with its own VXLAN overlay (the container SDN overlay); underneath, the Neutron plugin with the Neutron VXLAN overlay.
-
Problems with Current Nested Containers Networking
Figure, Neutron networks: three VMs attached to Tenant A Net1 192.168.1.0/0.
-
Problems with Current Nested Containers Networking
Figure, container networks: endpoints inside the same VMs attached to a Frontend Network 10.1.0.0/24 and a Backend Network 10.2.0.0/24, separate from the Neutron networks.
-
Nested Container Networking Solution: Design for nested container networking in OpenStack
-
Nested Container Networking Use Cases
Nested/baremetal container to nested/baremetal container, same or different hosts
Nested/baremetal container to virtual machine communication
Nested/baremetal container to baremetal communication
Container networking as a first-class entity in Neutron
Consistent policy enforcement across containers, VMs and bare metal
Enable advanced networking services like FWaaS, LBaaS, VPNaaS, etc.
-
Nested Container Networking Design: Magnum, Kuryr, Neutron Integration
Figure: containers inside the Nova instances tagged VLAN:100, VLAN:200, VLAN:400 and VLAN:100.
-
Neutron Trunk Ports
Figure: a Nova instance with port-0 on network-0, port-1 on network-1 and port-2 on network-2. The ports are combined into one VIF by turning port-0 into a trunk and the other ports into subports of the trunk.
-
-
Capabilities and Considerations
-
Capabilities and Considerations
Neutron resources: spec approved and patches under review (Trunk, Subport)
Subports bring isolation to container-in-VM use cases
Port forwarding can take us further
Vendors can implement new segmentation types
Tagged traffic that does not match a subport is considered traffic of the trunk port
-
Capabilities and Considerations: Limitations
Policy is applied at the host level
Initially only VLAN tags as segmentation type
Tags are unique per trunk port scope
VM users can alter subport traffic
Logging of VM actions is dependent on the integration
Can't work with current OVS
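As an added example (not code from the talk, Kuryr or Neutron), the following Python models the trunk/subport behaviour described on the trunk-port slide and the two capabilities/limitations slides: VLAN tags map to subports within the scope of one trunk, the same tag may be reused on a different trunk, a tagged frame with no matching subport falls back to the trunk port, only VLAN segmentation is accepted, and the tag is whatever the guest put on the frame. Port ids, network names and MAC addresses are constructed sample values; the 802.1Q parsing is standard header layout.

```python
"""Trunk port / VLAN subport model for container-in-VM networking.

Added example, not code from Kuryr, Neutron or the talk. Port ids,
networks and MACs below are constructed sample values.
"""
import struct
from dataclasses import dataclass, field

ETH_P_8021Q = 0x8100  # 802.1Q tag protocol identifier
ETH_P_IP = 0x0800     # IPv4 ethertype used inside the sample frames


class DuplicateSegmentationId(ValueError):
    """A segmentation id reused inside one trunk (tags are unique per trunk scope)."""


@dataclass
class Port:
    port_id: str   # hypothetical Neutron port id
    network: str   # Neutron network the port belongs to


@dataclass
class Trunk:
    parent: Port                                   # port-0 on the slide: the VM's own VIF
    subports: dict = field(default_factory=dict)   # segmentation_id -> Port

    def add_subport(self, port, segmentation_id, segmentation_type="vlan"):
        # The initial trunk implementation only supports VLAN as segmentation type.
        if segmentation_type != "vlan":
            raise ValueError("unsupported segmentation type: %s" % segmentation_type)
        if not 1 <= segmentation_id <= 4094:
            raise ValueError("VLAN id out of range: %d" % segmentation_id)
        # Uniqueness is enforced per trunk only; another trunk may reuse the tag.
        if segmentation_id in self.subports:
            raise DuplicateSegmentationId(
                "VLAN %d already used on trunk %s" % (segmentation_id, self.parent.port_id))
        self.subports[segmentation_id] = port

    def classify(self, vlan_tag):
        """Port that owns traffic carrying vlan_tag (None means untagged)."""
        if vlan_tag is None:
            return self.parent
        # The tag is set inside the guest, so this trusts the VM (a limitation on the
        # slides). Tagged traffic with no matching subport is the trunk port's own.
        return self.subports.get(vlan_tag, self.parent)


def vlan_tag_of(frame):
    """802.1Q VLAN id of an Ethernet frame, or None when the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF   # low 12 bits of the TCI are the VLAN id


def build_frame(dst, src, vlan=None, payload=b""):
    """Constructed sample frame: Ethernet header, optional 802.1Q tag, IPv4 ethertype."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF)   # PCP/DEI left at zero
    return hdr + struct.pack("!H", ETH_P_IP) + payload


def deliver(trunk, frame):
    """Map a frame arriving on the trunk's VIF to the Neutron port it belongs to."""
    return trunk.classify(vlan_tag_of(frame))


def build_demo():
    """Two worker VMs as on the design slide: VLAN 100/200 on one, 400/100 on the other."""
    vm1 = Trunk(Port("vm1-port-0", "network-0"))
    vm1.add_subport(Port("c1", "network-1"), 100)
    vm1.add_subport(Port("c2", "network-2"), 200)
    vm2 = Trunk(Port("vm2-port-0", "network-0"))
    vm2.add_subport(Port("c3", "network-1"), 400)
    vm2.add_subport(Port("c4", "network-2"), 100)   # same tag, different trunk: allowed
    return vm1, vm2


if __name__ == "__main__":
    vm1, vm2 = build_demo()
    mac_a, mac_b = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02")
    for tag in (None, 100, 200, 999):
        print(tag, "->", deliver(vm1, build_frame(mac_a, mac_b, tag)).port_id)
```

Because the subport is a regular Neutron port, security groups and other policy attach to it and so apply per container; the fallback of unmatched tags to the parent port is why a stray tag chosen inside the guest lands in the VM's own policy rather than in nobody's.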
-
Current Status
-
Current Status
Trunk Port Extension: spec approved and code in progress
Binding profile workaround to proceed in parallel
Nested Container Networking spec approved in Kuryr
Docker Swarm integration completed
Kubernetes in progress
Mesos in design stages
-
Next Steps
-
Next Steps
Follow up on the Neutron Trunk port implementation
Finish COE baremetal integration
Policy translation
Make Neutron resources available through native APIs
Magnum deployment prototype of worker VM with Kuryr agent
Magnum administrator VM that communicates with Neutron
-
Questions
-
Join us at #openstack-kuryr
THANK YOU!
irc: #openstack-kuryr @ freenode