THE BRAINS OF THE NEW GLOBAL NETWORK
CALICO AND CONTAINERS – SIMPLE IP NETWORKING
Peter White, 19th March 2015
AGENDA
- A bit about Calico
  - what it is
  - motivation
  - how it works
  - what it does
- Containers with Calico
Metaswitch Networks | Proprietary and confidential | © 2014 | 2
WHAT IS CALICO?
- Open source (Apache licensed) project
- Networking of workloads in a data center / cloud environment
- Sponsored by Metaswitch
Simple: Don’t demand users to be networking experts
Scale: Thousands of servers, 100k’s of workloads
Open: Open source and open standards
WHY SHOULD I CARE ABOUT NETWORKING?
- You shouldn’t need to know or care!
  - (up to a point)
- Networking needs to just work and not get in the way
- But there’s a risk that containers get as hard as VMs
  - and that is very very bad indeed
TRADITIONAL VIRTUALISED NETWORKING MODEL
Virtual L2 segments, implemented in software by virtual switch
[Figure: three Linux hosts, each running a vSwitch that encapsulates and de-encapsulates VM traffic (and floods). Encapsulated packet layout: Outer MAC | Outer IP | Outer UDP | VXLAN | VM MAC | VM IP | VM TCP/UDP | VM Data. Callouts: a router service is required to hop between tenants; NAT is required for public Internet access; an on/off-ramp is required to get to NAS, etc.]
THIS LEADS TO…
Virtual L2 segments, implemented in software by virtual switch
☹ Complexity
☹ Scale / performance issues
☹ Operational overhead
☹ Inefficient resource utilization
☹ Difficulty troubleshooting
☹ Demands placed on everybody to be networking experts
WHAT IF WE BUILT A DATA CENTER LIKE THE INTERNET?
… It doesn’t have to be this way!
WHAT IF WE BUILT A DATA CENTER LIKE THE INTERNET?
[Figure: eight apps, each with its own IP address, attached to hosts; the hosts connect to routers, and the routers exchange routes over BGP.]
[Figure: the same Internet-style layout applied to a data center: apps, each with its own IP address, run as VMs / LXCs on compute nodes, and the compute nodes peer over BGP with the routers.]
ADVANTAGES OF THE CALICO MODEL
- More scalable
  - Based on proven Internet-style architecture
- More efficient
  - Simplified data path between VMs and physical network
  - Equal Cost Multi-Path (ECMP) enables full utilization of physical links
- Easier to troubleshoot
  - Eliminates nested IP stacks needed for overlay-based networking
- More secure
  - Applies traffic isolation rules at both egress and ingress points
- More interoperable
  - Supports direct connectivity between VMs, Linux Containers (LXCs) and physical devices
  - Does not require “On/Off ramps” for non-virtualized network elements
- More robust
  - Load-balancing and resilience easily provided by Anycast
- More straightforward
  - 1:1 NAT and floating IPs are no longer strict requirements
- More distributable
  - Supports geographically distributed service chains straightforwardly
CONTAINERS VS. VMS
- We did it for OpenStack first
- But the same problems apply in container-land
  - Complexity
  - Diagnosability
  - Scale
  - Performance
- Only potentially much worse
  - More containers per host (100s, not 10s)
  - Shorter lifetimes (hours vs. days)
CONTAINERS WITH CALICO
- Each container gets an IP
- Each container gets a veth interface for that IP
- Routing “just happens”
  - Calico components set up rules in the Linux kernel for the interface
  - BGP replicates those rules around between hosts
- ACLs are implemented using iptables / ipsets
  - For example, disallowing containers in tenant A to access containers in tenant B
  - For example, allowing incoming traffic based on source, port, protocol
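As an added illustration of this slide (example code, not Calico's own), the script below generates the host-side commands the model implies for a constructed inventory: one /32 route per container veth, one ipset per tenant, and FORWARD rules that keep tenants apart while allowing listed inbound traffic by source, protocol and port; it then evaluates the same policy in Python. Interface names, set names, tenant names and the inbound allow list are assumptions made for the example.

```python
# Constructed inventory for one host: container name -> (IP, veth, tenant).
# Interface and set names are assumptions made for this example, not Calico's.
CONTAINERS = {
    "web1": ("10.65.0.2", "veth_web1", "tenantA"),
    "web2": ("10.65.0.3", "veth_web2", "tenantA"),
    "db1":  ("10.65.0.4", "veth_db1",  "tenantB"),
}
# Constructed inbound allow list: (dest tenant, proto, dport, allowed source tenant).
INBOUND = [("tenantB", "tcp", 5432, "tenantA")]


def host_rules(containers, inbound):
    """Commands a host would run: a /32 route per container, an ipset per
    tenant, FORWARD rules permitting same-tenant traffic plus the listed
    inbound exceptions, and a final DROP. Every host installs the same table,
    so a flow is checked on egress (source host) and ingress (destination host)."""
    tenants = sorted({t for _, _, t in containers.values()})
    cmds = [f"ipset create {t} hash:ip" for t in tenants]
    for ip, veth, tenant in containers.values():
        cmds.append(f"ip route add {ip}/32 dev {veth}")  # the route BGP advertises
        cmds.append(f"ipset add {tenant} {ip}")
    for t in tenants:  # default: a tenant may only reach its own containers
        cmds.append(f"iptables -A FORWARD -m set --match-set {t} src "
                    f"-m set --match-set {t} dst -j ACCEPT")
    for dst_t, proto, port, src_t in inbound:  # explicit cross-tenant holes
        cmds.append(f"iptables -A FORWARD -p {proto} --dport {port} "
                    f"-m set --match-set {src_t} src -m set --match-set {dst_t} dst -j ACCEPT")
    cmds.append("iptables -A FORWARD -j DROP")
    return cmds


def tenant_of(containers, ip):
    return next((t for cip, _, t in containers.values() if cip == ip), None)


def allowed(containers, inbound, src_ip, dst_ip, proto, dport):
    """Evaluate the same policy in Python: True if the rules above would
    forward a packet src_ip -> dst_ip (unknown addresses hit the final DROP)."""
    src_t, dst_t = tenant_of(containers, src_ip), tenant_of(containers, dst_ip)
    if src_t is None or dst_t is None:
        return False
    if src_t == dst_t:
        return True
    return any(d == dst_t and s == src_t and p == proto and dp == dport
               for d, p, dp, s in inbound)


if __name__ == "__main__":
    print("\n".join(host_rules(CONTAINERS, INBOUND)))
    print(allowed(CONTAINERS, INBOUND, "10.65.0.2", "10.65.0.4", "tcp", 5432))  # True
```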
WHAT DOES THIS LOOK LIKE TO AN ORCHESTRATOR?
- Install some Calico components
- When you create a container, assign an IP address
  - We use powerstrip, so ordinary Docker commands just work
- Containers must be assigned to security groups
  - Simplified security model for now; underlying code supports more
WHAT DOES THIS LOOK LIKE TO A TENANT?
- Your containers each have an IP address
- All of your containers can contact one another
  - regardless of whether they are on the same host
  - but not containers of other tenants
  - more complex security models are supported by Calico
WHAT DOES THIS LOOK LIKE TO A DEVELOPER?
- Fire up an etcd cluster
- Download the Calico Docker binaries from GitHub
- Set up the hosts
  - under the covers, this fires up some Calico containers to do the work
  - these automatically download the main Calico code
- Start up containers as usual, with a new “CALICO_IP” argument
- Use a command line tool (or RESTful API) to configure groups and security
RESOURCES
- Main project website: www.projectcalico.org
- GitHub
  - https://github.com/Metaswitch/calico-docker
  - https://github.com/Metaswitch/calico
- Mailing list: http://lists.projectcalico.org/listinfo/calico
- Download and try it out
- We welcome your feedback and contributions