Containerizing Network Services
Transcript of the slides at alex.bikfalvi.com/download/OpenStackAustin2016.pdf (OpenStack Austin 2016)

Page 1: Containerizing Network Services
Alex Bikfalvi ∙ Xavier León
Page 2: Network Services
[Figure: Neutron network services: LBaaS, VPNaaS, FWaaS, Dynamic Routing]
Page 3: Why Containers?
[Figure: the same Neutron services (LBaaS, VPNaaS, FWaaS, Dynamic Routing) as candidates for containerization]
Page 4: Why Containers?
Similar lifecycle: virtualizing network functions requires lightweight isolation.
Scalability: scale out according to the available compute resources.
Resiliency: container health detection and failover.
Multi-vendor or project: alternative solutions can be leveraged side by side.
Management: allow operators to adjust the container workload across the hardware infrastructure.
[Figure: service containers labelled VPN, VPN, LB, FW, BGP, BGP]
Page 5: Service Containers
[Figure: OpenStack ∙ Neutron with a Neutron Plugin driving Service Containers (1 LBaaS, 2 FWaaS, 3 VPNaaS, 4 BGP) on the Compute Servers]
Service container implementations: HAProxy, Ryu BGP, Quagga, LibreSwan, OpenSwan, BaGPipe
Page 6: Key Requirements
1. Scalability: containers scale out with the number of available compute nodes.
2. High Availability: seamless failover on container or compute failure.
3. Container Health: report the running status of the network service software.
4. Container Migration: cloud operator tools to manage network service containers.
5. Scheduling Policies: container affinity, host selection and fate-sharing.
Page 7: Containers in MidoNet
[Figure: MidoNet functions by layer. Layer 2: Router Peering. Layer 3: NAT, LBaaS, VPNaaS. Layer 2 & 3: Gateways, Firewall. Service Containers span these services.]
Page 8: OpenStack with MidoNet
[Figure: OpenStack ∙ Neutron talks to the MidoNet Plugin over the Northbound interface (NEUTRON model); the MidoNet Controller writes the Southbound Database (MIDONET model), which the Compute hosts with the MidoNet Agent read to serve their Instances. Control Plane Network and Data Plane Network are separate.]
Page 9: Intelligence at the Edge
[Figure: Compute Hosts (VM 1, VM 2, MidoNet Agent, Linux Kernel) on a Private IP Network, a State Cluster, a Gateway to the Internet; virtual topology with Virtual Tenant Router A, Virtual Switch A1, Virtual Switch A2 and a Virtual Provider Router; a Tunnel between hosts]
1. VM 1 sends a packet through the virtual network.
2. The MidoNet Agent fetches the virtual topology/state.
3. It simulates the packet through the virtual network.
4. It installs a flow rule in the kernel at the ingress host.
5. Packets are tunnelled to the egress host.
Page 10: Peeking Under the Hood
[Figure: Ingress Compute (Virtual Machine VM 1, MidoNet Agent in User Mode, OVS Kernel Module in the Linux Kernel in Kernel Mode) and Egress Compute (VM 2, MidoNet Agent, OVS Kernel Module, Linux Kernel) joined by the Private IP Network. Tunnel header stack: Outer Ethernet, IPv4, UDP, VXLAN / GRE, then the original Packet. Virtual Topology: VM 1, VM 2, Virtual Tenant Router A, Virtual Switch A1, Virtual Switch A2. Physical Topology shown below it.]
1. The packet sent by VM 1 misses the OVS datapath.
2. The packet is sent to the MidoNet Agent via Netlink.
3. The MidoNet Agent processes and simulates the packet.
4. It installs a flow in the kernel at the ingress host.
5. Packets are tunnelled to the egress host.
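The first-packet path on pages 9 and 10 (datapath miss, agent simulation, flow install, tunnel to the egress host) as an added toy model. This is illustrative code written for this transcript, not MidoNet's own agent or datapath: the flow key, the VirtualTopology and Datapath classes, the VM addresses and host names are all constructed here.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple

# Flow key for the toy datapath: (source IP, destination IP). A real datapath
# matches far more header fields; the two-tuple keeps the example readable.
Match = Tuple[str, str]


@dataclass
class VirtualTopology:
    """Constructed stand-in for the virtual topology the agent fetches (step 2)."""
    vm_host: Dict[str, str]             # VM IP -> compute host where the VM runs
    vm_switch: Dict[str, str]           # VM IP -> virtual switch the VM port is on
    router_links: Set[FrozenSet[str]]   # switch pairs joined by the virtual tenant router


@dataclass
class Datapath:
    """Kernel datapath (the OVS kernel module on the slide): a flow table plus counters."""
    host: str
    flows: Dict[Match, str] = field(default_factory=dict)
    hits: int = 0
    misses: int = 0


def simulate(topology: VirtualTopology, ingress_host: str, src: str, dst: str) -> str:
    """The agent's simulation (step 3): walk the virtual topology and decide the action."""
    if src not in topology.vm_switch or dst not in topology.vm_switch:
        return "drop"                                    # unknown endpoint
    s_sw, d_sw = topology.vm_switch[src], topology.vm_switch[dst]
    if s_sw != d_sw and frozenset({s_sw, d_sw}) not in topology.router_links:
        return "drop"                                    # no router between the two switches
    egress = topology.vm_host[dst]
    # Step 5: deliver locally or tunnel to the egress host.
    return "local" if egress == ingress_host else f"tunnel:{egress}"


def handle_packet(dp: Datapath, topology: VirtualTopology, src: str, dst: str) -> Tuple[str, str]:
    """Steps 1-4: flow-table lookup; on a miss the agent simulates and installs the result."""
    key = (src, dst)
    if key in dp.flows:
        dp.hits += 1                                     # later packets never reach the agent
        return "hit", dp.flows[key]
    dp.misses += 1                                       # step 1: datapath miss
    action = simulate(topology, dp.host, src, dst)       # steps 2-3: handed to the agent
    dp.flows[key] = action                               # step 4: flow installed at the ingress host
    return "miss", action


def demo_topology() -> VirtualTopology:
    """Constructed topology: VMs on switches A1 and A2 behind tenant router A, plus an unconnected B1."""
    return VirtualTopology(
        vm_host={"10.1.0.2": "compute-1", "10.1.0.3": "compute-1",
                 "10.2.0.2": "compute-2", "10.3.0.2": "compute-2"},
        vm_switch={"10.1.0.2": "A1", "10.1.0.3": "A1", "10.2.0.2": "A2", "10.3.0.2": "B1"},
        router_links={frozenset({"A1", "A2"})},
    )


if __name__ == "__main__":
    dp = Datapath("compute-1")
    topo = demo_topology()
    for s, d in [("10.1.0.2", "10.2.0.2"), ("10.1.0.2", "10.2.0.2"), ("10.1.0.2", "10.3.0.2")]:
        print(s, "->", d, handle_packet(dp, topo, s, d))
    print("hits/misses:", dp.hits, dp.misses)
```

The point the model makes visible is that the agent is on the packet path only for the first packet of a flow; once the flow is installed, the kernel forwards (or drops) on its own, so anything that monitors the agent sees misses, not steady-state traffic.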
Page 11: MidoNet with Containers
[Figure: OpenStack ∙ Neutron, MidoNet Plugin (Northbound), MidoNet Controller, Southbound Database, Compute with MidoNet Agent and Instances]
Northbound model objects:
PORT: Router or Network, Container Reference
SERVICE CONTAINER: Container Configuration
SERVICE CONTAINER GROUP: Scheduling Policy
SERVICE: LBaaS, VPNaaS, BGP
Page 12: MidoNet with Containers
[Figure: same architecture as page 11 (OpenStack ∙ Neutron, MidoNet Plugin, MidoNet Controller, Southbound Database, Compute with MidoNet Agent, Instances) with a Container Service on each compute host]
Page 13: MidoNet with Containers
[Figure: OpenStack ∙ Neutron, MidoNet Plugin, MidoNet Controller, Southbound Database, Compute with MidoNet Agent, Instances, with the numbered steps below marked on the diagram]
1. Northbound to southbound translation.
2. Schedule the container at a compute node.
3. Launch the container.
4. Computes report the container status.
5. The controller monitors the status.
Page 14: Live Demo: VPNaaS with Service Containers
Page 15: Physical Layer

| Host | IP | Components |
|---|---|---|
| CONTROLLER | 10.0.0.10 | MIDONET agent, NOVA compute, MIDONET cluster, DATABASE (zookeeper), NEUTRON, NOVA api, GLANCE api, KEYSTONE |
| COMPUTE-1 | 10.0.0.11 | MIDONET agent, NOVA compute |
| COMPUTE-2 | 10.0.0.12 | MIDONET agent, NOVA compute |
Page 16: Virtual Topology
[Figure: two tenant networks with Instances, MERCURY 192.168.1.0/24 (192.168.1.2, 192.168.1.3) and VENUS 192.168.2.0/24 (192.168.2.2, 192.168.2.3), each behind a Tenant Router on PUBLIC 1.0.0.0/24 (1.0.0.2 and 1.0.0.3); an IPSec Container is attached to each tenant router]
Page 17: Service Translation
[Figure: Northbound Database on the left, Southbound Database on the right; routers Mercury (1.0.0.2, MERCURY 192.168.1.0/24) and Venus (1.0.0.3, VENUS 192.168.2.0/24)]
Northbound objects:
VPN SERVICE mercury: LOCAL NETWORK 192.168.1.0/24
IPSEC SITE CONNECTION to-venus: PEER ROUTER 1.0.0.3, PEER NETWORK 192.168.2.0/24
VPN SERVICE venus: LOCAL NETWORK 192.168.2.0/24
IPSEC SITE CONNECTION to-mercury: PEER ROUTER 1.0.0.2, PEER NETWORK 192.168.1.0/24
Page 18: Service Translation
[Figure: Northbound Database and Southbound Database; Mercury 1.0.0.2 (MERCURY 192.168.1.0/24) and Venus 1.0.0.3 (VENUS 192.168.2.0/24)]
Northbound objects being translated:
VPN SERVICE mercury: LOCAL NETWORK 192.168.1.0/24
IPSEC SITE CONNECTION to-venus: PEER ROUTER 1.0.0.3, PEER NETWORK 192.168.2.0/24
Southbound translation steps:
1. Router port for the service container (169.254.X.Y/30). Includes routes that forward packets to the container.
2. Redirect rules matching traffic between peer networks. Match IPSec (protocol 50) and IKE (UDP ports 500 and 4500).
3. Container and container group policy. Include container type and configuration.
4. Bind the container port to a compute host. Tells the compute to launch the container.
Page 19: Service Translation
[Figure: Northbound Database and Southbound Database; Mercury 1.0.0.2 (MERCURY 192.168.1.0/24) and Venus 1.0.0.3 (VENUS 192.168.2.0/24); the MERCURY 192.168.1.0/24 side is marked Clear, IKE and IPSec flows are redirected to the container port]
Northbound objects:
VPN SERVICE mercury: LOCAL NETWORK 192.168.1.0/24
IPSEC SITE CONNECTION to-venus: PEER ROUTER 1.0.0.3, PEER NETWORK 192.168.2.0/24
Southbound objects:
PORT 169.254.X.Y/30
ROUTE Source 192.168.1.0/24 Destination 192.168.2.0/24
RULE REDIRECT Protocol 50 (IPSec)
RULE REDIRECT Protocol 17 Port 500 (IKE)
RULE REDIRECT Protocol 17 Port 4500 (IKE)
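The northbound-to-southbound translation of pages 17 to 19, carried out in code as an added example; it is not MidoNet's translator. The class names, the decision that a redirect rule also matches the peer router address, the concrete 169.254.0.0/30 port address and the classify() helper are assumptions made here; the networks, peer routers, protocol 50 and UDP ports 500/4500 are the values on the slides.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

ESP = 50                 # IPsec ESP, "Protocol 50" on the slide
UDP = 17                 # "Protocol 17" on the slide
IKE_PORTS = (500, 4500)  # IKE, and IKE/ESP over UDP for NAT traversal


@dataclass(frozen=True)
class VpnService:                  # northbound VPN SERVICE
    name: str
    local_network: IPv4Network


@dataclass(frozen=True)
class IpsecSiteConnection:         # northbound IPSEC SITE CONNECTION
    name: str
    peer_router: IPv4Address
    peer_network: IPv4Network


@dataclass(frozen=True)
class Route:                       # southbound ROUTE on the tenant router
    source: IPv4Network
    destination: IPv4Network


@dataclass(frozen=True)
class RedirectRule:                # southbound RULE REDIRECT towards the container port
    peer_router: IPv4Address       # assumption: the rule also matches the peer endpoint address
    protocol: int
    port: Optional[int] = None     # destination port, only for UDP rules


@dataclass
class Southbound:
    container_port: IPv4Network    # the 169.254.X.Y/30 link-local port of the container
    routes: List[Route] = field(default_factory=list)
    rules: List[RedirectRule] = field(default_factory=list)


def translate(service: VpnService, conn: IpsecSiteConnection,
              container_port: IPv4Network = ip_network("169.254.0.0/30")) -> Southbound:
    """Steps 1 and 2 of page 18: route to the container, redirect IPsec and IKE from the peer."""
    sb = Southbound(container_port=container_port)
    sb.routes.append(Route(service.local_network, conn.peer_network))
    sb.rules.append(RedirectRule(conn.peer_router, ESP))
    for port in IKE_PORTS:
        sb.rules.append(RedirectRule(conn.peer_router, UDP, port))
    return sb


def describe(sb: Southbound) -> List[str]:
    """Render the southbound objects in the notation the slide uses."""
    lines = [f"PORT {sb.container_port}"]
    lines += [f"ROUTE Source {r.source} Destination {r.destination}" for r in sb.routes]
    for r in sb.rules:
        lines.append(f"RULE REDIRECT Protocol {r.protocol}"
                     + (f" Port {r.port}" if r.port is not None else ""))
    return lines


def classify(sb: Southbound, src: str, dst: str, protocol: int, dport: Optional[int] = None) -> str:
    """'container' if a redirect rule or the route sends the packet to the IPsec container, else 'clear'."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for rule in sb.rules:          # encrypted/IKE traffic arriving from the peer router
        if src_ip == rule.peer_router and protocol == rule.protocol \
                and (rule.port is None or rule.port == dport):
            return "container"
    for route in sb.routes:        # clear tenant traffic bound for the peer network
        if src_ip in route.source and dst_ip in route.destination:
            return "container"
    return "clear"


def mercury_side() -> Southbound:
    """VPN SERVICE mercury plus IPSEC SITE CONNECTION to-venus, with the values from the slides."""
    return translate(
        VpnService("mercury", ip_network("192.168.1.0/24")),
        IpsecSiteConnection("to-venus", ip_address("1.0.0.3"), ip_network("192.168.2.0/24")),
    )


if __name__ == "__main__":
    sb = mercury_side()
    print("\n".join(describe(sb)))
    print(classify(sb, "192.168.1.2", "192.168.2.2", 6, 22))   # tenant traffic to Venus
    print(classify(sb, "1.0.0.3", "1.0.0.2", 50))              # ESP from the Venus router
    print(classify(sb, "1.0.0.3", "1.0.0.2", 17, 53))          # unrelated UDP from the peer
```

The classifier makes the security property of the translation explicit: only ESP and IKE from the configured peer, and only tenant traffic destined for the peer network, are steered into the container; everything else stays on the tenant router's normal path.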
Page 20: Traffic and IPSec Containers
[Figure: same topology as page 16 (MERCURY 192.168.1.0/24 with 192.168.1.2 and 192.168.1.3, VENUS 192.168.2.0/24 with 192.168.2.2 and 192.168.2.3, Tenant Routers 1.0.0.2 and 1.0.0.3 on PUBLIC 1.0.0.0/24, an IPSec Container on each router) with traffic between 192.168.1.0/24 and 192.168.2.0/24 passing through the IPSec containers]
Page 21: Live Demo: VPNaaS with Service Containers
Pages 22-26: Container Scheduling
[Figure: the Container Scheduler on the Controller Servers managing containers on the Compute Servers; Failover arrows on container and host failure]
Controller nodes coordinate in an active-passive fashion and are restart tolerant.
1. Select a compute host when creating a new container. Host eligibility is determined by availability and the operator or service policy.
2. Monitor container health. Containers report their status to their supervising agent (failover on container failure).
3. Monitor compute host health and availability. Agents report their running status to the controllers via the southbound messaging channel (failover on host failure).
4. Allow operator orchestration of containers. Manage scheduling via policies or manual migration.
Pages 27-30: Group Scheduling Policies, 1: Affinity Policies
Define the set of computes that can host a container for a particular network service.
ANYWHERE affinity
HOST-GROUP affinity
PORT-GROUP affinity
[Figure (PORT-GROUP): an Edge Provider Router with Uplink Ports vPort0, vPort1, vPort2, vPort3 and Tenant Routers with vPort0, vPort1, vPort2, vPort3]
Pages 31-33: Group Scheduling Policies, 2: Selection Policies
Choosing a particular compute for a container based on a static or live (dynamic) metric.
WEIGHTED policy (static metric)
[Figure: per-host container weights, shown as 1 1 0 0 and 5 5 2 2, set by the operator with]
host host0 set container-weight 5
host host6 set container-weight 0
LEAST policy (live metric)
[Figure: per-host container limits 5 5 2 0 (the quota) against the running container count 0 1 0 tracked by the Controller Server; a removed container counts -1]
host host0 set container-limit 5
host host3 set container-limit 0
Page 34: Live Demo: Container Scheduling
Page 35: Test Drive
Quickstart: midonet.org
Packages: builds.midonet.org
GitHub: github.com/midonet
Chat: slack.midonet.org
Page 36: Q&A
Page 37
Content licensed under a Creative Commons Attribution license. Cover photo by Tristan Schmurr.