Microservices and containers networking: Contiv, an industry leading open source solution from Cisco - Luca Relandini - Codemotion Amsterdam 2017
1. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Contiv:
Network Policies for Microservices
Luca Relandini @lucarelandini
AMSTERDAM 16 - 17 MAY 2017
2. Agenda
• Containers and Microservices in production
• Introduction – Why Contiv?
• What is Contiv?
• Demo
• Summary
4.
Key Use Cases for Containers and Microservices
Cloud Microservices
Cloud Migration
Hybrid Cloud
Multi-Cloud
Containerization
Microservices
App Modernization
DevOps
CI/CD
Self Service
DevOps
5.
Containers and Microservices
container
Your code
Your startup scripts
Code dependencies
Should deploy with exactly
the same behavior on any
host/VM that can run
containers
Orders
Wishlist
Payment
6.
Microservices - Impact on IT Operations
FROM Traditional IT → TO Cloud Native
DevOps: from Not My Problem; Separate Tools, Varied Incentives, Opaque Process → to Shared Responsibility; Common Incentives, Tools, Process and Culture
Continuous Delivery: from Release Once Every 6 Months; More Bugs in Production → to Release Early and Often; Higher Quality of Code
Microservices: from Tightly Coupled Components; Slow Deployment Cycles Waiting on Integrated Tests Teams → to Loosely Coupled Components; Automated Deploy Without Waiting on Individual Components
7.
Containers Help to Achieve Agile App Development
Figure: different players in the game along the pipeline: Developer (Development) → QA/QE (Test) → SysAdmin (Stage/Production), with Version Control in between.
8.
But... There are Concerns in Containers Adoption
What slows an organization's use of containers?
Security 75% | Networking 71% | Performance 64% | Integration 62% | Management 61%
Source: n = 124 to-date, IDC custom survey, study commissioned by Cisco
Need for production-grade infrastructure
9.
Networking In The New Container World
Figure: three deployment models compared, Bare Metal, VM and Containers in VM. Each shows containers C1..Cn on a bridged Guest OS, a VXLAN overlay network, hypervisors on Host 1 / Host 2 and the physical network underneath.
HW Integration: cannot leverage performance and security by natively integrating with HW
Connectivity: network services, e.g. load balancer, firewall
Performance: encap over encap over encap affects performance
10.
Container Challenges
Figure: many APPs with their BINS/LIBS on a Docker Engine over the Host OS, repeated across five hosts.
Tasks per Node and at Scale: Server Settings, Distributed Data Paths, Multi-Tenancy, Scalability, Management, Backup Connectivity, External Storage Access
Predictable? Efficient? Simple? Reliable?
Additional Work
12.
Basics of Container Networking
Minimally it provides:
- IP Connectivity in Container's Network Namespace
- IPAM, and Network Device Creation (eth0)
- Route Advertisement or Host NAT for external connectivity
Figure: containers (each with eth0) on a VM or BM host; Linux/Windows OS networking with host interface ensp0 connected to the Physical Network.
13.
Container Network Model (CNM)
Figure: two Docker containers, each with a Sandbox and Endpoints (eth0, eth1) into the Green Network and the Blue Network.
• Proposed by Docker to provide networking abstractions/API for container networking
• A sandbox contains the configuration of a container's network stack (Linux network namespace)
• An endpoint is a container's interface into a network (veth pair)
• A network is a collection of arbitrary endpoints that can communicate with each other
• A container can have multiple endpoints (and therefore belong to multiple networks)
CNM provides Driver APIs for IPAM and Endpoint creation/deletion
IPAM Driver APIs:
- Create/Delete Pool,
- Allocate/Free IP Address
Network Driver APIs:
- Network Create/Delete,
- Endpoint Create/Delete/Join/Leave
14.
Container Network Interface (CNI)
• Proposed by CoreOS as part of the appc specification, also used by Kubernetes
• Common interface between container runtime and network plugin
• Gives the driver freedom to manipulate the network namespace
• Network described by JSON config
• Plugins support two commands:
- Add Container to Network
- Remove Container from Network
Figure: the runtime hands the Container's Network namespace to the Driver, which does the plumbing.
Differences (from CNM):
- Gives Driver freedom to manipulate network namespace
- Provides Container Id, Params to drivers
- Just 2 API calls:
- Add Container to Network,
- Delete Container from Network
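The ADD/DEL contract described on this slide, as an added example that is not part of the deck or of the Contiv or CNI projects: a minimal CNI plugin in Python. It takes the network config as JSON on stdin and the operation from the CNI_COMMAND, CNI_CONTAINERID, CNI_NETNS and CNI_IFNAME variables, keeps a host-local style IPAM in memory instead of creating a veth pair and entering the namespace, and answers with the result or error JSON a runtime expects. The numeric error codes, the network name `contiv-net` and the subnets used to exercise it are assumptions for illustration, not values from the slides.

```python
"""Minimal CNI plugin in Python (added example; not Contiv's or CoreOS's code).

Per the CNI contract on the slide: the runtime passes the network config as
JSON on stdin and the operation in CNI_* environment variables; the plugin
prints a JSON result. Netns plumbing is replaced by an in-memory IPAM.
"""
import bisect
import ipaddress
import json
import os
import sys

REQUIRED_ENV = ("CNI_COMMAND", "CNI_CONTAINERID", "CNI_NETNS", "CNI_IFNAME")
# Error codes follow the CNI spec numbering as I recall it (assumption):
# 4 invalid environment, 6 undecodable input, 7 bad network config;
# values >= 100 are reserved for plugin-specific errors.
ERR_ENV, ERR_DECODE, ERR_CONFIG, ERR_POOL_EXHAUSTED = 4, 6, 7, 100


class CniError(Exception):
    def __init__(self, code, msg):
        super().__init__(msg)
        self.code = code


class HostLocalIpam:
    """One lease per container ID out of the network's subnet."""

    def __init__(self, subnet, gateway=None):
        self.net = ipaddress.ip_network(subnet)
        hosts = list(self.net.hosts())
        self.gateway = ipaddress.ip_address(gateway) if gateway else hosts[0]
        self.free = sorted(h for h in hosts if h != self.gateway)
        self.leases = {}  # container id -> address

    def allocate(self, cid):
        if cid in self.leases:  # a repeated ADD for the same container is idempotent
            return self.leases[cid]
        if not self.free:
            raise CniError(ERR_POOL_EXHAUSTED, "no free address in %s" % self.net)
        addr = self.free.pop(0)
        self.leases[cid] = addr
        return addr

    def release(self, cid):
        addr = self.leases.pop(cid, None)
        if addr is not None:
            bisect.insort(self.free, addr)  # freed address goes back, lowest first
        return addr


IPAMS = {}  # network name -> HostLocalIpam; process-local state for the example


def handle(env, config):
    """Execute one ADD or DEL; return the result dict the runtime expects."""
    missing = [k for k in REQUIRED_ENV if not env.get(k)]
    if missing:
        raise CniError(ERR_ENV, "missing environment: " + ", ".join(missing))
    if not config.get("name") or not config.get("type"):
        raise CniError(ERR_CONFIG, "network config needs 'name' and 'type'")
    ipam_cfg = config.get("ipam") or {}
    if "subnet" not in ipam_cfg:
        raise CniError(ERR_CONFIG, "ipam.subnet is required")
    if config["name"] not in IPAMS:
        IPAMS[config["name"]] = HostLocalIpam(ipam_cfg["subnet"], ipam_cfg.get("gateway"))
    ipam = IPAMS[config["name"]]
    cmd, cid = env["CNI_COMMAND"], env["CNI_CONTAINERID"]
    if cmd == "ADD":
        addr = ipam.allocate(cid)
        # A real plugin would now create a veth pair, move one end into
        # env["CNI_NETNS"] as env["CNI_IFNAME"] and configure addr + route.
        return {
            "cniVersion": config.get("cniVersion", "0.3.1"),
            "interfaces": [{"name": env["CNI_IFNAME"], "sandbox": env["CNI_NETNS"]}],
            "ips": [{"version": "4", "address": "%s/%d" % (addr, ipam.net.prefixlen),
                     "gateway": str(ipam.gateway), "interface": 0}],
            "routes": [{"dst": "0.0.0.0/0"}],
        }
    if cmd == "DEL":
        ipam.release(cid)  # DEL must succeed even if no ADD ever ran for cid
        return {}
    raise CniError(ERR_ENV, "unsupported CNI_COMMAND %r" % cmd)


def run(env, config):
    """handle() with errors turned into the (exit_code, payload) a plugin reports."""
    try:
        return 0, handle(env, config)
    except CniError as exc:
        return exc.code, {"code": exc.code, "msg": str(exc)}


def main():
    try:
        config = json.load(sys.stdin)
    except ValueError as exc:
        code, payload = ERR_DECODE, {"code": ERR_DECODE, "msg": "bad config: %s" % exc}
    else:
        code, payload = run(dict(os.environ), config)
    json.dump(payload, sys.stdout)
    return code


if __name__ == "__main__":
    sys.exit(main())
```

Invoked the way a runtime would call it, e.g. `echo '{"name":"contiv-net","type":"example","ipam":{"subnet":"10.1.2.0/24"}}' | CNI_COMMAND=ADD CNI_CONTAINERID=c1 CNI_NETNS=/var/run/netns/c1 CNI_IFNAME=eth0 python3 plugin.py`, it prints the result and exits with the error code on failure. Two details worth keeping in a real plugin: DEL must be idempotent (the runtime may retry it, and may call it for a container whose ADD failed), and the lowest-first reuse of freed addresses shown here is a simplification; a freed address handed straight to the next container can receive traffic still addressed to the previous one, so production IPAMs delay reuse.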
16.
Today's Infrastructure Needs
Sally, Dev/Test:
1. Develop and test fast
2. Agility and Elasticity
3. Does not care about other users
Mike, IT Admin:
1. Manage infrastructure
2. Stability and Security
3. Isolation and Compliance
Challenge: Conflicting goals and priorities
17.
How can we achieve these goals?
Key: Policy-based Container Networking
Declarative Tags (simpler)
Manage Groups instead of single objects (faster)
19.
Containerized Apps on Shared Infrastructure
Figure: Application Intent and Operational Intent meet over shared Compute and NETWORK.
Contiv Is an Open Source Solution to Define and Enforce Distributed Policies Across Infrastructure
20.
Application Intent with Operation Intent
App Intent (docker-compose file):
  version: '2'
  services:
    web:
      build: .
      labels:
        tier: web
      volumes:
        - .:/code
      networks:
        - front-tier
        - back-tier
    db:
      image: mysql

Ops Intent (e.g. Contiv Intent*):
  web:
    environment: prod
    networks:
      security:
        allow ports: 5000, 443
      bandwidth: 5gbps
      lb selector:
        - tier: web
  db:
    networks:
      security:
        allow ports: 3306 from web

Operation Intent Provides Operational Requirements and Policies for Applications
* Shown in yaml for better visualization
21.
Contiv: How everything fits together
Figure: Developer (Application) and Operations (Operational Policy Management) feed the Scheduler; the Contiv Distributed Policy Layer spans Node 1, Node 2 ... Node-n.
Contiv Elements:
- Contiv UI/CLI/API to manage and monitor policies/usage
- Distributed policy enforcement for network
- Integration with physical infrastructure
- Integrated with popular container schedulers
Contiv Automatically Integrates and Enforces Developer and Operations Policies
22.
Contiv – an industry leading (open source) project
100% Open Source
The Most Powerful Container Networking Fabric
Any Infrastructure: Any Platform, Any Networking (L2, L3, Overlay or ACI)
Rich Policy Model: Application Intent, Rich Policies, Declarative (for DevOps and IT Admin)
Simple Install: GUI + CLI, LDAP/RBAC
23.
Contiv Integration with Underlying DC Infrastructure
Application-Centric Infrastructure (ACI)
• Containers integrated with APIC policies
• Physical services integration
Nexus Standalone or Any Network
• VLAN handoff
• BGP interop (standard routing protocol)
Contiv Leverages Underlying Infrastructure Capabilities
24.
Introducing Contiv 1.0
What's New:
- LDAP + RBAC
- All New User Experience and Workflow
- Kubernetes 1.4 Support
- Docker 1.12 Support
- OpenShift Integration
- Simple Install
Commercially Supported Contiv will be announced shortly (1): Cisco Advanced Services, Cisco Solutions Support
100% Open Source at contiv.github.io
25.
Contiv's Approach to Containers
- Scale: Route and Policy Distribution
- Speed: Automated Scale-Out Layer of Network, Flat Networks, High Performance
- Application-Centric: Integrated with App Blueprint
- Shared Resources: Policies for Resource Acquisition
- Hybrid Cloud: Consistent Policies
- Security: Tenant Isolation, Security Policies
- Telemetry/Diagnostics: Application Statistics, Data Export
26.
Contiv Features
Figure: Contiv CLI/UI managing a Contiv Agent on Node 1, Node 2 ... Node-n.
Contiv Agent (per node):
- Container networking for Kubernetes, Mesos, Nomad, and Swarm
- Route distribution using BGP or JSON RPC
- Custom OpenFlow pipeline for host networking: allows implementing various features (details later)
- Exports data about app connectivity, stats, peers
- Distributed, cluster-wide function
- Stateless: useful in node failure/restart, upgrade
Cluster-wide:
- Implements cluster-wide network and policy
- Manages global resources: IPAM, VLAN/VXLAN pools
Contiv CLI/UI:
- Tools to manipulate Contiv objects
- Implements CRUD using a REST interface
- Expected to be used by infra/ops teams
- RBAC
27.
Contiv Architecture
High-Level Architecture
Contiv Host Agent (on Host-1 ... Host-n): Host Plug-In with Plug-In Logic, ARP/DNS Responder, Service LB, Route Distribution [BGP | RPC], Linux Host Routing/Switching to the Physical Network; attached to the Container Runtime (e.g., Docker) and the scheduler [K8s | Swarm | Mesos | Nomad]
Contiv Master Cluster: REST Server, Policy Engine, Master-DB, IPAM/Res-Mgmt, HA Heartbeat, Health Monitoring; driven by a REST client (e.g. netctl); API calls to external orchestration systems, e.g. ACI, schedulers
Distributed KV Store [Etcd | Consul] shared by host agents and masters
28.
Contiv Network
Contiv Host DataPath
Host Forwarding – Plumbing Details
Forwarding pipeline towards the Physical Network: 1 Input Table → 2 VLAN Table → 3 Dest Group → 4 Policy → 5 IP Table → 6 MAC Dest
Figure: Container-1 ... Container-n each run an Application (Socket, Lib/Syscalls) in user space over the kernel TCP/IP stack and eth0 of the Container's Network Namespace; the Host's Network Namespace in kernel space owns eth0 (host's) and the pipeline above.
29.
Contiv Network Deployment Options
Choices:
                            | Cloud          | L2+          | L3 Native   | Cisco ACI
IP Address Requirements     | #Hosts         | #Containers  | #Containers | #Containers
Multi-Destination Traffic   | No             | Yes          | No/Maybe    | Yes
Performance (Throughput)    | Not Good       | Very Good    | Very Good   | Very Good (VLAN EPG)
Automated Multi-Tenancy     | Yes            | No           | No          | Yes
Ease of External Access     | Not Good       | Good         | Good        | Good
Greenfield Deployment       | No difference  | As per Scale | Very Good   | Recommended
Scale (#Nodes)              | Good           | Agg Device   | Very Good   | Very Good
Favorable Physical Topology | All Look Same  | Access/Agg.  | L3 CLOS     | ACI
31.
Tutorial on Docker and Contiv - do it yourself ;-)
It's online at http://contiv.github.io
A normal docker network (without Contiv) looks like this:
34.
How Docker sees a Contiv network
Let’s attach a new container to the new network:
35.
Networks are isolated
Let’s create one more container on contiv-net:
We have many containers now (contiv-c1 and contiv-c5 are on the same network):
Ping works here (same if the
container is on a different host/VM)
Ping does not work here
36.
Tenants in Contiv
Two different networks (with same name), they don’t communicate
Tenants are isolated worlds, to avoid conflicts.
They have separate namespaces for resources.
38.
Applying policies between containers with Contiv
Contiv provides a way to apply isolation policies between groups of containers
(independently of tenants, and also within a single tenant).
For this, we create a simple policy called db-policy, and add some rules to it to
define which ports are allowed.
39. Policies are applied to Groups
Finally, we associate the policy with a group (a group is an arbitrary collection of containers,
e.g. a tier of a microservice) and then run some containers that belong to the db group.
Let's create two more containers:
The policy db-policy (ports open and closed) is applied to all three containers:
Managing many endpoints as a single object makes it easy and fast; think about auto-scaling
(especially when integrated with Swarm, Kubernetes, etc.)
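The behaviour the tutorial slides 35 to 39 and the ops intent on slide 20 describe (networks isolated, tenants isolated, a priority-ordered policy attached to a group, new members of the group covered automatically), as an added example in Python. This is my own model written for the page, not Contiv's policy engine or its netctl CLI: groups are keyed per tenant and network, `db-policy` denies inbound TCP except port 3306 from the `web` group, and `web-policy` admits only 443 and 5000. The endpoint names, the `blue` tenant, `other-net`, the rule numbering and the higher-priority-wins first-match semantics are assumptions for illustration; verify the real rule semantics against contiv.github.io before relying on them.

```python
"""Group policy evaluation for a Contiv-style model (added example, not Contiv's
policy engine). Assumed semantics: an endpoint lives in a tenant, a network and
a group; a group may carry a policy, i.e. a list of inbound rules; the highest
priority matching rule decides; with no policy or no matching rule, traffic
inside a network is allowed; different networks and different tenants never
talk to each other. All names below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Endpoint:
    name: str
    tenant: str
    network: str
    group: str


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                       # "allow" or "deny"
    priority: int = 1                 # higher wins (assumed, like a -priority flag)
    protocol: Optional[str] = None    # None matches any protocol
    port: Optional[int] = None        # None matches any destination port
    from_group: Optional[str] = None  # None matches any source group

    def matches(self, src_group: str, protocol: str, port: int) -> bool:
        return (self.protocol in (None, protocol)
                and self.port in (None, port)
                and self.from_group in (None, src_group))


class PolicyEngine:
    def __init__(self):
        self.policies: Dict[str, List[Rule]] = {}
        self.group_policy: Dict[Tuple[str, str, str], Optional[str]] = {}
        self.endpoints: Dict[str, Endpoint] = {}

    def policy_create(self, name: str) -> None:
        self.policies.setdefault(name, [])

    def rule_add(self, policy: str, rule: Rule) -> None:
        self.policies[policy].append(rule)

    def group_create(self, tenant, network, group, policy=None) -> None:
        if policy is not None and policy not in self.policies:
            raise KeyError("unknown policy %s" % policy)
        self.group_policy[(tenant, network, group)] = policy  # tenant-scoped key

    def attach(self, ep: Endpoint) -> None:
        if (ep.tenant, ep.network, ep.group) not in self.group_policy:
            raise KeyError("group %s missing in %s/%s" % (ep.group, ep.tenant, ep.network))
        self.endpoints[ep.name] = ep

    def decision(self, src: str, dst: str, protocol: str, port: int) -> Tuple[str, str]:
        """Return (action, reason) for a flow src -> dst:port over protocol."""
        s, d = self.endpoints[src], self.endpoints[dst]
        if s.tenant != d.tenant:
            return "deny", "tenant isolation"
        if s.network != d.network:
            return "deny", "network isolation"
        policy = self.group_policy[(d.tenant, d.network, d.group)]
        if policy is None:
            return "allow", "no policy on group %s" % d.group
        for rule in sorted(self.policies[policy], key=lambda r: -r.priority):
            if rule.matches(s.group, protocol, port):
                return rule.action, "%s rule %d" % (policy, rule.rule_id)
        return "allow", "no rule in %s matched" % policy


def build_demo() -> PolicyEngine:
    """Constructed scenario: db-policy as on the tutorial slides, a web-policy
    from the ops intent slide, two tenants and two networks (names made up)."""
    eng = PolicyEngine()
    eng.policy_create("db-policy")
    eng.rule_add("db-policy", Rule(1, "deny", protocol="tcp"))
    eng.rule_add("db-policy", Rule(2, "allow", priority=10, protocol="tcp",
                                   port=3306, from_group="web"))
    eng.policy_create("web-policy")
    eng.rule_add("web-policy", Rule(1, "deny", protocol="tcp"))
    for rid, port in ((2, 443), (3, 5000)):
        eng.rule_add("web-policy", Rule(rid, "allow", priority=10, protocol="tcp", port=port))
    eng.group_create("default", "contiv-net", "web", "web-policy")
    eng.group_create("default", "contiv-net", "db", "db-policy")
    eng.group_create("default", "other-net", "db", "db-policy")
    eng.group_create("blue", "contiv-net", "db", "db-policy")  # same names, other tenant
    for name, tenant, net, grp in (("web1", "default", "contiv-net", "web"),
                                   ("db1", "default", "contiv-net", "db"),
                                   ("db2", "default", "contiv-net", "db"),
                                   ("other1", "default", "other-net", "db"),
                                   ("blue-db1", "blue", "contiv-net", "db")):
        eng.attach(Endpoint(name, tenant, net, grp))
    return eng
```

Two checks the model makes visible. The deny rule in `db-policy` is scoped to TCP, so a flow such as `web1 -> db1 udp/53` finds no matching rule and falls through to the default allow; a deny that is meant to be total needs an unscoped rule or one per protocol, which is easy to get wrong when rules are added port by port. And attaching a new `db3` endpoint to the db group is enough for the same decisions to apply to it, which is the auto-scaling point slide 39 makes about managing a group rather than individual containers.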
40. Contiv is Microservices Ready
• Support for grouping Applications
• Allows scale-out instances of container applications to be grouped together
• Policies specified on a micro-service tier, rather than individual container workloads
• Efficient forwarding between Microservice tiers
• Allows a fixed (DNS published) VIP for a micro-service
• Containers within the micro-services can come and go
• Their IP addresses are mapped to the service IP for east-west traffic
• Eliminates single point of forwarding (proxy) between micro-service tiers
• Application visibility at service levels (across the cluster)
Figure: Web Group, App Group and DB Group; allow grouping of containers/pods; specify policies between groups or from outside the network.
41.
Elements of Contiv Networking
- Cluster-wide Connectivity
- Truly Multi-tenant
- Network Isolation
- Traffic Prioritization
- App-Composers Integrated
- Network Monitoring
- Scalable
- Physical Network Integration: ACI | Nexus Standalone
- Micro Services Ready
- Leverages NIC
- IPAM, Service Discovery
- High Throughput
42.
Contiv Value Proposition
43.
Contiv Integration
44.
Go and test it (easy!): http://contiv.github.io
Contiv releases - github.com/contiv/install/releases
Documents - contiv.github.io
Join Contiv Slack - contiv.herokuapp.com
Contiv Blogs - blogs.cisco.com/tag/contiv
Recorded demo - https://www.youtube.com/watch?v=55s4wAVbTM4
Cisco DevNet community - https://developer.cisco.com/site/contiv/videos/index.gsp
Contiv on Docker Store - https://store.docker.com/plugins/803eecee-0780-401a-a454-e9523ccf86b3?tab=description