@projectcalico Project Calico is sponsored by Metaswitch

Project Calico: a Pure Layer 3 Approach to Docker Networking
For the Docker London Meetup
Ed Harrison, @eepyaich
May 5, 2015
Introductions

Ed Harrison: Dev Manager, Project Calico (@eepyaich)

Metaswitch
- Sequoia-backed software company
- SDN & IP Multimedia Communications
- 1,000+ global customers

Project Calico
- Open source project, sponsored by Metaswitch
- Pure Layer 3 cloud networking solution
- Containers, virtual machines & bare metal
Docker Networking Today: Two Main Models

Port forwarding / NAT
- Simple; works "out of the box"; easily understood
- ... but not "real IP networking"
- Won't work with all applications (e.g. IPsec)
- Onerous port assignment constraints on applications

Overlay networks
- Give each container its own private IP address (or subnet)
- Separate "overlay" domain over the "underlay" network, using GRE, MPLS, VXLAN, or proprietary tunneling protocols
- But...
The Standard Overlay Virtual Networking Model

Virtual L2 segments, implemented in software by a virtual switch (vSwitch) on each Linux host, which performs encap / de-encap (& flooding!).

Encapsulated packet (VXLAN): Outer MAC | Outer IP | Outer UDP | VXLAN | Inner MAC | Inner IP | Inner TCP/UDP | Payload Data

- Router services required to hop between tenants
- NAT required for public Internet access
- On/off-ramp required to get to NAS, etc.
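To make the header stack on this slide concrete, the following added example (not part of the original deck or the Calico project) builds one VXLAN-encapsulated TCP segment and dissects it. It shows the 50 bytes of encapsulation in front of the tenant frame and, more importantly for troubleshooting, that a router in the underlay only ever sees the outer addresses and UDP port 4789, never the container addresses. All MACs, addresses, ports and the VNI are constructed for the example.

```python
import socket
import struct

# Constants from the VXLAN specification; everything else below is constructed.
VXLAN_UDP_PORT = 4789
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def eth_hdr(dst: str, src: str) -> bytes:
    return mac(dst) + mac(src) + struct.pack("!H", ETHERTYPE_IPV4)


def ipv4_hdr(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    # Version 4, IHL 5 (20 bytes), TTL 64; checksum left 0 since nothing is sent.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def udp_hdr(sport: int, dport: int, payload_len: int) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def tcp_hdr(sport: int, dport: int) -> bytes:
    # Data offset 5 (20 bytes), SYN flag set, window 65535, no options.
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def vxlan_hdr(vni: int) -> bytes:
    # 8 bytes: flags byte (I bit = 0x08) + 3 reserved, then 24-bit VNI + 1 reserved.
    return struct.pack("!II", 0x08 << 24, vni << 8)


def build_vxlan_frame(outer_src: str, outer_dst: str, vni: int,
                      inner_src: str, inner_dst: str, payload: bytes) -> bytes:
    """Assemble Outer MAC | Outer IP | Outer UDP | VXLAN | Inner MAC | Inner IP | TCP | payload."""
    inner = (eth_hdr("02:00:00:00:00:02", "02:00:00:00:00:01")
             + ipv4_hdr(inner_src, inner_dst, PROTO_TCP, 20 + len(payload))
             + tcp_hdr(40000, 80) + payload)
    vx = vxlan_hdr(vni) + inner
    udp = udp_hdr(49152, VXLAN_UDP_PORT, len(vx)) + vx
    outer_ip = ipv4_hdr(outer_src, outer_dst, PROTO_UDP, len(udp)) + udp
    return eth_hdr("0c:00:00:00:00:02", "0c:00:00:00:00:01") + outer_ip


def _ipv4(frame: bytes, off: int):
    ihl = (frame[off] & 0x0F) * 4
    proto = frame[off + 9]
    src = socket.inet_ntoa(frame[off + 12:off + 16])
    dst = socket.inet_ntoa(frame[off + 16:off + 20])
    return ihl, proto, src, dst


def parse_vxlan_frame(frame: bytes) -> dict:
    """Walk the header stack; report what the underlay sees versus what the overlay carries."""
    off = 14                                           # skip outer Ethernet
    ihl, proto, o_src, o_dst = _ipv4(frame, off)
    if proto != PROTO_UDP:
        raise ValueError("outer packet is not UDP")
    off += ihl
    dport = struct.unpack("!H", frame[off + 2:off + 4])[0]
    if dport != VXLAN_UDP_PORT:
        raise ValueError("UDP destination port is not VXLAN")
    off += 8
    flags, vni_field = struct.unpack("!II", frame[off:off + 8])
    if not (flags >> 24) & 0x08:
        raise ValueError("VXLAN I flag not set, VNI is not valid")
    off += 8
    inner_eth_off = off
    off += 14                                          # skip inner Ethernet
    _, proto, i_src, i_dst = _ipv4(frame, off)
    return {
        "underlay_view": (o_src, o_dst, "udp/%d" % dport),  # all a fabric router can see
        "vni": vni_field >> 8,
        "inner_src": i_src, "inner_dst": i_dst, "inner_proto": proto,
        "encap_overhead": inner_eth_off,               # bytes in front of the tenant frame
    }


if __name__ == "__main__":
    f = build_vxlan_frame("172.17.8.101", "172.17.8.102", 5000,
                          "192.168.1.1", "192.168.1.4", b"GET /")
    print(parse_vxlan_frame(f))
```

The `encap_overhead` figure is what has to come off the tenant MTU on every overlay link, and `underlay_view` is why a `traceroute` run in the fabric cannot be correlated with a container flow without first decapsulating.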
This leads to...
- ☹ Unnecessary complexity
- ☹ Low scale limits
- ☹ Performance issues
- ☹ Inefficient resource utilization
- ☹ Difficulty troubleshooting
- ☹ Demands placed on application developers to be networking experts

ALL solutions that use the overlay / underlay model suffer from these effects, however they are mitigated. These issues become critical with containers due to their higher scale than VMs (100s vs 10s per server)...

It doesn't have to be this way!
What if we built a Data Center like the Internet?

[Diagram: hosts running "IP App" workloads, attached to routers that peer with each other over BGP]

[Diagram: the same picture with compute nodes hosting VMs / LXCs in place of the hosts, each compute node peering over BGP with the routers]

... this is Project Calico!
Key Design Concepts

IP
- Perform layer 3 forwarding at each compute node
- Leverage the Linux kernel's efficient IP forwarding engine: no separate vSwitch

BGP
- Distribute routes using the proven Border Gateway Protocol, with route reflectors for scale
- Program routes into the Linux kernel on each host (and into the physical fabric if required)

Policy
- Separate policy decisions from routing information
- Translate global policy into a distributed firewall on each host, enabling tenant isolation & more
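The following added example (not code from the deck or from the Calico project) models the IP and BGP concepts above for the two-host demo topology: each host holds a /32 route per local container pointing at that container's own interface, advertises those /32s over BGP with itself as next hop, and installs its peers' advertisements as plain `via` routes. The placement of containers on hosts, the `cali*` interface names, the `eth0` fabric interface and the default gateway 172.17.8.1 are assumptions made for the example.

```python
import ipaddress

# Constructed topology using the container and host addresses from the demo slides.
# Which container sits on which host, and the interface names, are assumed.
HOSTS = {
    "172.17.8.101": {"192.168.1.1": "caliA", "192.168.1.2": "caliB", "192.168.1.3": "caliC"},
    "172.17.8.102": {"192.168.1.4": "caliD", "192.168.1.5": "caliE"},
}
FABRIC = ipaddress.ip_network("172.17.8.0/24")   # hosts share one L2 segment (assumed)
DEFAULT_GW = "172.17.8.1"                         # assumed upstream router
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def local_routes(host):
    """Host-local /32 routes: each container is reached via its own veth, no bridge or vSwitch."""
    return {ipaddress.ip_network(ip + "/32"): ("dev", veth) for ip, veth in HOSTS[host].items()}


def bgp_advertisements(host):
    """What this host's BGP speaker announces: its local /32s with the host itself as next hop."""
    return {prefix: host for prefix in local_routes(host)}


def build_rib(host):
    """Merge connected, local and BGP-learned routes into the table the kernel would hold."""
    rib = {FABRIC: ("dev", "eth0"), DEFAULT: ("via", DEFAULT_GW)}
    rib.update(local_routes(host))
    for peer in HOSTS:
        if peer == host:
            continue
        for prefix, nexthop in bgp_advertisements(peer).items():
            rib[prefix] = ("via", nexthop)   # a remote container is just a route
    return rib


def lookup(rib, dst):
    """Longest-prefix match, as the kernel FIB does; returns ("dev", iface) or ("via", nexthop)."""
    addr = ipaddress.ip_address(dst)
    for prefix in sorted(rib, key=lambda p: p.prefixlen, reverse=True):
        if addr in prefix:
            return rib[prefix]
    raise LookupError("no route to %s" % dst)


def render(rib):
    """Illustrative ip-route style listing (not literal output of Felix or BIRD)."""
    lines = []
    for prefix, (kind, target) in sorted(rib.items(), key=lambda kv: (-kv[0].prefixlen, kv[0])):
        name = "default" if prefix.prefixlen == 0 else str(prefix)
        lines.append("%s %s %s" % (name, kind, target))
    return lines


if __name__ == "__main__":
    for host in HOSTS:
        print("routes on", host)
        for line in render(build_rib(host)):
            print("  ", line)
```

Every destination, local container, remote container or the public internet, resolves through the same longest-prefix match; nothing is encapsulated on the way out, which is why the on/off-ramp and the per-tenant router of the overlay model are not needed.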
Corollary: Other Advantages of the Calico Approach

[Diagram: the path traffic takes with overlays compared with the pure Layer 3 (Calico) path]

- Simplified diagnostics. What is happening is "obvious": traceroute, ping, etc. work as expected
- No on/off ramp required. The path from a workload to a non-virtual device or the public internet (or even between data centers) is just a route
- Other IP techniques "just work". E.g. Equal Cost Multi-Path (ECMP) & Anycast enable scalable resilience and full utilization of physical links
Get Involved!
- Main project website: www.projectcalico.org
- Github: https://github.com/Metaswitch/calico (and /calico-docker)
- Mailing lists: http://lists.projectcalico.org
- Download & try it out
- We welcome your feedback and contributions
- Follow us @projectcalico
Demo Time...

[Diagram of the demo topology]
- Fabric: Core 1, L2, Core 2
- Two Linux hosts, 172.17.8.101 and 172.17.8.102, each running a calico-node container (Felix + BIRD)
- Workloads: Container A 192.168.1.1, Container B 192.168.1.2, Container C 192.168.1.3, Container D 192.168.1.4, Container E 192.168.1.5
- Policy Group 1 ("GROUP1") and Policy Group 2
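The demo topology is also a good place to show the third design concept, translating a global policy into a distributed firewall. The added example below is not code from the deck or from Felix; it assumes Containers A, B and C are in GROUP1 and D and E in GROUP2, that members of a group may reach each other and every other packet to a workload is dropped, and that each host only compiles rules for its own workloads. The chain naming is illustrative, not Felix's real iptables layout.

```python
# Constructed policy model for the demo topology. Group membership, workload
# placement and the "same group may talk, everything else dropped" rule are
# assumptions for this example.
GROUPS = {
    "GROUP1": ["192.168.1.1", "192.168.1.2", "192.168.1.3"],
    "GROUP2": ["192.168.1.4", "192.168.1.5"],
}
HOSTS = {
    "172.17.8.101": ["192.168.1.1", "192.168.1.2", "192.168.1.3"],
    "172.17.8.102": ["192.168.1.4", "192.168.1.5"],
}


def group_of(ip):
    for name, members in GROUPS.items():
        if ip in members:
            return name
    raise KeyError("workload %s is in no policy group" % ip)


def host_of(ip):
    for host, workloads in HOSTS.items():
        if ip in workloads:
            return host
    raise KeyError("workload %s is on no host" % ip)


def compile_host_rules(host):
    """Translate the global group policy into the rule set this one host enforces.

    Only the host's own workloads get a chain. Routing information (which host
    reaches which /32) plays no part, so policy stays separate from routing."""
    chains = {}
    for ep in HOSTS[host]:
        rules = [("ACCEPT", peer) for peer in GROUPS[group_of(ep)] if peer != ep]
        rules.append(("DROP", None))          # default deny at the end of the chain
        chains[ep] = rules
    return chains


def render_rules(host):
    """iptables-style listing of the compiled chains (illustrative chain names)."""
    lines = []
    for ep, rules in compile_host_rules(host).items():
        chain = "wl-in-" + ep.replace(".", "-")
        for action, src in rules:
            match = " -s %s/32" % src if src else ""
            lines.append("-A %s%s -j %s" % (chain, match, action))
    return lines


def is_allowed(src, dst):
    """Evaluate a packet the way the destination's host would: first match wins."""
    chain = compile_host_rules(host_of(dst))[dst]
    for action, match in chain:
        if match is None or match == src:
            return action == "ACCEPT"
    return False


if __name__ == "__main__":
    for host in HOSTS:
        print("rules on", host)
        for line in render_rules(host):
            print("  ", line)
    print("A -> B:", is_allowed("192.168.1.1", "192.168.1.2"))
    print("A -> D:", is_allowed("192.168.1.1", "192.168.1.4"))
```

Because the /32 routes make every container reachable from every host, isolation comes entirely from these per-host rules; that is the trade the slide describes, with tenant separation moved out of the topology and into policy that each host enforces locally.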
TL;DR

Calico enables you to give your Docker containers real, routable IP addresses, with security/policy built in.