
Calico at Docker Edinburgh, 20150319

Talk given by Peter White at Docker Edinburgh, 19/03/2015

Peter White

March 23, 2015

Transcript

  1. THE BRAINS OF THE NEW GLOBAL NETWORK: CALICO AND CONTAINERS – SIMPLE IP NETWORKING
     Peter White, 19th March 2015
  2. AGENDA
     - A bit about Calico: what it is, motivation, how it works, what it does
     - Containers with Calico
     Metaswitch Networks | Proprietary and confidential | © 2014 | 2
  3. WHAT IS CALICO?
     - Open source (Apache licensed) project
     - Networking of workloads in a data center / cloud environment
     - Sponsored by Metaswitch
     - Simple: don’t demand users to be networking experts
     - Scale: thousands of servers, 100k’s of workloads
     - Open: open source and open standards
  4. WHY SHOULD I CARE ABOUT NETWORKING?
     - You shouldn’t need to know or care! (up to a point)
     - Networking needs to just work and not get in the way
     - But there’s a risk that containers get as hard as VMs, and that is very very bad indeed
  5. TRADITIONAL VIRTUALISED NETWORKING MODEL
     - Virtual L2 segments, implemented in software by a virtual switch (a vSwitch on each Linux host)
     - Encap / de-encap (& flooding!): packet layout Outer MAC | Outer IP | Outer UDP | VXLAN | VM MAC | VM IP | VM TCP/UDP | VM Data
     - Router service required to hop between tenants
     - NAT required for public Internet access
     - On/off-ramp required to get to NAS, etc.
  6. THIS LEADS TO…
     ☹ Complexity
     ☹ Scale / performance issues
     ☹ Operational overhead
     ☹ Inefficient resource utilization
     ☹ Difficulty troubleshooting
     ☹ Demands placed on everybody to be networking experts
     … It doesn’t have to be this way!
  7. WHAT IF WE BUILT A DATA CENTER LIKE THE INTERNET?
     [Diagram: hosts running IP apps, connected to routers that exchange routes over BGP]
  8. WHAT IF WE BUILT A DATA CENTER LIKE THE INTERNET?
     [Diagram: the same picture with compute nodes hosting VMs / LXCs as the IP apps, the compute nodes peering with the routers over BGP]
  9. ADVANTAGES OF THE CALICO MODEL
     - More scalable: based on proven Internet-style architecture
     - More efficient: simplified data path between VMs and physical network; Equal Cost Multi-Path (ECMP) enables full utilization of physical links
     - Easier to troubleshoot: eliminates nested IP stacks needed for overlay-based networking
     - More secure: applies traffic isolation rules at both egress and ingress points
     - More interoperable: supports direct connectivity between VMs, Linux Containers (LXCs) and physical devices; does not require “On/Off ramps” for non-virtualized network elements
     - More robust: load-balancing and resilience easily provided by Anycast
     - More straightforward: 1:1 NAT and floating IPs are no longer strict requirements
     - More distributable: supports geographically distributed service chains straightforwardly
  10. CONTAINERS VS. VMS
     - We did it for OpenStack first
     - But the same problems apply in container-land: complexity, diagnosability, scale, performance
     - Only potentially much worse: more containers per host (100s, not 10s); shorter lifetimes (hours vs. days)
  11. CONTAINERS WITH CALICO
     - Each container gets an IP
     - Each container gets a veth interface for that IP
     - Routing “just happens”: Calico components set up rules in the Linux kernel for the interface; BGP replicates those rules around between hosts
     - ACLs are implemented using iptables / ipsets
       - For example, disallowing containers in tenant A to access containers in tenant B
       - For example, allowing incoming traffic based on source, port, protocol
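As an added illustration of the model on this slide (not code from the talk or from the Calico project): a small Python model of the per-container host state the slide describes, namely a /32 route to the container's veth, ipset membership for its security group, and an iptables chain that admits same-tenant traffic plus explicit source/port/protocol allows. The container names, addresses, interface names, group names and chain layout are all constructed for the example.

```python
# Added model of the per-container host state described on the slide: a /32 route
# to the veth, ipset membership for the security group, and an iptables chain that
# admits same-group traffic plus explicit allows. All names are constructed; not Calico's code.
import ipaddress
from dataclasses import dataclass
@dataclass
class Endpoint:
    name: str    # container name
    ip: str      # container IP, routed as a /32 to its veth
    veth: str    # host-side veth interface
    group: str   # security group (tenant)

@dataclass
class AllowRule:
    src: str     # source CIDR
    proto: str   # "tcp" / "udp"
    port: int    # destination port

def host_config(endpoints, allows):
    routes, ipsets, rules = [], [], []
    for g in sorted({e.group for e in endpoints}):
        ipsets.append(f"ipset create sg-{g} hash:ip")
        ipsets += [f"ipset add sg-{g} {e.ip}" for e in endpoints if e.group == g]
    for e in endpoints:
        routes.append(f"ip route add {e.ip}/32 dev {e.veth}")
        chain = f"calico-in-{e.name}"
        rules.append(f"iptables -N {chain}")
        rules.append(f"iptables -A FORWARD -o {e.veth} -j {chain}")  # inbound to container
        rules.append(f"iptables -A {chain} -m set --match-set sg-{e.group} src -j ACCEPT")
        for a in allows.get(e.group, []):
            rules.append(f"iptables -A {chain} -s {a.src} -p {a.proto} --dport {a.port} -j ACCEPT")
        rules.append(f"iptables -A {chain} -j DROP")  # other tenants and everything else
    return routes, ipsets, rules

def allowed(endpoints, allows, src_ip, dst_ip, proto, port):
    # Evaluate the same policy for one inbound flow, mirroring the chain order above.
    by_ip = {e.ip: e for e in endpoints}
    dst = by_ip.get(dst_ip)
    if dst is None:
        return False  # no endpoint on this host: no route, no chain
    src = by_ip.get(src_ip)
    if src is not None and src.group == dst.group:
        return True   # same security group: ipset match
    return any(a.proto == proto and a.port == port
               and ipaddress.ip_address(src_ip) in ipaddress.ip_network(a.src)
               for a in allows.get(dst.group, []))
# Constructed sample: two tenants on one host, tenant A exposes tcp/80 to one office range.
ENDPOINTS = [Endpoint("web-a", "10.0.1.10", "cali1", "A"), Endpoint("db-a", "10.0.1.11", "cali2", "A"),
             Endpoint("app-b", "10.0.2.10", "cali3", "B")]
ALLOWS = {"A": [AllowRule("192.0.2.0/24", "tcp", 80)]}
```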
  12. WHAT DOES THIS LOOK LIKE TO AN ORCHESTRATOR?
     - Install some Calico components
     - When you create a container, assign an IP address
     - We use powerstrip, so ordinary Docker commands just work
     - Containers must be assigned to security groups
     - Simplified security model for now; underlying code supports more
  13. WHAT DOES THIS LOOK LIKE TO A TENANT?
     - Your containers each have an IP address
     - All of your containers can contact one another, regardless of whether they are on the same host, but not containers of other tenants
     - More complex security models are supported by Calico
  14. WHAT DOES THIS LOOK LIKE TO A DEVELOPER?
     - Fire up an etcd cluster
     - Download the Calico Docker binaries from GitHub
     - Set up the hosts: under the covers, this fires up some Calico containers to do the work; these automatically download the main Calico code
     - Start up containers as usual, with a new “CALICO_IP” argument
     - Use a command line tool (or RESTful API) to configure groups and security
  15. RESOURCES
     - Main project website: www.projectcalico.org
     - GitHub: https://github.com/Metaswitch/calico-docker and https://github.com/Metaswitch/calico
     - Mailing list: http://lists.projectcalico.org/listinfo/calico
     - Download and try it out
     - We welcome your feedback and contributions