© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cisco Contiv: Network Policies for Microservices
Luca Relandini @lucarelandini
ROME 24-25 MARCH 2017
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Introduction: Microservices and Containers... Though you already know them
BRKDCT-2023
Containers and Microservices
A container packages:
- Your code
- Your startup scripts
- Code dependencies
It should deploy with exactly the same behavior on any host/VM that can run containers.
Example microservices (diagram): Orders, Wishlist, Payment
Microservices - Impact on IT Operations
FROM Traditional IT -> TO Cloud Native:
- Not My Problem (Separate Tools, Varied Incentives, Opaque Process) -> DevOps (Shared Responsibility; Common Incentives, Tools, Process and Culture)
- Release Once Every 6 Months (More Bugs in Production) -> Continuous Delivery (Release Early and Often; Higher Quality of Code)
- Tightly Coupled Components (Slow Deployment Cycles Waiting on Integrated Tests Teams) -> Microservices (Loosely Coupled Components; Automated Deploy Without Waiting on Individual Components)
Containers Help to Achieve Agile App Development
Different players in the game (diagram): Developer, QA/QE and SysAdmin across the Development, Test and Stage/Production stages, with Version Control in between.
But... There are Concerns in Container Adoption. What slows an organization's use of containers?
- Security: 75%
- Networking: 71%
- Performance: 64%
- Integration: 62%
- Management: 61%
Source: n = 124 to-date, IDC custom survey, study commissioned by Cisco
Need for production-grade infrastructure
Networking In The New Container World
Diagram: three deployment models, Bare Metal, VM and Containers in VM, on Host 1 / Host 2 over the Physical Network; Hypervisor, VM1 / VM2, Guest OS - Bridged, containers C1 ... Cn, Virtual Switching or Overlay Network (VXLAN).
- HW Integration: Can not leverage performance and security by natively integrating with HW
- Connectivity: Network services, e.g. Load balancer, Firewall
- Performance: Encap over encap over encap affects performance
Container Networking Abstractions: only 3 slides
Basics of Container Networking
Minimally it provides:
- IP Connectivity in Container's Network Namespace
- IPAM, and Network Device Creation (eth0)
- Route Advertisement or Host NAT for external connectivity
Diagram: containers (each with eth0) on a VM or BM host, attached through Linux/Windows OS Networking (host NIC ensp0) to the Physical Network.
Container Network Model (CNM)
Diagram: Docker Container -> Endpoint -> Network Sandbox, attached to a Green Network and a Blue Network (eth0, eth1).
• Proposed by Docker to provide networking abstractions/API for container networking
• Sandbox contains configuration of a container's network stack (Linux network namespace)
• An endpoint is a container's interface into a network (veth pair)
• A network is a collection of arbitrary endpoints that can communicate with each other
• A container can belong to multiple endpoints (and therefore multiple networks)
CNM provides Driver APIs for IPAM and Endpoint creation/deletion:
- IPAM Driver APIs: Create/Delete Pool, Allocate/Free IP Address
- Network Driver APIs: Network Create/Delete, Endpoint Create/Delete/Join/Leave
Container Network Interface (CNI)
• Proposed by CoreOS as part of appc specification, used also by Kubernetes
• Common interface between container run time and network plugin
• Gives driver freedom to manipulate network namespace
• Network described by JSON config
• Plugins support two commands:
  - Add Container to Network
  - Remove Container from Network
Diagram: Container -> Network namespace -> Driver plumbing.
Differences (from CNM):
- Gives Driver freedom to manipulate network namespace
- Provide Container Id, Params to drivers
- Just 2 API: Add Container to Network, Delete Container from Network
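The two-command CNI exchange described above, modelled as an added example (not code from the deck or from Contiv): the runtime passes CNI_COMMAND, CNI_CONTAINERID, CNI_NETNS and CNI_IFNAME in the environment and the network config JSON on stdin, the plugin answers with a JSON result or error. The sample config, the placeholder plugin "type" and the in-memory IPAM are constructed for the example; the veth plumbing a real plugin does inside the namespace is left out.

```python
"""Model of the CNI ADD/DEL exchange: runtime sets CNI_* env vars and pipes the
network config JSON on stdin; the plugin answers with a JSON result or error.
Only the control protocol and an in-memory IPAM are modelled, not the veth plumbing."""
import ipaddress
import json

# Constructed sample config as the runtime would pipe it; "type" is a placeholder name.
SAMPLE_CONF = json.dumps({"cniVersion": "0.3.1", "name": "contiv-net", "type": "example-plugin",
                          "ipam": {"subnet": "10.1.2.0/24", "gateway": "10.1.2.1"}})
REQUIRED_ENV = ("CNI_COMMAND", "CNI_CONTAINERID", "CNI_NETNS", "CNI_IFNAME")
_ALLOCATED = {}  # container id -> "a.b.c.d/len", kept across calls like host-local's store

def _error(conf, code, msg):
    """CNI error object; code 4 = invalid environment, 6 = failed to decode config."""
    return {"cniVersion": conf.get("cniVersion", "0.3.1"), "code": code, "msg": msg}

def _next_free(subnet, gateway):
    """Lowest host address that is neither the gateway nor already allocated."""
    used = {ipaddress.ip_address(a.split("/")[0]) for a in _ALLOCATED.values()}
    for host in subnet.hosts():
        if host != gateway and host not in used:
            return host
    raise RuntimeError("subnet exhausted")

def cni_exec(env, stdin_json):
    """One plugin invocation. Returns (exit_code, result/error dict or None)."""
    try:
        conf = json.loads(stdin_json)
    except json.JSONDecodeError as exc:
        return 1, _error({}, 6, "cannot decode network config: %s" % exc)
    missing = [k for k in REQUIRED_ENV if not env.get(k)]
    if missing:
        return 1, _error(conf, 4, "missing environment: " + ", ".join(missing))
    cid, cmd = env["CNI_CONTAINERID"], env["CNI_COMMAND"]
    if cmd == "ADD":
        subnet = ipaddress.ip_network(conf["ipam"]["subnet"])
        gateway = ipaddress.ip_address(conf["ipam"]["gateway"])
        if cid not in _ALLOCATED:  # repeated ADD for the same container reuses its address
            _ALLOCATED[cid] = "%s/%d" % (_next_free(subnet, gateway), subnet.prefixlen)
        return 0, {"cniVersion": conf.get("cniVersion", "0.3.1"),
                   "interfaces": [{"name": env["CNI_IFNAME"], "sandbox": env["CNI_NETNS"]}],
                   "ips": [{"version": "4", "address": _ALLOCATED[cid],
                            "gateway": str(gateway), "interface": 0}]}
    if cmd == "DEL":
        _ALLOCATED.pop(cid, None)  # DEL must succeed even when nothing was allocated
        return 0, None
    return 1, _error(conf, 4, "unsupported CNI_COMMAND %r" % cmd)
```

A DEL that arrives without a preceding ADD still returns success, which is what the spec requires of plugins and what lets a runtime clean up safely after a crashed ADD.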
Introduction – Why Contiv?
Today's Infrastructure Needs
Sally, Dev/Test:
1. Develop and test fast
2. Agility and Elasticity
3. Does not care about other users
Mike, IT Admin:
1. Manage infrastructure
2. Stability and Security
3. Isolation and Compliance
Challenge: Conflicting goals and priorities
How can we achieve these goals? Key: Policy-based Container Networking
- Declarative Tags (simpler)
- Manage Groups instead of single objects (faster)
What is Contiv?
Containerized Apps on Shared Infrastructure
Diagram: Application Intent and Operational Intent meet across Compute and NETWORK.
Contiv Is an Open Source Solution to Define and Enforce Distributed Policies Across Infrastructure
Application Intent with Operation Intent

App Intent (docker-compose style):
  version: '2'
  services:
    web:
      build: .
      label:
        - tier: web
      volumes:
        - .:/code
      networks:
        - front-tier
        - back-tier
    db:
      image: mysql

Ops Intent (e.g. Contiv Intent*):
  web:
    environment: prod
    networks:
      security:
        - allow ports: 5000, 443
      bandwidth: 5gbps
      lb selector:
        - tier: web
  db:
    networks:
      security:
        allow ports: 3306 from web

Operation Intent Provides Operational Requirements and Policies for Applications
* Shown in yaml for better visualization
Contiv: How everything fits together - Operational Policy Management
Diagram: Developer and Operations feed the Application Scheduler; Node 1, Node 2 ... Node-n run the Contiv Distributed Policy Layer.
Contiv Elements:
- Contiv UI/CLI/API to manage and monitor policies/usage
- Distributed policy enforcement for network
- Integration with physical infrastructure
- Integrated with popular container schedulers
Contiv Automatically Integrates and Enforces Developer and Operations Policies
100% Open Source
The Most Powerful Container Networking Fabric: L2, L3, Overlay or ACI; Rich Policies
Diagram: Contiv serving DevOps and IT Admin on Any Networking, Any Platform, Any Infrastructure, with Application Intent, Rich Policy Model, Declarative, Simple Install, GUI + CLI, LDAP/RBAC.
Contiv Integration with Underlying DC Infrastructure
Application-Centric Infrastructure (ACI):
• Containers integrated with APIC policies
• Physical services integration
Nexus Standalone or Any Network:
• VLAN handoff
• BGP interop (standard routing protocol)
Contiv Leverages Underlying Infrastructure Capabilities
Introducing Contiv 1.0
What's New:
- LDAP+RBAC
- All New User Experience and Workflow
- Kubernetes 1.4 Support
- Docker 1.12 Support
- OpenShift Integration
- Simple Install
Commercially Supported Contiv will be announced shortly:
- Cisco Advanced Services
- Cisco Solutions Support
100% Open Source at contiv.github.io
Contiv's Approach to Containers
- Scale: Route and Policy Distribution
- Speed: Automated Scale-Out
- Layer of Network: Flat Networks, High Performance
- Application-Centric: Integrated with App Blueprint
- Shared Resources: Policies for Resource Acquisition
- Hybrid Cloud: Consistent Policies
- Security: Tenant Isolation, Security Policies
- Telemetry/Diagnostics: Application Statistics, Data Export
Contiv Network Components
Diagram: Contiv CLI/UI managing Node 1 ... Node-n, each running a Contiv Agent, plus the cluster-wide Contiv Elements.
Contiv Agent (per node):
• Container networking for: Kubernetes, Mesos, Nomad, and Swarm
• Route distribution using BGP or JSON RPC
• Custom OpenFlow pipeline for host networking: allows implementing various features (details later)
• Exports data about: App connectivity, stats, peer
Contiv Elements (cluster-wide):
• Distributed, cluster-wide function
• Stateless: Useful in node failure/restart, upgrade
• Implements cluster-wide network and policy
• Manage global resources: IPAM, VLAN/VXLAN pools
Contiv CLI/UI:
• Tools to manipulate Contiv objects
• Implements CRUD using REST I/F
• Expected to be used by infra/ops teams
• RBAC
Contiv Network: High-Level Architecture
Diagram:
- Host-1 ... Host-n: each runs a Contiv Host Agent (Host Plug-In, Plug-In Logic) next to the Container Runtime (e.g., Docker) driven by [K8s | Swarm | Mesos | Nomad]; the agent provides ARP/DNS Responder, Service LB, Route Distribution [BGP | RPC] and Linux Host Routing/Switching to the Physical Network.
- Contiv Master Cluster: Master-DB, Policy Engine, REST Server, IPAM/Res-Mgmt, HA Heartbeat, Health Monitoring; state kept in a Distributed KV Store [Etcd | Consul]; driven by a REST client (e.g. netctl); API Calls to External Orchestration Systems e.g. ACI, Schedulers.
Demo
Tutorial on Docker and Contiv - do it yourself ;-)
It's online at http://contiv.github.io
A normal docker network (without Contiv) looks like this (screenshot):
Let’s create a Contiv network
How Docker sees a Contiv network
Let’s attach a new container to the new network:
Networks are isolated. Let's create one more container on contiv-net:
We have many containers now (contiv-c1 and contiv-c5 are on the same network):
Ping works here (same if the container is on a different host/VM).
Ping does not work here.
Tenants in Contiv
Two different networks, they don’t communicate
Tenants are isolated worlds, to avoid conflicts. They have separate namespaces for resources.
Applying policies between containers with Contiv
Contiv provides a way to apply isolation policies between container groups (independently of tenants, or within a tenant).
For this, we create a simple policy called db-policy and add some rules to it to define which ports are allowed.
Policies are applied among Groups
Finally, we associate the policy with a group (a group is an arbitrary collection of containers, e.g. a tier of a microservice) and then run some containers that belong to the db group.
Let's create two more containers:
The policy db-policy (ports open and closed) is applied to all 3 containers. Managing many endpoints as a single object makes it easy and fast; think about auto-scaling (especially when integrated with Swarm, Kubernetes, etc.).
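The group-based policy model from the db-policy demo above and the Ops Intent slide earlier (web: allow ports 5000, 443; db: allow port 3306 from web), as an added example that is not Contiv's code. The rule semantics are assumptions of this model: each group carries rules, rule 1 is an explicit deny-all for inbound TCP, allow rules carry a higher priority, and among matching rules the highest priority decides; the intent is transcribed as constructed data rather than parsed from YAML.

```python
"""Group-based policy model of the db-policy demo and the Ops Intent slide.
Assumed semantics (not Contiv's code): explicit low-priority deny-all per group,
higher-priority allow rules, highest matching priority wins."""
from collections import namedtuple

Rule = namedtuple("Rule", "priority direction protocol port from_group action")
Flow = namedtuple("Flow", "src_group dst_group protocol dst_port")
ANY = None  # wildcard for port or from_group

# Ops Intent from the slide, transcribed as constructed data (no YAML library needed).
OPS_INTENT = {
    "web": {"security": [{"allow_ports": [5000, 443]}]},
    "db": {"security": [{"allow_ports": [3306], "from": "web"}]},
}

def compile_intent(intent):
    """Turn each tier's security intent into a policy: deny-all plus one allow per port."""
    policies = {}
    for group, spec in intent.items():
        rules = [Rule(1, "in", "tcp", ANY, ANY, "deny")]
        for entry in spec["security"]:
            for port in entry["allow_ports"]:
                rules.append(Rule(10, "in", "tcp", port, entry.get("from", ANY), "allow"))
        policies[group] = rules
    return policies

def _matches(rule, flow):
    # Protocol must match exactly; port and source group may be wildcards.
    return (rule.protocol == flow.protocol
            and rule.port in (ANY, flow.dst_port)
            and rule.from_group in (ANY, flow.src_group))

def evaluate(policies, flow):
    """'allow' or 'deny' for an inbound flow to flow.dst_group.

    A group without a policy is unrestricted (plain network connectivity). With a
    policy, the highest-priority matching 'in' rule wins; no matching rule means
    allow, which is why the explicit deny-all rule is needed."""
    rules = policies.get(flow.dst_group)
    if rules is None:
        return "allow"
    hits = [r for r in rules if r.direction == "in" and _matches(r, flow)]
    if not hits:
        return "allow"
    return max(hits, key=lambda r: r.priority).action
```

Because the deny-all rule is protocol-scoped, UDP traffic to the db group is not covered by it; a practitioner would add the matching UDP deny (or one per protocol the policy should close).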
Contiv is Microservices Ready
• Support for grouping Applications
  - Allows scale-out instances of container applications to be grouped together
  - Policies specified on a micro-service tier, rather than individual container workloads
• Efficient forwarding between Microservice tiers
  - Allows a fixed (DNS published) VIP for a micro-service
  - Containers within the micro-services can come and go
  - Their IP addresses are mapped to the service IP for east-west traffic
  - Eliminates single point of forwarding (proxy) between micro-service tiers
• Application visibility at service levels (across the cluster)
Diagram: Web Group -> App Group -> DB Group; allow grouping of containers/pods; specify policies between groups or from outside the network.
Elements of Contiv Networking
- Cluster-wide Connectivity
- Truly Multi-tenant
- Network Isolation
- Traffic Prioritization
- App-Composers Integrated
- Network Monitoring
- Scalable
- Physical Network Integration: ACI | Nexus Standalone
- Micro Services Ready
- Leverages NIC
- IPAM, Service Discovery
- High Throughput
Contiv Value Proposition
Go and test it (easy!): http://contiv.github.io
- Contiv releases: github.com/contiv/install/releases
- Documents: contiv.github.io
- Join Contiv Slack: contiv.herokuapp.com
- Contiv Blogs: blogs.cisco.com/tag/contiv
- Recorded demo: https://www.youtube.com/watch?v=55s4wAVbTM4
- Cisco DevNet community: https://developer.cisco.com/site/contiv/videos/index.gsp
- Contiv on Docker Store: https://store.docker.com/plugins/803eecee-0780-401a-a454-e9523ccf86b3?tab=description