
THE BRAINS OF THE NEW GLOBAL NETWORK

CALICO AND CONTAINERS – SIMPLE IP NETWORKING

Peter White, 19th March 2015

AGENDA

- A bit about Calico
  - what it is
  - motivation
  - how it works
  - what it does
- Containers with Calico

Metaswitch Networks | Proprietary and confidential | © 2014 | 2

WHAT IS CALICO?

- Open source (Apache licensed) project
- Networking of workloads in a data center / cloud environment
- Sponsored by Metaswitch


Simple: don't demand users to be networking experts
Scale:  thousands of servers, 100k's of workloads
Open:   open source and open standards

WHY SHOULD I CARE ABOUT NETWORKING?

- You shouldn't need to know or care!
  - (up to a point)
- Networking needs to just work and not get in the way
- But there's a risk that containers get as hard as VMs
  - and that is very very bad indeed


TRADITIONAL VIRTUALISED NETWORKING MODEL

Virtual L2 segments, implemented in software by virtual switch

[Diagram: three Linux hosts, each running a vSwitch; the vSwitches encapsulate and de-encapsulate tenant traffic (and flood it). Packet layout on the wire: Outer MAC | Outer IP | Outer UDP | VXLAN | VM MAC | VM IP | VM TCP/UDP | VM Data. Annotations: a router service is required to hop between tenants; NAT is required for public Internet access; an on/off-ramp is required to get to NAS, etc.]

THIS LEADS TO…

Virtual L2 segments, implemented in software by virtual switch

☹ Complexity
☹ Scale / performance issues
☹ Operational overhead
☹ Inefficient resource utilization
☹ Difficulty troubleshooting
☹ Demands placed on everybody to be networking experts


… It doesn’t have to be this way!


WHAT IF WE BUILT A DATA CENTER LIKE THE INTERNET?

[Diagram: eight hosts, each drawn as an IP stack with an App on top, attached to three routers; the routers exchange routes over BGP.]

WHAT IF WE BUILT A DATA CENTER LIKE THE INTERNET?

[Diagram: the same picture with compute nodes in place of plain hosts. Each compute node runs VMs / LXCs, every workload again drawn as IP + App; the compute nodes take part in BGP alongside the three routers.]

ADVANTAGES OF THE CALICO MODEL

- More scalable
  - Based on proven Internet-style architecture
- More efficient
  - Simplified data path between VMs and physical network
  - Equal Cost Multi-Path (ECMP) enables full utilization of physical links
- Easier to troubleshoot
  - Eliminates nested IP stacks needed for overlay-based networking
- More secure
  - Applies traffic isolation rules at both egress and ingress points
- More interoperable
  - Supports direct connectivity between VMs, Linux Containers (LXCs) and physical devices
  - Does not require "On/Off ramps" for non-virtualized network elements
- More robust
  - Load-balancing and resilience easily provided by Anycast
- More straightforward
  - 1:1 NAT and floating IPs are no longer strict requirements
- More distributable
  - Supports geographically distributed service chains straightforwardly


CONTAINERS VS. VMS

- We did it for OpenStack first
- But the same problems apply in container-land
  - Complexity
  - Diagnosability
  - Scale
  - Performance
- Only potentially much worse
  - More containers per host (100s, not 10s)
  - Shorter lifetimes (hours vs. days)


CONTAINERS WITH CALICO

- Each container gets an IP
- Each container gets a veth interface for that IP
- Routing "just happens"
  - Calico components program a route to that IP via the veth into the Linux kernel on the host
  - BGP distributes those routes between hosts, so every host knows which host owns each container IP
- ACLs are implemented using iptables / ipsets
  - For example, disallowing containers in tenant A from accessing containers in tenant B
  - For example, allowing incoming traffic based on source, port, protocol


WHAT DOES THIS LOOK LIKE TO AN ORCHESTRATOR?

- Install some Calico components
- When you create a container, assign an IP address
  - We use powerstrip (a pluggable Docker API proxy), so ordinary Docker commands just work
- Containers must be assigned to security groups
  - Simplified security model for now; underlying code supports more


WHAT DOES THIS LOOK LIKE TO A TENANT?

- Your containers each have an IP address
- All of your containers can contact one another
  - regardless of whether they are on the same host
  - but not containers of other tenants
  - more complex security models are supported by Calico

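The two slides above (the per-host mechanism on "Containers with Calico" and the tenant-visible result) can be put together in a small model. The Python below is an added example, not Calico's own code (that lives in the repositories listed under Resources): for one host it emits the /32 routes (local endpoints via their veth, remote endpoints via the owning host, which is what BGP carries between hosts), one ipset per tenant, and the iptables rules on each veth, then evaluates a packet against that rule set. The hosts, endpoints, veth names, the "tenant-<name>" ipset naming, the IngressRule type and the anti-spoofing rule on egress are all constructed for the example, not taken from the deck.

```python
# Added example, not Calico's own code: a toy model of what one Calico host
# programs for its containers (a /32 route per endpoint, one ipset per tenant,
# iptables rules on each veth) and how that rule set decides a packet.
# Hosts, endpoints, veth names, the "tenant-<name>" ipset names and the
# IngressRule type are all constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Host:
    name: str
    ip: str      # host address; the BGP next hop for the host's endpoints


@dataclass(frozen=True)
class Endpoint:
    name: str
    ip: str      # container IP, always routed as a /32
    host: str    # Host.name the container runs on
    veth: str    # host-side veth name (naming scheme assumed for the example)
    tenant: str  # security group the container was assigned to


@dataclass(frozen=True)
class IngressRule:
    """Extra allow into a tenant: from src_tenant, on protocol/port (None = any port)."""
    src_tenant: str
    protocol: str
    port: Optional[int] = None


Policy = Dict[str, List[IngressRule]]   # dst tenant -> explicit ingress allows


def routes_for_host(host: Host, hosts: List[Host], endpoints: List[Endpoint]) -> List[str]:
    """The /32 routes one host programs: local endpoints via their veth, remote
    endpoints via the owning host's address (the routes BGP carries between hosts)."""
    host_ip = {h.name: h.ip for h in hosts}
    cmds = []
    for ep in sorted(endpoints, key=lambda e: ipaddress.ip_address(e.ip)):
        if ep.host == host.name:
            cmds.append(f"ip route add {ep.ip}/32 dev {ep.veth}")
        else:
            cmds.append(f"ip route add {ep.ip}/32 via {host_ip[ep.host]}")
    return cmds


def acl_commands_for_host(host: Host, endpoints: List[Endpoint], policy: Policy) -> List[str]:
    """ipset + iptables commands for the endpoints local to `host`.
    Egress from a veth: drop anything not sourced from the endpoint's own IP
    (anti-spoofing), otherwise accept.  Ingress to a veth: accept same-tenant
    sources, then the tenant's explicit ingress allows, then drop."""
    cmds = []
    for t in sorted({e.tenant for e in endpoints}):
        cmds.append(f"ipset create tenant-{t} hash:ip")
        cmds += [f"ipset add tenant-{t} {e.ip}" for e in endpoints if e.tenant == t]
    for ep in endpoints:
        if ep.host != host.name:
            continue
        v, t = ep.veth, ep.tenant
        cmds.append(f"iptables -A FORWARD -i {v} ! -s {ep.ip} -j DROP")
        cmds.append(f"iptables -A FORWARD -i {v} -j ACCEPT")
        cmds.append(f"iptables -A FORWARD -o {v} -m set --match-set tenant-{t} src -j ACCEPT")
        for r in policy.get(t, []):
            port = f" --dport {r.port}" if r.port is not None else ""
            cmds.append(f"iptables -A FORWARD -o {v} -p {r.protocol}{port} "
                        f"-m set --match-set tenant-{r.src_tenant} src -j ACCEPT")
        cmds.append(f"iptables -A FORWARD -o {v} -j DROP")
    return cmds


def allowed(src: Endpoint, dst: Endpoint, protocol: str, dport: int,
            policy: Policy, src_ip: Optional[str] = None) -> bool:
    """Decide one packet from src to dst under the rule set above.  src_ip lets
    the caller model a container that forges its source address."""
    if (src_ip or src.ip) != src.ip:
        return False                 # anti-spoof rule on the source veth
    if src.tenant == dst.tenant:
        return True                  # same security group, whichever host
    for r in policy.get(dst.tenant, []):
        if r.src_tenant == src.tenant and r.protocol == protocol and r.port in (None, dport):
            return True
    return False


# Constructed sample topology: two hosts, two tenants, one cross-tenant allow.
HOSTS = [Host("host-a", "192.0.2.10"), Host("host-b", "192.0.2.11")]
WEB1 = Endpoint("web1", "10.0.0.1", "host-a", "cali-web1", "alpha")
DB1 = Endpoint("db1", "10.0.0.2", "host-b", "cali-db1", "alpha")
WEB2 = Endpoint("web2", "10.0.0.3", "host-b", "cali-web2", "beta")
ENDPOINTS = [WEB1, DB1, WEB2]
POLICY: Policy = {"alpha": [IngressRule("beta", "tcp", 80)]}   # beta -> alpha on tcp/80 only

if __name__ == "__main__":
    for cmd in routes_for_host(HOSTS[0], HOSTS, ENDPOINTS) + acl_commands_for_host(HOSTS[0], ENDPOINTS, POLICY):
        print(cmd)
```

Running it prints what host-a would program: a `dev cali-web1` route for its own container, `via 192.0.2.11` routes for the two containers on host-b, and the ipset/iptables lines for cali-web1 only. The anti-spoof rule is the check worth keeping in mind when reading "ACLs are implemented using iptables / ipsets": tenant membership is keyed on source IP, so the isolation only holds if a container cannot forge the source address of another tenant's endpoint.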

WHAT DOES THIS LOOK LIKE TO A DEVELOPER?

- Fire up an etcd cluster
- Download the Calico Docker binaries from GitHub
- Set up the hosts
  - under the covers, this fires up some Calico containers to do the work
  - these automatically download the main Calico code
- Start up containers as usual, with a new "CALICO_IP" argument
- Use a command line tool (or RESTful API) to configure groups and security


RESOURCES

- Main project website: www.projectcalico.org
- GitHub
  - https://github.com/Metaswitch/calico-docker
  - https://github.com/Metaswitch/calico
- Mailing list: http://lists.projectcalico.org/listinfo/calico
- Download and try it out
- We welcome your feedback and contributions
