Project Kuryr Docker delivered, Kubernetes Next!
Mohammad Banikazemi @MBanikazemi, Gal Sagie @GalSagie, Antoni Segura Puimedon @celebdor
What Are the Problems?
❏ Reinventing networking abstractions
❏ Changing and vendor-specific solutions
❏ Overlay2 for VM nested containers
  ❏ Performance, latency, SLA, management penalties
❏ Lack of isolation and policy level constructs
  ❏ Security
  ❏ 3-Tier Applications
❏ Hard to connect VMs, bare metal and nested containers
❏ No unified networking infrastructure
Kuryr Project Overview
❏ Open source
❏ Part of OpenStack Big-Tent
❏ Brings the Neutron networking model to containers
❏ Aims to support different Container Runtimes (docker, rkt, etc)
  ❏ E.g. Kubernetes, Mesos, Docker Swarm
❏ Weekly IRC meetings
❏ Working together with OpenStack community
  ❏ Neutron, Magnum, Kolla
Current Supported Features
❏ Utilizes Neutron and Keystone
❏ Supports Docker networking
  ❏ Network Plugin
  ❏ IPAM Plugin
❏ Allows for out-of-band use of Security Groups
❏ Supports use of existing Neutron resources
  ❏ Networks
  ❏ Subnets
  ❏ Load balancers
❏ Supports Docker Swarm
New features for containers
❏ Security Groups
❏ Subnet Pools
❏ NAT (SNAT / DNAT – Floating IP)
❏ Port Security (ARP Spoofing)
❏ QoS
❏ Quota Management
❏ Neutron pluggable IPAM
❏ Provide well-integrated COE Load balancing through Neutron
❏ FWaaS for Containers
❏ Plugging into existing Neutron networks
How to Use: Docker Native API
$ docker network create -d kuryr \
    --ipam-driver=kuryr \
    --subnet=10.10.0.0/24 \
    --gateway=10.10.0.1 mynet
08192d75a75a490163ac33434fb2c8a74a7841ad42abb985a1fdc7cde3c92f17

$ docker run -it --net=mynet alpine

$ neutron net-list
+--------------------------------------+--------------------+---------------------------------------------------+
| id                                   | name               | subnets                                           |
+--------------------------------------+--------------------+---------------------------------------------------+
| a747d101-eefb-4aa2-9575-9c7ad181f8e0 | kuryr-net-08192d75 | 42a8d0c5-687d-4284-ac3e-2db86f5579f6 10.10.0.0/24 |
+--------------------------------------+--------------------+---------------------------------------------------+

$ neutron net-show kuryr-net-08192d75
+---------------------------+----------------------------------------------------+
| Field                     | Value                                              |
+---------------------------+----------------------------------------------------+
| id                        | a747d101-eefb-4aa2-9575-9c7ad181f8e0               |
| name                      | kuryr-net-08192d75                                 |
| subnets                   | 42a8d0c5-687d-4284-ac3e-2db86f5579f6               |
| tags                      | kuryr.net.uuid.lh:08192d75a75a490163ac33434fb2c8a7 |
|                           | kuryr.net.uuid.uh:4a7841ad42abb985a1fdc7cde3c92f17 |
+---------------------------+----------------------------------------------------+
Behind the Scene: Neutron Network
❏ Neutron network tags: associate Neutron and Docker networks
Existing Neutron Networks
$ neutron net-create mynet
$ docker network create -d kuryr \
    --ipam-driver=kuryr \
    --subnet=10.10.0.0/24 \
    --gateway=10.10.0.1 \
    -o neutron.net.name=mynet \
    mynet_d

$ ID=$(neutron net-list | grep mynet \
    | awk '{print $2}')
$ docker network create -d kuryr \
    --ipam-driver=kuryr \
    --subnet=10.10.0.0/24 \
    --gateway=10.10.0.1 \
    -o neutron.net.uuid=$ID mynet_d

$ neutron net-show mynet
+---------------------------+----------------------------------------------------+
| Field                     | Value                                              |
+---------------------------+----------------------------------------------------+
| tags                      | kuryr.net.uuid.uh:4ca3f3fc3fc48a8c9cd902ed7508f1cd |
|                           | kuryr.net.uuid.lh:12f769bd2697f2200f27f60753bd5dad |
|                           | kuryr.net.existing                                 |
+---------------------------+----------------------------------------------------+
Existing Neutron Networks (Cont’d)
❏ Neutron tags added to the network
❏ Subnet, if existing, is used; otherwise it gets created
❏ Neutron network is not deleted upon deletion of Docker network
❏ If not using Mitaka release (i.e., Liberty or earlier):
  ❏ Neutron network name is modified
  ❏ Deleting Docker network → deletion of Neutron network if no ports
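To make the tag-based association from the "Behind the Scene" and "Existing Neutron Networks" slides concrete, here is an added Python example; it is not Kuryr's own code. It splits a Docker network ID into the two 32-character halves stored as the kuryr.net.uuid.lh / kuryr.net.uuid.uh tags seen in the net-show outputs (a tag value shorter than the full 64-character ID), resolves a Docker network back to its Neutron network by requiring both halves to match, and applies the deletion rule stated above: a pre-existing network tagged kuryr.net.existing is kept, a Kuryr-created one is removed only once no ports remain. The NeutronNetwork dataclass, the SAMPLE_NETWORKS list and the placeholder Neutron id for mynet are constructed for this example; the tag values and the Docker network ID are the ones printed in the slides.

```python
"""Kuryr-style association between Docker networks and Neutron networks via tags."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Tag prefixes as they appear in the slides' `neutron net-show` output.
TAG_LOWER_HALF = "kuryr.net.uuid.lh:"
TAG_UPPER_HALF = "kuryr.net.uuid.uh:"
TAG_EXISTING = "kuryr.net.existing"

# A Docker network ID is a 64-character lowercase hex string.
_DOCKER_NET_ID = re.compile(r"^[0-9a-f]{64}$")


@dataclass
class NeutronNetwork:
    """Constructed stand-in for a Neutron network record (id, name, tags)."""
    id: str
    name: str
    tags: List[str] = field(default_factory=list)


def docker_id_to_tags(docker_net_id: str) -> List[str]:
    """Split a Docker network ID into the two 32-char halves stored as Neutron tags.

    The tag values are later used as lookup keys, so a malformed ID is rejected
    instead of silently producing partial tags.
    """
    if not _DOCKER_NET_ID.match(docker_net_id):
        raise ValueError("expected a 64-character lowercase hex Docker network ID")
    return [TAG_LOWER_HALF + docker_net_id[:32], TAG_UPPER_HALF + docker_net_id[32:]]


def docker_id_from_tags(tags: List[str]) -> Optional[str]:
    """Reassemble the Docker network ID from a Neutron network's tags; None if a half is missing."""
    lower = upper = None
    for tag in tags:
        if tag.startswith(TAG_LOWER_HALF):
            lower = tag[len(TAG_LOWER_HALF):]
        elif tag.startswith(TAG_UPPER_HALF):
            upper = tag[len(TAG_UPPER_HALF):]
    if lower is None or upper is None:
        return None
    return lower + upper


def find_neutron_network(networks: List[NeutronNetwork],
                         docker_net_id: str) -> Optional[NeutronNetwork]:
    """Return the Neutron network carrying BOTH tag halves of the Docker network ID.

    Requiring both halves avoids matching on one shared half; more than one
    match means duplicated or tampered tags and is reported rather than guessed.
    """
    wanted = set(docker_id_to_tags(docker_net_id))
    matches = [net for net in networks if wanted.issubset(net.tags)]
    if len(matches) > 1:
        raise LookupError("ambiguous mapping: %d Neutron networks carry the same Kuryr tags"
                          % len(matches))
    return matches[0] if matches else None


def should_delete_neutron_network(net: NeutronNetwork, ports_in_use: int) -> bool:
    """Deletion rule from the slides: a pre-existing Neutron network (tagged
    kuryr.net.existing) is never deleted with the Docker network; a Kuryr-created
    one is deleted only when no Neutron ports remain on it."""
    if TAG_EXISTING in net.tags:
        return False
    return ports_in_use == 0


# Sample records reconstructed from the `neutron net-show` outputs in the slides.
SAMPLE_NETWORKS = [
    NeutronNetwork(
        id="a747d101-eefb-4aa2-9575-9c7ad181f8e0",
        name="kuryr-net-08192d75",
        tags=["kuryr.net.uuid.lh:08192d75a75a490163ac33434fb2c8a7",
              "kuryr.net.uuid.uh:4a7841ad42abb985a1fdc7cde3c92f17"],
    ),
    NeutronNetwork(
        id="NEUTRON-ID-OF-MYNET-PLACEHOLDER",  # placeholder: the slides do not show this id
        name="mynet",
        tags=["kuryr.net.uuid.uh:4ca3f3fc3fc48a8c9cd902ed7508f1cd",
              "kuryr.net.uuid.lh:12f769bd2697f2200f27f60753bd5dad",
              "kuryr.net.existing"],
    ),
]

# Docker network ID printed by `docker network create` in the slides.
DOCKER_NET_ID = "08192d75a75a490163ac33434fb2c8a74a7841ad42abb985a1fdc7cde3c92f17"

if __name__ == "__main__":
    net = find_neutron_network(SAMPLE_NETWORKS, DOCKER_NET_ID)
    print("Docker network %s... -> Neutron network %s" % (DOCKER_NET_ID[:12], net.name))
    for n in SAMPLE_NETWORKS:
        print(n.name, "docker id:", docker_id_from_tags(n.tags),
              "| delete with Docker network when 0 ports remain?",
              should_delete_neutron_network(n, 0))
```

Note that the existing-network case reassembles to a Docker ID the slides never print (the lh half followed by the uh half), which is exactly the reverse lookup a watcher needs when it only has the Neutron side of the mapping.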
Kubernetes Integration
❏ Secure connection to the Neutron API Server
  ❏ Kuryr watcher on admin/tenant machine
❏ Kuryr CNI plugin only communicates with K8s API
  ❏ Kubelet must already have a channel to the API
  ❏ Only performs the binding to the correct Neutron port
❏ Raven updates policy using Neutron
  ❏ Policy information gets translated into security groups
Packaging
❏ Automated container builds at https://hub.docker.com/r/kuryr/
  ❏ Libnetwork
  ❏ Raven
  ❏ Kubelet
❏ Kolla Integration
  ❏ Under review
❏ Distribution packaging with systemd unit files
  ❏ Debian
  ❏ RDO
❏ Heat Templates
❏ Magnum Integration
Kuryr Roadmap
❏ Newton cycle
  ❏ Kubernetes integration
    ❏ CNI and watcher parts upstreaming
    ❏ Policy support using security groups
  ❏ Nested containers and Magnum integration
  ❏ Neutron advanced services (FWaaS, VPNaaS)
  ❏ DNS integration and Port Forwarding
  ❏ Docker exposed ports
  ❏ Packaging and Deployment
  ❏ Mesos
Kuryr and Storage
❏ Kuryr as incubator for bringing native OpenStack services to containers
  ❏ Cinder
  ❏ Manila
  ❏ Swift
  ❏ Freezer
  ❏ Smaug
Join us! Be the Kuryr!
❏ Project Launchpad
  ❏ https://launchpad.net/kuryr
❏ Project Git Repository
  ❏ https://github.com/openstack/kuryr
❏ Weekly IRC Meeting
  ❏ http://eavesdrop.openstack.org/#Kuryr_Project_Meeting
❏ IRC
  ❏ #openstack-kuryr @ Freenode
❏ Mailing List
  ❏ [email protected] ([Neutron][Kuryr])
Join us! Be the Kuryr!
❏ Documentation
  ❏ http://docs.openstack.org/developer/kuryr
❏ Getting Started Blog posts
  ❏ http://galsagie.github.io/sdn/openstack/docker/kuryr/neutron/2015/08/24/kuryr-part1/
  ❏ http://galsagie.github.io/sdn/openstack/docker/kuryr/neutron/2015/10/10/kuryr-ovn/
  ❏ https://mbanikazemi.com/2016/01/07/docker-swarm-and-kuryr/