Lying, Cheating, and Winning with Containers in Networking

© 2016 Mesosphere, Inc. All Rights Reserved.

LYING, CHEATING, AND WINNING WITH CONTAINERS IN NETWORKING

1

Sargun Dhillon, 2016


WHO AM I?

2


WHO DO I WORK FOR?

3


DC/OS

4


NETWORKING

A HISTORY

5


IT, IN THE YEAR 2000

6

• Applications mostly client / server

• Mostly desktops, controlled by central IT

• Local storage, on-site

• Low bandwidth, high latency

© 2016 Mesosphere, Inc. All Rights Reserved. 7

The Transformation


OLD WORLD

8


NEW WORLD

9


BYOD: BRING YOUR OWN DEVICE

10

•Real gains by allowing employees to use their own device

•Productivity

•Morale

•Cost

•End node security problems


OLD WORLD

11


OLD WORLD

12


OLD WORLD

13


RISE OF SOFTWARE AS A SERVICE

14

•3rd Party provided apps:

•Hosted applications

•Hosted email

•Hosted file storage

•Elastic services for an elastic work force

•Amortization of cost over time


NEED

15

• More applications need to be hosted

• Better utilization of computer hardware

• Greater need for faster reactivity

• Greater need for “reliability”

• Greater need for elasticity

• Greater need for scalability


ENABLING TECHNOLOGIES

16

•Hardware-assisted virtualization

•Guest oblivious

•Paravirtualization

•Guest assisted

•Proprietary Storage Hardware

•Proprietary Networking Hardware


The Private “Cloud”


Networking’s Answer?


“Software Defined Networking”


Openflow









Never Panned out


Virtualization Kept Becoming More Common


And then something happened…



EXPLOSION OF THE SOFTWARE DEFINED NETWORKS

32

• Offerings

• Cisco Nexus

• Juniper Contrail

• Plumgrid

• Nuage

• Calico

• Also replicated state


And after a couple years…



(Or more generically, “containers”)


NETWORKING SOLUTIONS COMPARED

36

Containers:

•Calico

•Plumgrid

•Cisco Contiv

•Contrail

•Weave

Openstack:

•Calico

•Plumgrid

•Cisco Contiv

•Contrail

•Cisco Nexus 1000V


NETWORKING SOLUTIONS COMPARED

37

Containers:

•Calico

•Plumgrid

•Cisco Contiv

•Contrail

•Weave

Openstack:

•Calico

•Plumgrid

•Cisco Contiv

•Contrail

•Cisco Nexus 1000V


Containers are all about abstraction


Containers are UX


WHERE THE RUBBER MEETS THE ROAD

40

• Namespaces for abstraction

• Mount

• PID

• User

• UTS

• Network

• CGroups for resource isolation

• Memory

• Blkio

• CPU


MOUNT NAMESPACE

41


PID NAMESPACE

42


UTS NAMESPACE

43


NETWORK NAMESPACE

44


NETWORK NAMESPACE

45


NETWORK NAMESPACE

46


NETWORK NAMESPACE

47


NETWORK NAMESPACE

48


Somehow we brought the blight with us


Why do we need this abstraction?


Why do we need network namespaces at all?





Peering inside



Ok, so well, what’s some memory?


Performance


REDIS PERFORMANCE

59


MySQL Performance with Containers

0

75000

150000

225000

300000

Container-free Host Mode Bridged Overlay

Transactions / Sec


ENTER: CHECMATE

61

IPTables for sys calls


First try: LD_PRELOAD


How does connect() work?




How does connect() work on LD_PRELOAD?






…But no


Static Linking


What else is there?


This seems familiar


Something new


Something new(-ish)




EBPF: EXTENDED BERKELEY PACKET FILTER

79

• Stems from BPF (“port 80 and protocol tcp” look familiar)

• JIT’d to X86-64 code

• Or custom hardware (see Mellanox, Netronome)

• Safe

• No jumping backwards

• No unsafe access

• Programmed in C




Advanced Usecases


How do I prevent my containers from exhausting ephemeral ports?


IPTables?




Load Balancing



What about performance?


Redis Operations / Second

Ops/Sec

0 1250 2500 3750 5000

Bridged Checmate

More is better


Redis Latency

Milliseconds

0 0.55 1.1 1.65 2.2

Bridged Checmate

Less is better


What about debugging?


STANDARD BSD API

93

• getpeername() work

• Makes “ALGs” less relevant

• Makes connection-less protocols more sane

• recvfrom()

• sendto()



How long until this ends up in your living room datacentre?


Kernel Patches in Development


Interest in Developing Higher Level Language


Functional Programming?



More Natural


Need help with usecases, and testers


Development of Control Plane


Kernel Upgrades


What did we learn?


We’re probably doing it wrong (today)


The future looks bright


With programmable filtering, what would you do?

Technology

Lying, Cheating, and Winning with Containers in Networking