Metaswitch Project Calico


  • THE BRAINS OF THE NEW GLOBAL NETWORK

    CALICO AND CONTAINERS: SIMPLE IP NETWORKING

    Peter White, 19th March 2015

  • AGENDA

    - A bit about Calico: what it is, motivation, how it works, what it does
    - Containers with Calico

    Metaswitch Networks | Proprietary and confidential | 2014 | 2

  • WHAT IS CALICO?

    - Open source (Apache licensed) project
    - Networking of workloads in a data center / cloud environment
    - Sponsored by Metaswitch

    Simple: don't demand users to be networking experts
    Scale: thousands of servers, 100ks of workloads
    Open: open source and open standards

  • WHY SHOULD I CARE ABOUT NETWORKING?

    - You shouldn't need to know or care! (up to a point)
    - Networking needs to just work and not get in the way
    - But there's a risk that containers get as hard as VMs, and that is very very bad indeed

  • TRADITIONAL VIRTUALISED NETWORKING MODEL

    Virtual L2 segments, implemented in software by virtual switch

    [Diagram: three Linux hosts, each running a vSwitch, joined by VXLAN tunnels. The vSwitch does encap / de-encap (& flooding!); the encapsulated frame is Outer MAC / Outer IP / Outer UDP / VXLAN / VM MAC / VM IP / VM TCP/UDP / VM Data. A router service is required to hop between tenants; NAT is required for public Internet access; an on/off-ramp is required to get to NAS, etc.]

  • THIS LEADS TO

    - Complexity
    - Scale / performance issues
    - Operational overhead
    - Inefficient resource utilization
    - Difficulty troubleshooting
    - Demands placed on everybody to be networking experts

    It doesn't have to be this way!

  • WHAT IF WE BUILT A DATA CENTER LIKE THE INTERNET?

    [Diagram: hosts, each running an App directly on IP, connected to a fabric of Routers that exchange routes with BGP.]

  • WHAT IF WE BUILT A DATA CENTER LIKE THE INTERNET?

    [Diagram: the same picture applied to a data center. Each Compute Node hosts VMs / LXCs, each with its own IP and App, and the compute nodes peer with the fabric Routers over BGP.]

  • ADVANTAGES OF THE CALICO MODEL

    - More scalable: based on proven Internet-style architecture
    - More efficient: simplified data path between VMs and physical network; Equal Cost Multi-Path (ECMP) enables full utilization of physical links
    - Easier to troubleshoot: eliminates nested IP stacks needed for overlay-based networking
    - More secure: applies traffic isolation rules at both egress and ingress points
    - More interoperable: supports direct connectivity between VMs, Linux Containers (LXCs) and physical devices; does not require on/off ramps for non-virtualized network elements
    - More robust: load-balancing and resilience easily provided by Anycast
    - More straightforward: 1:1 NAT and floating IPs are no longer strict requirements
    - More distributable: supports geographically distributed service chains straightforwardly

  • CONTAINERS VS. VMS

    - We did it for OpenStack first
    - But the same problems apply in container-land: complexity, diagnosability, scale, performance
    - Only potentially much worse: more containers per host (100s, not 10s), shorter lifetimes (hours vs. days)

  • CONTAINERS WITH CALICO

    - Each container gets an IP
    - Each container gets a veth interface for that IP
    - Routing just happens
      - Calico components set up rules in the Linux kernel for the interface
      - BGP replicates those rules around between hosts
    - ACLs are implemented using iptables / ipsets
      - For example, disallowing containers in tenant A to access containers in tenant B
      - For example, allowing incoming traffic based on source, port, protocol
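As an added illustration of the iptables / ipsets ACL model on this slide, and of the "isolation rules at both egress and ingress points" advantage claimed earlier, the following script is example code, not Calico's own: it emits, for one container endpoint, the ipset and iptables commands that keep tenants apart and admit inbound traffic by source, port and protocol. The chain and set names, and the sample interface, tenant and addresses, are assumptions.

```shell
#!/bin/sh
# Added example, not Calico's own code: emit the ipset/iptables commands that
# enforce the tenant model on the slides for one container endpoint, with
# rules at both ingress (into the veth) and egress (out of the veth).
# Chain and set names are assumptions. Commands are printed, not applied,
# so they can be reviewed first; pipe the output to sh as root to apply.
#
# endpoint_rules IFACE TENANT IP [PROTO:PORT[:SRC_CIDR] ...]
#   e.g. endpoint_rules cali1 tenant-a 10.0.1.5 tcp:80 tcp:22:192.168.0.0/24
endpoint_rules() {
  iface=$1; tenant=$2; ip=$3; shift 3
  ipset_name="calico-${tenant}"      # every IP owned by this tenant
  to="calico-to-${iface}"            # ingress chain: traffic into the container
  from="calico-from-${iface}"        # egress chain: traffic out of the container

  # Tenant membership lives in an ipset, so no rule ever lists peers explicitly
  echo "ipset create ${ipset_name} hash:ip -exist"
  echo "ipset add ${ipset_name} ${ip} -exist"

  # Ingress: default deny; same-tenant sources allowed; explicit allow rules
  echo "iptables -N ${to}"
  echo "iptables -F ${to}"
  echo "iptables -A ${to} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A ${to} -m set --match-set ${ipset_name} src -j ACCEPT"
  for spec in "$@"; do              # PROTO:PORT[:SRC_CIDR], tcp or udp only
    proto=${spec%%:*}; rest=${spec#*:}; port=${rest%%:*}; src=${rest#*:}
    if [ "$src" = "$port" ]; then src="0.0.0.0/0"; fi   # no source given
    echo "iptables -A ${to} -p ${proto} --dport ${port} -s ${src} -j ACCEPT"
  done
  echo "iptables -A ${to} -j DROP"

  # Egress: the container may only source its own IP (anti-spoof) and may
  # only reach its own tenant; everything else is dropped
  echo "iptables -N ${from}"
  echo "iptables -F ${from}"
  echo "iptables -A ${from} ! -s ${ip} -j DROP"
  echo "iptables -A ${from} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A ${from} -m set --match-set ${ipset_name} dst -j ACCEPT"
  echo "iptables -A ${from} -j DROP"

  # Hook both chains off FORWARD for the container's veth interface
  echo "iptables -I FORWARD -o ${iface} -j ${to}"
  echo "iptables -I FORWARD -i ${iface} -j ${from}"
}

# Print the rule set for one endpoint (constructed sample values)
endpoint_rules cali1 tenant-a 10.0.1.5 tcp:80 tcp:22:192.168.0.0/24
```

Because every endpoint of a tenant shares one ipset, adding a container on any host only needs an `ipset add`; the per-interface chains never change when peers come and go.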

  • WHAT DOES THIS LOOK LIKE TO AN ORCHESTRATOR?

    - Install some Calico components
    - When you create a container, assign an IP address
      - We use powerstrip, so ordinary Docker commands just work
    - Containers must be assigned to security groups
      - Simplified security model for now; underlying code supports more

  • WHAT DOES THIS LOOK LIKE TO A TENANT?

    - Your containers each have an IP address
    - All of your containers can contact one another
      - regardless of whether they are on the same host
      - but not containers of other tenants
      - more complex security models are supported by Calico

  • WHAT DOES THIS LOOK LIKE TO A DEVELOPER?

    - Fire up an etcd cluster
    - Download the Calico Docker binaries from GitHub
    - Set up the hosts
      - under the covers, this fires up some Calico containers to do the work
      - these automatically download the main Calico code
    - Start up containers as usual, with a new CALICO_IP argument
    - Use a command line tool (or RESTful API) to configure groups and security

  • RESOURCES

    - Main project website: www.projectcalico.org
    - GitHub:
      - https://github.com/Metaswitch/calico-docker
      - https://github.com/Metaswitch/calico
    - Mailing list: http://lists.projectcalico.org/listinfo/calico
    - Download and try it out; we welcome your feedback and contributions