SlideShare ist ein Scribd-Unternehmen logo

Simplify Container Networking with iCAN

L
LinuxCon ContainerCon CloudOpen China

With the booming of Container technology, it brings obvious advantages for cloud: simple and faster deployment, portability and lightweight cost. But the networking challenges are significant. Users need to restructure their network and support container deployment with current cloud framework, like container and VMs. In this presentation, we will introduce new container networking solution, which provides one management framework to work with different network componenets through Open/friendly modelling mechnism. iCAN can simplify network deployment and management with most orchestration systems and a variety of data plane components, and design extendsible architect to define and validate Service Level Agreement(SLA) for cloud native applications, which is important factor for enterprise to deliver successful and stable service via containers.

Technologie
1 von 18
Downloaden Sie, um offline zu lesen
Simplify Container Networking With iCAN Huawei Cloud Network Lab
2 Container Network Defined By Application
3 “Application to Application” Monitoring : With the development of container technologies, the virtual network becomes more complex Lack of E-to-E monitoring causes no assurance of network quality and difficulties of troubleshooting Virtual network technologies based on software make flexible and customizable monitoring possible •Automation Deployment and Orchestration: Automate deploy resource for application based on Application SLA (bandwidth / delay / security) Compatible with SDN controller Need to deal with High Density Scale (10 x than VM) More diverse and heterogeneous container network solutions, but every solution only target to solve a single problem E-to-E SLA Assurance of the Container Network:. Hope to provide applications with controllable network quality based on container platforms and systems The flexibility of the virtual network make the control of network quality very difficult because of computing and I/O resources sharing between virtual network components and applications No single SLA model applicable for all scenarios What we face today
4 What we face today  Multiple tenants  Multiple Plane  Performance Isolation  Security Isolation  Network Policies Different COE Network abstractions Container Network Complicated Networking Varied Network Technologies &Implement Different Network Infrastructure  L2 / L3  Overlay  NAT  VLAN  BGP  VM s  Physical Host
5 Existing Container Network Solutions Solution Comparison Weave Flannel (CoreOS) Contiv on ACI (Cisco) Kuryr@Neutron (Midokura) Calico (Metaswitch) iCAN Basic Networking L3 Overlay L2+L3 Overlay L3 :software Overlay L2: ACI L2 via vSwitch L3(BGP) Flexible L2 or L3 Optimized stack for Container App Private UDP Tunnel VXLAN+ Private Tunnel No No Linux IP +BGP 1. Provide high performance tunnel and stack 2. Supported acceleration via customized protocl Isolation & Security Multi-tents, APP isolation, crypto No Tent isolation and security policies via ACI ; support firewall Rely on Neutron Rely Linux Capabilities 1. Multi-tents; 2. Support isolation via network and app, basic security; 3. Support firewall Monitoring No No Just monitor in the physical network, no monitor in the application network No No Provide monitoring capability from end to end Network SLA No No ACI can provide QoS via EPG; no SLA for App No No support (Proactive)SLA base application demanding and (Reactive SLA)
6 What is iCAN iCAN(intelligent ContAiner Network) is an open source project which provides an extensible framework to manage hybrid container network for Cloud Orchestration, define an operational mechanism to address SLA between application and infrastructure. Provide flexible framework to work with multiple network components , support on-demanding network plane for multi-tents and micro-services via rich modeling mechanisms. Implement multi dimension SLA management and monitoring including bandwidth, latency, drop rate, provide rich network polices for Orchestration with performance isolation and scheduling algorithm. Support both CNI and CNM interfaces for most Container Orchestration Platforms like Kubernetes, MESOS.
7 iCAN Key Features Agile Framework Support multiple Orchestration Platforms, Kubernetes, Rancher, Mesos Easily Network deployment via templates Selectable components with profiles to support different scenarios and performance Multi-dimension SLA& Security Performance Isolation with bandwidth, latency, drop rate(Proactive Network SLA and Reactive Network SLA ) Security Isolation: VLAN/VXLAN, ACL Rich Network Support Powerful network component modeling : SNC and Modeling via Yang Rich network schemes, support L2, Overlay, NAT, VLAN, L3, BGP, VPC Accelerated Network Stack Powerful Monitoring Implement “monitoring on-demand ”and “E-to-E monitoring” based on the topology Facilitate on-demand DSL based troubleshooting Cooperate with the SLA subsystem to assess the SLA quality
8 iCAN Overall Architecture Main components include: iCAN Master Controller : -Communicate with COE -Convert network requirement to topologies , policies and configurations through templates - define network policies , distribute them to each node. - analyze and trace network failure -Provide End-to-End network SLA for applications iCAN Local Agent : -Configure local network element -Deploy policies -Create network with isolation polices SNC Plug-in Network Driver: - Support abstract network topology definition to generate container networking data path. iCAN is composed of Controller Node and Local agent node. Controller node will responsible for communication with orchestration, local node will manage local network and plicies.
9 Modeling for Container Network-SNC  SNC upward links virtual network configuration of deployment template (flexible to make virtual network topo), downward provide united interface of plugin components  SNC Modeling can simplify network management :  Enhance network performance through replacing legacy components with high performance ones;  provide network solution suitable for application according users requirements with profiles;  Customize highly flexible network solution for users;  implement global network control and monitoring through the specifications of SNC interfaces, implement network SLA and optimization. South Bound Interfaces SNC Interfaces NETCONF Substitute Standard Component freely
10 SNC Components List Class SNC name Implementation Relative SNC Capability Operation Interface L2_IF MAC Eth0, Tap Port(1:1); L2_DEV(1:n); L3_DEV(1:n) Explicit; Implicit Statistics() L3_ADDR IPA IPv4, IPv6 Addresses L2_IF(1:n); L3_DEV(1:n) PAIRED_IF DM_IF Veth-pair; CETH-Pair Port(1:1) or Port(2:1) Port Port Port vPort L2_IF(1:1) Explicit; Implicit; Device L2_DEV L2_DEV br; macvlan; ovs; Port(n:1); L2_IF(n:1); ACL, QoS, monitor Filter(port, flow) Ratelimit(port, flow, bw) Shaping(port, flow, bw) GuaranteeBW(port, flow, bw) Prioritize(port, flow, prio) Monitor(port, flow, mon_obj) L3_DEV L3_DEV IP_Stack; vRouter; IPVLAN Port(n:1) L3_ADDR(n:1) ACL, QoS, monitor OpenFlow OFD OVS Port(n:1) L2_IF(n:1) L3_ADDR(n:1) ACL, QoS, monitor Tunnel TUN VXLAN; Flannel; GRE; IPsec L2_IF(1:1) or L2_IF(2:1) L3_ADDR(1:1) or L3_ADDR(2:1) Encap, Decap get_peer_tunnel() Service Firewall FW Firefly; Port(n:1) L2_IF(n:1) L3_ADDR(n:1) NAT Get_nat_rule(old_flow, &new_flow) LB LB BigIP, ELB; LB Get_lb_rule(old_flow, &new_flow) Socket Socket SK vSocket
11 Modeling for Container Network- YANG  Node of a network specifies inventories  Can be augmented with hardware/acceleration capability and statistical information for resource scheduling  Links and termination points define network or service topologies  Can be augmented with QoS, like level stats  One network can have one or more supporting networks  Vertical layering relationships between networks define mapping between layers Reference YANG Models for Network Node
12 Network SLA modeling  iCAN provides north bound interfaces for orchestration and applications to define their requirements through PG(Pod Group: a group of pods with the same functions), Linking (network requirement between PG) , SLA Service types and Service LB Type.  Given topology and link bandwidth, evaluate the offers when deploying pods. Essentially a evaluation for pod placement, and validate the deployment.  2-Tiers Network topology management Underlay Network(Stable and Predictable) and Overlay Network (Customizable and Dynamic)  Support: bandwidth, latency and drop rate  Bandwidth <5%  Latency <10%, more non-deterministic, affected by many factors such as queuing in software switch and hardware, application response, server IO, etc Web Web DB DB Web Internet 10Mbps (x3) 5Mbps (x6) Web Web DB DBInternet 10Mbps (x2) Latency: Low User 1 User 2 Polices Deployment Scheduler validation Convert link requirement to node requirement
13 Monitoring Bases Modeling Network Node Virtual Interface s Virtual Ports Virtual Network Device Physical NIC Physical Network Device • Bandwidth Capacity • Current Bandwidth • Runtime Status • Traffic Analysis Pod to Pod Pod to vNic vNic to vNic vNic to pNic pNic to pNic • E2E Latency • E2E Bandwidth • E2E PKT Loss Rate • Traffic Analysis Tunnel Network Performanc e View SLA Monitoring Network Topology View Monitoring Usage: Point Monitoringin Agent Node: E2E Monitoring Monitoring Data Source E2E Latency Provide UDP,TCP,ICMP based one way and two ways detection E2E Bandwidth Average single point data in central E2E PKT Loss Rate Compare single point data in central Traffic Analysis IP stack statisticprogram for local Pods Multiple steps efforts for cross hosts Point Monitor Item Monitoring Data Source Bandwidth Capacity •Between vNIC and pNIC, maximum is pNic Speed •Between vNic, no fixed upper limitation. Can calculate in static mode Current Bandwidth Single point interface RX/TX packets , bytes Runtime Status Single point interface RX/TX errors, dropped, overrun Traffic Analysis Traffic filter (collecting through enable all vPorts) End to End Monitoring in Master Node:
14 Case Study: Support with Flannel via SNC == High-level topology: +---+ +---------------------+ +----------+ +-----------------------+ | C <------| Link:VNIC-pair |-----> L2:SW <------| Overlay:Flannel |------> +---+ +---------------------+ +----------+ +-----------------------+ > interface < port == Operating abstraction: - CreateSubnet() -- get subnet information via etcd API - L2:SW.CreateDevice() => "l2_sw_dev" - L2:SW.CreatePort(port_L) - L2:SW.CreatePort(port_R) - Overlay:Flannel.CreateDevice() => "flannel_dev" - Overlay:Flannel.Connect(flannel_dev.inf_L, l2_sw_dev.port_R) - Overlay:Flannel.Connect(flannel_dev.inf_R, eth0) - Link:vNIC-pair.CreateDevice() => "link_dev" - Link:vNIC-pair.Connect(link_dev.inf_R, l2_sw_dev.port_L) L2-Device:vSw Overlay: flannelLink-Device: vNIC- pair Flannel Template Port_L Port_R SNC interfaces: /* L2:SW device definition */ { /* members */ string port[]; /* methods */ CreateDevice(); // creat L2:SW device CreatePort(string port_name); } /* Overlay:Flannel device definition */ { /* members */ string inf_L; string inf_R; /* methods */ CreateDevice(); Connect(string inf, string port); } /* Link:VNIC-pair device definition */ { /* members */ string inf_L; string inf_R; /* methods */ CreateDevice(); Connect(string inf, string port) }
15 Case Study: Deploy Cluster with iCAN  SNC based, each node deploys different network components via iCAN framework  High Performance: 10% higher throughput than flannel without optimization 0.42 0.36 0.33 0.28 0.28 0.55 0.69 0.67 0.65 0.62 0.71 0.78 0.78 0.7 0.65 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 2 4 10 16 throughout(Gbps) Docker container numbers (peers) 512-bytes packet throughput base on cross vm in same host Flannel-udp Flannel-vxlan ICAN Flannel with vxLAN iCAN with OVS-vxLAN  Remark: iCAN use OVS-VxLAN, while Flannel employ udp-private and kernel VxLAN Tunnel;
16 iCAN Control Plane Integrated with Openstack Local Node Kuberlet CANAL Agent C C C C C C CANAL Master Distributed KV store (etcd) Kubernetes Master Monitoring controller SLA Manager IPAM Neutron controller Openstack Neutron Server Kuryr Agent Control Node
17 Installation and Deployment  Download:  git clone https://github.com/Huawei/iCan Page 17
18 THANK YOU

Empfohlen

There is NO Open Source Business Model
There is NO Open Source Business ModelThere is NO Open Source Business Model
There is NO Open Source Business ModelLinuxCon ContainerCon CloudOpen China
 
OCI Support in Mesos
OCI Support in MesosOCI Support in Mesos
OCI Support in MesosLinuxCon ContainerCon CloudOpen China
 
Building a Better Thermostat
Building a Better ThermostatBuilding a Better Thermostat
Building a Better ThermostatLinuxCon ContainerCon CloudOpen China
 
Releasing a Distribution in the Age of DevOps.
Releasing a Distribution in the Age of DevOps. Releasing a Distribution in the Age of DevOps.
Releasing a Distribution in the Age of DevOps. LinuxCon ContainerCon CloudOpen China
 
点融网区块链即服务实践 - The Practice of Blockchain as a Service in Dianrong
点融网区块链即服务实践 - The Practice of Blockchain as a Service in Dianrong点融网区块链即服务实践 - The Practice of Blockchain as a Service in Dianrong
点融网区块链即服务实践 - The Practice of Blockchain as a Service in DianrongLinuxCon ContainerCon CloudOpen China
 
kdump: usage and_internals
kdump: usage and_internalskdump: usage and_internals
kdump: usage and_internalsLinuxCon ContainerCon CloudOpen China
 
High Performance Linux Virtual Machine on Microsoft Azure: SR-IOV Networking ...
High Performance Linux Virtual Machine on Microsoft Azure: SR-IOV Networking ...High Performance Linux Virtual Machine on Microsoft Azure: SR-IOV Networking ...
High Performance Linux Virtual Machine on Microsoft Azure: SR-IOV Networking ...LinuxCon ContainerCon CloudOpen China
 
Practical CNI
Practical CNIPractical CNI
Practical CNILinuxCon ContainerCon CloudOpen China
 

Empfohlen

There is NO Open Source Business Model
There is NO Open Source Business ModelThere is NO Open Source Business Model
There is NO Open Source Business ModelLinuxCon ContainerCon CloudOpen China
 
OCI Support in Mesos
OCI Support in MesosOCI Support in Mesos
OCI Support in MesosLinuxCon ContainerCon CloudOpen China
 
Building a Better Thermostat
Building a Better ThermostatBuilding a Better Thermostat
Building a Better ThermostatLinuxCon ContainerCon CloudOpen China
 
Releasing a Distribution in the Age of DevOps.
Releasing a Distribution in the Age of DevOps. Releasing a Distribution in the Age of DevOps.
Releasing a Distribution in the Age of DevOps. LinuxCon ContainerCon CloudOpen China
 
点融网区块链即服务实践 - The Practice of Blockchain as a Service in Dianrong
点融网区块链即服务实践 - The Practice of Blockchain as a Service in Dianrong点融网区块链即服务实践 - The Practice of Blockchain as a Service in Dianrong
点融网区块链即服务实践 - The Practice of Blockchain as a Service in DianrongLinuxCon ContainerCon CloudOpen China
 
kdump: usage and_internals
kdump: usage and_internalskdump: usage and_internals
kdump: usage and_internalsLinuxCon ContainerCon CloudOpen China
 
High Performance Linux Virtual Machine on Microsoft Azure: SR-IOV Networking ...
High Performance Linux Virtual Machine on Microsoft Azure: SR-IOV Networking ...High Performance Linux Virtual Machine on Microsoft Azure: SR-IOV Networking ...
High Performance Linux Virtual Machine on Microsoft Azure: SR-IOV Networking ...LinuxCon ContainerCon CloudOpen China
 
Practical CNI
Practical CNIPractical CNI
Practical CNILinuxCon ContainerCon CloudOpen China
 
GPU Acceleration for Containers on Intel Processor Graphics
GPU Acceleration for Containers on Intel Processor GraphicsGPU Acceleration for Containers on Intel Processor Graphics
GPU Acceleration for Containers on Intel Processor GraphicsLinuxCon ContainerCon CloudOpen China
 
Libvirt API Certification
Libvirt API CertificationLibvirt API Certification
Libvirt API CertificationLinuxCon ContainerCon CloudOpen China
 
Status of Embedded Linux
Status of Embedded LinuxStatus of Embedded Linux
Status of Embedded LinuxLinuxCon ContainerCon CloudOpen China
 
Hyperledger Technical Community in China.
Hyperledger Technical Community in China. Hyperledger Technical Community in China.
Hyperledger Technical Community in China. LinuxCon ContainerCon CloudOpen China
 
Obstacles & Solutions for Livepatch Support on ARM64 Architecture
Obstacles & Solutions for Livepatch Support on ARM64 ArchitectureObstacles & Solutions for Livepatch Support on ARM64 Architecture
Obstacles & Solutions for Livepatch Support on ARM64 ArchitectureLinuxCon ContainerCon CloudOpen China
 
LiteOS
LiteOS LiteOS
LiteOS LinuxCon ContainerCon CloudOpen China
 
OpenDaylight OpenStack Integration
OpenDaylight OpenStack IntegrationOpenDaylight OpenStack Integration
OpenDaylight OpenStack IntegrationLinuxCon ContainerCon CloudOpen China
 
Linux Kernel Development
Linux Kernel DevelopmentLinux Kernel Development
Linux Kernel DevelopmentLinuxCon ContainerCon CloudOpen China
 
OpenStack on AArch64
OpenStack on AArch64OpenStack on AArch64
OpenStack on AArch64LinuxCon ContainerCon CloudOpen China
 
Linuxcon secureefficientcontainerimagemanagementharbor
Linuxcon secureefficientcontainerimagemanagementharborLinuxcon secureefficientcontainerimagemanagementharbor
Linuxcon secureefficientcontainerimagemanagementharborLinuxCon ContainerCon CloudOpen China
 
Simplify Networking for Containers
Simplify Networking for ContainersSimplify Networking for Containers
Simplify Networking for ContainersLinuxCon ContainerCon CloudOpen China
 
Is there still room for innovation in container orchestration and scheduling
Is there still room for innovation in container orchestration and scheduling Is there still room for innovation in container orchestration and scheduling
Is there still room for innovation in container orchestration and scheduling LinuxCon ContainerCon CloudOpen China
 
64-bit ARM Unikernels on uKVM
64-bit ARM Unikernels on uKVM64-bit ARM Unikernels on uKVM
64-bit ARM Unikernels on uKVMLinuxCon ContainerCon CloudOpen China
 
Container Security
Container SecurityContainer Security
Container SecurityLinuxCon ContainerCon CloudOpen China
 
SecurityPI - Hardening your IoT endpoints in Home.
SecurityPI - Hardening your IoT endpoints in Home. SecurityPI - Hardening your IoT endpoints in Home.
SecurityPI - Hardening your IoT endpoints in Home. LinuxCon ContainerCon CloudOpen China
 
Get a Taste of 1 k+ Nodes by a Handful of Servers
Get a Taste of 1 k+ Nodes by a Handful of Servers Get a Taste of 1 k+ Nodes by a Handful of Servers
Get a Taste of 1 k+ Nodes by a Handful of Servers LinuxCon ContainerCon CloudOpen China
 
How Open Source Communities do Standardization
How Open Source Communities do StandardizationHow Open Source Communities do Standardization
How Open Source Communities do StandardizationLinuxCon ContainerCon CloudOpen China
 
Quickly Debug VM Failures in OpenStack
Quickly Debug VM Failures in OpenStackQuickly Debug VM Failures in OpenStack
Quickly Debug VM Failures in OpenStackLinuxCon ContainerCon CloudOpen China
 
Unikernelized Linux
Unikernelized LinuxUnikernelized Linux
Unikernelized LinuxLinuxCon ContainerCon CloudOpen China
 
Fully automated kubernetes deployment and management
Fully automated kubernetes deployment and managementFully automated kubernetes deployment and management
Fully automated kubernetes deployment and managementLinuxCon ContainerCon CloudOpen China
 
Scale Kubernetes to support 50000 services
Scale Kubernetes to support 50000 servicesScale Kubernetes to support 50000 services
Scale Kubernetes to support 50000 servicesLinuxCon ContainerCon CloudOpen China
 
Flowchain: A case study on building a Blockchain for the IoT
Flowchain: A case study on building a Blockchain for the IoTFlowchain: A case study on building a Blockchain for the IoT
Flowchain: A case study on building a Blockchain for the IoTLinuxCon ContainerCon CloudOpen China
 

Weitere ähnliche Inhalte

Andere mochten auch

Is there still room for innovation in container orchestration and scheduling
Is there still room for innovation in container orchestration and scheduling Is there still room for innovation in container orchestration and scheduling
Is there still room for innovation in container orchestration and scheduling LinuxCon ContainerCon CloudOpen China
 

Andere mochten auch (20)

GPU Acceleration for Containers on Intel Processor Graphics
GPU Acceleration for Containers on Intel Processor GraphicsGPU Acceleration for Containers on Intel Processor Graphics
GPU Acceleration for Containers on Intel Processor Graphics
 
Libvirt API Certification
Libvirt API CertificationLibvirt API Certification
Libvirt API Certification
 
Status of Embedded Linux
Status of Embedded LinuxStatus of Embedded Linux
Status of Embedded Linux
 
Hyperledger Technical Community in China.
Hyperledger Technical Community in China. Hyperledger Technical Community in China.
Hyperledger Technical Community in China.
 
Obstacles & Solutions for Livepatch Support on ARM64 Architecture
Obstacles & Solutions for Livepatch Support on ARM64 ArchitectureObstacles & Solutions for Livepatch Support on ARM64 Architecture
Obstacles & Solutions for Livepatch Support on ARM64 Architecture
 
LiteOS
LiteOS LiteOS
LiteOS
 
OpenDaylight OpenStack Integration
OpenDaylight OpenStack IntegrationOpenDaylight OpenStack Integration
OpenDaylight OpenStack Integration
 
Linux Kernel Development
Linux Kernel DevelopmentLinux Kernel Development
Linux Kernel Development
 
OpenStack on AArch64
OpenStack on AArch64OpenStack on AArch64
OpenStack on AArch64
 
Linuxcon secureefficientcontainerimagemanagementharbor
Linuxcon secureefficientcontainerimagemanagementharborLinuxcon secureefficientcontainerimagemanagementharbor
Linuxcon secureefficientcontainerimagemanagementharbor
 
Simplify Networking for Containers
Simplify Networking for ContainersSimplify Networking for Containers
Simplify Networking for Containers
 
Is there still room for innovation in container orchestration and scheduling
Is there still room for innovation in container orchestration and scheduling Is there still room for innovation in container orchestration and scheduling
Is there still room for innovation in container orchestration and scheduling
 
64-bit ARM Unikernels on uKVM
64-bit ARM Unikernels on uKVM64-bit ARM Unikernels on uKVM
64-bit ARM Unikernels on uKVM
 
Container Security
Container SecurityContainer Security
Container Security
 
SecurityPI - Hardening your IoT endpoints in Home.
SecurityPI - Hardening your IoT endpoints in Home. SecurityPI - Hardening your IoT endpoints in Home.
SecurityPI - Hardening your IoT endpoints in Home.
 
Get a Taste of 1 k+ Nodes by a Handful of Servers
Get a Taste of 1 k+ Nodes by a Handful of Servers Get a Taste of 1 k+ Nodes by a Handful of Servers
Get a Taste of 1 k+ Nodes by a Handful of Servers
 
How Open Source Communities do Standardization
How Open Source Communities do StandardizationHow Open Source Communities do Standardization
How Open Source Communities do Standardization
 
Quickly Debug VM Failures in OpenStack
Quickly Debug VM Failures in OpenStackQuickly Debug VM Failures in OpenStack
Quickly Debug VM Failures in OpenStack
 
Unikernelized Linux
Unikernelized LinuxUnikernelized Linux
Unikernelized Linux
 
Fully automated kubernetes deployment and management
Fully automated kubernetes deployment and managementFully automated kubernetes deployment and management
Fully automated kubernetes deployment and management
 

Mehr von LinuxCon ContainerCon CloudOpen China

Rebuild - Simplifying Embedded and IoT Development Using Linux Containers
Rebuild - Simplifying Embedded and IoT Development Using Linux ContainersRebuild - Simplifying Embedded and IoT Development Using Linux Containers
Rebuild - Simplifying Embedded and IoT Development Using Linux ContainersLinuxCon ContainerCon CloudOpen China
 
See what happened with real time kvm when building real time cloud pezhang@re...
See what happened with real time kvm when building real time cloud pezhang@re...See what happened with real time kvm when building real time cloud pezhang@re...
See what happened with real time kvm when building real time cloud pezhang@re...LinuxCon ContainerCon CloudOpen China
 

Mehr von LinuxCon ContainerCon CloudOpen China (13)

Scale Kubernetes to support 50000 services
Scale Kubernetes to support 50000 servicesScale Kubernetes to support 50000 services
Scale Kubernetes to support 50000 services
 
Flowchain: A case study on building a Blockchain for the IoT
Flowchain: A case study on building a Blockchain for the IoTFlowchain: A case study on building a Blockchain for the IoT
Flowchain: A case study on building a Blockchain for the IoT
 
Secure Containers with EPT Isolation
Secure Containers with EPT IsolationSecure Containers with EPT Isolation
Secure Containers with EPT Isolation
 
Open Source Software Business Models Redux
Open Source Software Business Models ReduxOpen Source Software Business Models Redux
Open Source Software Business Models Redux
 
Running Legacy Applications with Containers
Running Legacy Applications with ContainersRunning Legacy Applications with Containers
Running Legacy Applications with Containers
 
Introduction to OCI Image Technologies Serving Container
Introduction to OCI Image Technologies Serving ContainerIntroduction to OCI Image Technologies Serving Container
Introduction to OCI Image Technologies Serving Container
 
Rebuild - Simplifying Embedded and IoT Development Using Linux Containers
Rebuild - Simplifying Embedded and IoT Development Using Linux ContainersRebuild - Simplifying Embedded and IoT Development Using Linux Containers
Rebuild - Simplifying Embedded and IoT Development Using Linux Containers
 
Policy-based Resource Placement
Policy-based Resource PlacementPolicy-based Resource Placement
Policy-based Resource Placement
 
From Resilient to Antifragile Chaos Engineering Primer
From Resilient to Antifragile Chaos Engineering PrimerFrom Resilient to Antifragile Chaos Engineering Primer
From Resilient to Antifragile Chaos Engineering Primer
 
See what happened with real time kvm when building real time cloud pezhang@re...
See what happened with real time kvm when building real time cloud pezhang@re...See what happened with real time kvm when building real time cloud pezhang@re...
See what happened with real time kvm when building real time cloud pezhang@re...
 
UEFI HTTP/HTTPS Boot
UEFI HTTP/HTTPS BootUEFI HTTP/HTTPS Boot
UEFI HTTP/HTTPS Boot
 
Rethinking the OS
Rethinking the OSRethinking the OS
Rethinking the OS
 
Zephyr: Creating a Best-of-Breed, Secure RTOS for IoT
Zephyr: Creating a Best-of-Breed, Secure RTOS for IoTZephyr: Creating a Best-of-Breed, Secure RTOS for IoT
Zephyr: Creating a Best-of-Breed, Secure RTOS for IoT
 

Kürzlich hochgeladen

Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 

Kürzlich hochgeladen (20)

Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 

Simplify Container Networking with iCAN

  • 1. Simplify Container Networking With iCAN Huawei Cloud Network Lab
  • 3. 3 “Application to Application” Monitoring : With the development of container technologies, the virtual network becomes more complex Lack of E-to-E monitoring causes no assurance of network quality and difficulties of troubleshooting Virtual network technologies based on software make flexible and customizable monitoring possible •Automation Deployment and Orchestration: Automate deploy resource for application based on Application SLA (bandwidth / delay / security) Compatible with SDN controller Need to deal with High Density Scale (10 x than VM) More diverse and heterogeneous container network solutions, but every solution only target to solve a single problem E-to-E SLA Assurance of the Container Network:. Hope to provide applications with controllable network quality based on container platforms and systems The flexibility of the virtual network make the control of network quality very difficult because of computing and I/O resources sharing between virtual network components and applications No single SLA model applicable for all scenarios What we face today
  • 4. 4 What we face today  Multiple tenants  Multiple Plane  Performance Isolation  Security Isolation  Network Policies Different COE Network abstractions Container Network Complicated Networking Varied Network Technologies &Implement Different Network Infrastructure  L2 / L3  Overlay  NAT  VLAN  BGP  VM s  Physical Host
  • 5. 5 Existing Container Network Solutions Solution Comparison Weave Flannel (CoreOS) Contiv on ACI (Cisco) Kuryr@Neutron (Midokura) Calico (Metaswitch) iCAN Basic Networking L3 Overlay L2+L3 Overlay L3 :software Overlay L2: ACI L2 via vSwitch L3(BGP) Flexible L2 or L3 Optimized stack for Container App Private UDP Tunnel VXLAN+ Private Tunnel No No Linux IP +BGP 1. Provide high performance tunnel and stack 2. Supported acceleration via customized protocl Isolation & Security Multi-tents, APP isolation, crypto No Tent isolation and security policies via ACI ; support firewall Rely on Neutron Rely Linux Capabilities 1. Multi-tents; 2. Support isolation via network and app, basic security; 3. Support firewall Monitoring No No Just monitor in the physical network, no monitor in the application network No No Provide monitoring capability from end to end Network SLA No No ACI can provide QoS via EPG; no SLA for App No No support (Proactive)SLA base application demanding and (Reactive SLA)
  • 6. 6 What is iCAN iCAN(intelligent ContAiner Network) is an open source project which provides an extensible framework to manage hybrid container network for Cloud Orchestration, define an operational mechanism to address SLA between application and infrastructure. Provide flexible framework to work with multiple network components , support on-demanding network plane for multi-tents and micro-services via rich modeling mechanisms. Implement multi dimension SLA management and monitoring including bandwidth, latency, drop rate, provide rich network polices for Orchestration with performance isolation and scheduling algorithm. Support both CNI and CNM interfaces for most Container Orchestration Platforms like Kubernetes, MESOS.
  • 7. 7 iCAN Key Features Agile Framework Support multiple Orchestration Platforms, Kubernetes, Rancher, Mesos Easily Network deployment via templates Selectable components with profiles to support different scenarios and performance Multi-dimension SLA& Security Performance Isolation with bandwidth, latency, drop rate(Proactive Network SLA and Reactive Network SLA ) Security Isolation: VLAN/VXLAN, ACL Rich Network Support Powerful network component modeling : SNC and Modeling via Yang Rich network schemes, support L2, Overlay, NAT, VLAN, L3, BGP, VPC Accelerated Network Stack Powerful Monitoring Implement “monitoring on-demand ”and “E-to-E monitoring” based on the topology Facilitate on-demand DSL based troubleshooting Cooperate with the SLA subsystem to assess the SLA quality
  • 8. 8 iCAN Overall Architecture Main components include: iCAN Master Controller : -Communicate with COE -Convert network requirement to topologies , policies and configurations through templates - define network policies , distribute them to each node. - analyze and trace network failure -Provide End-to-End network SLA for applications iCAN Local Agent : -Configure local network element -Deploy policies -Create network with isolation polices SNC Plug-in Network Driver: - Support abstract network topology definition to generate container networking data path. iCAN is composed of Controller Node and Local agent node. Controller node will responsible for communication with orchestration, local node will manage local network and plicies.
  • 9. 9 Modeling for Container Network-SNC  SNC upward links virtual network configuration of deployment template (flexible to make virtual network topo), downward provide united interface of plugin components  SNC Modeling can simplify network management :  Enhance network performance through replacing legacy components with high performance ones;  provide network solution suitable for application according users requirements with profiles;  Customize highly flexible network solution for users;  implement global network control and monitoring through the specifications of SNC interfaces, implement network SLA and optimization. South Bound Interfaces SNC Interfaces NETCONF Substitute Standard Component freely
  • 10. 10 SNC Components List Class SNC name Implementation Relative SNC Capability Operation Interface L2_IF MAC Eth0, Tap Port(1:1); L2_DEV(1:n); L3_DEV(1:n) Explicit; Implicit Statistics() L3_ADDR IPA IPv4, IPv6 Addresses L2_IF(1:n); L3_DEV(1:n) PAIRED_IF DM_IF Veth-pair; CETH-Pair Port(1:1) or Port(2:1) Port Port Port vPort L2_IF(1:1) Explicit; Implicit; Device L2_DEV L2_DEV br; macvlan; ovs; Port(n:1); L2_IF(n:1); ACL, QoS, monitor Filter(port, flow) Ratelimit(port, flow, bw) Shaping(port, flow, bw) GuaranteeBW(port, flow, bw) Prioritize(port, flow, prio) Monitor(port, flow, mon_obj) L3_DEV L3_DEV IP_Stack; vRouter; IPVLAN Port(n:1) L3_ADDR(n:1) ACL, QoS, monitor OpenFlow OFD OVS Port(n:1) L2_IF(n:1) L3_ADDR(n:1) ACL, QoS, monitor Tunnel TUN VXLAN; Flannel; GRE; IPsec L2_IF(1:1) or L2_IF(2:1) L3_ADDR(1:1) or L3_ADDR(2:1) Encap, Decap get_peer_tunnel() Service Firewall FW Firefly; Port(n:1) L2_IF(n:1) L3_ADDR(n:1) NAT Get_nat_rule(old_flow, &new_flow) LB LB BigIP, ELB; LB Get_lb_rule(old_flow, &new_flow) Socket Socket SK vSocket
  • 11. 11 Modeling for Container Network- YANG  Node of a network specifies inventories  Can be augmented with hardware/acceleration capability and statistical information for resource scheduling  Links and termination points define network or service topologies  Can be augmented with QoS, like level stats  One network can have one or more supporting networks  Vertical layering relationships between networks define mapping between layers Reference YANG Models for Network Node
  • 12. 12 Network SLA modeling  iCAN provides north bound interfaces for orchestration and applications to define their requirements through PG(Pod Group: a group of pods with the same functions), Linking (network requirement between PG) , SLA Service types and Service LB Type.  Given topology and link bandwidth, evaluate the offers when deploying pods. Essentially a evaluation for pod placement, and validate the deployment.  2-Tiers Network topology management Underlay Network(Stable and Predictable) and Overlay Network (Customizable and Dynamic)  Support: bandwidth, latency and drop rate  Bandwidth <5%  Latency <10%, more non-deterministic, affected by many factors such as queuing in software switch and hardware, application response, server IO, etc Web Web DB DB Web Internet 10Mbps (x3) 5Mbps (x6) Web Web DB DBInternet 10Mbps (x2) Latency: Low User 1 User 2 Polices Deployment Scheduler validation Convert link requirement to node requirement
  • 13. 13 Monitoring Bases Modeling Network Node Virtual Interface s Virtual Ports Virtual Network Device Physical NIC Physical Network Device • Bandwidth Capacity • Current Bandwidth • Runtime Status • Traffic Analysis Pod to Pod Pod to vNic vNic to vNic vNic to pNic pNic to pNic • E2E Latency • E2E Bandwidth • E2E PKT Loss Rate • Traffic Analysis Tunnel Network Performanc e View SLA Monitoring Network Topology View Monitoring Usage: Point Monitoringin Agent Node: E2E Monitoring Monitoring Data Source E2E Latency Provide UDP,TCP,ICMP based one way and two ways detection E2E Bandwidth Average single point data in central E2E PKT Loss Rate Compare single point data in central Traffic Analysis IP stack statisticprogram for local Pods Multiple steps efforts for cross hosts Point Monitor Item Monitoring Data Source Bandwidth Capacity •Between vNIC and pNIC, maximum is pNic Speed •Between vNic, no fixed upper limitation. Can calculate in static mode Current Bandwidth Single point interface RX/TX packets , bytes Runtime Status Single point interface RX/TX errors, dropped, overrun Traffic Analysis Traffic filter (collecting through enable all vPorts) End to End Monitoring in Master Node:
  • 14. 14 Case Study: Support with Flannel via SNC == High-level topology: +---+ +---------------------+ +----------+ +-----------------------+ | C <------| Link:VNIC-pair |-----> L2:SW <------| Overlay:Flannel |------> +---+ +---------------------+ +----------+ +-----------------------+ > interface < port == Operating abstraction: - CreateSubnet() -- get subnet information via etcd API - L2:SW.CreateDevice() => "l2_sw_dev" - L2:SW.CreatePort(port_L) - L2:SW.CreatePort(port_R) - Overlay:Flannel.CreateDevice() => "flannel_dev" - Overlay:Flannel.Connect(flannel_dev.inf_L, l2_sw_dev.port_R) - Overlay:Flannel.Connect(flannel_dev.inf_R, eth0) - Link:vNIC-pair.CreateDevice() => "link_dev" - Link:vNIC-pair.Connect(link_dev.inf_R, l2_sw_dev.port_L) L2-Device:vSw Overlay: flannelLink-Device: vNIC- pair Flannel Template Port_L Port_R SNC interfaces: /* L2:SW device definition */ { /* members */ string port[]; /* methods */ CreateDevice(); // creat L2:SW device CreatePort(string port_name); } /* Overlay:Flannel device definition */ { /* members */ string inf_L; string inf_R; /* methods */ CreateDevice(); Connect(string inf, string port); } /* Link:VNIC-pair device definition */ { /* members */ string inf_L; string inf_R; /* methods */ CreateDevice(); Connect(string inf, string port) }
  • 15. 15 Case Study: Deploy Cluster with iCAN  SNC based, each node deploys different network components via iCAN framework  High Performance: 10% higher throughput than flannel without optimization 0.42 0.36 0.33 0.28 0.28 0.55 0.69 0.67 0.65 0.62 0.71 0.78 0.78 0.7 0.65 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 2 4 10 16 throughout(Gbps) Docker container numbers (peers) 512-bytes packet throughput base on cross vm in same host Flannel-udp Flannel-vxlan ICAN Flannel with vxLAN iCAN with OVS-vxLAN  Remark: iCAN use OVS-VxLAN, while Flannel employ udp-private and kernel VxLAN Tunnel;
  • 16. 16 iCAN Control Plane Integrated with Openstack Local Node Kuberlet CANAL Agent C C C C C C CANAL Master Distributed KV store (etcd) Kubernetes Master Monitoring controller SLA Manager IPAM Neutron controller Openstack Neutron Server Kuryr Agent Control Node
  • 17. 17 Installation and Deployment  Download:  git clone https://github.com/Huawei/iCan Page 17