THE BRAINS OF THE NEW GLOBAL NETWORK
CALICO AND CONTAINERS – SIMPLE IP NETWORKING
Peter White, 19th March 2015
AGENDA
- A bit about Calico
  - what it is
  - motivation
  - how it works
  - what it does
- Containers with Calico
Metaswitch Networks | Proprietary and confidential | © 2014 | 2
WHAT IS CALICO?
- Open source (Apache licensed) project
- Networking of workloads in a data center / cloud environment
- Sponsored by Metaswitch

Three design goals:
- Simple: don’t demand users to be networking experts
- Scale: thousands of servers, 100k’s of workloads
- Open: open source and open standards
WHY SHOULD I CARE ABOUT NETWORKING?
- You shouldn’t need to know or care!
  - (up to a point)
- Networking needs to just work and not get in the way
- But there’s a risk that containers get as hard as VMs
  - and that is very very bad indeed
TRADITIONAL VIRTUALISED NETWORKING MODEL
Virtual L2 segments, implemented in software by a virtual switch.

[Diagram: three Linux hosts, each running a vSwitch that does encap / de-encap (& flooding!). Frame on the wire, outer to inner: Outer MAC | Outer IP | Outer UDP | VXLAN | VM MAC | VM IP | VM TCP/UDP | VM Data.]

Callouts on the diagram:
- Router service required to hop between tenants
- NAT required for public Internet access
- On/off-ramp required to get to NAS, etc.

THIS LEADS TO…
☹ Complexity
☹ Scale / performance issues
☹ Operational overhead
☹ Inefficient resource utilization
☹ Difficulty troubleshooting
☹ Demands placed on everybody to be networking experts
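To make the per-packet cost in that diagram concrete, here is an added example (not code from the slides or from the Calico project) that builds and unpacks exactly the stack shown: Outer MAC | Outer IP | Outer UDP | VXLAN | VM frame. VXLAN over IPv4 adds 50 bytes to every frame (14 + 20 + 8 + 8; more with an outer VLAN tag or IPv6 outer), so a 1500-byte VM frame needs 1550 bytes on the wire or the VM MTU has to be lowered. In the Calico model the workload's IP packet is forwarded unchanged. The MACs, addresses and VNI below are constructed sample values.

```python
"""Added example: VXLAN encapsulation / decapsulation of a VM frame.
Not from the slides or the Calico project; sample values are constructed."""
from __future__ import annotations

import socket
import struct

ETH_LEN, IPV4_LEN, UDP_LEN, VXLAN_LEN = 14, 20, 8, 8   # fixed-size headers, no options
VXLAN_OVERHEAD = ETH_LEN + IPV4_LEN + UDP_LEN + VXLAN_LEN  # 50 bytes added per packet
VXLAN_UDP_PORT = 4789                                   # IANA-assigned VXLAN port
VXLAN_FLAG_VNI_VALID = 0x08                             # the "I" flag in the VXLAN header


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ethernet_header(src_mac: bytes, dst_mac: bytes, ethertype: int = 0x0800) -> bytes:
    return dst_mac + src_mac + struct.pack("!H", ethertype)


def ipv4_header(src_ip: str, dst_ip: str, proto: int, payload_len: int) -> bytes:
    """Minimal IPv4 header: no options, DF set, TTL 64, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_LEN + payload_len, 0, 0x4000,
                      64, proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def vxlan_encap(vni: int, inner_frame: bytes, tunnel_src: str, tunnel_dst: str,
                src_mac: bytes, dst_mac: bytes, src_port: int = 49152) -> bytes:
    """Wrap a VM's Ethernet frame in Outer MAC | Outer IP | Outer UDP | VXLAN."""
    vxlan = struct.pack("!BBHI", VXLAN_FLAG_VNI_VALID, 0, 0, vni << 8)  # VNI in top 24 bits
    udp_len = UDP_LEN + VXLAN_LEN + len(inner_frame)
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)   # zero UDP checksum
    return (ethernet_header(src_mac, dst_mac)
            + ipv4_header(tunnel_src, tunnel_dst, 17, udp_len)
            + udp + vxlan + inner_frame)


def vxlan_decap(frame: bytes) -> tuple[int, bytes]:
    """Strip the outer stack and return (vni, inner VM frame).
    Raises ValueError for anything that is not VXLAN over IPv4/UDP."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("outer frame is not IPv4")
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    if frame[ETH_LEN + 9] != 17:
        raise ValueError("outer packet is not UDP")
    if ip_checksum(frame[ETH_LEN:ETH_LEN + ihl]) != 0:
        raise ValueError("bad outer IPv4 checksum")
    udp_off = ETH_LEN + ihl
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", frame[udp_off:udp_off + UDP_LEN])
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError("not the VXLAN UDP port")
    vx_off = udp_off + UDP_LEN
    flags, vni_field = struct.unpack("!B3xI", frame[vx_off:vx_off + VXLAN_LEN])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set")
    inner = frame[vx_off + VXLAN_LEN:udp_off + udp_len]
    return vni_field >> 8, inner


def sample_vm_frame() -> bytes:
    """Constructed VM-to-VM frame: VM MAC | VM IP | VM UDP | VM Data."""
    payload = b"hello from vm"
    udp = struct.pack("!HHHH", 40000, 53, UDP_LEN + len(payload), 0)
    return (ethernet_header(b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02")
            + ipv4_header("10.1.0.1", "10.1.0.2", 17, len(udp) + len(payload))
            + udp + payload)


if __name__ == "__main__":
    vm = sample_vm_frame()
    wire = vxlan_encap(42, vm, "10.0.0.1", "10.0.0.2",
                       b"\x00\x11\x22\x33\x44\x55", b"\x00\x11\x22\x33\x44\x66")
    print("VM frame:", len(vm), "bytes; on the wire:", len(wire), "bytes")
    print("decapsulated:", vxlan_decap(wire) == (42, vm))
```

The decapsulator checks the outer IPv4 checksum, the UDP port and the VXLAN I flag before trusting the inner frame; a real VTEP also has to decide which tenant the VNI maps to, which is the point at which the "router service to hop between tenants" and the NAT off-ramps in the diagram become necessary.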
… It doesn’t have to be this way!
WHAT IF WE BUILT A DATA CENTER LIKE THE INTERNET?

[Diagram: a row of hosts, each an IP stack with an App on top, attached to routers that exchange routes with each other over BGP.]

[Diagram, same title: the hosts are now compute nodes running VMs / LXCs, each VM or container with its own IP stack and App; the compute nodes speak BGP to the routers exactly as the hosts did in the previous picture.]
ADVANTAGES OF THE CALICO MODEL
- More scalable
  - Based on proven Internet-style architecture
- More efficient
  - Simplified data path between VMs and physical network
  - Equal Cost Multi-Path (ECMP) enables full utilization of physical links
- Easier to troubleshoot
  - Eliminates nested IP stacks needed for overlay-based networking
- More secure
  - Applies traffic isolation rules at both egress and ingress points
- More interoperable
  - Supports direct connectivity between VMs, Linux Containers (LXCs) and physical devices
  - Does not require “On/Off ramps” for non-virtualized network elements
- More robust
  - Load-balancing and resilience easily provided by Anycast
- More straightforward
  - 1:1 NAT and floating IPs are no longer strict requirements
- More distributable
  - Supports geographically distributed service chains straightforwardly
CONTAINERS VS. VMS
- We did it for OpenStack first
- But the same problems apply in container-land
  - Complexity
  - Diagnosability
  - Scale
  - Performance
- Only potentially much worse
  - More containers per host (100s, not 10s)
  - Shorter lifetimes (hours vs. days)
CONTAINERS WITH CALICO
- Each container gets an IP
- Each container gets a veth interface for that IP
- Routing “just happens”
  - Calico components set up a route in the Linux kernel to the interface
  - BGP distributes those routes between hosts
- ACLs are implemented using iptables / ipsets
  - For example, disallowing containers in tenant A from accessing containers in tenant B
  - For example, allowing incoming traffic based on source, port, protocol
WHAT DOES THIS LOOK LIKE TO AN ORCHESTRATOR?
- Install some Calico components
- When you create a container, assign an IP address
  - We use powerstrip, so ordinary Docker commands just work
- Containers must be assigned to security groups
  - Simplified security model for now; underlying code supports more
WHAT DOES THIS LOOK LIKE TO A TENANT?
- Your containers each have an IP address
- All of your containers can contact one another
  - regardless of whether they are on the same host
  - but not containers of other tenants
  - more complex security models are supported by Calico
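The following is an added example, not code from the slides or from the Calico project, that models what the per-host agent has to program for the “Containers with Calico” slide and the security-group model described in the orchestrator and tenant slides: a /32 route to each local container via its veth and to each remote container via the owning host (the routes BGP carries around), one ipset per security group, and iptables-style rules for the simplified model (same group allowed, explicit inbound rules allowed, everything else dropped). The anti-spoof rule on each container's veth is added here to illustrate isolation applied at egress as well as ingress. The hosts, addresses, group names, `cali-*` interface names and `calico-in-*` chain names are constructed for the example.

```python
"""Added example, not Calico's own code: a toy model of the routes, ipsets and
iptables rules a host derives from an etcd-like workload directory.
All names and addresses below are constructed sample data."""
from __future__ import annotations

from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional


class Workload(NamedTuple):
    name: str
    host: str
    ip: str
    group: str
    veth: str  # host-side veth name (assumed naming)


HOSTS = {"host1": "10.0.0.1", "host2": "10.0.0.2"}   # host name -> host address
WORKLOADS = [
    Workload("a1", "host1", "192.168.0.11", "tenantA", "cali-a1"),
    Workload("a2", "host2", "192.168.0.12", "tenantA", "cali-a2"),
    Workload("b1", "host1", "192.168.0.21", "tenantB", "cali-b1"),
    Workload("web", "host2", "192.168.0.30", "web", "cali-web"),
]
# Extra inbound rules per group as (source, protocol, port); the source is a
# group name or a CIDR. Members of a group can always reach each other.
INBOUND = {"web": [("0.0.0.0/0", "tcp", 80), ("tenantA", "tcp", 8080)]}


def host_routes(host: str) -> list[str]:
    """Routes one host installs: local /32s point at the veth, remote /32s at the
    owning host's address, which is the next hop BGP advertises for them."""
    routes = []
    for w in WORKLOADS:
        if w.host == host:
            routes.append(f"{w.ip}/32 dev {w.veth}")
        else:
            routes.append(f"{w.ip}/32 via {HOSTS[w.host]}")
    return routes


def ipsets() -> dict[str, set[str]]:
    """One ipset per security group holding the members' IPs."""
    sets: dict[str, set[str]] = {}
    for w in WORKLOADS:
        sets.setdefault(w.group, set()).add(w.ip)
    return sets


def iptables_rules(host: str) -> list[str]:
    """iptables-save style rules for one host (chain names are assumed)."""
    rules = []
    for w in WORKLOADS:
        if w.host != host:
            continue
        # Egress from the container: drop anything not sourced from its own IP.
        rules.append(f"-A FORWARD -i {w.veth} ! -s {w.ip}/32 -j DROP")
        # Ingress to the container: hand off to its group's chain.
        rules.append(f"-A FORWARD -o {w.veth} -j calico-in-{w.group}")
    groups = ipsets()
    for group in sorted(groups):
        chain = f"calico-in-{group}"
        rules.append(f"-A {chain} -m set --match-set {group} src -j ACCEPT")
        for src, proto, port in INBOUND.get(group, []):
            match = (f"-m set --match-set {src} src" if src in groups else f"-s {src}")
            rules.append(f"-A {chain} {match} -p {proto} --dport {port} -j ACCEPT")
        rules.append(f"-A {chain} -j DROP")
    return rules


def allowed(src_ip: str, dst_ip: str, proto: str, dport: int,
            in_veth: Optional[str] = None) -> bool:
    """Would the model accept this packet? Pass in_veth when the packet came from
    a local container so the anti-spoof check can run."""
    if in_veth is not None:
        sender = next(w for w in WORKLOADS if w.veth == in_veth)
        if sender.ip != src_ip:
            return False                     # spoofed source address
    dst = next((w for w in WORKLOADS if w.ip == dst_ip), None)
    if dst is None:
        return True                          # not a workload here; the toy model lets it out
    groups = ipsets()
    if src_ip in groups[dst.group]:
        return True                          # same security group
    for src, p, port in INBOUND.get(dst.group, []):
        if p != proto or port != dport:
            continue
        if src in groups and src_ip in groups[src]:
            return True
        if src not in groups and ip_address(src_ip) in ip_network(src):
            return True
    return False                             # chain's final DROP


if __name__ == "__main__":
    for host in HOSTS:
        print(f"# {host}")
        print("\n".join(host_routes(host)))
        print("\n".join(iptables_rules(host)))
    print("A -> A:", allowed("192.168.0.11", "192.168.0.12", "tcp", 22))
    print("A -> B:", allowed("192.168.0.11", "192.168.0.21", "tcp", 22))
```

The rule generator emits text rather than calling `iptables`, so it runs unprivileged; what it shows is the shape of the policy, not the real agent's chains. The evaluator answers the same question the generated FORWARD chain would, which makes cross-tenant reachability and the public-port exception testable before anything is programmed into a kernel.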
WHAT DOES THIS LOOK LIKE TO A DEVELOPER?
- Fire up an etcd cluster
- Download the Calico Docker binaries from GitHub
- Set up the hosts
  - under the covers, this fires up some Calico containers to do the work
  - these automatically download the main Calico code
- Start up containers as usual, with a new “CALICO_IP” argument
- Use a command line tool (or RESTful API) to configure groups and security
RESOURCES
- Main project website: www.projectcalico.org
- GitHub
  - https://github.com/Metaswitch/calico-docker
  - https://github.com/Metaswitch/calico
- Mailing list: http://lists.projectcalico.org/listinfo/calico
- Download and try it out
- We welcome your feedback and contributions
