Deep-Dive on Container Networking Architectures - Frans van Rooyen - Dell EMC World 2017
Download as PPTX, PDF1 like1,346 views
The document discusses container networking architectures, focusing on single and multiple host setups. It covers different network types created by Docker, such as bridge, none, and host, as well as user-defined networks and their communication limitations. Additionally, it addresses challenges with overlays and underlay networks, security solutions like Cilium, and orchestration tools such as Kubernetes and DC/OS.
Deep-Dive on Container Networking Architectures - Frans van Rooyen - Dell EMC World 2017
- 1. Deep-Dive on Container Networking Architectures Frans Van Rooyen Infrastructure Architect @jfvanrooyen Adobe
- 2. © Copyright 2017 Dell Inc.2 Agenda Container Networking • Power of Containers • Single Host • Multiple Hosts • What else I should know?
- 3. © Copyright 2017 Dell Inc.3 What’s the problem - Deploying an App My App Quality Engineering Beta Production Repo Apache Glibc
- 4. © Copyright 2017 Dell Inc.4 Deploying a Docker App Quality Engineering Beta Production Docker Repo Docker Server App Docker Server App Docker Server App Docker Server AppApp App App AppApp
- 5. © Copyright 2017 Dell Inc.5 Foundations – Single Host When you install Docker, it creates three networks automatically. Bridge: The bridge network represents the docker0 network present in all Docker installations. Unless you specify otherwise with the docker run --network=<NETWORK> option, the Docker daemon connects containers to this network by default. None: The none network adds a container to a container-specific network stack. That container lacks a network interface. Host: The host network adds a container on the hosts network stack. You’ll find the network configuration inside the container is identical to the host.
- 6. © Copyright 2017 Dell Inc.6 The default Bridge network in detail
- 7. © Copyright 2017 Dell Inc.7 User-defined networks • You can create a new bridge network, overlay network or MACVLAN network. • You can also create a network plugin or remote network written to your own specifications. • You can create multiple networks. • You can add containers to more than one network. Containers can only communicate within networks but not across networks. • A container attached to two networks can communicate with member containers in either network.
- 8. © Copyright 2017 Dell Inc.8 What happens when we do this on thousands of hosts… Not Simple: Lots of manual configuration per host Not Scalable: Hard to keep track off and maintain Not Secure: No ability to define policies
- 9. © Copyright 2017 Dell Inc.9 Overlay • Overlays use networking tunnels to deliver communication across hosts • This allows containers to behave as if they are on the same machine by tunneling network subnets from one host to the next; in essence, spanning one network across multiple hosts • Many tunneling technologies exist, such as virtual extensible local area network (VXLAN)
- 10. © Copyright 2017 Dell Inc.10 Issues with Overlays Not Simple: Complex to deploy and operate Limited Scalable: Limitations on controllers Performance: Extra hot because of encapsulation
- 11. © Copyright 2017 Dell Inc.11 Underlay Underlay network drivers expose host interfaces (i.e., the physical network interface at eth0) directly to containers or VMs running on the host. MACvlan Ipvlan Direct Routing Fan Networking Point-to-Point
- 12. © Copyright 2017 Dell Inc.12 Direct Routing Simple: L3 + BGP FTW Scalable: BGP? Performance: NO L2! Secure: Policy based routing
- 13. © Copyright 2017 Dell Inc.13 Public Services? (Service Discovery) New service comes up at random port How do we get to it programmatically? Tools used to do this: Etcd Consul Zookeeper
- 14. © Copyright 2017 Dell Inc.14 Load Balancing in a Micro-service World Internal HAProxy Ngnix Marathon-LB External AVI
- 15. © Copyright 2017 Dell Inc.15 Security for Containers • Cilium is open source software for providing and transparently securing the network connectivity between application services deployed using Linux container management platforms like Docker and Kubernetes. • At the foundation of Cilium is a new Linux kernel technology called eBPF, which enables the dynamic insertion of BPF bytecode into the Linux kernel. Cilium generates individual BPF programs for each container to provide networking, security and visibility.
- 16. © Copyright 2017 Dell Inc.16 A word about Orchestrators DC/OS, K8S, Swarm
- 17. © Copyright 2017 Dell Inc.17 Adobe Use Case – Project Ethos Developer Build and Deploy AWS Azure Private CoreOS CoreOS CoreOS Infrastructure Service Discovery LB Consumer QE ClusterDev Cluster Prod Cluster Platform
Editor's Notes
- #13: Uses BGP to distribute routes for every network — specifically to that workload using a /32 — which allows it to seamlessly integrate with existing data center infrastructure without the need for overlays. Without the overhead of overlays or encapsulation, the result is networking with exceptional performance and scale. Routable IP addresses for containers expose the IP address to the rest of the world; hence, ports are inherently exposed to the outside world. Network engineers trained and accustomed to deploying, diagnosing and operating networks using routing protocols may find direct routing easier to digest. However, it’s worth noting that Calico doesn’t support overlapping IP addresses.
- #14: The basic idea behind service discovery is that any new instance of an application should be able to programmatically identify the details of its current environment. This is required in order for the new instance to be able to "plug in" to the existing application environment without manual intervention. Service discovery tools are generally implemented as a globally accessible registry that stores information about the instances or services that are currently operating. Most of the time, in order to make this configuration fault tolerant and scalable, the registry is distributed among the available hosts in the infrastructure.