container networking
play

Container Networking Gaetano Borgione Gaetano Borgione Sr. Staff - PowerPoint PPT Presentation

Feb 01, 2023 •95 likes •680 views

Container Networking Gaetano Borgione Gaetano Borgione Sr. Staff Engineer @ VMware Sr. Staff Engineer Gaetano Borgione Senior Staff Engineer Cloud Native Applications VMWare SDN Technologies @ PLUMgrid Data Center Networking @ Cisco

  1. Container Networking Gaetano Borgione Gaetano Borgione Sr. Staff Engineer @ VMware Sr. Staff Engineer

  2. Gaetano Borgione Senior Staff Engineer Cloud Native Applications VMWare SDN Technologies @ PLUMgrid Data Center Networking @ Cisco Passionate Engineer with special interests on: Networking Architecture Engineering Leadership Product Management Customer Advocacy + …new Networking / Virtualization ideas !!!

  3. Agenda

  4. Agenda § Containers, Microservices § Container Interfaces, Network Connectivity § Service Discovery, Load Balancing § Multi-Tenancy, Container Isolation, Micro-Segmentation § On-Premise Private Cloud design 4 2017

  5. Containers && Microservices

  6. Containers • A container image is a lightweight, stand-alone, executable unit of software • Includes everything needed to run it: code, runtime, system tools, system libraries, settings • Containerized software run regardless of the environment (i.e. Host OS distro) • Containers isolate software from its surroundings – “smooth out” differences between development and staging environments • Help reduce conflicts between teams running different software on the same infrastructure What Developers Want: What IT Ops Needs: + Security Consistent Network Data Rich Portable Fast Light Isolation Management Services Persistence SLAs 6 2017

  7. Containers “at-a-glance” Abstraction at the OS layer rather than hardware layer Containers are isolated , but share OS and (where appropriate) bins/libraries App A App B Bins/Libraries Bins/Libraries App A App B Guest OS Guest OS Bins/Libraries Bins/Libraries VM VM Hypervisor Container Engine Host OS Host OS Server Server Physical Server Physical Server with with VMs Containers 7 2017

  8. Microservices: Application Design is changing !!! Properties of a Microservice ü Small code base ü Easy to scale, deploy and throw away ü Autonomous ü Resilient Benefits of a Microservices Architecture ü A highly resilient, scalable and resource efficient application ü Enables smaller development teams ü Teams free to use the right languages and tools for the job ü Rapid application development 8 2017

  9. Cloud Native Application Applications built using the “Microservices” architecture pattern • Loosely coupled distributed application Application tier is decomposed into multiple web services Web UI Mobile API GW • Datastore Each micro service typically has its own datastore • Packaging Each microservice is typically packaged in a “Container” User mgmt. Payments Inventory image • Teams Typically a team owns one or more Microservices Billing Delivery Notification 9 2017

  10. More on Microservices…. • Microservices != Containers • The idea behind Microservices is to separate functionality into small parts that are created independently, by different teams, and possibly even in very different languages • Microservices communicate with each other using language-agnostic APIs (e.g. REST) • The host for each Microservice could be a VM, but containers are seen are ideal packaging unit to deploy a Microservice => low footprint https://upload.wikimedia.org/wikipedia/commons/9/9b/ Social_Network_Analysis_Visualization.png 2017 10

  11. Challenges of running Microservices… • Service Discovery • Operational Overhead (100s+ of Services !!!) • Distributed System... inherently complex • Service Dependencies – service fan-out – dependency services running “hot” • Traffic / Load each service can handle • Service Health / Fault Tolerance • Auto-Scale 11 2017

  12. Service B Applications and Micro-Services Service B Instance #1 Service B Instance #2 Users accessing services Service B Instance #3 Service A Service A Instance #1 Internet Service C Service A Instance #2 Service C Service A Instance #1 Instance #3 External Network Service C Instance #2 System Administrator 12 2017

  13. Container Interfaces && Network Connectivity

  14. Basics of Container Networking Bare Metal / Virtual Machine Bare Metal / VM Minimalist Networking requirements: • IP Connectivity in Container’s Network • IP Address Management (IPAM) and Network Device Creation • External Connectivity via Host NAT or OS Networking OS Networking Route Advertisement 14 2017

  15. Container Interfaces && Network Connectivity Docker

  16. Docker is a “Shipping Container” for Code 16 2017

  17. Docker: The Container Network Model (CNM) Interfacing Container Host Container Host Container Host Endpoint Backend Container Frontend Container App Container Network Network Network Sandbox Sandbox Sandbox External Network GW Bridge GW Bridge GW Bridge Backend Network Frontend Network • Sandbox – A Sandbox contains the configuration of a container's network stack. This includes management of the container's interfaces, routing table and DNS settings. An implementation of a Sandbox could be a Linux Network Namespace, a FreeBSD Jail or other similar concept. • Endpoint – An Endpoint joins a Sandbox to a Network. An implementation of an Endpoint could be a veth pair, an Open vSwitch internal port or similar • Network – A Network is a group of Endpoints that are able to communicate with each-other directly. An implementation of a Network could be a VXLAN Segment, a Linux bridge, a VLAN, etc. 2017 17

  18. Container Network Model (CNM) • The intention is for CNM (aka libnetwork) to implement and use any kind of networking technology to connect and discover containers • Partitioning, Isolation, and Traffic Segmentation are achieved by dividing network addresses • CNM does not specify one preferred methodology for any network overlay scheme 18 2017

  19. Docker networking – Using the defaults Docker Host (VM) Linux 192.168.178.0/24 Bridge ‘docker0’ int Iptables container Firewall Iptables veth0f00eed Firewall int docker 0 int 172.17.0.2/16 eth0 int container 172.17.42.1/16 veth27e6b05 192.168.178.100 Iptables Firewall 172.17.0.1/16 Linux Kernel Routing 2017 19

  20. Docker Swarm && libnetwork – Built-In Overlay model Admin-Clients Each container has two interfaces docker network … • eth0 = Plugs into the overlay Distributed Key-Value • eth1 = Plugs into a local bridge for Store node(s) NAT internet / uplink access nodes write endpoints seen Swarm Master master writes with all their available details into kvs global overlay networks in kvs Nodes create the networks seen in kvs Swarm Node (Docker Host) Swarm Node (Docker Host) as new lx bridges Overlay networks are docker_gwbridge docker_gwbridge User_defined_net implemented with fixed User_defined_net / static MAC to VTEP int int mappings eth0 eth0 Datacenter of public cloud provider Network 2017 20

  21. Docker Networking – key points • Docker adopts the Container Network Model (CNM), providing the following contract between networks and containers: • All containers on the same network can communicate freely with each other • Multiple networks are the way to segment traffic between containers and should be supported by all drivers • Multiple endpoints per container are the way to join a container to multiple networks • An endpoint is added to a network sandbox to provide it with network connectivity • Docker Engine can create overlay networks on a single host. Docker Swarm can create overlay networks that span hosts in the cluster • A container can be assigned an IP on an overlay network. Containers that use the same overlay network can communicate, even if they are running on different hosts • By default, nodes in the swarm encrypt traffic between themselves and other nodes. Connections between nodes are automatically secured through TLS authentication with certificates 21 2017

  22. Container Interfaces && Network Connectivity Kubernetes

  23. Kubernetes Architectural overview Users accessing services Admin-Clients (kubectl, ..) Kubernetes Kubernetes Node (Minion) Nodes Kubelet Kube-Proxy Kubernetes Node (Minion) (Minions) Kubernetes Master Authentication / Authorization APIs Docker engine Pod REST interface Scheduling Control Pod Pod (pods, services, actuator rep. controllers) cadvisor Pause skyDNS Controller Manager scheduler (replication controller, etc) Distributed Key-Value Store Master components are colocated or node(s) (etcd) spread across machines 2017 23

  24. Quick Overview of Kubernetes Kubernetes (k8s) = Open Source Container Cluster Manager • Pods: tightly coupled group of containers • Replication controller: ensures that a specified number of pod "replicas" are running at any one time. • Networking: Each pod gets its own IP address • Service: Load balanced endpoint for a set of pods with internal and external IP endpoints • Service Discovery : Using env variable injection or SkyDNS with the Service • Uses etcd as distributed key-value store • Has its roots in ‘borg’, Google’s internal container cluster management 2017 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Simplify Container Networking With iCAN Huawei Cloud Network Lab Container Network Defined By

Simplify Container Networking With iCAN Huawei Cloud Network Lab Container Network Defined By

Simplify Container Networking With iCAN Huawei Cloud Network Lab Container Network Defined By Application 2 What we face today Automation Deployment and Orchestration: Automate deploy resource for application based on Application SLA

561 views • 18 slides
Networking approaches in a Container World Who we are Flavio Castelli Neil Jerram Antoni

Networking approaches in a Container World Who we are Flavio Castelli Neil Jerram Antoni

Networking approaches in a Container World Who we are Flavio Castelli Neil Jerram Antoni Segura Puimedon Engineering Manager Senior Sw. Engineer Principal Sw. Engineer Disclaimer There a many container engines, well focus on Docker

489 views • 36 slides
Scalable VM and Container Networking using /32bit subnets and BGP routing Andrew Yongjoon Kong 2

Scalable VM and Container Networking using /32bit subnets and BGP routing Andrew Yongjoon Kong 2

L.T.H. Scalable VM and Container Networking using /32bit subnets and BGP routing Andrew Yongjoon Kong 2 nd largest search and portal The Peaceful operation When were running out of resources ( cpu, memory, disk ), Just add new( or

628 views • 33 slides
DISASTER RELIEF CENTER 2x Accommodation Container 2x Sanitary Container 1x

DISASTER RELIEF CENTER 2x Accommodation Container 2x Sanitary Container 1x

DISASTER RELIEF CENTER 2x Accommodation Container 2x Sanitary Container 1x Galley Container 1x Medical Container 1x Feed Water Container 1x Water Treatment Container 2x Generator Container 1x

569 views • 8 slides
Secure Kubernetes Container Workloads with Production-Grade Networking Cynthia Thomas Irena

Secure Kubernetes Container Workloads with Production-Grade Networking Cynthia Thomas Irena

Secure Kubernetes Container Workloads with Production-Grade Networking Cynthia Thomas Irena Berezovsky Tim Hockin CIA IT operations have top secret apps for their agents, most of which require isolation Antoni is in Ops and wants to help CIA

458 views • 31 slides
eBPF Based Container Networking A Network Performance Comparison Nick de Bruijn July 4, 2017

eBPF Based Container Networking A Network Performance Comparison Nick de Bruijn July 4, 2017

eBPF Based Container Networking A Network Performance Comparison Nick de Bruijn July 4, 2017 University of Amsterdam Introduction Figure 1: Microservices and Containers 1 1

309 views • 30 slides
Container Library and FUSE Container File System Softwarepraktikum f ur Fortgeschrittene

Container Library and FUSE Container File System Softwarepraktikum f ur Fortgeschrittene

Introduction Container Library Container Tools FUSE Container File System Evaluation Container Library and FUSE Container File System Softwarepraktikum f ur Fortgeschrittene Michael Kuhn Parallele und Verteilte Systeme Institut f ur

353 views • 22 slides
Container Deposits The story so far, and why doesn t everyone do this? Container Deposit

Container Deposits The story so far, and why doesn t everyone do this? Container Deposit

Plastic Bags Ban and Container Deposits The story so far, and why doesn t everyone do this? Container Deposit Legislation Remember 1975? Source: Adelaide Now Adelaide Oval Cricket test 1973 Football Grand Final 1973Adelaide Cans

658 views • 18 slides
The NSX Terraform Provider The NSX Terraform provider gives the NSX administrator a way to

The NSX Terraform Provider The NSX Terraform provider gives the NSX administrator a way to

The NSX Terraform Provider The NSX Terraform provider gives the NSX administrator a way to automate NSX to provide virtualized networking and security services using both ESXi and KVM based hypervisor hosts as well as container networking and

1.68k views • 150 slides
A Series Of Unfortunate Container Events Netflixs container platform lessons learned About the

A Series Of Unfortunate Container Events Netflixs container platform lessons learned About the

A Series Of Unfortunate Container Events Netflixs container platform lessons learned About the speakers and team Follow along - @sargun @tomaszbak_ca @fabiokung @aspyker @amit_joshee @anwleung 2 Netflixs container management platform

808 views • 44 slides
Using Your Network 10-07-16 Networking & You What is networking? Benefits of

Using Your Network 10-07-16 Networking & You What is networking? Benefits of

Jordan Borrell Networking & Bioengineering Program Using Your Network 10-07-16 Networking & You What is networking? Benefits of networking. Who do I network with? Family/Friends/Neighbors School Connections

395 views • 14 slides
Kubernetes networking with Calico Hemanth Nakkina, Solution Architect, Ericsson Abhijeet Singh,

Kubernetes networking with Calico Hemanth Nakkina, Solution Architect, Ericsson Abhijeet Singh,

Kubernetes networking with Calico Hemanth Nakkina, Solution Architect, Ericsson Abhijeet Singh, Director, AT&T Uday T Kumar, Solution Architect, Ericsson There is no such thing as Container Networking Kelsey Hightower,

928 views • 9 slides
our container journey @beshippable shippable.com our container journey containers can

our container journey @beshippable shippable.com our container journey containers can

our container journey @beshippable shippable.com our container journey containers can make us way more efficient containers can save us money on hosting containers sound interesting company founded in 2013

848 views • 30 slides
Mini-Bulk/IBC Pesticide Container Collection Program EPA Sponsored California San Joaquin Valley

Mini-Bulk/IBC Pesticide Container Collection Program EPA Sponsored California San Joaquin Valley

Mini-Bulk/IBC Pesticide Container Collection Program EPA Sponsored California San Joaquin Valley Jim Bise Director of Sales Myers Container/CMS jbise@myerscontainer.com 1 Myers Container Myers Container Myers Container, LLC has been

635 views • 8 slides
Networking Don Porter CSE 506 Networking (2 parts) Goals: Review networking basics

Networking Don Porter CSE 506 Networking (2 parts) Goals: Review networking basics

Networking Don Porter CSE 506 Networking (2 parts) Goals: Review networking basics Discuss APIs Trace how a packet gets from the network device to the application (and back) Understand Receive livelock and NAPI 4

761 views • 48 slides
Welcome to EUROGATE Container Terminal Limassol Ltd. AGENDA 1. Introduction: EUROGATE Container

Welcome to EUROGATE Container Terminal Limassol Ltd. AGENDA 1. Introduction: EUROGATE Container

EUROGATE MOVING THE GLOBAL ECONOMY Welcome to EUROGATE Container Terminal Limassol Ltd. AGENDA 1. Introduction: EUROGATE Container Terminal Limassol Ltd. 2. Operational Concept of EUROGATE Container Terminal Limassol Ltd. Changed

1.75k views • 31 slides
Metrics and Best Practices for Host-based Access Control to Ensure System Integrity and

Metrics and Best Practices for Host-based Access Control to Ensure System Integrity and

Metrics and Best Practices for Host-based Access Control to Ensure System Integrity and Availability Urpo Kaila, Marco Passerini and Joni Virtanen CSC Tieteen tietotekniikan keskus Oy CSC IT Center for Science Ltd. Outline

374 views • 35 slides
DUNE Host Lab Responsibilities Stu Fuess / Scientific Computing Division 2019 ICAC 15 October

DUNE Host Lab Responsibilities Stu Fuess / Scientific Computing Division 2019 ICAC 15 October

DUNE Host Lab Responsibilities Stu Fuess / Scientific Computing Division 2019 ICAC 15 October 2019 DISCLAIMER What is presented here is a summary of internal Fermilab discussions Starting point for discussions with the broader

455 views • 16 slides
Wireless Networks L ecture 21: Wireless and the Internet Peter Steenkiste CS and ECE, Carnegie

Wireless Networks L ecture 21: Wireless and the Internet Peter Steenkiste CS and ECE, Carnegie

Wireless Networks L ecture 21: Wireless and the Internet Peter Steenkiste CS and ECE, Carnegie Mellon University Peking University, Summer 2016 1 Peter A. Steenkiste Outline The Internet 102 Wireless and the Internet Mobility:

160 views • 15 slides
Better Bug Reporting with Better Privacy M.Cast ro, M.Cost a, JP . Mart in Present ed by Horat

Better Bug Reporting with Better Privacy M.Cast ro, M.Cost a, JP . Mart in Present ed by Horat

Better Bug Reporting with Better Privacy M.Cast ro, M.Cost a, JP . Mart in Present ed by Horat iu Jula Imagine a crash Report the crash Bug reporting today Stack trace, memory dumps May be insufficient S olution: send path

822 views • 13 slides
Securing IPv6 neighbor discovery and SLAAC in access networks through SDN Daniel Nelle,

Securing IPv6 neighbor discovery and SLAAC in access networks through SDN Daniel Nelle,

Securing IPv6 neighbor discovery and SLAAC in access networks through SDN Daniel Nelle, dnelle@uni-potsdam.de Thomas Scheffler, thomas.scheffler@htw-berlin.de ANRW 2019, Montreal, July 22nd 2019 Outline Security issues in ICMPv6 Stateless

663 views • 21 slides
Network reconnaissance and IDS CS642: Computer Security

Network reconnaissance and IDS CS642: Computer Security

Network reconnaissance and IDS CS642: Computer Security Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu University of

655 views • 43 slides
9/30/2013 Conflict of Interest Statement Behavioral Interventions for Hot 2 Flashes. The

9/30/2013 Conflict of Interest Statement Behavioral Interventions for Hot 2 Flashes. The

9/30/2013 Conflict of Interest Statement Behavioral Interventions for Hot 2 Flashes. The author of this presentation has no financial or commercial conflicts of interest pertinent to this 1 presentation within the last 12 months. GARY R.

409 views • 5 slides
FlexFS: A Flexible Flash File System for MLC NAND Flash Memory Sungjin Lee , Keonsoo Ha, Kangwon

FlexFS: A Flexible Flash File System for MLC NAND Flash Memory Sungjin Lee , Keonsoo Ha, Kangwon

FlexFS: A Flexible Flash File System for MLC NAND Flash Memory Sungjin Lee , Keonsoo Ha, Kangwon Zhang, Jihong Kim, and Junghwan Kim* School of Computer Science and Engineering Seoul National University * Samsung Advanced Institute of Technology

852 views • 53 slides

More recommend