mesos networking with project calico
play

Mesos Networking with Project Calico Ed Harrison and Neil Jerram - PowerPoint PPT Presentation

Nov 23, 2022 •35 likes •285 views

Mesos Networking with Project Calico Ed Harrison and Neil Jerram Christos Kozyrakis, Spike Curtis, Kapil Arya, Dan Osborne, Connor Doyle, Niklas Nielsen, Tarak Parekh, Alex Pollitt The State of Mesos Networking Containers share the slave

  1. Mesos Networking with Project Calico Ed Harrison and Neil Jerram Christos Kozyrakis, Spike Curtis, Kapil Arya, Dan Osborne, Connor Doyle, Niklas Nielsen, Tarak Parekh, Alex Pollitt

  2. The State of Mesos Networking Containers share the slave agent’s IP address Containers can use any port on the agent Service discovery using per-agent proxies localhost:8888 on any agent redirects to a specific service

  3. This was OK Initially For clusters where – a single framework manages all services – there are only a few, long-running services – there is a single version of each service

  4. But it’s Problematic Now For clusters where – services are launched by tens of frameworks – there are thousands of services with high churn – multiple version of each service prod/test/dev, US/EMEA/Asia , …

  5. Problem #1: Port Conflicts If two apps want to use same port on an agent one fails to start Alternative: port isolator enforces non-overlapping port ranges  service discovery problem for the app that does not get standard port Alternative: bridged networking  service discovery problem for the app behind the bridge

  6. Problem #2: No Isolation How do we stop a test app from connecting with a prod app? How we isolate different users, services, or divisions? How do we stop DoS attacks within the cluster?

  7. Problem #3: Service Discovery How do multiple frameworks manage proxy settings? How do clients know which version of a service is at each port? Do we update the proxies in 10K agents every time a service starts?

  8. This makes no sense…

  9. Mesos Networking Redux Per-container IP addresses Routable within and, if needed, outside the cluster No port conflicts Network isolation Based on coarse-grain or fine-grain security policies DNS-based service discovery Discovery using hostnames (A & SRV records, HTTP interface)

  10. Implementation One feature set, many pluggable implementations Different network virtualization technologies (L2 or L3) Different IP address management schemes Different DNS servers First implementation based on Project Calico L3-based network virtualization & isolation Simple, scalable, open-source

  12. Build the DC network like the Internet Service Service Service Service Service Service Service Service IP IP IP IP IP IP IP IP Router Router BGP BGP Router

  13. Build the DC network like the Internet Service Service Service Service Service Service Service Service IP IP IP IP IP IP IP IP Router Router Mesos Agent Mesos Agent BGP BGP Router

  14. Calico Data Plane Linux Kernel Routing (you already have this!) 10.0.0.1 default via 192.168.0.1 dev eth0 192.168.0.0/24 dev eth0 src 10.0.2.15 eth0 cali34 10.0.0.1/32 dev cali34 scope global 10.0.0.2/32 dev cali89 scope global 10.0.1.40/32 via 192.168.0.29 dev eth0 10.0.2.53/32 via 192.168.0.131 dev eth0 Executor Namespace eth0 IP 192.168.0.45 10.0.0.2 Containers on Containers on eth0 cali89 this agent other agents Executor Namespace Root Namespace Mesos Agent veth pair (kernel version 2.6.24+)

  15. Calico Data Plane Linux Kernel Filtering (iptables) (you already have this!) 10.0.0.1 Per-container distributed eth0 cali34 firewall Executor Namespace eth0 IP 192.168.0.45 10.0.0.2 eth0 cali89 Executor Namespace Root Namespace Mesos Agent

  16. Calico Control Plane 10.0.0.1 Route eth0 cali34 Reflector BGP Client Executor Namespace eth0 IP 192.168.0.45 10.0.0.2 eth0 cali89 Felix Executor Namespace Root Namespace Mesos Agent

  17. Mesos – Calico Integration NetworkInfo protobuf Networking isolator Calico IP address management – IPAM (plug-in) Calico network virtualizer (plug-in) Master cleanup module

  18. Networking Workflow Framework Master Agent Plug-in (Calico) Launch task (NetworkInfo) Launch task (NetworkInfo) IPAM Get IP Task update (NetworkInfo) Update Isolate (IP, policy) task state Network Task update (NetworkInfo) virtualizer Isolator module Cleanup module Mesos module Network plug-in

  19. NetworkInfo protobuf message NetworkInfo { enum Protocol { IPv4 = 1; IPv6 = 2; } optional Protocol protocol = 1; // Requested IP or assigned IP (on task update) optional string ip_address = 2; // Network isolation group. repeated string groups = 3; // To tag certain metadata to be used by Isolator/IPAM, e.g., rack, etc. optional Labels labels = 4; };

  20. Mesos-DNS ① Watch ZK for master changes Mesos Mesos Master DNS ② Pull task state Generate DNS records ③ DNS & HTTP based discovery … Agent Agent Agent Agent Agent nginx_prod.marathon.mesos  10.13.17.95 _nginx_prod._tcp.marathon.mesos  10.13.17.95:8181

  21. Networking Demo Mesos cluster with 2 slaves agents Launching 4 probe tasks Each probe listens to port 9000 Each probe tries to reach all other probes We want all 4 to launch successfully (no port conflicts) We want to isolate them into two groups of 2 probes

  22. Networking Demo

  23. Roadmap Code release (Mesos 0.25) Integration with Mesosphere DCOS Interfaces for coarse-grain and fine-grain isolation policies Other plug-in implementations Flexible task naming in Mesos-DNS Network QoS

  24. Summary Mesos networking features Per-container IP addresses DNS-based service discovery Network isolation 1 st implementation using Project Calico Try it and contribute!

  25. References https://mesosphere.com/ http://www.projectcalico.org/ https://github.com/mesosphere/net-modules https://github.com/mesosphere/mesos-dns

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Calico Networking with eBPF Shaun Crampton, Core Developer for Project Calico Chris Hoge,

Calico Networking with eBPF Shaun Crampton, Core Developer for Project Calico Chris Hoge,

Calico Networking with eBPF Shaun Crampton, Core Developer for Project Calico Chris Hoge, Developer Advocate for Project Calico What prompted the team to add another dataplane to Calico? Calicos Pluggable Dataplane What is eBPF?

312 views • 20 slides
Kubernetes networking with Calico Hemanth Nakkina, Solution Architect, Ericsson Abhijeet Singh,

Kubernetes networking with Calico Hemanth Nakkina, Solution Architect, Ericsson Abhijeet Singh,

Kubernetes networking with Calico Hemanth Nakkina, Solution Architect, Ericsson Abhijeet Singh, Director, AT&T Uday T Kumar, Solution Architect, Ericsson There is no such thing as Container Networking Kelsey Hightower,

928 views • 9 slides
Fault Domains in Mesos Vinod Kone (vinodkone@apache.org) About me Apache Mesos PMC and

Fault Domains in Mesos Vinod Kone (vinodkone@apache.org) About me Apache Mesos PMC and

Fault Domains in Mesos Vinod Kone (vinodkone@apache.org) About me Apache Mesos PMC and Committer Engineering Manager for Mesos team @ Mesosphere Previously Tech Lead for Mesos team @ Twitter PhD in Computer Science @

429 views • 24 slides
APACHE COTTON MySQL on Mesos Yan Xu xujyan 1 SHORT HISTORY Mesos: cornerstone of

APACHE COTTON MySQL on Mesos Yan Xu xujyan 1 SHORT HISTORY Mesos: cornerstone of

APACHE COTTON MySQL on Mesos Yan Xu xujyan 1 SHORT HISTORY Mesos: cornerstone of Twitters compute platform. MySQL: backbone of Twitters data platform. Mysos: started as a hackweek project @twitter. Apache Cotton:

686 views • 35 slides
MESOS & CONTAINERS Overview of Mesos containerization and upcoming filesystem isolation

MESOS & CONTAINERS Overview of Mesos containerization and upcoming filesystem isolation

MESOS & CONTAINERS Overview of Mesos containerization and upcoming filesystem isolation support (a.k.a the docker like thing) Yan Xu xujyan WHAT IS A CONTAINER Loosely defined: a lightweight VM / OS-level virtualization /

620 views • 34 slides
Secrets Management in Mesos Vinod Kone ( vinodkone@apache.org ) MesosCon EU 2017 About me

Secrets Management in Mesos Vinod Kone ( vinodkone@apache.org ) MesosCon EU 2017 About me

Secrets Management in Mesos Vinod Kone ( vinodkone@apache.org ) MesosCon EU 2017 About me Apache Mesos PMC and Committer Engineering Manager for Mesos team @ Mesosphere Previously Tech Lead for Mesos team @ Twitter PhD in

397 views • 27 slides
CS 744: MESOS Shivaram Venkataraman Fall 2020 ADMINISTRIVIA - Assignment 1: How did it go? -

CS 744: MESOS Shivaram Venkataraman Fall 2020 ADMINISTRIVIA - Assignment 1: How did it go? -

CS 744: MESOS Shivaram Venkataraman Fall 2020 ADMINISTRIVIA - Assignment 1: How did it go? - Assignment 2 out tonight - Project details - Create project groups - Bid for projects/Propose your own - Work on Introduction COURSE FORMAT

935 views • 24 slides
CS 744: MESOS Shivaram Venkataraman Fall 2020 ADMINISTRIVIA lie poll ! fill out -

CS 744: MESOS Shivaram Venkataraman Fall 2020 ADMINISTRIVIA lie poll ! fill out -

! morning good CS 744: MESOS Shivaram Venkataraman Fall 2020 ADMINISTRIVIA lie poll ! fill out - Assignment 1: How did it go? distributed - Assignment 2 out tonight ML - Project details - N 3 students - Create project

753 views • 25 slides
Mesos Go Stateful An Abstraction for frameworks running stateful workload Dhilip & Amit -

Mesos Go Stateful An Abstraction for frameworks running stateful workload Dhilip & Amit -

Mesos Go Stateful An Abstraction for frameworks running stateful workload Dhilip & Amit - PaaS Team, Huawei Contents Why Abstraction Available solution in Kubernetes Available solution in Mesos Mesos Go Stateful Design

492 views • 25 slides
Facebook Networking & the Open Compute Project (OCP) March 16, 2016 - Open Networking Summit

Facebook Networking & the Open Compute Project (OCP) March 16, 2016 - Open Networking Summit

Facebook Networking & the Open Compute Project (OCP) March 16, 2016 - Open Networking Summit Omar Baldonado Facebook Network Team OCP Networking Project Co-Chair Launched Live Video Supports millions of concurrent viewers for a

752 views • 36 slides
Challenges in Optimizing Job Scheduling on Mesos Alex Gaudio Who Am I? Data Scientist and

Challenges in Optimizing Job Scheduling on Mesos Alex Gaudio Who Am I? Data Scientist and

Challenges in Optimizing Job Scheduling on Mesos Alex Gaudio Who Am I? Data Scientist and Engineer at Sailthru Mesos User Creator of Relay.Mesos Who Am I? Data Scientist and Engineer at Sailthru Distributed Computation

1.67k views • 137 slides
M E S O S H T T P A P I @ v i n o d k o n e @ i j i m e n e Mesos 1.0 IS COMING M E S O S A

M E S O S H T T P A P I @ v i n o d k o n e @ i j i m e n e Mesos 1.0 IS COMING M E S O S A

M E S O S H T T P A P I @ v i n o d k o n e @ i j i m e n e Mesos 1.0 IS COMING M E S O S A P I S Scheduler API Executor API Internal API S l a v e S c h e d u l e r M a s t e r E x e c u t o r Operator API D E P E N D E N C E O N

481 views • 34 slides
Nvidia GPU Support on Mesos: Bridging Mesos Containerizer and Docker Containerizer MesosCon Asia

Nvidia GPU Support on Mesos: Bridging Mesos Containerizer and Docker Containerizer MesosCon Asia

Nvidia GPU Support on Mesos: Bridging Mesos Containerizer and Docker Containerizer MesosCon Asia - 2016 Yubo Li Research Stuff Member, IBM Research - China Email: liyubobj@cn.ibm.com 1 Dr. Yubo Li is a Researcher Stuff Member at IBM

486 views • 35 slides
Docker & Mesos/Marathon in production at OVH Balthazar Rouberol https://ovh.to/6bRrkAn 1

Docker & Mesos/Marathon in production at OVH Balthazar Rouberol https://ovh.to/6bRrkAn 1

Docker & Mesos/Marathon in production at OVH Balthazar Rouberol https://ovh.to/6bRrkAn 1 About Docker at OVH 2014-2015: Home-made container orchestrator, Sailabove, based on LXC 2016: Switch to Docker & Mesos/Marathon 6

487 views • 19 slides
Serenity MESOS OVERSUBSCRIPTION MODULE Szymon Konefa SOFTWARE ENGINEER INTEL CORPORATION

Serenity MESOS OVERSUBSCRIPTION MODULE Szymon Konefa SOFTWARE ENGINEER INTEL CORPORATION

Serenity MESOS OVERSUBSCRIPTION MODULE Szymon Konefa SOFTWARE ENGINEER INTEL CORPORATION Agenda Oversubscription Basics Oversubscription in Mesos Serenity Architecture Next steps for Serenity & Mesos Oversubscription

626 views • 24 slides
An introduction to the Mesos Framework Zoo Benjamin Bannier Benjamin Bannier

An introduction to the Mesos Framework Zoo Benjamin Bannier Benjamin Bannier

An introduction to the Mesos Framework Zoo Benjamin Bannier Benjamin Bannier benjamin.bannier@mesosphere.io Software engineer at Mesosphere working on Mesos Distributed columnar databases at ParStream (now Cisco ParStream) Experimental High

755 views • 32 slides
Inductive Analysis of the Internet Protocol TLS Lawrence C. Paulson Computer Laboratory

Inductive Analysis of the Internet Protocol TLS Lawrence C. Paulson Computer Laboratory

Inductive Analysis of TLS 1 L. C. Paulson Inductive Analysis of the Internet Protocol TLS Lawrence C. Paulson Computer Laboratory University of Cambridge Inductive Analysis of TLS 2 L. C. Paulson TLS: An Internet

725 views • 15 slides
The Flexlab Approach To Realistic Evaluation of Networked Systems Robert Ricci, Jonathon Duerig,

The Flexlab Approach To Realistic Evaluation of Networked Systems Robert Ricci, Jonathon Duerig,

The Flexlab Approach To Realistic Evaluation of Networked Systems Robert Ricci, Jonathon Duerig, Pramod Sanaga, Daniel Gebhardt, Mike Hibler, Kevin Atkinson, Junxing Zhang, Sneha Kasera, and Jay Lepreau NSDI 2007 April 12, Cambridge, MA

1.08k views • 68 slides
Dhruv Batra Long-term Goal Physical agent Is there smoke in any room capable of taking around

Dhruv Batra Long-term Goal Physical agent Is there smoke in any room capable of taking around

Habitat: A Platform for Embodied AI Research Dhruv Batra Long-term Goal Physical agent Is there smoke in any room capable of taking around you? actions in the world and talking to humans Yes, in one room in natural language Go there and

1.72k views • 158 slides
DJ-MC: A Reinforcement Learning Agent for Music Playlist Recommendation Elad Liebman Maytal

DJ-MC: A Reinforcement Learning Agent for Music Playlist Recommendation Elad Liebman Maytal

DJ-MC: A Reinforcement Learning Agent for Music Playlist Recommendation Elad Liebman Maytal Saar-Tsechansky Peter Stone University of Texas at Austin May 11, 2015 1 / 35 Background & Motivation Many Internet radio services (Pandora,

362 views • 35 slides
Public Goods, Bounded Attention Spans and Equilibrium in the Internet Economy John P. Conley

Public Goods, Bounded Attention Spans and Equilibrium in the Internet Economy John P. Conley

Public Goods, Bounded Attention Spans and Equilibrium in the Internet Economy John P. Conley Vanderbilt University Paul J. Healy Ohio State University SWET14 - Paris - June 2014 1 Introduction The only justification for thinking about

586 views • 43 slides
Outline 1 Organisation Context M oise + 2 Reorganisation Group Phases 3 Programming with

Outline 1 Organisation Context M oise + 2 Reorganisation Group Phases 3 Programming with

Organisation Reorganisation Programming with (re)organisation Programming MAS reorganisation with M oise + ubner 1 Olivier Boissier 2 Jaime S. Sichman 3 Jomi F. H 1 Department of Computer Science University of Blumenau 2 Multi-Agent Systems

659 views • 50 slides
Authorizing network access for IoT devices Mohit Sethi Tuomas Aura Outline Authorizing

Authorizing network access for IoT devices Mohit Sethi Tuomas Aura Outline Authorizing

Authorizing network access for IoT devices Mohit Sethi Tuomas Aura Outline Authorizing local network and Internet access for IoT devices Cloud-managed network-access authoriza=on Bootstrapping security between device and cloud

328 views • 20 slides
SoK: Security Evaluation of Home-based IoT Deployments Omar Alrawi , Chaz Lever, Fabian

SoK: Security Evaluation of Home-based IoT Deployments Omar Alrawi , Chaz Lever, Fabian

SoK: Security Evaluation of Home-based IoT Deployments Omar Alrawi , Chaz Lever, Fabian Monrose, Manos Antonakakis 1 2 Alexa, unlock the front door. 3 Internet of Things 4 Internet of Things 4 Internet of Things 4 Internet of Things

1.12k views • 77 slides

More recommend