Project Kuryr: Here comes advanced services for containers



SLIDE 1

Project Kuryr

Here comes advanced services for containers networking

Mohammad Banikazemi @MBanikazemi Gal Sagie @GalSagie Antoni Segura Puimedon @celebdor

SLIDE 2

Outline

❏ Motivation and Introduction
❏ Current state
❏ Kubernetes
❏ Getting involved
❏ Demo

SLIDE 3
SLIDE 4

Networking as the starting point...

❏ Reinventing networking abstractions
❏ Changing and vendor specific solutions
❏ Hard to connect VMs, bare metal and nested containers
  ❏ No unified networking infrastructure
  ❏ Overlay2 for VM nested containers
    Performance, latency, SLA, management penalties
❏ Lack of isolation and policy level constructs
  ❏ Security
  ❏ 3-Tier Applications

SLIDE 5

Similar Concepts

SLIDE 6

Nested Containers Overlay

SLIDE 7

Mission

The Glue Between Containers Ecosystem and OpenStack

SLIDE 8

Current state

SLIDE 9

Kuryr Project Overview

❏ Part of OpenStack Big-Tent
❏ Connecting Containers with OpenStack Services: Networking (Neutron), Authentication (Keystone) and Storage (Cinder)
❏ Aims to support:
  ❏ Different container Runtimes: docker, rkt, etc
  ❏ Multi-host/Clustered environments: Kubernetes, Mesos, Docker Swarm
❏ Working together with OpenStack community
  ❏ Magnum, Kolla, Neutron, Keystone, Cinder

SLIDE 10

Kuryr Newton contribution

SLIDE 11

Current Supported Features

❏ Keystone v2 and v3 support with multiple plugins
❏ Supports Docker networking (CNM): libnetwork
  ❏ Remote driver
  ❏ IPAM driver
❏ Partial Support for Kubernetes networking (CNI)
❏ Allows use of Security Groups (exposed ports and pod annotation)
❏ Supports use of existing Neutron resources
  ❏ Networks
  ❏ Subnets
  ❏ Load balancers
❏ Supports Docker Swarm*

SLIDE 12

Components

❏ Multiple Repos
  • openstack/kuryr (kuryr-lib)
    ❏ Configuration
    ❏ Binding
    ❏ Library
  • openstack/kuryr-libnetwork
    ❏ Libnetwork remote driver
    ❏ Libnetwork ipam driver
  • openstack/kuryr-kubernetes
    ❏ K8s Watcher
    ❏ CNI plugin

SLIDE 13

Kuryr VIF Binding drivers

❏ Part of Kuryr-lib
❏ Virtual device drivers
  ❏ Veths
  ❏ Ipvlan
  ❏ Macvlan
  ❏ vlan*
❏ Supports ovs, lb, midonet and others
❏ Used by both Docker libnetwork and CNI
❏ To be enhanced to use Oslo versioned objects and os-vif

SLIDE 14

How to Use: Docker Native API

$ docker network create -d kuryr \
    --ipam-driver=kuryr \
    --subnet=10.10.0.0/24 \
    --gateway=10.10.0.1 mynet
08192d75a75a490163ac33434fb2c8a74a7841ad42abb985a1fdc7cde3c92f17

$ docker run -it --net=mynet alpine sh

SLIDE 15

Behind the Scenes: Neutron Network

$ neutron net-list
+--------------------------------------+--------------------+---------------------------------------------------+
| id                                   | name               | subnets                                           |
| a747d101-eefb-4aa2-9575-9c7ad181f8e0 | kuryr-net-08192d75 | 42a8d0c5-687d-4284-ac3e-2db86f5579f6 10.10.0.0/24 |

$ neutron net-show kuryr-net-08192d75
+---------------------------+----------------------------------------------------+
| Field                     | Value                                              |
| id                        | a747d101-eefb-4aa2-9575-9c7ad181f8e0               |
| name                      | kuryr-net-08192d75                                 |
| subnets                   | 42a8d0c5-687d-4284-ac3e-2db86f5579f6               |
| tags                      | kuryr.net.uuid.lh:08192d75a75a490163ac33434fb2c8a7 |
|                           | kuryr.net.uuid.uh:4a7841ad42abb985a1fdc7cde3c92f17 |

❏ network tags: associate Neutron and Docker networks

SLIDE 16

Existing Neutron Networks

$ neutron net-create mynet
$ docker network create -d kuryr \
    --ipam-driver=kuryr \
    --subnet=10.10.0.0/24 \
    --gateway=10.10.0.1 \
    -o neutron.net.name=mynet \
    mynet_d

$ ID=$(neutron net-list | grep mynet \
    | awk '{print $2}')
$ docker network create -d kuryr \
    --ipam-driver=kuryr \
    --subnet=10.10.0.0/24 \
    --gateway=10.10.0.1 \
    -o neutron.net.uuid=$ID mynet_d

SLIDE 17

Existing Neutron Networks (Cont’d)

$ neutron net-show mynet
+---------------------------+----------------------------------------------------+
| Field                     | Value                                              |
+---------------------------+----------------------------------------------------+
| tags                      | kuryr.net.uuid.uh:4ca3f3fc3fc48a8c9cd902ed7508f1cd |
|                           | kuryr.net.uuid.lh:12f769bd2697f2200f27f60753bd5dad |
|                           | kuryr.net.existing                                 |

❏ Neutron tags added to the network
❏ Existing subnet is used if present; otherwise one is created
❏ Neutron network is not deleted upon deletion of Docker network
❏ If using an old release (i.e., Liberty or earlier):
  ❏ Neutron network name is modified
  ❏ Deleting Docker network → deletion of Neutron network if no ports
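The tag scheme in the two `neutron net-show` outputs (slides 15 and 17) can be reversed to find which Docker network a Neutron network belongs to and whether it predates that Docker network. The Python below is an added example, not code from the Kuryr project: the function names are hypothetical, and the `kuryr-net-<first 8 hex chars>` naming rule is an assumption inferred from the sample output.

```python
import re

LH = "kuryr.net.uuid.lh:"        # tag prefix: first 32 hex chars of the Docker network ID
UH = "kuryr.net.uuid.uh:"        # tag prefix: last 32 hex chars
EXISTING = "kuryr.net.existing"  # marks a Neutron network that predates the Docker one


def docker_id_to_tags(docker_net_id):
    """Split a 64-hex Docker network ID into the two tags seen in `neutron net-show`."""
    if not re.fullmatch(r"[0-9a-f]{64}", docker_net_id):
        raise ValueError("expected a 64-character lowercase hex ID")
    return [LH + docker_net_id[:32], UH + docker_net_id[32:]]


def describe_network(name, tags):
    """Map one Neutron network back to its Docker network; None if it has no Kuryr tags."""
    lh = [t[len(LH):] for t in tags if t.startswith(LH)]
    uh = [t[len(UH):] for t in tags if t.startswith(UH)]
    if not lh and not uh:
        return None
    problems = []
    halves_ok = (len(lh) == 1 and len(uh) == 1 and
                 all(re.fullmatch(r"[0-9a-f]{32}", h) for h in lh + uh))
    if not halves_ok:
        problems.append("need exactly one well-formed lh and one uh tag")
    docker_id = lh[0] + uh[0] if halves_ok else None
    # Assumption from the sample output: Kuryr-created networks are named
    # kuryr-net-<first 8 hex chars of the Docker network ID>.
    if docker_id and name.startswith("kuryr-net-") and name[10:] != docker_id[:8]:
        problems.append("name suffix does not match tagged Docker ID")
    return {"docker_id": docker_id,
            "preexisting": EXISTING in tags,
            "problems": problems}


# Tag values copied from the two `neutron net-show` outputs on the slides.
CREATED = describe_network("kuryr-net-08192d75", [
    "kuryr.net.uuid.lh:08192d75a75a490163ac33434fb2c8a7",
    "kuryr.net.uuid.uh:4a7841ad42abb985a1fdc7cde3c92f17"])
REUSED = describe_network("mynet", [
    "kuryr.net.uuid.uh:4ca3f3fc3fc48a8c9cd902ed7508f1cd",
    "kuryr.net.uuid.lh:12f769bd2697f2200f27f60753bd5dad",
    "kuryr.net.existing"])

if __name__ == "__main__":
    for info in (CREATED, REUSED):
        print(info)
```

A network reported with `preexisting` set is one that, per the slide, is left in place when the Docker network is deleted.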

SLIDE 18

Exposed ports and Security Groups

❏ Docker expose supported by Neutron security groups

$ docker run --net=mynet --expose=1234/udp -it alpine sh
$ neutron port-list
+--------------------------------------+-------------------------------------------------+
| id                                   | fixed_ips                                       |
+--------------------------------------+-------------------------------------------------+
| 53f0fbec-67ac-4432-9596-8911b7044c99 | {"subnet_id":                                   |
|                                      | "2b3c390c-a8b2-4036-bb28-7599a6d71d4c",         |
|                                      | "ip_address": "10.10.0.8"}                      |

$ neutron port-show 53f0fbec-67ac-4432-9596-8911b7044c99
+-----------------------+---------------------------------------+
| Field                 | Value                                 |
+-----------------------+---------------------------------------+
| security_groups       | 4062dc96-0601-465c-a577-f4aef58ef99d  |
|                       | e50a0ae3-0d79-4c20-93a7-51dafd9b2311  |

SLIDE 19

Exposed ports (Cont’d)

$ neutron security-group-list
+----------------------------+----------------------------+-----------------------------+
| id                         | name                       | security_group_rules        |
+----------------------------+----------------------------+-----------------------------+
| 4062dc96-0601-465c-a577-f4 | 53f0fbec-67ac-4432-9596-89 | egress, IPv4                |
| aef58ef99d                 | 11b7044c99-exposed_ports   | egress, IPv6                |
|                            |                            | ingress, IPv4, 1234/udp     |
| e50a0ae3-0d79-4c20-93a7-51 | default                    | egress, IPv4                |
| dafd9b2311                 |                            | egress, IPv6                |
|                            |                            | ingress, IPv4,              |
|                            |                            | remote_group_id: e50a0ae3-  |
|                            |                            | 0d79-4c20-93a7-51dafd9b2311 |
|                            |                            | ingress, IPv6,              |
|                            |                            | remote_group_id: e50a0ae3-  |
|                            |                            | 0d79-4c20-93a7-51dafd9b2311 |
+----------------------------+----------------------------+-----------------------------+
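One way to check that the ingress rules attached to a container's Neutron port still match what was passed to `--expose`, as in the outputs above. This is an added example, not Kuryr code: the function names are hypothetical, the `<port-id>-exposed_ports` group name is taken from the sample output, the rule dictionaries use Neutron's security-group-rule field names, and the `DRIFTED` rule set is constructed.

```python
def parse_expose(spec):
    """Parse a Docker --expose value: '1234/udp', '80', '8000-8010/tcp'."""
    ports, _, proto = spec.partition("/")
    lo, _, hi = ports.partition("-")
    lo, hi = int(lo), int(hi or lo)
    proto = proto or "tcp"  # Docker defaults to tcp when no protocol is given
    if proto not in ("tcp", "udp", "sctp") or not 1 <= lo <= hi <= 65535:
        raise ValueError("bad expose spec: %r" % spec)
    return (proto, lo, hi)


def audit_exposed_ports(port_id, exposed, security_groups):
    """Compare ingress rules in '<port_id>-exposed_ports' with the declared exposes."""
    declared = {parse_expose(s) for s in exposed}
    opened = set()
    for sg in security_groups:
        if sg["name"] != port_id + "-exposed_ports":
            continue  # e.g. the tenant's 'default' group is out of scope here
        for rule in sg["rules"]:
            if rule["direction"] != "ingress":
                continue
            # A rule with no protocol or port range admits everything.
            opened.add((rule.get("protocol") or "any",
                        rule.get("port_range_min") or 1,
                        rule.get("port_range_max") or 65535))
    return {"undeclared": sorted(opened - declared),
            "missing": sorted(declared - opened)}


PORT_ID = "53f0fbec-67ac-4432-9596-8911b7044c99"  # port ID from the slide


def _rule(direction, ethertype, protocol=None, lo=None, hi=None):
    return {"direction": direction, "ethertype": ethertype, "protocol": protocol,
            "port_range_min": lo, "port_range_max": hi}


# Rule set mirroring the slide: two egress rules and ingress IPv4 1234/udp.
AS_SHOWN = [{"name": PORT_ID + "-exposed_ports", "rules": [
    _rule("egress", "IPv4"), _rule("egress", "IPv6"),
    _rule("ingress", "IPv4", "udp", 1234, 1234)]}]
# Constructed drift: an ingress tcp/22 rule added to the same group afterwards.
DRIFTED = [{"name": PORT_ID + "-exposed_ports", "rules":
            AS_SHOWN[0]["rules"] + [_rule("ingress", "IPv4", "tcp", 22, 22)]}]

if __name__ == "__main__":
    print(audit_exposed_ports(PORT_ID, ["1234/udp"], AS_SHOWN))
    print(audit_exposed_ports(PORT_ID, ["1234/udp"], DRIFTED))
```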

SLIDE 20

Kubernetes

SLIDE 21

Kubernetes

❏ Container orchestration engine
❏ Implemented in Go
❏ Thriving multi vendor community
❏ Main components
  ❏ API server
  ❏ Scheduler
  ❏ Kubelet
  ❏ Controller manager
  ❏ Etcd datastore
❏ Pluggable networking with Container Networking Interface

SLIDE 22

Kubernetes Integration

❏ Deployment options
  ❏ Kuryr watcher on the project instances
  ❏ Kuryr watcher on admin/tenant machine
❏ Kuryr CNI plugin only communicates with K8s API
  ❏ Kubelet already has a channel to the API
  ❏ Uses kuryr-lib for binding to the correct Neutron port
❏ Kuryr watcher updates API servers
  ❏ Neutron to create the resources for the Kubernetes deployment
  ❏ Kubernetes resource annotations to place Neutron resource info

SLIDE 23

Kubernetes components

❏ Kubelet configured with Kuryr CNI
❏ The watcher reads k8s resource event streams
❏ Events can have multiple handlers
❏ Multiple Watchers for HA*

SLIDE 24

Kubernetes Services

SLIDE 25

Kubernetes Services

SLIDE 26

VM Nested Containers and Magnum

❏ Will support net modes:
  ❏ Ipvlan
  ❏ Macvlan
  ❏ Trunk / subport
❏ If Neutron is routable from controller VM, watcher can go there
❏ CNI only needs to talk to k8s API
❏ Depending on vendor, lbaas will need a node with Octavia

SLIDE 27

Getting involved

SLIDE 28

Packaging

❏ Automated container builds at https://hub.docker.com/r/kuryr/
  ❏ libnetwork
  ❏ watcher
  ❏ kubelet
❏ Kolla Integration
❏ Distribution packaging with systemd unit files
  ❏ Debian
  ❏ RDO

SLIDE 29

Kuryr Roadmap

❏ Ocata cycle
  ❏ Kubernetes integration
  ❏ HA
  ❏ Multitenancy
  ❏ Policy support using security groups
  ❏ Nested containers and Magnum integration
  ❏ Oslo Versioned Objects binding interface
  ❏ Kuryr-Kubernetes release
  ❏ Kuryr-lib 1.0.0
  ❏ Kuryr-libnetwork 1.0.0

SLIDE 30

Kuryr and Storage

❏ Kuryr as incubator for bringing native OpenStack services to containers
  ❏ Cinder
  ❏ Manila
  ❏ Swift
  ❏ Freezer

SLIDE 31

Kuryr work sessions

Thursday 27th, Friday 28th

9:00 - 9:40     K8s services
9:50 - 10:30    K8s HA
11:00 - 11:40   Kolla and containers
11:50 - 12:30   Storage - Cinder
13:50 - 14:30   Kuryr - Magnum
16:40 - 17:30   Container-in-VM
17:30 - 18:10   Multitenancy

SLIDE 32

Join us! Be the Kuryr!

❏ Project Launchpad
  ❏ https://launchpad.net/kuryr
❏ Project Git Repository
  ❏ https://github.com/openstack/kuryr
❏ Weekly IRC Meeting
  ❏ http://eavesdrop.openstack.org/#Kuryr_Project_Meeting
❏ IRC
  ❏ #openstack-kuryr @ Freenode
❏ Mailing List
  ❏ openstack-dev@lists.openstack.org ([Kuryr])

SLIDE 33

Join us! Be the Kuryr!

❏ Documentation
  ❏ http://docs.openstack.org/developer/kuryr
❏ Getting Started Blog posts
  ❏ http://galsagie.github.io/sdn/openstack/docker/kuryr/neutron/2015/08/24/kuryr-part1/
  ❏ http://galsagie.github.io/sdn/openstack/docker/kuryr/neutron/2015/10/10/kuryr-ovn/
  ❏ https://mbanikazemi.com/2016/01/07/docker-swarm-and-kuryr/

SLIDE 34

Demo