enabling production grade containerized applications through policy based infrastructure
TRANSCRIPT
1© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Enabling Production-Grade Container Applications
Balaji Sivasubramanian, Director, Product, Cisco
Agenda
• Requirements for Production Deployment
• Contiv – Open Source Solution
• Cloud Native Strategy
Requirements for Production Grade Container Applications
Deploying Containerized Applications on Shared Infrastructure is Best Effort
[Photo: Meskel Square, source: Reddit.com]
The Status Quo
• Variety of Applications: dev, test, production, secure, high performance storage, lower latency, higher performance
• But No Policy: No Rules, No Governance, No Enforcement, Best Effort

Many Requirements Exist for Production Containerized Application Deployment
Differentiated Application Performance
Three containers on one shared infrastructure, with their requirements for network, security, compute and storage performance:
• CONTAINER 1 – Production App: Network High, Security High, Storage Stateless/None
• CONTAINER 2 – Development: Network Minimum, Security Medium, Compute Low, Storage Stateless/None
• CONTAINER 3 – Production DB: Network High, Security High, Compute High, Storage Stateful (1M IOPS/sec)
Ability to Differentiate Between Applications in a Shared Infrastructure
Predictable Performance - No Noisy Neighbor
[Chart: bandwidth share of Developer, Production and Low Priority Network traffic]
Application Performance Needs to be Ensured Throughout the Life of Application
Mixed Mode Applications (External Connectivity)
[Diagram: Web, App and DB tiers spanning containers, VMs and bare metal, with policy applied across them]
Application Level Policy and Monitoring for Overall Application is Required
Flexible Connectivity To Place Containers Anywhere
Native Connectivity
• Infra Policy: [ Bridged | Routed ]
• VLAN | IP (BGP) Handoff to Access Node
• Use Case: Private Cloud
Overlay Connectivity
• Infra Policy: [ Overlay ] [ Bridge | Routed ]
• Overlays for Inter-container Traffic
• Use Case: Private Cloud, Public Cloud
[Diagram: APP1 … APP4 on Host-1 … Host-n for each connectivity mode]
Any Network Topology & Container Visibility Across Physical Network
Scalable Secure Microservices Deployments
Micro-Services isolated within the Network (Web Group, App Group, DB Group)
1. Allow grouping of containers/pods
2. Specify Policies between groups or from outside the network
Ability to Provide Granular Microservice Security in a Scalable Way
Applications with Varied Storage Performance Requirement
Ability to Manage and Connect Various Types of Backend Storage
Storage performance by backend:
• SSD: High (100K IOPS/sec)
• HDD: Low (<10K IOPS/sec)
• NVMe: Very High (1M IOPS/sec)
Persistent Distributed Storage for Stateful Applications
[Diagram: CONTAINER 1, 2 and 3 each mounting a volume (-v: volume …) backed by a distributed Ceph cluster over SSD, FLASH and NAS]
Ability to Flexibly Schedule Stateful Containers on Any Node
Multi-Tenancy – Separation of Policy/Network
[Diagram: Tenant 1, Tenant 2 and Tenant 3 each using the overlapping range 10.1.1.0/24]
Ability to Support Many Secure Tenants with Individual Policies or Overlapping IP
Automated Cluster–Node Lifecycle Management
[Diagram: a management station controlling several Docker OS nodes]
Ability to Automatically Bring Up a Cluster from Power-on and Manage It
Telemetry and Monitoring
[Diagram: Live Application Connectivity Graph showing Svc1 Web, Svc1 App, Svc1 Db, Svc2 Web and Svc3 Ux]
Ability to Troubleshoot Microservice Application
Production Ready Micro Services Deployments
• Automated Cluster Management
• Differentiated performance – prioritization, resource guarantees etc.
• Flexible connectivity between microservices
• Network Isolation and Security for Application Groups
• Mixed mode applications (integrate with non-container workloads/network)
• Storage – Differentiated performance and Persistency
• Telemetry & Monitoring
• Delivered in an automated, scalable and consistent/reliable fashion
Project Contiv – Open Source Solution – Policies for Infrastructure
Contiv Enables Running Containerized Apps in Production Mode in a Shared Infrastructure
[Diagram: Application Intent and Operational Intent applied across Network, Compute and Storage]
Contiv is an Open Source Solution to Define and Enforce Distributed Policies Across Infrastructure
Application Intent with Operation Intent

Docker Compose (application intent):

  version: '2'
  services:
    web:
      build: .
      label:
        - tier: web
      volumes:
        - .:/code
      networks:
        - front-tier
        - back-tier
    db:
      image: mysql

Ops Intent:

  web:
    environment: prod
    networks:
      security:
        - allow ports: 5000, 443
      bandwidth: 5gbps
      lb selector:
        - tier: web
  db:
    networks:
      security: allow ports: 3306 from web
    volumes:
      pool: SSD
      IOPS: 10000

Operation Intent Provides Operational Requirements and Policies for Applications
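As an added illustration (not Contiv's code, and not the ops-intent schema shown on the slide), the following Python models what enforcing that intent means: a default-deny, group-based allow-list in which web accepts 5000/443 from outside and db accepts 3306 only from web, evaluated per tenant so that the overlapping 10.1.1.0/24 ranges from the multi-tenancy slide never collide. The group names, addresses and the TenantPolicy class are constructed for this example.

```python
# Constructed example: default-deny, group-based policy evaluator mirroring the
# slide's ops intent. Hypothetical model, not Contiv's API.
from dataclasses import dataclass, field

EXTERNAL = "external"  # pseudo-group for traffic entering from outside the network


@dataclass(frozen=True)
class Rule:
    dst_group: str
    src_group: str  # a group name, or EXTERNAL
    proto: str
    port: int


@dataclass
class TenantPolicy:
    """Per-tenant membership and allow-list. Each tenant is evaluated in
    isolation, so two tenants may both use 10.1.1.0/24 without ambiguity."""
    members: dict = field(default_factory=dict)  # ip -> group name
    rules: set = field(default_factory=set)

    def add_member(self, ip: str, group: str) -> None:
        self.members[ip] = group

    def allow(self, dst_group: str, src_group: str, proto: str, port: int) -> None:
        self.rules.add(Rule(dst_group, src_group, proto, port))

    def permits(self, src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
        dst_group = self.members.get(dst_ip)
        if dst_group is None:
            return False  # unknown destination: no rule can match, so deny
        # Addresses this tenant does not own are treated as external traffic.
        src_group = self.members.get(src_ip, EXTERNAL)
        return Rule(dst_group, src_group, proto, port) in self.rules


def build_sample_tenants() -> dict:
    """Two tenants with identical (overlapping) addressing; only tenant1
    carries the web/db rules from the ops intent, tenant2 stays default-deny."""
    tenants = {}
    for name in ("tenant1", "tenant2"):
        t = TenantPolicy()
        t.add_member("10.1.1.10", "web")
        t.add_member("10.1.1.20", "app")
        t.add_member("10.1.1.30", "db")
        tenants[name] = t
    t1 = tenants["tenant1"]
    for port in (5000, 443):
        t1.allow("web", EXTERNAL, "tcp", port)
    t1.allow("db", "web", "tcp", 3306)
    return tenants
```

Anything not explicitly allowed (app to db, outside to db, UDP, the second tenant's identical addresses) is denied, which is the property the group-based policy on the earlier slide is meant to give.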
Contiv Architecture: Operational Policy Management
[Diagram: Developer and Operations intent flowing through the Application Scheduler into the Contiv Distributed Policy Layer on Node 1, Node 2 … Node-n]
Contiv Elements
• Contiv UI to Manage/Monitor Policies/Usage
• Policy Enforcement for compute, network and Storage
• Integration with Physical Infrastructure
• Contiv Policy Distribution using state store
Contiv Automatically Integrates and Enforces Developer and Operations Policies
Docker Integration Through Network/Volume Plugin
[Diagram: Cluster Wide Functions (API/Authentication, Swarm Master, Data Store, Docker-Compose, Policy Management) and Nodes (RHEL/Ubuntu Container OS, Docker Engine, Policy Enforcement, Apps) forming a Swarm Cluster on the Physical Infrastructure]
Contiv Integrates with Docker to Provide Policy Management and Enforcement
Contiv – Modules and Features
• Network: Connectivity, Security, Load Balancing, Visibility, Prioritization, Performance, Scale, External Connectivity, Multi-Tenancy
• Storage: Persistent Storage (Ceph/NFS), Allocation, Snapshots, Disk Management, Garbage Collection, IO Limits, Quotas, Monitoring
• Cluster: Node Life Cycle (Discovery, Commissioning, Decommissioning); Cluster Management (Health Monitoring, Management)
• Contiv Manager: UI for Ops Policies and Cluster Management (CLI, REST, and Graphical User Interface), Role Based Access
Available at http://contiv.github.io
Production Grade Network and Security Policies
• Multi-Tenant Multi-Host Network Connectivity
• Network Security and Isolation (White/Black List Rules)
• Traffic Prioritization and Bandwidth Allocation
• Network Monitoring (Live Connectivity Graphs and Stats)
• Integration with External Network (Cloud | Nexus | Cisco ACI)
• Micro-services Load Balancing
• Integrated IPAM, Service Discovery
• Performance and Scale
Available at https://github.com/contiv/netplugin
Production Grade Storage Policies
• Allocation (on demand within policy domain)
• Snapshots (with frequency and interval) and Restore
• IO Guarantees and Rate Limiting
• Persistent Storage for Stateful microservices
• Multiple Storage Backends: Ceph, NFS
• Disk Management, Storage Class Pooling
• Garbage Collection (policy driven)
• Monitoring, Stats and Quotas
Available at https://github.com/contiv/volplugin
Contiv Cluster: Node LifeCycle Management
• Node Discovery (leverages physical proximity)
• Commissioning, Decommissioning
• Integrated with Docker-UCP Health Monitoring and Cluster Management
• Provisioning: OS Boot (with UCS) and infrastructure install
• CLI, REST Interface for Automation
Available at https://github.com/contiv/cluster
Contiv Manager for Operations Policy Management
• Integrated Dashboard for DevOps Admin
• Ops Policies: Application Groups, Network, Storage
• Policies for all features
• Visibility: Application Connectivity and Monitoring
• Role Based Access Control to various functions
• Physical Node Management: Node Discovery/Management
• Planned future integration with Docker UCP, other management tools
• Compatible CLI tool for all Operations
• REST Interface for Automation
To Get Early Access Email [email protected]
Contiv Integration with Cisco Products
• Application Centric Infrastructure (ACI)
  • Containers Integrated with APIC Policies
  • Physical Services Integration
• Nexus Standalone or any network
  • BGP Interop (standard routing protocol)
  • EVPN based multi-tenancy and automation
• Unified Compute Systems: B and C Series
  • Leveraging vNICs for control, data, management, and storage traffic
  • Offload encapsulation function
Contiv Leverages Underlying Infrastructure Capabilities for Applications
Contiv Use Cases
• Need predictable application performance
• Need to avoid port conflict and do service discovery
• Need hardened isolation for applications for security & compliance
• Need automated security policies for microservices
• Need distributed persistent storage for stateful applications
• Need to use open source tools that offer best in class flexible network connectivity and integration into physical network
• Need integration into Cisco ACI or Nexus or UCS.
Summary: Contiv Benefits
Infrastructure Automation at the Speed of Microservices Applications
• Infrastructure Policies are created on demand and scaled as microservices applications scale
Security and Isolation for Microservices Applications
• Automated Security Policy creation for better scale of cloud native applications
• Multi-tenancy, Hardware based isolation, end to end visibility ensure secure clouds
Predictable – Production Grade Shared Infrastructure
• Allows flexible connectivity options integrating best with existing infrastructure
• Allows production grade policies (app performance requirements) to be defined and enforced consistently
• Allows monitoring of the application performance
Contiv is Open Source and Available at contiv.github.io
For More Information
• Contiv is an open source community effort. Contribute at contiv.github.io
• Join the conversation via the Contiv slack channel at contiv.slack.com
• For engagement with the team contributing to the Contiv open-source initiative, send email to [email protected]
• For a tech preview of Cisco Docker Integration, visit us at Booth #P2
Cloud Native Strategy
Ken Owens, CTO, Cloud Solutions Engineering, Cisco
Digital Transformation is a paradigm shift
• NGDC & NG Applications cloud trends
• Microservices Architecture (Container)
• Opensource technologies driving innovation
• DevOps
• Container Stacks – K8s & docker
• Container Orchestration & PaaS convergence
• Commoditization of the infrastructure (Compute and network)
• Happening faster than Virtualization
• Still a Multi-year transformation
Cisco Open Source Project Participation ~ 2 years
Cloud Native Computing Foundation Reference Arch
Components of a Cloud Native Strategy
• Containers, Containerization of NGDC
• Distributed Orchestration and Management
• Micro-services Architecture
• Application Composition (Devs build as they always have – support common software and Eclipse)
• Application Delivery (Deploy the application into different environments (dev, test, prod), locations (private and public cloud(s)), in a CI/CD and hybrid model)
• Provide governance, security, networking, and application policy intent framework (ops)
• Provide common single control panel for running of the services and ops policies
Cisco Open Source initiative for Cloud-Native Applications: Mantl (Shipped)
Stack layer and the component that fills it:
• Application Definition & DX
• Proxy / Load Balancer: Traefik
• Distributed Systems Services (Service Discovery): Consul
• Application Orchestration: Marathon, Kubernetes
• Resource Scheduling: Chronos
• Container Runtime: Docker
• Resource Management (SDN, SDS): Mesos
• Provisioning: Terraform and Ansible
• IaaS: AWS, OpenStack, vSphere, Bare Metal
Cisco's Open-Source Contribution to the Next Generation Data Center