Enabling Production Grade Containerized Applications through Policy Based Infrastructure


Upload: docker-inc

Posted on 16-Apr-2017


TRANSCRIPT

Page 1: Enabling Production Grade Containerized Applications through Policy Based Infrastructure

1© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Enabling Production-Grade Container Applications

Balaji Sivasubramanian, Director, Product, Cisco

Page 2: Agenda

• Requirements for Production Deployment
• Contiv – Open Source Solution
• Cloud Native Strategy

Page 3: Requirements for Production Grade Container Applications

Page 4: Deploying Containerized Applications on Shared Infrastructure is Best Effort

[Image: Meskel Square. Source: Reddit.com]

The Status Quo: a variety of applications (dev, test, production, secure, high performance storage, lower latency, higher performance) share the infrastructure.

But no policy: no rules, no governance, no enforcement, best effort.

Many Requirements Exist for Production Containerized Application Deployment

Page 5: Differentiated Application Performance

| Container   | Type           | Network | Security | Compute | Storage Performance    |
|-------------|----------------|---------|----------|---------|------------------------|
| Container 1 | Production App | High    | High     |         | Stateless/None         |
| Container 2 | Development    | Minimum | Medium   | Low     | Stateless/None         |
| Container 3 | Production DB  | High    | High     | High    | Stateful (1M IOPS/sec) |

Ability to Differentiate Between Applications in a Shared Infrastructure

Page 6: Predictable Performance - No Noisy Neighbor

[Charts: bandwidth share of Developer, Production and Low Priority Network traffic, before and after prioritization]

Application Performance Needs to be Ensured Throughout the Life of the Application

Page 7: Mixed Mode Applications (External Connectivity)

[Diagram: Web, App and DB tiers spread across containers, VMs and bare metal, with Policy applied to the whole application]

Application Level Policy and Monitoring for the Overall Application is Required

Page 8: Flexible Connectivity To Place Containers Anywhere

Native Connectivity
• Infra Policy: [ Bridged | Routed ]
• VLAN | IP (BGP) Handoff to Access Node
• Use Case: Private Cloud

Overlay Connectivity
• Infra Policy: [ Overlay ] [ Bridge | Routed ]
• Overlays for Inter-container Traffic
• Use Case: Private Cloud, Public Cloud

[Diagrams: APP1 … APP4 on Host-1 … Host-n for each connectivity mode]

Any Network Topology & Container Visibility Across Physical Network

Page 9: Scalable Secure Microservices Deployments

Micro-services isolated within the Network

[Diagram: Micro Service groups: Web Group, App Group, DB Group]

1. Allow grouping of containers/pods
2. Specify Policies between groups or from outside the network

Ability to Provide Granular Microservice Security in a Scalable Way

Page 10: Applications with Varied Storage Performance Requirement

Ability to Manage and Connect to Various Types of Backend Storage

Storage Performance:
• SSD: High (100K IOPS/sec)
• HDD: Low (<10K IOPS/sec)
• NVMe: Very High (1M IOPS/sec)

Page 11: Persistent Distributed Storage for Stateful Applications

[Diagram: Container 1, Container 2 and Container 3, each started with "-v: volume …", backed by Ceph]

Ability to Flexibly Schedule Stateful Containers on Any Node

Page 12: Multi-Tenancy – Separation of Policy/Network

[Diagram: Tenant 1, Tenant 2 and Tenant 3, each using the overlapping subnet 10.1.1.0/24, on SSD / Flash / NAS storage]

Ability to Support Many Secure Tenants with Individual Policies or Overlapping IP

Page 13: Automated Cluster–Node Lifecycle Management

[Diagram: a Management Station controlling a set of Docker OS nodes]

Ability to Automatically Bring Up a Cluster from Power-on and Manage It

Page 14: Telemetry and Monitoring

[Diagram: Live Application Connectivity Graph with nodes Svc1 Web, Svc1 App, Svc1 Db, Svc2 Web, Svc3 Ux]

Ability to Troubleshoot Microservice Application

Page 15: Production Ready Micro Services Deployments

• Automated Cluster Management
• Differentiated performance – prioritization, resource guarantees etc.
• Flexible connectivity between microservices
• Network Isolation and Security for Application Groups
• Mixed mode applications (integrate with non-container workloads/network)
• Storage – Differentiated performance and Persistency
• Telemetry & Monitoring
• Delivered in an automated, scalable and consistent/reliable fashion

Page 16: Project Contiv – Open Source Solution – Policies for Infrastructure

Page 17: Contiv Enables Running Containerized Apps in Production Mode in a Shared Infrastructure

[Diagram: Application Intent and Operational Intent applied across Network, Compute and Storage]

Contiv is an Open Source Solution to Define and Enforce Distributed Policies Across Infrastructure

Page 18: Application Intent with Operation Intent

Docker Compose (application intent):

    version: '2'
    services:
      web:
        build: .
        labels:
          tier: web
        volumes:
          - .:/code
        networks:
          - front-tier
          - back-tier
      db:
        image: mysql

Ops Intent (operational requirements, in the slide's own sketch notation):

    web:
      environment: prod
      networks:
        security:
          - allow ports: 5000, 443
        bandwidth: 5gbps
        lb selector:
          - tier: web
    db:
      networks:
        security:
          - allow ports: 3306 from web
      volumes:
        pool: SSD
        IOPS: 10000

Operation Intent: Provide Operational Requirements and Policies for Applications
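The ops intent above states group-level allow rules; the slide does not show how such rules are evaluated. As an added illustration (not Contiv's code or format), the following Python models a default-deny evaluator over a constructed dictionary mirroring the slide's rules and lists which ports are reachable from any source. The `OPS_INTENT` structure, `is_allowed` and `unrestricted_ports` are assumptions for this example.

```python
# Added example (not Contiv code): default-deny evaluation of group-level
# "allow ports ... from ..." rules in the spirit of the slide's ops intent.
from typing import Dict, List, Optional, Tuple

# Constructed ops intent mirroring the slide: the web group accepts 5000 and
# 443 from any source (including outside the cluster); the db group accepts
# 3306 only from the web group. Anything not listed is denied.
OPS_INTENT: Dict[str, dict] = {
    "web": {"security": [{"allow": {"ports": [5000, 443]}}]},
    "db":  {"security": [{"allow": {"ports": [3306], "from": "web"}}]},
}


def is_allowed(intent: Dict[str, dict], src: str, dst: str, port: int) -> bool:
    """True only if the destination group has a rule naming the port whose
    'from' (if present) matches the source group; no matching rule => deny."""
    for rule in intent.get(dst, {}).get("security", []):
        allow = rule.get("allow", {})
        if port not in allow.get("ports", []):
            continue
        source: Optional[str] = allow.get("from")
        if source is None or source == src:  # no 'from' means any source
            return True
    return False


def unrestricted_ports(intent: Dict[str, dict]) -> List[Tuple[str, int]]:
    """(group, port) pairs reachable from any source, i.e. rules without
    'from'. These are the cluster's externally exposed surface for review."""
    exposed: List[Tuple[str, int]] = []
    for group, spec in intent.items():
        for rule in spec.get("security", []):
            allow = rule.get("allow", {})
            if "from" not in allow:
                exposed.extend((group, p) for p in allow.get("ports", []))
    return exposed


if __name__ == "__main__":
    for flow in [("external", "web", 443), ("web", "db", 3306),
                 ("external", "db", 3306), ("app", "db", 3306)]:
        print(flow, "ALLOW" if is_allowed(OPS_INTENT, *flow) else "DENY")
    print("exposed:", unrestricted_ports(OPS_INTENT))
```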

Page 19: Contiv Architecture: Operational Policy Management

[Diagram: Developer and Operations intent flow through the Application Scheduler into the Contiv Distributed Policy Layer spanning Node 1, Node 2 … Node-n]

Contiv Elements:
• Contiv UI to Manage/Monitor Policies/Usage
• Policy Enforcement for compute, network and storage
• Integration with Physical Infrastructure
• Contiv Policy Distribution using state store

Contiv Automatically Integrates and Enforces Developer and Operations Policies

Page 20: Docker Integration Through Network/Volume Plugin

Cluster Wide Functions: API/Authentication, Swarm Master, Data Store, Docker-Compose, Policy Management

Nodes (Swarm Cluster on Physical Infrastructure): RHEL/Ubuntu Container OS, Docker Engine, Policy Enforcement, Apps

Contiv Integrates with Docker to Provide Policy Management and Enforcement

Page 21: Contiv – Modules and Features

• Network: Connectivity, Security, Load Balancing, Visibility, Prioritization, Performance, Scale, External Connectivity, Multi-Tenancy
• Storage: Persistent Storage (Ceph/NFS), Allocation, Snapshots, Disk Management, Garbage Collection, IO Limits, Quotas, Monitoring
• Cluster: Node Life Cycle: Discovery, Commissioning, Decommissioning; Cluster Management: Health Monitoring, Management
• Contiv Manager: UI for Ops Policies and Cluster Management: CLI, REST, and Graphical User Interface, Role Based Access

Available at http://contiv.github.io

Page 22: Production Grade Network and Security Policies

• Multi-Tenant Multi-Host Network Connectivity
• Network Security and Isolation (White/Black List Rules)
• Traffic Prioritization and Bandwidth Allocation
• Network Monitoring (Live Connectivity Graphs and Stats)
• Integration with External Network (Cloud | Nexus | Cisco ACI)
• Micro-services Load Balancing
• Integrated IPAM, Service Discovery
• Performance and Scale

Available at https://github.com/contiv/netplugin

Page 23: Production Grade Storage Policies

• Allocation (on demand, within policy domain)
• Snapshots (with frequency and interval) and Restore
• IO Guarantees and Rate Limiting
• Persistent Storage for Stateful microservices
• Multiple Storage Backends: Ceph, NFS
• Disk Management, Storage Class Pooling
• Garbage Collection (policy driven)
• Monitoring, Stats and Quotas

Available at https://github.com/contiv/volplugin

Page 24: Contiv Cluster: Node LifeCycle Management

• Node Discovery (leverages physical proximity)
• Commissioning, Decommissioning
• Integrated with Docker-UCP Health Monitoring and Cluster Management
• Provisioning: OS Boot (with UCS) and infrastructure install
• CLI, REST Interface for Automation

Available at https://github.com/contiv/cluster

Page 25: Contiv Manager for Operations Policy Management

• Integrated Dashboard for DevOps Admin
• Ops Policies: Application Groups, Network, Storage
• Policies for all features
• Visibility: Application Connectivity and Monitoring
• Role Based Access Control to various functions
• Physical Node Management: Node Discovery/Management
• Planned future integration with Docker UCP, other management tools
• Compatible CLI tool for all Operations
• REST Interface for Automation

To Get Early Access Email [email protected]

Page 26: Contiv Integration with Cisco Products

Application Centric Infrastructure (ACI)
• Containers Integrated with APIC Policies
• Physical Services Integration

Nexus Standalone or any network
• BGP Interop (standard routing protocol)
• EVPN based multi-tenancy and automation

Unified Compute Systems: B and C Series
• Leveraging vNICs for control, data, management, and storage traffic
• Offload encapsulation function

Contiv Leverages Underlying Infrastructure Capabilities for Applications

Page 27: Contiv Use Cases

• Need predictable application performance
• Need to avoid port conflict and do service discovery
• Need hardened isolation for applications for security & compliance
• Need automated security policies for microservices
• Need distributed persistent storage for stateful applications
• Need to use open source tools that offer best in class flexible network connectivity and integration into physical network
• Need integration into Cisco ACI or Nexus or UCS.

Page 28: Summary: Contiv Benefits

Infrastructure Automation at the Speed of Microservices Applications
• Infrastructure Policies are created on demand and scaled as microservices applications scale

Security and Isolation for Microservices Applications
• Automated Security Policy creation for better scale of cloud native applications
• Multi-tenancy, Hardware based isolation, end to end visibility ensure secure clouds

Predictable – Production Grade Shared Infrastructure
• Allows flexible connectivity options integrating best with existing infrastructure
• Allows production grade policies (app performance requirements) to be defined and enforced consistently
• Allows monitoring of the application performance

Contiv is Open Source and Available at contiv.github.io

Page 29: For More Information

• Contiv is an open source community effort. Contribute at contiv.github.io
• Join the conversation via the Contiv slack channel at contiv.slack.com
• For engagement with the team contributing to the Contiv open-source initiative, send email to [email protected]
• For a tech preview of Cisco Docker Integration, visit us at Booth #P2

Page 30: Cloud Native Strategy

Ken Owens, CTO, Cloud Solutions Engineering, Cisco

Page 31: Digital Transformation is a paradigm shift

• NGDC & NG Applications cloud trends
• Microservices Architecture (Container)
• Opensource technologies driving innovation
• DevOps
• Container Stacks – K8s & docker
• Container Orchestration & PaaS convergence
• Commoditization of the infrastructure (Compute and network)
• Happening faster than Virtualization
• Still a Multi-year transformation

Page 32: Cisco Open Source Project Participation ~ 2 years

Page 33: Cloud Native Computing Foundation Reference Arch

Page 34: Components of a Cloud Native Strategy

• Containers, Containerization of NGDC
• Distributed Orchestration and Management
• Micro-services Architecture
• Application Composition (Devs build as they always have – support common software and Eclipse)
• Application Delivery (Deploy the application into different environments (dev, test, prod) and locations (private and public cloud(s)), in a CI/CD and hybrid model)
• Provide governance, security, networking, and application policy intent framework (ops)
• Provide common single control panel for running of the services and ops policies

Page 35: Cisco Open Source initiative for Cloud-Native Applications: Mantl (Shipped)

| Layer                                            | Component                           |
|--------------------------------------------------|-------------------------------------|
| Application Definition & DX                      |                                     |
| Proxy / Load Balancer                            | Traefik                             |
| Distributed Systems Services (Service Discovery) | Consul                              |
| Application Orchestration                        | Marathon, Kubernetes                |
| Resource Scheduling                              | Chronos                             |
| Container Runtime                                | Docker                              |
| Resource Management (SDN, SDS)                   | Mesos                               |
| Provisioning                                     | Terraform and Ansible               |
| IaaS                                             | AWS, OpenStack, vSphere, Bare Metal |

Page 36: Cisco’s Open-Source Contribution to the Next Generation Data Center