microservices and containers networking: contiv, an industry leading open source solution from cisco...

1© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Cisco Contiv: Network Policies for Microservices

Luca Relandini @lucarelandini

ROME 24-25 MARCH 2017

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

Introduction: Microservices and Containers... Though you already know them

3BRKDCT-2023


Containers and Microservices

container

Your codeYour startup scriptsCode dependencies

Should deploy with exactly the same behavior on any host/VM that can run containers

Orders

Wishlist

Payment


Cloud Native

FROM

TO

Microservices - Impact on IT Operations

DevOpsShared Responsibility

Common Incentives, Tools, Process and Culture

Not My ProblemSeparate Tools,

Varied Incentives, Opaque Process

Continuous DeliveryRelease Early and Often

Higher Quality of Code

Release Once Every 6 MonthsMore Bugs in Production

MicroservicesLoosely Coupled ComponentsAutomated Deploy Without Waiting on Individual

Components

Tightly Coupled ComponentsSlow Deployment Cycles Waiting

on Integrated Tests Teams

Traditional IT


Containers Help to Achieve Agile App Development

Stage/ProductionTestDevelopment

VersionControl

SysAdmin

QA/QEDeveloper

BRKDCT-2023 7

Different players in the game


8

But... There are Concerns in Containers AdoptionWhat slows an organization’s use of containers?

75% 71% 64% 62% 61%

Security Networking Performance Integration Management

Source: n= 124 to-date, IDC custom survey, study commissioned by Cisco

6© 2017 Cisco and/or its affiliates. All rights reserved. Cisco ConfidentialNeed for production-grade infrastructure

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 9

HW Integration

Can not leverage performance and security by natively integrating with HW

Networking In The New Container World

Physical NetworkHypervisorHypervisor

Physical Network

Virtual Switching or Overlay Network

C1 Cn

Guest OS - Bridged

Overlay Network - VXLAN

Physical Network

Hypervisor Hypervisor

Host 1 Host 2 Host 2Host 1

VM1

C1 Cn

Guest OS - Bridged

VM2

C1 Cn

Guest OS - Bridged

Overlay Network - VXLAN

C1 Cn

Guest OS - Bridged

Connectivity

Network services, e.g. Load balancer, Firewall

Performance

Encap over encap over encap affects performance

VM1 VM2

Bare Metal VM Containers in VM


Container Networking Abstractions:only 3 slides

11DEVNET-1195


VM or BM

Basics of Container Networking

Minimally it provides:

- IP Connectivity in Container’s Network Namespace

- IPAM, and Network Device Creation (eth0)

- Route Advertisement or Host NAT for external connectivity

Container

eth0

Container

eth0

Physical Network

Linux/Windows OS Networking

ensp0


Container Network Model (CNM)

Docker Container

Endpoint

Network Sandbox

Green Network

Docker Container

Endpoint

Network Sandbox

Blue Network

• Proposed by Docker to provide networking abstractions/API for container networking

• Sandbox contains configuration of a container's network stack (Linux network namespace)

• An endpoint is a container's interface into a network (veth pair)

• A network is collection of arbitrary endpoints that can communicate with each other

• A container can belong to multiple endpoints (and therefore multiple networks)

CNM provides Driver APIs for IPAM and Endpoint creation/deletion

IPAM Driver APIs: - Create/Delete Pool, - Allocate/Free IP Address

Network Driver APIs: - Network Create/Delete, - Endpoint Create/Delete/Join/Leave

eth0 eth1


Container Network Interface (CNI)

• Proposed by CoreOS as part of appc specification, used also by Kubernetes

• Common interface between container run time and network plugin

• Gives driver freedom to manipulate network namespace

• Network described by JSON config

• Plugins support two commands:- Add Container to Network- Remove Container from Network

Container

Network namespace

Driver plumbing

Differences (from CNM):- Gives Driver freedom to manipulate network namespace- Provide Container Id, Params to drivers- Just 2 API: Add Container to Network, Delete Container from Network


Introduction – Why Contiv?

15BRKDCT-2023


Today’s Infrastructure Needs

16BRKDCT-2023

Mike, IT AdminSally, Dev/Test

1. Develop and test fast2. Agility and Elasticity3. Does not care about other users

1. Manage infrastructure2. Stability and Security3. Isolation and Compliance

Challenge: Conflicting goals and priorities

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 17BRKDCT-2023

How can we achieve these goals?Key: Policy-based Container Networking

Declarative Tags (simpler)Manage Groups instead of single objects (faster)


What is Contiv?

18BRKDCT-2023


Containerized Apps on Shared Infrastructure

ApplicationIntent

Compute Compute

Operational Intent

Contiv Is an Open Source Solution to Define and Enforce Distributed Policies Across Infrastructure

NETWORK

Compute


Application Intent with Operation Intent

PLACEHOLDER

version: '2' services: web: build: . label: - tier: web volumes:

- .:/code networks:

- front-tier - back-tier

db: image: mysql

App IntentPLACEHOLDER

web: environment: prod networks: security: - allow ports: 5000, 443 bandwidth: 5gbps lb selector: - tier: web db: networks: security: allow ports: 3306 from web

Ops Intent (e.g. Contiv Intent*)

Operation Intent Provides Operational Requirements and Policies for Applications

* Shown in yaml for better visualization


Contiv: How everything fits togetherOperational Policy Management

Developer Operations

ApplicationScheduler

Node 1 Node 2 Node-nContiv Distributed Policy Layer

...

Contiv Elements

Contiv UI/CLI/API to manage and monitor policies/usage

Distributed policy enforcement for network

Integration with physical infrastructure

Integrated with popular container schedulers

Contiv Automatically Integrates and Enforces Developer and Operations Policies


6© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential100% Open Source

The Most Powerful Container Networking Fabric L2, L3, Overlay or ACI Rich Policies

DevOps IT Admin

Any NetworkingAny Platform

Any Infrastructure

Application Intent

Rich Policy Model

DeclarativeSimple Install

GUI + CLI

LDAP/RBAC

Contiv


Contiv Integration with Underlying DC Infrastructure

Application-Centric Infrastructure (ACI)• Containers integrated with APIC policies• Physical services integration

Nexus Standalone or Any Network• VLAN handoff• BGP interop (standard routing protocol)

6© 2017 Cisco and/or its affiliates. All rights reserved. Cisco ConfidentialContiv Leverages Underlying Infrastructure Capabilities


Introducing Contiv 1.0

What’s New:

LDAP+RBAC

All New User Experience

and Workflow

Kubernetes 1.4 Support

Docker 1.12 Support

OpenShiftIntegration

Simple Install

1

Commercially Supported Contiv will be announced shortly

Cisco Advances Services

Cisco Solutions Support

100% Open Source at contiv.github.io


Contiv’s Approach to Containers

ScaleRoute and

Policy Distribution

SpeedAutomated Scale-Out

Layer of NetworkFlat Networks

High Performance

Application-CentricIntegrated with App Blueprint

Shared ResourcesPolicies for

Resource Acquisition

Hybrid CloudConsistent Policies

SecurityTenant Isolation Security Policies

Telemetry/DiagnosticsApplication Statistics

Data Export

25


Contiv Network Components

Contiv CLI/UI

Node 1

Contiv Agent

...Node 2

Contiv Agent

Node-n

Contiv Agent

Contiv Elements

Container networking for:• Kubernetes, Mesos, Nomad, and SwamRoute distribution using BGP or JSON RPCCustom OpenFlow pipeline for host networking• Allows implementing various features (details later)Exports data about: App connectivity, stats, peer

Distributed, cluster-wide functionStateless: Useful in node failure/restart, upgradeImplements cluster-wide network and policyManage global resources: IPAM, VLAN/VXLAN pools

Tools to manipulate Contiv objectsImplements CRUD using REST I/FExpected to be used by infra/ops teamsRBAC

26


Contiv NetworkHigh-Level Architecture

Host-1

.…Host Plug-In Distributed

KV Store

Plug-In Logic

Contiv Host Agent

Host-n

Linux Host Routing/Switching

To Physical Network

ARP/DNS Responder

Service LB

Route Distribution [ BGP | RPC ]

Container Runtime

(e.g., Docker)

[ K8s| Swarm | Mesos | Nomad ]

Master-DBPolicy EngineREST Server

IPAM/Res-Mgmt

HA Heartbeat

DistributedKV Store

[ Etcd | Consul ]

REST client (e.g. netctl)

API Calls to External Orchestration Systems e.g,. ACI, Schedulers

Health MonitoringContiv Master Cluster

.……

.…


Demo

30Presentation ID


Tutorial on Docker and Contiv - do it yourself ;-)

A normal docker network (without Contiv) looks like it:

It’s online at http://contiv.github.io

http://contiv.github.io/

http://contiv.github.io/


33Presentation ID

Let’s create a Contiv network


How Docker sees a Contiv network

Let’s attach a new container to the new network:


35Presentation ID

Networks are isolatedLet’s create one more container on contiv-net:

We have many containers now (contiv-c1 and contiv-c5 are on the same network):

Ping works here(same if the container is on a different host/VM)

Ping does not work here


Tenants in Contiv

Two different networks, they don’t communicate

Tenants are isolated worlds, to avoid conflicts.They have separate namespaces for resources.

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 37Presentation ID

Applying policies between containers with Contiv

Contiv provide a way to apply isolation policies between containers groups (regardless of the tenants, eventually within the tenants).

For this, we create a simple policy called db-policy, and add some rules to it to define which ports are allowed.


Policies are applied among Groups

Finally, we associate the policy with a group (a group is an arbitrary collection of containers, e.g. a tier for a microservice) and then run some containers that belong to db group

Let’s create two more containers:

The policy db-policy (ports open and closed) is applied to all the 3 containers:Managing many end points as a single object makes it easy and fast, think about auto-scaling (especially when integrated with Swarm, Kubernetes, etc.)


Contiv is Microservices Ready

• Support for grouping Applications• Allows scale-out instances of container applications to be grouped together• Policies specified on a micro-service tier, rather than individual container workloads

• Efficient forwarding between Microservice tiers• Allows a fixed (DNS published) VIP for a micro-service• Containers within the micro-services can come and go

• Their IP addresses are mapped to the service IP for east-west traffic• Eliminates single point of forwarding (proxy) between micro-service tiers

• Application visibility at service levels (across the cluster)

Web Group

App Group

DB Group

Allow grouping of containers/pods

Specify Policies between groups or from outside

the network


Elements of Contiv Networking

Cluster-wide Connectivity

Truly Multi-tenant

Network Isolation

Traffic Prioritization

App-Composers Integrated

Network Monitoring

Scalable

Physical Network Integration: ACI | Nexus Standalone

Micro Services Ready

Leverages NIC

IPAM, Service Discovery

Contiv Networking

High Throughput


Contiv Value Proposition


Go and test it (easy!): http://contiv.github.io

Contiv releases - github.com/contiv/install/releasesDocuments - contiv.github.ioJoin Contiv Slack - contiv.herokuapp.comContiv Blogs - blogs.cisco.com/tag/contivRecorded demo - https://www.youtube.com/watch?v=55s4wAVbTM4Cisco DevNet community - https://developer.cisco.com/site/contiv/videos/index.gspContiv on Docker Store - https://store.docker.com/plugins/803eecee-0780-401a-a454-e9523ccf86b3?tab=description

https://www.youtube.com/watch?v=55s4wAVbTM4

https://developer.cisco.com/site/contiv/videos/index.gsp

https://store.docker.com/plugins/803eecee-0780-401a-a454-e9523ccf86b3?tab=description

microservices and containers networking: contiv, an industry leading open source solution from cisco...

Technology