Be the Kuryr!

Project Kuryr Here comes advanced services for containers networking Mohammad Banikazemi @MBanikazemi Gal Sagie @GalSagie Antoni Segura Puimedon @celebdor

Transcript of Be the Kuryr!

Page 1: Be the Kuryr!

Project Kuryr Here comes advanced services for containers networking

Mohammad Banikazemi @MBanikazemi
Gal Sagie @GalSagie
Antoni Segura Puimedon @celebdor

Page 2: Be the Kuryr!

Outline
❏ Motivation and Introduction
❏ Current state
❏ Kubernetes
❏ Getting involved
❏ Demo

Page 3: Be the Kuryr!
Page 4: Be the Kuryr!

Networking as the starting point...
❏ Reinventing networking abstractions
❏ Changing and vendor specific solutions
❏ Hard to connect VMs, bare metal and nested containers
❏ No unified networking infrastructure
❏ Overlay2 for VM nested containers
❏ Performance, latency, SLA, management penalties
❏ Lack of isolation and policy level constructs
❏ Security
❏ 3-Tier Applications

Page 5: Be the Kuryr!

Similar Concepts

Page 6: Be the Kuryr!

Nested Containers Overlay

Page 7: Be the Kuryr!

Mission
The Glue Between Containers Ecosystem and OpenStack

Page 8: Be the Kuryr!

Current state

Page 9: Be the Kuryr!

Kuryr Project Overview

❏ Part of OpenStack Big-Tent
❏ Connecting Containers with OpenStack Services: Networking (Neutron), Authentication (Keystone) and Storage (Cinder)
❏ Aims to support:
  ❏ Different container Runtimes: docker, rkt, etc
  ❏ Multi-host/Clustered environments: Kubernetes, Mesos, Docker Swarm
❏ Working together with OpenStack community
  ❏ Magnum, Kolla, Neutron, Keystone, Cinder

Page 10: Be the Kuryr!

Kuryr Newton contribution

Page 11: Be the Kuryr!

Current Supported Features
❏ Keystone v2 and v3 support with multiple plugins
❏ Supports Docker networking (CNM): libnetwork
  ❏ Remote driver
  ❏ IPAM driver
❏ Partial Support for Kubernetes networking (CNI)
❏ Allows use of Security Groups (exposed ports and pod annotation)
❏ Supports use of existing Neutron resources
  ❏ Networks
  ❏ Subnets
  ❏ Load balancers

❏ Supports Docker Swarm*

Page 12: Be the Kuryr!

Components

❏ Multiple Repos
  ❏ openstack/kuryr (kuryr-lib)
    ❏ Configuration
    ❏ Binding
    ❏ Library
  ❏ openstack/kuryr-libnetwork
    ❏ Libnetwork remote driver
    ❏ Libnetwork ipam driver
  ❏ openstack/kuryr-kubernetes
    ❏ K8s Watcher
    ❏ CNI plugin

Page 13: Be the Kuryr!

Kuryr VIF Binding drivers

❏ Part of Kuryr-lib
❏ Virtual device drivers
  ❏ Veths
  ❏ Ipvlan
  ❏ Macvlan
  ❏ vlan*

❏ Supports ovs, lb, midonet and others

❏ Used by both Docker libnetwork and CNI

❏ To be enhanced to use Oslo versioned objects and os-vif

Page 14: Be the Kuryr!

How to Use: Docker Native API

$ docker network create -d kuryr \
    --ipam-driver=kuryr \
    --subnet=10.10.0.0/24 \
    --gateway=10.10.0.1 mynet
08192d75a75a490163ac33434fb2c8a74a7841ad42abb985a1fdc7cde3c92f17

$ docker run -it --net=mynet alpine sh

Page 15: Be the Kuryr!

$ neutron net-list
+--------------------------------------+--------------------+---------------------------------------------------+
| id                                   | name               | subnets                                           |
| a747d101-eefb-4aa2-9575-9c7ad181f8e0 | kuryr-net-08192d75 | 42a8d0c5-687d-4284-ac3e-2db86f5579f6 10.10.0.0/24 |

$ neutron net-show kuryr-net-08192d75
+---------------------------+----------------------------------------------------+
| Field                     | Value                                              |
| id                        | a747d101-eefb-4aa2-9575-9c7ad181f8e0               |
| name                      | kuryr-net-08192d75                                 |
| subnets                   | 42a8d0c5-687d-4284-ac3e-2db86f5579f6               |
| tags                      | kuryr.net.uuid.lh:08192d75a75a490163ac33434fb2c8a7 |
|                           | kuryr.net.uuid.uh:4a7841ad42abb985a1fdc7cde3c92f17 |

Behind the Scenes: Neutron Network

❏ network tags: associate Neutron and Docker networks

Page 16: Be the Kuryr!

Existing Neutron Networks

$ neutron net-create mynet
$ docker network create -d kuryr \
    --ipam-driver=kuryr \
    --subnet=10.10.0.0/24 \
    --gateway=10.10.0.1 \
    -o neutron.net.name=mynet \
    mynet_d

$ ID=$(neutron net-list | grep mynet \
    | awk '{print $2}')
$ docker network create -d kuryr \
    --ipam-driver=kuryr \
    --subnet=10.10.0.0/24 \
    --gateway=10.10.0.1 \
    -o neutron.net.uuid=$ID mynet_d

Page 17: Be the Kuryr!

$ neutron net-show mynet
+---------------------------+----------------------------------------------------+
| Field                     | Value                                              |
+---------------------------+----------------------------------------------------+
| tags                      | kuryr.net.uuid.uh:4ca3f3fc3fc48a8c9cd902ed7508f1cd |
|                           | kuryr.net.uuid.lh:12f769bd2697f2200f27f60753bd5dad |
|                           | kuryr.net.existing                                 |

Existing Neutron Networks (Cont’d)

❏ Neutron tags added to the network
❏ An existing subnet is used if there is one; otherwise one is created
❏ Neutron network is not deleted upon deletion of Docker network
❏ If using an old release (i.e., Liberty or earlier):
  ❏ Neutron network name is modified
  ❏ Deleting Docker network → deletion of Neutron network if no ports
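
The tag scheme from the two "Neutron Network" slides, as an added example that is not code from the slides or from the Kuryr project: it rebuilds the Docker network ID from the lh/uh tags and labels each Neutron network against the set of live Docker networks. It assumes lh holds the first 32 hex characters of the ID and uh the last 32, which is what the slide values show; the state names and the "private" network are constructed.

```python
import re

LH = "kuryr.net.uuid.lh:"          # tag prefixes as shown on the slides
UH = "kuryr.net.uuid.uh:"
EXISTING = "kuryr.net.existing"    # marks a network that existed before Kuryr used it
HEX32 = re.compile(r"[0-9a-f]{32}")

def docker_id_from_tags(tags):
    """Rebuild the 64-hex Docker network ID; None if the network has no Kuryr tags."""
    lower = [t[len(LH):] for t in tags if t.startswith(LH)]
    upper = [t[len(UH):] for t in tags if t.startswith(UH)]
    if not lower and not upper:
        return None
    if len(lower) != 1 or len(upper) != 1:
        raise ValueError("expected exactly one lh tag and one uh tag")
    if not (HEX32.fullmatch(lower[0]) and HEX32.fullmatch(upper[0])):
        raise ValueError("each half must be 32 lowercase hex characters")
    return lower[0] + upper[0]     # assumption: lh is the first half of the ID

def classify(neutron_networks, docker_ids):
    """Label every Neutron network by how it relates to the live Docker networks."""
    report = {}
    for net in neutron_networks:
        try:
            docker_id = docker_id_from_tags(net["tags"])
        except ValueError:
            report[net["name"]] = "malformed-tags"
            continue
        if docker_id is None:
            report[net["name"]] = "not-kuryr"
        elif docker_id in docker_ids:
            report[net["name"]] = "bound"
        elif EXISTING in net["tags"]:
            report[net["name"]] = "preexisting-unbound"  # kept after Docker network removal
        else:
            report[net["name"]] = "orphaned"             # Kuryr-tagged, no Docker network
    return report

# Tag values are the ones shown on the slides; "private" is constructed.
NETWORKS = [
    {"name": "kuryr-net-08192d75", "tags": [
        LH + "08192d75a75a490163ac33434fb2c8a7", UH + "4a7841ad42abb985a1fdc7cde3c92f17"]},
    {"name": "mynet", "tags": [
        UH + "4ca3f3fc3fc48a8c9cd902ed7508f1cd", LH + "12f769bd2697f2200f27f60753bd5dad", EXISTING]},
    {"name": "private", "tags": []},
]
DOCKER_IDS = {"08192d75a75a490163ac33434fb2c8a74a7841ad42abb985a1fdc7cde3c92f17"}
```

With this sample data, classify(NETWORKS, DOCKER_IDS) reports the first network as bound, mynet as preexisting-unbound and private as not-kuryr.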

Page 18: Be the Kuryr!

$ docker run --net=mynet --expose=1234/udp -it alpine sh

$ neutron port-list
+--------------------------------------+-------------------------------------------------+
| id                                   | fixed_ips                                       |
+--------------------------------------+-------------------------------------------------+
| 53f0fbec-67ac-4432-9596-8911b7044c99 | {"subnet_id":                                   |
|                                      | "2b3c390c-a8b2-4036-bb28-7599a6d71d4c",         |
|                                      | "ip_address": "10.10.0.8"}                      |

$ neutron port-show 53f0fbec-67ac-4432-9596-8911b7044c99
+-----------------------+---------------------------------------+
| Field                 | Value                                 |
+-----------------------+---------------------------------------+
| security_groups       | 4062dc96-0601-465c-a577-f4aef58ef99d  |
|                       | e50a0ae3-0d79-4c20-93a7-51dafd9b2311  |

Exposed ports and Security Groups

❏ Docker expose supported by Neutron security groups

Page 19: Be the Kuryr!

$ neutron security-group-list
+----------------------------+----------------------------+-----------------------------+
| id                         | name                       | security_group_rules        |
+----------------------------+----------------------------+-----------------------------+
| 4062dc96-0601-465c-a577-f4 | 53f0fbec-67ac-4432-9596-89 | egress, IPv4                |
| aef58ef99d                 | 11b7044c99-exposed_ports   | egress, IPv6                |
|                            |                            | ingress, IPv4, 1234/udp     |
| e50a0ae3-0d79-4c20-93a7-51 | default                    | egress, IPv4                |
| dafd9b2311                 |                            | egress, IPv6                |
|                            |                            | ingress, IPv4,              |
|                            |                            | remote_group_id: e50a0ae3-  |
|                            |                            | 0d79-4c20-93a7-51dafd9b2311 |
|                            |                            | ingress, IPv6,              |
|                            |                            | remote_group_id: e50a0ae3-  |
|                            |                            | 0d79-4c20-93a7-51dafd9b2311 |
+----------------------------+----------------------------+-----------------------------+

Exposed ports (Cont’d)
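
A check on the per-port group shown on the two "Exposed ports" slides, as an added example that is not code from the slides or from the Kuryr project: it compares the ingress rules of the "<port-id>-exposed_ports" group with the container's --expose list and reports rules that are missing or wider than declared. The rule dictionaries use Neutron's security group rule field names; the helper names and the drifted group are constructed.

```python
def parse_expose(spec):
    """'1234/udp' -> ('udp', 1234, 1234); Docker defaults the protocol to tcp."""
    ports, _, proto = spec.partition("/")
    low, _, high = ports.partition("-")
    return (proto or "tcp", int(low), int(high or low))


def audit_exposed_ports(port_id, exposed, security_groups):
    """Diff the ingress rules of '<port-id>-exposed_ports' against --expose."""
    wanted = {parse_expose(spec) for spec in exposed}
    name = f"{port_id}-exposed_ports"            # group naming shown on the slide
    group = next((g for g in security_groups if g["name"] == name), None)
    rules = group["security_group_rules"] if group else []
    actual = {
        (r["protocol"], r["port_range_min"], r["port_range_max"])
        for r in rules if r["direction"] == "ingress"
    }
    return {
        "group_found": group is not None,
        "missing": sorted(wanted - actual),
        "unexpected": sorted(actual - wanted, key=repr),  # protocol may be None
    }


def rule(direction, ethertype, protocol=None, low=None, high=None):
    """Build a rule dict with the Neutron API field names (constructed data)."""
    return {"direction": direction, "ethertype": ethertype, "protocol": protocol,
            "port_range_min": low, "port_range_max": high}


PORT_ID = "53f0fbec-67ac-4432-9596-8911b7044c99"   # port ID from the slide
# Mirrors the exposed_ports group in the security-group-list output above.
AS_ON_SLIDE = [{"name": PORT_ID + "-exposed_ports", "security_group_rules": [
    rule("egress", "IPv4"), rule("egress", "IPv6"),
    rule("ingress", "IPv4", "udp", 1234, 1234)]}]
# Constructed drift: an SSH ingress rule added to the per-port group later.
DRIFTED = [{"name": PORT_ID + "-exposed_ports", "security_group_rules":
            AS_ON_SLIDE[0]["security_group_rules"]
            + [rule("ingress", "IPv4", "tcp", 22, 22)]}]
```

The port also carries the default group, whose ingress rules admit any member of that same group whatever --expose says, so a clean result here covers only the per-port group.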

Page 20: Be the Kuryr!

Kubernetes

Page 21: Be the Kuryr!

Kubernetes
❏ Container orchestration engine
❏ Implemented in Go
❏ Thriving multi vendor community
❏ Main components
  ❏ API server
  ❏ Scheduler
  ❏ Kubelet
  ❏ Controller manager
  ❏ Etcd datastore

❏ Pluggable networking with Container Networking Interface

Page 22: Be the Kuryr!

Kubernetes Integration
❏ Deployment options
  ❏ Kuryr watcher on the project instances
  ❏ Kuryr watcher on admin/tenant machine
❏ Kuryr CNI plugin only communicates with K8s API
  ❏ Kubelet already has a channel to the API
  ❏ Uses kuryr-lib for binding to the correct Neutron port
❏ Kuryr watcher updates API servers
  ❏ Neutron to create the resources for the Kubernetes deployment
  ❏ Kubernetes resource annotations to place Neutron resource info

Page 23: Be the Kuryr!

Kubernetes components

❏ Kubelet configured with Kuryr CNI

❏ The watcher reads k8s resource event streams

❏ Events can have multiple handlers

❏ Multiple Watchers for HA*

Page 24: Be the Kuryr!

Kubernetes Services

Page 25: Be the Kuryr!

Kubernetes Services

Page 26: Be the Kuryr!

VM Nested Containers and Magnum
❏ Will support net modes:
  ❏ Ipvlan
  ❏ Macvlan
  ❏ Trunk / subport

❏ If Neutron is routable from controller VM, watcher can go there

❏ CNI only needs to talk to k8s API

❏ Depending on vendor, lbaas will need a node with Octavia

Page 27: Be the Kuryr!

Getting involved

Page 28: Be the Kuryr!

Packaging
❏ Automated container builds at https://hub.docker.com/r/kuryr/
  ❏ libnetwork
  ❏ watcher
  ❏ kubelet
❏ Kolla Integration
❏ Distribution packaging with systemd unit files
  ❏ Debian
  ❏ RDO

Page 29: Be the Kuryr!

Kuryr Roadmap
❏ Ocata cycle
  ❏ Kubernetes integration
  ❏ HA
  ❏ Multitenancy
  ❏ Policy support using security groups
  ❏ Nested containers and Magnum integration
  ❏ Oslo Versioned Objects binding interface
  ❏ Kuryr-Kubernetes release
  ❏ Kuryr-lib 1.0.0
  ❏ Kuryr-libnetwork 1.0.0

Page 30: Be the Kuryr!

Kuryr and Storage
❏ Kuryr as incubator for bringing native OpenStack services to containers
  ❏ Cinder
  ❏ Manila
  ❏ Swift
  ❏ Freezer

Page 31: Be the Kuryr!

Kuryr work sessions
Thursday 27th Friday 28th

9:00 - 9:40 K8s services

9:50 - 10:30 K8s HA

11:00 - 11:40 Kolla and containers

11:50 - 12:30 Storage - Cinder

13:50 - 14:30 Kuryr - Magnum

16:40 - 17:30 Container-in-VM

17:30 - 18:10 Multitenancy

Page 32: Be the Kuryr!

Join us! Be the Kuryr!
❏ Project Launchpad
  ❏ https://launchpad.net/kuryr
❏ Project Git Repository
  ❏ https://github.com/openstack/kuryr
❏ Weekly IRC Meeting
  ❏ http://eavesdrop.openstack.org/#Kuryr_Project_Meeting
❏ IRC
  ❏ #openstack-kuryr @ Freenode
❏ Mailing List
  ❏ [email protected] ([Kuryr])

Page 33: Be the Kuryr!

Join us! Be the Kuryr!
❏ Documentation
  ❏ http://docs.openstack.org/developer/kuryr
❏ Getting Started Blog posts
  ❏ http://galsagie.github.io/sdn/openstack/docker/kuryr/neutron/2015/08/24/kuryr-part1/
  ❏ http://galsagie.github.io/sdn/openstack/docker/kuryr/neutron/2015/10/10/kuryr-ovn/
  ❏ https://mbanikazemi.com/2016/01/07/docker-swarm-and-kuryr/

Page 34: Be the Kuryr!

Demo