Project kuryr returns: Docker delivered, Kubernetes Next

25
Project Kuryr Docker delivered, Kubernetes Next! Mohammad Banikazemi @MBanikazemi Gal Sagie @GalSagie Antoni Segura Puimedon @celebdor

Transcript of Project kuryr returns: Docker delivered, Kubernetes Next

Project Kuryr Docker delivered, Kubernetes Next!

Mohammad Banikazemi @MBanikazemiGal Sagie @GalSagieAntoni Segura Puimedon @celebdor

What Are the Problems?❏ Reinventing networking abstractions❏ Changing and vendor specific solutions❏ Overlay2 for VM nested containers

❏ Performance, latency, SLA, management penalties❏ Lack of isolation and policy level constructs

❏ Security❏ 3-Tier Applications

❏ Hard to connect VMs, bare metal and nested containers❏ No unified networking infrastructure

Similar Concepts

Nested Containers Overlay

MissionNeutron as the production-ready networking abstraction containers need

Kuryr Project Overview❏ Open source❏ Part of OpenStack Big-Tent❏ Brings the Neutron networking model to containers❏ Aims to support different Container Runtimes (docker, rkt, etc)

❏ E.g. Kubernetes, Mesos, Docker Swarm

❏ Weekly IRC meetings❏ Working together with OpenStack community

❏ Neutron, Magnum, Kolla

Current Supported Features❏ Utilizes Neutron and Keystone❏ Supports Docker networking

❏ Network Plugin❏ IPAM Plugin

❏ Allows for out of band use of Security Groups❏ Supports use of existing Neutron resources

❏ Networks❏ Subnets❏ Load balancers

❏ Supports Docker Swarm

New features for containers� Security Groups� Subnet Pools� NAT (SNAT / DNAT – Floating IP)� Port Security (ARP Spoofing)� QoS� Quota Management� Neutron pluggable IPAM� Provide well-integrated COE Load balancing through Neutron� FWaaS for Containers� Plugging into existing Neutron networks

Kuryr Components

Kuryr Generic VIF Binding

How to Use: Docker Native API$ docker network create -d kuryr \

--ipam-driver=kuryr \

--subnet=10.10.0.0/24 \

--gateway=10.10.0.1 mynet08192d75a75a490163ac33434fb2c8a74a7841ad42abb985a1fdc7cde3c92f17

$ docker run -it --net=mynet alpine

$ neutron net-list+--------------------------------------+--------------------+---------------------------------------------------+

| id | name | subnets |

| a747d101-eefb-4aa2-9575-9c7ad181f8e0 | kuryr-net-08192d75 | 42a8d0c5-687d-4284-ac3e-2db86f5579f6 10.10.0.0/24 |

$ neutron net-show kuryr-net-08192d75+---------------------------+----------------------------------------------------+| Field | Value || id | a747d101-eefb-4aa2-9575-9c7ad181f8e0 || name | kuryr-net-08192d75 || subnets | 42a8d0c5-687d-4284-ac3e-2db86f5579f6 || tags | kuryr.net.uuid.lh:08192d75a75a490163ac33434fb2c8a7 || | kuryr.net.uuid.uh:4a7841ad42abb985a1fdc7cde3c92f17 |

Behind the Scene: Neutron Network

❏ Neutron network tags: associate Neutron and Docker networks

Existing Neutron Networks$ neutron net-create mynet$ docker network create -d kuryr \ --ipam-driver=kuryr \ --subnet=10.10.0.0/24 \ --gateway=10.10.0.1 \ -o neutron.net.name=mynet \ mynet_d

$ ID=$(neutron net-list | grep mynet \ | awk '{print $2}')$ docker network create -d kuryr \ --ipam-driver=kuryr \ --subnet=10.10.0.0/24 \ --gateway=10.10.0.1 \ -o neutron.net.uuid=$ID mynet_d

$ neutron net-show mynet+---------------------------+----------------------------------------------------+| Field | Value |+---------------------------+----------------------------------------------------+| tags | kuryr.net.uuid.uh:4ca3f3fc3fc48a8c9cd902ed7508f1cd || | kuryr.net.uuid.lh:12f769bd2697f2200f27f60753bd5dad |

| | kuryr.net.existing |

Existing Neutron Networks (Cont’d)

❏ Neutron tags added to the network❏ Subnet if existing is used, otherwise gets created❏ Neutron network is not deleted upon deletion of Docker network

❏ If not using Mitaka release (i.e., Liberty or earlier):❏ Neutron network name is modified❏ Deleting Docker network → deletion of Neutron network if no ports

Docker Swarm

Kubernetes Integration❏ Secure connection to the Neutron API Server

❏ Kuryr watcher on admin/tenant machine

❏ Kuryr CNI plugin only communicates with K8s API❏ Kubelet must already have a channel to the API❏ Only performs the binding to the correct Neutron port

❏ Raven updates policy using Neutron❏ Policy information gets translated into security groups

Kubernetes and Kuryr

Kubernetes Services

VM Nested Containers and Magnum

Packaging❏ Automated container builds at https://hub.docker.com/r/kuryr/

❏ Libnetwork❏ Raven❏ Kubelet

❏ Kolla Integration❏ Under review

❏ Distribution packaging with systemd unit files❏ Debian❏ RDO

❏ Heat Templates❏ Magnum Integration

Kuryr Roadmap❏ Newton cycle

❏ Kubernetes integration❏ CNI and watcher parts upstreaming❏ Policy support using security groups

❏ Nested containers and Magnum integration❏ Neutron advanced services (FWaaS VPNaaS)❏ DNS integration and Port Forwarding❏ Docker exposed ports❏ Packaging and Deployment❏ Mesos

Kuryr and Storage❏ Kuryr as incubator for bringing native OpenStack services to containers

❏ Cinder❏ Manila❏ Swift❏ Freezer❏ Smaug

Join us! Be the Kuryr!❏ Project Launchpad

❏ https://launchpad.net/kuryr

❏ Project Git Repository❏ https://github.com/openstack/kuryr

❏ Weekly IRC Meeting❏ http://eavesdrop.openstack.org/#Kuryr_Project_Meeting

❏ IRC❏ #openstack-kuryr @ Freenode

❏ Mailing List❏ [email protected] ([Neutron][Kuryr])

Join us! Be the Kuryr!❏ Documentation

❏ http://docs.openstack.org/developer/kuryr

❏ Getting Started Blog posts❏ http://galsagie.github.io/sdn/openstack/docker/kuryr/neutron/2015/08/24/kuryr-part1/❏ http://galsagie.github.io/sdn/openstack/docker/kuryr/neutron/2015/10/10/kuryr-ovn/❏ https://mbanikazemi.com/2016/01/07/docker-swarm-and-kuryr/

Demo