Page 1: DevOps Guide to Container Networking

DevOps Guide to Container Networking

Dirk Wallerstorfer, DevOps Summit New York, June 8th

Page 2: DevOps Guide to Container Networking

Technology Lead SDN, OpenStack
[email protected]
@wall_dirk
blog.ruxit.com

Page 3: DevOps Guide to Container Networking

Dirk Wallerstorfer, @wall_dirk

Page 6: DevOps Guide to Container Networking

SDN

Page 8: DevOps Guide to Container Networking

http://systematicrelativestrength.com/2013/11/12/your-plan-vs-reality/

Page 13: DevOps Guide to Container Networking

web:$ docker run -itd wordpress


Page 15: DevOps Guide to Container Networking

web:$ docker run -itd wordpress

user:wordpress$ ping 8.8.8.8

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


Page 17: DevOps Guide to Container Networking

web:$ docker run -itd -p 8080:80 wordpress

iptables -t nat -A PREROUTING ... -j DOCKER
iptables -t nat -A DOCKER -p tcp --dport 8080 -j DNAT --to-destination 172.18.0.2:80

Page 18: DevOps Guide to Container Networking

SDN

Page 19: DevOps Guide to Container Networking

Three reasons for SDN
• Permanent connectivity
• Virtualization of everything
• Paradigm shift in software development

Page 20: DevOps Guide to Container Networking

Three reasons for SDN

Networking had to keep up somehow!

Continuous delivery
Virtualize everything
Permanent connectivity

Page 21: DevOps Guide to Container Networking

SDN
• Classic SDN
• SD WAN
• Network Overlay


Page 27: DevOps Guide to Container Networking

Multi-host Container Networking: No SDN

db:$ docker run -itd -p 3306:3306 mysql

web:$ docker run -itd -p 8080:80 -e WORDPRESS_DB_HOST=172.16.198.248:3306 wordpress

Page 28: DevOps Guide to Container Networking

Multi-host Container Networking: Prerequisites
• Underlying network
• Distributed K/V store
• Accessible ports

Page 29: DevOps Guide to Container Networking

Multi-host Container Networking

Overlay vs. no overlay

(image: http://s568.photobucket.com/user/LMG_09/media/CrowdSurfftw.jpg.html; Ocean's Eleven, Warner Bros, 2001)

Page 30: DevOps Guide to Container Networking

Multi-host Container Networking: Overlay Protocols

• VXLAN

Encapsulated frame, outer headers first:

  Outer Ethernet | Outer IP | Outer UDP | VXLAN | Ethernet | IP | TCP | Payload
  14 bytes       | 20 bytes | 8 bytes   | 8 bytes | (inner frame, carried unchanged)

  + 50 bytes of outer headers per packet

VXLAN header (8 bytes): Flags | Reserved | VXLAN Network Identifier (VNI) | Reserved
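To make the header walk above concrete, here is an added Python example (not code from the talk) that wraps a tenant Ethernet frame in the outer Ethernet/IPv4/UDP/VXLAN headers with constructed sample addresses, then parses the result back, checking each outer header before trusting the next, and reports the VNI and the 50-byte overhead; the same checks are what a capture filter or detector uses to recognise well-formed VXLAN on UDP port 4789.

```python
import struct

VXLAN_UDP_PORT = 4789        # IANA-assigned VXLAN port (RFC 7348)
VXLAN_FLAG_I = 0x08          # "I" flag: the VNI field is valid

def build_vxlan_frame(vni: int, inner_frame: bytes) -> bytes:
    """Wrap a tenant Ethernet frame in outer Ethernet/IPv4/UDP/VXLAN headers.
    MAC and IP addresses are constructed sample values; the IPv4 checksum is
    left at zero because nothing here puts the frame on a wire."""
    outer_eth = bytes.fromhex("0242ac100002" "0242ac100001" "0800")   # dst MAC, src MAC, IPv4
    payload_len = 8 + 8 + len(inner_frame)                            # UDP + VXLAN + inner
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                           bytes([172, 16, 99, 14]), bytes([172, 16, 99, 15]))
    outer_udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, payload_len, 0)
    vxlan_hdr = struct.pack("!B3xI", VXLAN_FLAG_I, (vni & 0xFFFFFF) << 8)  # flags, rsvd, VNI, rsvd
    return outer_eth + outer_ip + outer_udp + vxlan_hdr + inner_frame

def parse_vxlan_frame(frame: bytes) -> dict:
    """Validate each outer header in turn and return the VNI, the number of
    bytes the encapsulation added and the untouched inner frame."""
    if len(frame) < 14 + 20 + 8 + 8:
        raise ValueError("frame too short for a VXLAN encapsulation")
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("outer EtherType is not IPv4")
    ihl = (frame[14] & 0x0F) * 4                       # IPv4 header length in bytes
    if frame[14 + 9] != 17:
        raise ValueError("outer IP protocol is not UDP")
    udp_off = 14 + ihl
    dst_port, udp_len = struct.unpack("!HH", frame[udp_off + 2:udp_off + 6])
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError("outer UDP destination port is not 4789")
    vx_off = udp_off + 8
    flags, vni_word = struct.unpack("!B3xI", frame[vx_off:vx_off + 8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set, VNI is not valid")
    inner = frame[vx_off + 8:]
    if len(inner) != udp_len - 16:                     # UDP length covers UDP + VXLAN + inner
        raise ValueError("UDP length does not match the inner frame")
    return {"vni": vni_word >> 8, "overhead_bytes": vx_off + 8, "inner": inner}

def is_vxlan_frame(frame: bytes) -> bool:
    """Classifier a capture filter or detector would use: True only for well-formed VXLAN."""
    try:
        parse_vxlan_frame(frame)
        return True
    except ValueError:
        return False
```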

Page 34: DevOps Guide to Container Networking

Multi-host Container Networking: Overlay Protocols

• VXLAN: Ethernet in UDP, de facto standard, won the overlay war
• NVGRE: Ethernet in IP, Microsoft's answer to a question nobody asked
• STT: Ethernet in fake TCP, to utilize TSO of the NIC
• Geneve: Ethernet in UDP, best-of-breed approach, A+ for extensibility
  https://packetpushers.net/podcast/podcasts/pq-show-68-geneve-data-center-overlay-update/

Page 35: DevOps Guide to Container Networking

Multi-host Container Networking: Overlay
• Docker Libnetwork
• WeaveNet
• Flannel

Page 36: DevOps Guide to Container Networking

Docker libnetwork

https://blog.docker.com/2015/04/docker-networking-takes-a-step-in-the-right-direction-2/


Page 45: DevOps Guide to Container Networking

Why UDP?

Page 48: DevOps Guide to Container Networking

Department of Redundancy Department

Page 49: DevOps Guide to Container Networking

Multi-host Container Networking: No overlay
• Project Calico
• Flannel host-gw
• Romana
• Contiv
• MACVLAN/IPVLAN

Page 50: DevOps Guide to Container Networking

Project Calico

https://www.projectcalico.org/docker-libnetwork-is-almost-here-and-calico-is-ready/

Page 53: DevOps Guide to Container Networking

© http://de.slideshare.net/grkvlt/metaswitch-project-calico

Page 54: DevOps Guide to Container Networking

© http://de.slideshare.net/grkvlt/metaswitch-project-calico

(diagram: two hosts, each running its own containers)

Page 55: DevOps Guide to Container Networking

Project Calico
• Host is a router for the workloads
• BGP to distribute routes
• etcd backed
• Pure Layer 3, no encapsulation

Page 56: DevOps Guide to Container Networking

Project Calico

Page 60: DevOps Guide to Container Networking

Location of services

k8s pods, marathon application groups, swarm constraints, fleet units

Page 62: DevOps Guide to Container Networking

Connectivity Problems

nf_conntrack: table full, dropping packet.

dirk@fueldev:~$ sudo sysctl -a | grep conntrack
...
net.netfilter.nf_conntrack_buckets = 8192
net.netfilter.nf_conntrack_count = 0
net.netfilter.nf_conntrack_max = 31760
...

• Large number of iptables rules

Page 63: DevOps Guide to Container Networking

Connectivity Problems
• The notorious MTU
• https://www.youtube.com/watch?v=H2lBkj5zbYs

dirk@fueldev:~$ ip addr show enp0s3
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:f3:4e:5d brd ff:ff:ff:ff:ff:ff
    inet 172.16.99.14 brd 172.16.11.255 scope global enp0s3
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fef4:4e56/64 scope link
       valid_lft forever preferred_lft forever

Page 64: DevOps Guide to Container Networking

TCP/IP over VXLAN Overhead

Ethernet IP UDP VXLAN Ethernet IP TCP Payload
14 bytes 20 bytes 8 bytes 8 bytes
+ 50 bytes

Send 1MB of data
1,000,000 bytes = 710 packets of 1410 bytes
710 x 50 bytes = 35,500 bytes overhead
1,035,500 bytes are transmitted
3.55 %

Page 65: DevOps Guide to Container Networking

TCP/IP over VXLAN over VXLAN Overhead

Ethernet IP UDP VXLAN Ethernet IP UDP VXLAN Ethernet IP TCP Payload
14 bytes 20 bytes 8 bytes 8 bytes 14 bytes 20 bytes 8 bytes 8 bytes
+ 100 bytes

Send 1MB of data
1,000,000 bytes = 736 packets of 1330 bytes
736 x 100 bytes = 73,600 bytes overhead
1,073,600 bytes are transmitted
7.36 %

Page 68: DevOps Guide to Container Networking

YOU WERE SO PREOCCUPIED WITH WHETHER OR NOT YOU COULD

YOU DIDN'T STOP TO THINK IF YOU SHOULD

Page 69: DevOps Guide to Container Networking

MTU overhead (payload per packet after each further nested encapsulation, 1500-byte underlay):

  Payload per packet   Overhead
  1460 bytes              0 %
  1410 bytes            3.6 %
  1360 bytes            7.4 %
  1310 bytes           11.5 %
  1260 bytes           15.9 %
  1210 bytes           20.7 %
  1160 bytes           25.9 %
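The overhead arithmetic of pages 64, 65 and 69, carried through in an added Python example (not from the talk) that generalises the "send 1 MB" calculation to any nesting depth and also answers the MTU question behind page 63: what MTU the overlay interface must be given so that encapsulated frames still fit a 1500-byte underlay. It assumes the slide's header sizes (14 + 20 + 8 + 8 = 50 bytes per level) and 20-byte IPv4 and TCP headers inside; note that the 736 packets on page 65 follow from a 1360-byte payload (1410 minus another 50), which is what the code uses.

```python
import math
from decimal import Decimal, ROUND_HALF_UP

# Header sizes from the slides: outer Ethernet 14 + IPv4 20 + UDP 8 + VXLAN 8
VXLAN_OVERHEAD = 14 + 20 + 8 + 8      # 50 bytes per level of encapsulation
IP_TCP_HEADERS = 20 + 20              # inner IPv4 + TCP headers of every packet (assumed, no options)

def overlay_mtu(underlay_mtu: int, levels: int = 1) -> int:
    """MTU the overlay interface must be configured with so that one encapsulated
    frame still fits the underlay (1500 -> 1450 for a single VXLAN hop). Leaving it
    at 1500 is the "notorious MTU" problem: fragmentation or silently dropped packets."""
    return underlay_mtu - VXLAN_OVERHEAD * levels

def tcp_mss(underlay_mtu: int, levels: int) -> int:
    """Largest TCP payload per packet once IP/TCP headers and the overlay are paid for."""
    return overlay_mtu(underlay_mtu, levels) - IP_TCP_HEADERS

def transfer_overhead(data_bytes: int, levels: int, underlay_mtu: int = 1500) -> dict:
    """The slides' 'send 1 MB of data' calculation for any nesting depth: split the
    data into full-size packets, then charge 50 bytes per packet per encapsulation level."""
    mss = tcp_mss(underlay_mtu, levels)
    packets = math.ceil(data_bytes / mss)
    overhead = packets * VXLAN_OVERHEAD * levels
    return {"mss": mss, "packets": packets, "overhead_bytes": overhead,
            "transmitted": data_bytes + overhead,
            "overhead_pct": overhead * 100 / data_bytes}

def overhead_table(max_levels: int = 6, underlay_mtu: int = 1500) -> list:
    """Rows of the 'MTU overhead' chart: (payload per packet, overhead %) for
    0..max_levels nested overlays, rounded half-up to one decimal like the slide."""
    rows = []
    for levels in range(max_levels + 1):
        pct = transfer_overhead(1_000_000, levels, underlay_mtu)["overhead_pct"]
        rounded = float(Decimal(str(pct)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))
        rows.append((tcp_mss(underlay_mtu, levels), rounded))
    return rows
```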

Page 70: DevOps Guide to Container Networking

Performance Comparison of Networking Solutions for Kubernetes
February 20, 2016
http://machinezone.github.io/research/networking-solutions-for-kubernetes/

Page 72: DevOps Guide to Container Networking

Performance Comparison of Networking Solutions for Kubernetes

(chart: network options compared: with --net=host, aws-vpc, vxlan, host-gw, IPvlan, libnetwork)

February 20, 2016
http://machinezone.github.io/research/networking-solutions-for-kubernetes/

Page 73: DevOps Guide to Container Networking

Performance Comparison of Networking Solutions for Kubernetes

Different network options - latency?

https://github.com/machinezone/tcpkali
serving a 350 byte response, making 250,000 requests per second

Page 74: DevOps Guide to Container Networking

(chart: 250,000 requests per second, 350 bytes response)

February 20, 2016
http://machinezone.github.io/research/networking-solutions-for-kubernetes/

Page 75: DevOps Guide to Container Networking

> 3 sec response time: 46 % will leave the page

Page 76: DevOps Guide to Container Networking

+0.5 s response time: -11 % in revenue

Page 77: DevOps Guide to Container Networking

keep it manageable

keep it simple

keep it fast

Page 78: DevOps Guide to Container Networking

Volume-oriented network metrics
Quality-oriented network metrics

(image: http://i.coastingfish.com/image/3M)

Page 83: DevOps Guide to Container Networking

Technology Lead SDN, OpenStack
[email protected]
@wall_dirk
blog.ruxit.com

Image sources: pixabay.com (slides 3, 4, 5, 7, 9, 10, 23, 41, 57, 59, 60, 61)