OpenStack Israel Meetup - Project Kuryr: Bringing Container Networking to Neutron
Download as PPTX, PDF7 likes1,492 views
This document describes Project Kuryr, which aims to use Neutron as the networking abstraction for containerized workloads. It maps container networking concepts like endpoints and sandboxes to equivalent Neutron API entities. This allows containers to leverage Neutron features like security groups, LBaaS, and integration with VM networking. Kuryr includes a libnetwork remote driver, generic VIF binding, and plans to support Kubernetes, Docker Swarm, and other orchestration engines. It brings container and VM networking under a common API without vendor lock-in.
![Join Us! Be the Kuryr!
Mailing List
openstack-dev@lists.openstack.org ([Neutron][Kuryr])
Trello Board
https://trello.com/b/cbIAXrQ2/project-kuryr
Documentation
http://docs.openstack.org/developer/kuryr
Getting Started Blog posts
http://galsagie.github.io/sdn/openstack/docker/kuryr/neutron/2015/08/24/kur
yr-part1/
http://galsagie.github.io/sdn/openstack/docker/kuryr/neutron/2015/10/10/kur
yr-ovn/](https://image.slidesharecdn.com/kuryr-meetup-160101080007/85/OpenStack-Israel-Meetup-Project-Kuryr-Bringing-Container-Networking-to-Neutron-28-320.jpg)
OpenStack Israel Meetup - Project Kuryr: Bringing Container Networking to Neutron
- 1. Project Kuryr Gal Sagie (@GalSagie) http://galsagie.github.io
- 2. Net1 10.10.10.0/24 VM1 10.10.10.100 VM2 10.10.10.200 Virtual Machine or Container Virtual Interface (VIF) Virtual Port Virtual Network Virtual subnet Neutron Abstraction
- 3. Public Network 10.50.50.0/24 Router Router Tenant A Net1 192.168.1.0/0 Tenant A Net2 192.168.5.0/0 Tenant B Net1 192.168.1.0/0 Tenant B Net2 192.168.9.0/0 VM1 192.168.1.5 VM2 192.168.1.7 192.168.5.2 VM3 192.168.1.9 VM1 192.168.1.3 VM2 192.168.1.3 192.168.9.5 VM3 192.168.9.7 You can build this
- 4. A Docker Container Network Sandbox Endpoint A Docker Container Network Sandbox Endpoint A Docker Container Network Sandbox Endpoint Frontend Network Endpoint Backend Network Container Networking : libnetwork
- 5. Where Have I Seen That Before?
- 6. Neutron and libnetwork A Docker Container Network Sandbox Endpoint A Docker Container Network Sandbox Endpoint A Docker Container Network Sandbox Endpoint Frontend Network Endpoint Backend Network Tenant A Net1 192.168.1.0/0 Tenant A Net2 192.168.5.0/0 VM1 192.168.1.5 VM2 192.168.1.7 192.168.5.2
- 7. What are the problems? Reinventing networking abstractions Changing and vendor specific solutions Flannel Weave SocketPlane Overlay2 for VM nested containers Performance, latency, SLA, management penalties
- 8. New Solutions For Containers Networking Compute Node Node Networking Infrastructure
- 9. Compute Node Nested Containers Overlay2 VM BR-INT BR-TUN Docker0 Compute Node VM BR-INT BR-TUN Docker0 Flannel Overlay Neutron Overlay
- 10. Neutron as the production ready networking abstraction containers need
- 11. Kuryr Solution Neutron as the production ready network abstraction containers need Map container networking abstractions to the Neutron API Allow consumers to choose vendor keeping one high quality API free of vendor lock-in Bring your container and VM networking together under one API Implement all the common code for Neutron vendors allowing them to get to container networking by just having a binding script
- 12. Kuryr Solution Implement a common base for Neutron vendors that support VM nested containers Avoid double encapsulation Manage each container port as a Neutron entity Planned support for OVN, MidoNet, Dragonflow and Calico Leverage Neutron advanced networking LBaaS, FWaaS, VPNaaS Security Groups / NAT
- 13. Kuryr Project Overview Open source Part of OpenStack Neutron’s big stadium Under OpenStack big tent from next release!!! Brings the Neutron networking model as a provider for the Docker CNM Aims to support different Container Orchestration Engines E.g. Kubernetes, Mesos, Docker Swarm Weekly IRC meetings Working together with OpenStack community Neutron, Magnum, Kolla
- 14. Kuryr Project Overview Multiple companies working on it
- 15. Kuryr Configuration Management Docker Libnetwork Remote Driver Docker Libnetwork IPAM Driver Kubernetes CNI Driver Authentication Neutron Client Generic VIF Binding
- 16. Kuryr Libnetwork Remote Driver Keeping up to date with the changing libnetwork remote driver API Maps Docker's CNM operations into a Neutron API usage Any Neutron plugin can use it (for example OVS)
- 17. Kuryr Generic VIF Binding
- 18. Kuryr Generic VIF Binding Layer Binds the container networking namespace to the networking infra Common part (container side) IPAM vEth creation Executable based vendor-specific part Choice based on Neutron port type Free implementation language Root context Generic OS VIF Binding Library (Nova)
- 19. Deployment Package based Container based with Kolla Vendors must generate their downstream container with the necessary agents and plugin Quick and easy deployment (Ansible based)
- 20. Kuryr In OpenStack Controller Node Neutron Server Kuryr Service Compute Node Neutron Infrastructure Compute Node VM Kuryr Service Neutron Infrastructure
- 21. VM Nested Containers Leverage the same Neutron solution for tenant containers networking Neutron features Easier management Same “implementation” Support containers networks and VM network isolation Neutron plugins already support this: OVN, Midonet, Dragonflow Magnum Backend Implementations interoperability
- 22. Compute Node Mixed OpenStack Environments – Nested Containers VM OVS / Midonet / Calico / Dragonflow VM Lightweight Tagging Layer Neutron network 1 Neutron network 2 Neutron network 3
- 23. Neutron Side Port Forwarding Can be used to implement Docker port-mapping Save public IP space Adding Tags to Resources Pre allocation of ports/networks Mapping between Docker IDs to Neutron IDs VLAN Trunk API (Nested Ports) Formal Neutron API to define nested containers ports DNS Resolution for Port Names Leveraged for DNS service discovery
- 24. New Features for Containers Security Groups Subnet Pools NAT (SNAT / DNAT – Floating IP) Port Security (ARP Spoofing) QoS Quota Management Neutron pluggable IPAM Provide well-integrated COE Load balancing through Neutron FWaaS for Containers Many more as Neutron progress…
- 25. Kuryr Roadmap Plan Liberty Release Kuryr specs in Neutron/Magnum communities Neutron new features specs Docker Libnetwork remote driver Generic VIF binding layer Configuration and authentication in Neutron and Docker
- 26. Kuryr Roadmap Plan Mitaka Release Neutron IPAM for Docker Containerized Neutron plugins and solutions with Kolla Nested containers in VM’s, Magnum – Kuryr integration Missing Neutron features Port forwarding – port mapping for Docker Neutron tags to resources – pre-allocating of network/ports/subnets DNS resolution for port names – Docker DNS discovery VLAN trunk API - used for nested containers Kubernetes networking model (K8s API) N Release Neutron advance services (LBaaS, FWaaS VPNaaS) Kubernetes services to use Neutron LBaaS Project Astara Mesos
- 27. Join Us! Be the Kuryr! Project Launchpad https://launchpad.net/kuryr Project Git Repository https://github.com/openstack/kuryr Weekly IRC Meeting http://eavesdrop.openstack.org/#Kuryr_Project_Meeting IRC #openstack-neutron @ Freenode
- 28. Join Us! Be the Kuryr! Mailing List [email protected] ([Neutron][Kuryr]) Trello Board https://trello.com/b/cbIAXrQ2/project-kuryr Documentation http://docs.openstack.org/developer/kuryr Getting Started Blog posts http://galsagie.github.io/sdn/openstack/docker/kuryr/neutron/2015/08/24/kur yr-part1/ http://galsagie.github.io/sdn/openstack/docker/kuryr/neutron/2015/10/10/kur yr-ovn/
Editor's Notes
- #3: Top parts belong to nova or magnum Bottom parts belong to Neutron
- #8: <voice note: Here we'd explain the part about them being vendor specific makes that each Neutron vendor would have to make its own implementation of libnetwork or cni reinventing the wheel and without the ability to share the common parts./>
- #14: <voice note: Here I'd stop to thank Neutron drivers for welcoming us into the big stadium/> <voice note: Talk about how this may be straight away support or by the plugins for this platforms that we can incorporate in our repository/> <voice note: Here tell the people to join us and contribute/>
- #15: <voice note: Here I'd stop to thank Neutron drivers for welcoming us into the big stadium/> <voice note: Talk about how this may be straight away support or by the plugins for this platforms that we can incorporate in our repository/> <voice note: Here tell the people to join us and contribute/>
- #19: <voice note: here explain which actions are done for the veth that goes into the container/> <voice note: here explain that it is akin to what nova does/>
- #20: <voice note: talk about the typical speed of deployment and how it will be very handy for development and tests too/>
- #25: voiced about K8s
- #26: <voice note: Explain that it will not be a release but rather what we have done in the cycle/>