Networking & Security for Mesos


Networking & Security for Mesos: An IP for Every Container, and More! Christopher Liljenstolpe, February 24, 2016

The #1 Challenge for Cloud?
Recent data breaches due to hacking or poor security: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Cloud-native app architectures are driving 100-1000x growth in workloads in an era of heightened security threats.

Enterprise security is still in the middle ages

Medieval security architecture

Oh, hey! I just love these things! Crunchy on the outside and a chewy center!

Fast forward to the present

Increased complexity

Resource Fungibility

Tear down the walls?

The opportunity?


The Dynamic, Distributed Firewall (diagram: workloads 192.168.1.2 through 192.168.1.7, each with its own eth0, attached through routing hosts 10.0.0.1 and 10.0.0.2 to the network fabric)

The Dynamic, Distributed Firewall: Worked Example

Profiles:
loadbal: allow 80 to webapp
webapp: allow 80 from loadbal
QA: allow 443 from <qarobots>
Pub: allow 443 from any

Workload A (2001:db8::1), profiles loadbal, QA, Pub; rules programmed by Felix:
1. to 2001:db8::2 port 80 allow
2. to 2001:db8::3 port 80 allow
3. from <qarobots> (QA) or from any (Pub), port 443 allow
4. default deny

Workload B (2001:db8::2), profile webapp; rules programmed by Felix:
1. from 2001:db8::1 port 80 allow
2. default deny

Workload C (2001:db8::3), profile webapp; rules programmed by Felix:
1. from 2001:db8::1 port 80 allow
2. default deny
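The worked example above, as an added illustration (this is not Calico or Felix code): the four role-level profiles from the slide are compiled into the concrete, ordered, default-deny rule lists each workload's host would enforce, and a flow is then checked at both ends. The addresses and role names are the slide's; the <qarobots> address range is a constructed placeholder, and only the connection-initiating direction is modelled (real enforcement is stateful, so return packets are not re-checked here).

```python
"""Per-workload, default-deny policy as on the worked-example slide.

Added illustration, not Calico or Felix code. Profiles are the four
role-level rules from the slide (loadbal, webapp, QA, Pub); they are
compiled into the per-address rule lists each host would program for
its own workloads, and a flow is checked at both ends.
"""
from ipaddress import ip_address, ip_network

# Role-level policy from the slide: (direction, port, peer).
# peer is a profile name, a named address set, or "any".
PROFILES = {
    "loadbal": [("out", 80, "webapp")],
    "webapp":  [("in", 80, "loadbal")],
    "QA":      [("in", 443, "qarobots")],
    "Pub":     [("in", 443, "any")],
}

# Workload -> (IP, profiles). Addresses are the slide's.
WORKLOADS = {
    "A": ("2001:db8::1", ["loadbal", "QA", "Pub"]),
    "B": ("2001:db8::2", ["webapp"]),
    "C": ("2001:db8::3", ["webapp"]),
}

# Named address sets. The slide does not give <qarobots>; this range is constructed.
SETS = {"qarobots": [ip_network("2001:db8:aaaa::/64")]}


def members(profile):
    """IPs of the workloads carrying a profile."""
    return [ip for ip, profs in WORKLOADS.values() if profile in profs]


def compile_rules(name):
    """Expand a workload's profiles into concrete (direction, port, peers) allow rules.

    peers is a list of ip_network objects or the string "any". Order is kept;
    the implicit final rule is deny, as on the slide.
    """
    rules = []
    for prof in WORKLOADS[name][1]:
        for direction, port, peer in PROFILES[prof]:
            if peer == "any":
                nets = "any"
            elif peer in PROFILES:                       # another role: its members' IPs
                nets = [ip_network(ip) for ip in members(peer)]
            else:                                        # a named address set
                nets = SETS[peer]
            rules.append((direction, port, nets))
    return rules


def decide(name, direction, peer_ip, port):
    """First matching allow rule wins; anything unmatched is denied."""
    addr = ip_address(peer_ip)
    for d, p, nets in compile_rules(name):
        if d == direction and p == port and (nets == "any" or any(addr in n for n in nets)):
            return "allow"
    return "deny"


def allowed(src, dst, port):
    """A flow passes only if the source's egress and the destination's ingress both allow it."""
    src_ip, dst_ip = WORKLOADS[src][0], WORKLOADS[dst][0]
    return (decide(src, "out", dst_ip, port) == "allow"
            and decide(dst, "in", src_ip, port) == "allow")


if __name__ == "__main__":
    for s, d, port in [("A", "B", 80), ("A", "C", 80), ("B", "C", 80), ("B", "A", 80)]:
        print(f"{s} -> {d}:{port}  {'allow' if allowed(s, d, port) else 'deny'}")
    print("qarobot -> A:443", decide("A", "in", "2001:db8:aaaa::7", 443))
    print("anyone  -> A:443", decide("A", "in", "2001:db8:9::9", 443))
    print("anyone  -> A:80 ", decide("A", "in", "2001:db8:9::9", 80))
```

The point the slide makes shows up in the compiled rules: because every workload has its own address, B's policy can name A's IP, and the two webapps cannot reach each other even though they sit in the same role. Under the port-mapped setup on the next slide, every container would present the host's address instead, and a rule like "from 2001:db8::1" could not be written.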

Mesos / HAProxy introduce another problem (diagram: one host at 10.0.0.1 running Application [172.17.0.2], A service [172.17.0.3] and another [172.17.0.4] on a private address range; they are exposed through port mappings on the host address, 10.0.0.1:80 and 10.0.0.1:8080, so from the network every container shares the host's IP)

The Solution

Project Calico & Mesos Logical Architecture (diagram: a Mesos master and several Mesos agents; on each agent, workloads (container or VM) sit on the host kernel, which performs policy enforcement driven by the security policy and efficient packet forwarding driven by routes & addresses: IP per workload, direct integration with the cloud fabric)

Net-modules Work Flow: Actual Architecture (diagram)
Components: Framework, Master, Agent, the Mesos isolator module (net-modules) and the network plug-in (Calico), which provides IPAM and the network virtualizer.
1. The framework launches a task with NetworkInfo; the master passes launch task (NetworkInfo) to the agent.
2. The agent calls the isolator module, which asks the plug-in to get an IP (IPAM) and then to isolate (IP, policy) via the network virtualizer.
3. A task update (NetworkInfo) flows back from agent to master to framework, which updates the task state.
4. A cleanup module runs when the task ends.

Demonstration of basic network isolation
Mesos cluster with 2 agents
Launching 4 probe tasks; each probe listens on port 9000
Each probe tries to reach all other probes
We want all 4 to launch successfully (no port conflicts)
We want to isolate them into two groups of 2 probes

Demonstration (video)

Where are we at today?
Net-modules supported with the Mesos containerizer since Mesos 0.26
IP per container
IP Address Management (IPAM)
DNS-based service discovery (Mesos-DNS)
Network isolation
Try it out: https://github.com/mesosphere/netmodules (includes step-by-step instructions to repeat the demo)

Restrictions / Wish List
Other frameworks (only Marathon supported today); community work ongoing to integrate Spark, Chronos, ...
Docker daemon support via the same net-modules mechanism: the Docker daemon has a different networking model, via the libnetwork API, but it is not well integrated with Mesos
Tighter integration of fine-grained policy control: today, fine-grained policy is side-loaded via calicoctl
One-step install via DCOS
Support for the Container Network Interface (CNI) model (as used by Kubernetes)

Summary