Container Adoption for NFV Challenges & Opportunities Sriram Natarajan, T-Labs Silicon Valley Innovation Center
Virtual Machine vs. Container Stack KVM Container-stack Libraries Guest-OS Hypervisor Libraries Lightweight footprint: Very small images with API-based control to automate the management of services Resource Overhead: Lower use of system resources (CPU, memory, etc.) by eliminating hypervisor & guest OS overhead Container A (Application + Libraries) Container B (Application + Libraries) Kernel Functions and Modules: (container group) A (Application + Libraries) Namespaces, cgroups, capabilities, chroot, SELinux Deployment time: Rapidly deploy applications with minimal run-time requirements Updates: Depending on requirements, updates, failures or scaling apps can be achieved by scaling containers up/down 2
Container Environment Container Management Networking Container Specification OS Distributions Security / Monitoring / UI Service Discovery Repositories 11/18/2015 3
Containers for NFV: Portability & Performance Container Management Solutions Scheduler C D B E A Requirements Applications s Load, execute apps across infrastructure infrastructure Decouple application instance from instance from underlying infrastructure infrastructure End-to-end performance improvements improvements Allocate resources to meet performance performance targets Collect performance related information related information Virtual Customer CPE Container Performance White Paper, http://info.ixiacom.com/rs/098-frb-840/images/calsoft- Labs-CaseStudy2015.pdf Test Setup: COTS server with Intel Xeon E5-2680 v2 processor, Virtual CPE s (Firewall etc.) fast path optimized using Intel DPDK, Measured L2-L3 TCP traffic throughput per core. VM (KVM) environment with SRIOV Containers (LXC) environment -- 5.8Gbps -- 7.2Gbps ~25% PERFROMANCE IMPROVEMENT OVER VMs 4
Containers for NFV: Agility, Elasticity & Resilience Replication Controller Container Management Solutions Scheduler Requirements Applications s Agility to spin-up/down apps On-demand scaling (networkwide requirements, # of instances), Auto-heal after failure Optimize location, reservation, allocation of required resources 5
Containers for NFV: Security & Service Assurance Requirements Applications s Service Discovery Replication Controller capabilities Security Protection of data, interfaces, and isolation between sets (PID, mount, netns, ipc, uid) Container Privileges (Linux capabilities, roles) Container Management Solutions Level of service continuity (seamless or non-seamless) Resource exhaustion - How about physical resources (SR-IOV, caching etc.)? Scheduler Security Debug service issues (watchdog, notifications, discovery mechanism, liveness) 6
Containers for NFV: Operations & Management Requirements Applications s Service Discovery Replication Controller Function automation (creation, termination etc.) Handle App lifecycle (deployment, operational, migration) Manage policies and constraints Container Management Solutions Scheduler Monitor and collect resource usage and other service related information Use of standard APIs for all applicable functions Security 7
Conclusion Containerized network functions promises to address some requirements, but requires more work to meet production requirements Physical resources (e.g., accelerators, NIC adapters) should be exposed as native resources to containers, with the right abstractions. Further study is required to identify possible unknown challenges (performance, security, operations etc.) IETF NFVRG draft: https://datatracker.ietf.org/doc/draft-natarajan-nfvrgcontainers-for-nfv/?include_text=1 Opportunistic areas for future work Distributed micro-service network functions Controller discovery/management/etc. strictly confidential, confidential, internal, public 11/18/2015 8
THANK YOU!