OPENSTACK + KUBERNETES + HYPERCONTAINER. The Container Platform for NFV

Similar documents
Bringing Security and Multitenancy. Lei (Harry) Zhang

The speed of containers, the security of VMs

The speed of containers, the security of VMs. KataContainers.io

How Container Runtimes matter in Kubernetes?

CONTAINERS AND MICROSERVICES WITH CONTRAIL

Code: Slides:

Docker und IBM Digital Experience in Docker Container

Unified Kubernetes CRI runtimes based on Kata Containers. Xu Wang hyper.sh

How to build scalable, reliable and stable Kubernetes cluster atop OpenStack.

Evolution of Kubernetes in One Year From Technical View

Stackube Documentation

Full Scalable Media Cloud Solution with Kubernetes Orchestration. Zhenyu Wang, Xin(Owen)Zhang

Multitenancy Deep Dive

Question: 2 Kubernetes changed the name of cluster members to "Nodes." What were they called before that? Choose the correct answer:

Infoblox Kubernetes1.0.0 IPAM Plugin

Important DevOps Technologies (3+2+3days) for Deployment

Cloud & container monitoring , Lars Michelsen Check_MK Conference #4

Kubernetes 101. Doug Davis, STSM September, 2017

Launching StarlingX. The Journey to Drive Compute to the Edge Pilot Project Supported by the OpenStack

OpenStack Magnum Hands-on. By Saulius Alisauskas and Bryan Havenstein

OPENSTACK Building Block for Cloud. Ng Hwee Ming Principal Technologist (Telco) APAC Office of Technology

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

How to build and run OCI containers

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Using DC/OS for Continuous Delivery

UP! TO DOCKER PAAS. Ming

Buenos Aires 31 de Octubre de 2018

Think Small to Scale Big

The four forces of Cloud Native

Container Adoption for NFV Challenges & Opportunities. Sriram Natarajan, T-Labs Silicon Valley Innovation Center

Kubernetes made easy with Docker EE. Patrick van der Bleek Sr. Solutions Engineer NEMEA

Red Hat Atomic Details Dockah, Dockah, Dockah! Containerization as a shift of paradigm for the GNU/Linux OS

Deployment Patterns using Docker and Chef

Kubernetes. An open platform for container orchestration. Johannes M. Scheuermann. Karlsruhe,

Package your Java Application using Docker and Kubernetes. Arun

Akraino & Starlingx: a technical overview

Docker All The Things

CS-580K/480K Advanced Topics in Cloud Computing. Container III

Kubernetes Integration with Virtuozzo Storage

Building A Better Test Platform:

Secure Kubernetes Container Workloads

Build Cloud like Rackspace with OpenStack Ansible

The Post-Cloud. Where Google, DevOps, and Docker Converge

Containers for NFV Peter Willis March 2017

Singularity CRI User Documentation

DEPLOYING NFV: BEST PRACTICES

Infoblox IPAM Driver for Kubernetes User's Guide

Kubernetes on Openstack

Infoblox IPAM Driver for Kubernetes. Page 1

Introduction to Virtualization and Containers Phil Hopkins

agenda PAE Docker Docker PAE

Kuber-what?! Learn about Kubernetes

Convergence of VM and containers orchestration using KubeVirt. Chunfu Wen

Blockchain on Kubernetes

Internals of Docking Storage with Kubernetes Workloads

VMware Integrated OpenStack with Kubernetes Getting Started Guide. VMware Integrated OpenStack 4.1

Container Orchestration on Amazon Web Services. Arun

Docker 101 Workshop. Eric Smalling - Solution Architect, Docker

Microservices. Chaos Kontrolle mit Kubernetes. Robert Kubis - Developer Advocate,

Kubernetes - Networking. Konstantinos Tsakalozos

Docker A FRAMEWORK FOR DATA INTENSIVE COMPUTING

Akraino & Starlingx: A Technical Overview

S Implementing DevOps and Hybrid Cloud

ViryaOS RFC: Secure Containers for Embedded and IoT. A proposal for a new Xen Project sub-project

Container-Native Storage

Kubernetes introduction. Container orchestration

OpenShift 3 Technical Architecture. Clayton Coleman, Dan McPherson Lead Engineers

Kubernetes 1.9 Features and Future

Datacenter Network Solutions Group

Blockchain on Kubernetes

How to Put Your AF Server into a Container

Red Hat OpenShift Roadmap Q4 CY16 and H1 CY17 Releases. Lutz Lange Solution

CNI, CRI, and OCI - Oh My!

docker & HEP: containerization of applications for development, distribution and preservation

Managing and Protecting Persistent Volumes for Kubernetes. Xing Yang, Huawei and Jay Bryant, Lenovo

Build your own Cloud on Christof Westhues

Onto Petaflops with Kubernetes

VMware Integrated OpenStack with Kubernetes Getting Started Guide. VMware Integrated OpenStack 4.0

Building a Kubernetes on Bare-Metal Cluster to Serve Wikipedia. Alexandros Kosiaris Giuseppe Lavagetto

Przyspiesz tworzenie aplikacji przy pomocy Openshift Container Platform. Jarosław Stakuń Senior Solution Architect/Red Hat CEE

Windows Azure Services - At Different Levels

Kuryr & Fuxi. OpenStack networking and storage for Docker Swarm containers. Hongbin Lu Antoni Segura Puimedon

Application Centric Microservices Ken Owens, CTO Cisco Intercloud Services. Redhat Summit 2015

The Path to GPU as a Service in Kubernetes Renaud Gaubert Lead Kubernetes Engineer

Introduction to Kubernetes Storage Primitives for Stateful Workloads

Investigating Containers for Future Services and User Application Support

Virtual Infrastructure: VMs and Containers

Multiple Networks and Isolation in Kubernetes. Haibin Michael Xie / Principal Architect Huawei

WHITE PAPER. RedHat OpenShift Container Platform. Benefits: Abstract. 1.1 Introduction

/ Cloud Computing. Recitation 5 February 14th, 2017

Getting Started with VMware Integrated OpenStack with Kubernetes. VMware Integrated OpenStack 5.1

Midterm Presentation Schedule

January 28 29, 2014San Jose. Engineering Workshop

SQL Server inside a docker container. Christophe LAPORTE SQL Server MVP/MCM SQL Saturday 735 Helsinki 2018

rkt and Kubernetes What's new (and coming) with Container Runtimes and Orchestration

K8s(Kubernetes) and SDN for Multi-access Edge Computing deployment

Asterisk & the Docker revolution Some lessons from the trenches

Scaling Jenkins with Docker and Kubernetes Carlos

Oh.. You got this? Attack the modern web

Dan Williams Networking Services, Red Hat

Transcription:

OPENSTACK + KUBERNETES + HYPERCONTAINER The Container Platform for NFV

ABOUT ME Harry Zhang ID: @resouer Coder, Author, Speaker Member of Hyper Feature Maintainer & Project Manager of Kubernetes sig-scheduling, sig-node Also maintain: kubernetes/frakti (hypervisor runtime for k8s)

NFV Network Functions Virtualization: why, and how?

TRENDS OF TELECOM OPERATORS Traditional businesses rarely grow Non-traditional businesses climb to 8.1% of the whole revenue, even 15%~20% in some operators The new four business models: Entertainment & Media M2M Cloud computing IT service Source: The Gartner Scenario for Communications Service Providers

WHAT S WRONG? Pain of telecom network Specific equipments & devices Long deploy time cost Strict protocol Reliability & performance High operation cost Complex operation processes Multiple hardware devices co-exists Close ecosystem New business model requires new network functioning

NFV Replacing hardware network elements with software running on COTS computers that may be hosed in datacenter Functionalities should be able to: locate anywhere most effective or inexpensive speedily combined, deployed, relocated, and upgraded Speedup TTM Save TCO Encourage innovation

USE CASE Project Clearwater Open source implementation of IMS (IP Multimedia Subsystem) for NFV deployment NFV Devices (physical equipments) VNF (software)

SHIP VNF TO CLOUD Physical Equipments ->VNFs -> Cloud

VNF cloud disk image Wait, what kind of cloud? VNF VNF VNF Q: VM, or container? container image A: 6 dimensions analysis Service agility VNF VNF VNF Network performance Resource footprint & density Portability & Resilience Configurability Security & Isolation

SERVICE AGILITY Container KVM Provision VM 30 hypervisor configuration guest OS spin-up Start up time in seconds 22.5 15 7.5 25 align guest OS with VNFs process mgmt service, startup scripts etc Provision container start process in right namespaces and cgroups 0 0.38 no other overhead Average Startup Time (Seconds) Over Five Measurements Data source: Intel white paper

NETWORK PERFORMANCE Host Container KVM Throughput 30 the resulting packets/sec that the VNF is able to push through the 22.5 system is stable and similar in all three runtimes Millions 15 7.5 Packets per Second That a VNF Can Process in Different Environments Data source: Intel white paper 0 direct fwd L2 fwd L3 fwd

NETWORK PERFORMANCE Latency Direct forwarding no big difference VM show unstable caused by hypervisor time to process regular interrupts L2 forwarding Data source: Intel white paper no big difference container even shows extra latency extra kernel code execution in cgroups VM show unstable cased by same reason above

RESOURCE FOOTPRINT & DENSITY VM 140 KVM 256MB(without mem-prealloc) 125 using about 125MB when booted Memory footprint 105 70 35 Container only 17MB amount of code loaded into memory is significantly less Deployment density is limited by incompressible resource 17 0 container KVM 256MB Memory & Disk, while container does not need disk provision

PORTABILITY & RESILIENCE VM disk image a provisioned disk with full operating system OS Flavor Disk Size Container Image Size Ubuntu 14.04 > 619MB > 188.3MB the final disk image size is often counted by GB extra processes for porting VM CentOS 7 > 680MB > 229.6MB Alpine > 5 MB hypervisor re-configuration process mgmt service Busybox >2MB Data source: Intel white paper Container image share host kernel = smaller image size can even be: app binary size + 2~5MB for deploy docker multi-stage build (NEW FEATURE)

CONFIGURABILITY VM no obvious method to pass configuration to application alternative methods: share folder, port mapping, ENV no easy or user friendly tool to help us Container user friendly container control tool (dockerd etc) volume ENV

SECURITY & ISOLATION VM hardware level virtualization independent guest kernel Container weak isolation level share kernel of host machine reinforcement No cloud provider allow user to run containers without Capabilities libseccomp SELinux/APPArmor while non of them can be easily applied wrapping them inside full blown VM! e.g. what CAP is needed/unneeded for a specific container?

Cloud Native vs Security?

Hyper Let's make life easier

HYPERCONTAINER Secure, while keep Cloud Native Make container more like VM Make VM more like container

REVISIT CONTAINER Container Runtime FROM busybox ADD temp.txt / VOLUME /data CMD [ echo hello"] The dynamic view and boundary of your running process /bin /dev /etc /home /lib / lib64 /media /mnt /opt /proc / root /run /sbin /sys /tmp / usr /var /data /temp.txt echo hello Read-Write Layer & /data read-write layer init layer Container Image The static view of your program, data, dependencies, files and directories /etc/hosts /etc/hostname /etc/resolv.conf CMD [ echo hello"] VOLUME /data ADD temp.txt / json json /temp.txt read-only layer FROM busybox e.g. Docker Container

HYPERCONTAINER Container runtime: hypervisor RunV https://github.com/hyperhq/runv The OCI compatible hypervisor based runtime implementation Control daemon hyperd: https://github.com/hyperhq/hyperd Init service (PID=1) hyperstart: https://github.com/hyperhq/hyperstart/ Container image: Docker image OCI Image Spec

STRENGTHS Service agility startup time: sub-second (e.g. 500~ms) Network performance same with VM & container Resource footprint small (e.g. 30MB) Portability & Resilience use Docker image (i.e. MB) Configurability same as Docker Want to see a demo? Security & Isolation hardware virtualization & independent kernel

DEMO hyperctl run -d ubuntu:trusty sleep 1000 small memory footprint hyperctl exec -t $POD /bin/bash fork bomb Do not test this in Docker (without ulimit set) unless you want to lose your host machine :)

WHERE TO RUN YOUR VNF? Container VM HyperContainer Kernel features No Yes Yes Startup time 380ms 25s 500ms Portable Image Small Large Small Memory footprint Small Large Small Configurability of app Flexible Complex Flexible Network Performance Good Good Good Backward Compatibility No Yes Yes (bring your own kernel) Security/Isolation Weak Strong Strong

HYPERNETES the cloud platform for NFV

HYPERNETES Hypernetes, also known as h8s is: Kubernetes + HyperContainer HyperContainer is now an official container runtime in k8s 1.6 integration is achieved thru kubernetes/frakti project + OpenStack Multi-tenant network and persistent volumes standalone Keystone + Neutron + Cinder

1. CONTAINER RUNTIME

POD Why? Fix some bad practices: Pod use supervised manage multi-apps in one container log app try to ensure container order by hacky scripts try to copy files from one container to another infra container volume init container try to connect to peer container across whole So Pod is network stack The group of super-affinity containers The atomic scheduling unit The process group in container cloud Also how HyperContainer match to Kubernetes philosophy

HYPERCONTAINER IN KUBERNETES Pod foo container A container B The standard CRI workflow see: 1.6.0 release note 1. RunPodSandbox(foo) 2. CreatContainer(A) 3. StartContainert(A) 4. CreatContainer(B) NODE VM foo 5. StartContainer(B) A B A B foo Container Runtime Interface (CRI) docker runtime hyper runtime

2. MULTI-TENANT NETWORK

MULTI-TENANT NETWORK Goal: leveraging tenant-aware Neutron network for Kubernetes following the k8s network plugin workflow Non-goal: break k8s network model

KUBERNETES NETWORK MODEL Pod reach Pod all Pods can communicate with all other Pods without NAT Node reach Pod all nodes can communicate with all Pods (and vice-versa) without NAT IP addressing Pod in cluster can be addressed by its IP

DEFINE NETWORK Network a top level API object Network: Namespace = 1: N each tenant (created by Keystone) has its own Network Network Controller is responsible for lifecycle of Network object a control loop to create/delete Neutron net based on API object change

ASSIGN POD TO NETWORK Pods belonging to the same Network can reach each other directly through IP a Pod s network mapping to Neutron port kubelet is responsible for Pod network setup let s see how kubelet works

DESIGN OF KUBELET Choose Runtime docker, rkt, hyper/remote NodeStatus Network Status status Manager PLEG InitNetworkPlugin SyncLoop volume Manager Pod Update Worker (e.g.add) generale Pod status check volume status (will talk this later) use hyper runtime to start containers set up Pod network (see next slide) image Manager PodUpdate HandlePods {Add, Update, Remove, Delete, }

SET UP POD NETWORK

KUBESTACK A standalone grpc daemon 1. to translate the SetUpPod request to the Neutron network API 2. handling multi-tenant Service proxy

MULTI-TENANT SERVICE Default iptables-based kube-proxy is not tenant aware Pods and Nodes are isolated into different networks Hypernetes uses a build-in ipvs as the Service LB handle all Services in same namespace follow OnServiceUpdate and OnEndpointsUpdate workflow ExternalProvider a OpenStack LB will be created as Service e.g. curl 58.215.33.98:8078

3. PERSISTENT VOLUME

PERSISTENT VOLUME IN HYPERNETES Host Enhanced Cinder volume plugin Linux container: Pod Pod mountpath mountpath 1. query Nova to find node 2. attach Cinder volume to host path attach vol vol 3. bind mount host path to Pod Enhanced Cinder volume plugin containers Volume Manager desired World HyperContainer: directly attach block devices to Pod no extra time to query Nova reconcile no need to install full OpenStack

PV EXAMPLE Create a Cinder volume Claim volume by reference its volumeid

HYPERNETES TOPOLOGY The next goal of h8s: modular Node Keystone Neutron Node Node VNF Pod VNF Pod VNF Pod VNF Pod CNI Master Object: Network TPR Cinder kubestack kube-proxy kube-apiserver Ceph Neutron L2 Agent kubelet kube-apiserver specific plugin for block devices Enhanced Cinder Plugin kube-apiserver

BACK TO THE REAL-WORLD DEMO Run Clearwater in Hypernetes = k8s Service = DNS awareness Ellis Bono Sprout Homestead Homer Chronos Ralf Astaire Cassandra Etcd

DEMO One command to deploy all All scripts and yamls can be found here: https://github.com/hyperhq/ hypernetes https://github.com/metaswitch/ clearwater-docker $ kubectl create -f clearwater-docker/kubernetes/

LESSONS LEARNED Do not use supervisord to manage processes use Pod + initcontainer Do not abuse DNS name e.g. scscf.sprout is not a valid DNS name, see PR#441 Liveness & Readiness check are useful

THE END NEWS: Stackube, a new OpenStack project originated from h8s

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback