@projectcalico Project Calico is sponsored by Tigera, Inc. | www.tigera.io
Networking in a Containerized Data Center: the Gotchas!
Mesos London Meetup
Andy Randall | @andrew_randall | May 11, 2016
Background
[Slide: keyword graphic: Run anywhere, Simple, Lightweight, Standard, Speed, Cloud, Efficient]
The original “container approach” to networking
- All containers on a machine share the same IP address
- Gotcha #1: port mapping through a proxy (diagram: WWW1 and WWW2 both listen on port 80 inside their containers and are exposed on the host as ports 8080 and 8081)
Still most container deployments use this method!
World is moving to “IP per container”
- Container Network Interface (CNI)
- Container Network Model (libnetwork, 0.19)
- net-modules (Mesos 0.26); future: CNI?
We’ve solved “IP per VM” before…
[Diagram: VM1, VM2 and VM3 on a host, each attached to a virtual switch; the follow-on slide repeats the same layout on a second host]
Consequences for containers (gotcha #2): Scale
Hundreds of servers, low churn vs. millions of containers, high churn
Consequences for containers (gotcha #3): Layering
Packets are double encap’d!
[Diagram: on each physical host (pHost 1, pHost 2) a virtual switch with encapsulation sits between the pNIC and the VM’s vNIC; inside each VM (VM1 with containers A, B, C; VM2 with containers D, E, F) a second virtual switch with encapsulation connects veth0, veth1 and veth2; the two hosts are joined by a physical switch]
Consequences for containers (gotcha #4): walled gardens
[Diagram: pHost 1 runs VM1 with containers A, B, C behind two layers of virtual switch / encapsulation (host level between pNIC and vNIC, VM level over veth0, veth1, veth2); a Legacy App attached directly to the physical switch sits outside the encapsulated domain]
“Any intelligent fool can make things bigger, more complex… It takes a touch of genius – and a lot of courage – to move in the opposite direction.”
A Saner Approach: just route IP from the container
[Diagram: the same two hosts and VMs as before (pHost 1 / VM1 with containers A, B, C; pHost 2 / VM2 with containers D, E, F), but inside each VM Linux kernel routing (no encapsulation) serves veth0, veth1 and veth2, the host-level virtual switch is replaced by a virtual underlay between pNIC and vNIC, and the hosts connect over a physical underlay]
Variant: 1 VM per host, no virtual underlay, straight-up IP
[Diagram: pHost 1 / VM1 (containers A, B, C) and pHost 2 / VM2 (containers D, E, F); inside each VM Linux kernel routing (no encapsulation) over veth0, veth1, veth2; each VM’s vNIC maps directly onto the host pNIC and the hosts connect over the physical underlay]
Results: bare metal performance from virtual networks
[Chart: Throughput (Gbps), scale 0 to 10, for Bare metal, Calico and OVS+VXLAN]
[Chart: CPU % per Gbps, scale 0 to 120, for Bare metal, Calico and OVS+VXLAN]
Source: https://www.projectcalico.org/calico-dataplane-performance/
Gotcha #5: IP per container not yet universally supported
- Some container frameworks still assume port mapping
- E.g. the Marathon load balancer service (but being fixed…)
- Some PaaSes do not yet support IP per container
- But several are moving to build on Kubernetes, and will likely pick it up
Gotcha #6: running on public cloud
- You can easily get your configuration wrong and get sub-optimal performance, e.g.
  - select the wrong Flannel back-end for your fabric
  - turn off AWS src-dest IP checks
  - get the MTU size wrong for the underlay…
Consequences of MTU size…
[Chart: qperf bandwidth, scale 0 to 300, on t2.micro and m4.xlarge: Bare Metal vs Calico]
[Chart: qperf bandwidth, scale 0 to 300, on t2.micro and m4.xlarge: Bare Metal vs Calico (MTU=1440) vs Calico (MTU=8980)]
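The MTU gotcha above, as an added example that is not part of the talk: a check that derives the largest pod MTU an underlay can carry for a given encapsulation, reports how much payload a too-small setting gives up, and flags a cluster-wide setting that is too large for the smallest underlay in the fleet. The per-packet overheads (IP-in-IP 20 bytes, VXLAN 50 bytes), the host MTUs and the host names are assumptions; only the 1440 and 8980 pod MTUs come from the slide.

```python
"""Pod MTU sanity check for an encapsulated container network.

Added example, not from the slides. Assumed per-packet overheads:
IP-in-IP adds a 20-byte outer IPv4 header; VXLAN adds 50 bytes
(outer IPv4 20 + UDP 8 + VXLAN 8 + inner Ethernet 14). The host MTUs
below are constructed sample values (1500 = standard Ethernet,
9001 = the jumbo frame size commonly offered on cloud instances).
"""
from __future__ import annotations

from dataclasses import dataclass

# Bytes added to every packet by each encapsulation mode (assumed values).
ENCAP_OVERHEAD = {
    "none": 0,    # plain routed IP, no encapsulation
    "ipip": 20,
    "vxlan": 50,
}


def max_safe_pod_mtu(underlay_mtu: int, encap: str) -> int:
    """Largest pod-side MTU whose packets still fit the underlay once wrapped."""
    if encap not in ENCAP_OVERHEAD:
        raise ValueError(f"unknown encapsulation mode: {encap!r}")
    return underlay_mtu - ENCAP_OVERHEAD[encap]


@dataclass(frozen=True)
class MtuReport:
    underlay_mtu: int
    encap: str
    configured_mtu: int
    max_safe_mtu: int

    @property
    def oversized(self) -> bool:
        """Encapsulated packets would exceed the underlay: fragmentation or silent drops."""
        return self.configured_mtu > self.max_safe_mtu

    @property
    def wasted_bytes(self) -> int:
        """Payload per full-size packet given up by a pod MTU smaller than necessary."""
        return max(0, self.max_safe_mtu - self.configured_mtu)


def check_pod_mtu(underlay_mtu: int, encap: str, configured_mtu: int) -> MtuReport:
    """Compare one host's underlay MTU against the pod MTU configured on it."""
    return MtuReport(underlay_mtu, encap, configured_mtu,
                     max_safe_pod_mtu(underlay_mtu, encap))


def check_fleet(hosts: dict[str, int], encap: str, configured_mtu: int) -> tuple[int, list[str]]:
    """One cluster-wide pod MTU must fit the smallest underlay MTU in the fleet.

    Returns (largest pod MTU safe on every host, hosts where the configured
    value is already too large).
    """
    smallest = min(hosts.values())
    too_big = [name for name, mtu in hosts.items()
               if check_pod_mtu(mtu, encap, configured_mtu).oversized]
    return max_safe_pod_mtu(smallest, encap), too_big


if __name__ == "__main__":
    # Constructed fleet: mixed instance sizes with different underlay MTUs.
    fleet = {"t2.micro-a": 1500, "t2.micro-b": 1500, "m4.xlarge-a": 9001}
    for pod_mtu in (1440, 8980):   # the two settings compared on the slide
        safe, too_big = check_fleet(fleet, "ipip", pod_mtu)
        print(f"pod MTU {pod_mtu}: fleet-safe maximum {safe}, oversized on {too_big or 'no hosts'}")
        for name, mtu in fleet.items():
            r = check_pod_mtu(mtu, "ipip", pod_mtu)
            status = "OVERSIZED" if r.oversized else f"{r.wasted_bytes} bytes/packet unused"
            print(f"  {name}: max safe {r.max_safe_mtu}, {status}")
```

Run against a mixed fleet it shows both failure modes from the slide: 1440 is safe everywhere but leaves most of a jumbo frame unused, while 8980 is only safe on the jumbo-frame hosts.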
Gotcha #7: IP addresses aren’t infinite
- Suppose we assign a /24 per Kubernetes node (=> 254 pods)
- Run 10 VMs per server, each with a Kubernetes node
- 40 servers per rack
- 20 racks per data center
- 4 data centers
- => now need a /15 for the rack, a /10 space for the data center, and the entire 10/8 RFC 1918 range to cover 4 data centers.
- … and hope your business doesn’t expand to need a 5th data center!
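The address arithmetic on this slide, as an added example that is not part of the talk: a small planner that reproduces the /15, /10 and /8 figures by handing each level an aligned power-of-two block, computes what a flat allocation of the same nodes would need instead, and shows what a fifth data center does to the plan. The level grouping (400 nodes per rack, 20 racks per data center, 4 data centers, a /24 per node) is taken from the slide; the function names are mine.

```python
"""Address-plan calculator for the "IP addresses aren't infinite" slide.

Added example, not part of the talk. Each level of the hierarchy is given
a power-of-two aligned block, so every level rounds its child count up to
the next power of two and the rounding compounds. The level grouping below
(400 nodes per rack, 20 racks per data center, 4 data centers, /24 per
node) is taken from the slide; a flat allocation is computed alongside
to show what the per-level alignment costs.
"""
from __future__ import annotations

LEAF_PREFIX = 24  # one /24 per Kubernetes node, as on the slide

# (level name, number of child blocks per unit at that level)
SLIDE_PLAN = [
    ("rack", 10 * 40),     # 10 VMs per server x 40 servers per rack = 400 nodes
    ("data center", 20),   # 20 racks per data center
    ("estate", 4),         # 4 data centers
]


def bits_for(count: int) -> int:
    """ceil(log2(count)) computed exactly on integers: address bits needed for `count` children."""
    if count < 1:
        raise ValueError("count must be positive")
    return (count - 1).bit_length()


def prefix_for_blocks(child_prefix: int, count: int) -> int:
    """Prefix length of the smallest aligned block that holds `count` blocks of /child_prefix."""
    prefix = child_prefix - bits_for(count)
    if prefix < 0:
        raise ValueError("plan exceeds the whole IPv4 address space")
    return prefix


def hierarchical_plan(leaf_prefix: int, plan: list[tuple[str, int]]) -> list[tuple[str, int]]:
    """Prefix length at each level when every level is handed an aligned block."""
    out = []
    prefix = leaf_prefix
    for name, count in plan:
        prefix = prefix_for_blocks(prefix, count)
        out.append((name, prefix))
    return out


def total_leaves(plan: list[tuple[str, int]]) -> int:
    """Number of leaf (/24) blocks the plan actually uses."""
    total = 1
    for _, count in plan:
        total *= count
    return total


def flat_prefix(leaf_prefix: int, plan: list[tuple[str, int]]) -> int:
    """Prefix length if all leaf blocks were packed contiguously with no per-level alignment."""
    return prefix_for_blocks(leaf_prefix, total_leaves(plan))


def utilisation(leaf_prefix: int, plan: list[tuple[str, int]]) -> float:
    """Fraction of the top-level aligned block that is actually assigned to nodes."""
    top = hierarchical_plan(leaf_prefix, plan)[-1][1]
    return total_leaves(plan) / 2 ** (leaf_prefix - top)


def fits_in_10_slash_8(prefix: int) -> bool:
    """True if a block of this prefix length fits inside 10.0.0.0/8, the largest RFC 1918 range."""
    return prefix >= 8


if __name__ == "__main__":
    for dcs in (4, 5):   # the slide's 4 data centers, then the feared 5th
        plan = SLIDE_PLAN[:-1] + [("estate", dcs)]
        levels = hierarchical_plan(LEAF_PREFIX, plan)
        top = levels[-1][1]
        print(f"{dcs} data centers: " + ", ".join(f"{n} /{p}" for n, p in levels)
              + f"; flat would need /{flat_prefix(LEAF_PREFIX, plan)}"
              + f"; {utilisation(LEAF_PREFIX, plan):.0%} of the /{top} used"
              + f"; fits in 10/8: {fits_in_10_slash_8(top)}")
```

With four data centers the aligned plan consumes the whole /8 at under 50% utilisation while a flat packing would fit in a /9; with five, the aligned plan needs a /7 that no RFC 1918 range provides, even though the flat packing still fits in the /8.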
Gotcha #8: orchestration platform support still evolving
- DC/OS / Mesos – multiple ways to network your container
  - Net-modules – but only supports the Mesos containerizer
  - Docker networking – but then not fully integrated, e.g. into MesosDNS
  - CNI – possible future, but not here today
  - Roll-your-own orchestrator-network co-ordination – the approach some of our users have taken
- Kubernetes
  - CNI fairly stable
  - Fine-grained policy being added – will move from alpha (annotation-based) to beta (first-class citizen API) in 1.3
- Docker
  - Swarm / Docker Datacenter still early; libnetwork evolution? policy?
Gotcha #9: Docker libnetwork is “special”
- Docker libnetwork provides limited functionality / visibility to plug-ins
  - E.g. the network name you specify as a user is NOT passed to the underlying SDN
- Consequences:
  - Diagnostics hard to correlate
  - Hard to enable “side loaded” commands referring to networks created on the Docker command line (e.g. Calico advanced policy)
  - Hard to network between the Docker virtual network domain and non-containerized workloads
Gotcha #10: at cloud scale, nothing ever converges
- “Can you write a function that tells me when all nodes have caught up to the global state?”
- Sure…

    function is_converged()
        return false
The Future of Cloud Networking
- Flat routed IP networking with fine-grained policy
- Broad set of overlay options
- De facto industry standard for policy-driven networking for cloud native applications
Check it out – Calico is in the Mesosphere Universe!
https://www.projectcalico.org/calico-dcos-demo-security-speed-and-no-more-port-forwarding/
Assure Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
UiPathCommunity
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 

Recently uploaded (20)

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 

Container Networking: the Gotchas (Mesos London Meetup 11 May 2016)

  • 1. @projectcalico Project Calico is sponsored by Tigera, Inc. | www.tigera.io Networking in a Containerized Data Center: the Gotchas! MESOS LONDON MEETUP Andy Randall | @andrew_randall May 11, 2016
  • 2. Background
  • 3. (image-only slide)
  • 4. Run anywhere. Simple. Lightweight. Standard. Speed. Cloud. Efficient.
  • 5. (image-only slide)
  • 6. The original "container approach" to networking: all containers on a machine share the same IP address. Gotcha #1: two web servers that both listen on port 80 cannot share the host's address, so each is port-mapped behind a proxy (diagram: WWW1 :80 and WWW2 :80 behind a proxy on 8080 and 8081). Still most container deployments use this method!
  • 7. World is moving to "IP per container": Container Network Interface (CNI); Container Network Model (libnetwork, 0.19); net-modules (Mesos 0.26) (future: CNI?).
  • 8. We've solved "IP per VM" before... (diagram: VM1, VM2 and VM3 attached to a virtual switch)
  • 9. We've solved "IP per VM" before... (diagram: two hosts, each with VM1, VM2 and VM3 on its own virtual switch)
  • 10. Consequences for containers (gotcha #2): scale. VMs meant hundreds of servers with low churn; containers mean millions of endpoints with high churn.
  • 11. Consequences for containers (gotcha #3): layering. Packets are double encap'd! (diagram: on pHost 1, containers A, B and C hang off veth0, veth1 and veth2 behind a virtual switch / encapsulation inside VM1; VM1's vNIC sits behind a second virtual switch / encapsulation on the host, which reaches the physical switch through the pNIC; pHost 2 with VM2 and containers D, E and F mirrors this)
  • 12. Consequences for containers (gotcha #4): walled gardens. (diagram: a legacy app on the physical switch faces two layers of virtual switch / encapsulation before it can reach containers A, B and C inside VM1 on pHost 1)
  • 13. "Any intelligent fool can make things bigger, more complex… It takes a touch of genius – and a lot of courage – to move in the opposite direction."
  • 14. A saner approach: just route IP from the container. (diagram: containers A, B and C on veth0, veth1 and veth2 inside VM1 on pHost 1, and D, E and F inside VM2 on pHost 2, are reached by Linux kernel routing with no encapsulation; the VMs sit on a virtual underlay, the hosts on the physical underlay)
  • 15. Variant: 1 VM per host, no virtual underlay, straight-up IP. (diagram: the same two hosts with the virtual underlay removed; Linux kernel routing from the VM straight onto the physical underlay)
  • 16. Results: bare metal performance from virtual networks. (charts: throughput in Gbps, 0 to 10, and CPU % per Gbps, 0 to 120, each for bare metal, Calico and OVS+VXLAN) Source: https://www.projectcalico.org/calico-dataplane-performance/
  • 17. Gotcha #5: IP per container not yet universally supported. Some container frameworks still assume port mapping, e.g. the Marathon load balancer service (but being fixed…). Some PaaS's do not yet support IP per container, but several are moving to build on Kubernetes and will likely pick it up.
  • 18. Gotcha #6: running on public cloud. You can easily get your configuration wrong and get sub-optimal performance, e.g. select the wrong Flannel back-end for your fabric; leave the AWS source/destination check enabled on your nodes (EC2 discards traffic an instance sends or receives for addresses that are not its own unless the check is disabled, so disable it on the nodes that route container traffic and nowhere else); get the MTU size wrong for the underlay…
  • 19. Consequences of MTU size… (chart: qperf bandwidth, 0 to 300, on t2.micro and m4.xlarge, bare metal versus Calico)
  • 20. Consequences of MTU size… (chart: qperf bandwidth, 0 to 300, on t2.micro and m4.xlarge, bare metal versus Calico with MTU=1440 versus Calico with MTU=8980)
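The layering slide (gotcha #3) and the two MTU charts come down to the same arithmetic: every encapsulation layer takes its header bytes out of the MTU the workload may use, and a workload MTU chosen without looking at the underlay and the overlay stack is what produces the collapse in the qperf chart. The calculator below is an added example written for this page, not code from the slides or from Project Calico. The header sizes it uses (20 bytes for IP-in-IP, 50 for VXLAN over IPv4), the 9001-byte AWS jumbo-frame underlay, and the pairing of the slide's 8980 figure with IP-in-IP are this example's assumptions.

```python
"""Encapsulation overhead and MTU calculator.

Added example for this page, not code from the slides or from Project Calico.
Header sizes assume an IPv4 underlay and are this example's assumptions:
    ipip  = 20 bytes  (one extra IPv4 header)
    vxlan = 50 bytes  (outer Ethernet 14 + IPv4 20 + UDP 8 + VXLAN 8)
Every layer in `stack` is subtracted from the underlay MTU, which is how a
VM-level overlay stacked on a container-level overlay (gotcha #3) shrinks the
MTU a workload may use, and why a workload MTU chosen without looking at the
underlay (gotcha #6) collapses throughput.
"""
from typing import Iterable

HEADER_BYTES = {"ipip": 20, "vxlan": 50}

# IPv4 header (20) + ICMP header (8): the bytes `ping -M do -s N` adds on top of N.
IP_ICMP_HEADERS = 28


def inner_mtu(underlay_mtu: int, stack: Iterable[str]) -> int:
    """Largest IP packet a workload may send when its traffic crosses every
    encapsulation in `stack` over an underlay of `underlay_mtu` bytes."""
    mtu = underlay_mtu
    for layer in stack:
        mtu -= HEADER_BYTES[layer]
    return mtu


def mtu_headroom(workload_mtu: int, underlay_mtu: int, stack: Iterable[str]) -> int:
    """Bytes to spare between the workload's configured MTU and what the path
    carries. Negative means full-size packets no longer fit once encapsulated:
    depending on the encapsulation and the DF bit they are fragmented or
    dropped, which is the symptom behind the MTU bandwidth chart."""
    return inner_mtu(underlay_mtu, stack) - workload_mtu


def goodput_fraction(underlay_mtu: int, stack: Iterable[str]) -> float:
    """Share of a full-size wire frame that is workload payload rather than
    encapsulation headers."""
    return inner_mtu(underlay_mtu, stack) / underlay_mtu


def df_ping_payload(underlay_mtu: int, stack: Iterable[str]) -> int:
    """ICMP payload size for a don't-fragment ping that exactly fills the path.
    If the MTUs are consistent this size gets a reply and one byte more fails."""
    return inner_mtu(underlay_mtu, stack) - IP_ICMP_HEADERS


if __name__ == "__main__":
    # Single VXLAN overlay on a standard 1500-byte Ethernet underlay.
    print("vxlan on 1500:", inner_mtu(1500, ["vxlan"]))                    # 1450
    # Gotcha #3: a VM-level overlay with a container-level overlay inside it.
    print("vxlan in vxlan on 1500:", inner_mtu(1500, ["vxlan", "vxlan"]))  # 1400
    # Routed IP from the container: nothing is taken off the underlay MTU.
    print("routed, no encap on 1500:", inner_mtu(1500, []))               # 1500
    # AWS jumbo frames with IP-in-IP; the slide's 8980 is one byte below this.
    print("ipip on 9001:", inner_mtu(9001, ["ipip"]))                      # 8981
    # A workload left at 1500 while crossing VXLAN: negative headroom.
    print("1500 over vxlan, headroom:", mtu_headroom(1500, 1500, ["vxlan"]))  # -50
    # Largest `ping -M do -s N` that must still pass across that overlay.
    print("df ping payload over vxlan:", df_ping_payload(1500, ["vxlan"]))    # 1422
```

Running it prints the slide's scenarios: a single VXLAN overlay on a 1500-byte underlay leaves 1450 bytes, a VM overlay stacked on a container overlay leaves 1400, routed IP from the container leaves all 1500, and IP-in-IP on a 9001-byte underlay leaves 8981, one byte above the slide's 8980. df_ping_payload gives the size for a don't-fragment ping across the overlay; a reply at that size and "message too long" one byte above it is the quick check that the configured MTUs agree with the path, and a silent timeout at that size means ICMP "fragmentation needed" is being filtered somewhere and path MTU discovery cannot save you.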
  • 21. Gotcha #7: IP addresses aren't infinite. Suppose we assign a /24 per Kubernetes node (=> 254 pods). Run 10 VMs per server, each with a Kubernetes node; 40 servers per rack; 20 racks per data center; 4 data centers. => now you need a /15 for the rack, a /10 for the data center, and the entire 10/8 RFC 1918 range to cover 4 data centers… and hope your business doesn't expand to need a 5th data center!
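The arithmetic on the slide hides a design choice: whether each rack and data center is carved out as its own power-of-two block (which is what makes the rack a /15, the data center a /10 and four of them the whole of 10/8) or whether the per-node /24s are packed contiguously. The calculator below is an added example written for this page, not code from the slides or from Project Calico; the /24 leaf, the counts and the 10.0.0.0/8 pool are the slide's, and the packed versus aligned distinction is this example's framing.

```python
"""Address-plan calculator for gotcha #7.

Added example for this page, not code from the slides or from Project Calico.
A /24 per Kubernetes node is the leaf block. Aggregation is modelled two ways:
  * packed:  all leaf /24s below a level are laid out contiguously, so the
             level needs only ceil(log2(number of /24s)) extra prefix bits;
  * aligned: every level is its own power-of-two block, so rounding happens at
             every level and the waste compounds.
The slide's /15 per rack is the packed figure for 40 servers x 10 nodes; its
/10 per data center and /8 for four data centers are aligned figures built on
top of that /15 (each rack keeps a whole /15 whether or not it is full).
"""
import math
from ipaddress import IPv4Network

LEAF_PREFIX = 24  # one /24 (254 usable pod addresses) per node, as on the slide


def bits_for(count):
    """Extra prefix bits needed to number `count` equal-size children."""
    return math.ceil(math.log2(count)) if count > 1 else 0


def packed_prefix(leaf_count, leaf_prefix=LEAF_PREFIX):
    """Prefix length of the smallest block holding `leaf_count` contiguous
    /leaf_prefix blocks."""
    return leaf_prefix - bits_for(leaf_count)


def aligned_prefixes(counts, leaf_prefix=LEAF_PREFIX):
    """Prefix length at each aggregation level, leaf upward, when every level
    is a power-of-two aligned block. `counts` lists children per level, e.g.
    [nodes per server, servers per rack, racks per data center, data centers]."""
    prefixes, prefix = [], leaf_prefix
    for count in counts:
        prefix -= bits_for(count)
        prefixes.append(prefix)
    return prefixes


def fits(prefix, pool="10.0.0.0/8"):
    """True if a block of length /prefix fits inside the given RFC 1918 pool."""
    return prefix >= IPv4Network(pool).prefixlen


def slide_plan(nodes_per_server=10, servers_per_rack=40, racks_per_dc=20, dcs=4):
    """Reproduce the slide: packed within the rack, aligned above it."""
    rack = packed_prefix(nodes_per_server * servers_per_rack)
    dc, total = aligned_prefixes([racks_per_dc, dcs], leaf_prefix=rack)
    return {"rack": rack, "dc": dc, "total": total}


if __name__ == "__main__":
    print("slide plan:", slide_plan())                  # {'rack': 15, 'dc': 10, 'total': 8}
    fifth_dc = aligned_prefixes([20, 5], leaf_prefix=15)[-1]
    print("5th DC needs /%d, fits 10/8: %s" % (fifth_dc, fits(fifth_dc)))  # /7, False
    # Packed end to end: the same 32,000 nodes fit in half of 10/8.
    print("packed total:", packed_prefix(10 * 40 * 20 * 4))                # 9
    # Aligned at every level (a /20 per server, a /14 per rack, ...): no longer fits at all.
    print("aligned per level:", aligned_prefixes([10, 40, 20, 4]))         # [20, 14, 9, 7]
```

slide_plan() reproduces the slide's /15, /10 and /8, and fits() confirms that a fifth data center planned the same way needs a /7 and falls outside 10/8. The other two calls show the spread between the extremes: packed end to end, the same 32,000 nodes fit in a /9, while aligning at every level (a /20 per server, a /14 per rack) needs a /7 before a fifth data center is even considered. Aligned blocks are what let you summarise a rack or a data center into one route and one policy CIDR; packing recovers the space at the cost of that summarisation. Decide which you want before the first node gets its /24, because renumbering a running cluster is far harder than renumbering a plan.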
  • 22. Gotcha #8: orchestration platform support still evolving. DC/OS / Mesos: multiple ways to network your container. Net-modules (but only supports the Mesos containerizer); Docker networking (but then not fully integrated, e.g. into Mesos-DNS); CNI (possible future, but not here today); roll-your-own orchestrator/network co-ordination (the approach some of our users have taken). Kubernetes: CNI fairly stable; fine-grained policy being added, and will move from alpha (annotation-based) to beta (first-class citizen API) in 1.3. Docker: Swarm / Docker Datacenter still early; libnetwork evolution? policy?
  • 23. Gotcha #9: Docker libnetwork is "special". libnetwork provides limited functionality / visibility to plug-ins; e.g. the network name you specify as a user is NOT passed to the underlying SDN. Consequences: diagnostics are hard to correlate; it is hard to enable "side-loaded" commands referring to networks created on the Docker command line (e.g. Calico advanced policy); and it is hard to network between the Docker virtual network domain and non-containerized workloads.
  • 24. Gotcha #10: at cloud scale, nothing ever converges. "Can you write a function that tells me when all nodes have caught up to the global state?" Sure… function is_converged() return false
  • 25. The Future of Cloud Networking: flat routed IP networking with fine-grained policy; broad set of overlay options; de facto industry standard for policy-driven networking for cloud native applications.
  • 26. Check it out – Calico is in the Mesosphere Universe! https://www.projectcalico.org/calico-dcos-demo-security-speed-and-no-more-port-forwarding/
  • 27. (closing slide, no text)

Editor's Notes

  1. All the containers can talk to one another. Things like kube-proxy will allow a single service VIP to access the containers inside the virtual network. But some legacy apps need direct access to the containers, and there's no on/off-ramp possible.