Slides for the OpenStack Newton Summit in Austin that cover the changes done during the Mitaka cycle and the direction we will take for Neutron. Swarm and Kubernetes integrations explained

1. Project Kuryr
Docker delivered, Kubernetes Next!
Mohammad Banikazemi @MBanikazemi
Gal Sagie @GalSagie
Antoni Segura Puimedon @celebdor

2. What Are the Problems?
❏ Reinventing networking abstractions
❏ Changing and vendor specific solutions
❏ Overlay
2
for VM nested containers
❏ Performance, latency, SLA, management penalties
❏ Lack of isolation and policy level constructs
❏ Security
❏ 3-Tier Applications
❏ Hard to connect VMs, bare metal and nested containers
❏ No unified networking infrastructure

3. Similar Concepts

4. Nested Containers Overlay

5. Mission
Neutron as the
production-ready
networking
abstraction
containers need

6. Kuryr Project Overview
❏ Open source
❏ Part of OpenStack Big-Tent
❏ Brings the Neutron networking model to containers
❏ Aims to support different Container Runtimes (docker, rkt, etc)
❏ E.g. Kubernetes, Mesos, Docker Swarm
❏ Weekly IRC meetings
❏ Working together with OpenStack community
❏ Neutron, Magnum, Kolla

7. Current Supported Features
❏ Utilizes Neutron and Keystone
❏ Supports Docker networking
❏ Network Plugin
❏ IPAM Plugin
❏ Allows for out of band use of Security Groups
❏ Supports use of existing Neutron resources
❏ Networks
❏ Subnets
❏ Load balancers
❏ Supports Docker Swarm

8. New features for containers
Security Groups
Subnet Pools
NAT (SNAT / DNAT – Floating IP)
Port Security (ARP Spoofing)
QoS
Quota Management
Neutron pluggable IPAM
Provide well-integrated COE Load balancing through Neutron
FWaaS for Containers
Plugging into existing Neutron networks

9. Kuryr Components

10. Kuryr Generic VIF Binding

11. How to Use: Docker Native API
$ docker network create -d kuryr
--ipam-driver=kuryr
--subnet=10.10.0.0/24
--gateway=10.10.0.1 mynet
08192d75a75a490163ac33434fb2c8a74a7841ad42abb985a1fdc7cde3c92f17
$ docker run -it --net=mynet alpine

12. $ neutron net-list
+--------------------------------------+--------------------+---------------------------------------------------+
| id | name | subnets |
| a747d101-eefb-4aa2-9575-9c7ad181f8e0 | kuryr-net-08192d75 | 42a8d0c5-687d-4284-ac3e-2db86f5579f6 10.10.0.0/24 |
$ neutron net-show kuryr-net-08192d75
+---------------------------+----------------------------------------------------+
| Field | Value |
| id | a747d101-eefb-4aa2-9575-9c7ad181f8e0 |
| name | kuryr-net-08192d75 |
| subnets | 42a8d0c5-687d-4284-ac3e-2db86f5579f6 |
| tags | kuryr.net.uuid.lh:08192d75a75a490163ac33434fb2c8a7 |
| | kuryr.net.uuid.uh:4a7841ad42abb985a1fdc7cde3c92f17 |
Behind the Scene: Neutron Network
❏ Neutron network tags: associate Neutron and Docker networks

13. Existing Neutron Networks
$ neutron net-create mynet
$ docker network create -d kuryr
--ipam-driver=kuryr
--subnet=10.10.0.0/24
--gateway=10.10.0.1
-o neutron.net.name=mynet
mynet_d
$ ID=$(neutron net-list | grep mynet
| awk '{print $2}')
$ docker network create -d kuryr
--ipam-driver=kuryr
--subnet=10.10.0.0/24
--gateway=10.10.0.1
-o neutron.net.uuid=$ID mynet_d

14. $ neutron net-show mynet
+---------------------------+----------------------------------------------------+
| Field | Value |
+---------------------------+----------------------------------------------------+
| tags | kuryr.net.uuid.uh:4ca3f3fc3fc48a8c9cd902ed7508f1cd |
| | kuryr.net.uuid.lh:12f769bd2697f2200f27f60753bd5dad |
| | kuryr.net.existing |
Existing Neutron Networks (Cont’d)
❏ Neutron tags added to the network
❏ Subnet if existing is used, otherwise gets created
❏ Neutron network is not deleted upon deletion of Docker network
❏ If not using Mitaka release (i.e., Liberty or earlier):
❏ Neutron network name is modified
❏ Deleting Docker network → deletion of Neutron network if no ports

15. Docker Swarm

16. Kubernetes Integration
❏ Secure connection to the Neutron API Server
❏ Kuryr watcher on admin/tenant machine
❏ Kuryr CNI plugin only communicates with K8s API
❏ Kubelet must already have a channel to the API
❏ Only performs the binding to the correct Neutron port
❏ Raven updates policy using Neutron
❏ Policy information gets translated into security groups

17. Kubernetes and Kuryr

18. Kubernetes Services

19. VM Nested Containers and Magnum

20. Packaging
❏ Automated container builds at https://hub.docker.com/r/kuryr/
❏ Libnetwork
❏ Raven
❏ Kubelet
❏ Kolla Integration
❏ Under review
❏ Distribution packaging with systemd unit files
❏ Debian
❏ RDO
❏ Heat Templates
❏ Magnum Integration

21. Kuryr Roadmap
❏ Newton cycle
❏ Kubernetes integration
❏ CNI and watcher parts upstreaming
❏ Policy support using security groups
❏ Nested containers and Magnum integration
❏ Neutron advanced services (FWaaS VPNaaS)
❏ DNS integration and Port Forwarding
❏ Docker exposed ports
❏ Packaging and Deployment
❏ Mesos

22. Kuryr and Storage
❏ Kuryr as incubator for bringing native OpenStack services to containers
❏ Cinder
❏ Manila
❏ Swift
❏ Freezer
❏ Smaug

23. Join us! Be the Kuryr!
❏ Project Launchpad
❏ https://launchpad.net/kuryr
❏ Project Git Repository
❏ https://github.com/openstack/kuryr
❏ Weekly IRC Meeting
❏ http://eavesdrop.openstack.org/#Kuryr_Project_Meeting
❏ IRC
❏ #openstack-kuryr @ Freenode
❏ Mailing List
❏ openstack-dev@lists.openstack.org ([Neutron][Kuryr])

24. Join us! Be the Kuryr!
❏ Documentation
❏ http://docs.openstack.org/developer/kuryr
❏ Getting Started Blog posts
❏ http://galsagie.github.io/sdn/openstack/docker/kuryr/neutron/2015/08/24/kuryr-part1/
❏ http://galsagie.github.io/sdn/openstack/docker/kuryr/neutron/2015/10/10/kuryr-ovn/
❏ https://mbanikazemi.com/2016/01/07/docker-swarm-and-kuryr/

25. Demo