The Container Story: Run Your Apps and Tools Natively on Cisco Boxes
Total Page:16
File Type:pdf, Size:1020Kb
The Container Story: Run your apps and tools natively on Cisco boxes Per Jensen, [email protected] June, 2015 • Fast feature delivery – independent from “My Stuff” network OS release cycle • Custom feature delivery – “for me only” • Integration into existing/custom tool chains • Security domains – isolate “my stuff” from network OS Network Element Customization: Examples DataCenter - DevOps Service Provider IoT Enterprise • DevOps Configuration • Custom analytics/stats • Single device hosting for • Custom analytics (e.g. Automation Toolchain aggregation networking and non- brownout analysis) Integration • Custom VPN networking functions – • Integration with (Puppet, Chef, Ansible, • Custom routing incl. DNS- , DHCP- , SIP Enterprise apps (Unified CFEngine, ..) • Service chaining intercept, load balancing, Comms) • Linux tools (e.g. Ganglia) • Custom OS AP-light, OOB • Custom routing (e.g. • Custom scripts in Python (combining open-source management proxy,… military) and vendor-source) • Protocol gateway (for • Custom traffic protocols used in manipulation different embedded deployments) • Custom routing (e.g. active-active) • Linux-tools Towards An Eco-System For Customization Cisco • Empower Cisco-Services, ISV/Partners, • Deliver Network Architecture & Network Element Customers to innovate and customize • Feature rich, optimized, secure software stack • Services and support • Custom feature delivery independent Customer from Network OS software release • Deploy & Manage Network Element cycle • Deploy Business Functions • Examples: Customer • Automated management (tools/scripts) requires new capability • Automated system visibility • Automated fault detections Cisco Partner Customer • Proprietary business and networking implements new capability functions Customer • … deploys new capability Linux Containers • A Linux container lets you run a Linux system within another Linux system. Zones • A container is a group of processes on a Linux machine. • Those processes form an isolated environment. • Inside the container, it looks like a VM. • Outside the container, it looks like normal processes running on the machine. • It looks like a VM, but it is more efficient: Containers = Lightweight Virtualization Containers are almost like Virtual Machines • Containers have their own network interface (and IP address) • Can be bridged, routed... just like with Xen, KVM etc. • Containers have their own filesystem • For example a Debian host can run Fedora container (and vice-versa) • Security: Containers are isolated from each other • Two containers can't harm (or even see) each other • Resource Control: Containers are isolated and can have dedicated resources • Soft & hard quotas for RAM, CPU, I/O... Containers and Virtual Machines App A App A’ App B Containers are isolated but share OS and where Bins/ Bins/ Bins/ VM appropriate bins/libraries Libs Libs Libs Guest OS Guest OS Guest OS App App App App App App Container A A’ B B’ B’ B’ Hypervisor (Type 2) Bins/Libs Bins/Libs Control Container Host OS Host OS Server Server Containers: Classes of Use-Cases Extend Network Network Web-Scale Function Elements’ Micro-Services Virtualization Functionality Motivation: Containers on Network Elements • Network OS Independence • System Modularity • Limit kernel dependencies • Enable multiple constituents to provide for device enhancements • Cisco Development, Cisco Services, Partners, Customers, … • Leverage existing tools/tool-chains and eco-systems • Integration of network device with server-centric tool chains • Isolation / Security • Application-focused deployment, as opposed to base-OS focused deployment (“escape dependency hell”) Containers for network elements: Enabling Plugins • Virtualized environment to host “applications” on a Cisco device. Customer ISV Cisco Apps Apps Apps • Wide range of “applications” – shell, virtual services, plugins… • Applications can be developed and release independent from Network OS release cycles Plug-in 1 Plug-in 1 • Application Examples: Plug-in 2 Plug-in 3 v1.17 v2.13 • Cisco Virtual Services: • Integrated Appliance: ISR4451X-WAAS (KVM) Container Container Container • Linux shell: Guest shell (LXC) • Cisco Plugins: • Features with decoupled release cycles: Puppet Plugin, Chef Plugin (LXC), Network OS Splunk universal forwarder plugin • Third Party Services Container Network Models Shared Dedicated Applications inside the container appear as applications Applications inside the container appear as appliances on a subnet running natively on the host reachable from the host Examples: Nexus 3k, 9k, Cat 3k, 4k, Titanium Examples: ASR 1k, CSR 1kv, ISR4k, ISR 819 Container 1 Container 2 Container 1 Container 2 Network namespace: Host Network namespace: Host Network namespace: N1 Network namespace: N2 Container interfaces Container interfaces Container interfaces Container interfaces eth0 eth1 eth2 eth0 eth1 eth2 veth0 veth1 veth2 veth0 veth1 veth2 Shared namespace: Linux Bridge Interfaces are directly mapped to container VPG Multiple bridges and virtual topologies possible Host platform Host platform Forwarding Plane Network namespace: Host Network namespace: Host eth0 eth1 eth2 eth0 eth1 eth2 Physical interfaces Physical interfaces Containers On Network Elements: High-Level Architecture On Linux-based systems API/onePK Virtual Service (container) IOSd vman NXOS libvirt • Packet Connectivity libcontainer • Storage • Console/Logging Application Manages • Resource Control packaged as virtualization System • Separate Namespace .ova infrastructure Processes and virtual service lifecycle Host User Space (install, activate, …) Host Kernel OVA - Open Virtual Appliance Apps Configuration for the virtual environment (E.g., Puppet, • Amount of host resources for the guest Chef, …) • Guest storage • Network interfaces OVA is a • Package manifest tarball of these files • Authentication Certificate • Disk image (.iso) • File systems Virtual Service Deployment Workflow: Hosted Service Deployment Model router#virtual-service install name Install <app_name> package <file_uri> Service router#interface VirtualPortGroup1 ip address 3.3.3.1 router#virtual-service Un-Install Configure 255.255.255.0 uninstall name <app_name> Service Service router#virtual-service <app-name> interface virtualPortGroup1 ip address 3.3.3.2 profile app-model-1 router#virtual-service Upgrade Start upgrade name <app_name> Service Service package <file_uri> router#virtual-service <app-name> activate router#show virtual-service connect Manage Monitor router#show log Service Service router#show virtual-service global router#show virtual-service list router#show virtual-service detail name <app-name> router#show virtual-service utilization name <app-name> See also: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sdn/command/openflow-cr-bookmap/cr-virtual-services.html Guest Shell as a virtual service EEM and Guest Shell: EEM triggers Guest Shell commands/scripts as actions Enable enhanced EEM event detectors Run Guest Shell command when applet triggers Towards An Open Ecosystem For Network Components “Cisco” “Open Packages” “Reference Ecosystem” Cisco focused apps Cisco + 3rd-party packages Cisco + 3rd-party packages + reference environment Orchestration & “Open” Lifecycle Management 3rd Controller NOS NOS NOS NOS Container Container Container Container Container OS/Linux OS/Linux OS/Linux Linux Linux Switch/Router Switch/Router Switch/Router 3rd-party Device 3rd-party Server Integration Plugins Guest Shell Portable Network Components (Puppet, Chef, OpenFlow,…) In Open Reference Environment Open Application Container: Developer Perspective • Common Environment for Network Functions Orchestration & Life-cycle management • Physical Router/Switch - Virtual Router/Switch • Server/Application (incl. “Controller”) … … • Common Development Experience Load/ • Linux-style programming experience Logging “App” Unload • Typical networking functions available to developer as integrated libraries HA Scale • Distributed/Centralized/Combined NFs Storage Update • Common Runtime Experience • Run network function at the most optimal place in Data- Fwd’ing Routing Comms Topology … the network (device, controller, application server), Plane API Control Control (NC-NC) depending on NF’s needs (performance, scale, Hooks into network functions (local/remote) ease of use) Container • Open Ecosystem / Open-Source Operating Data-Plane Network System (HW/SW) Control Plane Summary • Containers as a tool to complement the OS of the network element • Fast feature delivery – independent from network OS release cycle • Enable custom feature delivery – “for me only” • Tool to provide for easy integration into existing/custom tool chains • Security domains – isolate “my stuff” from network OS • Deployment examples • Integration tools (Puppet, Chef, .. plugins) • Guest-Shell • Network Applications (Distributed Network Analytics, Self Learning Networks, …) ISR 4000 Architecture and Virtualization C97-732576-00 © 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 20 Cisco ISR 4000 Family I/O Design Management Interface Front-Panel GE Network Interface Modules Optional Drive NIM for out-of-band control plane . RJ45/SFP GE Interfaces (NIMs) Embedded Applications Larger and more powerful connection directly to a . RAID 1 for data protection . PoE+ available on some than EHWICs . Single HD (future) and management network models . Up to 8 ports per module dual SSD options . DSPs directly on modules Enhanced Service Modules USB Connections . Compatible with Cisco® ISR G2