Application Hosting on Enterprise Devices

Use the Unused : Application Hosting on Enterprise Devices.

UMA SANKAR MOHANTY Technical Leader, Customer Delivery BRKARC-1002 Cisco Webex Teams

Questions? Use Cisco Webex Teams to chat with the speaker after the session How 1 Find this session in the Cisco Events Mobile App 2 Click “Join the Discussion” 3 Install Webex Teams or go directly to the team space 4 Enter messages/questions in the team space

• The WW(WHAT & WHY) of Containers

• KVM Hosting

• Let’s Host an APP.

• Success Stories

• Key Takeaways

• Q & A

• Appendix

• The WW(WHAT & WHY) of Containers

• KVM Hosting • Hosting Spectrum • Difference : KVM & LXC • IOS-XE Architecture & Container Networking

• Let’s Host an APP.

• Success Stories • CASE 1 : Iperf Hosting • CASE 2 : YangSuite • CASE 3 : Docker Application • CASE 4 : Syslog Server

• Key Takeaways

• Q&A

• Appendix

This Session Focuses on :

• Brief Overview of Containers on Enterprise Platform

• A few success stories of applications running on the IOS-XE Platforms.

By the end, I hope everyone in this room gets a better understanding of containers and how to host applications on top of Enterprise Platforms which can be used for the betterment of the Network.

• Virtual Machine - Includes the application, binaries & libraries along with entire guest OS.

• Containers (LXC) - OS level virtualization method for running multiple isolated Linux containers on a single control host.

Containers are isolated but share OS App 1 App 2 App 3

Bins/ Bins/ VM Bins/ Libs Libs Libs App A1 App 2 p’ App 3

Guest OS Guest OS Guest OS Container Bins/Libs Bins/LibsBins/Lis Bins/Libs Hypervisor (Type2) Container Engine Host OS Host OS Server Server

Service Containers leverage virtualization layer (LXC and KVM) to provision an application hosting environment on Cisco routers/switches.

Gives ability to code application/service once and run it everywhere.

Cisco Virtual Services: • Example: WAAS, SNORT

Third Party Services: • Example: Wireshark, iperf etc.

Not Enough Network Bandwidth Data Reduction

Most Data is not interested Filtering

Use of Data at the Edge Latency Optimization

Computation to be optimized Partitioning

Data Normalization Application Simplification

Data Redirection based on Content Dynamic Changes

Data Timestamping & Algorithm analysis Analytic Support

• Existing hardware Business footprint Applications Management Analytic Systems • No need for IoT separate compute Applications Billing machinery

• Integrated security

• Reduced latency & bandwidth cost

Native LXC Docker KVM Type 1 Process • Strict Kernel • Emerging Industry • Any OS Hypervisor • Very Tight Requirements Standard • Complete • Service Module Integration • Good separation Only • Best performance • Linux host OS • VMWare, HyperV, Performance with some normally – Type Zen… security 2 hypervisor

Linux Containers

Native LXC Docker KVM Type 1 Process •Strict Kernel •Emerging Industry • AnyOS Hypervisor •Very Tight Requirements Standard •Complete • ServiceModule Integration •Good separation Only •Best Performance performance with • Linux host OS •VMWare, HyperV, some security normally – Type 2 Zen… hypervisor

Cisco Developed IOX & Service Containers

Native LXC Docker KVM Type 1 Process •Strict Kernel •Emerging Industry •Any OS Hypervisor •Very Tight Requirements Standard •Complete • ServiceModule Integration •Good • FutureSupport separation Only •Best Performance performance with •Linux host OS •VMWare, HyperV, some security normally – Type 2 Zen… hypervisor

Open IOX & Service Containers

Native LXC Docker KVM Type 1 Process •Strict Kernel • Emerging Industry • Any OS Hyperviso •Very Tight Requirements Standard • Complete r Integration • Good • Future Support separation • ServiceModule •Best performance • Linux host OS Only Performance with some normally – Type •VMWare, HyperV, security 2 hypervisor Zen…

Types of Applications

• Kernel Virtual Machine (KVM) • KVM application is a virtual machine that contains the full OS (kernel and root filesystem) along with the application code and dependencies in a single package.

• Linux Container (LXC) • A Container application is a single package of the root file system, application code and dependencies like libraries and native binaries.

Application Package

The application package consists of several required and optional pieces

• A Package Descriptor file describing the information and resources of the application

• A Package Configuration file for applying configuration values during provisioning

• The binaries, application code, application libraries, virtual disks, root file system, and manifest of the application itself

• OS kernel

• Root file system

• Dependent libraries

• Language runtimes and Frameworks

• Application descriptor file

• Application code

• Configuration files, scripts, etc

• Complete root file system

• Dependent libraries

• Language runtimes and Frameworks

• Application descriptor file

• Compiled application code Configuration files, scripts, etc

•Catalyst 9000 9300, 9400, 9500

•ISR4K ISR4321, ISR4331, ISR4351, ISR4431, ISR4451 •CSR •ASR1K ASR 1001-X (HX), ASR 1002-X (HX)

Customer and 3rd Party Cisco Apps (WAAS,Snort) IOSd Applications Control Plane KVM/LXC Virtual Ethernet

Linux OS

Platform-Specific Data Plane ERSPAN NSH AppNav

Internal Services Blade External Services Blade (UCS® E-Series) (UCS)

IOS-XE 25% CPU Service containers live here: 75% CPU Control Plane (1 core) Data Plane Services Plane (3 cores) (6 or 10 cores)

FPGE

ISC Multigigabit Service Container Fabric SM-X

KVM - Hypervisor

Service Plane (control plane CPU) NIM

Memory

• Service Containers (currently) REQUIRE additional DRAM beyond the 4GB system default • Additional DRAM beyond 4GB will be available to a KVM application • Example: 8GB DRAM will have 4GB available to Service Containers • Example: 16GB DRAM will have 12GB available to Service Containers

Storage

• No storage is included by default and applications do not have accessto bootflash. • Options include internal MSATA SSD on 4300 Series, NIM-SSD or NIM-HD on all ISR4K.

USB External Storage Memory Platform CPU vCPU CPU units M2 SATA USB 3.0 (GB) Storage (GB) (GB) 1 Core Catalyst 9300 2 (25%) 2 7400 NA 120

1 Core Catalyst 9400* 8 2 7400 960 N/A (25%)

1 Core Catalyst 9500* 8 (25%) 2 7400 NA 120 Catalyst 9500 1 Core high-performance* 8 (25%) 2 7400 960 N/A 2 Core Catalyst 9600* 8 (25%) 2 7400 960 NA

Cat 9500 Cat 9300/9500 Cat 9400 High Performance

USB 3.0 M2 SATA M2 SATA 120GB 240/480/960GB 240/480/960GB

Plug into Back Panel removable SUP Back Panel

For Local Storage and App Hosting

• Memory and CPU usage for Apps are bounded using Control groups (cgroups).

• Process and files access for Apps are isolated and restricted (using user namespace)

• Disk usage is isolated using separate storage.

CAT9K

SSD offers two layers of security:

• AES-256 Hardware encryption on SSD • Passcode Authentication on the switch and SSD

Match

Switch#hw-module switch 1 usbflash1 security ? Switch# conf t disable disable security on USB3.0 Switch(config)# hw-module switch 1 usbflash1- enable Enable security on USB3.0 password Switch(config)# no hw-module switch 1 unlock Unlock USB3.0 usbflash1-password

Container 10.0.0.10 Container Container VM eth1 eth1 eth1 eth0 eth0 eth0 eth0 eth1 172.19.0.24 10.0.0.2 10.0.0.3 10.0.0.4 10.0.0.5 Mgmt Bridge0 Svc Bridge1

IOS-XE AppGigabitEthernet X VirtualPortGroup X 10.0.0.1/24 Management Bridging Routing VRF

Linux SW component Ge0/0 Ge0/0/11 Ge0/0/12 Ge0/0/13 172.19.0.23 Ge0/0/1 Ge0/0/2 Ge0/0/3 HW 12.0.0.1/24 13.0.0.1/24 14.0.0.1/24 L2 interface* Forwarding L3 interface

Management Interface Container eth1 eth0 172.19.0.24

Mgmt Bridge0 L2 Bridging

Management VRF

Ge0/0 172.19.0.23 LXC/VM vNICs

Container Container VM eth1 eth1 eth0 eth0 eth0 eth1 AppGigabit Interface 10.0.0.2 10.0.0.3 10.0.0.4 10.0.0.5

Svc Bridge1

AppGigabitEthernet X Bridging Outgoing Port

Ge0/0/1 Ge0/0/2 Ge0/0/3 L2 interface*

Container Container VM eth1 eth1 eth0 eth0 eth0 eth1 10.0.0.2 10.0.0.3 10.0.0.4 10.0.0.5 VPG Interface Svc Bridge1

VirtualPortGroup X 10.0.0.1/24 Routing

Ge0/0/11 Ge0/0/12 Ge0/0/13 12.0.0.1/24 13.0.0.1/24 14.0.0.1/24 L3 interface

Logging directly into VM and configure Linux using CLI Linux commands

DHCP Enabling DHCP service in KVM/LXC and configuring DHCP server/relay

IOS XE CLI IOS assigned explicitly with IOS XE CLI

app-hosting install appid package usbflash1:

App-hosting activate appid

App-hosting start appid

install activate start

uninstall deactivate stop

App-hosting uninstall appid App-hosting stop appid

App-hosting deactivate appid

• Create : Creating the KVM Image

• Enable : Enable Serial Console

• Install : Install any other APP’s or Package

• Build : Building a Service Container

• Start up the VM Manager

• Click on the ‘Create a new virtual machine’ icon, type a name (e.g. centos) and click centos Forward.

• Select the ISO image, and make sure OS type and Version are set to Linux and Red Hat Enterprise 7

• Click Forward & select the CPU/RAM requirements.

• Specify the RAM and CPU requirement’s for the centos VM.

• Specify the harddisk requirement for centos VM.

• Click Forward to complete the Create process.

• Much like a real PC can have a serial or RS232 connection for a console session to Service Container

• Command to connect : virtual-service connect name console

• Install any packages and applications as per requirement.

• Shut Down the KVM VM, and close the VM manager application.

• If you name the KVM image centos then the image file will be called centos.img and will reside in /var/lib/libvirt/images

• Convert the .img file to qcow2 format.

• Copy qcow2 file, .yaml file & .ver file to one single dir.

• Run create_ova.sh on the dir

• This will generate a .ova file which can be installed on a router.

https://github.com/umohanty/Create_OVA

• centos.ova & centos.mf

Created after running create_ova.sh

• CASE 2 : Yangsuite

• CASE 3 : Docker Application

• CASE 4 : Syslog Server

• Build : Building a container using Docker

• Create : Package the application

• Install : Install the container(package.tar) on router Courtesy : Google Images • Enable : Start the container.

• Build : Building a container using Docker

• Install : Via Cisco DNA Center

1 Dockerfile 2 Build Docker Image 3 Deploy App 4 Cisco DNA-C

docker build –t .

CAT9K

BRKARC-1002 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 73 BRKARC-1002 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 74 BRKARC-1002 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 75 BRKARC-1002 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 76 BRKARC-1002 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 77 CASE 3 : Docker Application

• Critical Resources(Memory, CPU etc.) on a router should always be taken care of . • With Existing SNMP OID’s we can’t get each process memory usage.

• Using custom built Python codes hosted as a container we can achieve this.

• Build : Building a container using Docker

• Create : Package the application using ioxclient

• Install : Install the container(package.tar) on router

• Enable : Start the container.

Create a Dockerfile.

Run docker build command to build container image docker build -t python_iox .

Verify if docker image is created.

Create package.yaml in package directory

Run iox_client to create package.tar file

Install the package.tar on router

Copy Package.tar to bootflash on router.

Configure the Virtualportgroup interface.

Configure NAT to access external network

Use app-hosting install appid python_iox package bootflash:python_iox/package.tar to install package.

Activate: app-hosting activate appid python_iox Start: app-hosting start appid python_iox

Connect to package console:

“app-hosting connect appid python_iox console”

Initialize python script:

“/opt/apps/start.sh &”

Access memory monitoring application at http://192.168.172.3: 55000/memory

https://github.com/umohanty/Python-Webserver

Step 1: Build a CENTOS VM

Step 2: Install Syslog Application on VM

Step 3: Create a OVA Package and Install it on Router

Step 4: Configure Router (Mandate Configuration)

Use vi /etc/rsyslog.conf to Edit syslog settings

Enabling Firewall to Allow port 514

Verifying port 514 connection status

STEP 1 :- Installing the Service Container:

Copy the SyslogServer.ova file onto a USB stick, insert it into the router and type:

copy usb0:SyslogServer.ova harddisk: or Copy the SyslogServer.ova file onto a tftp/ftp Server and use the below command :

copy tftp: harddisk:

Create a DHCP pool so that the service container/Linux instance can acquire an IP address

BRKARC-1002 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 102 STEP 4 :- Installing the Virtual Service virtual-service install name SyslogServer package harddisk:SyslogServer.ova

Once that command shows the service is in Installed state, you can configure in IOS-XE for the service to be activated: virtual-service SyslogServer activate

Check the state using the same command as before: show virtual-service list

BRKARC-1002 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 106 Key Takeaways Key Takeaways • What are Service Containers ? • Provision’s an application hosting environment on Cisco routers/switches.

• Application Hosting Spectrum

• 4 Step Procedure to Host an APP.

• Success Stories : • Iperf Hosting • YangSuite By leveraging native Docker Support on CAT9K, programmability and management becomes lot more easier. • Docker Application Build your own Monitoring application hosted right on your edge device. • Syslog Server

WAY MORE INFO: What the Heck is a Service Containers? (blog) An Introduction to Service Containers (Presentation) Fundamentals of Service Containers (Techwise Video) Virtual Service Container Config Guide (NXOS &IOSXE) https://github.com/suchandanreddy/devnet3624 (Host IPERF on ISR4K)

BRKARC-1002 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 110 Q & A Complete your online session • Please complete your session survey survey after each session. Your feedback is very important.

• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live t-shirt.

• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Content Catalog on ciscolive.com/emea.

Cisco Live sessions will be available for viewing on demand after the event at ciscolive.com.

Demos in the Walk-In Labs Cisco Showcase

Meet the Engineer Related sessions 1:1 meetings