Kubernetes + OpenStack + HyperContainer = The Container Platform for NFV

Transcript

1. OPENSTACK + KUBERNETES + HYPERCONTAINER The Container Platform for NFV

2. ABOUT ME ➤ Harry Zhang ➤ ID: @resouer ➤ Coder,

   Author, Speaker … ➤ Member of Hyper ➤ Feature Maintainer & Project Manager of Kubernetes ➤ sig-scheduling, sig-node ➤ Also maintain: kubernetes/frakti (hypervisor runtime for k8s)

3. NFV Network Functions Virtualization: why, and how?

4. TRENDS OF TELECOM OPERATORS ➤ Traditional businesses rarely grow ➤

   Non-traditional businesses climb to 8.1% of the whole revenue, even 15%~20% in some operators ➤ The new four business models: ➤ Entertainment & Media ➤ M2M ➤ Cloud computing ➤ IT service Source: The Gartner Scenario for Communications Service Providers

5. WHAT’S WRONG? ➤ Pain of telecom network ➤ Specific equipments

   & devices ➤ Strict protocol ➤ Reliability & performance ➤ High operation cost Long deploy time cost Complex operation processes Multiple hardware devices co-exists Close ecosystem New business model requires new network functioning

6. NFV ➤ Replacing hardware network elements with ➤ software running

   on COTS computers ➤ that may be hosed in datacenter Speedup TTM Save TCO Encourage innovation ➤ Functionalities should be able to: ➤ locate anywhere most effective or inexpensive ➤ speedily combined, deployed, relocated, and upgraded

7. USE CASE ➤ Project Clearwater ➤ Open source implementation of

   IMS (IP Multimedia Subsystem) for NFV deployment Devices (physical equipments) NFV VNF (software)

8. SHIP VNF TO CLOUD Physical Equipments ->VNFs -> Cloud

9. VNF cloud ➤ Wait, what kind of cloud? ➤ Q:

   VM, or container? ➤ A: 6 dimensions analysis ➤ Service agility ➤ Network performance ➤ Resource footprint & density ➤ Portability & Resilience ➤ Configurability ➤ Security & Isolation disk image container image VNF VNF VNF VNF VNF VNF

10. SERVICE AGILITY ➤ Provision VM ➤ hypervisor configuration ➤ guest

    OS spin-up ➤ align guest OS with VNFs ➤ process mgmt service, startup scripts etc ➤ Provision container ➤ start process in right namespaces and cgroups ➤ no other overhead Average Startup Time (Seconds) Over Five Measurements Data source: Intel white paper Start up time in seconds 0 7.5 15 22.5 30 25 0.38 Container KVM

11. NETWORK PERFORMANCE ➤ Throughput ➤ “the resulting packets/sec that the

    VNF is able to push through the system is stable and similar in all three runtimes” Packets per Second That a VNF Can Process in Different Environments Data source: Intel white paper Millions 0 7.5 15 22.5 30 direct fwd L2 fwd L3 fwd Host Container KVM

12. NETWORK PERFORMANCE ➤ Latency ➤ Direct forwarding ➤ no big

    difference ➤ VM show unstable ➤ caused by hypervisor time to process regular interrupts ➤ L2 forwarding ➤ no big difference ➤ container even shows extra latency ➤ extra kernel code execution in cgroups ➤ VM show unstable ➤ cased by same reason above Data source: Intel white paper

13. RESOURCE FOOTPRINT & DENSITY ➤ VM ➤ KVM 256MB(without —mem-prealloc)

    using about 125MB when booted ➤ Container ➤ only 17MB ➤ amount of code loaded into memory is significantly less ➤ Deployment density ➤ is limited by incompressible resource ➤ Memory & Disk, while container does not need disk provision Memory footprint 0 35 70 105 140 container KVM 256MB 125 17

14. PORTABILITY & RESILIENCE ➤ VM disk image ➤ a provisioned

    disk with full operating system ➤ the final disk image size is often counted by GB ➤ extra processes for porting VM ➤ hypervisor re-configuration ➤ process mgmt service ➤ Container image ➤ share host kernel = smaller image size ➤ can even be: “app binary size + 2~5MB” for deploy ➤ docker multi-stage build (NEW FEATURE) OS Flavor Disk Size Container Image Size Ubuntu 14.04 > 619MB > 188.3MB CentOS 7 > 680MB > 229.6MB Alpine — > 5 MB Busybox — >2MB Data source: Intel white paper

15. CONFIGURABILITY ➤ VM ➤ no obvious method to pass configuration

    to application ➤ alternative methods: ➤ share folder, port mapping, ENV … ➤ no easy or user friendly tool to help us ➤ Container ➤ user friendly container control tool (dockerd etc) ➤ volume ➤ ENV ➤ …

16. SECURITY & ISOLATION ➤ VM ➤ hardware level virtualization ➤

    independent guest kernel ➤ Container ➤ weak isolation level ➤ share kernel of host machine ➤ reinforcement ➤ Capabilities ➤ libseccomp ➤ SELinux/APPArmor ➤ while non of them can be easily applied ➤ e.g. what CAP is needed/unneeded for a specific container? No cloud provider allow user to run containers without wrapping them inside full blown VM!

17. “ Cloud Native vs Security?

18. Hyper Let's make life easier

19. HYPERCONTAINER ➤ Secure, while keep Cloud Native ➤ Make container

    more like VM ➤ Make VM more like container

20. REVISIT CONTAINER ➤ Container Runtime ➤ The dynamic view and

    boundary of your running process ➤ Container Image ➤ The static view of your program, data, dependencies, files and directories FROM busybox ADD temp.txt / VOLUME /data CMD [“echo hello"] Read-Write Layer & /data “echo hello” read-only layer /bin /dev /etc /home /lib / lib64 /media /mnt /opt /proc / root /run /sbin /sys /tmp / usr /var /data /temp.txt /etc/hosts /etc/hostname /etc/resolv.conf read-write layer /tem p.txt json json init layer FROM busybox ADD temp.txt / VOLUME /data CMD [“echo hello"] e.g. Docker Container

21. HYPERCONTAINER ➤ Container runtime: hypervisor ➤ RunV ➤https://github.com/hyperhq/runv ➤ The

    OCI compatible hypervisor based runtime implementation ➤ Control daemon ➤ hyperd: https://github.com/hyperhq/hyperd ➤ Init service (PID=1) ➤hyperstart: https://github.com/hyperhq/hyperstart/ ➤ Container image: ➤ Docker image ➤ OCI Image Spec

22. STRENGTHS ➤ Service agility ➤ startup time: sub-second (e.g. 500~ms)

    ➤ Network performance ➤ same with VM & container ➤ Resource footprint ➤ small (e.g. 30MB) ➤ Portability & Resilience ➤ use Docker image (i.e. MB) ➤ Configurability ➤ same as Docker ➤ Security & Isolation ➤ hardware virtualization & independent kernel Want to see a demo?

23. DEMO ➤ hyperctl run -d ubuntu:trusty sleep 1000 ➤ small

    memory footprint ➤ hyperctl exec -t $POD /bin/bash ➤ fork bomb ➤ Do not test this in Docker (without ulimit set) ➤ unless you want to lose your host machine :)

24. WHERE TO RUN YOUR VNF? Container VM HyperContainer Kernel features

    No Yes Yes Startup time 380ms 25s 500ms Portable Image Small Large Small Memory footprint Small Large Small Configurability of app Flexible Complex Flexible Network Performance Good Good Good Backward Compatibility No Yes Yes (bring your own kernel) Security/Isolation Weak Strong Strong

25. HYPERNETES the cloud platform for NFV

26. HYPERNETES ➤ Hypernetes, also known as h8s is: ➤ Kubernetes

    + HyperContainer ➤ HyperContainer is now an official container runtime in k8s 1.6 ➤ integration is achieved thru kubernetes/frakti project ➤ + OpenStack ➤ Multi-tenant network and persistent volumes ➤ standalone Keystone + Neutron + Cinder

27. 1. CONTAINER RUNTIME

28. POD ➤ Why? ➤ Fix some bad practices: ➤ use

    supervised manage multi-apps in one container ➤ try to ensure container order by hacky scripts ➤ try to copy files from one container to another ➤ try to connect to peer container across whole network stack ➤ So Pod is ➤ The group of super-affinity containers ➤ The atomic scheduling unit ➤ The “process group” in container cloud ➤ Also how HyperContainer match to Kubernetes philosophy Pod log app infra container volume init container

29. HYPERCONTAINER IN KUBERNETES ➤ The standard CRI workflow ➤ see:

    1.6.0 release note NODE Pod foo container A container B A B foo VM foo A B 2. CreatContainer(A) 3. StartContainert(A) 4. CreatContainer(B) 5. StartContainer(B) docker runtime hyper runtime 1. RunPodSandbox(foo) Container Runtime Interface (CRI)

30. 2. MULTI-TENANT NETWORK

31. MULTI-TENANT NETWORK ➤ Goal: ➤ leveraging tenant-aware Neutron network for

    Kubernetes ➤ following the k8s network plugin workflow ➤ Non-goal: ➤ break k8s network model

32. KUBERNETES NETWORK MODEL ➤ Pod reach Pod ➤ all Pods

    can communicate with all other Pods without NAT ➤ Node reach Pod ➤ all nodes can communicate with all Pods (and vice-versa) without NAT ➤ IP addressing ➤ Pod in cluster can be addressed by its IP

33. DEFINE NETWORK ➤ Network ➤ a top level API object

    ➤ Network: Namespace = 1: N ➤ each tenant (created by Keystone) has its own Network ➤ Network Controller is responsible for lifecycle of Network object ➤ a control loop to create/delete Neutron “net” based on API object change

34. ASSIGN POD TO NETWORK ➤ Pods belonging to the same

    Network can reach each other directly through IP ➤ a Pod’s network mapping to Neutron “port” ➤ kubelet is responsible for Pod network setup ➤ let’s see how kubelet works

35. DESIGN OF KUBELET InitNetworkPlugin Choose Runtime ҁdocker, rkt, hyper/remote҂ InitNetworkPlugin

    HandlePods {Add, Update, Remove, Delete, …} NodeStatus Network Status status Manager PLEG SyncLoop Pod Update Worker (e.g.ADD) • generale Pod status • check volume status (will talk this later) • use hyper runtime to start containers • set up Pod network (see next slide) volume Manager PodUpdate image Manager

36. SET UP POD NETWORK

37. KUBESTACK A standalone gRPC daemon 1. to “translate” the SetUpPod

    request to the Neutron network API 2. handling multi-tenant Service proxy

38. MULTI-TENANT SERVICE ➤ Default iptables-based kube-proxy is not tenant aware

    ➤ Pods and Nodes are isolated into different networks ➤ Hypernetes uses a build-in ipvs as the Service LB ➤ handle all Services in same namespace ➤ follow OnServiceUpdate and OnEndpointsUpdate workflow ➤ ExternalProvider ➤ a OpenStack LB will be created as Service ➤ e.g. curl 58.215.33.98:8078

39. 3. PERSISTENT VOLUME

40. PERSISTENT VOLUME IN HYPERNETES ➤ Enhanced Cinder volume plugin ➤

    Linux container: 1. query Nova to find node 2. attach Cinder volume to host path 3. bind mount host path to Pod containers ➤ HyperContainer: ➤ directly attach block devices to Pod ➤ no extra time to query Nova ➤ no need to install full OpenStack Host vol Enhanced Cinder volume plugin Pod Pod mountPath mountPath attach vol desired World reconcile Volume Manager

41. PV EXAMPLE ➤ Create a Cinder volume ➤ Claim volume

    by reference its volumeID

42. HYPERNETES TOPOLOGY Node Node Node kubestack Neutron L2 Agent kube-proxy

    kubelet Enhanced Cinder Plugin VNF Pod VNF Pod VNF Pod VNF Pod Keystone Neutron Cinder Master Object: Network Ceph kube-apiserver kube-apiserver kube-apiserver The next goal of h8s: modular CNI specific plugin for block devices TPR

43. BACK TO THE REAL-WORLD DEMO ➤ Run Clearwater in Hypernetes

    Ellis = k8s Service Bono Homestead Homer Chronos Ralf Astaire Etcd Cassandra Sprout = DNS awareness

44. DEMO ➤ One command to deploy all ➤ All scripts

    and yamls can be found here: ➤ https://github.com/hyperhq/ hypernetes ➤ https://github.com/Metaswitch/ clearwater-docker $ kubectl create -f clearwater-docker/kubernetes/

45. LESSONS LEARNED ➤ Do not use supervisord to manage processes

    ➤ use Pod + initContainer ➤ Do not abuse DNS name ➤ e.g. scscf.sprout is not a valid DNS name, see PR#441 ➤ Liveness & Readiness check are useful

46. THE END NEWS: Stackube, a new OpenStack project originated from

    h8s