Sign up to save your podcasts
Or
Share Container Integration with OVS, with Gurucharan Shetty from VMware
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Container Integration with OVS, with Gurucharan Shetty from VMware
Guru Shetty has been working at VMware, and before that at Nicira, since
about 2011. Guru has done a lot of work to integrate Open vSwitch with
various platforms. This episode is a conversation with Guru primarily
about integrating Open vSwitch and OVN with multiple container systems,
including Docker and Kubernetes.
Guru begins by reiterating the rationale for containers from an
application developer point of view: to capture and encapsulate
dependencies into usable pieces and thereby make the software easier to
consume. This is not so different from a VM, conceptually, but
containers have some advantages in terms of size and life-cycle
management. Microservices, on the other hand, are a way of building an
application from many independently deployed and upgradeable components
that interact through well-defined APIs. The components, which are the
microservices themselves, could be housed on physical machines or in VMs
but are usually in containers.
To introduce the topic of how Open vSwitch integrates with container
systems, Guru begins by describing how Open vSwitch integrates with any
kind of virtualization. This is divided into three parts. First, the
virtualization system must attach its virtual interfaces to Open vSwitch.
This is usually simple: for a system that already integrates with the
Linux bridge, for example, it might entail calling into the OVS
ovs-vsctl program instead of the bridge's
brctl. Second, the virtualization system needs to provide
some metadata to allow a network controller to identify the relationship
between VIFs and VMs. These first two pieces do not differ much between
VM and container virtualization.
The third part of integrating a virtualization system with Open vSwitch
is a matter of matching up the virtualization system's networking
concepts with those understood by the network controller. OpenStack, for
example, has switch and router concepts and supports various ways to
connect virtual networks to external physical ones. Container systems,
though, generally have much simpler ideas of how to interact with
networks, perhaps because they are designed by and for application
developers who have little interest in operating a network as opposed to
simply using one. This makes container systems harder to integrate with
featureful virtual networking systems such as OVN, since they simply lack
many of the concepts. Guru makes the counterpoint, though, that
OpenStack and similar ask application developers to work with a lot of
low-level concepts that really have no direct importance to them.
Rather, networking should “just work.”
OVS integration with Docker evolved through a few steps. The first step
was a form of integration without assistance from Docker itself, through
an external wrapper that built a network namespace and configured Docker
to use it through a veth pair. This was not ideal, so
Guru proposed a native integration framework for Docker. At the same
time, there were about a dozen startups and companies all trying to do
something similar, which led to a lot of fighting over the approach.
Eventually Docker elected to provide a pluggable architecture, although
its form is still unsatisfactory for many purposes and thus a number of
vendors continue to use a “side-band” or wrapper approach. A form of
the latter has been standardized as CNI, which is what
Kubernetes and CoreOS and Mesos use.
Guru has also implemented integration between Open vSwitch and
Kubernetes, the wildly popular container orchestration system from
Google. It approaches networking problems from an application deployer's
perspective. For example, an application developer does not care about
IP addresses, so Kubernetes hides those details, instead exposing
services through higher-level names that are more meaningful to the
developers. Kubernetes also exposes every application through a load
balancer that allows the application to scale by increasing or decreasing
the number of containers behind the load balancer, in a manner hidden
from the application's clients. Guru implemented Kubernetes load
balancing support for OVN through the NAT feature added to recent
versions of Open vSwitch.
The OVN support for Kubernetes is implemented in a repository separate
from the main Open vSwitch repository, which is unusual for OVN and Open
vSwitch. This was done because Kubernetes changes much faster than Open
vSwitch, so that OVN-Kubernetes integration needs to change much more
quickly too.
One possibility for the future of the OVN-Kubernetes integration is to
take advantage of the Open vSwitch support for DPDK to build a very fast
north-south gateway for Kubernetes.
Guru talks briefly about the possibilities for Open vSwitch integration
with Mesos, Pivotal Cloud Foundry, and Rocket.
Guru talks about how OVN might be a useful component for service function
chaining in container environments, where its general concept of network
virtualization gives a lot of value versus ad hoc techniques.
Sometimes containers are portrayed as having, compared to VMs, huge
numbers per host and high rates of change. Guru has not seen this in
practice. While containers are shorter-lived than VMs, the scale is not
much higher.
OVS Orbit is produced by Ben Pfaff. The
intro music in this episode is Drive,
featuring cdk and DarrylJ, copyright 2013, 2016 by Alex. The bumper music is
Yeah Ant
featuring Wired Ant and Javolenus, copyright 2013 by Speck. The outro
music is Space
Bazooka featuring Doxen Zsigmond, copyright 2013 by Kirkoid. All content is licensed under a Creative Commons Attribution 3.0
Unported (CC BY 3.0) license.
View all episodes
By Ben Pfaff
5
11 ratings
Guru Shetty has been working at VMware, and before that at Nicira, since
about 2011. Guru has done a lot of work to integrate Open vSwitch with
various platforms. This episode is a conversation with Guru primarily
about integrating Open vSwitch and OVN with multiple container systems,
including Docker and Kubernetes.
Guru begins by reiterating the rationale for containers from an
application developer point of view: to capture and encapsulate
dependencies into usable pieces and thereby make the software easier to
consume. This is not so different from a VM, conceptually, but
containers have some advantages in terms of size and life-cycle
management. Microservices, on the other hand, are a way of building an
application from many independently deployed and upgradeable components
that interact through well-defined APIs. The components, which are the
microservices themselves, could be housed on physical machines or in VMs
but are usually in containers.
To introduce the topic of how Open vSwitch integrates with container
systems, Guru begins by describing how Open vSwitch integrates with any
kind of virtualization. This is divided into three parts. First, the
virtualization system must attach its virtual interfaces to Open vSwitch.
This is usually simple: for a system that already integrates with the
Linux bridge, for example, it might entail calling into the OVS
ovs-vsctl program instead of the bridge's
brctl. Second, the virtualization system needs to provide
some metadata to allow a network controller to identify the relationship
between VIFs and VMs. These first two pieces do not differ much between
VM and container virtualization.
The third part of integrating a virtualization system with Open vSwitch
is a matter of matching up the virtualization system's networking
concepts with those understood by the network controller. OpenStack, for
example, has switch and router concepts and supports various ways to
connect virtual networks to external physical ones. Container systems,
though, generally have much simpler ideas of how to interact with
networks, perhaps because they are designed by and for application
developers who have little interest in operating a network as opposed to
simply using one. This makes container systems harder to integrate with
featureful virtual networking systems such as OVN, since they simply lack
many of the concepts. Guru makes the counterpoint, though, that
OpenStack and similar ask application developers to work with a lot of
low-level concepts that really have no direct importance to them.
Rather, networking should “just work.”
OVS integration with Docker evolved through a few steps. The first step
was a form of integration without assistance from Docker itself, through
an external wrapper that built a network namespace and configured Docker
to use it through a veth pair. This was not ideal, so
Guru proposed a native integration framework for Docker. At the same
time, there were about a dozen startups and companies all trying to do
something similar, which led to a lot of fighting over the approach.
Eventually Docker elected to provide a pluggable architecture, although
its form is still unsatisfactory for many purposes and thus a number of
vendors continue to use a “side-band” or wrapper approach. A form of
the latter has been standardized as CNI, which is what
Kubernetes and CoreOS and Mesos use.
Guru has also implemented integration between Open vSwitch and
Kubernetes, the wildly popular container orchestration system from
Google. It approaches networking problems from an application deployer's
perspective. For example, an application developer does not care about
IP addresses, so Kubernetes hides those details, instead exposing
services through higher-level names that are more meaningful to the
developers. Kubernetes also exposes every application through a load
balancer that allows the application to scale by increasing or decreasing
the number of containers behind the load balancer, in a manner hidden
from the application's clients. Guru implemented Kubernetes load
balancing support for OVN through the NAT feature added to recent
versions of Open vSwitch.
The OVN support for Kubernetes is implemented in a repository separate
from the main Open vSwitch repository, which is unusual for OVN and Open
vSwitch. This was done because Kubernetes changes much faster than Open
vSwitch, so that OVN-Kubernetes integration needs to change much more
quickly too.
One possibility for the future of the OVN-Kubernetes integration is to
take advantage of the Open vSwitch support for DPDK to build a very fast
north-south gateway for Kubernetes.
Guru talks briefly about the possibilities for Open vSwitch integration
with Mesos, Pivotal Cloud Foundry, and Rocket.
Guru talks about how OVN might be a useful component for service function
chaining in container environments, where its general concept of network
virtualization gives a lot of value versus ad hoc techniques.
Sometimes containers are portrayed as having, compared to VMs, huge
numbers per host and high rates of change. Guru has not seen this in
practice. While containers are shorter-lived than VMs, the scale is not
much higher.
OVS Orbit is produced by Ben Pfaff. The
intro music in this episode is Drive,
featuring cdk and DarrylJ, copyright 2013, 2016 by Alex. The bumper music is
Yeah Ant
featuring Wired Ant and Javolenus, copyright 2013 by Speck. The outro
music is Space
Bazooka featuring Doxen Zsigmond, copyright 2013 by Kirkoid. All content is licensed under a Creative Commons Attribution 3.0
Unported (CC BY 3.0) license.