running dockerized services across several cloud providers

Post on 24-Jan-2017


Running Dockerized services across several cloud providers

KONTENA MEETUP IS STARTING SOON

@kontenainc | slack.kontena.io | github.com/kontena/kontena

Agenda

1. Kontena briefly

2. Overlay networking concepts

3. Demo

What is Kontena?

© 2015 Kontena, Inc.

Open Source container & micro services platform built to maximize developer

happiness. Works on any cloud, easy to setup, simple to use.

Quick Facts

~1k GitHub stargazers

>1M installs (Docker pulls)


Quotes from Community

“You guys have clearly put a heck of a lot of time and thought into Kontena, it's really pretty cool.”

- thecatwasnot

“I’m onto day 2 on Kontena, and I think I’m close to moving a production app over to it. Very very cool project.”

- cory

“Your project looks amazing, and is exactly what I want.”

- dbones

Source: Kontena Gitter

How does it work?

Kontena Grid

A number of physical or virtual machines, Kontena Nodes, form a Kontena Grid. The nodes may be located anywhere: in a single data center, in different AZs, or at different cloud providers.

Overlay Network

Kontena automatically creates an overlay network powered by Weave and connects all nodes of a Grid. The overlay network enables services to communicate with each other in a multi-host, multi-AZ environment.

Service Discovery

Kontena has built-in service discovery powered by etcd. It is used to automatically assign DNS names to any services running in Kontena. It is also used by Kontena's load balancer for zero-downtime operation.

Orchestration

Kontena's orchestrator distributes, runs and monitors all Kontena Services in a Grid. Services may be stateless or stateful, and they are automatically distributed across the Nodes in a Grid.

Containerized Workloads

With Kontena, all containerized workloads are described as Services. A Kontena Service is composed of containers based on the same image. Services may be scaled and linked together to create complex elastic apps.


Kontena Nodes & Agent

The Kontena Agent may be installed on any machine capable of running Docker. It runs as a privileged container on the machine. A privileged container has root-equivalent access to the host, so the security of a node reduces to that of the agent and its channel to the Master.

Kontena Master

The Kontena Master orchestrates the entire Kontena system. It provides the APIs used by the Kontena CLI, the Web UI and third-party integrations.

The Kontena Master may be installed in a high-availability setup if needed.

All Batteries Included!

Built-In Image Registry

Sometimes projects cannot use publicly hosted container image registries like Docker Hub. Kontena comes with a built-in container image registry that provides a private and secure alternative.

Built-In VPN Access

All containers run inside a virtual private network by default. Nothing is exposed to the Internet unless explicitly defined. With Kontena's built-in VPN access, developers can securely reach those resources.

Built-In Load Balancer

Kontena comes with a built-in load balancer based on HAProxy. It features fully automatic, zero-downtime operation thanks to deep integration with Kontena's service discovery and orchestration.

Aggregated Stats & Logs

Kontena provides real-time log and statistics streams from containers. The streams may be grouped and aggregated to produce service-level streams. This makes it easy to view logs and CPU, memory, disk and network usage for your application.

User Management with Audit Trail

All events and actions performed through the Kontena CLI or APIs are logged to an audit trail. Combined with users and access control, the audit trail makes Kontena a reliable and secure solution for enterprise deployments.

Built-In Secrets Management

When your application requires access to APIs or databases, you will often need secrets such as passwords and access tokens to authenticate that access. Kontena Vault is a secure key/value store that can be used to manage secrets in Kontena.

“Includes all the s**t you don’t want to implement by yourself”

Multi cloud/DC apps

Multi cloud/DC challenges

• Deployment differences
• Platforms
• Networking
• …
• Enabling connectivity between clouds
• Security
• Service discovery

Potential solutions

• VPN(s) between clouds
• Custom service discovery
• Port mappings


Overlay Networking

Overlay Network


Image credit: https://www.weave.works/wp-content/uploads/d989f137a913d15c6ab2afe14149d8acfd180db3.png

Overlay network features

• Mesh networking
• DNS
• Encryption
• Multicast
• NAT traversal


How it works


Image credit: https://www.weave.works/wp-content/uploads/049a8b89c3cb6526256b63378fd88d2fddc27884.png

How it works

• Each node in a grid is a network peer
• Peers establish TCP connections for the control plane
• Peers establish UDP "connections" for the data plane
• Network bridge on each host
• Containers attached to the overlay bridge with veth pairs
• Network topology and container info (MACs) exchanged between peers


Fastdp vs. sleeve

• Weave overlay supports two modes: fastdp and sleeve
• Fastdp: kernel-space forwarding with Open vSwitch & VXLAN
• Sleeve: user-space UDP tunneling


IP Address Management

• IPAM is taken care of by Kontena
• Infrastructure service on each node
• Data backed by etcd on the nodes
• Kind of like DHCP :)

• Default overlay network is 10.81.0.0/16
• 10.81.0.0/17 used by Kontena infrastructure services
• 10.81.128.0/17 used by service containers


DNS

• The overlay network has its own DNS service
• Kontena configures DNS for each service and each container
• Service-level DNS has the IPs of all containers
• <service>.<stack>.<grid>.kontena.local
• <service>-<instance_number>.<stack>.<grid>.kontena.local
• For a stack-exposed service: <stack>.<grid>.kontena.local


Trusted subnets

• By default the overlay uses encrypted sleeve connections between peers
• Not all traffic needs to be encrypted, e.g. within an AWS VPC
• Kontena supports trusted subnets
• Configure each trusted subnet for the grid
• Within a trusted subnet, the overlay uses fastdp without encryption
• A trusted subnet turns encryption off for every peer link whose endpoints fall inside it, so only list ranges whose wire you control end to end (such as a VPC's private CIDR), never a range shared with other tenants or reachable from the Internet

Example trusted subnets: 192.168.100.0/24, 10.10.0.0/24

Network Interfaces

• Public address
  • The node tries to resolve this using http://whatismyip.akamai.com (plain HTTP, so set it explicitly where that lookup cannot be trusted)
  • Can be set with KONTENA_PUBLIC_IP
• Private address
  • By default taken from eth1
  • Override using KONTENA_PRIVATE_IP
  • KONTENA_PEER_INTERFACE controls which interface is used for overlay peering
• Overlay address
  • Each node has a 10.81.0.[1..254]/16 address on the overlay network
  • Sequentially allocated when the node joins the grid
• Docker bridge
  • 172.17.0.1 on the docker0 bridge
  • Overlay DNS
  • Provides outside connectivity for containers


Network interface selection

• Kontena intelligence
• Nodes within the same region use the private interface to connect, e.g. label: region=eu-central-1
• The Master figures these out when a node joins the grid
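The IPAM split, the interface selection rule and the trusted-subnet rule above can be modelled in a few dozen lines. The following is an added example, not Kontena's or Weave's own code: it hands out node overlay addresses in join order, picks the private address for same-region peers and the public one otherwise, and then decides per peer link whether it may run as unencrypted fastdp. Two things are assumptions rather than statements from the slides: a link is treated as trusted only when both endpoint addresses fall inside a configured trusted subnet (the conservative reading of the rule), and trusted subnets are refused unless they are RFC 1918 ranges, a guard the example adds. Node names, labels and addresses are constructed to resemble the demo topology.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Address plan from the slides: 10.81.0.0/16 overlay, lower half for
# infrastructure services, upper half for service containers.
OVERLAY_NET = ipaddress.ip_network("10.81.0.0/16")
INFRA_NET = ipaddress.ip_network("10.81.0.0/17")
SERVICE_NET = ipaddress.ip_network("10.81.128.0/17")

# Added guard (assumption, not from the slides): a trusted subnet switches
# encryption off, so only RFC 1918 ranges are accepted here.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Node:
    name: str
    public_ip: str      # what KONTENA_PUBLIC_IP would carry
    private_ip: str     # what KONTENA_PRIVATE_IP / eth1 would carry
    region: str         # the region=... label
    overlay_ip: Optional[str] = None


@dataclass
class Grid:
    name: str
    trusted_subnets: List[ipaddress.IPv4Network] = field(default_factory=list)
    nodes: List[Node] = field(default_factory=list)

    def add_trusted_subnet(self, cidr: str) -> None:
        net = ipaddress.ip_network(cidr)
        if not any(net.subnet_of(private) for private in RFC1918):
            raise ValueError(f"{cidr} is not an RFC 1918 range; refusing to disable encryption on it")
        self.trusted_subnets.append(net)

    def join(self, node: Node) -> str:
        """Allocate the next 10.81.0.N address in join order; N runs 1..254."""
        index = len(self.nodes) + 1
        if index > 254:
            raise ValueError("node address pool 10.81.0.1-254 exhausted")
        node.overlay_ip = str(OVERLAY_NET.network_address + index)
        self.nodes.append(node)
        return node.overlay_ip

    def is_trusted(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.trusted_subnets)

    def peer_endpoints(self, a: Node, b: Node) -> Tuple[str, str]:
        """Same region label: private addresses; otherwise public addresses."""
        if a.region == b.region:
            return a.private_ip, b.private_ip
        return a.public_ip, b.public_ip

    def link_mode(self, a: Node, b: Node) -> str:
        """'fastdp-plain' only when BOTH endpoints sit in a trusted subnet
        (assumed conservative rule); everything else stays 'sleeve-encrypted'."""
        src, dst = self.peer_endpoints(a, b)
        if self.is_trusted(src) and self.is_trusted(dst):
            return "fastdp-plain"
        return "sleeve-encrypted"

    def peering_plan(self) -> Dict[Tuple[str, str], str]:
        """Mode for every unordered node pair in the grid."""
        plan: Dict[Tuple[str, str], str] = {}
        for i, a in enumerate(self.nodes):
            for b in self.nodes[i + 1:]:
                plan[(a.name, b.name)] = self.link_mode(a, b)
        return plan


def container_pool(addr: str) -> str:
    """Which half of the overlay an address belongs to, if any."""
    ip = ipaddress.ip_address(addr)
    if ip in INFRA_NET:
        return "infrastructure"
    if ip in SERVICE_NET:
        return "service"
    return "outside-overlay"


def demo_grid() -> Grid:
    """Constructed sample resembling the demo: DigitalOcean AMS1, an AWS
    eu-central-1 VPC, and a Vagrant DC. All addresses are made up."""
    g = Grid("demo")
    g.add_trusted_subnet("10.10.0.0/24")        # the VPC's private range
    g.add_trusted_subnet("192.168.100.0/24")    # the Vagrant DC
    g.join(Node("node-1", "203.0.113.10", "10.20.0.10", "ams1"))
    g.join(Node("node-2", "198.51.100.20", "10.10.0.20", "eu-central-1"))
    g.join(Node("node-3", "198.51.100.30", "10.10.0.30", "eu-central-1"))
    g.join(Node("node-6", "192.0.2.60", "192.168.100.60", "vagrant"))
    return g


if __name__ == "__main__":
    grid = demo_grid()
    for node in grid.nodes:
        print(f"{node.name:7s} overlay {node.overlay_ip} ({container_pool(node.overlay_ip)})")
    for (a, b), mode in grid.peering_plan().items():
        print(f"{a} <-> {b}: {mode}")
```

Run as a script it lists each node's overlay address and, for every node pair, whether the link stays encrypted. Only node-2 and node-3 end up on an unencrypted fastdp link: they share a region label, so they peer over their VPC private addresses, and both of those sit in a trusted subnet. Node-6's trusted 192.168.100.0/24 buys it nothing, because every peer it has lives in another region and is therefore reached over its public address. That is the point of the "both ends" rule: a trusted subnet on one side must never silently strip encryption from a link that crosses the public Internet.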


Performance


Performance

• Usually the application becomes the bottleneck before the network does
• The overlay always has some overhead, especially on encrypted peer connections
• A big factor in overlay performance is the MTU
  • By default Weave uses a conservative MTU of 1410
  • If running on a single cloud / network, bigger MTUs are possible
• Grid-level MTU configuration is tracked in https://github.com/kontena/kontena/issues/1640
• With a large MTU and fastdp one can get close to native throughput:

https://www.weave.works/weave-docker-networking-performance-fast-data-path/


Demo Time

Demo topology (from the diagram): Node-1 at DigitalOcean AMS 1; Node-2, Node-3, Node-4, Node-5 and the Master in an AWS VPC in eu-central-1; Node-6 in a private DC (Vagrant).

Our mission is to become the number 1 container & microservices platform for developers

info@kontena.io
@kontenainc
slack.kontena.io
github.com/kontena/kontena
meetup.com/pro/kontena
www.kontena.io

Stay up to date!

www.kontena.io

Learn more about Kontena, the container & microservices platform, at www.kontena.io