How OpenShift SDN helps to automate
TRANSCRIPT
Page 1: OpenShift SDN: How OpenShift Networking helps to automate
Ilkka Tengvall ([email protected]), Solution Architect, Red Hat, April 2016
Page 2: Agenda
Understand what the OpenShift network benefits are and how to use them
● What problem are we trying to solve?
● What are the advantages of the solution?
Page 3: Container cluster network might be messy
But it doesn’t need to be
Page 4: How do we do that with SDN? Add a layer of (confusion) abstraction!
Page 5: DEMO to answer the big WHY :)
* OpenShift itself is production ready!
Author of demo: Tero Ahonen, Cybercom Finland
Page 6: Code
Developers can leverage existing development tools and then access the OpenShift Web, CLI or IDE interfaces to create new application services and push source code via Git. OpenShift can also accept binary deployments or be fully integrated with a customer’s existing CI/CD environment.
Source 2 Image Walk Through: Can configure triggers for automated deployments, builds, and more.
Page 7: Build
OpenShift automates the Docker image build process with Source-to-Image (S2I). S2I combines source code with a corresponding Builder image from the integrated Docker registry. Builds can also be triggered manually or automatically by setting a Git webhook.
Source 2 Image Walk Through: Can configure triggers for automated deployments, builds, and more.
Page 8: Deploy
OpenShift automates the deployment of application containers across multiple Node hosts via the Kubernetes scheduler. Users can automatically trigger deployments on application changes and do rollbacks, configure A/B deployments and other custom deployment types.
Source 2 Image Walk Through:
● Can configure different deployment strategies like A/B, Rolling upgrade, Automated base updates, and more.
● Can configure triggers for automated deployments, builds, and more.
● Logs and metrics
Page 10: Why do we need Software Defined Networking?
● Containers are designed to come and go. Networking needs automation.
● Automation allows extreme elasticity in provisioning services
● HA models and automated scaling
● Locate services where they make the most sense physically
Page 11 (diagram): API traffic to control OpenShift
A load balancer (LB, lb.MyOpenShiftPaaS.com) in the DMZ fronts Master1, Master2 and Master3; the nodes are spread across Zone A and Zone B.
Page 12 (diagram): Application traffic via HA-Router with two spares
Master1, Master2 and Master3 in the DMZ, nodes spread across Zone A and Zone B; application traffic arrives for *.apps.MyOpenShiftPaaS.com.
Page 13 (diagram): Application traffic via HA-Router recovery
The same topology drawn with only Master2 and Master3 present (Master1 absent); application traffic for *.apps.MyOpenShiftPaaS.com.
Page 14 (diagram): Private intranet traffic via another router
Master1, Master2 and Master3 in the DMZ; nodes spread across Zone A, Zone B and Zone 52.
Page 15 (diagram): Cluster Ingress via Router
A machine outside of the cluster, on the external network, reaches the public IP address of a node with external access. The Router pod runs on that node and uses HostNetwork. From there traffic goes over the node IP to a cluster node, where the cluster pod on that node receives it on its pod IP address.
Page 16 (diagram): SDN Across the Cluster
A VxLAN overlay runs on top of the real network. The Zone A node at 172.16.1.2 hosts the pod subnet 10.1.2.x; the Zone B node at 192.168.1.2 hosts the pod subnet 10.1.3.x.
Page 17 (diagram): SDN Inside the Node
Pods (Docker containers), each with its own eth0, attach to the Linux bridge lbr0 and the OVS bridge br0 (br0 ports: Port 1, Port 2 = tun0, Port 3, Port 4+). VxLAN carries traffic to external pods on other nodes; iptables NAT via tun0 carries traffic to external systems on the external network through the node's actual eth0.
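The two diagrams above make one point that matters for monitoring: on the real network, only the outer VxLAN packet (node IP to node IP, UDP 4789) is visible, and the pod addresses are inside it. The following is an added example, not code from the slides or from OpenShift: it decapsulates a VxLAN frame, reads the inner IPv4 endpoints, and maps them back to the hosting node using the per-node pod subnets from Page 16. The node IPs and subnets are the slide's sample values; the captured frame is constructed inline; the VNI value and MAC addresses are made up.

```python
import ipaddress
import struct
from typing import Optional

# Constructed from the Page 16 diagram: each node owns one /24 of pod addresses
# and reaches the other node's pods through the VxLAN overlay. These are the
# slide's sample values, not a real cluster.
NODE_POD_SUBNETS = {
    "172.16.1.2": ipaddress.ip_network("10.1.2.0/24"),   # Zone A node
    "192.168.1.2": ipaddress.ip_network("10.1.3.0/24"),  # Zone B node
}

VXLAN_UDP_PORT = 4789          # IANA-assigned VXLAN port (RFC 7348)
VXLAN_FLAG_VNI_VALID = 0x08    # the "I" flag: the VNI field is valid
ETHERTYPE_IPV4 = 0x0800


def node_hosting(pod_ip: str) -> Optional[str]:
    """Return the node whose pod subnet contains pod_ip, or None if unknown."""
    addr = ipaddress.ip_address(pod_ip)
    for node_ip, subnet in NODE_POD_SUBNETS.items():
        if addr in subnet:
            return node_ip
    return None


def build_vxlan_frame(vni: int, src_pod: str, dst_pod: str, proto: int = 6) -> bytes:
    """Construct a minimal VXLAN payload for the example: 8-byte VXLAN header,
    inner Ethernet header, inner IPv4 header (checksum left zero; enough for
    header parsing, not a valid packet to transmit)."""
    vxlan_hdr = bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    eth_hdr = (bytes.fromhex("0a0000000001") + bytes.fromhex("0a0000000002")
               + struct.pack("!H", ETHERTYPE_IPV4))
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0, 64, proto, 0,
        ipaddress.ip_address(src_pod).packed,
        ipaddress.ip_address(dst_pod).packed,
    )
    return vxlan_hdr + eth_hdr + ip_hdr


def parse_vxlan_frame(udp_payload: bytes) -> dict:
    """Decapsulate one VXLAN frame and return the VNI and inner IPv4 endpoints."""
    if len(udp_payload) < 8 + 14 + 20:
        raise ValueError("payload too short for VXLAN + Ethernet + IPv4 headers")
    if not udp_payload[0] & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN header without a valid VNI")
    vni = int.from_bytes(udp_payload[4:7], "big")
    inner = udp_payload[8:]
    ethertype = struct.unpack("!H", inner[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"inner frame is not IPv4 (ethertype 0x{ethertype:04x})")
    ip_hdr = inner[14:34]
    if ip_hdr[0] >> 4 != 4:
        raise ValueError("inner IP header is not version 4")
    return {
        "vni": vni,
        "proto": ip_hdr[9],
        "src_pod": str(ipaddress.ip_address(ip_hdr[12:16])),
        "dst_pod": str(ipaddress.ip_address(ip_hdr[16:20])),
    }


def overlay_path(udp_payload: bytes) -> dict:
    """Attribute a captured overlay frame to pods and to the nodes that carried it.
    The outer IP/UDP headers (already stripped here) only show node IPs; the
    inner addresses are what names the pods involved."""
    inner = parse_vxlan_frame(udp_payload)
    return {
        **inner,
        "src_node": node_hosting(inner["src_pod"]),
        "dst_node": node_hosting(inner["dst_pod"]),
    }


if __name__ == "__main__":
    sample = build_vxlan_frame(vni=0, src_pod="10.1.2.5", dst_pod="10.1.3.7")
    print(overlay_path(sample))
```

The same subnet-to-node mapping is what you need when reading logs of external systems: after the iptables NAT shown on Page 17, they record the node's IP, so correlating a connection back to a pod requires the node-side view (conntrack or a capture on tun0/br0), not the external log alone.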
Page 18: The technology involved
Virtual Bridge
● Open vSwitch
● Linux Bridge
Transport/Tunneling
● VxLAN
● VLAN Tagging
● UDP Encapsulation
● IP Routing
Virtual Interface
● Veth Pair
● Tap/Tun
Integrations for swapping to:
● F5
● Nuage
● …?
Future:
● Container Network Interface (CNI) for plugins https://github.com/appc/cni
Page 19: Traffic Inside the Cluster
● Discoverability via Services
● Services available as
  ○ Environment Variables
  ○ Automatic DNS entries
● Simple round-robin-ish load balancing
● Leading the community to define flexible access control policy
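How a pod actually finds a service through the two mechanisms on this slide, as an added example (not code from the slides or from OpenShift): the environment-variable naming that Kubernetes injects (service name upper-cased, dashes to underscores, then _SERVICE_HOST and _SERVICE_PORT), the DNS name the cluster serves, and a deterministic stand-in for the proxy's endpoint choice. The cluster domain cluster.local is the Kubernetes default and is assumed; the service names, namespace, addresses and ports are constructed.

```python
import itertools
import os
from typing import Dict, List, Optional, Tuple

CLUSTER_DOMAIN = "cluster.local"   # Kubernetes default cluster domain (assumed here)


def service_env_prefix(service_name: str) -> str:
    """Kubernetes names the injected variables after the service: the name is
    upper-cased and '-' becomes '_', so service my-db yields MY_DB_SERVICE_HOST."""
    return service_name.upper().replace("-", "_")


def service_dns_name(service_name: str, namespace: str) -> str:
    """Fully qualified name the cluster DNS answers for a service."""
    return f"{service_name}.{namespace}.svc.{CLUSTER_DOMAIN}"


def discover_service(service_name: str, namespace: str,
                     env: Optional[Dict[str, str]] = None,
                     default_port: Optional[int] = None) -> Tuple[str, int]:
    """Locate a service from inside a pod.

    Environment variables are tried first, but they are only injected for
    services that already existed when the pod started, so the DNS name is the
    fallback. The port is not discoverable from DNS A records, so the caller
    has to supply it for the fallback path."""
    env = os.environ if env is None else env
    prefix = service_env_prefix(service_name)
    host = env.get(f"{prefix}_SERVICE_HOST")
    port = env.get(f"{prefix}_SERVICE_PORT")
    if host and port:
        return host, int(port)
    if default_port is None:
        raise LookupError(f"no env vars for {service_name} and no default port given")
    return service_dns_name(service_name, namespace), default_port


class RoundRobin:
    """Minimal stand-in for the service proxy's endpoint choice. The real proxy
    is 'round-robin-ish' (the iptables rules pick among endpoints with
    probabilities); strict rotation is used here so the demonstration is
    deterministic."""

    def __init__(self, endpoints: List[str]):
        if not endpoints:
            raise ValueError("a service with no endpoints cannot be balanced")
        self._cycle = itertools.cycle(endpoints)

    def pick(self) -> str:
        return next(self._cycle)


if __name__ == "__main__":
    # Constructed environment, as the kubelet would inject it for service my-db.
    pod_env = {"MY_DB_SERVICE_HOST": "172.30.10.5", "MY_DB_SERVICE_PORT": "5432"}
    print(discover_service("my-db", "proj", pod_env))
    print(discover_service("cache", "proj", pod_env, default_port=6379))
    rr = RoundRobin(["10.1.2.5", "10.1.3.7"])
    print([rr.pick() for _ in range(3)])
```

Prefer the DNS path in application code: it works for services created after the pod, and it keeps clients addressing the stable service name rather than individual pod IPs, which is what makes the scaling and mobility on the later Router slide transparent to callers.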
Page 20: Getting Traffic Into the Cluster: OpenShift Router
● HAProxy Load Balancer
● Built in to the platform
● Supports common web traffic: HTTP, HTTPS, TLS SNI
● F5 BIG IP integration also available
Page 21: Getting Traffic Into The Cluster: Service NodePorts
● Provided by Kubernetes
● Same port on EVERY node forwarded to service
● Can handle non-HTTP traffic
Page 22: Getting Traffic Into The Cluster: HostPorts/HostNetwork
● Ports on the host where the pod is
● Requires custom scheduling
● Can be used to write custom ingress
● This is what the internal router uses
Page 23: Getting Traffic Out Of The Cluster
● Traffic is NAT’d to the host IP
● No current security policy on egress traffic
  ○ We are working in the community to design egress policies
Page 24: OpenShift Router
● Stable (configurable) DNS name
  ○ We often suggest a wildcard DNS to the router
  ○ You can configure DNS by hand route by route
● Application scalability and mobility inside the cluster
● Protocols
  ○ HTTP
  ○ HTTPS (with SNI)
  ○ WebSockets
  ○ TLS with SNI
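Pages 20 to 24 describe three different ways traffic enters the cluster, each with a different reach: a Route is reachable by anyone who can reach the router, a NodePort opens the same port on every node, and hostPort/hostNetwork opens ports directly on whichever node schedules the pod (bypassing the SDN). The following added example (not code from the slides or from OpenShift) walks a set of API objects and reports every ingress path they open, so a reviewer can see the exposure of a project at a glance. The field names (Route spec.host and spec.tls.termination, Service spec.type NodePort with ports[].nodePort, pod spec hostNetwork and containers[].ports[].hostPort) are the OpenShift 3.x / Kubernetes API fields; the object names, hostnames and port numbers are constructed for the example.

```python
from typing import Dict, List

# Constructed sample manifests, already parsed into dicts (no YAML library
# needed). Names, hostnames and ports are made up for this example.
SAMPLE_OBJECTS: List[Dict] = [
    {"kind": "Route", "metadata": {"name": "web"},
     "spec": {"host": "web.apps.MyOpenShiftPaaS.com",
              "to": {"kind": "Service", "name": "web"},
              "tls": {"termination": "edge"}}},
    {"kind": "Service", "metadata": {"name": "mqtt"},
     "spec": {"type": "NodePort",
              "ports": [{"port": 1883, "nodePort": 31883, "protocol": "TCP"}]}},
    {"kind": "Service", "metadata": {"name": "web"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 8080}]}},
    {"kind": "DeploymentConfig", "metadata": {"name": "custom-ingress"},
     "spec": {"template": {"spec": {
         "hostNetwork": True,
         "containers": [{"name": "lb",
                         "ports": [{"containerPort": 443, "hostPort": 443}]}]}}}},
]


def _pod_spec(obj: Dict) -> Dict:
    """Pods carry their spec directly; controllers carry it under spec.template."""
    spec = obj.get("spec", {})
    return spec if obj.get("kind") == "Pod" else spec.get("template", {}).get("spec", {})


def review_exposure(objects: List[Dict]) -> List[Dict]:
    """Report every ingress path the objects open, tagged with where it is reachable from."""
    findings: List[Dict] = []
    for obj in objects:
        kind = obj.get("kind")
        name = obj.get("metadata", {}).get("name", "<unnamed>")
        spec = obj.get("spec", {})
        if kind == "Route":
            tls = spec.get("tls") or {}
            findings.append({
                "object": f"Route/{name}", "path": "router",
                "reach": "anything that can reach the HAProxy router's public IP",
                "detail": f"host={spec.get('host', '<generated>')} "
                          f"tls={tls.get('termination', 'none (plain HTTP)')}",
            })
        elif kind == "Service" and spec.get("type") == "NodePort":
            for port in spec.get("ports", []):
                findings.append({
                    "object": f"Service/{name}", "path": "nodeport",
                    "reach": "the same port on EVERY node",
                    "detail": f"nodePort={port.get('nodePort', '<allocated>')} "
                              f"-> {port.get('port')}/{port.get('protocol', 'TCP')}",
                })
        else:
            pod = _pod_spec(obj)
            if not pod:
                continue  # ClusterIP services and non-pod objects open no host port
            if pod.get("hostNetwork"):
                findings.append({
                    "object": f"{kind}/{name}", "path": "hostnetwork",
                    "reach": "all interfaces of whichever node schedules it (bypasses the SDN)",
                    "detail": "hostNetwork=true",
                })
            for container in pod.get("containers", []):
                for port in container.get("ports", []):
                    if "hostPort" in port:
                        findings.append({
                            "object": f"{kind}/{name}", "path": "hostport",
                            "reach": "that port on the node where the pod lands",
                            "detail": f"hostPort={port['hostPort']} "
                                      f"-> containerPort={port.get('containerPort')}",
                        })
    return findings


def paths_summary(findings: List[Dict]) -> Dict[str, int]:
    """Count findings per ingress path, for a one-line overview of a project."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding["path"]] = counts.get(finding["path"], 0) + 1
    return counts


if __name__ == "__main__":
    found = review_exposure(SAMPLE_OBJECTS)
    for finding in found:
        print(f"{finding['object']:30} {finding['path']:12} {finding['detail']}")
    print(paths_summary(found))
```

In practice the object list comes from an export of the project (for example the JSON output of the CLI), and the hostnetwork and hostport findings are the ones to look at first: they are what the internal router legitimately uses, and anything else using them is a custom ingress that sits outside the Router's DNS and TLS handling.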
Page 25: Troubleshooting
● Try the troubleshooting guide: https://docs.openshift.com/enterprise/3.1/admin_guide/sdn_troubleshooting.html
● Use plotnetcfg (dnf install plotnetcfg; or clone https://github.com/jbenc/plotnetcfg) to draw a diagram of the networking inside a machine
● Use the same tools as with a physical cluster (except with fewer physical cables to check)
  ○ ping, tcpdump, wireshark, etc.
Page 26: Future directions
● We will use the Container Network Interface (CNI) for plugins
  ○ https://github.com/appc/cni
  ○ OpenShift SDN will be reimplemented as a CNI plugin
  ○ Why? More feature complete plugin interface
  ○ Hopefully there will be more networking plugins available
● Check out the OpenShift Networking board:
  ○ https://trello.com/b/TV5P9gKe/networking
Page 27: OpenStack integrations (future)
● LDAP unified user management (Keystone + OSE)
● Floating IP and Firewall to help with public traffic
● HEAT + ansible installer
● Cinder Block Storage as persistent storage *
● VLAN aware VLANS will possibly help unifying networks *
Infotaining YouTube flicks to watch:
● OpenShift on OpenStack: https://youtu.be/8Hjk-EImZLk
● Case Santander global SDN using Nuage: https://youtu.be/cmr3UZCkL5A
● Tens of excellent tutorials on OpenShift at the OpenShift channel: https://www.youtube.com/channel/UCZKMj3YI0wP-kq4QYpaKdEA
Page 28: Conclusion
● Don’t be afraid of SDN
● It’s the same concepts as a physical network
● Virtualizing the components brings many benefits
● There are some costs, but most can be worked around, if needed
Page 29: THANK YOU
plus.google.com/+RedHat
linkedin.com/company/red-hat
youtube.com/user/RedHatVideos
facebook.com/redhatinc
twitter.com/RedHatNews
twitter.com/RedHatAtomic