340 likes | 355 Views
Learn how VMware NSX provides stability, high availability, and performance solutions for OpenStack Neutron challenges, including demos and key takeaways, with insights from technical product managers. Discover NSX's multi-hypervisor support, advanced networking capabilities, and seamless integration with physical networks.
E N D
Is Neutron challenging to you?Learn how VMware NSX is the solution for regular OpenStack Network & Security services and Kubernetes Dimitri Desmidt – Technical Product Manager NSX Yves Fauser - Technical Product Manager NSX May 2017
Agenda Why Neutron is most challenging OpenStackproject? Why NSX plugin for your Neutron? Demo of OpenStack + NSX What about Kubernetes in NSX? Key Takeaways
Agenda Why Neutron is most challenging OpenStack project? Why NSX plugin for your Neutron? Demo of OpenStack + NSX What about Kubernetes in NSX? Key Takeaways
Neutron is #1 most challenging OpenStack project!!!From OpenStack survey 2016 • https://www.openstack.org/assets/survey/April-2016-User-Survey-Report.pdf Users called out Ceilometer and Neutron most frequently as projects with significant concerns. For Neutron, they wanted the networking service to be less complicated to use, with more substantial documentation and better integration with compute functions and PaaS layer integration
Neutron is #1 most challenging OpenStack project!!!From OpenStack last survey April 2017 • https://www.openstack.org/assets/survey/April2017SurveyReport.pdf Neutron needs to be reworked and simpler – we don't need to include every use case under the sun.
Neutron is #1 most challenging OpenStack project !!!What are the biggest challenges • Highly Complex implementation • Implementation of L2 Switching (http://docs.openstack.org/developer/neutron/devref/openvswitch_agent.html) • Of course this complex solution is possible to be masterized by OpenStack Neutron gurus • However it doesn't removes the challenges on: • Performance • Series of linuxbriges + OVS • Troubleshooting • Doing a simple packet-walk requires high-expertise • And this shows only L2 !!! Web-01 10.1.1.0/24 .11 .12 .13
Neutron is #1 most challenging OpenStack project !!!What are the biggest challenges • Highly Complex implementation – cont • Layer 3 Networking in Neutron - via Layer 3 agent (http://docs.openstack.org/developer/neutron/devref/layer3.html) • And this shows only L3. • Not: • Distributed L3 • Security Group • Load Balancing • etc .1 .1 App-01 10.1.2.0/24 Web-01 10.1.1.0/24 .11 .12 .13 .11 .12
So why a vendor Neutron plugin? • Simpler implementation of Neutron services • Vendor support of that critical Cloud service • Higher performance • Management / Operation / Troubleshooting tools • Stability at scale + High-Availability
Agenda Why Neutron is most challenging OpenStack project? Why NSX plugin for your Neutron? Demo of OpenStack + NSX What about Kubernetes in NSX? Key Takeaways
Why NSX Neutron plugin?Stability and High-Availability • NSX offers Network & Security services Enterprise-Grade quality • with scale tests and longevity tests run on each release • so with vendor support at scale • High-Availability is offered built-in in NSX
Why NSX Neutron plugin?Multi Hyper-Visor support • NSX offers Network & Security services for multiple hypervisors • Important Note: . All NSX Network & Security services are available on both hypervisors. . Network & Security services are installed in kernel for best performance. No Neutron services running in VM (which would bring challenges on HA and performance)
Why NSX Neutron plugin?Advanced Network & Security services vendor supported • NSX offers advanced Network & Security services NSX API & UI VM1 VM2 VM3 LB-Pool VM1 VM1 VM2 VM2 NAT Animated slide VM3 VM2 VM1 VM1 VM2 VM4 Subnet A Subnet B
Why NSX Neutron plugin?Simple and dynamic integration with physical • NSX offers simple and unique integration with physical world NSX router with pre-created BGP adjacencies with physical routers. At day0, nothing is advertised from NSX Router to physical routers BGP NSX API & UI Animated slide OpenStack Logical Networks
Why NSX Neutron plugin? Simple and dynamic integration with physical • NSX offers simple and unique integration with physical world Physical routers are NOT touched !!! Routes learned: . Subnet A + B . Public-NAT 1 + 2 + 3 + 4 BGP NSX API & UI VM1 VM2 VM3 Public-NAT3 LB-Pool VM1 VM1 VM2 VM2 Public-NAT1 Public-NAT4 Animated slide Public-NAT2 VM3 VM2 VM1 VM1 VM2 VM4 Subnet A Subnet B OpenStack Logical Networks
Why NSX Neutron plugin?Performance – Switching (1/3) • NSX offers stunning performance • Streamlining networking services in the hypervisors And FYI View with Security Gateway VM1 VM2 ovs-vswitchd ovs-fwd (conntrack) eth1 VLAN or VXLAN
Why NSX Neutron plugin? Performance – East/West Routing (2/3) • Traffic Flow with Distributed Routing • NSX offers stunning performance .1 .1 App-01 10.1.2.0/24 Web-01 10.1.1.0/24 .11 .12 .13 .11 .12 Logical View Physical View
Why NSX Neutron plugin? Performance – North/South Routing (3/3) • NSX offers stunning performance • DPDK support • Active/Active North/South support External .1 .1 DPDK (80Gbps / Node) App-01 10.1.2.0/24 Web-01 10.1.1.0/24 Active/Active (Active Cluster up to 8 nodes) .11 .12 .13 .11 .12 Logical View Physical View
Why NSX Neutron plugin?Day2 operations (operations / troubleshooting) • NSX makes Neutron manageable • Typical Troubleshooting without NSX root@compute01:~# ovs-dpctl dump-flows recirc_id(0),in_port(6),eth(src=b6:cf:d2:e5:ac:8c,dst=00:50:56:6d:fa:8e),eth_type(0x0800),ipv4(frag=no), packets:92456, bytes:12844792, used:0.305s, flags:P., actions:drop recirc_id(0),in_port(6),eth(src=00:50:56:93:39:7d,dst=ff:ff:ff:ff:ff:ff),eth_type(0x0806),arp(sip=192.168.31.32,tip=192.168.31.31,op=1/0xff), packets:69189, bytes:4151340, used:0.105s, actions:5,4 recirc_id(0),in_port(6),eth(src=00:50:56:6d:fa:8e,dst=00:50:56:93:39:7d),eth_type(0x0800),ipv4(frag=no), packets:88150, bytes:12167094, used:0.689s, flags:P., actions:drop recirc_id(0),in_port(6),eth(src=b6:cf:d2:e5:ac:8c,dst=d2:7e:07:86:a1:cc),eth_type(0x0806), packets:1, bytes:60, used:0.793s, actions:4 recirc_id(0),in_port(3),eth(src=42:7f:11:88:a4:49,dst=ff:ff:ff:ff:ff:ff),eth_type(0x8100),vlan(vid=2101),encap(eth_type(0x0806),arp(op=2/0xff)), packets:30018, bytes:1921152, used:1.621s, actions:2 recirc_id(0),tunnel(tun_id=0x10801000,src=192.168.31.32,dst=192.168.31.231,tos=0xc0,ttl=64,flags(-df+csum+key)),in_port(8),skb_mark(0),eth_type(0x0800),ipv4(proto=17,frag=no),udp(dst=3784), packets:92255, bytes:6088830, used:0.097s, actions:userspace(pid=4294963061,slow_path(bfd)) recirc_id(0),in_port(3),eth(src=00:50:56:93:a9:55,dst=ff:ff:ff:ff:ff:ff),eth_type(0x8100),vlan(vid=2101),encap(eth_type(0x0806),arp(sip=20.20.20.122,tip=20.20.20.121,op=1/0xff)), packets:10005, bytes:640320, used:6.517s, actions:2 recirc_id(0),in_port(4),eth(src=d2:7e:07:86:a1:cc,dst=00:50:56:6d:fa:8e),eth_type(0x0800),ipv4(frag=no), packets:92323, bytes:12738740, used:0.073s, flags:P., actions:6 recirc_id(0),in_port(3),eth(src=ce:4e:c3:f2:d6:59,dst=ff:ff:ff:ff:ff:ff),eth_type(0x8100),vlan(vid=2101),encap(eth_type(0x0806),arp(sip=20.20.20.101,tip=20.20.20.101,op=1/0xff)), packets:3920, bytes:250880, used:1.705s, actions:2 recirc_id(0),tunnel(tun_id=0x1e001000,src=192.168.31.21,dst=192.168.31.231,ttl=64,flags(-df+csum+key)),in_port(8),skb_mark(0),eth_type(0x0800),ipv4(proto=17,frag=no),udp(dst=3784), packets:88175, bytes:5819550, used:0.289s, actions:userspace(pid=4294963061,slow_path(bfd)) recirc_id(0),in_port(6),eth(src=00:50:56:6d:fa:8e,dst=b6:cf:d2:e5:ac:8c),eth_type(0x0800),ipv4(frag=no), packets:88452, bytes:12277876, used:0.789s, flags:P., actions:drop <snip> Troubleshoot OVS from KVM
Why NSX Neutron plugin?Day2 operations (operations / troubleshooting) • NSX makes Neutron manageable • Troubleshooting withNSX Troubleshoot OVS from NSX
Agenda Why Neutron is most challenging OpenStack project? Why NSX plugin for your Neutron? Demo of OpenStack + NSX What about Kubernetes in NSX? Key Takeaways
OpenStack Barcelona 2016 Summit: Done with Mirantis: https://goo.gl/zbpio0 OpenStack Boston 2017 Summit: Doing with RedHat OS 10 this time Demo of OpenStack + NSX • Demo • User1 creation of 2 Tier-App with NAT • User2 creation of 2 Tier-App without NAT • User2 complains MySQL access not working Physical Router Routes learned: . SNAT Router-User1 + FloatingIP-User1Web1 . Subnet User2-Web + User2-DB BGP NSX Tier0 Router External 30.30.30.0/24 SNAT-Router-User1 Floating-IP for User1Web1 No-NAT .1 .1 .1 .1 NAT_db 10.21.2.0/24 NAT_db 10.22.2.0/24 NAT_web 10.21.1.0/24 NAT_web 10.22.1.0/24 MySQL NOT working!!! .3 .3 .3 .3 User1 User2
Agenda Why Neutron is most challenging OpenStack project? Why NSX plugin for your Neutron? Demo of OpenStack + NSX What about Kubernetes in NSX? Key Takeaways
The Container Networking Challenges • No fine grained visibility into container networks • Missing Network Policy definition and enforcement • Missing Network Automation VM Encap Header Data
Kubernetes NSX Topology Kubernetes NSX Topology • Namespaces: We are dynamically building a separate network topology per K8s namespace, every K8s namespace gets one or mode logical switches and one Tier-1 router • Nodes: Are not doing IP routing, every Pod has its own logical port on a NSX logical switch. Every Node can have Pods from different Namespaces and with this from different IP Subnets / Topologies • Firewall: Every Pod has DFW rules applied on its Interface • Routing: High performant East/West and North/South routing using NSX’s routing infrastructure, including dynamic routing to physical network • Visibility and troubleshooting: Every Pod has a logical port on the logical switch with: • Counters • SPAN / Remote mirroring • IPFIX export • Traceflow / Port-Connection tool • Spoofguard • IPAM: NSX is used to provide IP Address Management by supplying Subnets from IP Block to Namespaces, and Individual IPs and MAC to Pods NSX/ K8s topology Namespace: bar Namespace: foo 10.24.1.0/24 10.24.3.0/24 10.24.0.0/24
K8s / NSX ComponentsNetwork Container Plugin (NCP) NSX Container Plugin Network Container Plugin (NCP) K8s / OSAdapter NCM Infra NSX Manager API Client • NSX Container Plugin: NCP is a software component provided by VMware in form of a container image, e.g. to be run as a K8s Pod • Adapter layer: NCP is build in a modular way, so that individual adapters can be added for different CaaS and PaaS systems • NSX Infra layer: Implements the logic that creates topologies, attaches logical ports, etc. based on triggers from the Adapter layer • NSX API Client: Implements a standardized interface to the NSX API CloudFoundry Adapter Libnetwork Adapter More… K8s master NSX Manager API-Server etcd Scheduler NSX/ K8s topology NS: bar NS: foo
CNI – Container Network Interface CNI interface spec • Network Driver Interface:Used by Kubernetes, OpenShift, Cloud Foundry and Mesos • Implementation:Uses a simple local executable call and environment variable injection as the API between the container runtime / orchestration and the network plugin • Relation to Docker Networking:The CNI spec is different to Dockers Libnetwork Container Network Model (CNM), that uses a HTTP REST API for the plugins and is more targeted towards the ‘Docker use-case’ [0] [0] http://blog.kubernetes.io/2016/01/why-Kubernetes-doesnt-use-libnetwork.html
NSX-T Container Interface (CIF) Hypervisor(ESXi &KVM) Container Interfaces in NSX-T cif cif mgmt network cif cif • K8s Node VMs: Most customers are looking to deploy K8s Nodes as VMs today • Nested Network-Virtualization: Instead of terminating the overlay tunnels in the Node VM, we are extending the Hypervisor vSwitch into the Node VM using VLAN tagging. The Node VM vSwitch (OVS) is ‘standalone’, and only gets programed by the NSX CNI Plugin • Benefits: • No double encapsulation • Enhanced security through strong isolation of the Node VM from the NSX Control-Plane • Less transport-nodes in NSX which equates to higher scale DFW mgmt network DFW Node VM eth2 eth0 NodeVM eth2 vlan 11 Vlan 10 Minion Mgmt. IP Stack eth0 vlan 11 vlan 10 OVS Minion Mgmt. IP Stack OVS NSX CNI Plugin NSX CNI Plugin Pods Pods
K8s / NSX Demo DEMO
K8s / NSX - FAQ Q: Why is the K8s / NSX solution presented here not using the Neutron API to create network objects?A:We are developing a solution for NSX that works for any compute environment, vSphere, Photon-Platform, KVM Virtualization without OpenStack, as well as public cloud. Therefore we need to be independent from Neutron. We fully support OpenStack Kuryr for Container Networking with Neutron and NSX if a tighter integration with Neutron is desired Q: Are you supporting K8s Network-Policy?A: Yes, our integration fully supports K8s Network Policy Q:Are your supporting the K8s cloud provider for OpenStack A: Yes, one can use the OpenStack Load-Balancing cloud provider, however we are more focused on testing solutions that use K8s Ingress instead of the OpenStack Load-Balancing cloud provider Q: <INSERT YOUR QUESTION HERE>
Agenda Why Neutron is most challenging OpenStack project? Why NSX plugin for your Neutron? Demo of OpenStack + NSX What about Kubernetes in NSX? Key Takeaways
Key Takeaways – NSX for Neutron Neutron offers Networks & Security services. Neutron is made by geeks and for geeks. If you're looking for a production grade Neutron solution, Vendors plugin are required Neutron + NSX plugin makes Neutron production grade thanks to: • Multi-Hypervisor support (it's not only ESXi!!!) • Stability + High performance • Support and support at scale • Management / Operation / Troubleshooting tools Neutron + NSX can be installed within any OpenStack distro Neutron + NSX supports Kubernetes and offers now security to Containers