HOW TO BUILD AGILE CLOUD SYSTEMS: CHALLENGES AND ENABLING TECHNOLOGIES

Transcription

HOW TO BUILD AGILE CLOUD SYSTEMS: CHALLENGES AND ENABLING TECHNOLOGIES
Pelin Angin
Department of Computer Science, Purdue University
June 27, 2016
San Francisco, CA

OUTLINE
PART 1:
- Cloud Agility Challenges
- Containers and Microservices
- Software-Defined Networking (SDN)
PART 2:
- Network Functions Virtualization (NFV)
- NFV Use Cases & Projects
- Future R&D Problems
PART 3:
- OpenStack Overview
- OpenStack Hands-on lab

PART 1

BUSINESS VALUE OF CLOUD COMPUTING
- Used to be defined in terms of Capital Expenses (CapEx) vs. Operational Expenses (OpEx)
  - Ability to avoid buying hardware and software
- Now: Agility
  - Harder to measure than CapEx vs. OpEx
- Why the change?
  - CapEx vs. OpEx view not compelling enough from a cost standpoint
  - Better understanding of value metrics in agility
  - Better definition of worth of agility for internal business cases
  - Shorter time to market valuable for specific industries
Source: arder-to-measure.html

WHAT IS (CLOUD) AGILITY?
agile in Oxford Dictionary: "Able to move quickly and easily"
Cloud Agility:
- Rapid provisioning of computer resources
  - New compute instances, networking and storage provided in minutes instead of weeks taken by IT
- Rapid business response to changing conditions
  - Shortened time-to-market

CLOUD AGILITY CHALLENGES
- Need less resource consumption than VMs
- Need lightweight, portable application components for quick deployment
- Geographically-distributed mission-critical applications may suffer from limitations in network quality of service (QoS)
  - Limited responsiveness to changes
- Provisioning networks to deliver optimal paths between new applications and users can take hours or days
  - Network configuration highly manual, device-by-device in data center network
- Enforcement of policies in network involves complex architecture
- Enterprises have limited control over cloud operations

COMPONENTS OF CLOUD AGILITY

Agility Component                                   Enabling Technology
Rapid service deployment                            Containers
Lightweight, high-performance components            Containers
Easy service migration                              Containers
High service uptime / Rapid update integration      Containers
Flexible service composition                        Microservices
Interoperability                                    Microservices
Rapid network resource provisioning                 SDN & NFV
Easy network policy definition / enforcement        SDN & NFV
Rapid network maintenance                           SDN & NFV
Quick network failure recovery                      SDN & NFV

WHAT IS A CONTAINER?
- A lightweight structure in which an application can be stored, carried and run on a compatible OS
- Encapsulates application logic components provisioned with the minimal resources (its own operating environment) required
- No need for embedded operating system
- Can be placed on any host without special configuration
- Virtualization at OS level rather than hypervisor level
- Required components:
  - Compatible OS
  - Runtime compatible with containers to run
  - Platform to manage applications
  - Tools for container orchestration, management, networking and security

CONTAINERS VS. VIRTUAL MACHINES (VM)
[Figure: VMs vs. containers]
Adapted from n-vs-virtualisation-whats-the-difference

CONTAINER ADVANTAGES OVER VMS
Both technologies are based on virtualization; OS virtualization rather than hardware virtualization provides:
- Improved performance
  - Application instructions do not go through guest OS and hypervisor to reach CPU
- Reduced application size
  - Enables faster application startup
- Increased stability
  - Applications do not hang on the host OS
- Reduced footprint

EVOLUTION OF CONTAINERS
- Roots in Linux world, based on features of Linux kernel
- Early containers: FreeBSD Jails, Oracle Solaris Zones
- Google got involved beginning 2006:
  - Entire data-center architecture based on containers
  - Kubernetes for container / container cluster management
- Docker increased traction in container world
  - Started as an open source project to build containerized microservices in 2013, followed by company
- LXC (Linux Containers) rose as major competitor with Docker

DOCKER
- Client-server architecture
- Docker daemon:
  - Building, running, distributing Docker containers
- Docker client:
  - Binary user interface to Docker
  - Accepts commands from user, communicates with daemon
- Docker images (build):
  - Read-only template
- Docker registries (distribution):
  - Public or private stores for uploading/downloading images
- Docker containers (run):
  - Hold everything needed to run app, created from Docker image
Source: nding-docker/

HOW DOCKER WORKS
Docker images:
- Consist of layers combined using union file systems to form a single coherent file system
- Changing an image builds a new layer rather than replacing the whole image, making distribution faster by only sending updates
- Images built from bases (e.g. Ubuntu image) using instructions
Docker container: OS, user-added files, meta-data
- When running, adds a read-write layer on top of the image in which the app can run
Client tells daemon to run container:
- Image is pulled
- New container created
- Filesystem allocated, read-write layer added
- Network interface allocated, IP address set up
- App run, output provided
Source: nding-docker/

HOW DO CONTAINERS PROVIDE AGILITY?
- Containers can share the same OS
  - Less resource consumption
  - Increased efficiency
  - Fast application upload
  - No downtime during application updates
- Containers allow applications to be separated from underlying infrastructure
  - Increased portability
  - Potential security benefits

DRIVERS FOR CONTAINER ADOPTION IN ENTERPRISES
O'Reilly survey in 2015
- 138 respondents from a range of industries
- Half from companies of fewer than 500 employees
- 13% from companies of over 10000 employees
Source: "The State of Containers and the Docker Ecosystem: port

MICROSERVICES
[Figure: Monolithic applications vs. Microservices]
- Microservices style: Developing applications as a set of small services, each running in its own process, communicating with lightweight mechanisms
- Evolved from Web services (service-oriented architecture)
- Scales by distributing services across servers, instead of distributing apps
Source: l

WHY MICROSERVICES?
- Independently deployable
- Single service changes require redeployment of only that service
- More explicit component interfaces
- Decreased coupling between components
- Continuous delivery
- Resilience against failures by monitoring
INCREASED AGILITY
Used by Amazon, Netflix, Uber, eBay, Karma, SoundCloud, Groupon, Hailo, Gilt, Zalando, Capital One, Comcast

MAJOR BARRIERS FOR CONTAINER ADOPTION
DevOps.com & ClusterHQ survey
- Conducted in May 2015
- 285 respondents from organizations of mostly 1-500 employees, 18% with over 2500
Source: stateof-container-usage-june-2015.pdf

FUTURE OF CONTAINERS
- Open Container Initiative (OCI) announced by Docker in 2015 to create an open standard for container runtimes supporting technology based on Docker's container format
- OCI members: Amazon, Google, Mesosphere, Pivotal, Cisco, IBM, Microsoft, Intel, RedHat, Oracle, Verizon etc.
- Urs Hölzle (senior vice president of technical infrastructure at Google, at Interop keynote, 2015):
  "We have to go with containers. We need to think about applications instead of machines. The system manages placement on machines. You don't have to think about OS security patches, and configuration. A whole class of administrative tasks is removed."
- David Aronchick (lead product manager for Kubernetes):
  "When you talk to any large customers, their problems come down to two things – they want to move faster and they want to do it in a more cost effective way. Containers enable both of these."

FUTURE OF CONTAINER R&D
- Orchestration and Management
  - Various companies building new tools
  - Other functions can be integrated for monitoring, intelligence, providing catalog of container apps
- Networking
  - Containers need to talk to each other across networks
  - Current infrastructure may cause barriers to communications with firewalls
  - Need to adapt networking technology to handle containers
  - Already started with network virtualization
  - What is the most efficient way to connect? Should containers do their own routing? Should there be an independent controller?

FUTURE OF CONTAINER R&D (CONT.)
- Storage
  - How should containers connect to storage resources?
  - First containers stateless, but need state for data-heavy applications
  - Some solutions (e.g. ClusterHQ, Portworx) can connect containers to storage devices and storage area networks (SANs)
- Security
  - Containers not secure by default!
  - Many container elements rely on a shared kernel, exposing OS
  - Banyan investigation discovered 30% of public container images with vulnerabilities*
  - Need better isolation, better visibility, security screening
* "Over 30% of Official Images in Docker Hub Contain High Priority Security Vulnerabilities." ker-hub

HOW DO LEGACY NETWORKS OPERATE?
- Decision-making capability (routing, managing, monitoring, load balancing etc.) distributed across network devices
- Data plane and control plane tightly coupled

NETWORKING PLANES
Data Plane: Activities related to data packets sent by end-user
- Forwarding
- Fragmentation/Reassembly
- Replication for multicasting
Control Plane: Activities not involving end-user data packets
- Routing tables
- Packet handling policies
- Announcing service availability
Management Plane: Provisioning & monitoring of networks
Services Plane: Improvement of performance or security

PROBLEMS WITH LEGACY NETWORKS
- Inflexibility
- Not fit for constantly shifting network traffic patterns
- Adding/removing devices is complex
- Slow convergence after link failures
- High cost to update switches
- Vendor dependence
- Inability to scale
- Complexity of access control
- Manual configuration needs for supporting high-level network policies

LEGACY NETWORK EXAMPLE
If R5-R6 link fails:
- Takes time to reprogram all devices for new network
- Sometimes network not able to find new r
Source: -running-external-controller-sdn-rakesh-raushan

NETWORK VIRTUALIZATION
- Independent of Physical Network Location or State
  - Logical network across any server, rack, cluster, data-center
  - VMs can migrate without requiring reworking of security policies, load balancing etc.
  - New workloads or networks do not require provisioning of physical network
  - Node failures in physical network do not disrupt workload
- Isolation for Multi-tenancy and Fault Tolerance
  - MAC and IPs private per tenant
  - Failures and configuration errors by tenants do not affect other tenants
  - Failures in virtual layer do not propagate to physical layer
Adapted from http://www.slideshare.net/priti

SOFTWARE-DEFINED NETWORKING (SDN)
Open Networking Foundation (ONF) definition: "The physical separation of the network control plane from the forwarding plane, and where a control plane controls several devices."
- Decouples network control and forwarding functions
- Abstracts underlying infrastructure for apps and services
- Directly programmable
- Agile
- Centrally managed
- Programmatically configured
- Open standards-based and vendor-neutral

NETWORK EXAMPLE REVISITED WITH SDN
Source: unning-external-controller-sdn-rakesh-raushan

SDN HIGH-LEVEL VIEW
Source: efinition

SDN COMPONENTS
- Control Plane
  - Abstract view of network infrastructure
  - Enables admins to apply custom policies/protocols across network hardware
- Northbound Application Interfaces
  - Software interfaces between modules of controller and SDN applications running on top of network platform
- East-West Protocols
  - Manage interactions between controllers (if multi-controller-based)
- Data Plane and Southbound Protocols
  - Forwarding hardware
  - Protocols to manage interface between network devices

SDN LAYERS
- Infrastructure Layer:
  - Contains SDN devices performing packet switching and forwarding
  - SDN devices composed of API for communication with controller, abstraction layer, packet-processing component
  - SDN device abstracted as a set of flow tables
- Control Layer:
  - Centralized control to supervise network forwarding behavior
  - Controls SDN devices making up network infrastructure
  - Implements policy decisions (routing, forwarding, load balancing etc.)
- Application Layer:
  - End-user apps utilizing SDN communications and network services
  - Affect behavior of infrastructure by configuring flows, load-balancing, reacting to link failures, redirecting traffic, authentication, etc.

OPENFLOW
Idea:
- Separation of data and control planes
- Centralized control
- Flow-based control
History:
- 2006: Martin Casado (Stanford PhD student) et al. proposed network security architecture based on centralized instead of edge security
- 2008: OpenFlow paper in ACM SIGCOMM CCR
- 2009: Nicira co-founded by Martin Casado
- March 2011: Open Networking Foundation (ONF) formed
- October 2011: First Open Networking Summit
- 2012: VMware bought Nicira

OPENFLOW TERMINOLOGY
- Flow
  - Network traffic partitions (TCP connection, packets with same MAC address or IP, packets with same VLAN tag, packets arriving from same switch port etc.)
- Switch
  - Includes one or more flow tables and a group table
  - Performs packet look-up and forwarding
  - Each flow table made up of flow entries consisting of header fields, counters, actions
- Channel
  - Interface connecting each switch to a controller
- Controller
  - Responsible for determining how to handle packets without valid flow entries
  - Maintains all network protocols and policies and distributes appropriate instructions to network devices

OPENFLOW SWITCH
- Control logic moved to controller
- Only forwarding elements at switches
- Identifying traffic flows through packet matching, packet forwarding, reporting statistics and switch state
- One complex controller, many dumb switches
- Use OpenFlow protocol for communication of forwarding rules from controller to switches
Source: latest.pdf
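As an added example that is not part of the slides, the terminology and switch slides above modelled as a toy OpenFlow 1.0-style switch and controller: flow entries with match fields, priority, a counter and actions; packet look-up with a table miss handed to the controller; a proactively installed drop rule sitting above learned forwarding entries. The MAC addresses, port numbers and the telnet deny rule are constructed sample data.

```python
# Added example (not from the slides): a toy OpenFlow 1.0-style switch and controller.
# Flow entries = header fields + counter + actions; a table miss goes to the controller
# (PACKET_IN), which may install an entry (FLOW_MOD). All MACs/ports are constructed.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class FlowEntry:
    match: Dict[str, object]   # header fields to match; unlisted fields are wildcards
    actions: List[str]         # e.g. ["output:2"], ["flood"], ["drop"]
    priority: int = 100        # highest priority wins when several entries match
    packets: int = 0           # per-entry counter, as on the terminology slide

    def matches(self, pkt: dict) -> bool:
        return all(pkt.get(f) == v for f, v in self.match.items())

class Switch:                  # forwarding only: match, count, act; no policy here
    def __init__(self, controller: "Controller"):
        self.table: List[FlowEntry] = []
        self.controller, self.packet_ins = controller, 0

    def install(self, entry: FlowEntry) -> None:
        self.table.append(entry)
        self.table.sort(key=lambda e: -e.priority)      # first hit is the best match

    def process(self, pkt: dict) -> List[str]:
        entry = next((e for e in self.table if e.matches(pkt)), None)
        if entry is None:                                # table miss -> PACKET_IN
            self.packet_ins += 1
            entry = self.controller.packet_in(self, pkt)
        entry.packets += 1
        return entry.actions

class Controller:              # policy: static firewall rule + MAC learning
    def __init__(self):
        self.mac_to_port: dict = {}

    def attach(self, sw: Switch) -> None:   # proactive rule: drop cleartext telnet
        sw.install(FlowEntry({"tp_dst": 23}, ["drop"], priority=1000))

    def packet_in(self, sw: Switch, pkt: dict) -> FlowEntry:
        self.mac_to_port[pkt["dl_src"]] = pkt["in_port"]
        out = self.mac_to_port.get(pkt["dl_dst"])
        if out is None:                  # destination unknown: flood, install nothing
            return FlowEntry({}, ["flood"])
        entry = FlowEntry({"dl_dst": pkt["dl_dst"]}, [f"output:{out}"], priority=10)
        sw.install(entry)                # FLOW_MOD: later packets take the fast path
        return entry

def demo():
    # Constructed two-host exchange: returns the action list per packet and slow-path count.
    ctl = Controller(); sw = Switch(ctl); ctl.attach(sw)
    a2b = {"in_port": 1, "dl_src": "aa:00:00:00:00:01", "dl_dst": "aa:00:00:00:00:02", "tp_dst": 443}
    b2a = {"in_port": 2, "dl_src": "aa:00:00:00:00:02", "dl_dst": "aa:00:00:00:00:01", "tp_dst": 443}
    acts = [sw.process(p) for p in (a2b, b2a, a2b, a2b, dict(a2b, tp_dst=23))]
    return acts, sw.packet_ins
```

Only the first three packets reach the controller; the fourth hits the learned entry and the telnet packet hits the higher-priority drop rule without the controller ever seeing it.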

FLOW TABLES IN OPENFLOW (V1.0)
Source: http://www.cse.wustl.edu/~jain/tutorials/unsw14.htm

FLOW TABLE EXAMPLE
Source: S. Azodolmolky, "Software Defined Networking with OpenFlow," Packt Publishing, October 2013, 152 pp., ISBN: 978-1-84969-872-6 (Safari Book)

OPENFLOW SWITCHES
Hardware:
- Arista 7050
- Brocade MLXe, Brocade CER, Brocade CES
- Extreme Summit x440, x460, x670
- Huawei openflow-capable router platforms
- HP 3500, 3500yl, 5400zl, 6200yl, 6600, and 8200zl
- HP V2 line cards in the 5400zl and 8200zl
- IBM 8264
- Juniper (MX, EX)
- NEC IP8800, NEC PF5240, NEC PF5820
- NetGear 7328SO, NetGear 7352SO
- Pronto (3290, 3295, 3780)
Software:
- Indigo
- LINC
- Pantou
- Of13softswitch
- XORPlus
- Open vSwitch

OPEN VSWITCH
- Multi-layer, open-source virtual switch
- Designed for massive network automation, still supporting standard protocols (e.g. NetFlow, sFlow, IPFIX, 802.1ag)
- Can operate both as a soft switch and as control stack for switching silicon
- Default switch in XenServer 6.0, Xen Cloud Platform
- Supports Xen, KVM, Proxmox VE, VirtualBox
- Integrated into VMS including OpenStack, openQRM, OpenNebula, oVirt
- Packages available for Ubuntu, Debian, FreeBSD, NetBSD
Source: http://vswitch.org/

OPENFLOW CONTROLLERS
- ONOS
- Floodlight
- ONIX
- NOX
- POX
- SNAC
- Beacon
- Trema
- Maestro

SDN / OPENFLOW
[Figure]
Source: trollers/opendaylight-controller/

SDN CONTROLLERS
- Brain of SDN
- Maintains view of entire network
- Implements policy decisions
  - Routing
  - Redirecting
  - Load balancing
- Controls all SDN devices in network
- Provides northbound API for applications
- Come with set of common application modules (learning switch, firewall, load balancer etc.)

GOOGLE'S INCREMENTAL SDN DEPLOYMENT
[Figure]

HOW SDN PROVIDES AGILITY
- Globally-connected, intelligent environments
- Help with load-balancing
- Global traffic management by logically sending traffic to appropriate data center
- More fluid data center traffic flow automation
- Provide decreased downtime
- Increased data resiliency
- Improved disaster recovery
Source: -changed/

SDN & IOT
- SDN will be a key enabler for IoT
- Most useful features:
  - Service chaining
    - Enable operators to provision features like VPNs, firewalls etc., and set policy tolerances
  - Dynamic load management
    - Enable operators to monitor and orchestrate bandwidth changes automatically (facing exponential increase in devices)
  - Bandwidth calendaring
    - Enable operators to schedule when and how much traffic a customer or app will need at a specific
Source: n/sdn-vital-to-iot.html

PART II

NFV MOTIVATION (CONT.)
- Hardware-based appliances rapidly reaching end of life
- Procure-design-integrate-deploy cycles repeated with no revenue benefit
Adapted from: Network Functions Virtualization - Everything Old Is New Again. F5 White Paper. August 2013

NETWORK FUNCTIONS VIRTUALIZATION (NFV) - MOTIVATION
- Hardware lifecycles becoming shorter as technology and services innovation accelerates
- Inhibited roll out of new revenue earning network services
Source: European Telecommunications Network Operators' Association Annual Economic Report, c-reports/AER2015 Final.pdf

NFV MOTIVATION (CONT.)
[Figure: Cisco VNI Global IP Traffic Forecast, 2014–2019; Big Data, increasing CapEx]
Source: https://www.ciscoknowledgenetwork.com/files/527 2015 VNI Complete Forecast -MasterGlobal CKN 6102015.pdf?PRIORITY CODE

WHAT IS NFV?
ETSI Definition of NFV: "Implementation of network functions in software that can run on a range of industry standard server hardware, and that can be moved to or instantiated in, various locations in the network as required, without the need for installation of new equipment."

NFV VS. LEGACY NETWORKS
Source: https://portal.etsi.org/NFV/NFV_White_Paper.pdf

NFV VS. LEGACY NETWORKS (CONT.)
- Decoupled software-hardware:
  - HW and SW evolve independently
- Flexible network function deployment:
  - Reassignment and sharing of infrastructure resources
  - HW & SW performing different functions at different times
  - Automated instantiation of network function software
- Dynamic operation:
  - Scaling VNF performance dynamically according to actual traffic

NFV TIMELINE

Date      Event
10/2012   Network operators call for action white paper
11/2012   New network operator-led Industry Specification Group (ISG) with open membership set up under ETSI (European Telecommunications Standards Institute)
1/2013    1st meeting of NFV ISG (100 participants, 20 carriers)
10/2013   2nd white paper; high-level NFV ISG documents
06/2014   Detailed NFV ISG documents
09/2014   OPNFV
10/2014   3rd white paper
06/2015   OPNFV ARNO
02/2016   Open Source MANO
03/2016   OPNFV Brahmaputra

NFV BENEFITS
- Reduced equipment costs and power consumption
- Increased speed of time-to-market by minimizing network operator cycle of innovation
- Efficient test and integration, reduced development cost
- Availability of network appliance multi-version and multi-tenancy
- Targeted service introduction based on geography or customer sets
- Optimizing network configuration and/or topology in near real time based on actual traffic/mobility patterns
- Rapid service scalability (up/down)
- Automated reconfiguration to repair failures
- Wide variety of ecosystems an
