In an earlier blog post, I gave a brief overview of how Nuage Networks Virtual Services Platform (VSP) supports Docker containers in our SDN overlay networks. We’ve just released a new white paper, which goes into more detail for those wanting a clearer picture.
As a refresher: while virtual machine (VM) technology has matured greatly over the last decade, a new form of server virtualization, called “containers”, is rapidly increasing in popularity. Containers promise to accelerate application deployment cycles and increase cloud agility in fundamental ways.
Containers allow applications to be isolated from each other using operating system-level virtualization features such as Linux control groups (resource control) and namespaces (resource isolation). Since containers share the host’s operating system kernel, they require fewer resources than VMs: fewer CPU cycles and less memory, and their images are much smaller than VM images. Because they also don’t need to boot an operating system, containers can be launched very quickly. The smaller footprint of containers means many more application instances can be run on a host compared to VMs (which in turn can also raise the host’s network bandwidth requirements).
Nuage Networks has created a plug-in for Docker networking, which runs on every Docker host. Each Docker host, whether bare-metal or virtual, also has the VSP’s Virtual Routing and Switching (VRS) component installed on it. VRS is a software agent built as the Nuage user-space component on top of standard Open vSwitch (OVS). It is responsible for forwarding traffic from the containers, performing the VXLAN encapsulation of layer-2 packets, and enforcing security policies. When creating a Docker container, the user can specify which Zone or Policy Group it belongs to. All endpoints in a given Zone adhere to the same set of security policies.
The Nuage Networks VSP plug-in first creates a virtual Ethernet (veth) interface pair to connect the Docker container to the VRS, the distributed routing component that runs on each host. The VSP plug-in then passes the Zone or Policy Group information to the VRS, which uses it to resolve the IP address of the container. The VSP plug-in configures the resolved IP address in the container’s network namespace. This means that every container gets its own IP address.
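The host-side plumbing that paragraph describes, as an added example (not code from Nuage Networks or its Docker plug-in): a veth pair whose host end becomes a port on the OVS bridge that VRS manages and whose peer is moved into the container’s network namespace with the resolved address. It assumes a placeholder bridge name `alubr0`, that the container’s namespace is visible to `ip netns` (Docker does not expose it by default; link `/proc/<pid>/ns/net` into `/var/run/netns` first), and that `DRY_RUN=1` prints the commands instead of running them, which is how the block can be read without root.

```shell
#!/bin/sh
# Added example, not the Nuage plug-in's own code. Bridge name "alubr0" is a
# placeholder; the netns must already be visible to `ip netns`.

# run CMD...: execute the command, or print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# plumb_container NETNS ADDRESS/PREFIX GATEWAY [BRIDGE]
# Returns 1 if a derived interface name would exceed the kernel's
# 15-character interface-name limit.
plumb_container() {
  ns="$1"; addr="$2"; gw="$3"; bridge="${4:-alubr0}"
  host_if="vh-$ns"; cont_if="vc-$ns"
  [ "${#host_if}" -le 15 ] || { echo "interface name too long: $host_if" >&2; return 1; }

  # 1. veth pair: one end stays on the host, the peer goes into the container.
  run ip link add "$host_if" type veth peer name "$cont_if"
  # 2. The host end becomes a port on the VRS (OVS) bridge, so VRS forwards and
  #    VXLAN-encapsulates the container's traffic and enforces its policies.
  run ovs-vsctl add-port "$bridge" "$host_if"
  run ip link set "$host_if" up
  # 3. The peer moves into the container's namespace and gets the resolved IP.
  #    The address is routable in the overlay, so no host-local NAT is needed.
  run ip link set "$cont_if" netns "$ns"
  run ip netns exec "$ns" ip link set "$cont_if" name eth0
  run ip netns exec "$ns" ip addr add "$addr" dev eth0
  run ip netns exec "$ns" ip link set eth0 up
  run ip netns exec "$ns" ip route add default via "$gw"
}
```

Run as root with `plumb_container <netns> <ip/prefix> <gateway>` once the namespace is registered; the policy download from VSD that follows is VRS’s job and is not part of this plumbing.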
With some other approaches, containers are given an address from a subnet that is local to the host, so NAT is required to reach the container from outside that host.
VRS also downloads the security policies for the container’s Zone or Policy Group from the Virtualized Services Directory (VSD). The container can only exchange traffic with other containers and VMs that the configured policies authorize.
Docker containers are gaining rapid adoption for the next generation of cloud applications. By choosing Nuage Networks as the virtual networking solution for Docker containers, businesses can ensure that they have a solid foundation for their applications, including traditional VMs and bare-metal workloads. The Docker integration for Nuage Networks VSP has been available since July 2015. Integrations with other Docker orchestration platforms, like Kubernetes and Mesos, are also on the Nuage Networks VSP roadmap.
For More Information: