Container Integration with OVS, with Gurucharan Shetty from VMware - a podcast by Ben Pfaff

Guru Shetty has been working at VMware, and before that at Nicira, since
about 2011. Guru has done a lot of work to integrate Open vSwitch withvarious platforms. This episode is a conversation with Guru primarily
about integrating Open vSwitch and OVN with multiple container systems,including Docker and Kubernetes.

Guru begins by reiterating the rationale for containers from an
application developer point of view: to capture and encapsulatedependencies into usable pieces and thereby make the software easier to
consume. This is not so different from a VM, conceptually, butcontainers have some advantages in terms of size and life-cycle
management. Microservices, on the other hand, are a way of building anapplication from many independently deployed and upgradeable components
that interact through well-defined APIs. The components, which are themicroservices themselves, could be housed on physical machines or in VMs
but are usually in containers.

To introduce the topic of how Open vSwitch integrates with container
systems, Guru begins by describing how Open vSwitch integrates with anykind of virtualization. This is divided into three parts. First, the
virtualization system must attach its virtual interfaces to Open vSwitch.This is usually simple: for a system that already integrates with the
Linux bridge, for example, it might entail calling into the OVSovs-vsctlprogram instead of the bridge'sbrctl. Second, the virtualization system needs to provide
some metadata to allow a network controller to identify the relationshipbetween VIFs and VMs. These first two pieces do not differ much between
VM and container virtualization.

The third part of integrating a virtualization system with Open vSwitch
is a matter of matching up the virtualization system's networkingconcepts with those understood by the network controller. OpenStack, for
example, has switch and router concepts and supports various ways toconnect virtual networks to external physical ones. Container systems,
though, generally have much simpler ideas of how to interact withnetworks, perhaps because they are designed by and for application
developers who have little interest in operating a network as opposed tosimply using one. This makes container systems harder to integrate with
featureful virtual networking systems such as OVN, since they simply lackmany of the concepts. Guru makes the counterpoint, though, that
OpenStack and similar ask application developers to work with a lot oflow-level concepts that really have no direct importance to them.
Rather, networking should “just work.”

OVS integration with Docker evolved through a few steps. The first step
was a form of integration without assistance from Docker itself, throughan external wrapper that built a network namespace and configured Docker
to use it through avethpair. This was not ideal, so
Guru proposed a native integration framework for Docker. At the sametime, there were about a dozen startups and companies all trying to do
something similar, which led to a lot of fighting over the approach.Eventually Docker elected to provide a pluggable architecture, although
its form is still unsatisfactory for many purposes and thus a number ofvendors continue to use a “side-band” or wrapper approach. A form of
the latter has been standardized asCNI, which is what
Kubernetes and CoreOS and Mesos use.

Guru has also implemented integration between Open vSwitch and
Kubernetes, the wildly popular container orchestration system fromGoogle. It approaches networking problems from an application deployer's
perspective. For example, an application developer does not care aboutIP addresses, so Kubernetes hides those details, instead exposing
services through higher-level names that are more meaningful to thedevelopers. Kubernetes also exposes every application through a load
balancer that allows the application to scale by increasing or decreasingthe number of containers behind the load balancer, in a manner hidden
from the application's clients. Guru implemented Kubernetes loadbalancing support for OVN through the NAT feature added to recent
versions of Open vSwitch.

The OVN support for Kubernetes is implemented in a repository separate
from the main Open vSwitch repository, which is unusual for OVN and OpenvSwitch. This was done because Kubernetes changes much faster than Open
vSwitch, so that OVN-Kubernetes integration needs to change much morequickly too.

One possibility for the future of the OVN-Kubernetes integration is to
take advantage of the Open vSwitch support for DPDK to build a very fastnorth-south gateway for Kubernetes.

Guru talks briefly about the possibilities for Open vSwitch integration
with Mesos, Pivotal Cloud Foundry, and Rocket.

Guru talks about how OVN might be a useful component for service function
chaining in container environments, where its general concept of networkvirtualization gives a lot of value versus ad hoc techniques.

Sometimes containers are portrayed as having, compared to VMs, huge
numbers per host and high rates of change. Guru has not seen this inpractice. While containers are shorter-lived than VMs, the scale is notmuch higher.

OVS Orbit is produced byBen Pfaff. The
intro music in this episode isDrive,
featuring cdk and DarrylJ, copyright 2013, 2016 by Alex. The bumper music isYeah Antfeaturing Wired Ant and Javolenus, copyright 2013 by Speck. The outro
music isSpace
Bazookafeaturing Doxen Zsigmond, copyright 2013 by Kirkoid. All content is licensed under a Creative CommonsAttribution 3.0
Unported (CC BY 3.0)license.

Further episodes of OVS Orbit

Further podcasts by Ben Pfaff

Website of Ben Pfaff