
OpenStack & OpenContrail in Production

Workday is running OpenStack and OpenContrail in production. This deck explains our best practices and lessons learned.


  1. OpenStack & OpenContrail in Production: Best Practices from a SaaS leader
  2. Introductions
     • Edgar Magana, PhD, Workday, Inc., Cloud Operations Architect, Twitter: @emaganap
       – Member since April 2011 – Santa Clara Summit
       – OpenStack Board of Directors
       – OpenStack Foundation User Committee
       – OpenContrail Advisory Group
       – Neutron core former member and founder (Quantum)
       – Open-source developer enthusiast!
       – Futbol Club Barcelona Fan!
  3. Outline
     • Operations Challenges
     • Architecture Overview
     • CI – Pipeline
     • CI – Environments
       – Desktop
       – Virtual Machines (OOO)
       – Bare-Metal
     • HA Design
     • OpenContrail & Containers
     • Q & A
  4. OpenStack Logical Architecture
     • Three levels:
       – API
       – Messaging Bus
       – Backend
     Source: OpenStack Docs
  5. OpenStack Components. Source: OpenStack Docs – Training Guide
  6. OpenStack Reference Architecture. Source: OpenStack Docs – Networking Guide
  7. Let’s do it!
  8. Workday Production Requirements
     • Automation
     • Idempotent
     • Scalable
     • Secure
       – SSL on End Points
       – SSL on RabbitMQ
       – SSL on MySQL
       – IPTables
     • Stable
     • Production Readiness
       – Logging
       – Monitoring
     • Bonded physical interfaces per server
     • Multi-tenant
     • High Availability
  9. Let me take one more look! Source: OpenStack Docs – Training Guide
  10. TCP Cloud – HA Reference Architecture. Source: http://www.opentcpcloud.org/en/documentation/reference-architecture/
  11. Mirantis – HA Reference Architecture. Source: https://docs.mirantis.com/openstack/fuel/fuel-7.0/reference-architecture.html
  12. Source: Internet – Independent
  13. Let’s … Plan it better!
  14. OpenStack @ Workday – Now
  15. OpenStack @ Workday – Tomorrow
  16. CI/CD @ Workday for OpenStack
  17. How it started: Prototype #1 (diagram: Controller, Compute, Tempest, SDN, Rally; “Build once and reuse”). NOTE: https://github.com/openstack/openstack-chef-repo
  18. Drivers for Containers
     • Lightweight – many containers on a single VM
     • Re-usable – Build once and deploy
     • Shareable – share common components (Chef server, Tempest etc.)
  19. Chef Development Framework (diagram: Host (Fedora 20), Virtual Machine, Docker Engine; DNS, LDAP, Controller, Compute, Tempest, SDN)
  20. Development Workflow, Iteration #1: With Neutron
  21. Development Workflow, Iteration #2: OpenContrail
  22. Development Environment – Network Diagram
  23. Building CI/CD on OpenStack and OpenContrail
  24. OpenStack @ Workday Environments
     • CI on Virtual Machines (OoO)
       – Reproducible disposable test environment integrated with Workday’s Jenkins/Gerrit build pipeline
       – Runs on OpenStack Icehouse
       – Ruby Fog Library
  25. CI Environment on Virtual Machines Workflow (diagram, steps 1–6)
  26. OoO – CI Workflow (diagram: Jenkins, OpenStack Controller, Git repo, Chef)
     • Launch Chef Server
     • Fetch Chef artifacts
     • Create OS Controller, SDN, Compute, Tempest
     • Run Chef Clients
     • Run Tempest
  27. Road to production
     • Dev – Build and test
     • Virtual – Create Gerrit review; VM CI passes
     • Bare Metal – Promote cookbooks to production
  28. Visibility
     • Nagios checks – Over 200 in total
  29. Visibility
     • Wavefront integration
  30. Workday Production Requirements
     • Automation
     • Idempotent
     • Scalable
     • Secure
       – SSL on End Points
       – SSL on RabbitMQ
       – SSL on MySQL
       – IPTables
     • Stable
     • Production Readiness
       – Logging
       – Monitoring
     • Bonded physical interfaces per server
     • Multi-tenant
     • High Availability
  31. OpenContrail Data Plane. Source: Internet – OpenContrail
  32. Key Take Away
     • It took a number of iterations
     • Docker on Vagrant proved to be a very powerful Chef development environment
       – Rapid development and prototyping
       – Containers are very lightweight
       – You can share container images across teams
     • Increased development agility by building CI on OpenStack
     • Predictable deployment outcome
     • Super User 2016 Finalist: http://superuser.openstack.org/articles/austin-superuser-awards-finalist-workday-inc
  33. How it all started…
     • Build OpenStack cloud with community cookbooks and packages
     • Started with openstack-chef, a community project
     • Realized its limitations
     • Consistent and repeatable environment for developers, operations
     • Share common components
     • Test framework
     • Continuous integration framework
     • Scalability & Benchmarking tests (Rally)
     NOTE: https://github.com/openstack/openstack-chef-repo
  34. Container Networking Roadmap – DP Ayyadevara, Product Management, OpenContrail, dpayyadevara@juniper.net
  35. Product Roadmap – Feature Areas
     • Routing & Switching (IPv4, v6)
     • Network Services (IPAM, DNS, DHCP, SNAT, FIP, BGPaaS, QoS)
     • Load Balancing (customizable ECMP, LBaaS)
     • Security & Policies (Policy Enf., Distributed FW, Sec Grp, XMPP Encryp.)
     • Perf & Scale (DPDK / SRIOV, Smart NIC, Infra. scale)
     • Gateway Services (L2, L3, vCenter GW)
     • Rich Analytics (Alerts, Overlay-Underlay Correlation, multi-region)
     • Service Chaining (PNF, VNF, containers, v6, 3rd party / TAP, Health-check, failover, policy-based)
     • HA, Upgrades (Infra Failover, ISSU)
     • API Services (multi-vendor Orch., Global Controller, OpenStack, K8s, vCenter)
     Source: OpenContrail/Juniper
  36. K8s Components & Terminology (diagram: Namespace-A and Namespace-B; PODs 1–6 each holding containers C1, C2, …; Replication Controllers; Minion / Node; Services S1–S3, each a (VIP, Port); Application 1 and Application 2)
     • POD IP allocated by Contrail
     • Service IP allocated by K8s IPAM
     • Load balancing across multiple PODs done using ECMP-LB
     • External IP: accessing an end-point outside of the cluster
     • Service S3 does not have any PODs
     Source: OpenContrail/Juniper
  37. Different Levels of Isolation (diagram: Namespaces A–F, Services S1–S12, PODs 1–45 under three modes: Default Cluster Mode, Namespace Isolation, POD / Service Isolation)
     • Default cluster mode: this is how K8s networking works today – flat subnet where any workload can talk to any other workload
     • Namespace isolation: in addition to the default cluster, the operator can add isolation to different namespaces, transparent to the developer
     • POD / Service isolation: in this mode, each POD is isolated from one another
     • Note that all three modes can co-exist
     Source: OpenContrail/Juniper
  38. We Are Hiring!
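The deck lists “SSL on End Points” as a production requirement and relies on Nagios checks for visibility. The check below, an added example that is not from the deck or from Workday, reads a Keystone v3 service catalog (shape assumed from the Keystone v3 API) and fails in Nagios terms when any endpoint is not served over HTTPS; the catalog contents are constructed.

```python
"""Added example: Nagios-style check for the "SSL on End Points" requirement.
Assumptions (not from the deck): the input is a Keystone v3 service catalog as
JSON ({"catalog": [{"type": ..., "endpoints": [{"interface": ..., "url": ...}]}]})
and public, internal and admin interfaces are all held to the same rule."""
import json
import sys
from urllib.parse import urlsplit

# Nagios plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3


def insecure_endpoints(catalog_json: str) -> list[str]:
    """Return 'type/interface url' for each endpoint whose scheme is not https."""
    findings = []
    for service in json.loads(catalog_json)["catalog"]:
        for ep in service.get("endpoints", []):
            url = ep.get("url", "")
            if urlsplit(url).scheme.lower() != "https":
                findings.append(f"{service.get('type', '?')}/{ep.get('interface', '?')} {url}")
    return findings


def nagios_status(catalog_json: str) -> tuple[int, str]:
    """Map the findings onto a Nagios exit code and a one-line status message."""
    try:
        bad = insecure_endpoints(catalog_json)
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        # Malformed or unexpected catalog: report UNKNOWN rather than a false OK.
        return UNKNOWN, f"UNKNOWN - cannot parse catalog: {exc!r}"
    if bad:
        return CRITICAL, f"CRITICAL - {len(bad)} endpoint(s) without TLS: " + "; ".join(bad)
    return OK, "OK - every catalog endpoint uses https"


# Constructed sample catalog: two services, one internal endpoint still on plain http.
SAMPLE_CATALOG = json.dumps({"catalog": [
    {"type": "identity", "name": "keystone", "endpoints": [
        {"interface": "public", "region": "RegionOne",
         "url": "https://keystone.example.internal:5000/v3"}]},
    {"type": "compute", "name": "nova", "endpoints": [
        {"interface": "public", "region": "RegionOne",
         "url": "https://nova.example.internal:8774/v2.1"},
        {"interface": "internal", "region": "RegionOne",
         "url": "http://10.0.0.10:8774/v2.1"}]}]})

if __name__ == "__main__":
    code, message = nagios_status(SAMPLE_CATALOG)
    print(message)
    sys.exit(code)
```

In a real deployment the catalog would come from a token response (`openstack catalog list -f json` or a Keystone auth call) and be fed to `nagios_status` instead of the constructed sample.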
