Container Networking Strategy

[dol...@etsy.com]

When it comes to container networking, there are many options and many opinions. Does CoreOS have an opinion or vision with regard to container networking? Clearly, one solution may not fit all environments, but there seems to be much focus on network overlays. Since when is the physical network not good enough to get a packet from A to B? Probably the best use case for overlays is multi-tenancy, but my interest is single-tenant bare metal. I have come to a good understanding of container networking and formulated a design that leaves the networking to the network. At the same time, I am interested to learn the CoreOS strategy and vision.

[Seán C. McCord]

Many cloud infrastructures offer little to no inter-node networking control, and when building a federated network across providers and datacenters, network overlays are a great convenience.  When you don't have access to your routers, a network overlay is almost mandatory.

For bare metal systems, this is usually less of a requirement.  You will usually have contiguous and pre-determined address space, access to routers, VPNs, and other tools of networking that cloud systems generally don't offer.  In these cases yes, you can do without a network overlay.

In the cases where you _can_ leave the networking to the network, that's fine, but in today's world of cloud and multi-tenant systems, that is just not a common assumption.

Consider, also, that there are advantages in using a software-defined network (of which flannel is clearly a simple example) even when running your own network.  Application deployment in container-oriented clusters is highly dynamic.  A typical network and firewall solution which we used in the past inevitably leaves large swathes of the network unprotected in order to accommodate this dynamic nature.  For example:  I need port 5060 open to service A and service B, but specifically NOT service C (which responds on the port, but expects only internal traffic).  How do you configure your firewall to handle this when, at any moment, any of these services may be on any machine?  There are SDN-enabled firewalls coming on line, and you could artificially constrain the set of nodes on which the services may run, but you could also simply define application-oriented policies and be done with it.  Using Flannel and Calico for this is an easy way to get reactive, cohesive networking applied to this dynamic environment.

There are plenty of other reasons, of course, from the fact that applications know what their appropriate ingress and egress points are, the proliferation of hybrid and federated clouds, growth path tenancy, hardware abstraction and ubiquification, etc.

On Thu, Aug 11, 2016 at 9:07 AM dolvany via CoreOS User <coreo...@googlegroups.com> wrote:

When it comes to container networking, there are many options and many opinions. Does CoreOS have an opinion or vision with regard to container networking? Clearly, one solution may not fit all environments, but there seems to be much focus on network overlays. Since when is the physical network not good enough to get a packet from A to B? Probably the best use case for overlays is multi-tenancy, but my interest is single-tenant bare metal. I have come to a good understanding of container networking and formulated a design that leaves the networking to the network. At the same time, I am interested to learn the CoreOS strategy and vision.

--
You received this message because you are subscribed to the Google Groups "CoreOS User" group.
To unsubscribe from this group and stop receiving emails from it, send an email to coreos-user...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Seán C McCord

CyCore Systems, Inc

+1 888 240 0308

PGP/GPG: http://cycoresys.com/scm.asc

[dol...@etsy.com]

Thanks for the insight, Sean.