Production-ready, open source network virtualization
Jonathan LaCour - [email protected] Ryan Petrello - [email protected]
HELLOMy name is Jonathan
VP of Cloud at DreamHost
@cleverdevil on twitter
HELLOMy name is Ryan
Senior Cloud Developer at DreamHost
@ryanpetrello on twitter
AGENDA• The birth and evolution of Akanda
• Akanda technology overview
• Akanda in practice
• Retrospective
• The future
AKANDA’S BIRTH👶
DREAMCOMPUTE IS OPEN
Virtual Networking • L2 isolation for all tenants • IPv4 and IPv6 via SDN
Elastic Compute • Virtual machines via KVM hypervisor and OpenStack
Block Storage • OpenStack Cinder and Ceph • Massively scalable, distributed, and self-healing • Lightning fast boot-from-volume
AKANDA’S BIRTH• DreamCompute’s design and development necessitated Akanda
• Required L2 isolation and IPv6
• No Open Source solution and vendors were lacking
• Didn’t understand cloud
• Missing features and OpenStack integration
👶
INITIAL DESIGN• OpenBSD service VMs
• Routing, firewall, and services via OpenBSD Packet Filter (PF)
• Akanda Appliance API in Python
• Integration with OpenStack via Nova and Neutron
• Rug Orchestration platform for creating, updating, and monitoring service VMs
EVOLUTION
🙈🙉🙊
EVOLUTION• OpenBSD not well-suited for the task
• Community resistance to virtualization
• Poor network throughput and network driver issues
• Slow boot times (3-5 minutes)
• No hot-plugging support, requiring service VM reboots
🙈
THE SWITCH TO LINUX• Moved to Linux
• From PF to iptables, with a larger community
• Significantly improved performance
• Service VM boots and reboots in 45 seconds or less
• Hot-plugging support
AKANDA ARCHITECTUREA
kand
a RU
G O
rche
stra
tion
Akanda Virtual Services
OpenStack APIs – Neutron, Nova, etc.
Akanda Pluggable L2 Backends
Physical Network (L2)
Routing Load Balancing Firewall Etc.
NSX Linux Bridge OpenDaylight More!
• No vendor magic – open source and transparent
• IPv6 support – customer VMs get IPv6
• Performance – beat the competition
• Its just Linux – service VMs can run anything
• Stability – routes traffic for thousands of VMs daily
❤️
IN DEPTH
THE AKANDA APPLIANCE• Linux virtual machine, built with veewee, and stored in Glance.
• iptables – tenant NAT, floating IPs, etc.
• dnsmasq – DHCP, DNS, etc.
• bird – upstream connectivity (BGP, RADV)
• Python proxy for Nova metadata service
APPLIANCE REST API• Not exposed to user, instead used by The Rug for
configuration, monitoring, and reporting.
• Primary endpoints:
• Alive Check - are you alive?
• Configuration Push - reconfigure / reload router services
{ "networks": [{ "subnets": [{ "gateway_ip": "208.113.176.1", "cidr": "208.113.176.0/23", ... }],
"network_id": "b1234135-a0fc-4a1a-bea3-1232341235", "interface": { "ifname": "ge1", "addresses": [“208.113.176.249/23", “2607:f298:5:110d:f816:3eff:fe7d:e274/64"] }, }], "default_v4_gateway": "208.113.176.1", "floating_ips": [{ "floating_ip": "208.113.176.249", "fixed_ip": "10.10.10.3" }], ...}
THE RUG
• “Really ties the room together.”
• Orchestration and monitoring of service VMs
RUG ARCHITECTURE
Event Processing State Machine
Neutron
Notifications
Health Monitoring
Service VM
Service VM
Service VM
Service VM
STATE MACHINE
• Sophisticated state management
• Ten possible states
• Rug automates transitions between states
EXAMPLE – SERVICE VM BOOT
CALC_ACTION
CHECK_BOOT
CREATE_VM CONFIG
EXAMPLE – HEALTH MONITORING
CALC_ACTION
STOP_VM
ALIVE CHECK_BOOT
CREATE_VM
INTERESTING FEATURES
• Network hot-plugging
• Upon addition or removal of a network
• nova <interface-attach | interface-detach>
INTERESTING FEATURES
• Advanced failure tracking
• Configurable cool down threshold
• Reporting for service VMs stuck in ERROR state
IN PRACTICE
AKANDA OPERATIONS
• Build your service VM image and store in Glance
• Tell the Rug which service VM image to use
• The Rug actively monitors tenants missing service VMs and creates, configures, and keeps them alive
RUG-CTL COMMAND LINE TOOL• rug-ctl browse
• Lists all service VMs and basic details
• rug-ctl router debug
• Forces The Rug to temporarily stop managing a service VM
• rug-ctl router rebuild [—router_image_uuid]
• Destroys / recreates a service VM, optionally with a different VM image
RETROSPECTIVE
RETROSPECTIVE
• Neutron wasn’t ready for IPv6. Getting there now!
• State machines and distributed processing are hard. Very hard.
• Best way to stabilize is continuous automated testing.
• As a small team, keeping pace with upstream projects is almost a full-time job.
THE FUTURE
LAUNCHING TODAYhttp://akanda.io
AKANDA’S FUTURE• Launch of Akanda, Inc. - http://akanda.io
• Roadmap
• Additional services – Load Balancing and Firewall
• More L2 backends – physical bridge, OpenDaylight, etc.
• Enterprise Rug - HA and scale-out
GET THE CODE, JOIN THE TEAMhttp://akanda.io
