Calico Scales Networking To Container Orchestrators - InformationWeek


Calico open source project extends its reach to CoreOS' Tectonic container orchestrator for cloud container scalability plus security.


Calico, the open source project that provides scalable container networking, keeps adding systems it can work with. It is already deployed as a networking component with some implementations of Kubernetes, Mesos, Docker Swarm, and OpenStack. Now it has added CoreOS' Tectonic container orchestration as well.

Chris Liljenstolpe, chief architect for the Calico project and director of solutions at Metaswitch Networks, the project's sponsor, explained in an interview at the Tectonic Summit in New York on Dec. 3 what Calico brings to each orchestration system. Container users depend on orchestrators such as Kubernetes to place a container on a cluster and track its operation.

Container management is still in an early phase, and there are several ways of providing the networking that links one container to another or to other resources on the data center network. But if containers proliferate as some IT managers expect, it becomes critical to find a networking approach that works with hundreds or thousands of containers at a time.

(Image: Courtney Keating/iStockphoto)

OpenStack's open source cloud software has its own "overlay" networking approach in its Neutron project. Docker, in its 1.0 version, uses a port-forwarding approach, Liljenstolpe said. Both have their advantages in early container deployments, but developers and operations managers may get bogged down in the details of their operation as the number of containers increases, he said.

Port forwarding imposes port constraints on the application in the container, when one of the goals of containerization is to make the code as movable as possible. The overlay approach works fine up to a point, but the state of the tunnels used to connect containers must be tracked, which forces the application developer to know a lot about networking, Liljenstolpe said.

What Calico has tried to do is to simplify the networking of containers at scale. "We do not use overlay networks, tunnels, or protocol wrappers," he said. Instead, Calico "makes each server run like a router for the containers that it is hosting," he added.

Calico also relies on the Linux kernel's own IP forwarding to move traffic, which is what the kernel was designed to do; the other approaches add a separate forwarding layer on top of it. Because every host forwards for its own containers, the networking function is distributed across the cluster to match the placement of the containers on their hosts.

Asked whom he meant by "the other approaches," Liljenstolpe named VMware's NSX, Nuage, and Contrail software-defined networking.

To make this distributed approach work, Calico had to build a system that captures the high-level policies governing individual containers and makes those policies available wherever a container moves. To do so, Calico places an agent on each container host to watch for changes in the network map. If a container that is connected to another container on a given host moves, the agent detects the move and re-examines the policies associated with that container upon the next connection.

"We can update all those policies dynamically," Liljenstolpe said, giving each container protections that resemble the rules of a firewall, without actually needing to put a firewall next to every container. "Calico is constantly updating those rules, managing the policy environment" so people don't need to, he said.

"The rules are put in place only on the server where the container is running," he added.


Calico can interface with Docker, Kubernetes, Mesos, and OpenStack and collect the information they hold on where they have placed their containers. That information is kept in etcd, the key-value store that originated at CoreOS and is now an open source project.

"Each container host has a Calico agent listening for changes in the etcd key value store. If it detects no changes, it goes back to sleep," but if changes that apply to it have occurred, it knows to bring those changes into the network operation of its containers.
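As an added illustration of the mechanism described in the preceding paragraphs (this is example code written for this page, not Calico's own agent or its real data model): a toy per-host agent in Python that watches an in-memory stand-in for etcd, ignores changes that do not concern its host, and recomputes host routes and per-container accept/drop rules only for the containers placed on it. The key layout (`endpoint/<name>`, `policy/<profile>`), the record fields, the interface names and the rule text are assumptions made for the example, and the sample cluster (two hosts, a web and a db container, a policy that lets web reach db) is constructed.

```python
"""Toy model of a Calico-style per-host agent (added example, not Calico's code).
Key layout ('endpoint/<name>', 'policy/<profile>'), record fields and rule text
are assumptions for this illustration; the in-memory KVStore stands in for etcd."""
from typing import Callable, Dict, List, Optional, Set


class KVStore:
    """Minimal stand-in for etcd: a key/value map with change fan-out to watchers."""

    def __init__(self) -> None:
        self.data: Dict[str, dict] = {}
        self.watchers: List[Callable[[str, Optional[dict]], None]] = []

    def put(self, key: str, value: Optional[dict]) -> None:
        """Write the key (None deletes it), then wake every watcher with the change."""
        if value is None:
            self.data.pop(key, None)
        else:
            self.data[key] = value
        for watcher in self.watchers:
            watcher(key, value)

    def watch(self, callback: Callable[[str, Optional[dict]], None]) -> None:
        self.watchers.append(callback)


class HostAgent:
    """One agent per host: programs routes and ACLs only for the containers it hosts."""

    def __init__(self, hostname: str, store: KVStore) -> None:
        self.host, self.store = hostname, store
        self.routes: Set[str] = set()          # /32 host routes the kernel forwards on
        self.rules: Dict[str, List[str]] = {}  # ACL lines per local endpoint
        self.known: Dict[str, dict] = {}       # endpoints as seen at the last resync
        self.resyncs = 0                       # how often we recomputed (for the demo)
        store.watch(self.on_change)
        self.resync()

    def endpoints(self) -> Dict[str, dict]:
        return {k: v for k, v in self.store.data.items() if k.startswith("endpoint/")}

    def local(self) -> Dict[str, dict]:
        return {k: v for k, v in self.endpoints().items() if v["host"] == self.host}

    def allow_from(self, profile: str) -> List[str]:
        return self.store.data.get(f"policy/{profile}", {}).get("allow_from", [])

    def is_relevant(self, key: str, value: Optional[dict]) -> bool:
        """True if the change touches this host; otherwise the agent goes back to sleep."""
        local = self.local()
        if key.startswith("policy/"):
            return any(ep["profile"] == key.split("/", 1)[1] for ep in local.values())
        if key.startswith("endpoint/"):
            if key in self.rules:                          # was local: moved away or deleted
                return True
            if value is not None and value["host"] == self.host:
                return True                                # arrived on this host
            # a remote peer that some local container's policy names as a source
            named = {p for ep in local.values() for p in self.allow_from(ep["profile"])}
            return any(v["profile"] in named for v in (value, self.known.get(key)) if v)
        return False

    def on_change(self, key: str, value: Optional[dict]) -> None:
        if self.is_relevant(key, value):
            self.resync()

    def resync(self) -> None:
        """Rebuild routes and ACLs from the store, for local endpoints only."""
        self.resyncs += 1
        routes: Set[str] = set()
        rules: Dict[str, List[str]] = {}
        peers = self.endpoints()
        for key, ep in self.local().items():
            routes.add(f"{ep['ip']}/32 dev {ep['iface']}")
            allow = self.allow_from(ep["profile"])
            lines = [f"ACCEPT src {p['ip']} dst {ep['ip']}"
                     for p in peers.values() if p["profile"] in allow]
            lines.append(f"DROP dst {ep['ip']}")           # default deny for the container
            rules[key] = lines
        self.routes, self.rules, self.known = routes, rules, peers


def demo() -> dict:
    """Constructed cluster: web on host-a, db on host-b; then web is moved to host-b."""
    store = KVStore()
    store.put("policy/db", {"allow_from": ["web"]})     # db accepts traffic from web containers
    store.put("policy/web", {"allow_from": []})         # nothing may initiate to web
    a, b = HostAgent("host-a", store), HostAgent("host-b", store)
    store.put("endpoint/web", {"host": "host-a", "ip": "10.1.0.2", "iface": "cali1", "profile": "web"})
    store.put("endpoint/db", {"host": "host-b", "ip": "10.1.0.3", "iface": "cali2", "profile": "db"})
    before = (set(a.routes), set(b.routes), dict(b.rules), a.resyncs, b.resyncs)
    store.put("endpoint/web", {"host": "host-b", "ip": "10.1.0.4", "iface": "cali3", "profile": "web"})
    after = (set(a.routes), set(b.routes), dict(b.rules), a.resyncs, b.resyncs)
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, state in demo().items():
        print(phase, state)
```

Running `demo()` shows the two properties the article describes. Before the move, host-a holds only the route and rules for web and host-b only those for db, and each agent has recomputed exactly once per change that concerned it (the db placement never wakes host-a, because none of host-a's containers accept traffic from db). After the orchestrator reschedules web onto host-b with a new address, host-a's agent drops its route and rules for web, while host-b's agent picks them up and also refreshes db's accept rule to web's new address. A real agent would translate the route and rule lines into kernel routes and host packet-filter rules; the relevance check is what lets an agent with no stake in a change go back to sleep.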

It's a "software-driven solution but not a classical software-defined networking solution," he said.

The Calico approach works for virtual machine networking as well, and it has been extended to work with the lesser-known container orchestrators Apache Brooklyn and Cloudsoft's Clocker.


Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ...

Comments (newest first)

User Rank: Ninja
2/3/2016 | 11:10:04 AM
Re: first ones?
@kstaron, no I did see the few other players planning the same and doing it in Europe... sorry do not recall names from the top of my head...

User Rank: Ninja
12/21/2015 | 9:54:44 AM
first ones?
Looks like they've got an interesting new way of scaling containers. Are they the first ones to try to scale it or is this just the newest way?

Li Tan
User Rank: Ninja
12/4/2015 | 11:58:36 PM
Re: Is SDN already "classic?"
I don't think SDN is really legacy or classic now. But this new product does have some differentiator compared to SDN. :-)

Charlie Babcock
User Rank: Author
12/4/2015 | 3:23:21 PM
Is SDN already "classic?"
It's a "software-driven solution but not a classical software-defined networking solution," Liljenstolpe said. First time I've seen software-defined networking referred to as "classic."