Calico Scales Networking To Container Orchestrators

Insider Threats: 10 Ways To Protect Your Data

Calico, the open source code that provides scalable container networking, keeps adding additional systems with which it can work. It already gets deployed as a component with some implementations of the Kubernetes, Mesos, Docker Swarm, and OpenStack container orchestration systems. Now it's added CoreOS' Tectonic container orchestration as well.

Chris Liljenstolpe, chief architect for the Calico project and director of solution at Metaswitch Networks, sponsor of the Calico.org project, explained in an interview at the Tectonic Summit in New York Dec. 3 what Calico brings to each orchestration system. Container users are dependent on orchestrators, such as Kubernetes, to place a container on a cluster and track its operations.

It's still an early phase of container management, and there are several ways of generating the networking that links one container to another or to other resources on the data center network. But if containers proliferate, as some IT managers believe, then it's critical to find a networking approach that works with hundreds and thousands of containers at a time.

OpenStack's open source cloud software has its own "overlay" networking approach in its Neutron Project. Docker in its 1.0 version uses a port-forwarding approach, Liljenstolpe said. Both have their advantages in early container deployments, but developers and operations managers may get bogged down in the details of their operation as the number of containers increases, he said.

Port forwarding imposes port constraints on the application in the container when one of the goals of containerization is to make the code as moveable as possible. The overlay approach works fine up to a point, but the state of the VPN tunnel used to connect containers must be tracked and forces the application developer to know a lot about networking, Liljenstolpe said.

What Calico has tried to do is to simplify the networking of containers at scale. "We do not use overlay networks, tunnels, or protocol wrappers," he said. Instead, Calico "makes each server run like a router for the containers that it is hosting," he added.

Calico also relies on the Linux operating system's kernel to act as the IP traffic forwarding mechanism, something it's designed to do but that isn't needed in the other approaches. Furthermore, the reliance means the networking function can be spread out to match the distribution of containers on their hosts.

Asked who he was referring to as providing "the other approaches," Liljenstolpe said VMware's NSX, Nuage, and Contrail's software-defined networking.

To make its distributed approach work, Calico had to design a way to build a system that can capture high-level policies meant to govern individual containers, then make knowledge of those policies available wherever the container moves. To do so, Calico places an agent on each container host to monitor any changes in the network map. If a container connected to another container on a given host moves, the agent detects the move and re-examines the policies associated with it upon the next connection.

"We can update all those policies dynamically," Liljenstolpe said, giving each container protections that resemble the rules of a firewall, without actually needing to put a firewall next to every container. "Calico is constantly updating those rules, managing the policy environment" so people don't need to, he said.

"The rules are put in place only on the server where the container is running," he added.

[Want to learn more about container security? See Containers March Into Mainstream With Security, Management Updates.]

Calico can interface with Docker, Kubernetes, Mesos, and OpenStack and collect the information they gather on where they've placed their containers. The information is put in a key value store, etcd, originated at CoreOS and now an open source project.

"Each container host has a Calico agent listening for changes in the etcd key value store. If it detects no changes, it goes back to sleep," but if changes that apply to it have occurred, it knows to bring those changes into the network operation of its containers.

It's a "software-driven solution but not a classical software-defined networking solution," he said.

The Calico approach works for virtual machine networking as well and has been extended to work with the lesser known container orchestrators Apache Brooklyn and Cloudsoftcorp's Clocker, as well.

**New deadline of Dec. 18, 2015** Be a part of the prestigious InformationWeek Elite 100! Time is running out to submit your company's application by Dec. 18, 2015. Go to our 2016 registration page: InformationWeek's Elite 100 list for 2016.