Production-ready, open source network virtualization

Jonathan LaCour - jonathan@dreamhost.com Ryan Petrello - ryan.petrello@dreamhost.com

HELLOMy name is Jonathan

VP of Cloud at DreamHost

@cleverdevil on twitter

HELLOMy name is Ryan

Senior Cloud Developer at DreamHost

@ryanpetrello on twitter

AGENDA• The birth and evolution of Akanda

• Akanda technology overview

• Akanda in practice

• Retrospective

• The future

AKANDA’S BIRTH👶

DREAMCOMPUTE IS OPEN

Virtual Networking • L2 isolation for all tenants • IPv4 and IPv6 via SDN

Elastic Compute • Virtual machines via KVM hypervisor and OpenStack

Block Storage • OpenStack Cinder and Ceph • Massively scalable, distributed, and self-healing • Lightning fast boot-from-volume

AKANDA’S BIRTH• DreamCompute’s design and development necessitated Akanda

• Required L2 isolation and IPv6

• No Open Source solution and vendors were lacking

• Didn’t understand cloud

• Missing features and OpenStack integration

👶

INITIAL DESIGN• OpenBSD service VMs

• Routing, firewall, and services via OpenBSD Packet Filter (PF)

• Akanda Appliance API in Python

• Integration with OpenStack via Nova and Neutron

• Rug Orchestration platform for creating, updating, and monitoring service VMs

EVOLUTION

🙈🙉🙊

EVOLUTION• OpenBSD not well-suited for the task

• Community resistance to virtualization

• Poor network throughput and network driver issues

• Slow boot times (3-5 minutes)

• No hot-plugging support, requiring service VM reboots

🙈

THE SWITCH TO LINUX• Moved to Linux

• From PF to iptables, with a larger community

• Significantly improved performance

• Service VM boots and reboots in 45 seconds or less

• Hot-plugging support

AKANDA ARCHITECTUREA

kand

a RU

G O

rche

stra

tion

Akanda Virtual Services

OpenStack APIs – Neutron, Nova, etc.

Akanda Pluggable L2 Backends

Physical Network (L2)

Routing Load Balancing Firewall Etc.

NSX Linux Bridge OpenDaylight More!

• No vendor magic – open source and transparent

• IPv6 support – customer VMs get IPv6

• Performance – beat the competition

• Its just Linux – service VMs can run anything

• Stability – routes traffic for thousands of VMs daily

❤️

IN DEPTH

THE AKANDA APPLIANCE• Linux virtual machine, built with veewee, and stored in Glance.

• iptables – tenant NAT, floating IPs, etc.

• dnsmasq – DHCP, DNS, etc.

• bird – upstream connectivity (BGP, RADV)

• Python proxy for Nova metadata service

APPLIANCE REST API• Not exposed to user, instead used by The Rug for

configuration, monitoring, and reporting.

• Primary endpoints:

• Alive Check - are you alive?

• Configuration Push - reconfigure / reload router services

{ "networks": [{ "subnets": [{ "gateway_ip": "208.113.176.1", "cidr": "208.113.176.0/23", ... }],

"network_id": "b1234135-a0fc-4a1a-bea3-1232341235", "interface": { "ifname": "ge1", "addresses": [“208.113.176.249/23", “2607:f298:5:110d:f816:3eff:fe7d:e274/64"] }, }], "default_v4_gateway": "208.113.176.1", "floating_ips": [{ "floating_ip": "208.113.176.249", "fixed_ip": "10.10.10.3" }], ...}

THE RUG

• “Really ties the room together.”

• Orchestration and monitoring of service VMs

RUG ARCHITECTURE

Event Processing State Machine

Neutron

Notifications

Health Monitoring

Service VM

Service VM

Service VM

Service VM

STATE MACHINE

• Sophisticated state management

• Ten possible states

• Rug automates transitions between states

EXAMPLE – SERVICE VM BOOT

CALC_ACTION

CHECK_BOOT

CREATE_VM CONFIG

EXAMPLE – HEALTH MONITORING

CALC_ACTION

STOP_VM

ALIVE CHECK_BOOT

CREATE_VM

INTERESTING FEATURES

• Network hot-plugging

• Upon addition or removal of a network

• nova <interface-attach | interface-detach>

INTERESTING FEATURES

• Advanced failure tracking

• Configurable cool down threshold

• Reporting for service VMs stuck in ERROR state

IN PRACTICE

AKANDA OPERATIONS

• Build your service VM image and store in Glance

• Tell the Rug which service VM image to use

• The Rug actively monitors tenants missing service VMs and creates, configures, and keeps them alive

RUG-CTL COMMAND LINE TOOL• rug-ctl browse

• Lists all service VMs and basic details

• rug-ctl router debug

• Forces The Rug to temporarily stop managing a service VM

• rug-ctl router rebuild [—router_image_uuid]

• Destroys / recreates a service VM, optionally with a different VM image

RETROSPECTIVE

RETROSPECTIVE

• Neutron wasn’t ready for IPv6. Getting there now!

• State machines and distributed processing are hard. Very hard.

• Best way to stabilize is continuous automated testing.

• As a small team, keeping pace with upstream projects is almost a full-time job.

THE FUTURE

LAUNCHING TODAYhttp://akanda.io

AKANDA’S FUTURE• Launch of Akanda, Inc. - http://akanda.io

• Roadmap

• Additional services – Load Balancing and Firewall

• More L2 backends – physical bridge, OpenDaylight, etc.

• Enterprise Rug - HA and scale-out

GET THE CODE, JOIN THE TEAMhttp://akanda.io