Calico Scales Networking To Container Orchestrators - InformationWeek


Calico open source project extends its reach to CoreOS' Tectonic container orchestrator for cloud container scalability plus security.


Calico, the open source project that provides scalable container networking, keeps adding systems it can work with. It is already deployed as a component with some implementations of the Kubernetes, Mesos, Docker Swarm, and OpenStack container orchestration systems. Now it has added CoreOS' Tectonic container orchestration as well.

Chris Liljenstolpe, chief architect for the Calico project and director of solution at Metaswitch Networks, sponsor of the project, explained in an interview at the Tectonic Summit in New York Dec. 3 what Calico brings to each orchestration system. Container users are dependent on orchestrators, such as Kubernetes, to place a container on a cluster and track its operations.

It's still an early phase of container management, and there are several ways of generating the networking that links one container to another or to other resources on the data center network. But if containers proliferate, as some IT managers believe they will, then it's critical to find a networking approach that works with hundreds or thousands of containers at a time.

(Image: Courtney Keating/iStockphoto)

OpenStack's open source cloud software has its own "overlay" networking approach in its Neutron Project. Docker in its 1.0 version uses a port-forwarding approach, Liljenstolpe said. Both have their advantages in early container deployments, but developers and operations managers may get bogged down in the details of their operation as the number of containers increases, he said.

Port forwarding imposes port constraints on the application in the container, when one of the goals of containerization is to make the code as movable as possible. The overlay approach works fine up to a point, but the state of the VPN tunnel used to connect containers must be tracked, which forces the application developer to know a lot about networking, Liljenstolpe said.

What Calico has tried to do is to simplify the networking of containers at scale. "We do not use overlay networks, tunnels, or protocol wrappers," he said. Instead, Calico "makes each server run like a router for the containers that it is hosting," he added.

Calico also relies on the Linux kernel to act as the IP traffic forwarding mechanism, something the kernel is designed to do but that the other approaches don't make use of. Because forwarding happens in the kernel of each host, the networking function is spread out to match the distribution of containers across their hosts.

Asked whom he was referring to as providing "the other approaches," Liljenstolpe named VMware's NSX, Nuage, and Contrail's software-defined networking.

To make its distributed approach work, Calico had to design a way to build a system that can capture high-level policies meant to govern individual containers, then make knowledge of those policies available wherever the container moves. To do so, Calico places an agent on each container host to monitor any changes in the network map. If a container connected to another container on a given host moves, the agent detects the move and re-examines the policies associated with it upon the next connection.

"We can update all those policies dynamically," Liljenstolpe said, giving each container protections that resemble the rules of a firewall, without actually needing to put a firewall next to every container. "Calico is constantly updating those rules, managing the policy environment" so people don't need to, he said.

"The rules are put in place only on the server where the container is running," he added.

[Want to learn more about container security? See Containers March Into Mainstream With Security, Management Updates.]

Calico can interface with Docker, Kubernetes, Mesos, and OpenStack and collect the information they gather on where they've placed their containers. The information is put in etcd, a key-value store that originated at CoreOS and is now an open source project.

"Each container host has a Calico agent listening for changes in the etcd key value store. If it detects no changes, it goes back to sleep," but if changes that apply to it have occurred, it knows to bring those changes into the network operation of its containers.
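As an added illustration of the agent flow just described (a constructed toy model, not Calico's own code), the following Python uses a dict in place of etcd and gives each simulated host an agent that wakes on store changes and programs firewall-like rules only for the containers placed on that host, so a container move withdraws the rules on the old host and installs them on the new one:

```python
# Toy model of the host-agent flow described above (constructed example, not
# Calico code): a dict stands in for etcd; each agent programs only its host.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    container: str
    allow_from: tuple  # source labels permitted to reach the container

@dataclass
class Store:  # stand-in for the etcd key-value store the orchestrators feed
    placements: dict = field(default_factory=dict)  # container -> host
    policies: dict = field(default_factory=dict)    # container -> sources
    version: int = 0

    def set_placement(self, container, host):
        self.placements[container] = host
        self.version += 1

    def set_policy(self, container, allow_from):
        self.policies[container] = tuple(sorted(allow_from))
        self.version += 1

class HostAgent:
    """One agent per host; it holds rules only for containers hosted here."""
    def __init__(self, host, store):
        self.host, self.store, self.seen, self.rules = host, store, -1, set()

    def poll(self):
        """Return True if this host's rule set changed, False if it slept."""
        if self.store.version == self.seen:
            return False  # nothing new in the store: go back to sleep
        self.seen = self.store.version
        wanted = {Rule(c, self.store.policies.get(c, ()))
                  for c, h in self.store.placements.items() if h == self.host}
        changed = wanted != self.rules
        self.rules = wanted  # install or withdraw the host-local rules
        return changed

def simulate():
    """Place a container, move it, then idle; report which hosts reprogrammed."""
    store = Store()
    agents = {h: HostAgent(h, store) for h in ("host-a", "host-b")}
    store.set_policy("web", {"role=lb"})
    store.set_placement("web", "host-a")
    first = {h: a.poll() for h, a in agents.items()}   # only host-a programs
    store.set_placement("web", "host-b")               # the container moves
    second = {h: a.poll() for h, a in agents.items()}  # a withdraws, b installs
    third = {h: a.poll() for h, a in agents.items()}   # no change: all sleep
    return first, second, third, {h: a.rules for h, a in agents.items()}
```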

It's a "software-driven solution but not a classical software-defined networking solution," he said.

The Calico approach works for virtual machine networking as well, and it has also been extended to work with the lesser-known container orchestrators Apache Brooklyn and Cloudsoft's Clocker.


Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ...

Comment from Charlie Babcock (Author), 12/4/2015, 3:23:21 PM: Is SDN already "classic?"

It's a "software-driven solution but not a classical software-defined networking solution," Liljenstolpe said. First time I've seen software-defined networking referred to as "classic."