2025-04-04 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)05/31 Report--
In this issue, the editor explains how to improve network isolation in Mesos. The article is detailed and approaches the topic from a practitioner's point of view; I hope you find it useful.
As is well known, no single networking solution suits every scenario once and for all. Nonetheless, Mesos 0.23.0 took a bold step: it implemented, for the first time, an IP-per-container mechanism for the native Mesos containerizer, which meets many specific needs.
Apache Mesos uses operating-system containers such as Docker and Linux cgroups to isolate the resources used by tasks. Although this works well for node-local resources such as CPU and memory, it does not provide a practical mechanism for isolating network resources between containers. Mesos therefore now offers a different IP address for each container in the cluster, the IP-per-container mechanism, which first appeared in Mesos 0.23.0.
Without IP-per-container, containers share the host's IP addresses and therefore its port space. An application is consequently assigned a non-standard port to avoid conflicts, so the port it actually listens on is not its well-known one. This hinders service discovery and makes it harder for other applications to talk to the containerized application.
This lack of network isolation also poses a security risk in multi-tenant environments, particularly when a Mesos cluster is shared by many different kinds of applications.
For example, if a financial company runs both risk-analysis simulations and customer-facing applications in a single Mesos cluster, administrators will find it hard to prevent an application, whether malicious or misconfigured, from accessing sensitive information. Another risk is that a poorly behaved application can slow down the entire network, leaving mission-critical applications on the same node without adequate resources.
Finally, every enterprise has different network requirements; in network architecture, no single solution suits every scenario once and for all.
To address these problems, the Mesos community has enhanced the project so that the IP-per-container mechanism supports the native Mesos containerizer (support for Docker containers is expected to follow). The solution is pluggable, allowing products from Calico, WeaveWorks and other third-party network isolation vendors to act as plug-ins on a Mesos cluster.
How does the IP-per-container mechanism support the native Mesos containerizer?
One design goal of IP-per-container in Mesos is a pluggable architecture that lets users choose an existing third-party network provider as the basis of the network implementation. Five key components work together to achieve this:
A framework or scheduler, which specifies the label marking a task whose container should receive its own IP. This is optional, so IP-per-container can be brought into an existing framework without side effects.
A Mesos cluster, consisting of a Mesos master and Mesos agent nodes.
A third-party IP address management (IPAM) server, responsible for allocating IP addresses on demand and reclaiming them after use.
A third-party network isolation provider, responsible for isolating containers from one another and allowing operators to adjust reachability and routing through configuration.
A network isolator module, loaded into the agent as a lightweight Mesos module. It inspects the task requirements set by the scheduler, obtains an IP address for the container through the IPAM and network isolation services, and then reports the IP address back to the master and the framework. Although IP allocation and network isolation could be implemented by a single unit, Mesos treats them conceptually as two separate services, so two independent providers can supply them: for example, Ubuntu FAN for IP address allocation and Project Calico for network isolation.
Because IP-per-container is optional, existing frameworks are unaffected and a cluster can be upgraded on a rolling basis. A cluster can therefore run containers in mixed mode, some using IP-per-container and others still in the default mode, without compatibility problems.
IP-per-container allows both coarse-grained and fine-grained control of network isolation. Fine-grained policy still relies on the third-party network isolation provider, but if you only need coarse-grained isolation, the network routing table suffices.
Best practices for IP-per-container
Without IP-per-container, applications must register with a service discovery system (such as Consul or ZooKeeper), and HAProxy or a similar reverse proxy must be deployed on every compute node to redirect traffic arriving at localhost on the expected port to the port the container actually listens on.
With IP-per-container, once an IP address has been assigned to the container and network isolation and routing are in place, the Mesos master and the scheduler receive the IP allocation information. The scheduler can then use the container IP to communicate with the application, and can pass this information to newly launched containers and applications.
The Mesos master also exposes container IPs through its state endpoint. DNS providers such as Mesos-DNS and Mesos-Consul can consume this information to provide name resolution.
With IP-per-container, every container has the full port range of its own IP, so port conflicts are no longer a concern. Applications can listen on their standard ports and be discovered easily, without the help of a reverse proxy.
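The following is an added illustration, not code from this article or from the Mesos project, of the flow described by the five components above and by the state-endpoint paragraph: the network isolator module reports the container's IP in the task status, the master exposes it through its state endpoint, and a DNS provider such as Mesos-DNS turns it into task.framework.mesos records, falling back to the agent's address for containers still running in default mode in a mixed cluster. The state excerpt is constructed, and the field layout and the agent-IP-from-pid parsing are assumptions that mirror Mesos 0.23-era state output.

```python
import json
import ipaddress

# Constructed excerpt shaped like the master state endpoint (assumed 0.23-era field layout).
SAMPLE_STATE = json.dumps({
    "slaves": [{"id": "agent-1", "pid": "slave(1)@10.64.0.5:5051"}],
    "frameworks": [{"name": "marathon", "tasks": [
        {   # IP-per-container task: the isolator module reported the container's own IP
            "name": "web", "slave_id": "agent-1", "state": "TASK_RUNNING",
            "statuses": [{"state": "TASK_RUNNING", "container_status": {
                "network_infos": [{"ip_addresses": [{"ip_address": "10.64.1.20"}]}]}}]},
        {   # default-mode task in a mixed cluster: no network_infos, shares the agent's IP
            "name": "legacy", "slave_id": "agent-1", "state": "TASK_RUNNING",
            "statuses": [{"state": "TASK_RUNNING"}]},
        {   # finished task: must not get a record even though it once had an IP
            "name": "batch", "slave_id": "agent-1", "state": "TASK_FINISHED",
            "statuses": [{"state": "TASK_FINISHED", "container_status": {
                "network_infos": [{"ip_addresses": [{"ip_address": "10.64.1.21"}]}]}}]},
    ]}],
})

def _valid_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def container_ips(task):
    """IPs reported for the task's container in its most recent status (empty in default mode)."""
    latest = (task.get("statuses") or [{}])[-1]
    infos = latest.get("container_status", {}).get("network_infos", [])
    ips = [a.get("ip_address", "") for i in infos for a in i.get("ip_addresses", [])]
    # Validate before publishing: a malformed status must not end up in DNS.
    return [ip for ip in ips if _valid_ip(ip)]

def dns_records(state_json):
    """Map task.framework.mesos to an IP, preferring the container IP and
    falling back to the agent IP for containers still in default mode."""
    state = json.loads(state_json)
    # The agent's address is embedded in its pid, e.g. slave(1)@10.64.0.5:5051.
    agents = {s["id"]: s["pid"].split("@", 1)[1].rsplit(":", 1)[0] for s in state["slaves"]}
    records = {}
    for fw in state["frameworks"]:
        for task in fw["tasks"]:
            if task["state"] != "TASK_RUNNING":
                continue
            ips = container_ips(task)
            records[f"{task['name']}.{fw['name']}.mesos"] = ips[0] if ips else agents[task["slave_id"]]
    return records
```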
That concludes how to improve network isolation in Mesos. If you have similar questions, the analysis above may help; to learn more, follow our industry news channel.