Containers key as Cisco looks to “open” data centre OS
A key but quiet component of Cisco’s “open” data centre operating system is the ability to build applications and microservices via Linux containers.
It is not a new capability but an increasingly important one for making, and marketing, Cisco’s NX-OS as “open,” a campaign which began in June. Open NX-OS includes object store and model driven RESTful and XML/JSON API support in the NX-API; native third-party application integration of Puppet, Chef and Ganglia, among others; a software developer’s kit for application integration; and Linux utilities support for tool integration across compute and network.
It is these Linux utilities and capabilities that Cisco should emphasise if it is to benefit from the disaggregation wave service providers embrace and that is expected to eventually wash over enterprise networks, analysts say. VMware is working on container networking too with its NSX network virtualisation platform.
“Advanced networking support for containerisation and microservices will become increasingly important in the years ahead,” says IDC analyst Brad Casemore. “Cisco is positioning NX-OS to meet at least some of that need. At IDC, we believe all networking vendors will need to provide meaningful solutions for microservices-based approaches and containerisation.”
Numerous attempts to interview a Cisco official on the Linux container support in NX-OS were unsuccessful. But as described in a Cisco/Red Hat whitepaper, LinuX Containers (LXC) is an operating system-level virtualisation method for running multiple isolated Linux systems, or containers, on a single host. LXC can be used to install custom applications on the switch that a given customer requires.
Applications running in different containers are isolated so that no single container impacts the performance or stability of another or the underlying switch operations, the whitepaper states. These containers encapsulate any application dependency.
Because of this isolation, multiple versions of the same application dependency can co-exist in the same environment without the administrative overhead of a complete software stack, including the OS kernel, the whitepaper states.
Build once, run on many
Linux containers are intended to offer a “build once, run on many” application development environment that accelerates development and deployment, making containers ideal for DevOps collaboration. Containerised applications are designed to run on bare metal servers, virtual machines, public clouds, and network devices.
Containers can improve application delivery in several ways, including lowering costs, speeding up application development and simplifying security. They are often just a few dozen megabytes, where a typical virtual machine might be hundreds of megabytes, or even gigabytes, according to the whitepaper.
In addition to DevOps, they also make it easier to adopt new IT models such as hybrid clouds and microservices architectures. Microservices are a suite of application components which come together over the network. Each component is written in the best programming language for the task, and each component can be deployed and scaled independently of the others.
Microservices can start up and shut down quickly, and compute, memory, and other resources can scale independently, experts say.
Containers and microservices can improve IT operations through faster application provisioning, improved operating system and application patching, better resource utilisation, better application mobility, fewer operating systems to manage, and greater workload visibility. According to the whitepaper, Cisco is creating an Intercloud of container and microservices in a cloud native and hybrid continuous integration/continuous deployment models across OpenStack, VMware, and public clouds.
Cisco is also looking at using Linux containers in Fog Computing – cloud computing distributed farther out to the edge – a key delivery mechanism for its Internet of Everything initiative.
Linux containers can be used in place of a CLI to help applications configure network resources automatically, or give application developers access to network state, topology, VM port group and performance information for configuration management. This is key selecting the appropriate VLAN, opening ports, configuring load balancing, setting up port security through ACLs, and applying QoS and other network policies.
When a new containerised application is placed in production, the network should recognise the application requirements and apply them.
Cisco’s Nexus 9000 switching line, which runs under NX-OS, offers LXC as a way to program network forwarding tables. This is designed to give developers a greater amount of control over forwarding constructs and be able to directly command control over the switch’s forwarding logic, according to literature on the Cisco web site.
NX-OS also offers Cisco’s onePK development environment and its OpenFlow extensions as ways to program forwarding tables.
Widespread adoption of containers in the enterprise, as is the case with practically any bleeding edge technology, will lag behind service provider deployment and proven use cases, Cisco and Red Hat say. There are still some hurdles to overcome however, particularly in the area of security.
There are a few efforts underway to address kernel exploits at the host operating system level that affect all containers on the host. Vendors are improving techniques like mandatory access control to protect the host and containers from untrusted container processes.
The libseccomp Project, for example, eliminates syscalls to prevent a hacked container from compromising the kernel.
Vendors are also working to create frameworks for managing container images and orchestrating the container lifecycle. But this work will need to identify just one or a few of these frameworks to encourage container adoption, Cisco and Red Hat say.
One such framework is Docker’s libnetwork, which Cisco supports and contributes to, along with IBM, Joyent, Microsoft, Rancher, VMware and Weave. The Docker framework is a multi-platform library and Container Network Model for networking and porting distributed, container-based applications across multiple platforms.
Critical integration point
“Cisco sees libnetwork as a critical point of integration that will allow the networking giant to pursue a number of data centre networking opportunities,” says Casemore. “Foremost among them is the opportunity to deliver a manageable, scalable infrastructure — comprising UCS servers, Nexus switches and Cisco’s Application Centric Infrastructure (ACI) — that will be optimised for container-based microservices. Cisco also sees potential in developing ACI-based policy frameworks around application and operational intent for Docker microservices, in helping customers deploy Docker applications alongside their existing environments and tools and in assisting companies with organisational changes that will allow them to derive full benefit from Docker-based microservices.”
Vendors are also looking to create an audit trail for containers that would show when and where containers are delivered, and their content. It might also include information about who produced the container, the container’s products and components — for license management — and certifications.
Jim Duffy, IDG News Service