Life without Service Containers - Cisco Live

Introduction

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS 3BRKARC-1101

Too many devices to

troubleshoot for identifying

the actual issue

Life without Service Containers

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS 4BRKARC-1101

Acquiring Knowledge

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS

Life with Service Containers

5BRKARC-1101

• Space and power saving

• No troubleshooting on multiple servers for applications

• No need for separate storage, cooling, switch

#CLUS

Sutheendiran Vijendiran, Software EngineerBRKARC-1101

An Introduction to Cisco Service Containers on ISR 4000 routers


• Routers started as packet processing machines, but now they have evolved to perform many computing functions. Routers have acquired so much processing power that traditional desktop PC hardware is no longer required to perform the function of a server at the branch. Server applications can be hosted inside the router

Goal :

• High level overview of Service containers

• Building and installing Service Containers

• Deploying ISR-WAAS as a virtual service without appliances

Session Abstract

BRKARC-1101 7

Agenda


• Introduction

• WW of Service Containers and Dockers

• Router requirements

• Creation and Deployment of service Containers

• Installation of Virtual Service-ISR WAAS

• Summary

8BRKARC-1101


Cisco Webex Teams

Questions? Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session

Find this session in the Cisco Events App

Click “Join the Discussion”

Install Webex Teams or go directly to the team space

Enter messages/questions in the team space

How

Webex Teams will be moderated by the speaker until June 18, 2018.

cs.co/ciscolivebot#BRKARC-1101

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 9

1

2

3

4

9

WW of Service containers and Dockers


What are Service Containers

• Service containers are virtual machines that run on the routers on which applications can be hosted (Cisco provided or non-cisco).

• Supported on most of the platforms running on IOS XE.

• IOS XE is based on the Linux architecturewhich supports virtual machine hosting.

11BRKARC-1101

Cisco IOS

Apps

container



In Linux environment, there are 2 options for VM hosting:

1. KVM - Kernel Virtual Machine

2. LXC - Linux virtual Containers

12BRKARC-1101



Linux Containers (LXC):

Common resources such as kernel and core components are shared between guest and the host system.

This hosting type is not currently supported for non-Cisco applications.However, Cisco signed applications are provided with this type.

13BRKARC-1101

OPERATING SYSTEM

App LIB App LIB

LXC



KVM (kernel Virtual Machine):

This types of VM’s have dedicatedkernel and other resources that are carved out from the host resources.

This resource separation provides security and flexibility for application development as developers need not worry about compatibility with host system.

14BRKARC-1101

Host OS (Linux Kernel)

Host OS (Linux root file system)

Hardware Resource

IOS

& h

ost

serv

ice

Application

Guest Root file system

Guest OS Kernal


Why Service Container

Benefits:

Your ISR 4000 router is no longer a router, it is a server (even without a server blade) as lightweight applications can be hosted.

Lightweight applications of your choice can be hosted without Cisco signing.

15BRKARC-1101



Cisco also provides applications to host.For example:

• ISR WAAS • SNORT IPS• Inventory Management• WAN Optimization

open service container applicationis the property of the application developer.

16BRKARC-1101

Snort IPS Wan Opt

ISR WAAS

Inventory

Deployment in later slides



If you are running Linux servers, chances are that you already have applications that can be transferred onto the service containers for hosting.

17BRKARC-1101

The apps use the Linux infrastructure of the IOS XE operating system to host both LXC and KVM on ISR4000 routers.



• Cost of purchasing dedicated hardware appliances is reduced • No major branch HW changes• No physical cabling • Most of the time, the control plane

of the router will be inactive ,This will leave much CPU time that can be utilized for service containers without affecting packet forwarding performance of the router.

18BRKARC-1101

High performance


Dockers

Another popular technology :• They are packaged by including all the libraries and dependencies

that are required to run an application • Compare to VM, it uses very less resources. • Dockers are lightweight and use to share the kernel with the host.• Since they use the same host kernel it is not supported directly

ISR 4K routers at this time.

19BRKARC-1101

Dockers aren’t a virtualization technology. It is an application delivery technology.

Router Requirements


ISR 4000 SERIES•Multi-core architecture •IOS-XE: Separated Control and Data Plane •1-3 Cores are Service Container Ready

21BRKARC-1101

IOSd

Scalable Data planes

Data packetsNIM SM-X

Multi gigabit fabric

dispatcher

Service and control plane CPU

Front Gig interfaces

Multi gigabit fabric

ISR 4K contains additional processing cores built-in standard to allow full-featured services to run on-board


ISR 4000 Series – 4400 Architecture layout

22BRKARC-1101

Control & service plane CPUs

Network Interface module

Enhanced Service modules

Front Panel Interfaces

Next Gen DSP(PVDM4)

Multi-core Data Plane


ISR 4000 Series – 4400 Architecture

23BRKARC-1101

Service containers home

IOS

Control Plane (1 core) and Services

Plane (3 cores)

Data Plane (6 cores)

FPGE

ISC

SM-X

MultigigabitFabric

NIMService Plane

KVM - Hypervisor

Service Container


ISR 4000 Series - Platform capabilities

24BRKARC-1101

Platform Intel X86 Processor

CPU System Memory Memory for KVM Storage

ISR4451 Intel Gladden 4 core 2GHz

3 cores (equivalent)

4-16GB 0-12GB NIM-SSD(200GB, 400GB), NIM-HD(500GB, 1TB)

ISR4431 Intel Gladden 4 core 1GHz


4-16GB 0-12GB NIM-SSD(200GB, 400GB), NIM-HD(500GB, 1TB)

ISR4351 Intel Rangeley 8 core 2.4GHz


4-16GB 0-12GB MSATA(50GB, 200GB), NIM-SSD, NIM-HD

ISR 4331 Intel Rangeley 8 core 2.0GHz



ISR 4321 Intel Rangeley 4 core 2.4GHz

1 core (equivalent)



ISR 4000 Series – Add-ons

Memory :

• As of now, Service Containers REQUIRE additional DRAM beyond the 4GB system default

• Additional DRAM beyond 4GB will be available to a KVM application

25BRKARC-1101

CISCO MEM-4400-4G

Example: • 8GB DRAM will have

4GB available to Service Containers

• 16GB DRAM will have 12GB available to Service Containers


ISR 4000 Series - Storage Options • No storage is included by default to support service containers

• Hosted applications do not have access to bootflash

Hence, use hard disks:

26BRKARC-1101

NIM-SSD • 1 or 2 hot-swappable 200GB SSD drives

• 400GB option is available too

NIM-HD • 1 hot-swappable 1TB drive

SSD-MSATA-200G • Doesn’t consume a NIM slot!• Embedded 50GB or 200GB SSD

storage• Not available on 4431/4451

Creation & Deployment of Service containers


Service Container - Quick InformationApplication to run on service container There are no restrictions on what can run

in a service container. Popular use cases include: • Network monitoring agents • Troubleshooting applications

Cisco IOS XE Software support Cisco IOS XE routers beginning with Release 3.17 Support is also included in Cisco IOS-XE Release 16.2 and later

License No software license is required

Type of Files for KVM apps Service containers use an industry-standard open virtualization archive (OVA) file. While the format of an OVA is standard, the contents are not.

28BRKARC-1101


Service Container - Brief Installation Steps

29BRKARC-1101

• Install IOS-XE 3.17 or later • Copy the .ova file(Example: service_container.ova file to the hard disk)• a quick way is to copy to a USB memory stick first and plug it into the

router • Use the virtual-service install CLI to install the container

Configure IP addresses• Configure the virtual-service

Activate the virtual-serviceDone!

NIM SSd

USB

Configure DHCP if desired for the VM &Configure NAT if desired for traffic between the VM and the outside world


Where the WAAS app sits - XE software Architecture

30BRKARC-1101

Platform-Specific Data plane

Linux OS

IOSdControl plane

KVM/LXC virtual Ethernet

WAASCustomer and 3rd Party Apps

Core for IOS

Container runs on this base

Router data plane

Service plane (spare cores)

Service containers

ISR WAAS can be deployed on a single

router or multiple routers as desired.


Packet Punt Path

31BRKARC-1101

App App App App

VMLXC

ContainerVM

libvirt VMAN

KVM Driver LXC Driver

CLI

IpsecControl Plane

Routing Table Calc

Core Core Core Core Core Core Core

Crypto

NBAR2

PfRv3

ZBFW

Packet Forwarding

BQS

Kernel Vis. Support

vEtho..n Linux Bridge

Punt PathLinux Kernel

IOSd

Data Plane

Multigigabit Fabric

Interfaces

Services Plane Control Plane Data Plane


Service Container - Installation Flow

32BRKARC-1101

Preparing Linux Environment

Documenting Requirements

Allocate Resources (cpu,memory)& create Virtual Machine

Install Required Applications

Build Configurations

Build an OVA that can be installed on IOS-XE platform


How to Build a Service Container

Building a service container is easy as it involves creating an OVA package by including all the files.

Coding is involved in application developing.

33BRKARC-1101

No coding is needed to build a Cisco supported service container.


OVA - Open Virtual Appliance

• Cisco Service Container OVA packages are relatively simple.

• Contains all the files necessary to deploy a VM in TAR archive format.

• Need to create a Open Virtual Format and a standard which will be in the OVA file.

34BRKARC-1101

OVA


OVA - Files

• The industry standard package for a virtual machine is known as an Open Virtual Appliance or OVA

• There are only a few required files listed in the table next slide

• ISO, QCOW2 or RAW

35BRKARC-1101

ISO This represents the binary read-only or read-write

QCOW2 or RAW disk image for the virtual machine

Complex files


OVA – File contentsName Definition Use Origin

package.yaml Virtual Machine definition defined in YAML format.

Used by Virtualization Manager to provision the virtual service

Provided by s/w developer for virtual service.

*.mf

Manifest file that contains SHA1 hash for each file in the OVA

Used by Virtualization Manager to verify the integrity of the files in OVA

Automatically generated by script or created using tools such as open ssl.

*.ver

Simplified compatibility check with Virtualization Infrastructure

Used by Virtualization Manager to perform simple compatibility check.

Simple text file provided by s/w developer.

*.img HDD image files (qcow2, raw)

Used to package pre-installed images or pre-allocated empty storage for usage by virtual machine.

Provided by s/w developer.

*.ISO ISO image files Used to pass CDROM images or root file systems

36BRKARC-1101


PC Requirements • At least 8GB more than the size of the desired service container

memory

• At least 2s+15 GB of free disk space where ‘s’ is the size of the desired service

37BRKARC-1101

Container disk space :For example a 20GB sized service container will require a development PC with at least 2x20+15 = 55GB of free disk space.

If you don’t have such space, consider using USB memory or network storage


OVA Creation

• Enable Intel virtualization technology support (VT) from BIOS

• Obtain 64 bit version of Ubuntu long term support (LTS)

• Create a virtual machine using downloaded Ubuntu ISO file using applications that support virtual machine creation such as Virtual Box

38BRKARC-1101

Ubuntu 64 bit version

Virtual box


OVA Creation – Continued..

• After creation, select processor type to support Intel or AMD virtual technology

• This installed VM will serve as Linux environment for building the service container (OVA file) that can be installed on the ISR 4000 router.

• Transfer the ISO file to the desktop

of installed VM as it is required to

create another VM inside the VM.

39BRKARC-1101


OVA Creation – Continued..

• Open terminal and type the below command to confirm that Intel VT support is enabled:

egrep -c '(svm|vmx)' /proc/cpuinfo

• Make yourself a root user and install packages required to create and manage virtual machines on Linux environment:

apt-get install qemu-kvm libvirt-bin bridge-utils virt-manager qemu-system

40BRKARC-1101

The terminal here is Ubuntu 64 bit installed

on the pc


OVA Creation – Screen View

41BRKARC-1101

Windows pc or mac

VM ware work station

Ubuntu#1 (used as development environment)

Virtual Machine properties

VM details/info


OVA Creation Screen - continued..

• The following command is used to view installed virtual machines. The output below shows that No VMS are installed, but it confirms that required virtual service management components are installed:

• virsh -c qemu:///system list

• Id Name State

42BRKARC-1101

System list output

VSM components installation


OVA Creation - Open up virtual manager from GUI• Create a new virtual machine which you copied before by providing a

name.

• Selecting correct OS type with required memory and disk sizes.

• Install by accepting default options.

43BRKARC-1101

example Assigning memory

Installation



• Enable SSH and virtual serial console

• Install any other applications as necessary

• Build the container

44BRKARC-1101

Start virtual machine manager

Open ssh server should be installed to enable ssh

As root user create a file /etc/init/ttyS0.conf and then type sudostart ttyS0

VM created



• Once completed, the new VM will be available in the following location:

/var/lib/libvirt/images/name..img

45BRKARC-1101

This file describes things such as CPU, memory and storage requirements, network interfaces, pointers to disk images and any serial console options. This is great for the open source community. Lousy for predictability when writing applications for wide distribution in network devices.

name refers to the name that you provided during VM creation


OVA Creation - Final Step

Create a directory, copy package.yaml, create_ova.ssh and version.ver into it.

46BRKARC-1101

mkdir container-build; cd container-buildwgethttps://github.com/shabaz123/ServiceContainers/raw/master/templ ates.tartar xvf templates.tarcp templates/create_ova.sh .mkdir ubuntu; cd ubuntucp ../templates/package.yaml .grep manifest-version package.yamlecho 1.0 > version.versuqemu-img convert -p -c -f raw -o compat=0.10 -O qcow2 /var/lib/libvirt/images/ubuntu.imgubuntu.qcow2 chown bob:bob ubuntu.qcow2exit./create_ova.sh -mts 200000 -mfs 100000 ubuntu

This cmd will Convert the .img file into qcow2 format (qemu-img convert -p -c -f raw -o compat=0.10 -O qcow2

/var/lib/libvirt/images/ubuntu.imgubuntu.qcow2)

Set user permission to a non-root user using chowncommand

This command will create .mf file and qcow2 file will not be compressedNow the ova file is ready


Developer workflow• Working with Virtual Services is almost same as working with KVM

virtual machines

47BRKARC-1101

Tool USE

virt-manager GUI Linux VM Manager for

crafting KVMs. GUI

qemu-img Converting disk image formats.

qemu-img convert -p -c -f raw -

O qcow2 <raw.img>

<qcow2.img>

openssl Generates the manifest file.

qemu-img convert -p -c -f raw -

O qcow2 <raw.img>

<qcow2.img>

tar Packages the files into an OVA. tar -cvf VM.ova vm.qcow2

*.yaml vm.mf

create_ova.sh Creates the OVA filecreate_ova.sh [<options>]

<directory>

The development workflow and

common development tools used for KVM can still be used when

developing, or modifying existing

applications, for the Virtual Service Environment.


Service Container Configure & Activate CommandsCommand Description

Virtual-service Takes in to the virtual service config mode

signing level unsigned to run non-cisco apps as well

interface virtualportgroup 1 Interface will be used to communicate between the host and the guest apps

ip address 10.0.0.1 255.255.255.0 assigning ip

virtual-service testapp giving a name for the virtual service

vnic gateway virtualportgroup 1 mapping the virtual interface with the virtual service instance

activate activating the service

48BRKARC-1101


Service Container - Supported Interfaces

VirtualPortGroup Interface Management Interface

Act as the default gateway to the guest's interface

Will need to be in the same subnet as the guest interface, but will not act as the gateway

49BRKARC-1101

The order in which these interfaces are defined is also maintained in the guest.

guest ip address 10.0.0.2 Optional guest interface configuration


Service Container - Install/Monitor Commands

50BRKARC-1101

specifies the name for virtual instance and points the location of OVA pkgused to install the service instance

Shows current status including application install progress of the installed container

connects to the virtual console for management purposes

Installation of Virtual Service :

ISR WAAS


ISR WAASBusiness organisations are trying to expand their presence and reach without geographical constraints with the help of internet. This trend has prompted the need for making WAN connections more reliable and efficient by minimising bandwidth consumption, by reducing latency and by minimising the packet loss.

52BRKARC-1101

Benefits Features

WAN optimization Transport flow optimization (TFO)

Application acceleration: Data redundancy elimination (DRE)

Ease of initial and ongoing deployment

Adaptive, persistent, session-based compression

As a result, critical applications and other computing resources can be accessed by remote usersas if they are present in the local environment (lan-like experience).


ISR WAAS – Install

Router details : (outputs from the router)

53BRKARC-1101

ISR4K# sh ver

System image file is "bootflash:isr4400-universalk9.16.03.06.SPA.bin"

cisco ISR4451-X/K9 (2RU) processor with 7794898K/6147K bytes of memory.

4 Gigabit Ethernet interfaces32768K bytes of non-volatile configurationmemory.

16777216K bytes of physical memory.7393215K bytes of flash memory at bootflash:.0K bytes of at webui:

20971520K bytes of SATA hard disk at harddisk:.

16G DRAM(8+8)

IOS-XE image /version

200G NIM-SSD


ISR WAAS Virtual Service Install

54BRKARC-1101

ISR4K#virtual-service install name ISRWAAS package harddisk:ISR-WAAS-6.4.1a.6.ova

ISR4K#sh virtual-service listVirtual Service List:

Name Status Package Name-------------------------------------------------------------------ISRWAAS Installed ISR-WAAS-6.4.1a.6.ova

Installing package 'harddisk:/ISR-WAAS-6.4.1a.6.ova' for virtual-service 'ISRWAAS'. Once the install has finished, the VM may be activated. Use 'show virtual-service list' for progress.

Installation complete

.ova is stored in HDD

Downloaded from cisco software download page

Shows current status including application install progress of the installed container


ISR WAAS –Virtual Service Configuration & Creation

55BRKARC-1101

ISR4K(config)#interface virtualportGroup 4ISR4K(config-if)#no shutISR4K(config-if)#ip address 192.168.4.4 255.255.255.0ISR4K(config-if)#end

ISR4K#show virtual-service profile name ISRWAASVirtual Service ISRWAAS profiles:

Name Description Allowed -------------------------------------------------------------------------ISR-WAAS-2500 ISR-WAAS profile for 2500 TCP connections Yes ISR-WAAS-1300 ISR-WAAS profile for 1300 TCP connections Yes ISR-WAAS-750 ISR WAAS profile for 750 TCP connections Yes

ISR4K(config)#virtual-service ISRWAASISR4K(config-virt-serv)#profile ISR-WAAS-750ISR4K(config-virt-serv)#vnic gateway virtualPortGroup 4

IP address for router side

Available profiles based on requirement

Create the ISR WAAS container

profile Max.opt tcp DRAM (GB) Number of SSD(200G)

Flash(GB)

ISR-WAAS-750

750 8 1 16

ISR-WAAS-1300

1300 16 1 32

ISR-WAAS-2500

2500 16 2 32


ISR WAAS - Activate the Virtual Service

56BRKARC-1101

ISR4K(config)#virtual-service ISRWAAS

ISR4K(config-virt-serv)#activate

% Activating virtual-service 'ISRWAAS', this might take a few minutes. Use 'show virtual-service list' for progress.

ISR4K#sh virtual-service listVirtual Service List:

Name Status Package Name-----------------------------------------------------------------ISRWAAS Activated ISR-WAAS-6.4.1a.6.ova

pkg infoStatus info

Note: The Cisco ISR-WAAS

Container Lifecycle enables a user to install, uninstall,

activate, or deactivate the

service container


Summary Steps

57BRKARC-1101

Install Service (package)

Configure Service (VM

instance)

Start Service (VM

instance)

Monitor Service

Deactivate and Un-

install service

Virtual-service install name <name> package <hdd: .ova>

(conf)Int Virtualportgroup 1Ip address Virtual-service <name>Vnic gateway virtualportgroup 1

(Conf) virtual-service <name>start

Show virtual-service listShow virtual-service detail name <name>

(conf)virtual-service <name>No activateVirtual-service name <name> uninstall


Guest Shell – As Simple As Possible • Cisco is trying to make the deployment of application hosting as

simple as possible – Guestshell

• Guestshell is a Linux container

• 2 steps to activate the Guestshell containers:

1. Enable the IOx framework

2. Enable the guest shell.

• Though Guest Shell shares the kernel with the host system, users within the Guest Shell cannot modify the host file system and processes.

58BRKARC-1101

conf tioxexitguestshell enable

Guest shell is supported on IOS-XE platforms from 16.5.1 and later releases

To run any script or Linux application, use guestshell run command


More info :More information about developing your own open service container application?

A Cisco DevNet is the premiere place to find developer resources and connect with a community of Cisco and third-party developers who are excited to provide help in getting your application running. You can also find sample code, including complete functioning OVAs and developer guides to get you started.

Visit https://developer.cisco.com/site/kvm/ to get started.

59BRKARC-1101

https://developer.cisco.com/site/kvm/


Container - Specific Sessions

Break Out:

• Use the Unused : Utilizing the Containers in ISR4K [BRKARC-1002]

• Introduction to Containers and Container Networking [BRKSDN-2115]

• Containers and Microservices: A Survival Guide [BRKSPV-1110]

DevNet:

• DevNet Workshop- Getting Started with Containers [DEVNET-2042]

• DevNet Workshop-Fun with Containers on ISR4K [DEVNET-3624]

60BRKARC-1101

Complete your online session evaluation


Give us your feedback to be entered into a Daily Survey Drawing.

Complete your session surveys through the Cisco Live mobile app or on www.CiscoLive.com/us.

Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Online.

61BRKARC-1101

http://www.ciscolive.com/us

http://www.ciscolive.com/Online


Demos in the Cisco campus

Walk-in self-paced

labs

Meet the engineer

1:1 meetings

Related sessions

Continue your education

Presentation ID 62

Thank you

#CLUS


Internet of Things (IoT) Cisco education offerings

65

Course Description Cisco Certification

Managing Industrial Networks for Manufacturing (IMINS2)

An associate level instructor led lab based training focuses on common industrial application protocols, security, wireless and troubleshooting designed to prepare you for the CCNA Industrial certification

CCNA® Industrial

Managing Industrial Networks with Cisco Networking Technologies (IMINS)

This instructor led lab based training addressesfoundational skills needed to manage and administer networked industrial control systems for today's connected plants and enterprises. It helps prepare plant administrators, control system engineers and traditional network engineers for the Cisco Industrial Networking Specialist certification.

Cisco Industrial Networking Specialist

Control Systems Fundamentals for Industrial Networking (ICINS)

For IT and Network Engineers, provides an introduction to industry IoT verticals, automation environment and an overview of industrial control networks (E-Learning)

Pre-learning for IMINS, IMINS2 training & certifications

Networking Fundamentals for Industrial Control Systems (INICS)

For Industrial Engineers and Control System Technicians, covers basic IP and networking concepts, and introductory overview of Automation industry Protocols.

Pre-learning for IMINS, IMINS2 training & certifications

For more details, please visit: http://learningnetwork.cisco.comQuestions? Visit the Learning@Cisco Booth

BRKARC-1101

http://learningnetwork.cisco.com/


Digital Business Transformation Cisco education offerings

66

Course Description Cisco Certification

For Technology Sellers:

Adopting the Cisco Business ArchitectureApproach

Builds skills to discover and address technology needs using a business-focused, consultative sales approach, broadly applicable and targeted to prepare for the digital transformation journey that is demanded across the business world.

Cisco Business Architecture Analyst

Applying Cisco Business Architecture Techniques

Provides tools and skills training to prepare the learner to use a business led approach to technology solutions sales and deployments. This continues the journey begun with the Adopting the Cisco Business Architecture Approach above

Cisco Business Architecture Specialist

Mastering the Cisco Business Architecture Discipline

Builds skills, and proven, real-world techniques to prepare for a Business architect leadership role in the sales and deployment of transformative technology solutions.

Cisco Business Architecture Practitioner

Cisco Customer Success Manager Specialist Prepares for the crucial role that drives adoption and enablement, ensuring that customers achieve their expected business outcomes, and reduces churn/increases renewal for services and subscription based products.

Cisco Certified Customer Success Manager

For more details, please visit: http://learningnetwork.cisco.comQuestions? Visit the Learning@Cisco Booth

BRKARC-1101

http://learningnetwork.cisco.com/

Life without Service Containers - Cisco Live

Documents

Transcript of Life without Service Containers - Cisco Live