Simplifying the Management of Kubernetes with Docker Enterprise Edition

Back in October at DockerCon Europe, we announced that Docker will be delivering a  seamless and simplified integration of Kubernetes into the Docker platform. By integrating Kubernetes with Docker EE, we provide the choice to use Kubernetes and/or Docker Swarm for orchestration while maintaining the consistent developer to operator workflow users have come to expect from Docker. For users, this means they get an unmodified, conformant version of Kubernetes with the added value of the Docker platform including security, management, a familiar developer workflow and tooling, broad ecosystem compatibility and an adherence to industry standards including containerd and the OCI.

One of the biggest questions that we’ve been asked since we announced support for Kubernetes at  DockerCon EU –  what does this mean for an operations team that is already using Kubernetes to orchestrate containers within their enterprise? The answer is really fairly straightforward  –  Kubernetes teams using Docker EE will have the following:

• Full access to the Kube API and all Kubernetes constructs
• Native use of KubeCTL
• If you are developing in Kube YML, seamless deployment
• Ability to develop  in Docker with Compose and leverage your best practices around Kubernetes services

Docker Enterprise Edition with support for Kubernetes Continue reading

Make SSL boring again

It may (or may not!) come as surprise, but a few months ago we migrated Cloudflare’s edge SSL connection termination stack to use BoringSSL: Google's crypto and SSL implementation that started as a fork of OpenSSL.

We dedicated several months of work to make this happen without negative impact on customer traffic. We had a few bumps along the way, and had to overcome some challenges, but we ended up in a better place than we were in a few months ago.

TLS 1.3

We have already blogged extensively about TLS 1.3. Our original TLS 1.3 stack required our main SSL termination software (which was based on OpenSSL) to hand off TCP connections to a separate system based on our fork of Go's crypto/tls standard library, which was specifically developed to only handle TLS 1.3 connections. This proved handy as an experiment that we could roll out to our client base in relative safety.

However, over time, this separate system started to make our lives more complicated: most of our SSL-related business logic needed to be duplicated in the new system, which caused a few subtle bugs to pop up, and made it Continue reading

Dell EMC makes big hyperconverged systems push with new servers

Dell EMC is expanding its hyperconverged infrastructure portfolio with new systems built around 14th generation PowerEdge servers.Converged (CI) and hyperconverged infrastructure (HCI) is a fancy way of saying turnkey systems with compute, storage, networking and software all combined into a single bundle. Rather than building a system from a variety of vendors, the customer gets everything they need from one vendor and it comes pre-configured to run out of the box.It’s basically a page out of the mainframe book, when everything came from one vendor (usually IBM). As server technology moved away from big iron and the x86 market took over, pieces were fragmented. You got your servers from Dell, HP or IBM, storage from EMC or NetApp, networking from Cisco or 3Com, etc.To read this article in full, please click here

Dell EMC makes big hyperconverged systems push with new servers

Dell EMC is expanding its hyperconverged infrastructure portfolio with new systems built around 14th generation PowerEdge servers.Converged (CI) and hyperconverged infrastructure (HCI) is a fancy way of saying turnkey systems with compute, storage, networking and software all combined into a single bundle. Rather than building a system from a variety of vendors, the customer gets everything they need from one vendor and it comes pre-configured to run out of the box.It’s basically a page out of the mainframe book, when everything came from one vendor (usually IBM). As server technology moved away from big iron and the x86 market took over, pieces were fragmented. You got your servers from Dell, HP or IBM, storage from EMC or NetApp, networking from Cisco or 3Com, etc.To read this article in full, please click here

VMware Tweaks NSX Virtual Networks For Containers, Microservices

VMware jumped into burgeoning software-defined networking (SDN) field in a big way four years ago when it bought started Nicira for $1.26 billion, a deal that led to the launch of VMware’s NSX offering a year later. NSX put the company on a crash course with other networking vendors, particularly Cisco Systems, all of whom were trying to plot their strategies to deal with the rapid changes in what had been a relatively staid part of the industry.

Many of these vendors had made their billions over the years selling expensive appliance-style boxes filled with proprietary technologies, and now faced …

VMware Tweaks NSX Virtual Networks For Containers, Microservices was written by Jeffrey Burt at The Next Platform.

Investigating Routing Problems

Automate Remote Site Hardware Refresh Process

Every time we finish the Building Network Automation Solutions online course I ask the attendees to share their success stories with me. Stan Strijakov was quick to reply:

I have yet to complete the rest of the course and assignments, but the whole package was a tremendous help for me to get our Ansible running. We now deploy whole WAN sites within an hour.

Of course I wanted to know more and he sent me a detailed description of what they’re doing:

Telstra Tests Network Slicing Today to Prep for 5G Tomorrow

Managing a lot of different slices is no easy task.

Telefónica Works With Juniper to Monitor its Networks in Spain

Juniper's Telemetry Interface leverages its own silicon.

Power9 To The People

The server race is really afoot now that IBM has finally gotten off the starting blocks with its first Power9 system, based on its “Nimbus” variant of that processor and turbocharged with the latest “Volta” Tesla GPU accelerators from Nvidia and EDR InfiniBand networks from Mellanox Technologies.

The machine launched today, known variously as by the code-name “Witherspoon” or “Newell,” is the building block of the CORAL systems being deployed by the US Department of Energy – “Summit” at Oak Ridge National Laboratory and “Sierra” at Lawrence Livermore National Laboratory. But more importantly, the Witherspoon system represents a new …

Power9 To The People was written by Timothy Prickett Morgan at The Next Platform.

OpenStack Launches Open Source ‘Kata Containers’ Project

It combines technology from Intel and Hyper.

Using SAML with Ansible Tower

This blog post focuses on getting Red Hat Ansible Tower to use SAML as quick as possible. We will use the free OneLogin SAML provider service. Users with an existing SAML service may still find this blog post useful; especially the last section with some troublehooting tips.

Getting Ansible Tower to interoperate with OneLogin SAML requires both systems to have values from each other. This blog post is separated into three sections: the interdependent fields of the two systems, a detailed walkthrough of configuring OneLogin and Ansible Tower with both interdependent and per-system fields and values, and the troubleshooting of potential misconfigurations and corresponding error messages in Ansible Tower.

Interdependence of Ansible Tower and OneLogin

Defined in Ansible Tower, needed by OneLogin:

1. ACS URL
2. Entity ID

Defined in OneLogin, needed by Ansible Tower:

1. Issuer URL
2. SAML 2.0 Endpoint (HTTP)
3. X.509 Certificate

Ansible Tower and OneLogin Definitions

VXLAN designs: 3 ways to consider routing and gateway design (part 1)

With VXLAN design, the easiest thing to overlook is how communication occurs between subnets. I think many times, network engineers take for granted that our traffic will flow in a VXLAN environment. And it’s also easy to get confused when trying to figure out traffic routing path between your overlay and underlay.

As I work with customers in designing VXLAN infrastructures, one of the first questions I always ask is: “Where do you expect the gateway of the servers?”

This always leads to one of three designs, which I will outline over the next two posts. Before we start, know that all these designs leverage BGP EVPN. Ethernet Virtual Private Networks (EVPN) are an address family within BGP that are used to exchange VXLAN related information. This blog won’t go into detail about EVPN, but we have previous blogs to help fill in the gap.

With that said, let’s get started with the first VXLAN design example.

The first case is the simplest environment, and that is the gateway on an internet edge service. In this case, the VXLAN acts as a strict L2 overlay, and the L3 routed BGP underlay is hidden from the end hosts and servers.

Continue reading

DDOS and The DNS

The Mirai DDOS attack happened just over a year ago, on the 21st October 2016. The attack was certainly a major landmark regarding the sorry history of “landmark” DDOS attacks on the Internet. It’s up there with the Morris Worm of 1988, Slammer of 2002, Sapphine/Slammer of 2009 and of course Conficker in 2008. What made the Mirai attack so special? It was the largest we have seen so far, with an attack that amassed around 1Tb of attack traffic, which is a volume that creates not only a direct impact on the intended victim but wipes out much of the network infrastructure surrounding the attack point as well. Secondly, it used a bot army of co-opted webcams and other connected devices, which is perhaps a rather forbidding portent of the ugly side of the over-hyped Internet of Things. Thirdly, the target of the attack was aimed at the Internet’s DNS infrastructure. —Geoff Huston @ CircleID

Cisco Exec Says Enterprises Need Help Navigating Multi-Cloud World   

The world doesn’t need another public cloud.

Pivotal Cloud Foundry Shows Love for Serverless, Containers

Pivotal Container Service, developed with VMware and Google, is initially available.

Terminology Tuesday Presents: ZTP

ZTP stands for Zero Touch Provisioning.  And, as a quick google search will quickly reveal, many other things as well.

Back to our ZTP.  ZTP is the process by which new network switches can be configured without much human involvement.   Notice that I said “much” and not “any”.  ZTP is not it’s not truly zero because something (someone!) needs to put the first components of the network together in order for the rest of the network to be built in a ZTP fashion.

Where provisioning many switches could have quite a while through ZTP processes it’s down to a matter of minutes.  Switches can also be updated automatically with any need for physical intervention.

The beauty of ZTP is the continued march towards more and more robust automation solutions.  Delightfully, once folks aren’t mired in the repetitive manual work they can move onto tasks that bring innovation to businesses and, more importantly, make jobs more enjoyable.  We also can’t ignore the fact that it renders moot a lot of the specialized skills that traditionally defined the role of a network engineer. Continue reading

SLAAC and DHCPv6

When deploying IPv6, one of the fundamental questions the network engineer needs to ask is: DHCPv6, or SLAAC? As the argument between these two has reached almost political dimensions, perhaps a quick look at the positive and negative attributes of each solution are. Originally, the idea was that IPv6 addresses would be created using stateless configuration (SLAAC). The network parts of the address would be obtained by listening for a Router Advertisement (RA), and the host part would be built using a local (presumably unique) physical (MAC) address. In this way, a host can be connected to the network, and come up and run, without any manual configuration. Of course, there is still the problem of DNS—how should a host discover which server it should contact to resolve domain names? To resolve this part, the DHCPv6 protocol would be used. So in IPv6 configuration, as initially conceived, the information obtained from RA would be combined with DNS information from DHCPv6 to fully configure an IPv6 host when it is attached to the network.

There are several problems with this scheme, as you might expect. The most obvious is that most network operators do not want to deploy two protocols to Continue reading

Barefoot Networks Plunges Into Network Monitoring

Barefoot leverages its Tofino programmable switch and the P4 language.

VMware targets cloud and container networking with latest NSX-T launch

VMware today released a new version of its NSX virtual networking software that aims to make it easier to manage network requirements of cloud-native and application-container-based applications.The move represents the latest example of a network vendor evolving its automation tooling to operate in not just traditional data center and campus networks, but increasingly in cloud environments that cater to a faster-pace of application development.+MORE AT NETWORK WORLD: What SDN is and where its going +VMware has two separate versions of its software-defined networking (SDN) software. The more popular and widely-used version named NSX integrates with VMware’s vSphere virtualization management software and the company’s popular ESXi compute hypervisor.To read this article in full, please click here