Category Archives: congress

Contiv – Policy based networking for Containers

Contiv is an open-source project, driven primarily by Cisco, for policy-based networking, storage and cluster management for containerized applications. In this blog, I will focus on how Contiv does policy-based container networking. In the next blog, I will cover some hands-on stuff that I tried with Contiv.

Container Policy

Policies have become critical to control the business logic in a cloud environment. There are 2 ways to describe policy. In the imperative model, policy is defined in terms of how the end goal is achieved. For example, specifying filters and actions with the Openflow protocol to achieve the end goal of packet handling is an example of the imperative model. In the declarative model, policy is defined in terms of the end goal, which gives the end system the flexibility to implement the policy in different ways. Congress and Opflex are examples of the declarative policy model.

With the declarative model, it is possible to specify the policy in terms of business logic without specifying implementation detail. For example, the business logic can say that the web container should not talk to the database container. This business logic can be implemented with an iptables rule or with a hardware TCAM rule that blocks specific ports.

In a cloud computing world, policies can be defined for compute, storage and networking. Both containers and VMs need policies to implement business logic. Following are examples of some policies that can be applied to applications deployed in the cloud using either VMs or containers:

  • Authorization policy – Specifies tenants and their privileges.
  • Resource usage policy – Specifies resource constraints for tenants, containers and VMs.
  • Application access policy – Specifies containers that can communicate with each other and containers that are exposed to the outside world.
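
To make the declarative model concrete, the sketch below is an added example (not code from Contiv, Congress or the original post) that takes the "web must not talk to database" intent and renders it through two interchangeable backends. The group names, IP addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed inventory (assumed values): container IPs grouped by role.
INVENTORY = {"web": ["10.0.1.10", "10.0.1.11"], "db": ["10.0.2.20"]}

# Declarative intent: names the end goal only, not the mechanism.
# "port": None means all traffic between the two groups.
POLICY = [{"from": "web", "to": "db", "port": None, "action": "deny"}]

TARGETS = {"deny": "DROP", "allow": "ACCEPT"}


def resolve(policy, inventory):
    """Expand group-level intent into concrete (src, dst, port, action) flows."""
    flows = []
    for rule in policy:
        if rule["action"] not in TARGETS:
            raise ValueError(f"unknown action: {rule['action']!r}")
        for group in (rule["from"], rule["to"]):
            if group not in inventory:
                raise KeyError(f"policy references unknown group: {group!r}")
        for src in inventory[rule["from"]]:
            for dst in inventory[rule["to"]]:
                # Reject malformed addresses before they reach a rule string.
                ipaddress.ip_address(src)
                ipaddress.ip_address(dst)
                flows.append((src, dst, rule["port"], rule["action"]))
    return flows


def to_iptables(flows):
    """Backend 1: render flows as iptables commands for the FORWARD chain."""
    cmds = []
    for src, dst, port, action in flows:
        match = f"-s {src} -d {dst}"
        if port is not None:
            match += f" -p tcp --dport {int(port)}"
        cmds.append(f"iptables -A FORWARD {match} -j {TARGETS[action]}")
    return cmds


def to_match_action(flows):
    """Backend 2: generic match/action entries, as a hardware table might hold."""
    return [{"match": {"src": s, "dst": d, "tcp_dport": p}, "action": a}
            for s, d, p, a in flows]


if __name__ == "__main__":
    for line in to_iptables(resolve(POLICY, INVENTORY)):
        print(line)
```

When a new web container is added to the inventory, the policy stays unchanged and only the rendered rules are regenerated, which is the practical benefit of stating the end goal rather than the mechanism.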

Contiv Networking

The Contiv Networking project provides policy-based networking for Docker containers. Following are some details on Contiv Networking:

Continue reading Contiv – Policy based networking for Containers

Cloud policy – Congress and Opflex

Recently, I saw a lot of press on Cisco’s Opflex protocol, which allows a declarative policy model to control a physical or virtual device. There were discussions about whether the Opflex protocol would replace Ovsdb and Openflow. Within Openstack, there is a new project called Congress that allows for creating a policy framework within Openstack. This blog is my attempt to get into more details on Congress and Opflex and explain the relationship between them. This is mostly information gathered from different references that I have listed at the end.

Congress:

Congress is a new Openstack project that is used to enforce compliance within the cloud environment. The end goal would be to integrate Congress with other cloud orchestration software as well. Compliance could be needed because of government regulations, contracts between organizations, SLA enforcement, etc. The following picture illustrates the need for Congress.

Continue reading Cloud policy – Congress and Opflex