Thanks for the info. As I wrote before, I am very new to networking. So, I take it that I should make sure the datacenter allows “peering”? Is that the correct term to ask their sales department? Is it common for ISPs to support this? I’m looking into using dedicated servers from OVH for this project. I have never rented servers from OVH but they look very reasonably priced for “beefy” servers. Do you know if OVH supports “peering” by a customer's dedicated servers? They do sell higher priced servers that are on something they call a VRack for private networking and these VRack servers do apparently have access to the router, but I’m not clear whether that router is only for private network or for the public IPs as well. I’m also not clear whether I even need VRack at all and just get servers with a single network interface to the Public network.
How should this really be set up? I realize that there are probably many valid choices to make in setting up my cluster networking, but I'm really just looking for the “best practices” for deploying a website on 6 or more dedicated servers and having the Public part of the website be Highly Available (so users won’t have connections time out when I either do scheduled reboots of containers/servers or one fails unexpectedly). I want all services that make up my website, including app, database, caching, mail, etc., to be deployed with 3 containers for each service running on 3 separate dedicated servers. So, if one or two dedicated servers fail with a corrupt/failing SSD or some other unexpected event in the middle of the night, the website still chugs along until I can address the problem the next day and either add a new dedicated server or two to my cluster or fix the problems with the failed servers.

At the moment, I am planning on deploying CoreOS and Docker on my dedicated servers and probably using Docker Machine/Compose/Swarm to spin up containers as needed. I’m investigating whether I should add Calico to the mix or just go with the standard “out of the box” Docker Multi-tenant Overlay networking (coming in 1.8?). As I understand it, Calico should allow me to provide HA public IPs for users of my site if I can get the Datacenter to support it. Otherwise, I don’t really need Calico and the Overlay networking should work just fine for my small cluster of servers. Right?

Finally, I realize that all these projects are not really “production ready”. How long do you think it will be before Calico is “production ready” for use with CoreOS/Docker? I assume it will be at least a few months after Docker 1.8 comes out with networking plugin support (if that is exiting “experimental”), but maybe Calico will be ready next month?

Kevin

> On Jul 24, 2015, at 11:05 AM, Shaun Crampton <shaun.cramp...@metaswitch.com> wrote:
>
> Hi Kevin,
>
> Thanks for paying us a visit.
>
> Calico is pretty flexible so it can be used with or without peering to
> the datacenter fabric.
>
> Peering to the fabric is what brings most of the benefits of Calico. For
> example, your containers can be assigned their real, public IP addresses
> rather than relying on NAT. Calico then announces the public IP to the
> fabric of the datacenter and the packets for that IP address should just
> arrive at the host. You can certainly move an IP around between
> containers using Calico, which may help with your HA problem. However, we
> don't (yet) have any HA integration in place to automate that for you.
> You'd have to decide when the container is down and tell Calico to move
> the IP. Calico would then advertise out the new location of the IP.
>
> We also have some support for anycast, where multiple containers have the
> same IP and the network routes to the "closest" instance of that IP. If
> one of the hosts running a container goes down, the network will spot that
> the BGP connection has gone away and route to the other one.
>
> If you don't peer then you can use Calico for internal (private)
> connectivity between your containers but then you'll need to do NAT to get
> the packets to your containers. Our FAQ [1] explains how to set up NAT
> to/from containers with private IPs.
>
> The Calico approach to security is to enforce security through policy in
> iptables rather than by isolating public/private networks on different
> interfaces. It becomes pretty meaningless to do that isolation when
> you're already talking about virtualised networks.
>
> You can configure Calico to announce any IP that you choose. However, the
> datacenter should police that only you are announcing the IPs that you've
> been assigned. They should have policy in place at their border router to
> only announce the IPs that they know belong to their customers. There's
> nothing new about announcing IPs with Calico.
> A hacking group could try to announce your IP from another datacenter
> already but they'd need to get the datacenter and its peers to trust them
> to do so.
>
> Hope that helps!
>
> -Shaun
>
>
> [1] https://github.com/Metaswitch/calico-docker/blob/20adfd2b7640af9d85c4af76916e043286691452/docs/FAQ.md
>
> On 24/07/2015 15:00, "KT Walrus" <ke...@my.walr.us> wrote:
>
>> Just discovered Project Calico in my search for a Docker networking
>> plugin. I'm working on deploying my first multi-server site. I want the
>> site to use 3 dedicated servers with NGINX for HTTPS using a HA VIP. My
>> cluster of 6 servers will have 3 of the servers accessible on Public IPs
>> with all servers on a private network for the backend Dockerized
>> micro-services. I will also be providing SMTP/IMAP access using another
>> HA VIP.
>>
>> In reading the documentation/blog about Calico networking, it is not
>> clear to me exactly what requirements I will need from the DC where my
>> dedicated servers reside. I think that Calico can support announcing
>> next-hop to the DC routers so these routers can do HA load balancing of
>> my HA VIPs with the routes being "automatically" withdrawn if one or more
>> of the load balancing NGINX services fail.
>>
>> I am a newbie to all this networking stuff, so I could be just
>> misunderstanding how Calico works.
>>
>> What are the requirements on my ISP? Do they have to be cooperative in
>> setting up their routers to support my HA VIPs? I haven't chosen where to
>> rent my dedicated servers yet, but my current ISP only offers to do HTTPS
>> load balancing of a VIP for HA for a fee (but doesn't do SMTP/IMAP VIP
>> load balancing, I think). This hasn't been a problem in the past since my
>> websites all fit on one server and don't need HA. Also, the ISP charges
>> extra to put servers on a private network (physically separate from the
>> public network).
>> Will I need my servers on a private physical network or
>> can Calico be used to have Public and Private networking on a single
>> ethernet interface so I don't have to pay extra for the Private network?
>>
>> Does getting the ISP to allow my servers to "announce" routes for HA VIPs
>> (if that is how Calico works) introduce any security issues for me (like
>> letting a hacker group possibly divert real traffic to their own servers)?
>>
>> Anyway, it would be nice if you could blog or provide documentation on
>> exactly what the requirements are on the ISP to allow Calico SDN on
>> clusters of dedicated servers. I know if I used a Cloud ISP like Google
>> or Amazon, these issues would be handled by "the cloud". But a guide on
>> what questions to ask the ISP before purchase to ensure that Calico can
>> be used for a cluster of dedicated servers running Docker containers
>> would be helpful.
>>
>> Maybe such a guide is already posted somewhere, but I didn't find it in
>> browsing the site today.
>>
>> Kevin
>>
>>
>> _______________________________________________
>> calico-tech mailing list
>> calico-tech@lists.projectcalico.org
>> http://lists.projectcalico.org/mailman/listinfo/calico-tech_lists.projectcalico.org
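The two points Shaun makes above, that the datacenter's border router must only accept from a customer the prefixes actually assigned to that customer, and that with anycast a dead host's BGP session dropping is what withdraws its path, can be shown with a small model. The following is an added example written for this page, not code from Calico, BIRD or any datacenter's router configuration: the allocations, peer names and next-hop addresses are constructed sample data in documentation address space, and a real border router would express the same policy as a per-peer prefix-list rather than in Python.

```python
import ipaddress

# Constructed sample data (RFC 5737 / RFC 3849 documentation space), not taken
# from the thread or from any real Calico/OVH deployment.
ALLOCATIONS = {
    "customer-a": ["203.0.113.0/26", "2001:db8:a::/48"],
    "customer-b": ["203.0.113.64/26"],
}
# Which customer each BGP peer (a dedicated server running a Calico BGP
# speaker) belongs to. Hypothetical names.
PEER_OWNER = {
    "host-a1": "customer-a",
    "host-a2": "customer-a",
    "host-b1": "customer-b",
}


def route_allowed(peer, prefix, allocations=ALLOCATIONS, peer_owner=PEER_OWNER):
    """Ingress policy for one prefix announced by one peer.

    Accept only if the prefix is well-formed and lies entirely inside a block
    assigned to the customer that owns `peer`. A /32 (or /128) VIP inside the
    customer's block passes; a covering prefix, another customer's space, a
    default route or a malformed prefix is rejected. Returns (accepted, reason).
    """
    owner = peer_owner.get(peer)
    if owner is None:
        return False, "unknown peer"
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        return False, "malformed prefix: %s" % exc
    for block in allocations.get(owner, []):
        alloc = ipaddress.ip_network(block)
        # subnet_of() raises on mixed address families, so compare version first.
        if net.version == alloc.version and net.subnet_of(alloc):
            return True, "inside %s" % alloc
    return False, "outside %s allocation" % owner


class BorderRib:
    """Minimal model of a border router's table: prefix -> {peer: next_hop}."""

    def __init__(self):
        self.paths = {}      # "203.0.113.10/32" -> {"host-a1": "10.0.0.1", ...}
        self.rejected = []   # (peer, prefix, reason) for every filtered announcement

    def announce(self, peer, prefix, next_hop):
        ok, reason = route_allowed(peer, prefix)
        if not ok:
            self.rejected.append((peer, prefix, reason))
            return False
        key = str(ipaddress.ip_network(prefix))
        self.paths.setdefault(key, {})[peer] = next_hop
        return True

    def withdraw(self, peer, prefix):
        key = str(ipaddress.ip_network(prefix))
        peers = self.paths.get(key)
        if peers is not None:
            peers.pop(peer, None)
            if not peers:
                del self.paths[key]

    def session_down(self, peer):
        """Losing the BGP session withdraws every path learned from that peer."""
        for key in list(self.paths):
            self.withdraw(peer, key)

    def next_hops(self, prefix):
        """Next-hops still usable for the prefix: with anycast, one per live host."""
        key = str(ipaddress.ip_network(prefix))
        return sorted(self.paths.get(key, {}).values())


def demo():
    """Anycast VIP from two hosts, three hijack attempts, then one host dies."""
    rib = BorderRib()
    rib.announce("host-a1", "203.0.113.10/32", "10.0.0.1")
    rib.announce("host-a2", "203.0.113.10/32", "10.0.0.2")
    # Rejected: another customer's peer announcing a's VIP, a covering /24
    # that would swallow customer-b's block, and a default route.
    rib.announce("host-b1", "203.0.113.10/32", "10.0.0.3")
    rib.announce("host-a1", "203.0.113.0/24", "10.0.0.1")
    rib.announce("host-a1", "0.0.0.0/0", "10.0.0.1")
    before = rib.next_hops("203.0.113.10/32")
    rib.session_down("host-a1")   # host-a1 fails; its path goes away on its own
    after = rib.next_hops("203.0.113.10/32")
    return before, after, len(rib.rejected)


if __name__ == "__main__":
    print(demo())
```

The filter is what answers Kevin's security question: a third party can only divert the VIP's traffic if some router along the way accepts their announcement, and a border router that checks each customer session against that customer's allocation (including rejecting covering prefixes, not just foreign ones) does not. The `session_down` step is the anycast failover Shaun describes; nothing has to "tell" the router the host is gone, the missing session withdraws the path.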