There are many different ways in which containers are used and enabled throughout the open-source OpenStack cloud platform. With the OpenStack Queens platform, which was released on Feb. 28, there are more options than ever before.
OpenStack has been supporting containers for several years, beginning with the nova-docker driver in the OpenStack Nova compute project, which has since been deprecated. Among the different OpenStack container efforts in 2018 are Zun, Magnum, Kuryr, Kolla, LOCI, OpenStack-Helm and Kata Containers.
“Zun and Magnum are at the cloud workload level,” Jonathan Bryce, Executive Director of the OpenStack Foundation, told ServerWatch.
OpenStack Magnum is a project that enables container orchestration systems like Kubernetes to run as an OpenStack resource.
OpenStack Zun is an abstraction for container life-cycle management with a simple API across different container technologies.
Looking beyond Zun and Magnum is OpenStack’s Kolla project, which containerizes OpenStack services. In the OpenStack Queens release, there is also the new addition of LOCI (Lightweight Open Container Initiative).
Bryce explained that Kolla provides a complete packaging approach for each container image. In contrast, the new LOCI project takes an approach that is more aligned with the Kubernetes way of running an image, where the container itself is very small and the management sits outside of the container.
Going a level further is the new OpenStack-Helm project, which sits underneath the cloud to help orchestrate services. OpenStack-Helm brings the popular Helm Kubernetes package manager project to OpenStack.
Bryce explained that OpenStack-Helm provides a series of charts for different OpenStack services. As such, an organization first decides which services it wants to run in an OpenStack cloud, then executes the helm chart, which will start the services up in a Kubernetes cluster.
Container Isolation and Networking
Another container project within the OpenStack Foundation is the Kuryr networking effort. In the OpenStack Queens release, Kuryr has gained support for the Kubernetes Container Networking Interface (CNI).
Bryce explained that Kuryr has had the ability to talk to Docker’s libnetwork networking interface in a direct container networking stack and then connect back to the Neutron networking project in OpenStack. That model enabled a way to have containers attached to an enterprise networking stack with all the security monitoring and appliance capabilities of OpenStack.
Now, in the OpenStack Queens release, Bryce says Kuryr can connect with CNI, which provides a pod level rather than a container level of control.
“As Kubernetes may move containers around, restart or scale them, the Kuryr CNI daemon watches and configures Neutron to continue to secure those workloads running in the pod,” Bryce said.
Another container effort associated with OpenStack is Kata Containers, which provides a micro-virtual machine layer for containers. Kata Containers is an effort run by the OpenStack Foundation, though it is not an official OpenStack project.
“Kata is sort of the compute execution equivalent of Kuryr,” Bryce said.
Linking Kata Containers with Kuryr provides a high degree of isolation, according to Bryce. He explained that an organization can use Kuryr to manage the networking on the pods. Those pods can be further isolated and secured inside a Kata container.
“Kata and Kuryr create a strong container isolation story, and that’s exciting to see how the tools can interact in that way,” Bryce said.
OpenStack Container Services Efforts
|Magnum||Container Orchestration Engine Management|
|Zun||OpenStack Containers Service|
|Kolla||Containerized OpenStack Services|
|LOCI||Lightweight Open Container Initiative|
|OpenStack-Helm||Kubernetes Package Management|
|Kata Containers||Micro-Virtual Machines for Container Isolation|
Sean Michael Kerner is a senior editor at ServerWatch and InternetNews.com. Follow him on Twitter @TechJournalist.