A flood of transient containers brings challenges to network visibility and security

By Jeff Enters


Originally published on July 21, 2020, on Hewlett Packard Enterprise’s Enterprise.nxt, publishing insights about the future of technology.


Portability and the short lifecycle of containers can overwhelm the traditional networking stack. How can you adapt?


Container-based microservices are increasingly the architecture of choice for enterprise applications. Services running in containers are highly interconnected and also connected with distributed backing data services. Networking, therefore, is a critical component in the container ecosystem. However, due to its dynamic and highly scalable nature, container architectures present considerable challenges to enterprise data center networks.


These challenges are centered around visibility and control. While there were visibility and control challenges in the earlier shift from physical hardware to virtual hardware (virtual machines), with containers, this is magnified. One issue is that the sheer number of containers is far greater than the number of VMs. Whereas a single application might run on a single VM or be load balanced between VMs, a multitude of containers run a small number of microservices each. Containers have amplified visibility and control challenges that appeared during the early days of VM sprawl, when the number of VMs under management increased to the point where they could not be managed effectively.


The other major challenge is integration between the various platforms and frameworks required to run a containerized production environment. It’s not trivial to gain visibility into and control of application data flows across the entire DevOps process and its myriad tools, such as Docker Hub, Kubernetes, Jenkins, and dozens of specialized tools. Add public cloud into the mix, and it’s easy to see that security, visibility, and control become challenging on networks powering containerized workloads.


There are no rock-solid solutions yet to the problems brought on by the revolutionary nature of container-based applications. It’s also difficult to make specific recommendations for such a varied and rapidly changing combination of technologies. The best approach is to be informed about typical challenges and best practices while staying alert for new solutions.



Application architectures present network visibility and control challenges

While recent attention in enterprise IT has been focused on the shift to containers and the code running in containers, there is a lot of complexity involved beneath the container, which IT leaders need to take into consideration when planning large-scale container deployments. Applications designed as microservices communicate differently and may place different loads and traffic patterns on the network. One major consideration is the shift of traffic to east-west, as containers move around and converse with one another within a data center, as opposed to north-south, where many clients accessed a single cluster of data center resources.


Today’s data center traffic is very different from that of pre-container days. The emphasis on pooled cloud resources means that most data centers include physical infrastructure (servers, storage, and network); at least one layer of software-defined infrastructure; and a mix of dedicated servers, virtual servers, and containers, with the latter two moving dynamically across physical locations as they execute.


Just as VM sprawl changed how data center networks were designed, provisioned, managed, and secured, container architectures introduce new challenges. The most immediate of these challenges is that the sheer number of containers is far greater than the number of VMs.


Research from IDC indicates that average VM densities started at two to three and have increased to just above 10 per server. According to Datadog research, the companies that adopt Docker run a median of eight containers simultaneously on each host, while 25 percent of companies run 18 and the top 1 percent run 40 or more. When you take into consideration that some of the top enterprise Docker container adopters are running more than 1,000 hosts, it’s easy to see the magnitude of the problem.


As VM adoption soared, so did the challenges created by VM sprawl, and we can expect to see a similar relationship between containers and container sprawl.


Another consideration beyond the sheer number of containers is the speed with which they go up and down. According to a Datadog survey on Docker adoption, containers churn nine times faster than VMs, resulting in an average life span of 2.5 days versus the 23-day average of VMs. How does a data center operations team gain visibility and control into a rapidly and constantly changing environment that can be between five and 20 times the scale of anything they’ve previously seen?



Top of rack is not the place to gain visibility into this environment. Even in virtualized environments, we had grown to the point where top-of-rack-level physical network management fell short, and we had to add virtual integrations to provide required levels of visibility and control. Security, of course, is as much of a consideration in containerized environments, yet the nature of the containerized environment presents enormous challenges. Even things as basic as visibility and control present significant challenges in containerized environments. In the event of a data breach, the problem of finding and isolating the bad actor becomes much harder, as the exploited container may have existed for only an instant or may be bouncing around the data center.


The shift to containerized workloads brings greater complexity to network operations and troubleshooting now that these disciplines must span physical and software-defined infrastructure. Adding to this complexity is the way software-defined infrastructure spans multiple open source platforms such as Docker Hub and Kubernetes. For example, how do you now troubleshoot slow application performance from a network perspective across these multiple platforms? Could the container be compromised? How long would it take your network or security team to track down exactly where that container is executing and where it resides, and to understand how it is communicating with everything else in your data center?


You could always go straight into Kubernetes and destroy the container. You might think you’re safe now, but at some point, that container may have opened a connection to a database. How do you know that the database isn’t compromised? And how are you going to figure out what it may or may not have compromised while it is hopping from Kubernetes node to node because it keeps getting destroyed? How can you audit traffic and isolate potential evil actors across a pool of containers running on a pool of nodes being dynamically assigned IP addresses?

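Attributing a flow to the right container when pod IPs are recycled is the core of the audit problem described above. The following is an added example, not code from the original article: it joins constructed orchestrator lease records (pod, node, IP, lifetime) to constructed flow-log lines by IP and time window, so the database connections of an already-destroyed container can still be traced, and flows that no lease explains are surfaced for investigation.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class PodLease:
    """One pod's ownership of an IP: [start, end). end=None means still running."""
    pod: str
    node: str
    ip: str
    start: datetime
    end: Optional[datetime]

# Constructed sample: two short-lived pods reuse 10.244.1.7 on different nodes,
# while the database pod keeps a stable address.
LEASES = [
    PodLease("api-7f9c-abc12", "node-a", "10.244.1.7", datetime(2020, 7, 21, 10, 0), datetime(2020, 7, 21, 10, 40)),
    PodLease("batch-5d4-zz9", "node-b", "10.244.1.7", datetime(2020, 7, 21, 10, 45), None),
    PodLease("db-0", "node-c", "10.244.2.3", datetime(2020, 7, 1, 0, 0), None),
]

# Constructed flow-log lines: "<ISO time> <src ip> <dst ip> <dst port>"
FLOWS = """\
2020-07-21T10:05:00 10.244.1.7 10.244.2.3 5432
2020-07-21T10:42:00 10.244.1.7 10.244.2.3 5432
2020-07-21T10:50:00 10.244.1.7 10.244.2.3 5432
2020-07-21T11:00:00 10.244.9.9 10.244.2.3 5432
"""

def pod_for(ip: str, at: datetime, leases=LEASES) -> Optional[PodLease]:
    """Return the lease that owned `ip` at instant `at`, or None if no record covers it."""
    for lease in leases:
        if lease.ip == ip and lease.start <= at and (lease.end is None or at < lease.end):
            return lease
    return None

def attribute_flows(flow_text: str, leases=LEASES) -> list:
    """Tag every flow with the pods holding its source and destination IPs at that time."""
    rows = []
    for line in flow_text.splitlines():
        ts, src, dst, port = line.split()
        at = datetime.fromisoformat(ts)
        s, d = pod_for(src, at, leases), pod_for(dst, at, leases)
        rows.append({"time": ts, "src_ip": src, "src_pod": s.pod if s else None,
                     "src_node": s.node if s else None,
                     "dst_pod": d.pod if d else None, "port": int(port)})
    return rows

def peers_of(pod_name: str, flow_text: str, leases=LEASES) -> list:
    """Backends a (possibly already destroyed) pod talked to during its lifetime."""
    return sorted({(r["dst_pod"], r["port"]) for r in attribute_flows(flow_text, leases)
                   if r["src_pod"] == pod_name})

def unattributed(flow_text: str, leases=LEASES) -> list:
    """Flows whose source IP no lease explains: a record gap or traffic worth a closer look."""
    return [r for r in attribute_flows(flow_text, leases) if r["src_pod"] is None]
```

The 10:42 flow falls between two leases of the same IP and so is attributed to neither pod; an IP that no orchestrator record covers at that instant is exactly the case that deserves investigation rather than a guess.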

Self-service DevOps and network security

The challenges presented to network planning, management, troubleshooting, and security by container-based microservices are only one piece of the puzzle. Two core elements of the DevOps process―developer self-service and automation, particularly continuous integration/continuous deployment (CI/CD)―stand in stark contrast to typical enterprise network and security practices that tend to emphasize control over agility. Believe it or not, many enterprises have found that developers place greater importance on meeting DevOps schedules than they do on adhering to security policy. Who knew?


Core to the DevOps and container movement is the idea that developers (and container orchestration platforms like Kubernetes) can quickly and easily provision a container, spin it up very quickly, spin it down even faster, and move it around the data center based on load. At the same time that containers need to be able to communicate across networks, they also need to be secured, and traffic from different workloads may need to be isolated. At the very least, sensitive workloads must be isolated across layers―for example, within Kubernetes and the switching fabric. Even then, the possibility of a compromise spreading east-west within the same zone still exists.


No matter how you look at it, containers and DevOps require a more fluid environment, and this magnifies the risk to enterprise data center networks and the data they contain.


Recommendations

While there is no cure-all for the impact containers will have on your enterprise data center network, a few tools and practices can help.


A DDI (DNS, DHCP, and IPAM) platform can be a valuable tool to manage the dynamic aspects of the network. DDI tools provide immediate visibility and deeper historical analysis of the dynamic network config that’s needed to support automation in a container-based environment. DDI gives network and security staff a way to verify that these core network functions are configured correctly and applied consistently across multiple environments and platforms.


Beyond provisioning, a DDI solution provides correlated visibility and heuristics not possible with traditional and disaggregated methods. Network visibility and logging is such an important need that these DDI solutions can include data visualization and AI-driven automated discovery processes to quickly help make sense of dynamic network configurations at scale.


Integration between network quality of service and software-defined QoS, such as that provided by Kubernetes and Docker, is essential for end-to-end QoS. Be aware that inconsistent configuration could lead multiple teams on a wild goose chase investigating poor application performance. This could force your DevOps teams to take matters into their own hands.


Keep in mind that planning goes beyond network and security design to include processes. Shifting workloads to containers means that network, server, and applications teams may have shifting responsibilities and shifting demarcation points.


Make sure you have control and visibility at each step of your journey toward container-based microservices, adjusting processes to integrate with this new approach, and you’ll get a fighting chance of securing multiple highly dynamic environments.


Engage HPE Pointnext Services for help in identifying a solution that fits your needs and container environment, based on our experience and key multi-vendor partnerships. One example of how we can fast-path a solution for you is with our container-specific Security Reference Architectures (SRAs), which are based on the HPE P5 model and HPE Enterprise Security Reference Model.


Containers and networking: Quick takes

  • Because containers are dynamic and highly scalable, they introduce significant challenges to enterprise data center networks in terms of visibility and control.
  • Tools such as a DDI platform can help manage dynamic network configuration, including data visualization and AI-based automated discovery.
  • Beyond network and security design, focus on processes, as the responsibilities of network, server, and applications teams will likely shift.


This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.


Translated from: https://medium.com/enterprise-nxt/adapting-to-the-flood-of-transient-containers-a57d63d8fd68
