[[day-one-building-containers]] = Contrail books :doctype: book :toc: manual :toc-placement: preamble :imagesdir: diagrams

• Day one: Contrail DPDK vrouter

• -- image::dpdk-book.png[] more details about dpdk vrouter book here: https://github.com/pinggit/dpdk-contrail-book[here]

• Day one: Building Containers Using Kubernetes and Contrail

• -- image::cover.front.png[]

  //image::cover.frontnback.png[]

== Day One: Building Containers Using Kubernetes and Contrail

This book details the long list of Juniper Contrail features that can enrich Kubernetes implementatons. Startng with the basic concepts of containers and moving through virtual networks and Contrail architecture, the authors review the basic foundaton and key components of Kubernetes, including several diferent Kubernetes features without Contrail integraton. But the core of the book is devoted to detailed labs and use cases of Contrail and Kubernetes together. Contrail can build and manage virtual networks that integrate containers, VMs, and bare metal servers of all types, so the authors focus on how to integrate a popular pair: Kubernetes and Contrail.

This book is available here:

• Download the most up-to-date version of this book from this repository:

  • pdf
  • html
  • kindle (mobi) and epub (new, since 03 Feb 2020)
  • adoc (online)

• PDF edition at:

  • http://www.juniper.net/dayone/[Juniper dayone]
  • https://www.juniper.net/documentation/en_US/day-one-books/day-one-containers-kubernetes-contrail.pdf[containers-kubernetes-contrail]
  • https://www.juniper.net/us/en/training/junos-genius/[Junos Genius App]

• Purchase the paper edition at:

  • Amazon: https://www.amazon.com/dp/1950960870
  • Vervante Corporation (http://www.vervante.com) in https://store.vervante.com/c/v/category_order.html?base_cat=Juniper%20Networks%3aShop%20Day%20One%20Books&pard=juniper[here]

• Applebook preview: https://books.apple.com/us/book/day-one-building-containers-with-kubernetes-and-contrail/id1487859822

Currently the book is also listed in:

• Juniper's https://www.juniper.net/us/en/[company main page]

image::page.junipermain.png[] //image::https://user-images.githubusercontent.com/2038044/74180429-7d60c080-4c0d-11ea-81ae-36fa593362ba.png[]

• the https://www.juniper.net/us/en/training/certification/certification-tracks/cloud-track?tab=jncie-cloud[JNCIE-cloud] certification page, as one of the "Additional Resources":

image::page.jnciecloud.png[] //image::https://user-images.githubusercontent.com/2038044/74180751-0a0b7e80-4c0e-11ea-9721-e426b30e75fd.png[]

== Key Juniper Contrail Resources

The Juniper TechLibrary has been supporting Contrail with its excellent documentation for years. The Contrail selection is thorough, and it’s kept up-to-date with the latest technologies and GUI changes. This book is no substitution for that body of information. The authors assume that you have some familiarity with Juniper Contrail documentation: https://www.juniper.net/documentation/product/en_US/contrail-networking/5.0

The authors keep a GitHub website at https://github.com/pinggit/kubernetes-contrail-day-one , where you can find the book’s content, all the YAML file source code used for the examples, figures, etc. Add com- ments, suggestions or questions regarding the book, too.”

== book content

=== topics

• Container technology and different Kubernetes features using YAML.
• Kubernetes integration with Contrail.
• Kubernetes network policy and Contrail firewall security.
• Configuring isolated Kubernetes Namespaces using Contrail.
• Configuring Floating IP in Contrail to provide container’s outside connectivity.
• Configuring load balancer and cluster IP services in Kubernetes using Contrail.
• Configuring different types of Kubernetes ingress using Contrail.
• Configuring and building multi-interfaces/multi-network containers using Contrail.
• Deploying Contrail service chaining using the Juniper cSRX in Kubernetes.

=== chapters

This book details the long list of Juniper Contrail features that can enrich Kubernetes implementations. It starts with the basics and builds from there to cover more complex setups. It’s structured as follows:

• Chapter 1: Provides a basic understanding of containers, virtual networks, and Contrail architecture.
• Chapter 2: Lays down the basic foundation and key components of Kubernetes.
• Chapter 3: Explains different Kubernetes features using labs and without any Contrail integration.
• Chapters 4 through 10: These chapters are the core of the book. They begin by explaining Contrail inte- gration with Kubernetes, then continue on to cover a number of detailed labs and use cases using Con- trail/Kubernetes.

=== detail TOC

Here is the structure of book content:

|Chapter 1: Foundation Principles . |Containers Overview . . |Understanding Containers . . |Juniper VSRX vs CSRX . . |Understanding Docker . |Contrail overview . . |Contrail Architecture Fundamentals . . |Contrail VRouter |Chapter 2: Kubernetes Basics . |What is kubernetes . |Kubernetes Architecture and Components . . |Kubernetes Master . . |Kubernetes Node . . |Kubernetes Work Flow . . |Kubernetes Objects . |Kubernetes Pod . . |YAML file . . |Pause Container . . |Intra Pod Communication . |Kubectl Tool |Chapter 3: Kubernetes in Practice . |Labels . |Namespace . . |what is Namespace . . |Create NS . . |Quota . |Replication Controller . . |Create RC . . |Evaluate RC . |ReplicaSet . |Deployment . . |Create Deployment . . |Deployment Work Flow . . |Rolling Update . . . |evalaute rolling update . . . |how it works . . . |record . . . |pause/resume/undo . |Secret . . |Opaque Secret . . . |define opaque secret . . . |refer opaque secret . . |DockerConfigJson secret . . . |docker credential data . . . |docker credential file (~/.docker/config.json) . . . |yaml file . . . |refer dockerconfigjson secret in pod: imagePullSecrets . . |Secret Benefits . |Service . . |ClusterIP Service . . . |create clusterIP service . . . |verify cluserIP service . . . |specify a clusterIP . . |NodePort Service . . |Loadbalancer Service . . . |externalIPs . . |Kube-Proxy . |Endpoints . |Ingress . . |Ingress vs Service . . |Ingress Object . . |Ingress Controller . . |Ingress Examples . . . |single service ingress . . . |simple fanout ingress . . . |virtual host ingress . . |Multiple Ingress Controllers . |contrail Network Policy (ch3) . . |network policy introduction . . |network policy definition . . . |selecting target pods . . . |policy types . . . |policy rules . . . . |network policy rules . . . . |AND vs OR . . . . |protocol and ports . . . . |line by line explanation . . |create network policy . |Liveness Probe and Readiness Probe . . |Liveness Probe . . |Readiness Probe . . |Probe Parameters . |Annotation |Chapter 4: Kubernetes and Contrail Integration . |Contrail-Kubernetes Architecture . . |Why Contrail with Kubernetes ? . . |Contrail-Kube-Manager . . |Kubernetes to Contrail Object Mapping . |Contrail Lab environment . . |Contrail Setup . . |Contrail Command . |Contrail Namespaces and Isolation . . |Non-Isolated NS . . |Isolated NS . . |Pods Communication across NS . |Contrail Floating IP . . |Overlay Internet Access . . |Floating IP and FIP Pool . . . |Create FIP Pool . . . |FIP Pool Scope . . . . |Object FIP Pool . . . . |NS FIP Pool . . . . |Global FIP pool . . |FIP for Pods . . |Advertising FIP . . |summarization |chapter 5: Contrail Services . |Kubernetes Service . |Contrail Service . . |Contrail Openstack Loadbalancer . . |Contrail Sevice Loadbalancer . . |Contrail Loadbalancer Objects . . . |Loadbalancer . . . |Listener . . . |Pool and Member . |Contrail ClusterIP Service . . |ClusterIP as FIP . . |ECMP Routing Table . . . |Control Node Perspective . . . |Compute Node Perspective . . |ClusterIP Service Workflow . . |Multiple Port Service . . |Contrail Flow Table . |Contrail Loadbalancer Service . . |External IP as FIP . . |Gateway Router VRF Table . . |Loadbalancer Service Workflow . . . |Verify Loadbalancer Service . . . |Loadbalancer Service ECMP . . . |Verify Loadbalancer Service ECMP |chapter 6: Contrail Ingress . |Contrail Ingress Loadbalancer . |Contrail Ingress Workflow . |Contrail Ingress Traffic Flow . |Single Service Ingress . . |Ingress Objects Definition . . . |Ingress Definition . . . |Backend service Definition . . . |Backend pod Definition . . . |An "all in one" Yaml File . . . |Deploy the Single Service Ingress . . |Ingress Post Examination . . . |Ingress Object . . . |Service Objects . . . |Backend and Client Pod . . . |Haproxy Processes . . . |Ingress Loadbalancer Objects . . . |haproxy.conf File . . . |Gateway Router VRF Table . . . |Ingress Verification: Internal . . . |Ingress Verification: External (Internet host) . |Simple Fanout Ingress . . |Ingress Objects Definition . . . |ingress Definition . . . |backend service definition . . . |backend pod definition . . . |deploy simple fanout Ingress . . |Ingress post examination . . . |ingress objects and ingress loadbalancer . . . |haproxy process and haproxy.cfg file . . |Ingress verification: from internal . . |Ingress verification: from external (Internet host) . |Virtual Hosting Ingress . . |Ingress objects definition . . . |ingress definition . . . |an "all in one" yaml file . . |Ingress post examination . . . |examine ingress objects . . . |exploring Ingress loadbalancer objects . . . |examine haproxy.conf file . . |Ingress verification: from internal . . |Ingress verification: from external (Internet host) . |Service vs Ingress Traffic Flow |chapter 7: Packet Flow in Contrail: End to End View . |Setup and Utils/Tools . |Packet Flow Analysis . . |Internet Host: Analyze HTTP Request . . |Internet Host to Gateway Router . . |Gateway router to Ingress Public FIP: MPLS over GRE . . |Ingress Public FIP to Ingress Pod IP: FIP(NAT) . . |Ingress Pod IP to Service IP: MPLS over UDP . . |Service IP to Backend Pod IP: FIP(NAT) . . |Backend Pod: Analyze HTTP Request . . |Return Traffic |chapter 8: Contrail Network Policy . |introducing Contrail Firewall . |contrail kubernetes Network Policy usage case . . |network design . . |lab preparation . . |traffic mode before kubernetes network policy creation . . |create kubernetes network policy . . |post kubernetes network policy creation . . . |ingress policy on webserver-dev . . . |egress policy on webserver-dev pod . . . |network policy on dbserver-dev pod . . . |egress policy on dbserver-dev . . . |the drop action in flow table . |contrail implementation details . . |construct mappings . . |Application Policy Set (APS) . . |policies . . . |contrail firewall policy naming convention . . . |the k8s-allowall and k8s-denyall firewall policy . . . |sequence number . . |firewall policy rules . . . |rules in k8s-dev-policy1 firewall policy . . . |rules in k8s-denyall firewall policy . . . |rules in k8s-allowall firewall policy . . |sequence number . . . |sequence number in firewall policies . . . |sequence number in firewall policy rules . . |tag . . |UI visualization |chapter 9: Contrail Multiple Interface Pod . |Contrail as a CNI . |NetworkAttachmentDefinition CRD . |Multiple Interface Pod |chapter 10: Contrail Service Chaining with CSRX . |Contrail Service Chaining Introduction . |Bringing Up Client and CSRX Pods . . |Create VNs . . |Create Client Pods . . |Create CSRX Pod . . |Verify podIP . . |Ping Test . . |Troubleshooting Ping Issue . |Service Chaining . . |Create Service Chaining . . |Verify Service Chaining . . |Security Policy |appendix . |contrail kubernetes setup installation . . |HW/SW prerequisites . . |3 nodes cluster only setup . . . |topology . . . |yaml template . . |deploy setup based on yaml file . . |verification

== Contrail Command

Contrail Command(CC) is the new user interface (UI) starting with Contrail 5.0.1. Throughout this book we use both the new CC and the old UI to demonstrate the lab studies. The publication date for this book is November 2019, so depending on when you are reading it, keep in mind that CC will soon be the only UI; the legacy one is slated to be discontinued at some time. Detailed information about CC is available from the Juniper documentation website, so we don’t elaborate on it here. To access CC use this URL in your web browser: https://Contrail-Command-Server-IP-Address:9091. The CC server can be the same as, or different from, the Kubernetes master server or the Contrail Controller node. In this book, we’ve installed them in same server. The functions and settings in CC are grouped in a main menu. This makes a great entry point where you can navigate through different Contrail functions. To get the CC main menu, click on the group name right next to the Contrail Command logo on the upper left corner of the UI.

.Contrail Command Main Menu image::https://user-images.githubusercontent.com/2038044/60282872-ed684380-98d5-11e9-92f7-e1df07c5fecf.png[]

Remember, our focus is not on CC but on giving you some basic insights into CC, which will be helpful to you as you build containers using Kubernetes.

== issues/suggestions/contributions

This book is free and is maintained as a "open source" project! you can find all text, diagrams, source code it refers in this GitHub repository:

• README.adoc : this file

• kubernetes-contrail-v1.pdf : version v1, this is the PFD available in all official channels. the TOC (Table of Content) has problems

• kubernetes-contrail-v1.1pdf : version v1.1, with corrections on TOC

• kubernetes-contrail-v1.mobi : for kindle

• kubernetes-contrail.pdf : original draft (before editor's editing), with original TOC

• kubernetes-contrail.html : original draft in html format, with a TOC panel on the right side, making it the same looking and feeling as the PDF, but much smaller.

• kubernetes-contrail.mobi : original draft in kindle format

• kubernetes-contrail.adoc : "source code" of the original "draft" of the whole book, the format in which we've writen/maintained.

• diagrams : all diagrams (except screenshots)

If you discover errors or omissions in the source code(yaml file, command line output, etc), documentation, or anything else, please don’t hesitate to submit an issue.

If you want to help by improving upon it, you can also fork the project, revise the content, then send a pull request. When the pull request is merged, the content will be updated automatically.

== copyright

2019 by Juniper Networks, Inc. All rights reserved. Juniper Networks and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo and the Junos logo, are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Published by Juniper Networks Books

== Authors

• Author: Ping Song, Ayman Aborabh,Yuvaraja Mariappan
• Editor in Chief: Patrick Ames
• Copyeditor: Nancy Koerbel
• Technical Reviewers: Yuvaraja Mariappan, Vincent Zhang
• ISBN: 978-1-941441-96-1
• Version History: v1, November. 2019

//// == book progress

• (2019-11-13) patrick returns the final edit, the book is DONE!
• (2019-10-29) Patrick send his edit to Nancy(5th edit)
• (2019-10-28) submit update (3rd update)
• (2019-10-28) patrick returns his edit(4th edit)
• (2019-10-21) submit update to 3rd edit (2nd update)
• (2019-10-14) Nancy returns her edit (3nd edit)
• (2019-10-03) patrick sent his edit to our first update to Nancy (2nd edit)
• (2019-10-01) submitted rewritten network policy chapter 8
• (2019-09-23) submitted rough version of network policy chapter 8
• (2019-09-20) submitted update to first edit (first update)
• (2019-09-07) patrick's edit to first draft returns (first edit)
• (2019-09-04) submitted first draft: chapter 4 (splitted into 6 chapters latter)
• (2019-08-26) submitted first draft: chapter 1 ~ 3
• (2019-06-30) main part of the book is done, start updating/extending/reviewing
• (2019-06-01) yuvaraja starts to co-author formally
• (2019-05-31) adjusted the book content plan
• (2019-05-28) tested csrx service chaining feature
• (2019-05-24) local setup built, tested multi intf pod and csrx
• (2019-05-05) ch1, ch2 done, starting ch3
• (2019-04-13) book project started, this repository is built
• (2019-04-10) ayman starts to co-author
• (2019-03-15) ping started the idea of this book with patrick ////

////

• (2019-11-13) patrick releases the final pdf
• (2019-10-29) Patrick send his edit to Nancy(5th edit)
• (2019-10-28) submit update (3rd update)
• (2019-10-28) patrick returns his edit(4th edit)
• (2019-10-21) submit final edit, patrick to merge all the changes
• (2019-10-14) Nancy returns her edit (3nd edit)
• (2019-10-03) patrick send his edit to our first update to Nancy (2nd edit)
• (2019-10-01) submitted network policy chapter 8 after rewritten
• (2019-09-23) submitted rough version of network policy chapter 8
• (2019-09-20) submitted update to patrick's first edit (first update)
• (2019-09-07) patrick returns his edit to first draft (first edit)
• (2019-09-04) submitted first draft: chapter 4 (splitted into 6 chapters latter)
• (2019-08-26) submitted first draft: chapter 1 ~ 3
• (2019-06-30) main part of the book is done, start updating/extending/reviewing
• (2019-06-01) yuvaraja start to co-author formally
• (2019-05-31) adjusted the book content plan
• (2019-05-28) tested csrx service chaining feature
• (2019-05-24) local setup built, tested multi intf pod and csrx
• (2019-05-05) ch1, ch2 done, starting ch3
• (2019-04-13) book project started, this repository is built
• (2019-04-10) ayman start to co-author
• (2019-03-15) ping started the idea of this book with patrick ////

////

• (2019-04-27) ping updated ch2: starting pod building example
• (2019-04-22) ayman uploaded 'docker.docx' of chapter 1
• (2019-04-20) ping kicked off ch2
• (2019-04-17) ayman uploaded 'containers' of chapter 1 ////

== known issues

=== diff between pdf version and adoc/html version

This book was originally written in adoc format, which is github version control friendly. with this format it went through many changes via git commit/PR flow during the writing process. However, some final modifications (mostly minor though) between authors and reviewer/editors are through an "offline" process (in MS-word and adobe-PDF format), and hence have not get cought by the adoc source and github yet. In another word, those last changes are in PDF format only (at of now) and has not been merged into adoc/html format yet.

=== PDF book TOC problem

the TOC of original book PDF (Containers_Kubernetes_Contrail.pdf) has some problem.

for example chapter 6 cuently shows:

|chapter 6: Contrail Ingress . |Contrail Ingress Workflow . |Contrail Ingress Traffic Flow

but it should look like:

|chapter 6: Contrail Ingress . |Contrail Ingress Loadbalancer . |Contrail Ingress Workflow . |Contrail Ingress Traffic Flow . |Single Service Ingress . . |Ingress Objects Definition . . . |Ingress Definition . . . |Backend service Definition . . . |Backend pod Definition . . . |An "all in one" Yaml File . . . |Deploy the Single Service Ingress . . |Ingress Post Examination . . . |Ingress Object . . . |Service Objects . . . |Backend and Client Pod . . . |Haproxy Processes . . . |Ingress Loadbalancer Objects . . . |haproxy.conf File . . . |Gateway Router VRF Table . . . |Ingress Verification: Internal . . . |Ingress Verification: External (Internet host) . |Simple Fanout Ingress . . |Ingress Objects Definition . . . |ingress Definition . . . |backend service definition . . . |backend pod definition . . . |deploy simple fanout Ingress . . |Ingress post examination . . . |ingress objects and ingress loadbalancer . . . |haproxy process and haproxy.cfg file . . |Ingress verification: from internal . . |Ingress verification: from external (Internet host) . |Virtual Hosting Ingress . . |Ingress objects definition . . . |ingress definition . . . |an "all in one" yaml file . . |Ingress post examination . . . |examine ingress objects . . . |exploring Ingress loadbalancer objects . . . |examine haproxy.conf file . . |Ingress verification: from internal . . |Ingress verification: from external (Internet host) . |Service vs Ingress Traffic Flow

I may find some time to fix it and post a new one. before that, if this is a problem for you, read these files:

• pdf kubernetes-contrail-v1.1.pdf (some corrections to PDF bookmarks only)
• adoc kubernetes-contrail.adoc
• html kubernetes-contrail.html

////

= short intro

book: "Building Containers Using Kubernetes and Contrail"

• github: https://github.com/pinggit/kubernetes-contrail-day-one
• Amazon: https://www.amazon.com/dp/1950960870
• applebook: https://books.apple.com/us/book/day-one-building-containers-with-kubernetes-and-contrail/id1487859822
• Juniper site: https://www.juniper.net/uk/en/training/jnbooks/day-one/building-containers-kubernetes-contrail/
• Juniper app: https://www.juniper.net/us/en/training/junos-genius/

topics:

• Container technology and different Kubernetes features using YAML.
• Kubernetes integration with Contrail.
• Kubernetes network policy and Contrail firewall security.
• Configuring isolated Kubernetes Namespaces using Contrail.
• Configuring Floating IP in Contrail to provide container’s outside connectivity.
• Configuring load balancer and cluster IP services in Kubernetes using Contrail.
• Configuring different types of Kubernetes ingress using Contrail.
• Configuring and building multi-interfaces/multi-network containers using Contrail.
• Deploying Contrail service chaining using the Juniper cSRX in Kubernetes.

////