Canal brings fine-grained policy to DC/OS and Apache Mesos via CNI

When we launched Canal at CoreOS Fest last month, we indicated that this was the start of something bigger than just the constituent projects (Calico and Flannel). Today, at Mesoscon, we unveiled another big step forward for Canal – support for Apache Mesos, bringing fine-grained network policy to the Mesos and DC/OS communities.

Didn’t Calico already support Apache Mesos and DC/OS?

Well, yes we did! (See demos here and here, for example). In fact, Calico was the first networking solution to implement the “IP per container” model. But we did so through the net-modules interface, which was specific to that platform. That means that the work we did on Canal, to combine Calico and Flannel via the Container Network Interface (CNI) that is used by Kubernetes, would not translate to Apache Mesos and DC/OS.

That is why we were excited to work with the team that has taken the CNI specification and implemented it for Apache Mesos. A huge shout-out here to the development team behind this leap forward, including Avinash Sridharan, Jie Yu and Qian Zhang, who are speaking today at Mesoscon about their work.

Why should I care about this?

First, an ever-growing community is now embracing CNI as the de facto standard interface for cloud-native networking, and all the goodness of Canal (dynamic, fine-grained policy with the broadest choice of connectivity options) is now available to an even wider group of users. The consensus and momentum behind a simple, secure model for cloud-native networking is growing, and we’re proud to be part of this movement!

Second, it means that, as a Mesos or DC/OS user, you now have access to the powerful network policy capabilities developed in the Kubernetes community (see the Kubernetes Networking SIG blog post on this topic). Simply apply labels to tasks when launching them via Marathon, define the policies that apply to those labels (in the same way as you would with the new Kubernetes API – but passing them into Calico rather than Kubernetes), and sit back and watch Calico automagically maintain dynamic, distributed firewalls around every task. It’s that simple!
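
The label-and-policy model described above, as an added example that is not Calico's or Marathon's own code or policy format: a simplified Python model in which the class names, fields, labels and addresses are all assumptions made for illustration. It shows how per-task ingress rules are derived from labels, so launching another labeled task changes the rules without any policy edit.

```python
# Simplified model of label-based ingress policy (illustration, not Calico's format).
from dataclasses import dataclass

@dataclass(frozen=True)
class Task:
    name: str
    ip: str
    labels: tuple  # (("role", "frontend"), ...) as applied when the task is launched

@dataclass(frozen=True)
class Policy:
    applies_to: dict  # labels selecting the tasks this policy protects
    allow_from: dict  # labels a source task must carry to be admitted
    port: int

def matches(task, selector):
    """A task matches when it carries every key/value pair in the selector."""
    labels = dict(task.labels)
    return all(labels.get(k) == v for k, v in selector.items())

def ingress_rules(tasks, policies):
    """Return {task name: sorted [(source ip, port)]} for every policy-selected task.

    Assumed semantics: a selected task accepts only the listed sources; tasks that
    no policy selects are absent from the result (the model leaves them unrestricted).
    """
    rules = {}
    for policy in policies:
        for dst in (t for t in tasks if matches(t, policy.applies_to)):
            allowed = rules.setdefault(dst.name, set())
            for src in tasks:
                if src is not dst and matches(src, policy.allow_from):
                    allowed.add((src.ip, policy.port))
    return {name: sorted(sources) for name, sources in rules.items()}

# Constructed sample data: names, addresses and labels are made up.
TASKS = [
    Task("web-1", "10.0.0.11", (("role", "frontend"),)),
    Task("db-1", "10.0.0.21", (("role", "database"),)),
    Task("batch-1", "10.0.0.31", (("role", "batch"),)),
]
POLICIES = [Policy({"role": "database"}, {"role": "frontend"}, 5432)]

if __name__ == "__main__":
    print(ingress_rules(TASKS, POLICIES))
    # A second frontend task widens the database's allow-list with no policy change.
    scaled = TASKS + [Task("web-2", "10.0.0.12", (("role", "frontend"),))]
    print(ingress_rules(scaled, POLICIES))
```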

Awesome. When can I get it?

Support for CNI (and hence for Canal and Calico via CNI) will be generally available along with the upcoming Apache Mesos 1.0 release.

As always, there is still work to do – including integration with workloads running under Docker Engine (today just the Unified Containerizer is supported) and the Marathon UI for seamless operation in DC/OS – but we are excited at this milestone and hope you will be too. We look forward to hearing your thoughts over on Slack (get an invite if you’re not already a member) – we have a dedicated #Mesos channel for discussions of all things Apache Mesos and DC/OS related.

What about Docker?

If you’re wondering about CNI support for Docker, check out this proof of concept we worked on with our friends over at Weaveworks! And for those of you who are using our libnetwork integration – don’t worry, Calico will continue to support that. While we’re excited about the momentum behind CNI, we don’t believe there will ever be just one way of doing things – and we’re committed to our mission of bringing simple, secure networking to all the major cloud platforms.
