Review: VMware vSphere gets much-needed facelift

vSphere 6.5 is easy to install, sports a new VM management console, and takes a stab at Docker integration


The VMware-Docker implementation is an interesting model, where vSphere is the container host, not Linux. Containers are technically deployed as VMs, but not in VMs. Each container is isolated from the host and from other containers. TLS (with auto-generated and CA-chained security authentication certificates) can protect communications, but networking is somewhat limited at this time.

This means that vSphere is the infrastructure so that you can use its networks, its datastores, etc. You don’t need to run a separate Linux VM that will be the Docker host (however, you will want another host that has Docker tools installed in order to remotely run Docker commands on the virtual container hosts).

Integrated Containers uses a concept of a Virtual Container Host (VCH) accessed by an app binary that installs on Mac, Windows, and Linux. The Docker container pull (getting a workload from a Docker repository) lands on ESXi, and is contained by PhotonOS as an intermediary.

As an example, we created a VCH under Linux by running:

./vic-machine-linux create --target 10.0.100.243 --user 'Administrator@vsphere.local' \
          --compute-resource extremeCluster --bridge-network vic-bridge --image-store iSCSI \
          --volume-store iSCSI:container --no-tlsverify --force --name containers \
          --public-network-ip 10.0.100.112 --public-network-gateway 10.0.100.71/16

We had three networks available to communicate, private, management, and public, each with specific port groups (virtual plug jacks).

At this point in testing, we found a new and frustrating pet peeve: we needed to have Port 2377/tcp outbound open (which is not in the built-in ESXi firewall ports), and this rule has to be manually added every time you reboot an ESXi host, because manual firewall rulesets are not persistent for some unknown reason. Creating a ruleset is supposedly supported (see for more information).

Containers are launched in a minimal PhotonOS VM. There are some caveats we found while running Docker on newer machines. The Docker API version in the vSphere integration is 1.23, and most of the newer versions of Docker run version 1.24. This causes an error when trying to connect. We had to run export DOCKER_API_VERSION=1.23 to enable a connection.

To run an nginx container on Port 1080, we used the following command:

docker --tls -H $DOCKER_HOST run -d -p 1080:80 --name mynginx nginx

DOCKER_HOST is the IP address and port of the VCH (by default 2376).
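The TLS-related flags in the two commands above deserve a second look before they are reused outside a lab. The following is an added example, not code from the article or from VMware: a small shell helper (audit_cmd is a hypothetical name) that flags them, where the thumbprint value and the DOCKER_HOST default are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the article): flag review for the two commands above.
# audit_cmd is a hypothetical helper; it prints one WARN line per finding.
audit_cmd() {
  tool=$1; shift
  force=0; thumb=0; noverify=0; tls=0; verify=0
  for arg in "$@"; do
    case $arg in
      --force)                     force=1 ;;
      --thumbprint|--thumbprint=*) thumb=1 ;;
      --no-tlsverify)              noverify=1 ;;
      --tls)                       tls=1 ;;
      --tlsverify)                 verify=1 ;;
    esac
  done
  case $tool in
    vic-machine*)
      if [ "$noverify" -eq 1 ]; then
        echo "WARN --no-tlsverify: VCH Docker endpoint will not require client certificates"
      fi
      if [ "$force" -eq 1 ] && [ "$thumb" -eq 0 ]; then
        echo "WARN --force without --thumbprint: target certificate is not checked"
      fi ;;
    docker)
      if [ "$tls" -eq 1 ] && [ "$verify" -eq 0 ]; then
        echo "WARN --tls without --tlsverify: traffic is encrypted but the VCH certificate is not verified"
      fi ;;
  esac
  return 0
}

# Flags as used in the article (nothing is executed, the arguments are only inspected).
audit_cmd vic-machine-linux create --target 10.0.100.243 \
  --user 'Administrator@vsphere.local' --no-tlsverify --force --name containers
audit_cmd docker --tls -H "${DOCKER_HOST:-10.0.100.112:2376}" run -d -p 1080:80 --name mynginx nginx

# Constructed comparison: thumbprint pinned, client verification left on.
# The thumbprint value is a placeholder, not a real fingerprint.
audit_cmd vic-machine-linux create --target 10.0.100.243 \
  --user 'Administrator@vsphere.local' --thumbprint 'PLACEHOLDER-THUMBPRINT' --name containers
audit_cmd docker --tlsverify -H "${DOCKER_HOST:-10.0.100.112:2376}" run -d -p 1080:80 --name mynginx nginx
```

The first two calls print three warnings in total; the constructed comparison prints none.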

There is also an “enterprise-class” container registry server called Harbor which can be an appliance deployed into your vSphere infrastructure. It can be used to store and distribute Docker images but with more of an enterprise mindset. It focuses on security, identity and management.

And if desired, you can just run instances of Red Hat, CentOS, Ubuntu, even Windows for Docker, along with control planes and security constructs used as before, inside these operating systems and away from the VCH.

Overall

This update to 6.0 has some profound changes in it that many admins will enjoy. There’s even something for the experimenters who want to leverage an existing VMware infrastructure for Docker container rollouts, although there isn’t full functionality available just yet, especially in networking.

How we tested

We used HP ProLiant DL560 Gen8 and DL580 Gen9 and a Lenovo ThinkServer RD630 in a vSphere cluster. The two HPs were upgraded to 6.5 and the Lenovo was a fresh install. We also tried to use an older HP DL585 G5 but we were unable to upgrade it to 6.5 (because of unsupported devices). We used an older Dell (formerly Compellent) SAN for our iSCSI needs. For vCenter backup and recovery, we used an Ubuntu 16.04 VM with an ssh server to use with scp. For integrated containers, we used separate Linux VM/MacOS laptops to run remote Docker commands and create the VCHs on the cluster.

This story, "Review: VMware vSphere gets much-needed facelift" was originally published by Network World.

Copyright © 2017 IDG Communications, Inc.
