vSphere Integrated Containers

VMware VIC (vSphere Integrated Containers) is an elegant way to run container workloads alongside with regular VMs in your datacenter. You’ll get best of both worlds. Developers can use container tools as usual but with added high availability and flexibility of a vSphere cluster.

I’m going to give a little primer on VMware Integrated Containers (VIC) and how to use them.

Getting started

Create distributed portgroups on a vDS that we will use for containers. We need a public dPG and a bridge dPG.
Create a VIC user to interact with vCenter. For example a standard domain user who gets permissions on vCenter to deploy and delete VMs. This user will be granted permissions to vCenter later during setup.

Deployment and configuration

Deploy OVA to your vSphere cluster, define root password and enter basic network settings. Separate DNS servers with spaces (!). Review settings and hit “finish”.

Power on the appliance, open a remote console window and wait until boot procedure has finished. Open browser to:

https://<vic-appliance-IP>:9443

Link with vCenter

Now VIC appliance has to be linked with vCenter.

Make sure to install vCenter plugin (UI plugin). Beginning with version 1.4.3 the plugin will be installed automatically.

Click continue

Now we’re finished with basic setup.

To make the vCenter plugin work you need to logout of your vSphere-Client or Web-Client. Sometimes it is neccesary to logout/login twice. After successful installation of the plugin you’ll see a new icon in the main menu.

Now it’s time to download the VIC engine bundle. No worries, you’ll see the instruction within your VIC appliance landingpage. Just open:

https://<vic>:9443

Download and unpack the engine bundle to a path of your choice. Better use a short one like c:\vic.

Obtain certificate thumbprint of vcsa

We need to make some firewall adjustments to ESX hosts. We’ll do it on the bash shell of vCenter. Therefore we first have to enable SSH and bash on VCSA.

Set bash timeout to 15 minutes.

openssl x509 -in /etc/vmware-vpx/ssl/rui.crt -fingerprint -sha1 -noout

Copy fingerprint into an editor.

On the computer you’ve nstalled deployment tools before, change to your VIC directory.

cd c:\vic

Edit the following command to match your infrastructure.

vic-machine-windows update firewall
--target vcenter_server_address/datacenter
--user "Administrator@vsphere.local"
--password vcenter_server_password
--compute-resource cluster_name
--thumbprint thumbprint 
--allow

Adjust vCenter address, datacenter name, password, cluster name, thumbprint.

vic-machine-windows update firewall --target myvcenter.domain.org/myDC --user "Administrator@vsphere.local" --password mySecretPassword --compute-resource Cluster1 --thumbprint B7:6E:FB:78:0D:EF:57:25:F0:8F:5A:F4:27:DB:3C:AA:AA:AA:AA:AA --allow

This command will open firewall ports for VIC on ESX hosts.

Firewall adjustment successful.

Create Networks

Prepare vDS for Private VLAN

promiscuous VLAN 50
Community VLAN 501 as bridge

Generate Virtual Container Host from vSphere Client

To run containes on our cluster we first have to deploy a Virtual Container Host. Open vSphere-Client or Web-Client and select “vSphere Integrated Containers” from the main menu. Select “Virtual Container Hosts” and click “New Virtual Container Host”.

Enter a name for the new Container Host

Seect a cluster and make adjustments to resources (optional).

Select a datastore for VCH.

Configure networks. I’ve created two dPG for public and bridge networks.

Managing certificates for Docker clients.

Limit access to registries (optional).

Define vSphere User. Permissions will be granted automatically.

Check summary. The wizard builds a CLI command for you. Choose the operation system of your tools installation. You can copy the command into an editor and execute it in the CLI if you like.

Once your VCH is deployed you’ll see a new object in your cluster.

All containers you deploy now will be listed below your new VCH object.