VMware VIC (vSphere Integrated Containers) is an elegant way to run container workloads alongside with regular VMs in your datacenter. You’ll get best of both worlds. Developers can use container tools as usual but with added high availability and flexibility of a vSphere cluster.
I’m going to give a little primer on VMware Integrated Containers (VIC) and how to use them.
- VMware vSphere Integrated Containers product page
- vSphere Integrated Containers Documentation
- Container primer on Wikipedia
- Create distributed portgroups on a vDS that we will use for containers. We need a public dPG and a bridge dPG.
- Create a VIC user to interact with vCenter. For example a standard domain user who gets permissions on vCenter to deploy and delete VMs. This user will be granted permissions to vCenter later during setup.
Login to VMware.com and download vSphere Integrated Containers appliance.
Deployment and configuration
Deploy OVA to your vSphere cluster, define root password and enter basic network settings. Separate DNS servers with spaces (!). Review settings and hit “finish”.
Power on the appliance, open a remote console window and wait until boot procedure has finished. Open browser to:
Link with vCenter
Now VIC appliance has to be linked with vCenter.
Make sure to install vCenter plugin (UI plugin). Beginning with version 1.4.3 the plugin will be installed automatically.
Now we’re finished with basic setup.
To make the vCenter plugin work you need to logout of your vSphere-Client or Web-Client. Sometimes it is neccesary to logout/login twice. After successful installation of the plugin you’ll see a new icon in the main menu.
Now it’s time to download the VIC engine bundle. No worries, you’ll see the instruction within your VIC appliance landingpage. Just open:
Download and unpack the engine bundle to a path of your choice. Better use a short one like c:\vic.
Obtain certificate thumbprint of vcsa
We need to make some firewall adjustments to ESX hosts. We’ll do it on the bash shell of vCenter. Therefore we first have to enable SSH and bash on VCSA.
Set bash timeout to 15 minutes.
Login to vcsa via SSH as root.
openssl x509 -in /etc/vmware-vpx/ssl/rui.crt -fingerprint -sha1 -noout
Copy fingerprint into an editor.
On the computer you’ve nstalled deployment tools before, change to your VIC directory.
Edit the following command to match your infrastructure.
vic-machine-windows update firewall --target vcenter_server_address/datacenter --user "Administrator@vsphere.local" --password vcenter_server_password --compute-resource cluster_name --thumbprint thumbprint --allow
Adjust vCenter address, datacenter name, password, cluster name, thumbprint.
vic-machine-windows update firewall --target myvcenter.domain.org/myDC --user "Administrator@vsphere.local" --password mySecretPassword --compute-resource Cluster1 --thumbprint B7:6E:FB:78:0D:EF:57:25:F0:8F:5A:F4:27:DB:3C:AA:AA:AA:AA:AA --allow
This command will open firewall ports for VIC on ESX hosts.
Firewall adjustment successful.
Prepare vDS for Private VLAN
- promiscuous VLAN 50
- Community VLAN 501 as bridge
Generate Virtual Container Host from vSphere Client
To run containes on our cluster we first have to deploy a Virtual Container Host. Open vSphere-Client or Web-Client and select “vSphere Integrated Containers” from the main menu. Select “Virtual Container Hosts” and click “New Virtual Container Host”.
Enter a name for the new Container Host
Seect a cluster and make adjustments to resources (optional).
Select a datastore for VCH.
Configure networks. I’ve created two dPG for public and bridge networks.
Managing certificates for Docker clients.
Limit access to registries (optional).
Define vSphere User. Permissions will be granted automatically.
Check summary. The wizard builds a CLI command for you. Choose the operation system of your tools installation. You can copy the command into an editor and execute it in the CLI if you like.
Once your VCH is deployed you’ll see a new object in your cluster.
All containers you deploy now will be listed below your new VCH object.