VMware vSphere Integrated Containers is made up of 3 components: the vSphere Integrated Containers Engine, Harbor and Admiral. All three are open source projects available on GitHub.
This is going to be one of many posts I plan to write in the vSphere Integrated Containers series. In this post we will look at what the components of vSphere Integrated Containers are, and at the basics of how networking and storage are implemented.
Let us first understand the three components with just the definitions and we will dive deep into them as the post progresses. This is going to be a long post, so stay with me!
The three components of vSphere Integrated Containers are:
- vSphere Integrated Containers Engine -- Run containers alongside existing workloads.
- Harbor -- An Enterprise-class Container Registry Server based on Docker Distribution.
- Admiral -- Highly Scalable Container Management Platform.
vSphere Integrated Containers Engine (VIC)
VIC is a container runtime similar to the Docker Engine for vSphere, allowing the developers who are familiar with Docker to develop in containers and deploy them along with traditional VM workloads in a vSphere environment.
VIC uses the vSphere ESXi hosts and resource pools to create the container host construct, eliminating the need for a dedicated, traditional Linux OS-based container host (Docker Engine is usually installed on a Linux host).
The image below gives an amazing overview of how VIC works alongside an existing vSphere environment. Image credits to VMware.
There are a couple of advantages to note when using vSphere Integrated Containers over traditional container technologies, which have the following limitations:
- Any images that are imported on a container host (Linux OS) are tied to that host only.
- To increase the resources of the container host, all running containers must be stopped and then the container host itself must be stopped before more containers can be run.
- The containers are also tied to the host kernel and cannot be moved from one host to another.
How does vSphere Integrated Containers work?
In vSphere Integrated Containers, we create a container host called Virtual Container Host (VCH). The VCH is built as a resource pool inside of a cluster.
When the VCH is created, a Docker endpoint VM is also created, which receives the Docker commands and translates them for the VCH and its containers.
For example, when the VCH receives Docker commands like “run” and “build”, it tells vCenter Server to create a VM running the Photon OS kernel and unpacks the Docker image into that VM. Other commands are translated and executed against the containers of the VCH.
Since the VCH is created as a resource pool in the cluster, it is very easy to scale by just adding an ESXi host to the cluster to increase the capacity without disrupting the existing containers.
Images for the container host are stored in a shared datastore so that all containers using that VCH have access to them.
Virtual Container Host Networking
There are 4 possible network options when creating a VCH. When you create a VCH, the Container Bridge Network is the only mandatory option. Here is a short description of each type of network option available:
- vSphere Management Network: It is used to communicate with vCenter and the hosts as needed.
- Docker Management Endpoint Network: This network can be used to isolate the Docker endpoint from the more public network. It effectively provides a “management” network for Docker without requiring the Docker clients to have access to the vSphere Management network.
- External Network: It is used to publish network services of a container instead of using the default bridged network. This is very useful in avoiding the VCH as a single point of failure. If an external network is not defined, the VCH will attach to the default “VM Network” for publishing external network services.
- Container Bridge Network: It is the network used for containers to communicate with each other. With VIC you can set up multiple bridged networks.
Virtual Container Host Datastore
There are 3 datastore options when creating a VCH. When you create a VCH, the image datastore is the only mandatory option. Here is a short description of each type of datastore option:
- Image-datastore: This is where all the container image files are kept. A folder called VIC will be created on the specified datastore and all image files will be placed in that folder. There will be only 1 VIC folder per datastore. Each VCH will have its own folder under VIC to store the images cached from the Docker registry.
- Container-datastore: This is used to store the VM files that make up each container. By default when you create a VCH, a container-datastore is created with the same name as the VCH.
- Volume-store: This points to a folder location on a specified datastore and can be used as a shared volume for multiple VCHs. Containers can then attach to this volume and share data or have a persistent data location.
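To make the network and datastore rules above concrete, here is an added example (not VIC's own code) that resolves a VCH description the way the post describes: it enforces the two mandatory options, applies the “VM Network” fallback and the container-datastore default, derives the VIC/<vch-name> image cache folder, and warns when the Docker endpoint network is the same port group as the vSphere management network, since that throws away the isolation the endpoint network exists to provide. The dict keys, warning strings and the bracketed datastore path rendering are this example's own conventions.

```python
"""Resolve and sanity-check a Virtual Container Host (VCH) description.

Added example, not vSphere Integrated Containers code. It encodes the
rules from the post: bridge network and image datastore are mandatory,
a missing external network falls back to "VM Network", the container
datastore takes the VCH name, and cached images live under VIC/<vch>
on the image datastore. Key names and messages are our own convention.
"""

MANDATORY = ("name", "bridge_network", "image_datastore")
DEFAULT_EXTERNAL_NETWORK = "VM Network"  # fallback named in the post


def resolve_vch(spec):
    """Return (resolved_spec, warnings) for a VCH description dict."""
    missing = [k for k in MANDATORY if not spec.get(k)]
    if missing:
        raise ValueError("missing mandatory VCH options: " + ", ".join(missing))

    resolved = dict(spec)
    warnings = []

    # No external network: the VCH publishes services on "VM Network".
    if not resolved.get("external_network"):
        resolved["external_network"] = DEFAULT_EXTERNAL_NETWORK
        warnings.append("no external network; services publish on 'VM Network'")

    # The endpoint network exists to keep Docker clients off the vSphere
    # management network; sharing one port group defeats that purpose.
    client = resolved.get("client_network")
    mgmt = resolved.get("management_network")
    if client and mgmt and client == mgmt:
        warnings.append("docker endpoint network equals vSphere management network; isolation lost")
    if not client:
        warnings.append("no docker endpoint network; endpoint is not isolated from the public network")

    # Container datastore defaults to one named after the VCH.
    resolved.setdefault("container_datastore", resolved["name"])
    # One VIC folder per datastore, one sub-folder per VCH for cached images.
    resolved["image_cache_path"] = "[%s] VIC/%s" % (resolved["image_datastore"], resolved["name"])
    resolved.setdefault("volume_store", None)  # optional shared volume location
    return resolved, warnings


if __name__ == "__main__":
    # Constructed sample: a VCH whose Docker endpoint shares the mgmt port group.
    sample = {"name": "vch-dev", "bridge_network": "vic-bridge",
              "image_datastore": "ds-shared", "management_network": "mgmt-pg",
              "client_network": "mgmt-pg"}
    cfg, warns = resolve_vch(sample)
    print(cfg)
    for w in warns:
        print("WARNING:", w)
```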
Harbor
Harbor is an enterprise-class registry server that stores and distributes Docker images.
It is forked from the same code base on which Docker Hub was built and is specifically tailored to the needs of enterprise customers.
With Harbor, the images are stored in a private registry, keeping the bits and intellectual property behind the company firewall. In addition, Harbor offers advanced security features such as user management, access control and activity auditing.
- Role Based Access Control -- Users and Docker repositories are organized via “projects”; a user can have different permissions for images under a namespace.
- Image replication -- Images can be replicated (synchronized) between multiple registry instances. Great for load balancing, high availability, hybrid and multi-cloud scenarios.
- Graphical user portal -- Users can easily browse and search Docker repositories and manage projects/namespaces.
- AD/LDAP support -- Harbor integrates with existing enterprise AD/LDAP for user authentication and management.
- Auditing -- All operations on the repositories are tracked and can be used for auditing purposes.
- Internationalization -- Already localized for English, Chinese, German, Japanese and Russian. More languages can be added.
- RESTful API -- RESTful APIs are provided for most administrative operations of Harbor, which makes integration with other management software easy.
- Easy deployment -- Docker Compose and an offline installer.
Admiral
Admiral is a highly scalable and very lightweight container management platform for deploying and managing container-based applications.
The portal gives users the ability to manage the containers that run on top of vSphere. In the portal you get the following options to manage containers:
- Rule-based resource management -- Set up your deployment preferences to let Admiral manage container placement.
- Live state updates -- Provides a live view of your system.
- Efficient multi-container template management -- Enables logical multi-container application deployments.