VMware vSphere Integrated Containers aka VIC is a new product released by VMware last year. It comes with a vSphere Enterprise Plus license. This new product allows you to deploy containers as vSphere virtual machines from the Docker command line interface.
VMware vSphere Integrated Containers bundles three different open source projects: Admiral, which is a management web interface; Harbor, which is a Docker registry; and VIC engine, which is the core of VMware vSphere Integrated Containers.
You can see VIC engine as a translator from Docker API calls to VMware vSphere API calls.
The container virtual machines are running a stripped down version of VMware Photon OS. The size of the operating system ISO is around 60MB, which is reasonably small.
One of the benefits of VMware vSphere Integrated Containers is that you can use the Docker command line interface to deploy containers, but still enjoy most of the VMware vSphere features like vMotion, Snapshots, DRS, HA, etc.

Prerequisites
For this lab, we need a VMware vSphere Enterprise Plus environment with a virtual distributed switch configured, and an Ubuntu 16.04 virtual machine that is able to access the VMware vCenter API over the network. This machine will be used to deploy the Virtual Container Host aka VCH on the VMware vSphere infrastructure. This Ubuntu 16.04 virtual machine also needs access to the Internet to be able to download container images from the Docker public registry. The same network will be used to deploy the vSphere Integrated Containers OVA. This OVA contains Admiral and Harbor.
We are going to deploy container virtual machines on their own network and this network will provide IPs to the container virtual machines via DHCP. By doing so, each container will have its own LAN IP and we will not have to set up a port forward in order to access the application running inside the container. This is one of the awesome features of vSphere Integrated Containers.
We will also need the vic-v1.2.1-4104e5f9.ova OVA. You can download it from My VMware.
Deployment of Harbor and Admiral
1- Right click your cluster and choose "Deploy a new OVF..."
2- Select the vic-v1.2.1-4104e5f9.ova file on your local disk.
3- Enter the name "vic" for the virtual machine.
4- Choose the cluster where you would like to deploy the virtual machine.
5- Review the details.
6- Accept the license.
7- Select the datastore where you would like to deploy the virtual machine.
8- Select the network as discussed in the prerequisites.
9- Enter a root password for the virtual machine.
10- Enter the network information for your virtual machine. Leave these fields blank if you are using DHCP.
11- Start the deployment.
12- When the OVA is deployed, power on the vic virtual machine.
13- Once the virtual machine is started, browse to https://[your_vic_vm_ip]:9443 and enter your vCenter FQDN and credentials to register your appliance with the vCenter SSO.
14- Browse to https://[your_vic_vm_ip]:443. You should now have access to the Admiral and Harbor interface.
Installation of VIC engine
1- SSH to your Ubuntu 16.04 virtual machine.
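2- Download the VIC engine archive from the vic virtual machine. The --no-check-certificate option tells wget not to validate the appliance's certificate, so run this download over a network you trust.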
$ wget --no-check-certificate \
https://[your_vic_vm_ip]:9443/files/vic_1.2.1.tar.gz
3- Extract the archive.
$ tar xvzf vic_1.2.1.tar.gz
4- Go to the vic directory.
$ cd vic
5- Download the Harbor certificate authority.
$ scp root@[your_vic_vm_ip]:/data/harbor/ca_download/ca.crt .
Installation of Docker CE
1- Add the Docker GPG key.
$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | \
sudo apt-key add -
2- Add the Docker repository.
$ sudo add-apt-repository \
"deb [arch=amd64] https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) \
stable"
3- Update the Ubuntu 16.04 package index.
$ sudo apt-get update
4- Install Docker CE.
$ sudo apt-get install docker-ce
5- Add your user to the docker group.
$ sudo usermod -aG docker $USER
6- Enable Docker CE.
$ sudo systemctl enable docker
7- Log out from the Ubuntu 16.04 virtual machine and log back into it.
8- Verify the Docker CE installation.
$ docker info
Configure Docker for Harbor
1- Create a directory for the Harbor CA.
$ sudo mkdir -p /etc/docker/certs.d/[your_vic_vm_ip]
2- Copy the Harbor CA into the directory.
$ sudo cp ~/vic/ca.crt /etc/docker/certs.d/[your_vic_vm_ip]
3- Restart Docker CE.
$ sudo systemctl restart docker
4- Try to log in to Harbor.
$ docker login -u 'administrator@vsphere.local' [your_vic_vm_ip]
Configure the ESXi firewall
The VIC documentation explains how to open the outgoing port 2377. The problem is that this firewall rule does not persist after a reboot of your ESXi host. The following steps explain how to configure the ESXi firewall in a persistent fashion.
1- Download the VIC firewall offline bundle.
2- Create a VIB directory on your datastore.
3- Upload the offline bundle to the VIB directory.
4- SSH to each of your ESXi hosts and install the offline bundle.
$ esxcli software acceptance set --level=CommunitySupported
$ esxcli software vib install \
-d /vmfs/volumes/[your_datastore]/VIB/vic-firewall-offline-bundle.zip
5- Reload the firewall on each of your ESXi hosts.
$ esxcli network firewall refresh
Create a port group for the VCH bridge
1- Create a new port group on your virtual distributed switch.
2- Enter the name "vch-bridge-01".
3- Leave all the other options as default.
Deployment of a VCH
1- Go back to your vic-machine Ubuntu 16.04 virtual machine.
2- Go to the vic directory.
$ cd ~/vic
3- Deploy a VCH on your VMware vSphere infrastructure.
$ ./vic-machine-linux create \
--target [your_vcenter_ip] \
--user administrator@vsphere.local \
--name vch-01 \
--compute-resource [your_vsphere_cluster_name] \
--image-store [your_datastore_name] \
--volume-store [your_datastore_name]:default \
--bridge-network vch-bridge-01 \
--public-network [your_production_static_network_port_group_name] \
--public-network-ip [your_vch_static_ip]/24 \
--public-network-gateway [your_production_static_network_gateway_ip] \
--container-network [your_production_dhcp_network_port_group_name] \
--container-network-firewall [your_production_dhcp_network_port_group_name]:Open \
--dns-server [your_production_static_network_dns_ip] \
--no-tlsverify \
--registry-ca ./ca.crt \
--thumbprint [your_vcenter_certificate_thumbprint]
Note: If you don't know the thumbprint of your vCenter, execute the command without it and the thumbprint will be displayed.
4- Verify your deployment.
$ docker -H [your_vch_static_ip]:2376 --tls info
5- Verify the connection to Harbor.
$ docker -H [your_vch_static_ip]:2376 --tls login \
--username 'administrator@vsphere.local' \
[your_vic_vm_ip]
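The vic-machine create command in step 3 makes three security-relevant choices: --no-tlsverify, an Open firewall on the container network, and whether the vCenter thumbprint is supplied. The following is an added example, not part of the original walkthrough or of the VIC project, that lints a vic-machine create argument list for them. The function name audit_vch_args, the finding labels and the port group name containers-dhcp are assumptions made for illustration.

```shell
# Added example: lint a `vic-machine create` argument list for the
# security-relevant flags used in this walkthrough. One finding per line;
# no output means none of the three conditions was found.
audit_vch_args() {
    have_thumbprint=0
    pending=""    # flag seen in "--flag value" form, waiting for its value
    for arg in "$@"; do
        if [ -n "$pending" ]; then
            arg="$pending=$arg"    # normalise to "--flag=value"
            pending=""
        fi
        case "$arg" in
            --thumbprint|--container-network-firewall)
                pending=$arg ;;
            --thumbprint=?*)
                have_thumbprint=1 ;;
            --no-tlsverify)
                echo "no-tlsverify: the VCH does not request client certificates," \
                     "so any host that reaches its Docker API can run containers" ;;
            --container-network-firewall=*)
                # Value is <port group>:<trust level>; the level is matched
                # case-insensitively because the walkthrough writes "Open".
                level=$(printf '%s' "${arg##*:}" | tr '[:upper:]' '[:lower:]')
                net=${arg#*=}
                net=${net%:*}
                if [ "$level" = "open" ]; then
                    echo "firewall-open: container network '$net' accepts" \
                         "traffic on every port, not only published ones"
                fi ;;
        esac
    done
    if [ "$have_thumbprint" -eq 0 ]; then
        echo "no-thumbprint: check the thumbprint vic-machine prints against" \
             "the vCenter certificate before passing it with --thumbprint"
    fi
}

# Constructed sample: the security-relevant part of the command above, with a
# hypothetical port group name (containers-dhcp) and no --thumbprint.
audit_vch_args --name vch-01 --bridge-network vch-bridge-01 \
    --container-network-firewall containers-dhcp:Open --no-tlsverify
```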
Upload a new image to Harbor
1- Download an image from Docker Hub to your vic-machine Ubuntu 16.04 virtual machine.
$ docker pull nginx:latest
2- Get the image ID.
$ docker images
3- Tag the image for Harbor.
$ docker tag [your_image_id] [your_vic_vm_ip]/default-project/nginx:latest
4- Push the image to Harbor.
$ docker push [your_vic_vm_ip]/default-project/nginx:latest
Run a container from a Harbor image
1- Ensure that your VCH is connected to Harbor.
$ docker -H [your_vch_static_ip]:2376 --tls login \
--username 'administrator@vsphere.local' \
[your_vic_vm_ip]
2- Run an Nginx container on the container network.
$ docker -H [your_vch_static_ip]:2376 --tls run -d \
--name nginx-01 \
--net=[your_production_dhcp_network_port_group_name] \
[your_vic_vm_ip]/default-project/nginx:latest
3- Get the container IP.
$ docker -H [your_vch_static_ip]:2376 --tls inspect \
nginx-01 | grep IPAddress
4- Browse to http://[your_container_ip].
As you can see, one of the huge benefits of VMware vSphere Integrated Containers is the ability to run containers directly attached to the network. This avoids the port redirection that would be required with a standard Docker engine.