For nearly two decades, we at VMware have been working on helping our customers address the challenge of supporting traditional business critical applications as well as next-generation applications. Today, with the General Availability of vSphere Integrated Containers, we are proud to announce that our customers can count on vSphere to also natively run containerized workloads.
Over the past couple of years, we have met a number of customers who have started to experiment with containers in their dev/test environments. While impressed by the benefits of this technology, our customers raised a few important concerns that kept them from taking these applications to production.
Reduced visibility – Enterprise IT admins are responsible for running tens if not hundreds of applications in production, and their existing toolset and practices give them no way to look inside a VM at the containers running in it. Even where they can, they have often had no opportunity to understand the application, its architecture, the effect of a misbehaving container, or the process for isolating it.
Multi-tenancy and concerns when sharing a kernel – With no efficient way to partition infrastructure, admins are forced to rethink their strategy for multi-tenancy. On a related note, the well-known security issues that arise from a shared kernel prevent admins from running these workloads in production: every container on a Linux Docker host shares that host's kernel, so a kernel vulnerability or a container escape exposes every other tenant's containers on the same host. The problem is acute in industries where regulation and compliance are mandatory.
Non-elastic infrastructure and inefficient resource utilization – Customers struggle to size their container hosts and spend too much time trying to predict the resources their applications need. Some overprovision to save time, which leads to monster VMs and poor utilization. Even then, they often end up resizing their hosts or adding capacity, and are forced to bolt on a clustering solution that increases complexity.
DIY isn’t for everyone – Many enterprise customers do not have the bandwidth or the capacity to build out their own stack using a DIY approach or to keep on top of the ever evolving set of patches and updates.
vSphere Integrated Containers starts by enabling IT teams to run traditional and container workloads side by side on existing infrastructure, so customers never have to create silos in their infrastructure. Using constructs from the Open Container Initiative to map Docker containers to vSphere infrastructure, containers are provisioned as virtual machines, offering the same security and functionality as virtual machines on VMware ESXi hosts or VMware vCenter Server instances.
The resulting container VMs, provisioned on demand, can be managed much like any other VM in the vSphere environment, so administrators can use their existing tools, processes and even scripts to manage containerized workloads. Since every container VM is backed by its own kernel (no kernel is shared between containers, or between a container and its host), existing security and compliance best practices translate directly to this new paradigm. The on-demand nature of vSphere Integrated Containers means resources are not overprovisioned, and once a container has been deleted, its resources are reclaimed.
vSphere Integrated Containers uses existing vSphere constructs to create a Virtual Container Host (VCH) that is compatible with standard Docker client tools and is backed by a pool of resources for its applications. This pool is a vSphere resource pool in the backend, which is elastic by nature. As a result, the vSphere admin has complete control over the resources available to every VCH and can address multi-tenant use cases by provisioning one VCH per tenant.
Because it runs containerized workloads on existing vSphere constructs, vSphere Integrated Containers works with advanced technologies like NSX, VSAN and vRealize out of the box, and integrates with the ecosystem of vSphere compatible products from our partners. vSphere Integrated Containers gives developers the portability, speed, and agility of enterprise-class containers, and gives IT Ops the management, security, and visibility they require to run containerized workloads in production.
Learn more about vSphere Integrated Containers at http://www.vmware.com/go/vsphereintegratedcontainers
Last year we introduced Project Bonneville. The idea behind it, at a high level, is that there is a strong parallel between the constructs Docker uses inside a Linux Docker host and the constructs ESXi uses as a hypervisor. In the final analysis, what Project Bonneville allowed you to do is run a Docker image as a VM on top of a hypervisor (as opposed to just as a container on top of a Linux host). This has the intrinsic advantage that you can operationalize Docker with the constructs you know and love.
One of the biggest problems IT is facing right now is that their internal customers are asking for "big Linux VMs", only for IT to find out weeks later that they have deployed containerized applications inside those instances. IT has no idea how to manage, monitor and secure those applications. The Bonneville approach fixes this problem by instantiating those applications as separate virtual machines. Maybe not cool, but very useful.
Fast forward 18 months, we are releasing (and fully supporting**) these technologies as part of vSphere.
Enterprise Plus customers now have the option of leveraging a feature of vSphere called vSphere Integrated Containers (VIC for short).
vSphere Integrated Containers comprises three different technologies. What makes them unique is that they are all open source. This means that you can just "consume" what we are building, or you can also contribute (if you wish) features that you deem necessary for your particular use case. These three technologies are discussed below.
Note that there is a video at the end of this post that shows these technologies in action. In the meanwhile, this is a 33,000-foot high-level diagram of how these technologies relate to each other:
This is a complete rewrite of Project Bonneville. When the engineering team was tasked with productizing Bonneville, they decided to rewrite it and include a so-called Portlayer. The Portlayer is an interface that exposes vSphere objects and services as container primitives. On top of the Portlayer you can have multiple different personalities. As part of this first release we have created a Docker personality (think of VIC Engine today as a Docker "façade" on top of vSphere).
The way you create this "façade" is straightforward: as a vSphere admin you use a tool called vic-machine (which ships with the VIC Engine binaries) to deploy a Virtual Container Host (a vApp) on top of vSphere.
Inside the Virtual Container Host there is a small VM that acts as the Docker endpoint. The IP of that VM is what the vSphere admin hands over to the internal customers that need Docker, together with the client certificate that vic-machine generates at deployment time: unless the VCH is deployed with the --no-tls or --no-tlsverify options, the endpoint speaks TLS and only accepts Docker API clients that present a certificate signed by its CA, so the IP address alone is not enough to reach it (and disabling that check hands control of every container in the VCH to anyone who can reach the port). When the customer runs "docker run -H
The VIC Engine Github repo is located here.
While one could see VIC Engine as being the core component of vSphere Integrated Containers, we soon realized that Enterprise customers were asking for more. Hence we decided to create a product that would do more than just mimic the behavior of a compatible Docker Engine.
For this reason, vSphere Integrated Containers also ships Harbor, an Enterprise Docker registry. For vSphere Integrated Containers deployments we have bundled it as a virtual appliance in OVA format. vSphere admins will grab the appliance and import it into the vSphere environment.
vSphere admins can then hand off its FQDN or IP address to their internal customers, who can use the registry service provided by Harbor as a secure Docker registry inside the data center. Not only will they continue to push and pull to and from Docker Hub, but they now have the option to push and pull to and from a local registry.
Harbor is built on top of the open source Docker registry foundation, and we added the features that most Enterprise customers are asking for: LDAP/AD support, role based access control, a user interface and image replication, to name a few.
If you are interested in understanding more about the internals of Harbor this is a good blog post from the engineering team that gets into some of the details.
This is the public Harbor repo on GitHub. For people interested in joining the Harbor community (as opposed to just using it as part of the supported vSphere Integrated Containers product), feel free to interact directly with the engineering team over there and/or submit PRs.
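The two hand-offs described above (the vSphere admin deploying a VCH with vic-machine and passing the Docker endpoint to a developer, and the developer publishing an image through Harbor and running it on the VCH) strung together as a script. This is an added example, not code from VMware, the VIC Engine project or Harbor. Every hostname, datastore, network, credential, path, Harbor project and image name is a placeholder I assume for a realistic environment, and --registry-ca is assumed to be the vic-machine option that makes the VCH trust the CA that signed Harbor's certificate.

```shell
#!/bin/sh
# Added example, not code from VMware or the VIC project. It strings together the
# two hand-offs described above: the vSphere admin deploys a VCH with vic-machine
# and passes the endpoint to a developer, who publishes an image through Harbor
# and runs it on the VCH. Every hostname, datastore, network, credential, path
# and image name below is a placeholder (an assumption about the environment).

# --- placeholders the vSphere admin fills in (assumptions) --------------------
VC_TARGET="${VC_TARGET:-vcenter.example.com/Datacenter}"
VC_USER="${VC_USER:-administrator@vsphere.local}"
VC_THUMBPRINT="${VC_THUMBPRINT:-<sha1-thumbprint-of-vcenter-certificate>}"
COMPUTE="${COMPUTE:-/Datacenter/host/Cluster/Resources/tenant-a}"  # one resource pool per tenant
IMAGE_STORE="${IMAGE_STORE:-datastore1}"
BRIDGE_NET="${BRIDGE_NET:-vic-bridge}"
PUBLIC_NET="${PUBLIC_NET:-VM Network}"
VCH_NAME="${VCH_NAME:-vch-tenant-a}"
VCH_CNAME="${VCH_CNAME:-vch-tenant-a.example.com}"   # name clients will use for the endpoint
HARBOR_HOST="${HARBOR_HOST:-harbor.example.com}"
HARBOR_CA="${HARBOR_CA:-./harbor-ca.crt}"             # CA that signed Harbor's server certificate

# Reject any vic-machine argument list that disables TLS on the Docker endpoint.
# --no-tls makes the API plaintext; --no-tlsverify keeps a server cert but lets
# any client that can reach the port drive the whole VCH.
vch_args_keep_tls() {
  for arg in "$@"; do
    case "$arg" in
      --no-tls|--no-tlsverify) return 1 ;;
    esac
  done
  return 0
}

# Deploy the VCH. With no --no-tls/--no-tlsverify, vic-machine generates a CA,
# a server certificate for VCH_CNAME and a client certificate pair, written to a
# directory named after the VCH (ca.pem, cert.pem, key.pem).
# --registry-ca is assumed to be the option that makes the VCH trust Harbor's CA.
vch_create() {
  vch_args_keep_tls "$@" || { echo "refusing to deploy a VCH with TLS disabled" >&2; return 1; }
  vic-machine-linux create "$@"
}

# Docker API URL for the endpoint VM; 2376 is the TLS port of the Docker API.
docker_host_url() {
  printf 'tcp://%s:2376\n' "$1"
}

# --- what the internal customer runs -----------------------------------------

# $1: endpoint IP handed over by the admin, $2: directory holding ca.pem,
# cert.pem and key.pem. After this the unmodified docker CLI talks to the VCH
# with mutual TLS; without the client cert the endpoint refuses the connection.
use_vch() {
  DOCKER_HOST="$(docker_host_url "$1")"; export DOCKER_HOST
  DOCKER_TLS_VERIFY=1;                   export DOCKER_TLS_VERIFY
  DOCKER_CERT_PATH="$2";                 export DOCKER_CERT_PATH
}

# Publish an image through the in-house registry, then run it on the VCH.
push_and_run() {
  docker login "$HARBOR_HOST"                                   # Harbor account (LDAP/AD or local)
  docker pull nginx:1.11
  docker tag  nginx:1.11 "$HARBOR_HOST/tenant-a/nginx:1.11"     # Harbor project "tenant-a" (RBAC unit)
  docker push "$HARBOR_HOST/tenant-a/nginx:1.11"
  docker run -d --name web "$HARBOR_HOST/tenant-a/nginx:1.11"   # becomes a containerVM on vSphere
  docker ps                                                     # same CLI, backed by vSphere
}

# Only run against real infrastructure when explicitly asked to.
if [ "${VIC_EXAMPLE_RUN:-0}" = 1 ]; then
  vch_create --target "$VC_TARGET" --user "$VC_USER" --thumbprint "$VC_THUMBPRINT" \
    --compute-resource "$COMPUTE" --image-store "$IMAGE_STORE" \
    --bridge-network "$BRIDGE_NET" --public-network "$PUBLIC_NET" \
    --name "$VCH_NAME" --tls-cname "$VCH_CNAME" --registry-ca "$HARBOR_CA"
  use_vch "${VCH_ENDPOINT_IP:?set to the endpoint IP printed by vic-machine}" "./$VCH_NAME"
  push_and_run
fi
```

Run it with VIC_EXAMPLE_RUN=1 after filling in the placeholders. The one part worth keeping in any wrapper script is vch_args_keep_tls: a VCH deployed with --no-tlsverify is driveable by anyone who can route to its endpoint IP, which is exactly the shared-host exposure the containerVM model is meant to remove.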
Admiral is an extension of vRealize Automation 7.2 and it adds container support to vRealize Automation. You can find additional information about it here.
However, given that Admiral has been developed independently and can be instantiated standalone, VMware decided to add Admiral to the vSphere Integrated Containers product.
Because VIC Engine relies on the very robust vSphere features to schedule "containerVMs" onto hypervisor hosts, we do not use all of the capabilities Admiral provides in a scenario where containers run on Linux Docker hosts. We do, however, use a lot of Admiral features in the context of vSphere Integrated Containers, including a user interface for consuming Virtual Container Hosts and the capability of composing multi-container applications to be deployed as a single entity.
You can access the public Admiral Github repo here. As a reminder, Admiral is still considered Beta as part of vSphere Integrated Containers.
See vSphere Integrated Containers in action
Now that we have talked about the technologies that comprise vSphere Integrated Containers, it is time to see them in action. This video shows how the three technologies discussed above are used together.
** Admiral has not reached GA yet, so support for Admiral, as part of vSphere Integrated Containers, is limited to the level of support we provide for Beta software.