Tuesday, July 17, 2018

vSphere Integrated Containers – Affinity rules

Managing a vSphere environment is not about making use of the technology by itself, in fact, it’s leveraging this technology to fulfill business needs what it really matters. Often vSphere Administrators utilize DRS affinity rules to control virtual machines placement specifying a group of hosts which might fulfill those needs, reasons vary from license constraints, specific hardware needs, increase availability etc.

With the advent of vSphere Integrated Containers, VIC, developers can instantiate their own containers, container-vms to be more precise, without the interference of a vSphere Admin, while it increases the agility of the business it also places a new challenge; as containers-vms come and go as need how admins can keep their affinity rules updated in order to fulfill the business need ??? For sure a manual intervention is not up for debate.

Luckily VIC 1.4 brought a new functionality, host affinity. When enabled, there will be a DRS VM Group for each Virtual Container Host, VCH, and as containers are created or deleted this group will be updated accordingly, helping administrators and developers life to adhere to those business need automatically.

During the creation of a VCH, you enable host affinity just specifying ”--affinity-vm-group” option on the vic-machine command line (not yet available on VCH wizard).

A new DRS VM Group will be created with the same name of the VCH, you will also notice VCH VM is part of this group, it’s made that way because it’s impossible to create an empty VM Group, while an empty group can exist as a result of removing all VMs from it.

But what about new existing VCHs ???
Starting with VIC 1.4.1 you can reconfigure them enabling host affinity as well.
After creating the VCH, vSphere Administrators just need to create a VM-Host Affinity rule that matches this newly created VM Group and a Host Group, before handling the VCH for the developers.

So every time a developer creates or deletes containers on the VCH, the VM group membership will be updated accordingly and DRS will take care of the scheduling container-vm based on the rule create before automatically.
Enabling higher agility and improving operational efficiency while keeping the business need into account.

If you are still not sure why would you use this feature, I’d like to expose a few use cases;
On a hypothetical scenario of a single vSphere cluster made of 10 hosts distributed on 2 physical racks you may have;

*** Licensing needs ***
Let’s imagine you have an application that is licensed per physical host or processor, to decrease your license cost you might create a host group containing just the hosts you have this application license for and match this group with an affinity rule for the VCH VM Group, this way you don’t need to license your entire cluster;

*** Specific Hardware needs ***
Now if your container benefits from a graphical intensive processor, GPU, you can create a host group containing those hosts and match this group with the VCH VM Group, now those intensive containers will always be scheduled on the right host;

*** Fault Domains ***
Increasing your fault domain is always a plus when it comes to availability.
You can use a Host Group to create a kind of virtual cluster inside your vSphere cluster where the members of this host are spread among the racks. While you cannot guarantee your application will always be spread evenly between racks, HA will restart your container-vms on the remaining hosts in case of rack failure.

But, if you wanna make sure your application will always be spread evenly between racks you can create two VCHs, where each one will have an affinity rule to a Host Group based on hosts of a single rack.
Like VCH01 will use hosts from rack-A and VCH02 will use hosts from rack-B, now you can control the placement of your containers assuring that your application will always be available in case of a rack failure.

As you can see there's so many use cases for this feature but even more important is to support the agility you need while still aligned with your business need.

Do you have a different use case for this feature ? let us know...

Tuesday, June 5, 2018

vSphere Integrated Containers 1.4 - Upgrade 3/3

Finally, we get to the last step on this journey of upgrading my environment to the latest and greatest vSphere Integration Containers so far.

Today I'll upgrade my Virtual Container Host, VCH, to version 1.4

VCH management and lifecycle actions, like upgrades, are performed through the use of VIC Engine Bundle.
If you haven't that available yet or is using an older version, grab it now.
Engine Bundle can be found on the VIC Getting Start page (https://VIC:9443)

Unpack the binaries from Engine bundle tar file;
Run: tar -zxf vic_1.4.0.tar.gz

Check the VCH version on your environment;
Run: vic-machine ls
As you can see it’s running version 1.3 and has one container running.

The amazing thing about VIC is that interruptions, like upgrades, to VCH, does not cause any outage to the containers, basically because they are running independently as container-vms;
if you are using NAT based port forwarding then communication will be briefly interrupted but if you are using the exclusive VIC feature, Container Network, you are in good shape them.

Now that we know the ID of our VCH we can upgrade it.
Execute the vic-machine upgrade command and specify the VCH's ID we just got from the previous step.
Run: vic-machine upgrade --id "VCH_ID"

In less than 3 minutes my VCH has been upgraded to version 1.4 and as you can see my container kept running for the entire process.


There’s no process to upgrade your running containers !!!
Containers are ephemeral by nature, so if you want a newer version, delete it and create a new one. Welcome to the container world !!!!

VIC containers are based on Photon OS, and with VIC 1.4 comes a new bootstrap.iso version; don't get too excited, it was not this time it got upgraded to version 2.0, but it got some nice minor packages updates.
So any previous container will still be running the old Photon OS version but the new ones will get the new bootstrap.iso version.

For comparison, I just run a new container based on the same image and compared the OS versions.

That’s all folks there are no more excuses to be running an older VIC version if you still unsure about why to upgrade, take a look at the complete list of what's new.

See you

Wednesday, May 30, 2018

vSphere Integrated Containers 1.4 - Upgrade 2/3

Hello there, following my series of upgrading vSphere Integration Containers to version 1.4, I'll cover today how to upgrade the vSphere Web Client Plug-in.

Let’s start with some housekeeping:
I’m considering you are running vCenter Server Appliance right, who is running the Windows version anyway ?!?!?
  • You already upgraded your VIC appliance to version 1.4;
  • VIC plugin 1.2.x or 1.3.x is already installed on vCenter;
  • The bash shell is enabled on VCSA; (just check it on vCenter's VAMI page)
Copy the VIC Engine Bundle file from the new appliance to VCSA;
Engine Bundle can be found on the VIC Getting Start page (https://VIC:9443)

Unpack the binaries from Engine bundle;
Run: tar -zxf vic_1.4.0.tar.gz

Execute the upgrade script;
Run: ../vic/ui/VCSA/upgrade.sh

Once on the VCSA bash shell, set up some environments variables;
Run: export VIC_ADDRESS="VIC_v1.4_IP"
Run: export VIC_BUNDLE="vic_engine_bundle_version"

Provide the vCenter name, the user with privileges to register plugins, If the plugin version you want to upgrade is correct, just hit yes to proceed

The log is provided on the screen during the process;

If everything ran as expected, just restart the web client services for the new version takes place.

Run: service-control --stop vsphere-ui
Run: service-control --stop vsphere-client
Run: service-control --start vsphere-ui
Run: service-control --start vsphere-client

When logging back to vCenter we see the plug-in has been upgraded

Unfortunately, this new plug-in has no new features, but VCH Creation Wizard has gone through some design improvements, collapsing and sorting some information in order to make the deployment more intuitive and easier.

Now we are missing the last piece of it, upgrading Virtual Container Hosts....keep watching.

Friday, May 25, 2018

vSphere Integrated Containers 1.4 - Upgrade 1/3

On May 15th VMware has released a new version of its own docker implementation product, vSphere Integrated Containers 1.4, as always it comes with enhancements that include but not limited to support for vSphere 6.7 and ROBO deployments, affinity rules (more on that in a future post) and some management portal improvements.

But today I wanna cover the upgrade process, I will break it into 3 phases for easier consumption;

- Upgrade vSphere Integrated Containers Appliance (This post)

To be honest the upgrade itself is not really an in-place upgrade, in fact, the process involves deploying a new VIC appliance and copying the relevant information from the previous appliance to the new one, including management portal, registry configuration and data.

The good thing about it is that it leaves you with an easy rollback option, since the previous appliance is kept intact, in case of any problem, you can just get rid of the new appliance and power the previous one back on and everything will still there just the way it was before the upgrade.

My actual environment compresses of a VIC 1.3 and one VCH connected to it;
obs: you can upgrade from any version later than 1.2.x
I also have a project (cnameetupsp), with a few images, which has been scanned for vulnerabilities and signed by Content Trust (another post I own you guys).

Let’s start downloading and deploying VIC 1.4 since it’s a new appliance, give it it’s own IP address and hostname.
OVA deploy process is pretty standard among VMware’s solutions, so I’m not going through it, but if you still have doubts the product's documentation is your friend.

Important: Make sure to use the Flex-based vSphere Web Client to deploy it, even if you are using vSphere 6.7, because HTML5 Web Client is not ready for VIC yet, although the deployment my succeed the configuration required for VIC to work might not be implemented properly.

Once the appliance is deployed access it through SSH. Make sure to enable it during OVA deployment.

Important 2: do NOT go to the Getting Started page of the new appliance, because it will initiate the services for a new set up and would cause the upgrade to fail, if you have done it, just deploy a new appliance ; )

Once on the new appliance console just run the upgrade script;
Run: ./etc/vmware/upgrade/upgrade.sh

The script will prompt you with the information about the vCenter where the previous appliance is provisioned, if you have an external PSC provide their information as well otherwise just leave it blank

Now you need to provide the information about your previous VIC appliance, make sure the appliance is power on and with SSH enabled, if not, power off the appliance and enable it through Permit Root Login within vApp Options.

There you go, just sit back, relax and watch the upgrade process running;
During the process, the relevant files are copied over and the old appliance is shut down.
If you need more information or for troubleshooting needs, the log is saved on /var/log/vmware/upgrade.log

Once it’s done, just power on the new appliance and log in.
As we can see the upgrade was successful, my VCH is connected to the new VIC Appliance

My projects and images are there as well.

The only downside is that my images came unsigned, it’s due as a new appliance comes with a different certificate from my previous one.
So, if you are using Content Trust you will have to plan it accordingly and resigned your images after the upgrade so the users will be able to pull and run them again.

That’s all for today, stay tuned for the remaining upgrade phases; vSphere Plugin and Virtual Container Hosts.


Who am I

My photo
I’m an IT specialist with over 15 years of experience, working from IT infrastructure to management products, troubleshooting and project management skills from medium to large environments. Nowadays I'm working for VMware as a Consulting Architect, helping customers to embrace the Cloud Era and make them successfully on their journey. Despite the fact I'm a VMware employee these postings reflect my own opinion and do not represents VMware's position, strategies or opinions. Reach me at @dumeirell

Most Viewed Posts

Blog Archive