Friday, February 16, 2018

vSphere Integrated Containers and VMware NSX better together


The dynamic and agile nature of the container world is a constant challenge for those of us who need to secure our environments; it is clear that manual operations are not enough to keep up with the pace of innovation this new world brings.

But how can I protect my production container workloads in a dynamic and agile way?
VMware NSX has the answer.

By leveraging Security Groups with dynamic membership you can create rules that match specific vSphere objects, which is a perfect match for vSphere Integrated Containers and its container-vm construct: traffic is allowed or blocked on demand whenever a new workload is created or deleted, providing the agility developers love without giving up the security that infrastructure teams need.

Let me give you a couple of use cases:

- Protect containers based on name
VIC allows you to expose a container service directly on the network through container networks (just covered in another post), so you can protect those services by allowing only specific traffic based on the container-vm name, for example allowing HTTP access only to container-vms whose names start with web (check the video below for a quick demo).

- Container to container communication
You can also use the container-vm names to create rules between containers; for example, only container-vms starting with app may communicate with database container-vms (starting with db).

- Protect tenant containers
I might be pushing it a bit with this one, it's not a real tenant construct, OK, but it serves my point.
Imagine two distinct developers or projects: you can provision a VCH for each of them using distinct name prefixes/suffixes (check my post about it if you are not sure), and then create a security boundary based on those prefixes, where container-vms with the same prefix can communicate freely with each other but not with the others, providing isolation and security between projects.
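As an added illustration of the three use cases (this is not part of the post and not NSX code or its API): an offline model of Security Groups whose dynamic membership is keyed on container-vm name prefixes, evaluated against a first-match, default-deny rule table. The group names, prefixes and ports are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Set, List

# Security Groups with a dynamic-membership criterion "VM name starts with ...".
# Names and prefixes are constructed for this example.
GROUPS = {
    "SG-web": "web",
    "SG-app": "app",
    "SG-db": "db",
    "SG-projA": "projA-",   # container-vms of one project's VCH (use case 3)
    "SG-projB": "projB-",
}

@dataclass(frozen=True)
class Rule:
    src: str             # security group name, or "any"
    dst: str
    port: Optional[int]  # None matches any port
    action: str          # "allow" or "deny"

# Ordered like a firewall section: first match wins, last rule is the default deny.
RULES: List[Rule] = [
    Rule("any", "SG-web", 80, "allow"),           # use case 1: HTTP to web* only
    Rule("SG-app", "SG-db", 5432, "allow"),       # use case 2: app* -> db* only
    Rule("SG-projA", "SG-projA", None, "allow"),  # use case 3: same-prefix traffic
    Rule("SG-projB", "SG-projB", None, "allow"),
    Rule("any", "any", None, "deny"),
]

def groups_of(vm_name: str) -> Set[str]:
    """Dynamic membership: every group whose prefix matches the container-vm name.
    A newly created container-vm is covered as soon as it exists, with no rule edits."""
    return {g for g, prefix in GROUPS.items() if vm_name.startswith(prefix)}

def evaluate(src_vm: str, dst_vm: str, port: int) -> str:
    """Return the action of the first rule matching source, destination and port."""
    src_groups, dst_groups = groups_of(src_vm), groups_of(dst_vm)
    for r in RULES:
        src_ok = r.src == "any" or r.src in src_groups
        dst_ok = r.dst == "any" or r.dst in dst_groups
        if src_ok and dst_ok and (r.port is None or r.port == port):
            return r.action
    return "deny"  # unreachable with the default-deny rule, kept as a safety net

if __name__ == "__main__":
    checks = [("client-01", "web-01", 80), ("web-01", "db-01", 5432),
              ("app-01", "db-01", 5432), ("projA-api", "projB-cache", 6379)]
    for s, d, p in checks:
        print(f"{s} -> {d}:{p} {evaluate(s, d, p)}")
```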

You are all cleverer than me, and I'm sure you can come up with new and innovative ideas for using NSX to protect containers, so tell us about it, leave your comment below.



Monday, January 22, 2018

vSphere Integrated Containers – VCH Wizard


With the increasing adoption of vSphere Integrated Containers, it became clear that a new consumption model for Virtual Container Hosts (VCH) was needed. There was nothing wrong with the VIC Engine Bundle command line, but given VIC's powerful features, the VCH creation command line sometimes just gets too long.

To provide an easier, faster and more agile initial setup, VIC 1.3 brought a new VCH creation/deletion Wizard!!!


This Wizard is part of the new VIC plugin for the vCenter HTML5 UI, so don't forget to install/upgrade the plugin to version 1.3 before you start using it.

A new “+ New Virtual Container Host” action is available on the Virtual Container Hosts tab, where you can initiate the creation of your VCHs at any time.

 
Once started, the Wizard guides you through all the sections related to the VCH, and the specifics of each section are shown on the right.

Some sections also provide advanced parameters; just expand the section to configure them, otherwise default values are used.

 
On the Storage section, a good practice is to always have one volume named “Default”, which eliminates the need to explicitly specify datastore names when containers use volumes.


The Network section is where the most interesting things are; don't forget to hit Advanced to see them all.

 
There you can find the options to configure container networks, firewall behavior and the optional VCH networks, like the management and client networks.

There's also an entire section dedicated to protecting your VCH with TLS.


You can also grant the required privileges to the operations user on demand.


Double-check the details on the Summary; if everything is fine, just hit Finish.



One nice touch: during the creation of the VCH you can watch the log live, just expand the VCH details.



If you are a fan of the VIC Engine Bundle, don't worry, the script is still available and you can still use it to create VCHs.


Wednesday, January 3, 2018

Year in Review 2017

 

Another year has just started and it's time to look back and see how much I contributed to the community.

2017 was a busy year, with a lot of challenges and work to be done. I had the amazing opportunity to spend 3 months with the VMware Technical Marketing Team for Cloud-Native Applications, where I learned a lot about this new and emerging world and technology; you might have noticed the effect on my post subjects.
The drawback of all this rush is that I produced only 27 posts this year, while for the past 3 years it was always over 30. I have to confess I'm a bit disappointed with myself, but that's the thing when you run a personal blog in your own free time.

Interestingly, these 27 posts still generated 64,407 pageviews, a slight increase of 1% from last year; I'll call it a victory.
The audience comes from all parts of the globe, 164 countries to be precise, but mostly from the US, India, the UK, Germany, and Brazil.

These are my Top 10 posts for 2017 (in parentheses, the rank from 2016):

#1.  NSX Reference Poster (#1)
#2.  vSphere Integrated Containers Networking
#3.  VMware Converter Configuration Tips (#4)
#4.  Enable vRealize Orchestrator Control Center
#5.  vSphere Replication Traffic Isolation
#6.  Unlock vRealize Orchestrator default VMware Account (#2)
#7.  ESXi password Complexity Requirements (#3)
#8.  vSAN stretched cluster topology explained
#9.  VMware script to delete/remove VMs (#6)
#10. RDM disk corruption on Microsoft Failover Cluster

The NSX reference poster made #1 again; I have to admit it's a damn good poster. I'm also glad that 50% of the top 10 posts are debuting on the list, which means I'm generating meaningful articles.
One last thing: the VMware Converter Configuration Tips post made it again, ranking in the Top 10 since 2013.
Are there still people converting physical machines?!?! Please, if you do, let me know ; )

Now, let's make 2018 better !!!!



Friday, November 17, 2017

vSphere Integrated Containers – additional Docker commands

vSphere Integrated Containers brings an enterprise container runtime into vSphere environments, where developers who are familiar with Docker can run their containerized applications transparently, without even noticing they are running on a non-traditional Docker host.

To provide this seamless experience, VIC must offer complete parity of supported commands with Docker. VMware has been putting a lot of effort into each release to add as many commands as possible, making developers' lives easier and easier.
Along with a bunch of new features and fixes, VIC 1.2 also took a step closer to 100% parity with Docker by adding support for the following widely used commands:

- docker cp
description: Copy files to and from containers
syntax: docker cp "src_file" container_ID:"dst_path"

- docker exec
description: Run a command in a running container
syntax: docker exec container_ID [command]

- docker commit
description: Commit changes to a container into a new image
syntax: docker commit container_ID new_image:tag

- docker diff
description: Inspect the differences on the container's file system since its creation
syntax: docker diff container_ID
A = file added
C = file changed
D = file deleted

- docker stats (not really new, but 1.2 added support for network statistics)
description: Show container statistics
syntax: docker stats container_ID




For a full list of the Docker commands supported on VIC, check the documentation.
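As an added example (not from the post and not VIC code): a small parser for the docker diff output described above that applies the A/C/D legend and reports changes under paths an application container should not normally be rewriting at runtime, a cheap drift check for a running container-vm. The sample output and the watch list are constructed.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of `docker diff container_ID` output (not a real capture).
SAMPLE_DIFF = """\
C /etc
C /etc/passwd
A /root/.ssh
A /root/.ssh/authorized_keys
C /var/log
A /var/log/app.log
D /tmp/build.lock
A /usr/local/bin/helper
"""

LEGEND = {"A": "added", "C": "changed", "D": "deleted"}

# Constructed watch list: paths an application container should not be
# rewriting once it is running; tune it per image.
WATCH_PREFIXES = ("/etc/", "/root/.ssh/", "/usr/", "/bin/", "/sbin/")

def parse_diff(text: str) -> List[Tuple[str, str]]:
    """Turn the '<A|C|D> <path>' lines into (kind, path) pairs."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, _, path = line.partition(" ")
        if kind not in LEGEND or not path.startswith("/"):
            raise ValueError(f"unexpected docker diff line: {line!r}")
        entries.append((kind, path))
    return entries

def summarize(entries: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count entries per kind, e.g. {'C': 3, 'A': 4, 'D': 1}."""
    return dict(Counter(kind for kind, _ in entries))

def suspicious(entries: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Entries under a watched prefix. The bare parent-directory entries that
    docker diff emits ('C /etc') are not matched, only the files below them."""
    return [(k, p) for k, p in entries if p.startswith(WATCH_PREFIXES)]

if __name__ == "__main__":
    found = parse_diff(SAMPLE_DIFF)
    print("changes by kind:", summarize(found))
    for kind, path in suspicious(found):
        print(f"{LEGEND[kind]:>8}: {path}")
```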
 

Who am I

I’m an IT specialist with over 15 years of experience, working from IT infrastructure to management products, with troubleshooting and project management skills from medium to large environments. Nowadays I'm working for VMware as a Consulting Architect, helping customers embrace the Cloud Era and be successful on their journey. Despite the fact that I'm a VMware employee, these postings reflect my own opinion and do not represent VMware's position, strategies or opinions. Reach me at @dumeirell
