VMware recently released vSphere Integrated Containers v1.1. I got an opportunity recently to give it a whirl. While I’ve done quite a bit of work with VIC in the past, a number of things have changed, especially in the command line. What I’ve decided to do in this post is highlight some of the new command line options that are necessary to deploy the VCH, the Virtual Container Host. Once the VCH is deployed, at that point you have the docker API endpoint to start deploying your “containers as VMs”. Before diving into that however, I do want to clarify one point that comes up quite a bit. VIC v1.1 is not using VM fork/instant clone. There are still some limitations to using instant clone, and the VIC team decided not to pursue this option just yet, as they wished to leverage the full set of vSphere core features. Thanks Massimo for the clarification. Now onto deploying my VCH with VIC v1.1.

First things first – VIC now comes as an OVA. Roll it out like any other OVA. Once deployed, you can point a web browser at the OVA and pull down the vic-machine components directly to deploy the VCH(s).

I have gone with deploying the VCH from a Windows environment using vic-machine. If you want to see the steps involved in getting a Windows environment ready for VIC, check out this post here from Cody over at the humble lab. Here is the help output to get us started.

C:\Users\chogan\Downloads\vic>vic-machine-windows.exe -h
NAME:
   vic-machine-windows.exe - Create and manage Virtual Container Hosts
USAGE:
   vic-machine-windows.exe [global options] command [command options] [arguments...]
VERSION:
   v1.1.0-9852-e974a51
COMMANDS:
     create   Deploy VCH
     delete   Delete VCH and associated resources
     ls       List VCHs
     inspect  Inspect VCH
     upgrade  Upgrade VCH to latest version
     version  Show VIC version information
     debug    Debug VCH
     update   Modify configuration
     help, h  Shows a list of commands or help for one command
GLOBAL OPTIONS:
   --help, -h     show help
   --version, -v  print the version
C:\Users\chogan\Downloads\vic>

Let’s see if I can at least validate against my vSphere environment by trying to list any existing VCHs:

C:\Users\chogan\Downloads\vic>vic-machine-windows.exe ls --target vcsa-06.rainpole.com \
--user administrator@vsphere.local --password xxx
Apr 28 2017 12:38:04.402+01:00 INFO ### Listing VCHs ####
Apr 28 2017 12:38:04.491+01:00 ERROR Failed to verify certificate for target=vcsa-06.rainpole.com \
(thumbprint=4B:A0:D1:84:92:DD:BD:38:07:E3:38:01:4B:0C:F1:14:E7:5D:5B:00)
Apr 28 2017 12:38:04.494+01:00 ERROR List cannot continue - failed to create validator: x509: \
certificate signed by unknown authority
Apr 28 2017 12:38:04.495+01:00 ERROR --------------------
Apr 28 2017 12:38:04.496+01:00 ERROR vic-machine-windows.exe ls failed: list failed

Well, that did not work. I need to include the thumbprint of the vCenter server in the command:

C:\Users\chogan\Downloads\vic>vic-machine-windows.exe ls --target vcsa-06.rainpole.com \
--user administrator@vsphere.local --password xxx --thumbprint \
4B:A0:D1:84:92:DD:BD:38:07:E3:38:01:4B:0C:F1:14:E7:5D:5B:00
Apr 28 2017 12:39:37.898+01:00 INFO ### Listing VCHs ####
Apr 28 2017 12:39:38.109+01:00 INFO Validating target
ID PATH NAME VERSION UPGRADE STATUS
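An added example, not from the original post or the VIC project: the value passed to --thumbprint is the SHA-1 fingerprint of the vCenter certificate, so before pinning the value printed in the error it can be compared with the fingerprint of a certificate obtained from a trusted source. The sample bytes, the host vcenter.example.test and the PEM file path are constructed placeholders.

```python
import hashlib
import re
import ssl

# Matches the line vic-machine logs when it cannot verify the target certificate.
_LOG_RE = re.compile(r"target=(?P<target>\S+).*?\(thumbprint=(?P<tp>[0-9A-Fa-f:]+)\)")


def cert_thumbprint(der: bytes) -> str:
    """SHA-1 over the DER certificate, formatted AA:BB:... as --thumbprint expects."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(tp: str) -> str:
    """Strip separators and whitespace, upper-case, and require 20 bytes of hex."""
    hexonly = re.sub(r"[\s:\-]", "", tp).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", hexonly):
        raise ValueError(f"not a SHA-1 thumbprint: {tp!r}")
    return hexonly


def thumbprint_from_log(line: str):
    """Return (target, thumbprint) from a 'Failed to verify certificate' line, else None."""
    m = _LOG_RE.search(line)
    return (m.group("target"), m.group("tp")) if m else None


def der_from_pem_file(path: str) -> bytes:
    """Load a certificate exported from a trusted source (hypothetical file path)."""
    with open(path, encoding="ascii") as fh:
        return ssl.PEM_cert_to_DER_cert(fh.read())


def safe_to_pin(log_line: str, trusted_der: bytes) -> bool:
    """True only when the thumbprint the tool saw matches the trusted certificate."""
    seen = thumbprint_from_log(log_line)
    if seen is None:
        return False
    return normalize(seen[1]) == normalize(cert_thumbprint(trusted_der))


# Constructed sample data: b"abc" stands in for real DER bytes; the host is a placeholder.
SAMPLE_DER = b"abc"
SAMPLE_LOG = ("Apr 28 2017 12:38:04.491+01:00 ERROR Failed to verify certificate for "
              "target=vcenter.example.test "
              "(thumbprint=A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D)")

if __name__ == "__main__":
    print(cert_thumbprint(SAMPLE_DER), safe_to_pin(SAMPLE_LOG, SAMPLE_DER))
```

In real use, the bytes passed to safe_to_pin come from der_from_pem_file on a certificate exported over a channel you already trust, not from the connection that produced the error.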

Now the command is working, but I don’t have any existing VCHs. Let’s create one. There are a lot of options included in this command since we are providing not only VCH details, but also network details for the “containers as VMs” that we will deploy later on:

C:\Users\chogan\Downloads\vic>vic-machine-windows.exe create --target vcsa-06.rainpole.com \
--user administrator@vsphere.local --password xxxx --name corVCH01 \
--public-network "VM Network" --bridge-network BridgeDPG --bridge-network-range "192.168.100/16" \
--dns-server 10.27.51.252 --tls-cname=*.rainpole.com --no-tlsverify --compute-resource Cluster \
--thumbprint 4B:A0:D1:84:92:DD:BD:38:07:E3:38:01:4B:0C:F1:14:E7:5D:5B:00
Apr 28 2017 12:59:31.479+01:00 INFO ### Installing VCH ####
Apr 28 2017 12:59:31.481+01:00 WARN Using administrative user for VCH operation - use --ops-user to improve security (see -x for advanced help)
Apr 28 2017 12:59:31.483+01:00 ERROR Common Name must be provided when generating certificates for client authentication:
Apr 28 2017 12:59:31.485+01:00 INFO --tls-cname=<FQDN or static IP> # for the appliance VM
Apr 28 2017 12:59:31.487+01:00 INFO --tls-cname=<*.yourdomain.com> # if DNS has entries in that form for DHCP addresses (less secure)
Apr 28 2017 12:59:31.492+01:00 INFO --no-tlsverify # disables client authentication (anyone can connect to the VCH)
Apr 28 2017 12:59:31.493+01:00 INFO --no-tls # disables TLS entirely
Apr 28 2017 12:59:31.494+01:00 INFO
Apr 28 2017 12:59:31.496+01:00 ERROR Create cannot continue: unable to generate certificates
Apr 28 2017 12:59:31.498+01:00 ERROR --------------------
Apr 28 2017 12:59:31.499+01:00 ERROR vic-machine-windows.exe create failed: provide Common Name for server certificate

Unfortunately, it seems it doesn’t like the TLS part of the command. It appears that this is a known issue. It seems that the TLS part of the command should be one of the first options specified in the command line. Let’s move it before some of the other arguments in the command:

C:\Users\chogan\Downloads\vic>vic-machine-windows.exe create --target vcsa-06.rainpole.com \
--user "administrator@vsphere.local" --password "xxx" --no-tlsverify --name corVCH01 \
--public-network "VM Network" --bridge-network BridgeDPG --bridge-network-range "192.168.100.0/16" \
--dns-server 10.27.51.252 --compute-resource Cluster \
--thumbprint 4B:A0:D1:84:92:DD:BD:38:07:E3:38:01:4B:0C:F1:14:E7:5D:5B:00
Apr 28 2017 13:05:45.623+01:00 INFO ### Installing VCH ####
Apr 28 2017 13:05:45.625+01:00 WARN Using administrative user for VCH operation - use --ops-user to improve security (see -x for advanced help)
Apr 28 2017 13:05:45.627+01:00 INFO Generating self-signed certificate/key pair - private key in corVCH01\server-key.pem
Apr 28 2017 13:05:46.162+01:00 WARN Configuring without TLS verify - certificate-based authentication disabled
Apr 28 2017 13:05:46.336+01:00 INFO Validating supplied configuration
Apr 28 2017 13:05:46.432+01:00 INFO Suggesting valid values for --image-store based on "*"
Apr 28 2017 13:05:46.438+01:00 INFO Suggested values for --image-store:
Apr 28 2017 13:05:46.439+01:00 INFO "vsanDatastore (1)"
Apr 28 2017 13:05:46.441+01:00 INFO "isilion-nfs-01"
Apr 28 2017 13:05:46.463+01:00 INFO vDS configuration OK on "BridgeDPG"
Apr 28 2017 13:05:46.464+01:00 ERROR Firewall check SKIPPED
Apr 28 2017 13:05:46.466+01:00 ERROR datastore not set
Apr 28 2017 13:05:46.467+01:00 ERROR License check SKIPPED
Apr 28 2017 13:05:46.468+01:00 ERROR datastore not set
Apr 28 2017 13:05:46.469+01:00 ERROR DRS check SKIPPED
Apr 28 2017 13:05:46.471+01:00 ERROR datastore not set
Apr 28 2017 13:05:46.472+01:00 ERROR Compatibility check SKIPPED
Apr 28 2017 13:05:46.473+01:00 ERROR datastore not set
Apr 28 2017 13:05:46.475+01:00 ERROR --------------------
Apr 28 2017 13:05:46.476+01:00 ERROR datastore empty
Apr 28 2017 13:05:46.477+01:00 ERROR Specified bridge network range is not large enough for the default bridge network size. --bridge-network-range must be /16 or larger network.
Apr 28 2017 13:05:46.479+01:00 ERROR Firewall check SKIPPED
Apr 28 2017 13:05:46.480+01:00 ERROR License check SKIPPED
Apr 28 2017 13:05:46.482+01:00 ERROR DRS check SKIPPED
Apr 28 2017 13:05:46.484+01:00 ERROR Compatibility check SKIPPED
Apr 28 2017 13:05:46.488+01:00 ERROR Create cannot continue: configuration validation failed
Apr 28 2017 13:05:46.490+01:00 ERROR --------------------
Apr 28 2017 13:05:46.491+01:00 ERROR vic-machine-windows.exe create failed: validation of configuration failed

The TLS issue now seems to be addressed, but it appears I omitted a required field, --image-store. This is where the container images will be stored, and it should be set to one of the available datastores in the vSphere environment. The output is even providing some recommended options, either vSAN or an NFS datastore. These are available to all hosts in the cluster.