VSphere Integrated Containers v3.0

Containers Technology

Traditional to Cloud Native Application Stacks

Microservices

CONFIDENTIAL

[Figure: application stack layered as Hardware, OS Kernel, OS File system and Userspace; in the userspace layer each Container holds one or more App processes]

Introduction To Linux Containers

OS-level Isolation
•  Isolation at individual kernel subsystem level (e.g. filesystem, process table, etc.)
•  User-level process (LXC, libcontainer) orchestrates these subsystems to create a container

Existed for Many Years
Solaris Zones, FreeBSD Jails, OpenVZ

Why?
•  Process isolation
•  Reproducible environment
•  Enables management at scale

Containers Help You Iterate Quickly

[Figure: DEV, TEST, PROD pipeline]

Drive Business Agility

But I’m a vSphere Admin, Why Do I Care about Containers?

Because There Are Still Many Challenges with Containers

[Figure: "The Learning Cliff" between CONTAINERS IN DEVELOPMENT and CONTAINERS IN PRODUCTION; production concerns listed: High Availability, Security, Disaster Recovery, Monitoring, Diagnosis, Repeatable Deployments, Portability, Accounting]

Source: https://twitter.com/mfdii/status/697532387240996864

@cloudnativeapps #vmwcna CONFIDENTIAL

Container Deployment On Bare Metal

[Figure: Physical Hardware running Linux, a Container Engine and containers (C C C)]

Container Deployment In VMs – Basic Approach

[Figure: a VM on vSphere running Linux, a Container Engine and containers (C C C)]

•  Prediction of VM size during creation / Resizing to meet demand
•  Restricted visibility when troubleshooting
•  Inability to reclaim unused resources

Introducing The vSphere Integrated Containers Engine

[Figure: a conventional VM (Linux, Container Engine, containers) beside a Virtual Container Host on vSphere, where each container (C) runs on its own Linux Kernel]

Full Visibility, Proven Security, Mature Ecosystem

[Figure: Developer requirements (Portable, Fast, Light) and IT requirements (Security, Visibility, Management) met by a Virtual Container Host on vSphere, with each container (C) on its own Linux Kernel alongside a VM]

Photon OS – Secure Container Runtime

•  Container Optimized Linux OS
•  Docker, Rocket and Garden (Pivotal) support
•  Minimal footprint to run containers
•  vSphere and Photon Platform Integration
•  Boots in 6 sec.
•  Hypervisor-optimized container runtime
•  Updates from VMware; Enterprise support
•  Security and update patches from VMware
•  Open Source, GPL v2 License
•  1.0 released June 2016

vSphere Integrated Containers Engine – In Detail

[Figure: a Virtual Container Host consisting of an Endpoint VM and several Container VMs, each Container VM with its own Linux Kernel, running alongside Traditional App VMs with a Guest OS]

1.  vSphere Administrator creates a Virtual Container Host
2.  Developer connects and issues a Docker run command

Screenshots of vSphere Integrated Containers in vCenter

VMware Validation and Differentiation – Giving the Best of Both Worlds (Developers and IT Ops)

What Developers Want: Portable, Fast, Light
•  Run Standard Container Formats, integrated with Developer Tools
•  Common APIs for Orchestration
•  Container in Seconds

Delivered through: open container formats + orchestration APIs; Instant Clone, fast boot; Photon OS

What IT Ops Needs: Consistent Management, Rich SLAs, Data Persistence, Network & Security
•  Isolation and Multi-Tenancy
•  Network Provisioning and Configuration
•  Choice of Storage and Guarantee of Services
•  Align SLAs per Workload
•  Manage with Existing Tool Sets

Delivered through: VM, vSphere Distributed Switch, NSX; vVols, VSAN; vSphere DRS, I/O Controls; vCenter Server

vSphere Integrated Containers Engine

[Figure: vCenter Server managing NSX, vSAN and two Virtual Container Hosts (VCH 1, VCH 2); each VCH has a Container Endpoint and Container VMs (C-VM, each with its own Linux Kernel) running beside Traditional VMs; labelled benefits: Portable + Fast + Light, Consistent Mgmt + Rich SLAs, Network + Security, Data Persistence]

vSphere Integrated Containers – Enterprise Registry

[Figure: the same vCenter Server / NSX / vSAN / VCH 1 and VCH 2 architecture, with a Registry component added beside the Virtual Container Hosts]

Introduction of Harbor: Enterprise-Class Registry

An open source enterprise-class private registry. Part of VIC, and it can also be used independently.

Why does one need a private registry?
•  Efficiency
   –  LAN vs WAN
•  Security
   –  Intellectual property stays in organization
   –  Access Control

Harbor Key Features

•  User management & access control
   –  RBAC: admin, developer, guest
   –  AD/LDAP integration
•  Policy based image replication
•  Web UI
•  Audit and logs
•  Restful API for integration
•  HA with vSAN
•  Lightweight and easy deployment

Explaining Harbor Architecture

[Figure: Docker Client and Browser connect through a Reverse Proxy (Nginx) to Harbor, which consists of API, Auth, UI, DB, Admin Server, Log Collector and Replication Service in front of a Basic Registry (Docker Distribution); Auth integrates with AD / LDAP and the Replication Service talks to a Remote Harbor]

Role Based Access Control

[Figure: a Project has Members and Images. Member roles: Guest, Developer, Admin. Images are namespaced by project, e.g. ${Project}/ubuntu:14.04, ${Project}/nginx:1.8, 1.9, ${Project}/golang:1.6.2, ${Project}/redis:3.0, ... Guests may docker pull; Developers and Admins may docker pull/push]
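A minimal model of the per-project RBAC on the slide above, written as an added example rather than Harbor's own code. It assumes image references of the form `<project>/<repo>:<tag>` as in `${Project}/ubuntu:14.04`, takes the guest / developer / admin split from the slide, and assumes (beyond the slide) that admins also manage project members; denial is the default for non-members.

```python
# Added example: per-project role checks in the style of the Harbor RBAC slide.
# Assumed: image refs look like "<project>/<repo>[:<tag>]"; admins managing
# members is an assumption beyond the slide.
from dataclasses import dataclass, field

# Role -> permitted actions. Anything not listed is denied (least privilege).
ROLE_ACTIONS = {
    "guest": {"pull"},
    "developer": {"pull", "push"},
    "admin": {"pull", "push", "manage_members"},  # member mgmt assumed
}


@dataclass
class Project:
    name: str
    members: dict = field(default_factory=dict)  # username -> role


def parse_image_ref(ref: str) -> tuple[str, str, str]:
    """Split '<project>/<repo>[:<tag>]'; the tag defaults to 'latest'."""
    if ref.count("/") != 1:
        raise ValueError(f"expected '<project>/<repo>[:<tag>]', got {ref!r}")
    project, rest = ref.split("/", 1)
    repo, _, tag = rest.partition(":")
    if not project or not repo:
        raise ValueError(f"empty project or repository in {ref!r}")
    return project, repo, tag or "latest"


def authorize(projects: dict, user: str, action: str, image_ref: str) -> tuple[bool, str]:
    """Return (allowed, reason); the reason is what an audit log would record."""
    project_name, repo, tag = parse_image_ref(image_ref)
    project = projects.get(project_name)
    if project is None:
        return False, f"unknown project {project_name!r}"
    role = project.members.get(user)
    if role is None:  # non-members get nothing, not even pull
        return False, f"{user!r} is not a member of {project_name!r}"
    if action not in ROLE_ACTIONS[role]:
        return False, f"role {role!r} may not {action} {project_name}/{repo}:{tag}"
    return True, f"{user!r} as {role!r} may {action} {project_name}/{repo}:{tag}"


# Constructed sample data: one project with one member in each role.
PROJECTS = {"library": Project("library", {"alice": "admin", "bob": "developer", "carol": "guest"})}
```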

Image Replication between Registry Instances

[Figure: a replication Policy copies the Images of a Project on one Harbor instance to a Project on another: an Initial replication of existing images, followed by Incremental replication (including image deletion)]

Policy of Image Replication (1) – Master Slave
•  Image distribution
•  Load balancing

[Figure: Master – Slave; a Docker Client pushes to the master, which replicates to the slaves]

Policy of Image Replication (2) – Hierarchical

[Figure: Hierarchical; a Docker Client pushes to the top-level instance, which replicates down a tree of instances]

Policy of Image Replication (3) – Master Master
•  Load Balancing
•  Active-Active

[Figure: Master – Master; Docker Clients push to either master, and each master replicates to the other]

Screenshots of Replication GUI

vSphere Integrated Containers – Container Management Portal

[Figure: the same vCenter Server / NSX / vSAN / VCH 1 and VCH 2 architecture with Registry, now with a Container Management Portal in front of the Container Endpoints]

Admiral: Container Management Portal

•  An open source container management portal
•  Part of the VIC product, and it can also be used independently with other solutions
•  Container management available via both API and UI
•  Integration with the vRealize platform is also available – accepting beta nominations!

Provisioning of Container Hosts

•  Mapping to deployment policies
•  Usage of pre-defined resource pools
•  Security credentials storage
•  Custom properties for affinity rules or any extensibility use cases
•  VCH can be added as well

Resource Pools and Policies

•  Resource pools between different teams
•  Deployment policies for the consumption of resource pools
•  Affinity and anti-affinity policies for deployment

Container Provisioning from Templates

•  Different registries can be used with Project Admiral
•  Docker compose import / export support is available
•  Containers can be provisioned from images or templates
•  vSphere Integrated Containers (VIC) provisioning also supported

Auto Discovery of Containers

•  Visibility of ports and last commands
•  Mapping to specific container hosts
•  Both container and application views available

Container Details and Lifecycle Actions

•  Visibility into resources – CPU, memory, network
•  Information about IP address, image used
•  Executed commands on containers with log details

vRealize Integration with Project Admiral

•  Model application using containers as a first-class blueprint object
•  Import from Docker compose as a starting point
•  Mix containers and VMs in the same blueprint
•  Configure networking and security options
•  Configure persistent storage
•  Specify dynamic placement policies

The Best Way To Run Containers On vSphere

Run Containers Natively Alongside Existing Workloads
Provision containers natively on vSphere with fine-grained controls while giving developers the portability, speed and agility they want.

Combine Portability with Security, Visibility and Management
Leverage the core capabilities of vSphere to run containers in production.

Leverage Your Existing Infrastructure, Scale Easily
Avoid costly and time-consuming re-architecture of your infrastructure that results in silos. Scale application deployments instantly.

vSphere Integrated Containers

vSphere Integrated Containers – Enabling the Best of Both Worlds

•  Docker compatible interface
•  Container management portal
•  Enterprise-class Container registry
•  Familiarity of vSphere
•  No new tooling or technologies
•  Full enterprise-grade power of the Software-Defined Data Center

Availability

Available as Open Source Software: http://github.com/vmware/vic-product

vSphere Integrated Containers as part of VMware Cloud Native Solutions: https://www.vmware.com/solutions/cloudnative.html