vSphere Integrated Containers (VIC) combines the agility and application portability of Docker Linux containers with the industry-leading virtual infrastructure platform, offering hardware isolation advantages along with improved manageability. VIC consists of several different components for managing, executing, and monitoring containers. This post delves deeper into key elements of VIC; for more information, please also see the introductory video accompanying this post.
Virtual Container Host
The Virtual Container Host (VCH) is the means of controlling, as well as consuming, container services – a Docker API endpoint is exposed for developers to access, and desired ports for client connections are mapped to running containers as required. Each VCH is backed by a vSphere resource pool, delivering compute resources far beyond that of a single VM or even a dedicated physical host. Multiple VCHs can be deployed in an environment, depending on business requirements, for example to separate resources for development, testing, and production.
Each VCH also maintains a cache of container images, which are downloaded from either the public Docker Hub or a private registry. The filesystem layers inherent in container images are preserved by mapping each layer to a discrete VMDK file – all of which are housed in vSphere datastores on VSAN, NFS, or local disks.
vSphere Web Client Plugin
Administrators interact with VIC through the vSphere Web Client, gaining the ability to manage and monitor VIC by means of a plug-in. A wizard is available that enables creation of Virtual Container Hosts (shown below), and container-specific insight is offered in several areas of the Web Client.
Instant Clone Template and Just Enough VM
The architecture of VIC calls for each individual container to be executed in a separate virtual machine – this provides hardware isolation for robust resource management and security. Launching a full virtual machine to run a single microservice may at first seem like a heavy-handed approach – despite the fact that customers are admittedly doing this today. Fortunately, the new Instant Clone technology introduced in vSphere 6 provides an appealing alternative: a single running base VM can be very quickly and efficiently forked for use with containers. This technique provides a thin copy and avoids duplication of memory for common elements while still preventing containers from inadvertently communicating with their neighbors.
Linux containers require a Linux kernel for execution, and in the case of VIC this kernel is derived from another VMware initiative – Project Photon. However, it is important to note that only the kernel and a few supporting resources are used, not the full, albeit tiny, Photon OS. There are no binaries for administration and package management, no init system, not even any Docker components present in the individual containers running under VIC – only the VCH itself uses Docker technology.
The combination of a forked virtual machine with a bare-bones Linux kernel yields “just enough VM” to run a container.
Consistent User Experience
Whether using a native Docker command-line client or the graphical Web Client plug-in, the same information is available about containers running under VIC. Administrators gain insight into container resource utilization, port mapping, and base image information that help to more effectively manage the overall infrastructure. On top of that, VIC facilitates more contextual communication between administrators, developers, and application owners when the time comes to troubleshoot or audit applications.
In addition to this visual information, VIC also maps various container actions to relevant vSphere commands. For instance, stopping or removing a container will power off or delete the related VM, respectively.
vSphere Integrated Containers is the on-ramp to cloud-native applications for environments that have standardized on the industry-leading vSphere virtual infrastructure.
vSphere Integrated Containers is currently in Technology Preview. Please contact your VMware account team for more information, or to learn about potential opportunities to participate in private betas.