vSphere Integrated Containers Engine Version v0.8.0
Changes from v0.7.0: v0.7.0...v0.8.0
This release will be included with the VIC Product 1.0 release and supported for VMware customers with Enterprise Plus licensing.
Features:
- Security Enhancements and improved Harbor interoperability
- HTTP and HTTPS proxies for fetching images
- custom CA cert bundle for validating registries
- allow for VCH operations user instead of deployment credentials
- vic-admin server supports pass-through authentication using vSphere credentials
- Improved detection of vSphere issues during deployment of the Virtual Container Host (VCH)
Of note:
If a container is started and subsequently attached to, only output generated by the container after the attach completes will be seen - docker logs can be used to obtain the entire output over the life of the container.
If an attach is done prior to start, e.g. run -it or start -ai, we delay launching the container process until the attach has completed as we infer from the operation ordering a desire to receive all output from process launch onward.
Attaching to a containerVM inhibits that VM from vMotioning; detaching removes that inhibition:
- to launch a container without attaching, use start or run -d
- to detach from a TTY enabled container, use Ctrl-P Ctrl-Q
- to detach from a non-TTY enabled container, kill the docker client via a different terminal
- issues still exist with container logs when vMotioning containers
Resolved Issues
- Virtual container host does not work if management interface is not Layer 2 adjacent to vSphere management endpoints. #3081
- Setting a static IP address on the virtual container host without specifying --dns-server defaults to the specified gateway. #3060
- A single image cannot currently contain multiple tags. #1638
- rmi on VSAN fails with error "Cannot delete file" #2384
- Inconsistent license check reporting between vic-machine and vic-admin #2305
- vic-machine does not support secure test registries. #2103
- Allowing and configuring insecure registries is not supported. #1486
Known Issues
- vSphere Integrated Containers Engine 0.8 does not support Docker Client 1.13. #3734
  If you attempt to connect version 1.13 of the Docker Client to a virtual container host, the Docker client stops working. This happens because Docker 1.13 uses Docker Events, which vSphere Integrated Containers Engine 0.8 does not yet support.
  Workaround: Use version 1.12 of the Docker Client to connect to virtual container hosts.
- Version 5.7 of the mysql image does not work with docker compose up. #3857
  If you run docker compose up and the application that you are creating uses version 5.7 of the mysql image, the database does not initialize. The MySQL log contains the error "--initialize specified but the data directory has files in it". This happens because the mysql container creates an anonymous volume. vSphere Integrated Containers Engine creates a new VMDK for this volume, which contains a lost+found directory, whereas mysql requires the volume to be empty.
  Workarounds: Use the mysql:5.6 image, which is not subject to this issue. Alternatively, if you are using mysql:5.7, specify --ignore-db-dir=lost+found in the YML file:

      version: '2'
      services:
        db:
          image: mysql:5.7
          environment:
            MYSQL_ROOT_PASSWORD: root
          command: ["mysqld", "--ignore-db-dir=lost+found"]
          volumes:
            - /var/lib/mysql

- vMotion disconnects file-backed serial ports after a migration. #3243
  While applications continue to function correctly without interruption, container logs lose output after a vMotion.
- Image store is in the wrong directory if the datastore already has a directory with the same name. #3365
  If the datastore already has a directory with the same name as the VCH, and the directory does not have a VM, vic-machine creates the VCH correctly but gives the folder a slightly different name. For example, the folder is "test_1" for a VCH named "test". The kvstore is correctly located in the "test_1" folder, but the image files are still in the "test" directory.
- Deployment with static IP takes a long time. #3436
  If you deploy a VCH with a static IP, the deployment might take longer than expected, resulting in timeouts.
  Workaround: Increase the timeout for the deployment when using static IP.
- Firewall status delayed on vCenter Server. #3139
  If you update the firewall rules on an ESXi host to allow access from specific IP addresses, and if that host is managed by vCenter Server, there might be a delay before vCenter Server takes the updated firewall rule into account. In this case, vCenter Server continues to use the old configuration for an indeterminate amount of time after you have made the update. vic-machine create can successfully deploy a VCH with an address that you have blocked, or else fail when you deploy a VCH with an address that you have permitted.
  Workaround: Wait a few minutes and run vic-machine create again.
- Piping information into busybox fails. #3017
  If you attempt to pipe information into busybox, for example by running echo test | docker run -i busybox cat, the operation fails with the following error:
  Error response from daemon: Server error from portlayer: ContainerWaitHandler(container_id) Error: context deadline exceeded
- Deleting a VCH from an ESXi host does not remove the bridge network if it was created with a custom name. #3193
  If you deploy a VCH to an ESXi host and use the --bridge-network option to create a bridge network with a custom name, vic-machine delete does not remove the bridge network if you delete the VCH.
  Workaround: Manually delete the bridge network from the ESXi host.
- Running docker ps -aq reports containers that have been removed. #3196
  Listing containers by running docker ps -aq can include containers that have been removed. Attempting to perform an operation on a container that was included in the output of docker ps -aq, for example docker rm -f, results in the error "Error response from daemon: No such container".
  Workaround: Run docker rm -f again.
- VCH Admin shows network failure when virtual container host uses a proxy. #3213
  If a virtual container host is configured to use a proxy, the VCH Admin status page shows a network failure even if connectivity through the proxy is working.
- vic-machine delete does not recognize virtual container hosts that were not fully created. #2981
  vic-machine delete fails when you run it on a virtual container host that was not fully created.
  Workaround: Manually delete any components of a partial installation, for example, the virtual container host vApp, the endpoint VM, and datastore folders.
- Incorrect gateway example in --container-network-gateway help. #1741
  The help text for vic-machine's option --container-network-gateway value, --cng incorrectly gives the example of a network range instead of the actual gateway address. A more accurate example is vsphere-net:172.16.1.1/16. In addition, please note that we will be removing the CIDR specification from the gateway configuration in a future release.
- Container fails to shut down with "Error response from daemon: server error from portlayer : [DELETE /containers/{id}][500] containerRemoveInternalServerError". #1823
  Workaround: Developers: run docker create again. Administrators: Un-register and re-register the VM in the vSphere UI.
- Mounting directories as a data volume using the -v option is not supported. #2303
- When you pull a large image from Harbor into a virtual container host, you get an error that the /tmp partition reached capacity. #2595
  docker: Failed to fetch image blob: weblogic/test_domain/sha256:3bf21a5a3fdf6586732efc8c64581ae1b4c75e342b210c1b6f799a64bffd7924 returned download failed: write /tmp/3bf21a5a3fdf346188145: no space left on device.
  Workaround: Deploy the virtual container host with --appliance-memory=4096, which increases the appliance memory configuration.
- Installing the virtual container host using a short hostname fails. #2582
  Workaround:
  - The IP address that you provide to vic-machine create target must be reachable on the management network.
  - If you use a DNS name instead of an IP address, the virtual container host endpoint VM must be able to resolve the name using the DNS server that is configured either by DHCP or by the vic-machine create --dns-server option. There is no default search domain, so use the FQDN.
- Pulling all tagged images in a repository is not supported. #2724
  vSphere Integrated Containers only attempts to pull the latest tagged images.
- Misleading error message appears when you run out of memory on ESXi. #2840
- vSphere Integrated Containers fails to delete the vApp that remains after a virtual container host creation fails. #2853
- The docker personality is currently tied to API 1.23, which corresponds to CLI 1.11. #2368
- Virtual Container Host is unresponsive in a cluster with DRS and HA enabled. #2298
  DRS and HA are not supported in this release.
- Container VM fails to start on VIC backed by a VVOL datastore. #2242
  VVOL datastores are not supported in this release.
- Attaching the same container from multiple terminals causes problems. #2214
- vic-machine create prompts you for a password without allowing time to enter it and the VCH deployment fails with an incorrect username and password error. #2152
- --net=none is not supported. #2108
- VCH restarts if required process cannot be restarted. #2099
  The system attempts to restart a finite number of times, then reports an error, leaving the VCH up and running to download logs. Instead, VCH immediately reboots.
- vic-machine incorrectly assumes conf.ImageStores[0] is the appliance datastore. #1884
- When some of the hosts in the cluster are not attached to the dVS and do not have access to the bridge network, the error message is not easily readable. #1647
- Image manifest validation for pulled images is not supported. #1331
- Setting up overlay networks is not supported. #1222
  Error response from daemon: scope type not supported
- vic-machine can connect to the target but the VCH appliance cannot. #1160
  The VCH cannot get an IP address on the management network or does not have a route to the specified target.
- Adding folder options to vic-machine is not yet implemented. #773
- Adding mapped vSphere networks to running containers is not yet implemented. #745
- Adding bridge networks to running containers is not yet implemented. #743
- Mapping an existing vSphere level network into the Docker network to explicitly provide a container with a route not through the VCH appliance is not yet implemented. #441
- volume ls ignores filters. #1718
- docker run busybox behaves incorrectly. #1687
  The container configuration between vSphere Integrated Containers Engine and Docker containers is different in that vSphere Integrated Containers Engine attempts to attach to a container and Docker exits immediately.
- docker ps -n shows stopped containers that have been created, but not started, for the state of the container. #1545
- Incorrect image digest format sent to Docker client. #1484
  docker images --digests is not supported.
  Workaround: Pull images by tag instead.
- docker pull results in an "already exists" error. #1409
  If a context deadline exceeded error occurs on the port layer while performing an image pull, it causes an inconsistent state for the image. Pulls can also take a very long time with a slow network connection.
- vic-machine create validation fails if a dvSwitch exists on an ESXi target. #729
- Root user support. #1279
  vSphere Integrated Containers Engine does not support root users inside containers.
- The log server does not require authentication and might expose sensitive system information.
  Debug logging is enabled in this release. This can potentially expose the path and identity of system resources over HTTP via the vicadmin portal. Plain-text passwords are not exposed.
- Using anonymous volumes
  To use anonymous volumes with docker create -V, you must specify a default volume store when you run vic-machine create to create the virtual container host. For example, ./vic-machine create <...> --volume-store default:datastore1/anonymousVolumes
Download Binaries
https://storage.googleapis.com/vic-engine-releases/vic_0.8.0.tar.gz
Installation
For instructions about how to deploy a vSphere Integrated Containers Engine v0.8.0 virtual container host, see vSphere Integrated Containers Engine Installation HTML | PDF | Source.
Using vSphere Integrated Containers Engine
For more details on using vSphere Integrated Containers Engine v0.8.0, see the general usage doc on GitHub, or the current drafts of the end user documentation on https://vmware.github.io/vic-product/:
- vSphere Integrated Containers Engine Installation HTML | PDF | Source.
- vSphere Integrated Containers Engine for vSphere Administrators HTML | PDF | Source
- Developing Container Applications with vSphere Integrated Containers Engine HTML | PDF | Source
Open Source Components
The copyright statements and licenses applicable to the open source software components distributed in vSphere Integrated Containers Engine are available in the LICENSE file.