Advanced vSphere Integrated Containers Deployment

Most examples of Virtual Container Hosts deployments are quite minimal. However, what if we need to do more complicated deployments?

As an example, in this post I will deploy 3 Virtual Container Hosts (VCHs): one for Admin type containers, one for Web and one for App. The merits of splitting it out this way are very debatable, but it makes for a good example.
In reality, production environments will need strong authentication to prevent unauthorised access to Container Hosts, so I will deploy with TLS verify enabled.
In production deployments, or any larger scale deployment for that matter, having individual sets of keys per Container Host can be quite a burden. As an alternative, I will use one set of keys for all 3 Container Hosts.

The first step is to deploy any container host, as I have already done in this post. The purpose of this is to get the key folder that is generated. However, instead of a fully qualified cname, use the wildcard name of *.domain. An example is below, where --tls-cname is changed to *.home.lab.

$password = Read-Host 'What is your Password?'

c:\vic\vic-machine-windows.exe create `
--target "https://dartagnan.home.lab/home.lab" `
--user "eamonn@home.lab" `
--password $password `
--no-tlsverify `
--tls-cname "*.home.lab" `
--organization "Home Lab" `
--name "VCH01" `
--image-store "vsanDatastore" `
--bridge-network "VCH01-Bridge" `
--public-network "Management" `
--public-network-ip "192.168.0.27/24" `
--public-network-gateway "192.168.0.1" `
--dns-server "192.168.0.20" `
--dns-server "8.8.8.8" `
--timeout 60m `
--registry-ca="c:\vic\ca.crt" `
--thumbprint="00:6C:D2:B1:A2:0E:53:BD:26:91:DA:08:7F:ED:91:3C:1E:E5:2A:23"

Running the command creates a folder in the current directory, the one the command is executed from.
In my case, I took that folder (VCH01 in the example above) and renamed it to home_lab. There is also a .env file, a text file with the environment variables for Docker, which also carries the VCH's name. I renamed that as well, to home_lab.env.

I deleted that VCH as I no longer needed it. For details on how to correctly delete a VCH see this post.

Once I had that in place, I prepared the script below. There are 2 functions contained in this script. The first ‘which-vch’ is just a function to determine which VCH is being deployed and choose the correct IP. It then calls ‘deploy-vch’.
This function contains a more involved vic-machine create statement. In this case I am pointing it to the server cert from the folder I just renamed using the --cert parameter. I also point it to the server key using the --key parameter. Lastly, I use the --tls-ca parameter to point to the CA certificate from the same folder.

I have also added a PowerCLI command that first tests whether the correct bridge network exists and, if not, creates it. Remember, every VCH needs its own bridge network.

Finally at the bottom I have a command that will iterate through the 3 VCHs that I want to create and call these functions.

function which-vch ([string]$vchname) {
    Switch ($vchname)
        {
        "WEBVCH01" {$ipaddress = "192.168.0.41/24"
                    deploy-vch -vchname $vchname -ipaddress $ipaddress
                    }
        "APPVCH01" {$ipaddress = "192.168.0.42/24"
                    deploy-vch -vchname $vchname -ipaddress $ipaddress
                    }
        "ADMVCH01" {$ipaddress = "192.168.0.43/24"
                    deploy-vch -vchname $vchname -ipaddress $ipaddress
                    }
        }
}

function deploy-vch ([string]$vchname, [string]$ipaddress) {

$bridgenet = $vchname.ToLower()+"-bridge"
$tlscname = "*.home.lab"

    if (!(Get-VDPortgroup -Name $bridgenet)) {New-VDPortgroup -Name $bridgenet -VDSwitch LabDistSwitch}

    d:\bin\vic\vic-machine-windows.exe create `
    --target "https://dartagnan.home.lab/home.lab" `
    --user "eamonn@home.lab" `
    --password $password `
    --tls-cname $tlscname `
    --cert "d:\bin\vic\home_lab\server-cert.pem" `
    --key "d:\bin\vic\home_lab\server-key.pem" `
    --tls-ca "d:\bin\vic\home_lab\ca.pem" `
    --name $vchname `
    --image-store "vsanDatastore" `
    --bridge-network $bridgenet `
    --public-network "Management" `
    --public-network-ip $ipaddress `
    --public-network-gateway "192.168.0.1" `
    --dns-server "192.168.0.20" `
    --dns-server "8.8.8.8" `
    --timeout 60m `
    --registry-ca="d:\bin\vic\ca.crt" `
    --thumbprint="00:6C:D2:B1:A2:0E:53:BD:26:91:DA:08:7F:ED:91:3C:1E:E5:2A:23"

}

connect-viserver "dartagnan.home.lab"

$password = Read-Host "What is your Password?"

Foreach ($vchname in "WEBVCH01","APPVCH01","ADMVCH01") {which-vch -vchname $vchname}

That should iterate through the 3 new VCHs and deploy them. PowerShell will throw an error when it tests if the bridge network exists and it does not. That's expected. It's not the most graceful output, but it's how PowerShell does it.

If we check on vCenter we can see our 3 container hosts.

 

At this stage I created 3 new environment variables. These are contained in the previously mentioned .env file which is just a text file. If you open it in a text editor you should see something like the following:

DOCKER_TLS_VERIFY=1
DOCKER_CERT_PATH=D:\Bin\vic\VCH01
DOCKER_HOST=vch01.home.lab:2376

As I have multiple container hosts that I wish to use, I am only interested in the first 2. You can create environment variables in Windows by right-clicking on My Computer, clicking on Properties, then Advanced System Settings. Click on Environment Variables and you can add New System Variables. I added the following:

(Screenshots: Docker cert path; Docker TLS verify)

This saves me having to type the path to the client keys every time I use the docker command like below:

(Screenshot: full command with key paths)

Going back to the cert folder I previously mentioned: it's worth noting that it contains both server and client certs. It's wise not to share the server certs, which are server-cert.pem and server-key.pem. These should be kept securely, while the client keys, cert.pem and key.pem, can be used to connect to docker.
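Because the same server key now backs all 3 VCHs, it helps to keep it out of the folder that docker users read. The snippet below is an added example, not part of the original script; the home_lab-client folder name is an assumption, and it relies only on the file names mentioned above plus the standard Windows icacls tool.

```powershell
# Added example. $certDir is the renamed key folder from the post;
# $clientDir is a hypothetical folder that will hold the client-only bundle.
$certDir   = 'D:\bin\vic\home_lab'
$clientDir = 'D:\bin\vic\home_lab-client'

# The docker client only needs the CA certificate and the client cert/key pair.
New-Item -ItemType Directory -Path $clientDir -Force | Out-Null
foreach ($file in 'ca.pem', 'cert.pem', 'key.pem') {
    Copy-Item -Path (Join-Path $certDir $file) -Destination $clientDir -Force
}

# Restrict server-key.pem (and any other *-key.pem left in the folder) to the
# account running this script, i.e. the account that runs vic-machine.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
foreach ($key in Get-ChildItem -Path $certDir -Filter '*-key.pem') {
    # /inheritance:r drops ACEs inherited from the parent folder;
    # /grant:r replaces this account's explicit ACE with Full control.
    icacls $key.FullName /inheritance:r /grant:r "${me}:F" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "icacls failed for $($key.FullName)" }
}

# List the resulting ACLs for review. Explicit ACEs added by hand for other
# accounts are not removed by the commands above and will show up here.
Get-ChildItem -Path $certDir -Filter '*-key.pem' | ForEach-Object {
    Get-Acl -Path $_.FullName | Select-Object Path, Owner, AccessToString
} | Format-List
```

DOCKER_CERT_PATH can then point at the client folder, so day-to-day docker use never touches the server key.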

Once the environment variables have been set you should restart the command prompt (or PowerShell) to make sure these have been picked up. We should now be able to enter the command docker -H WEBVCH01.home.lab:2376 info without the keys being specified, like below:

(Screenshot: shorter command)
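To confirm that the one set of keys really works against all 3 hosts, the check can be scripted. This is an added example, not from the original post; it assumes the VCH names resolve in DNS under home.lab and that docker is on the PATH, and it sets the two variables for the current session only.

```powershell
# Added example. Paths, VCH names and port 2376 are taken from the post.
$certDir = 'D:\bin\vic\home_lab'
$domain  = 'home.lab'
$vchs    = 'WEBVCH01', 'APPVCH01', 'ADMVCH01'

# Session-scoped equivalents of the two system variables described above.
$env:DOCKER_TLS_VERIFY = '1'
$env:DOCKER_CERT_PATH  = $certDir

# Inspect the shared server certificate: one expiry date now covers every VCH.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList (Join-Path $certDir 'server-cert.pem')
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
"Server cert subject : $($cert.Subject)"
"Server cert expires : $($cert.NotAfter) ($daysLeft days left)"

$results = foreach ($vch in $vchs) {
    # Connect by name, not by IP: the certificate was issued for *.home.lab,
    # so the docker client will only accept it for a host name in that domain.
    $endpoint = '{0}.{1}:2376' -f $vch.ToLower(), $domain
    docker -H $endpoint info *> $null
    [pscustomobject]@{
        VCH      = $vch
        Endpoint = $endpoint
        # Exit code 0 means the TLS handshake (server verified against ca.pem,
        # client cert accepted by the VCH) and the API call both succeeded.
        Ok       = ($LASTEXITCODE -eq 0)
    }
}
$results | Format-Table -AutoSize
```

Any row with Ok = False is worth re-running without the redirection to see whether the failure is name resolution, certificate validation or the VCH itself.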
