8.25.2016

Managing and Securing vSphere Integrated Containers

Last updated:
9.16.2020

Containers are here to stay, but instead of being the virtual machine killer some touted them to be, they’re turning out to work in concert with legacy virtualization technologies. Seeing the writing on the wall, last fall VMware introduced Photon OS, a new spinoff of ESX that included management for container technology like Docker.

Now vSphere Integrated Containers (VIC) can be used in your existing vSphere environment, allowing the development advantages of containerization with the rapid provisioning, automation features, and management tools your administrators are already accustomed to.

Here are some key features for managing and securing your vSphere Integrated Containers.


Why Use Docker Containers?

Containers, of which Docker's are the most popular form, are a different take on virtualization in which the host kernel is shared by every container. Each container carries its own filesystem and application. With traditional virtualization, by contrast, each VM runs on top of a shared hypervisor, which sits on the host kernel.

Containers can be moved around easily and are great for software testing and development, since discrepancies in hardware or configuration do not have to be taken into account. Another nice feature for development is that containers are layered: the top layer is the current state, and the layers beneath it are read-only images of previous versions, which can be rebuilt.


Managing VICs with the Virtual Container Host

The Virtual Container Host (VCH) is how administrators can manage their containers within vSphere. Essentially a container runs within a virtual machine, treating that VM as the host hardware for its kernel and containerized application/filesystem. The VCH includes port mapping for client connections as well as an exposed Docker API endpoint for integration.

vSphere resources are managed in much the same manner as you normally would, with the resource pool divided up into VMs as needed for each container. Multiple VCHs can be set up within a single vSphere environment.

The vSphere Web Client is set up with a new wizard that installs the VCH plugin. Alternatively, the command line can be used, by running the create command of the vic-machine command line utility. This utility can create a VCH on a vCenter Server managing a cluster, a vCenter Server managing standalone ESXi hosts, or a standalone ESXi host.

Make sure your environment meets the prerequisites first, though.

The advantage of deploying containers on virtualized hardware and managing them via vSphere is primarily a simplified multi-host deployment process, with compute, storage, and network resources all managed in a single portal. The placement of each container and allocation of resources is handled by vSphere. VICs are well-integrated into vSphere to the point where stopping or deleting a container will also cause its host VM to power down or be deleted.

Additional software-defined tools like NSX allow automated configuration of networking and storage tiers according to set policies, so when you spin up a new container VM, it can be ready to go in an instant. NSX also enables security features by automating security policy enforcement.

“Just Enough VM”

VMware has introduced the concept of “just enough VM” to explain how containers are deployed in a VCH. Generally, each container executes in its own virtual machine; with vSphere 6, users can use Instant Clone to create forked VMs with thin copies, each holding a lightweight Linux kernel – or “just enough VM” for a container to run.

Hosting each container in its own VM does, however, keep the environment more secure, because each container is isolated and covered by the built-in security features of vSphere. Without that isolation, a compromised container (which often has many exposed ports and attack vectors, as it is being used for active development) could lead to a cascading attack across the other containers on the same VM.


VICs make a lot of sense for organizations who are already embedded in a VMware ecosystem, as they allow the use of familiar vSphere management features while still enjoying the agile capabilities of containers.

They aren’t necessarily perfect, however. While VMware downplays the performance impact, running within a hypervisor—even one that is “just enough VM”—still incurs more resource overhead than deploying on raw hardware with a completely shared kernel and Docker library.
