Table of Contents - VMware · Lab Guidance DevOps, Containers, Docker, Mesos, Kubernetes,...

Table of Contents

Lab Overview - HOL-SDC-1630 - Cloud Native Apps .......... 2
    Lab Guidance .......... 3
Module 1 - Introduction to Microservices .......... 5
    What's this 3rd Platform Thing? .......... 6
    Introduction to Containers .......... 19
    Introduction to Kubernetes .......... 25
Module 2 - Introducing Cloud-Native Apps .......... 27
    Introduction - Photon OS and Lightwave with AppCatalyst .......... 28
    Installation - Photon OS and Lightwave with AppCatalyst .......... 33
    Working with Lightwave .......... 34
Module 3 - Getting started with Cloud-Native Apps .......... 45
    From Zero to Docker in 90 seconds! .......... 46
    Working with Photon OS .......... 47
    Working with Docker .......... 53
Module 4 - vSphere Integrated Containers .......... 64
    Module Overview .......... 65
    Deploying vSphere Integrated Containers .......... 66
    vSphere Integrated Containers Introduction .......... 67
    vSphere Integrated Containers Management Appliance .......... 72
    Managing vSphere Integrated Containers .......... 89
Module 5 - Managing and Monitoring Containers .......... 95
    vRealize Operations - Monitoring Containers .......... 96
    vRealize Log Insight - Monitoring Containers .......... 110

HOL-SDC-1630 Page 1


Lab Overview - HOL-SDC-1630 - Cloud Native Apps


Lab Guidance

DevOps, Containers, Docker, Mesos, Kubernetes, microservices, 12-factor applications, 3rd platform, oh my! Modern application architecture and lifecycle is changing fast and that means even more demands on IT. While some have argued that this new application approach calls for a whole new infrastructure, you will learn how to address these new business-driven demands head on, leveraging your existing investment while still delivering the highest SLAs – performance, availability, security, compliance, and disaster recovery. You will discover how the emerging 3rd Platform Application stack not only fits into your existing SDDC infrastructure investments but is actually the best place to run containers and emerging 3rd platform applications.

    Lab Module List:

• Module 1 - Introduction to Microservices (30 minutes)
• Module 2 - Introduction to Cloud-Native Apps (15 minutes)
• Module 3 - Getting started with Cloud-Native Apps (30 minutes)
• Module 4 - vSphere Integrated Containers (30 minutes)
• Module 5 - Managing and Monitoring Containers (45 minutes)

    Lab Captains: Randy Carson, Pontus Rydin and Michael West

    This lab manual can be downloaded from the Hands-on Labs Document site found here:

    http://docs.hol.pub/catalog/

This lab may be available in other languages. To set your language preference and have a localized manual deployed with your lab, you may utilize this document to help guide you through the process: http://docs.hol.vmware.com/announcements/nee-default-language.pdf

    Activation Prompt or Watermark

When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated. One of the major benefits of virtualization is that virtual machines can be moved and run on any platform. The Hands-on Labs utilizes this benefit and we are able to run the labs out of multiple datacenters. However, these datacenters may not have identical processors, which triggers a Microsoft activation check through the Internet. Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements. The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation. Without full access to the Internet, this automated process fails and you see this watermark. This cosmetic issue has no effect on your lab. If you have any questions or concerns, please feel free to use the support made available to you either at VMworld in the Hands-on Labs area, in your Expert-led Workshop, or online via the survey comments as we are always looking for ways to improve your hands-on lab experience.


Module 1 - Introduction to Microservices


What's this 3rd Platform Thing?

WARNING - this section is all reading! There are no lab components! If you want to get right to the keyboard, you can skip this Module, but you'll miss some glorious and fascinating sentences. Everyone good? Okay, let's go!

3rd Platform! Microservices! What the heck are they? Put simply, the 3rd platform is a new paradigm for architecting applications to operate in a distributed fashion. While the 1st platform was designed around mainframes and the 2nd platform was designed around client-server, the 3rd platform is designed around the cloud. In other words, applications are designed and built to live in the cloud. We can effectively think of this as pushing many of the core infrastructure concepts (like availability and scale) into the architecture of the application itself, with containers being a large part of this; they can be thought of as lightweight runtimes for these applications. With proper application architecture and a rock solid foundation either on-premise or in the cloud, applications can scale on demand, new versions can be pushed quickly, components can be rebuilt and replaced easily, as well as many other benefits discussed below.

Does this mean you should immediately move all of your applications to this model? Not so fast! While 3rd Platform architectures are exciting and extremely useful, they will not be the answer for everyone. A thorough understanding of the benefits and, more importantly, the complexities of this new world is extraordinarily important. VMware's Cloud-Native Apps group is dedicated to ensuring our customers are well informed in this space and can adopt this technology confidently and securely when the time is right.


Application Development and Delivery

If we look at the Outcomes Delivered from a new model of IT, businesses are increasing their focus on App and Infrastructure Delivery Automation throughout the datacenter.

App and Infrastructure Delivery Automation

IT is making strides to provide the ability to enable faster delivery of application and IT services, leveraging capabilities derived from automated infrastructure and application provisioning.


New Business Imperative

Competitive businesses are delivering new applications to market in increasingly faster cycles, ushering in technologies like Linux containers and microservices. Next-generation applications are being built on infrastructure assumed to be dynamic and elastic. To keep our customers agile, our Cloud-Native Apps group builds infrastructure technologies to open, common standards that preserve security, performance, and ease-of-use, from developer desktop to the production stack.


Moving Faster Requires Design and Culture Changes

To move faster, businesses implement a variety of cultural, design, and engineering changes. At VMware, we are striving to make the Developer a first class citizen of the Data Center and help align them with IT's journey to achieve streamlined App and Infrastructure Delivery Automation.


History of Platforms

1st Platform systems were based around mainframes and traditional servers without virtualization. Consolidation was a serious issue and it was normal to run one application per physical server.

2nd Platform architectures have been the standard mode for quite a while. This is the traditional Client/Server/Database model with which you are likely very familiar, leveraging the virtualization of x86 hardware to increase consolidation ratios, add high availability and extremely flexible and powerful management of workloads.

3rd Platform moves up the stack, standardizing on Linux Operating Systems primarily, which allows developers to focus on the application exclusively. Portability, scalability and highly dynamic environments are valued highly in this space. We will focus on this for the rest of the module.

3rd Platform - Microservice Architecture

Microservices are growing in popularity, due in no small part to companies like Netflix and Paypal that have embraced this relatively new model. When we consider microservices, we need to understand both the benefits and the limitations inherent in the model, as well as ensure we fully understand the business drivers.

At its heart, microservice architecture is about doing one thing and doing it well. Each microservice has one job. This is clearly in stark contrast to the monolithic applications many of us are used to; using microservices, we can update components of the application quickly without forcing a full recompile of the entire application. But it is not a "free ride" - this model poses new challenges to application developers and operations teams as many assumptions no longer hold true.


The recent rise of containerization has directly contributed to the uptake of microservices, as it is now very easy to quickly spin up a new, lightweight run-time environment for the application.

The ability to provide single-purpose components with clean APIs between them is an essential design requirement for microservices architecture. At their core, microservices have two main characteristics: they are stateless and distributed. To achieve this, let's take a closer look at the Twelve-Factor App methodology in more detail to help explain microservices architecture as a whole.

The Twelve-Factor App

To allow the developer maximum flexibility in their choice of programming languages and back-end services, Software-as-a-Service web applications should be designed with the following characteristics:

• Use of a declarative format to attempt to minimize or eliminate side effects by describing what the program should accomplish, rather than describing how to go about it. At a high level it's the variance between a section of code and a configuration file.

• Clean contract with the underlying operating system, which enables portability to run and execute on any infrastructure. APIs are commonly used to achieve this functionality.

• Ability to be deployed into modern cloud platforms, removing the dependencies on underlying hardware and platform.

• Keep development, staging, and production as similar as possible. Minimize the deviation between these environments for continuous development.


• Ability to scale up (and down) as the application requires without needing to change the tool sets, architecture or development practices.

At a high level, the 12 Factors that are used to achieve these characteristics are:

1. Codebase - One codebase tracked in revision control, many deploys
2. Dependencies - Explicitly declare and isolate dependencies
3. Config - Store config in the environment
4. Backing Services - Treat backing services as attached resources
5. Build, release, run - Strictly separate build and run stages
6. Process - Execute the app as one or more stateless processes
7. Port Binding - Export services via port binding
8. Concurrency - Scale out via the process model
9. Disposability - Maximize robustness with fast startup and graceful shutdown
10. Dev/Prod Parity - Keep development, staging, and production as similar as possible
11. Logs - Treat logs as event streams
12. Admin Process - Run admin/management tasks as one-off processes

    For additional detailed information on these factors, check out 12factor.net.


Benefits of Microservices

Microservice architecture has benefits and challenges. If the development and operating models in the company do not change, or only partially change, things could get muddled very quickly. Decomposing an existing app into hundreds of independent services requires some choreography and a well thought-out plan. So why are teams considering this move? Because there are considerable benefits!


Resilience

With a properly architected microservice-based application, the individual services will function similarly to a bulkhead in a ship. Individual components can fail, but this does not mean the ship will sink. The following tenet is held closely by many development teams - "Fail fast, fail often." The quicker a team is able to identify a malfunctioning module, the faster they can repair it and return to full operation.

Consider an online music player application - as a user, I might only care about playing artists in my library. The loss of the search functionality may not bother me at all. In the event that the Search service goes down, it would be nice if the rest of the application stays functional. The dev team is then able to fix the misbehaving feature independently of the rest of the application.

Defining "Service Boundaries" is important when architecting a microservice-based application!


Scaling

If a particular service is causing latency in your application, it's trivial to scale up instances of that specific service if the application is designed to take full advantage of microservices. This is a huge improvement over monolithic applications.

Similar to the Resilience topic, with a monolithic application, one poorly-performing component can slow down the entire application. With microservices, it is almost trivial to scale up the service that is causing the latency. Once again, this scalability must be built into the application's DNA to function properly.


Deployment

Once again, microservices allow components to be upgraded and even changed out for entirely new, heterogeneous pieces of technology without bringing down the entire application. Netflix pushes updates constantly to production code in exactly this manner.

Misbehaving code can be isolated and rolled back immediately. Upgrades can be pushed out, tested, and either rolled back or pushed out further if they have been successful.


Organizational

"Organizations which design systems ... are constrained to produce designs which are copies of the communication structures of these organizations" --Melvin Conway

The underlying premise here is that the application should align to the business drivers, not to the fragmentation of the teams. Microservices allow for the creation of right-sized, more flexible teams that can more easily align to the business drivers behind the application. Hence, ideas like the "two pizza rule" in which teams should be limited to the number of people that can finish two pizzas in a sitting (conventional wisdom says this is eight or less...though my personal research has proved two pizzas do not feed more than four people.)

No Silver Bullet!

Microservices can be accompanied by additional operations overhead compared to the monolithic application provisioned to an application server cluster. When each service is separately built out, they could each potentially require clustering for failover and high availability. When you add in load balancing, logging and messaging layers between these services, the real estate starts to become sizable even in comparison to a large off-the-shelf application. Microservices also require a considerable amount of DevOps and Release Automation skills. The responsibility of ownership of the application does not end when the code is released into production; the developer of the application essentially owns the application until it is retired. The natural evolution of the code and the collaborative style in which it is developed can lend itself to challenges when making a major change to the components of the application. This can be partially solved with backwards compatibility, but it is not the panacea that some in the industry may claim.

Microservices can only be utilized in certain use cases, and even then, microservices open up a world of new possibilities that come with new challenges and operational hurdles. How do we handle stateful services? What about orchestration? What is the best way to store data in this model? How do we guarantee a data persistence model? Precisely how do I scale an application properly? What about "simple" things like DNS and content management? Some of these questions do not have definitive solutions yet. A distributed system can also introduce a new level of complexity in areas that may not previously have been such a large concern, like network latency, fault tolerance, versioning, and unpredictable loads in the application. The operational cost of application developers needing to consider these potential issues in new scenarios can be high and should be expected throughout the development process.

When considering the adoption of microservices, ensure that the use case is sound, the team is aware of the potential challenges and, above all, the benefits of this model outweigh the cost.

Recommended reading: If you would like to learn more about the operational and feasibility considerations of microservices, look up Benjamin Wootton and read some of his publications on the topic, specifically 'Microservices - Not A Free Lunch!'.


Introduction to Containers

In this Chapter, we will explain containers and how they enable 3rd Platform application architectures to be run efficiently in distributed environments.

Brief History of Containers

While containers are certainly a very popular topic right now, containers themselves are not new. They have existed for many years. FreeBSD, Solaris Zones, LXC...there are many incarnations of containerization technology.

You may ask - then why is Docker so popular? For a few good reasons, but mainly because Docker created a very easy to use framework for deploying and sharing containers on standard Linux builds.

There are still many challenges to address in this space, however! Security, isolation and data persistence are areas that are arguably not ready for the Enterprise just yet. We will discuss this more throughout the lab.

What are Containers?

Containers are an OS-level virtualization method in which the kernel of an operating system allows for multiple isolated user-space instances, instead of just one. The primary benefits of using containers include limited overhead, increased flexibility and efficient use of storage; the container looks like a regular OS instance from the user's perspective. Changes to the image can be made very quickly and pushed to a repository to share with others for further development and utilization.


What is Docker?

Docker containers wrap up a piece of software in a complete filesystem that contains everything it needs to run: code, runtime, system tools, system libraries – anything you can install on a server. This guarantees that it will always run the same, regardless of the environment it is running in.

Containers running on a single machine all share the same operating system kernel so they start instantly and make more efficient use of RAM. Images are constructed from layered filesystems so they can share common files, making disk usage and image downloads much more efficient. Docker containers are based on open standards allowing containers to run on all major Linux distributions and Microsoft operating systems.

Containers include the application and all of its dependencies, but share the kernel with other containers. They run as an isolated process in userspace on the host operating system.

Docker is a natural fit for microservice-based architectures.


How do Containers and Virtual Machines Differ?

A container is intended to run a single application. Containers are typically very specific, intended to run MySQL, Nginx, Redis, or some other application. So what happens if you need to run two distinct applications or services in a containerized environment? The recommendation is usually to use two separate containers. The low overhead and quick start-up times make running multiple containers trivial, thus they are typically scoped to a single application.

A VM, on the other hand, has a broader range, and can run almost any operating system. As you are likely aware, the VM serves as an extremely firm boundary between OS instances that's enforced by a robust hypervisor, and connects to Enterprise-level storage, network and compute systems in a trusted, well-defined and secure manner. VMs have traditionally lent themselves to running 2nd Platform (Web - App - Database) applications that comprise 99% of the application space today.


Virtual machines and containers: better together

Containers provide great application portability, enabling the consistent provisioning of the application across infrastructures. However, applications and data alone are rarely the major barrier to workload mobility. Instead, operational requirements such as performance and capacity management, security, and various management tool integrations can make redeploying workloads to new environments a significant challenge. So while containers help with portability, they're again only a piece of a bigger puzzle.

Due to the fundamental differences in architecture (namely the ESXi hypervisor used by VMs versus the shared kernel space leveraged by containers), Linux containers will not achieve the same level of isolation and security. Furthermore, the toolsets available in the VM ecosystem are battle-tested and Enterprise-grade, enabling scores of benefits (stability, compliance, integrated operations, etc) that are indispensable to operations and infrastructure teams.

For these reasons, VMware provides the best of both worlds by offering an optimized OS built for containers to run with minimal overhead. By dedicating an extremely lightweight OS to run containerized workloads, we don't have to choose one or the other - we can have both! By taking advantage of memory sharing, a core feature of the ESXi hypervisor, we drastically reduce the OS overhead while enabling the application flexibility promised by containers.

In Module 6, we will look at some of our newer solutions, including Bonneville, which seamlessly integrates containers and VMs into a single fluid and dynamic deployment operation! This will surely be one of the most exciting announcements at VMworld, so please make sure to look over that Module!


Introduction to Kubernetes

In this Chapter, we take a quick look at Kubernetes and how it fits into the world of containers.

What is Kubernetes?

Kubernetes is an open source system for managing containerized applications across multiple hosts, providing basic mechanisms for deployment, maintenance, and scaling of applications. Its APIs are intended to serve as the foundation for an open ecosystem of tools, automation systems, and higher-level API layers.

Kubernetes, at its basic level, is a system for managing containerized applications across a cluster of nodes. In many ways, Kubernetes was designed to address the disconnect between the way that modern, clustered infrastructure is designed, and some of the assumptions that most applications and services have about their environments.

Most clustering technologies strive to provide a uniform platform for application deployment. The user should not have to care much about where work is scheduled. The unit of work presented to the user is at the "service" level and can be accomplished by any of the member nodes.

However, in many cases, it does matter what the underlying infrastructure looks like. When scaling an app out, an administrator cares that the various instances of a service are not all being assigned to the same host.

On the other side of things, many distributed applications built with scaling in mind are actually made up of smaller component services. These services must be scheduled on the same host as related components if they are going to be configured in a trivial way. This becomes even more important when they rely on specific networking conditions in order to communicate appropriately.

While it is possible with most clustering software to make these types of scheduling decisions, operating at the level of individual services is not ideal. Applications comprised of different services should still be managed as a single application in most cases. Kubernetes provides a layer over the infrastructure to allow for this type of management.

Master Server:

The controlling unit in a Kubernetes cluster is called the master server. It serves as the main management contact point for administrators, and it also provides many cluster-wide systems for the relatively dumb worker nodes.


The master server runs a number of unique services that are used to manage the cluster's workload and direct communications across the system.

Minion Server:

In Kubernetes, servers that perform work are known as minions. Minion servers have a few requirements that are necessary to communicate with the master, configure the networking for containers, and run the actual workloads assigned to them.

Kubernetes Work Units:

While containers are used to deploy applications, the workloads that define each type of work are specific to Kubernetes:

Services:

We have been using the term service throughout this guide in a very loose fashion, but Kubernetes actually has a very specific definition for the word when describing work units. A service, when described this way, is a unit that acts as a basic load balancer and ambassador for other containers.

Labels:

A Kubernetes organizational concept outside of the work-based units is labeling. A label is basically an arbitrary tag that can be placed on the above work units to mark them as a part of a group. These can then be selected for management purposes and action targeting.

Source: (Digitalocean.com, 'An Introduction To Kubernetes | Digitalocean'. N.p., 2015. Web. 4 Aug. 2015)
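As an added illustration (not part of the lab manual or its Digitalocean source), the manifest below expresses the concepts above in current Kubernetes API terms: a Deployment whose pods carry labels, a Service that load-balances across the pods those labels select, a readiness probe so a failing instance is dropped from the Service without affecting the rest of the application (the Search-service scenario from the Resilience section), and a pod anti-affinity rule so replicas are not all scheduled on the same host. The names, image reference and ports are assumed, and apps/v1 Deployments and pod affinity postdate the 2015 Kubernetes the lab describes.

```yaml
# Added example; names, image and ports are placeholders, not from the lab.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: search
  labels:
    app: music-player
    tier: search
spec:
  replicas: 3
  selector:
    matchLabels:
      app: music-player
      tier: search
  template:
    metadata:
      labels:                      # labels are the "arbitrary tags" the Service selects on
        app: music-player
        tier: search
    spec:
      affinity:
        podAntiAffinity:
          # Hard rule: no two "search" pods on one node (needs >= 3 nodes for 3 replicas).
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  tier: search
              topologyKey: kubernetes.io/hostname
      containers:
        - name: search
          image: example.invalid/music/search:1.0   # placeholder image reference
          ports:
            - containerPort: 8080
          readinessProbe:          # unhealthy pod is removed from Service endpoints
            httpGet:
              path: /healthz
              port: 8080
            periodSeconds: 5
            failureThreshold: 3
---
apiVersion: v1
kind: Service                      # the load balancer / ambassador for the search pods
metadata:
  name: search
spec:
  selector:
    app: music-player
    tier: search
  ports:
    - port: 80
      targetPort: 8080
```

The same labels drive management and action targeting, for example `kubectl get pods -l tier=search` or `kubectl delete pods -l tier=search` act only on the search pods.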


Module 2 - Introducing Cloud-Native Apps


Introduction - Photon OS and Lightwave with AppCatalyst

An introduction to two of the latest Cloud-Native innovations from VMware.


  • Introduction to VMware Photon OS

    Photon OS is a lightweight Linux operating system for Cloud-Native apps. Photon OS isoptimized for vSphere and vCloud Air, providing an easy way for our customers toextend their current platform with VMware and run modern, distributed applicationsusing containers.

    Photon provides the following benefits:

    • Support for the most popular Linux container formats including Docker, rkt, andGarden from Pivotal

    • Minimal footprint (approximately 300MB), to provide an efficient environment forrunning containers

• Seamless migration of container workloads from development to production

• All the security, management, and orchestration benefits already provided with vSphere, offering system administrators operational simplicity

We have open sourced Photon OS to encourage widespread contributions and testing from customers, partners, prospects, and the developer community at large. It is available today on GitHub for forking and experimentation; the binary is also available on JFrog Bintray. We're even making it easily accessible to developers by packaging it with Vagrant and making it available through Atlas with our friends at HashiCorp.

By offering Photon OS, we are able to provide integrated support for all aspects of the infrastructure, adding to the leading compute, storage, networking, and management found today. Customers will benefit from end-to-end testing, compatibility, and interoperability with the rest of our software-defined data center and End User Computing product portfolios. Through integration between Photon and Lightwave, customers can enforce security and governance on container workloads, for example, by ensuring only authorized containers are run on authorized hosts by authorized users.

    Introduction to VMware Lightwave

Lightwave is an open source project comprised of standards-based, enterprise-grade identity and access management services targeting critical security, governance, and compliance challenges for cloud-native apps. Here are a few of its features:


• Multi-tenancy to simplify governance and compliance across the infrastructure and application stack and across all stages of the application development lifecycle

• Support for SASL, OAuth, SAML, LDAP v3, Kerberos, X.509, and WS-Trust

• Extensible authentication and authorization using username and password, tokens and PKI infrastructure for users, computers, containers and user-defined objects

Lightwave pairs well with Photon OS, to provide an enforcement layer for identity and access management via VMware vSphere and vCloud Air.

    Introduction to VMware AppCatalyst

VMware AppCatalyst is a desktop hypervisor for developers – currently available as a technology preview. As we spoke with development teams the last few months, it became clear that there was a gap in the market. Most developers use some form of hypervisor on their desktop - typically either VMware Fusion or Oracle VirtualBox – and they use these tools every day. But these tools were not specifically designed to support developer workflows, and there are many developer use cases where we thought we could do a lot better.

VMware AppCatalyst is an API and Command Line Interface (CLI)-driven Mac hypervisor that is purpose-built for developers, with the goal of bringing the datacenter environment to the desktop. Currently a technology preview, VMware AppCatalyst offers developers a fast and easy way to replicate a private cloud locally on their desktop for building and testing containerized and microservices-based applications. The tool features Project Photon, an open source minimal Linux container host, Docker Machine and integration with Vagrant. AppCatalyst uses MacOS as its host operating system (i.e., the user must use MacOS 10.9 or later as their host operating system to use AppCatalyst).

One of the most common use cases for the desktop hypervisor is with Docker. Docker is fundamentally a Linux technology, but most developers we talk to are using Macs so they need some form of hypervisor to run a Docker engine. But to do this you need to a) download a hypervisor, b) select a Linux distribution, c) download and install said Linux distribution, then d) setup Docker. All just to get to the point where you can start using Docker.

AppCatalyst comes pre-bundled with Photon OS - VMware's compact container host Linux distribution. When you download AppCatalyst, you can point docker-machine at it, start up a Photon instance almost instantly (since there's no Linux ISO to download), and start using Docker. This saves a lot of time getting started.

Another common use of the desktop hypervisor is with Vagrant. Developers build Vagrant files and then Vagrant up their deployment. AppCatalyst ships with a Vagrant provider so you can start using it with Vagrant immediately.

Our long term goal is to turn AppCatalyst into a data center on the desktop: any program or utility that you use against your production data center should be able to run in dev/test mode on your laptop. To do this we'll be adding storage and networking abstractions to AppCatalyst, and moving towards API parity with the data center. We have a ways to go to get there, and this initial tech preview is just the first step.

    Introduction to VMware Photon Controller

Photon Controller, part of the broader Photon Project, is a hyper-scale distributed control plane built for multi-tenant deployments enabling anybody to deploy and operate a cloud. In addition to basic Infrastructure-as-a-Service (IaaS) consumption scenarios to create, manage and destroy virtual machines and related resources, Photon Controller is optimized for 3rd Platform application development and deployment paradigms such as:

• Container clusters (K8, Mesos, Docker/Swarm)

• PaaS (Cloud Foundry Bosh CPI)

• Openstack

• Big Data


Installation - Photon OS and Lightwave with AppCatalyst

This demo shows an AppCatalyst-based installation of Photon, along with Lightwave.

Click here to view an interactive demo of an AppCatalyst-based installation of Photon OS, along with Lightwave. The demo will open in a new browser tab or window, and you can continue with the lab after the demo is finished.


http://www.googledrive.com/host/0BwKvJQgQjgwdfkYwb3VaLXpxMHA5SWF0YVMwTUR2bW1KNTdEVXE1UWhrVzN2M25wbGpSX2M/HOL-SDC-1630-PhotonLightwave.htm

Working with Lightwave

In this section, we will configure two hosts as Domain Controllers for the "lightwave.local" domain. By deploying two Domain Controllers, we add additional resiliency and high availability.

    Configuring the primary Domain Controller

1. From the Windows start menu, select "PuTTY"

2. In the list of saved sessions, double click on "lightwave-01a.corp.local"


Promote lightwave-01a to domain controller

In this step, we will promote the current host (lightwave-01a) to Domain Controller (DC) for the domain "lightwave.local".

1. Click inside the PuTTY window you opened in the previous step.

2. Type /opt/vmware/bin/ic-promote --domain lightwave.local --password VMware1! followed by Enter.

3. Check the output. Make sure it ends with "Domain Controller setup was successful".

    Create a new user in lightwave

1. Stay within the same PuTTY window as you did for the previous step (lightwave-01a).

2. Type /opt/vmware/bin/dir-cli user create --account amy --first-name Amy --last-name Wu --user-password VMware1! --password VMware1! followed by Enter.

    3. We have now created an account for Amy Wu with the login "amy".


Configure the secondary Domain Controller

1. From the Windows start menu, select "PuTTY"

2. In the list of saved sessions, double click on "lightwave-02a.corp.local"


Promote lightwave-02a to Domain Controller and pair it with lightwave-01a

In this step, we will promote the current host (lightwave-02a) to Domain Controller (DC) for the domain "lightwave.local".

1. Click inside the PuTTY window you opened in the previous step.

2. Type /opt/vmware/bin/ic-promote --partner lightwave-01a.corp.local --domain lightwave.local --password VMware1! followed by Enter.

3. Check the output. Make sure it ends with "Domain Controller setup was successful".

4. Type exit followed by Enter to log out.


Verify installation

1. From the Windows start menu, select "PuTTY"

2. In the list of saved sessions, double click on "application-01a.corp.local"

3. When asked for username, type root followed by Enter

4. When asked for password, type VMware1! followed by Enter.

    Join the lightwave.local domain

1. Click inside the PuTTY window you opened in the previous step.

2. Type /opt/vmware/bin/ic-join --domain lightwave.local --domain-controller lightwave-01a.corp.local --password VMware1! followed by Enter.

3. Check the output. Make sure it ends with "Domain Join was successful".

4. Do not close this PuTTY window.


Enable SSH authentication against lightwave

1. Stay within the same PuTTY window as you did for the previous step (application-01a).

2. Type cd /root followed by Enter.

3. To enable lightwave authentication, we are going to run a short script that contains the necessary commands.

4. Type cat init_pam.sh followed by Enter to review the script. This script plugs in lightwave authentication as a PAM (Pluggable Authentication Module).

5. Type ./init_pam.sh followed by Enter to run the script.

6. After the lsass command completes, type exit.


Login using your lightwave credentials

1. From the Windows start menu, select "PuTTY"

2. In the list of saved sessions, double click on "application-01a.corp.local"

3. When asked for username, type [email protected] followed by Enter

4. When asked for password, type VMware1! followed by Enter.

    Check who is logged in

1. Click inside the PuTTY window you opened in the previous step.

2. Type who followed by Enter.

3. You will see a list of logged-in users. The first line is the "root" user you logged in as at the start of this exercise. The second line is the lightwave user we just logged in as.


Run a Docker command

1. Stay within the same PuTTY window as you did for the previous step (application-01a).

2. Type docker run -t -i docker-hub:5000/centos:latest followed by Enter

3. Type whoami followed by Enter. This prints the current user in Docker. Notice that Docker thinks you are "root". This is due to the isolation between the Docker container and the host operating system.

4. Type exit followed by Enter to exit the Docker container.

5. Type exit followed by Enter to finish the terminal session. The PuTTY window will close.


Login as a non-privileged user

1. From the Windows start menu, select "PuTTY"

2. In the list of saved sessions, double click on "application-01a.corp.local"

3. When asked for username, type amy@lightwave.local followed by Enter

4. When asked for password, type VMware1! followed by Enter.

    Attempt to run a Docker command

1. Type docker run docker-hub:5000/centos:latest followed by Enter.

2. You will notice that amy was not given permission to run Docker commands and therefore Docker returned an error.

3. Type exit followed by Enter to close the session. The PuTTY window will close.
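The two logins above differ in who may talk to the Docker daemon. The added shell example below (not part of the lab) shows one way to audit that from /etc/group; it assumes, as on a stock Docker host, that daemon access is granted through membership of the "docker" group (the lab itself does not say how root was authorised), and the group lines are constructed to mirror the lab: root may run docker, amy may not.

```shell
# Added example, not from the lab. Constructed /etc/group-style lines; on a
# real host pipe /etc/group in instead. "bob" is an invented docker-group
# member so that branch is exercised.
SAMPLE_GROUP='root:x:0:
wheel:x:10:root
docker:x:999:root,bob
users:x:100:amy'

# Print the members of group $1, one per line, from group lines on stdin.
group_members() {
    awk -F: -v g="$1" '$1 == g {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }'
}

# Print why login $1 can drive the daemon ("root" or "docker-group") and
# return 0, or print "none" and return 1. Group lines come from stdin.
# Membership of the docker group is root-equivalent on the host: the
# whoami inside the container in the previous step is the visible symptom,
# so this list is worth reviewing as carefully as sudoers.
docker_access() {
    user="$1"
    if [ "$user" = root ]; then
        echo root
        return 0
    fi
    if group_members docker | grep -qx "$user"; then
        echo docker-group
        return 0
    fi
    echo none
    return 1
}

# Stand-alone demonstration against the constructed group file.
for u in root bob amy; do
    printf '%s: ' "$u"
    printf '%s\n' "$SAMPLE_GROUP" | docker_access "$u" || true
done
```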


Delete a user

1. From the Windows start menu, select "PuTTY"

2. In the list of saved sessions, double click on "lightwave-01a.corp.local"

    Delete user from directory

1. Click inside the PuTTY window you opened in the previous step.

2. Type /opt/vmware/bin/dir-cli user delete --account amy --password VMware1! followed by Enter.

3. Type exit followed by Enter to log out.

    Attempt to login as deleted user

1. From the Windows start menu, select "PuTTY"

2. In the list of saved sessions, double click on "application-01a.corp.local"

3. When asked for username, type amy@lightwave.local followed by Enter

4. When asked for password, type VMware1! followed by Enter.

5. Notice that Amy is no longer allowed to log in.

6. Close the terminal window by clicking the X in the upper right hand corner.


Module 3 - Getting started with Cloud-Native Apps


From Zero to Docker in 90 seconds!

Photon was designed to install and start extremely quickly. The following is a demonstration of an installation from scratch all the way to a running dockerized application.

As you will see, the installation itself completes in a mere 8 seconds on a standard VMware corporate laptop. The entire process, including VM creation, installation, activation of docker and download of a simple docker container takes less than 90 seconds. This allows users to spin up docker containers with all the benefits of isolation and manageability that a virtual machine offers in almost the same time as it would take to spin it up on an existing system.

    Bringing up a Docker host in 90 seconds



Working with Photon OS

PhotonOS™ is a technology preview of a minimal Linux container host. It is designed to have a small footprint and boot extremely quickly on VMware platforms. PhotonOS™ is intended to invite collaboration around running containerized applications in a virtualized environment.

• Optimized for vSphere - Validated on VMware product and provider platforms.

• Container support - Supports Docker, rkt, and the Pivotal Garden container specifications.

• Efficient lifecycle management - contains a new, open-source, yum-compatible package manager that will help make the system as small as possible, but preserve the robust yum package management capabilities.

    Activation Prompt or Watermark

When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated. One of the major benefits of virtualization is that virtual machines can be moved and run on any platform. The Hands-on Labs utilizes this benefit and we are able to run the labs out of multiple datacenters. However, these datacenters may not have identical processors, which triggers a Microsoft activation check through the Internet. Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements. The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation. Without full access to the Internet, this automated process fails and you see this watermark. This cosmetic issue has no effect on your lab. If you have any questions or concerns, please feel free to use the support made available to you either at VMworld in the Hands-on Labs area, in your Expert-led Workshop, or online via the survey comments as we are always looking for ways to improve your hands on lab experience.

    Login to Application-01a

Launch PuTTY from the taskbar at the bottom.


1. Select application-01a.corp.local

2. Click Open.


TDNF Help

    Login as user root using:

    username: root

    password: VMware1!

    For a list of the main commands type:

    tdnf --help

This will show you all available TDNF commands. Updating or downloading a package is simple using tdnf install, but we won't do that yet since we're not connected to the internet!

    Examine repositories

    Next, we will navigate to the repo directory and examine the configuration files.

    Change your working directory to /etc/yum.repos.d using:

    cd /etc/yum.repos.d

    List the contents of the directory using:

ls

To examine the contents of the lightwave.repo type:

    more lightwave.repo

These files indicate where packages are pulled from. These can be remote or local sources. As you can see, the baseurl in the above screenshot is pointing to https://dl.bintray.com/vmware/lightwave which is where the lightwave packages are stored.

To learn more about package management in Photon OS™, please see https://github.com/vmware/tdnf

    Package Management

PhotonOS™ uses a modified YUM repository for package management called TDNF (Tiny DaNdiFied Yum). The project is on Git here: https://github.com/vmware/tdnf

TDNF is easy to use, very similar to Yum, and can be used to manage local and remote repositories.

    Service and Systemd

If you are familiar with common flavours of Linux, you will likely know the service command can be used to start and stop services. Some newer versions of popular flavours have moved from service to systemd, as this service management framework yields many benefits outside the scope of this lab.

    Using systemctl

In your PuTTY session:

    Try the following command:

    service

    The command will not be found, so we need to use something else!

    Try using systemctl instead to look for details on the docker service using:

    systemctl status docker

The usage of systemctl is required in Photon for service management. If you want to know more about its usage, type systemctl --help and press Enter. If you need to stop, start or restart a service, the syntax is systemctl stop|start|restart

    Journalctl

Coupled with systemd, journald is a daemon that handles messages produced by the kernel, initrd, services and more. The journalctl utility is used to access these logs centrally. A full explanation of the journal is beyond the scope of this lab, but we will show how it can be used in Photon to quickly find specific log entries.

Grep for a log

Let's say you want to have a look at SSH activity in the logs. With journalctl, this is quite easy. In your PuTTY session, type:

    journalctl | grep ssh

    and press enter.

    All logs related to SSH are displayed. This can be used with containers as well!

    (Optional) - to examine the options available to this utility type:

    journalctl --help
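Piping the journal through grep shows everything sshd logged; the next step a defender usually wants is to pick out the failures and see where they come from. The added shell example below is not part of the lab: it runs that filter over constructed sshd lines in the journal's default short format (the hostnames, times and the 192.0.2.x addresses are invented), and in the lab you would feed it `journalctl | grep ssh` instead.

```shell
# Added example, not from the lab. Constructed journal lines in the short
# format journalctl prints: "Mon DD HH:MM:SS host unit[pid]: message".
SAMPLE_JOURNAL='Aug 04 10:01:02 application-01a sshd[812]: Accepted password for root from 192.168.120.10 port 51234 ssh2
Aug 04 10:01:40 application-01a sshd[815]: Failed password for invalid user admin from 192.0.2.10 port 40210 ssh2
Aug 04 10:01:41 application-01a sshd[815]: Failed password for invalid user admin from 192.0.2.10 port 40210 ssh2
Aug 04 10:01:45 application-01a sshd[819]: Failed password for amy@lightwave.local from 192.0.2.11 port 40300 ssh2
Aug 04 10:02:00 application-01a docker[402]: time="2015-08-04T10:02:00" level=info msg="API listen on /var/run/docker.sock"
Aug 04 10:02:10 application-01a sshd[820]: Accepted password for amy@lightwave.local from 192.0.2.11 port 40301 ssh2
Aug 04 10:02:30 application-01a sshd[822]: Failed password for root from 192.0.2.10 port 40400 ssh2'

# Read journal lines on stdin and print "<count> <source-ip>" for every
# address with at least one failed password, most failures first. Only
# sshd lines are considered, so unrelated units (docker above) drop out.
ssh_failed_by_source() {
    grep 'sshd\[' | grep 'Failed password' \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# Read journal lines on stdin; print every source with more than $1 failed
# passwords and return 0, or print nothing and return 1. A crude alarm for
# password guessing against the host, suitable for a cron job.
ssh_bruteforce_alert() {
    threshold="$1"
    ssh_failed_by_source \
        | awk -v t="$threshold" '$1 > t {print $2; found = 1} END {exit found ? 0 : 1}'
}

# Stand-alone demonstration against the constructed journal.
printf '%s\n' "$SAMPLE_JOURNAL" | ssh_failed_by_source
printf '%s\n' "$SAMPLE_JOURNAL" | ssh_bruteforce_alert 2 || echo "no source above threshold"
```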


Working with Docker

Docker Overview

Docker is a popular container solution that gives developers and sysadmins an easy-to-use engine, runtime, and packaging tool. Docker manages content through Docker Hub, which allows users to share images and applications easily.

In this exercise, we will look at some key use cases of Docker. First, we will run a very simple container. Then we will discuss how to package an application as a Docker image and finally we'll look at a more realistic, multi-node application. For the last part of the exercise, we'll deploy a fully functioning MediaWiki site.

    Some key concepts

Container - A running instance of an image. A container provides an encapsulated runtime environment for an application, as well as hosting the application itself.

Docker Daemon - The background process that manages a Docker host. Implements all of the basic functionality of Docker and provides the runtime environment for containers.

Docker Host - A machine (virtual or physical) hosting one or more running docker containers.

Image - A fully packaged, self-contained application or application component that can be instantiated on a Docker host. A running instance of an image is known as a container. An image is implemented as a layered file system.

Layered file system - A way of representing a docker image as the union of several contributing overlaid file systems. The image above shows the layered file system in a typical container. At the bottom is a set of files needed to emulate a certain OS environment. On top of that, the application designer can layer various components and applications. The layered file system is completely transparent to applications running inside the container.

Repository - A catalog of images for use with Docker. Repositories can be public or private and can be hosted locally as well as centrally.

Connect to the Linux machine

1. Open PuTTY from the Windows taskbar

2. Click on application-01a.corp.local

3. You will be automatically logged in without having to enter a password.


Docker Run "Hello World"

Let's make sure that our Docker environment is working by running a small test application. All this does is print a simple message to the console and exit. Notice how the image wasn't available locally and was automatically pulled down from a central registry.

1. Type docker run hello-world followed by Enter.

2. Examine the output. It should look similar to the screenshot above.

    Run a webserver

Let's try a slightly more meaningful example by spinning up a simple web server. You will notice we have added the -d (Daemon mode) flag to the command. This allows our application to continue running in the background after the docker command has finished. In this case, we're running a simple web application that listens to port 80 (HTTP). The -p argument tells Docker to wire port 80 inside the container to port 80 on the host. This allows us to expose the web application to the outside world.

1. At the command prompt, type docker run -dt -p 80:80 httpd:latest followed by Enter.

2. You should see a long hexadecimal string, similar to the one in the screen shot.


Load the webpage

    Let's verify that it worked by loading the webpage!

1. Open Firefox

2. In the URL field, type http://192.168.120.4 followed by Enter

3. You should see a web page similar to above. If you get an error while loading the page, try refreshing. It is possible that the application didn't have time to fully initialize before you tried to hit the web page.

    Kill the running container

Since we started the container in daemon mode, it will keep running until we explicitly kill it. To do that, we first need to find its container ID. This is similar to a process ID in an operating system.

1. Type docker ps followed by Enter.

2. You will see output similar to the screenshot above. Notice the hex-string at the beginning of the line! This is the container ID we need in order to kill the container.

3. Type docker kill CONTAINERID followed by Enter. You need to replace 'CONTAINERID' with the container ID from the docker ps command. Note that you can specify a substring of the container ID as long as it is unique.

    The Dockerfile

OK, that wasn't very hard, was it? But what if we want to build our own customized image? Let's say, for example, that we'd like to build a simple webserver that serves up some static content that we've created. We want this little application to be distributed using Docker.

To do that, we need some kind of "source code" instructing Docker how to create and configure such an image. Let's have a look at what a docker file might look like. In the terminal window for application-01, type the following:

1. Type cd /root/website followed by Enter

2. Type cat Dockerfile followed by Enter.

    You should see something similar to the screen shot above. Let's walk through it!

• The FROM statement specifies the base image. So the build process for this image starts with pulling down the latest version of an Apache HTTP daemon.

• Next, we use the ADD statement to transfer a file to the image. In our example, the static content of the site is stored in the file index.html. Of course, in a more realistic example, you'd transfer more than one file or transfer a ZIP or TAR that you expand in the target.

• Finally, we use the ENTRYPOINT keyword to specify the command the container should run when it starts up. The command httpd-foreground simply starts an HTTP daemon and blocks until it's explicitly killed.

For more information about the Dockerfile and its keywords, refer to this page: https://docs.docker.com/engine/reference/builder/
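Because the build starts from "the latest version" of the base image, two builds of the same Dockerfile can differ. The added shell example below is not part of the lab: it is a small lint for a Dockerfile of the kind just walked through, run over a Dockerfile text constructed from the description above (the real file in /root/website may differ, and the htdocs path inside the httpd image is an assumption).

```shell
# Added example, not from the lab. Constructed Dockerfile matching the
# lab's description: FROM the Apache image, ADD index.html, ENTRYPOINT
# httpd-foreground. The destination path is an assumption.
SAMPLE_DOCKERFILE='FROM httpd:latest
ADD index.html /usr/local/apache2/htdocs/
ENTRYPOINT ["httpd-foreground"]'

# Read a Dockerfile on stdin and print one finding per line:
#   unpinned-base <image>  FROM uses :latest or no tag, so the build is not
#                          reproducible and the base can change under you
#   add-remote <url>       ADD fetches a URL at build time, unverified
#   no-entrypoint          neither ENTRYPOINT nor CMD is set
# Returns 0 when there are no findings, 1 otherwise.
lint_dockerfile() {
    awk '
        toupper($1) == "FROM" {
            ref = $2; sub(/^.*\//, "", ref)        # drop registry/namespace
            if (ref !~ /[:@]/ || ref ~ /:latest$/) { print "unpinned-base " $2; f++ }
        }
        toupper($1) == "ADD" && $2 ~ /^https?:\/\// { print "add-remote " $2; f++ }
        toupper($1) == "ENTRYPOINT" || toupper($1) == "CMD" { has_cmd = 1 }
        END {
            if (!has_cmd) { print "no-entrypoint"; f++ }
            exit (f > 0) ? 1 : 0
        }
    '
}

# Stand-alone demonstration against the constructed Dockerfile: it reports
# the unpinned httpd:latest base and nothing else.
printf '%s\n' "$SAMPLE_DOCKERFILE" | lint_dockerfile || echo "review the findings above"
```

Pinning the base to a version tag (or an image digest with @sha256:...) clears the first finding without changing what the image does.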


Building an image from a Dockerfile

Since the Dockerfile itself is just the "source code" for our image, we need to run a docker command that builds an actual image from it. This is where "docker build" comes into the picture. Let's try it out!

    Type the following:

1. Type cd /root/website followed by Enter

2. Type ls followed by Enter. You should see two files: the Dockerfile and an index.html containing the static content for the site.

3. Type docker build -t my-website /root/website followed by Enter. You should see output similar to above.

The docker build command takes two parameters: -t my-website tags the image and gives it the name "my-website". This is what we'll refer to when we run the image. The second parameter specifies where to find the Dockerfile and the content.

    Starting our new website

    Let's start our new website to see what it looks like!

1. Type docker run -d -p 80:80 my-website:latest followed by Enter.

    You should see output similar to the first screen shot above.

If you get a message saying "Bind for 0.0.0.0:80 failed: port is already allocated", you missed the step above where we kill the webserver from our first few steps. Go back to the step "Kill the running container" and try again!


Testing our new website

Go to the web browser and enter the address "http://192.168.120.4". You should see a page similar to the screen shot above. The content you're seeing comes from the HTML file we injected using our Dockerfile. You may have to reload the page to see this!


A two-tier application

Unfortunately, all applications aren't as simple as the one we just built. Most of the time, you need multiple tiers residing in multiple containers. In our example, we're going to build a wiki site with the web server and app server residing in one image and the database residing in another image.

Ideally, we'd like to deploy the appserver container and the database on some kind of internal network not visible outside the application. This way, we don't have to bother with allocating IP addresses for the database and keeping track of how the application connects to the database. It would also be nice from a security aspect, since the database wouldn't expose any ports to the outside world.

    Luckily, Docker allows us to do this by linking containers. Let's try it out!

    Spinning up the database

To spin up the database, type the following in the application-01 terminal window:

1. docker run --name wiki-db -d -e MYSQL_ROOT_PASSWORD=secret mysql:latest followed by Enter.

There are two things to note here. First, we're giving the container a name, "wiki-db". We're going to use this when we're linking the database to the appserver/webserver container. The other thing is the -e parameter. This simply sends an environment variable to the container, which, in this case, allows us to set the root password for our database instance to "secret".

You may want to type docker ps followed by Enter to make sure the database is running before you continue.

    Spinning up the appserver/webserver

Let's spin up the appserver/webserver! Type the following in the application-01 terminal window:

1. Type docker run --link wiki-db:mysql -p 8080:80 -d synctree/mediawiki followed by Enter.

We're starting to get used to "docker run" commands by now. Let's examine what makes this one special. Most of it should be familiar by now. We're running it in daemon mode and we're exposing internal port 80 as external port 8080. But let's focus on the --link parameter.

This parameter tells docker that we're dependent on the "wiki-db" container we just spun up. It also tells it to expose it to the appserver/webserver as "mysql". This essentially does two things:

• It makes the appserver/webserver inherit all environment variables from the database. Notice how we didn't have to specify any password for the database and how it all "just worked". That's because the wiki image knows how to pick up that variable from the database and use it if it wasn't specified when spinning up the appserver/webserver.

• It creates an ad-hoc network between the two containers and establishes name mapping between the containers. The wiki appserver/webserver internally refers to a host called "mysql" for its database. The --link wiki-db:mysql parameter maps the name "mysql" to the address of the database server on the internal network we just created.
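The security property being relied on here is that only the wiki publishes a port on the host and the database does not. The added shell example below is not part of the lab: it checks that property over a `docker ps` listing. It assumes the listing was produced with `docker ps --format '{{.Names}}\t{{.Ports}}'` (one container per line, name, TAB, ports), and the lines are constructed to match the lab's wiki and wiki-db containers.

```shell
# Added example, not from the lab. Constructed `docker ps` output in the
# assumed name<TAB>ports format; "scratch" is an invented container with
# no ports at all.
SAMPLE_PS="$(printf 'wiki\t0.0.0.0:8080->80/tcp\nwiki-db\t3306/tcp\nscratch\t')"

# Read ps lines on stdin and print "<name> <host-binding>" for every port
# mapped onto the host. An entry like "3306/tcp" has no "->", so it is
# reachable only from the container network (here, via the link) and is
# skipped.
published_ports() {
    awk -F'\t' '{
        n = split($2, p, ", ")
        for (i = 1; i <= n; i++) {
            k = index(p[i], "->")
            if (k > 0) print $1, substr(p[i], 1, k - 1)
        }
    }'
}

# Return 0 if container $1 publishes nothing to the host (what we want for
# the database), 1 if it does. Reads the same ps lines on stdin.
not_published() {
    ! published_ports | awk -v n="$1" '$1 == n' | grep -q .
}

# Stand-alone demonstration against the constructed listing.
printf '%s\n' "$SAMPLE_PS" | published_ports
if printf '%s\n' "$SAMPLE_PS" | not_published wiki-db; then
    echo "wiki-db is reachable only from linked containers"
fi
```

A binding shown as 0.0.0.0:8080 is listening on every host interface; if the wiki were meant for the local machine only, -p 127.0.0.1:8080:80 would narrow it, and this check would print that address instead.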

Testing the wiki

    1. In a web browser, enter the address http://192.168.120.4:8080

You should see a site similar to the screenshot above. This is what a fresh install looks like and you're welcome to click on the "set up the wiki" link if you want to explore it further.

It may take a few moments for the application to start, so if you're getting a timeout, just try reloading the site a few times. It should come up within a minute.

    Summary

In this chapter, we have introduced some of the basic concepts in Docker. We've tested a couple of simple cases and finally deployed a Wiki site, representing a more realistic application. You should now have a basic understanding of the various components and constructs in Docker to start thinking about some of the challenges around this model.

For example, how do we secure containers? A virtualized network on the same host and geographic area is fine, but what if we want to geographically disperse containers and still abstract away the network? How do you automate and coordinate containers? Remember that the best practice is to keep containers small and nimble, but what about "container sprawl"? How do you deal with thousands or tens of thousands of containers?

Keep going in the lab to review and test out VMware's vision on how to harness the power of this exciting technology!


Module 4 - vSphere Integrated Containers


Module Overview

This module will give you an overview of the design principles and the implementation strategy of vSphere Integrated Containers.

    In this module we will NOT go through the VIC installation. We will go through:

• Deploy and connect to a container host

• Show how a container relates to a VM

• Create a simple application


Deploying vSphere Integrated Containers

Deploying vSphere Integrated Containers is as simple as deploying an OVA into your vSphere Infrastructure. The video below will walk you through the process.

    vSphere Integrated Containers Installation



vSphere Integrated Containers Introduction

In this section, we will walk you through how we made vSphere a container host.

    The concept behind vSphere Integrated Containers

VIC is a solution for current VMware customers that need to find a way to provide their developers with containers, and it gives their VMware admins the ability to manage those containers as if they were VMs.

    Developers can now create applications using standard docker commands to build andrun their applications. They only need to point their current docker client to the vSpherecontainer host.

    VMware admins can now see each container as a VM. They will now be able to managethose container just like any other VM by determining which storage, network, andresource pool those containers will run on.

    How can VMware do this? We setup a VM as a container host and then use our forkingtechnology build into vSphere 6 to rapidly deploy VMs as the docker run command isissued. By forking of a VM instead of deploying one from a template we give thedevelopers the instant deployment they expect with containers but yet give the VMwareadmins the VM they know how to manage.

    Let's go through this in a little more detail


  • A Linux Container Host

    A traditional container host runs on a Linux machine, physical or virtual. The container kernel modules are loaded, and in our case the docker daemon. Using commands from the docker client, traditionally on the same host, container images are pulled from the Docker Hub or created from scratch using a Dockerfile.

    • shows the Linux host OS
    • Docker API + Daemon
    • Container images that
    • Multiple containers sharing the same OS kernel


  • Traditional container host on ESXi

    In the traditional deployment of container hosts today, the VMware admins give the developers a Linux VM. The developers load up the daemon and run multiple containers inside that Linux VM to build their application. The issues this can present are:

    1. No visibility into those VMs and containers to help with resource contention, security or advanced networking to allow those containers to communicate with legacy applications or databases outside of those Linux VMs.

    2. Limited resource scaling of the containers because they are bound to one VM, the container host.

    3. Inefficient resource utilization on the vSphere host because those VMs are still using resources even when the containers are shut down.

    4. Wasted resources on each VM because container images are most likely duplicated on each container host.

    vSphere Integrated Container on ESXi

    In this new model, VMware treats each container as a VM. This helps with each of the issues listed previously.


    1. There is complete visibility of the containers. We can see the resources being used and help avoid contention, and apply the currently established networking and security models built into the underlying vSphere infrastructure.

    2. Container scaling is only limited by the resources in the cluster, and is also easily expanded by adding more hosts to the cluster.

    3. When containers are shut down, those resources are given back to the cluster for use somewhere else.

    4. Because of the scalability of the containers, you can reduce the number of container hosts, therefore reducing the number of duplicate images.


  • vSphere Integrated Containers Architecture

    The vSphere Integrated Containers architecture is simple. The Bonneville appliance is a VM running on a host in the vCenter cluster. This VM has the kernel space that each container shares. Within vSphere Integrated Containers, the Bonneville VM runs the docker daemon and translates the container creation commands into a vSphere fork command, which is how each container becomes a VM. This appliance is also the local image repository for all the containers associated with that container host.


  • vSphere Integrated Containers Management Appliance

    Launch the Firefox browser

    Double Click on the Internet Explorer Icon on the desktop

    Log Into vCenter

    Username: Administrator

    Password: VMware1!

    1. Click on Login


  • Verifying the vSphere Integrated Containers management appliance is installed

    1. Verify the IP address of the vSphere Integrated Containers management appliance

    Install the vSphere Integrated Containers plugin

    1. Type "http://vic-01a.corp.local/register-plugin" in the address bar (without the quotes).

    2. Press ENTER


  • Fill in the vCenter information

    1. Be sure Install is selected

    2. Registration information

    vCenter Server host name or IP address: vcsa-01.corp.local

    User Name: [email protected]

    Password: VMware1!

    Cloud Native Extensions Package URL: ALREADY FILLED IN - DO NOT REPLACE

    3. Click on Submit


  • Confirmation of plugin install

    1. When the plugin is finished installing you will see this message.

    2. Close the Install Cloud Native Extensions tab

    3. Close the browser, so you can log back in.


  • Logout of vCenter

    Launch the Firefox browser

    Double Click on the Internet Explorer Icon on the desktop

    Log back into vCenter

    Username: Administrator

    Password: VMware1!

    1. Click on Login


  • vSphere Integrated Containers management console

    From the Home screen of vCenter, double-click on the vSphere Integrated Containers icon


  • Create a Virtual Container Host

    1. Be sure the Getting Started tab is selected

    2. Double click on the Create a Virtual Container Host under Basic Tasks


  • Virtual Container Host vApp/host name

    1. Enter the name of the Virtual Container Host: VCH01

    2. Click Next


  • Virtual Container Host cluster resource

    1. Select the cluster to install the container host into, in this case select Cluster Site A

    2. Click Next


  • Virtual Container Host storage resource

    1. Select the datastore for the virtual container host and all the containers on this host. In our case select ds-site-a-nfs02

    2. Click Next


  • Virtual Container Host network resource

    1. Select the External Network; this is the network the containers will bridge to for outside connectivity. In our case, and as the default, select VM Network from the drop down menu

    2. Select the Internal Network; this is the network the container host uses for internal communication. In our case, select the Management Network from the drop down menu.

    3. Click Next


  • Virtual Container Host Static IP

    ** NOTE this IP does not need to be set; DHCP can be used ** The IP address for the Docker Host will be displayed in both the notes field of vCenter and on the VCH console

    1. Click Next


  • Virtual Container Host default container configuration

    You can set the default container size, we will be taking the defaults for this lab.

    1. Click Next


  • Virtual Container Host customer participation program

    Please participate in the customer improvement program so we can get your feedback. For this lab we will disable it.

    1. Uncheck the check box

    2. Click Next


  • Review and deploy

    Review the configuration.

    ** For this lab we will NOT be building a VCH. Please DO NOT select Finish **

    1. Click Cancel


  • Review Virtual Container Host deployment

    1. Select Host and Clusters under the Home menu


  • Look for the deployed host

    Find the virtual container host and the template VMs used to fork off the container VMs on this host. Be sure that there are as many template VMs as there are vSphere hosts in the cluster.

    In this screen shot you will also see there is more than 1 container host in this cluster; more on that in the next section of this module.


  • Managing vSphere Integrated Containers

    In this section we will be using our virtual container host to create containers and run basic web applications. We will be using multiple virtual container hosts to show how multiple teams can have their own virtual container host to create, build, and run their containers.

    Multiple Virtual Container Hosts per cluster

    Please note that there are 2 different virtual container hosts running in this cluster, each with their own set of templates for each host in the cluster.

    1. Virtual Container Hosts

    2. Container template for esx-01a

    3. Container template for esx-02a

    ** Temporary Fix ** restarting docker daemon

    If you look at either virtual container host (proj_Atlas or proj_Zeus), and see that only the container host is started:

    1. Open the console


    2. Type this command: sudo -- sh -c '/opt/bootsync.sh; /opt/dockerd.sh'

    ** Temporary Fix ** error "OK"

    1. This error is only temporary but ok. Please verify in the next step.

    ** Temporary Fix ** refresh vCenter

    1. click on the refresh button


  • ** Temporary Fix ** verify daemon has started

    The template container VMs should now be running.

    *** Please repeat for 2nd container host if needed ***

    Get the IP address of the proj_Atlas virtual container host

    Make note of this command, specifically the virtual container host IP Address.


  • Open a terminal to the docker client

    From the ControlCenter desktop, double click on the Putty icon

    Launch the Docker_client putty session

    1. Select the Docker_client session

    2. Click Open


  • Log into the docker client putty session and attach to the docker host

    Username: root

    Password: VMware1!

    Attach the Docker_client to the proj_Atlas virtual container host

    Type the export command in the Docker client: export DOCKER_HOST=tcp://192.168.100.137:2376 and press Enter.


  • Check virtual container host connectivity

    Type docker info and press Enter. Here you will see information about the vSphere backing of the virtual container host.

    Notice: the Name of the virtual container host, the total memory and available CPU of this container host
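    The export and docker info steps above point a docker client at a daemon over plain TCP, and that API carries full control of the container host. As an added example that is not part of the lab guide, the POSIX shell snippet below parses a DOCKER_HOST value of that form, reports whether the client is set up to verify the daemon's TLS certificate (using the standard docker client variables DOCKER_TLS_VERIFY and DOCKER_CERT_PATH), and wraps the same docker info connectivity check. The VCH address is the one from the lab; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the lab guide): validate a DOCKER_HOST value and
# show how the docker client will talk to the virtual container host.

# Split a tcp://host:port DOCKER_HOST value into "host port".
# Prints nothing and returns 1 when the value is not of that form.
parse_docker_host() {
    case "$1" in
        tcp://*:*) ;;
        *) return 1 ;;
    esac
    _hp=${1#tcp://}          # drop the scheme
    _host=${_hp%:*}          # text before the last colon
    _port=${_hp##*:}         # text after the last colon
    case "$_port" in
        ''|*[!0-9]*) return 1 ;;   # the port must be numeric
    esac
    [ -n "$_host" ] || return 1
    printf '%s %s\n' "$_host" "$_port"
}

# True when the client is configured to verify the daemon's certificate:
# the standard docker client variables DOCKER_TLS_VERIFY=1 and a
# DOCKER_CERT_PATH directory holding ca.pem, cert.pem and key.pem.
docker_tls_configured() {
    [ "${DOCKER_TLS_VERIFY:-}" = "1" ] && [ -n "${DOCKER_CERT_PATH:-}" ]
}

# Classify the connection a DOCKER_HOST value would open:
# "invalid", "plain" (unauthenticated TCP) or "tls".
connection_mode() {
    parse_docker_host "$1" >/dev/null || { echo invalid; return 1; }
    if docker_tls_configured; then echo tls; else echo plain; fi
}

# The lab's connectivity check (docker info), preceded by a one-line summary
# of the endpoint and run only when a docker client is installed.
check_vch() {
    hp=$(parse_docker_host "${DOCKER_HOST:-}") || {
        echo "DOCKER_HOST must look like tcp://host:port" >&2
        return 1
    }
    echo "virtual container host: $hp, mode: $(connection_mode "$DOCKER_HOST")"
    if command -v docker >/dev/null 2>&1; then
        docker info
    else
        echo "docker client not installed here; skipping docker info" >&2
    fi
}

# Usage with the proj_Atlas VCH address from the lab.
DOCKER_HOST=tcp://192.168.100.137:2376
export DOCKER_HOST
connection_mode "$DOCKER_HOST"
```

    Run check_vch after the export to get the same docker info output the lab asks for; if connection_mode prints plain, the client is sending every docker command to the VCH without verifying which daemon it is talking to.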

    Currently no docker applications configured.

    Please see Module 2 for docker single and multitier application setup.


  • Module 5 - Managing and Monitoring Containers


  • vRealize Operations - Monitoring Containers

    In this Module, we will use our Enterprise performance, management and compliance solution vRealize Operations to retrieve metrics from containerized workloads. This requires adapter installation, which has been done for you. To fully understand and experience vRealize Operations, please see HOL-SDC-1601 and 1602. Building alerts and automatic remediation steps is not in the scope of this lab, but is certainly possible!

    Note: you may need to reduce the resolution in your Chrome or Firefox window to see the bottom of the vR Ops windows in some steps.


  • Overview of vRealize Operations

    vRealize Operations is a core component in VMware's vRealize Suite, functioning as a hub for performance, capacity and compliance information, correlating that information across the Enterprise, and providing easy to understand dashboards as seen above. vRealize Operations functions primarily by way of adapters, using dedicated instances to gather information from the target systems such as vCenter, Hyperic, Configuration Manager or third party systems. Docker is just another endpoint for an adapter, so we will use an adapter to pull container metrics from Docker.

    Start a Container


  • Login to Application-01a

    If you don't already have a putty session open to Application-01a.corp.local, please open one now. Login with root and VMware1!


  • Start a Container (if one isn't already up)

    1. Type docker ps and press enter.

    2. If there are no containers running (as pictured above) then proceed to step 3. If there ARE containers running, skip the remaining instructions in this step.

    3. Type docker run -d -p 80:80 docker-hub:5000/k8s-example-guestbook-php-redis

    4. Type docker ps and ensure you have at least one container running.

    Working with Adapters


  • Log in to vRealize Operations

    Type admin / VMware1! in the username and password fields. Click Login.


  • Navigate to Solutions

    1. Click the Solutions icon.

    2. Ensure Solutions is highlighted.

    3. The Management Pack has already been installed for you. Remember this is a beta version of the Docker MP!!

    4. You will see an adapter instance has already been configured for testing. We are going to create another instance now. We have left the first one in place in case you want to inspect it, but notice that the adapter is reporting Object down. This is because the test adapter's endpoint is powered off. Also notice the Collector is collecting. This information is useful for troubleshooting purposes!

    5. Click the gear icon to edit the Adapter.

    Configure a New Instance of the Adapter

    1. Click the + sign.

    2. Name the new adapter application-01a

    3. Type application-01a.corp.local in the Docker Host field.


    4. Click the + button for credentials.


  • Credentials

    1. Select Docker SSH Credentials. Notice API connectivity is possible as well.

    2. Type appRoot for the Credential Name

    3. Type root for Username

    4. Type VMware1! for Password.

    5. Click OK.


  • Test Connection

    Once the credentials are saved:

    1. Click Test Connection

    2. This should be successful. If it is not, ensure you have a docker container running on application-01a and the credentials are correct.

    3. Save Settings. If this button is not visible, reduce your browser's resolution.

    4. Click Close.

    View the Environment

    Docker Dashboards

    Notice the Home screen now has two Docker Dashboards! It may take a couple of minutes to populate this as the adapter retrieves information from Docker. Please be patient and refresh the web page after a minute or two.

    1. Click Home (if you aren't already there).

    2. Click Docker Relationship

    3. Click an Image or a Container. Your choice!


    4. Notice the Object Relationship populate. Feel free to click other objects to understand this interaction.


  • Navigate to Environment Overview

    1. Click the globe icon to navigate to Environment.

    2. Notice the Docker inventory items. Docker World.

    Examine the Docker objects

    NOTE - the screen may not look exactly as it is displayed here depending on the state of your environment after doing other labs.

    1. Ensure Docker is selected.

    2. Click the Troubleshooting tab.

    3. Click All Metrics.

    4. Notice the Related Objects. Select Docker.

    5. Select the adapter instance you just built, application-01a.corp.local. Notice the test adapter deployed with the lab appears here to demonstrate the hierarchy.


    6. Click the plus sign on Memory, scroll to pgfault and double-click. It should display in the metric viewer.

    While this adapter is still in development, we wanted to offer VMworld attendees a glimpse into the direction we are heading. The vRealize Operations team will continue developing this adapter to ensure Operations and Infrastructure admins have a clear view into containerized workloads.

    Looking at Containers

    Feel free to explore these objects!

    1. Click Containers

    2. Click one of the containers in your inventory. Please note this screen capture may look different from your environment. Choose any object you like.

    3. Explore using the metric selector as in the previous step.


    What do you notice about the objects? Do we pull the same metrics from images as we do from containers? Examine the hierarchy of objects to better understand how docker images and containers are related to the docker host!

    If you are interested in furthering your knowledge and are well-versed in vRealize Operations, please feel free to explore the creation of alerts based on container metrics. This is purely an optional step for fun. Assuming you think that kind of thing is fun. I think it's fun. :)


  • Docker Cleanup

    Stop the existing container by using the docker stop command:

    Type docker stop followed by the Container ID. Note that you only have to type the first couple of characters of the Container ID that make it unique. Your Container ID will be unique in this lab.

    Type docker ps and ensure that you do not have any other container running before continuing on to the next module, as shown in the image above.


  • vRealize Log Insight - Monitoring Containers

    Configure Integration with vR Ops

    In this Module, the integration between Log Insight and vRealize Operations has already been performed. If you would like a deeper dive into Log Insight with vRealize Operations, please see HOL-SDC-1601.

    Log into Log Insight

    Please open a browser tab/window and click the link to Log Insight. The credentials should be stored, but if they are not, enter admin / VMware1! and click Login.


  • Observe the Agent Configuration

    Examine the Agent dashboard. Notice that we only have one agent running for controlcenter. We will return to this after we configure the Linux agent!

    1. Use the drop down and select Administration

    2. Click Agents

    Configure Linux Agent

    In this step, the Log Insight agent has already been installed for you, but we still need to activate the daemon.

    1. If you do not already have a session open, Putty into application-01a using root / VMware1!

    2. Type /usr/bin/docker-insight -agent="$GOPATH/src/github.com/JeremyOT/docker-insight/liagent" -api="http://log-01a.corp.local:9000" and press Enter. (Ignore the hyperlink in the lab module; this is an unavoidable artifact.)


    You have just launched the daemon. We have done this manually to show how the agent is started, but one could easily put this into a boot script to execute every time. Leave this window open for the next steps.
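    The boot script the text mentions, written as an added example that comes neither from the lab guide nor from the docker-insight project: the POSIX shell function below generates a systemd unit (Photon OS, used on application-01a, is systemd based) that runs the same /usr/bin/docker-insight command at boot. It takes an output directory as an argument so it can be tried without touching /etc/systemd/system, and it rejects a relative agent path such as the "$GOPATH/..." form from the lab command, because systemd does not run ExecStart through a shell and would pass that string literally. The /opt/docker-insight/liagent path in the usage line is a placeholder for wherever the liagent directory actually lives.

```shell
#!/bin/sh
# Added example (not from the lab guide or the docker-insight project):
# turn the manual docker-insight launch into a systemd unit so the agent
# starts at boot. write_agent_unit DIR AGENT_DIR API_URL writes
# DIR/docker-insight.service and returns 1 on bad input.

write_agent_unit() {
    dir=$1; agent=$2; api=$3
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    # systemd does not expand shell variables in ExecStart, so the
    # "$GOPATH/..." path from the lab command must be written out in full.
    case "$agent" in
        /*) ;;
        *) echo "agent path must be absolute, got: $agent" >&2; return 1 ;;
    esac
    # The -api flag takes the Log Insight ingestion URL; accept only http(s).
    case "$api" in
        http://*|https://*) ;;
        *) echo "api URL must start with http:// or https://" >&2; return 1 ;;
    esac
    cat > "$dir/docker-insight.service" <<EOF
[Unit]
Description=docker-insight agent forwarding Docker events to Log Insight
# Start after the docker daemon the agent watches and once the network is up.
After=network-online.target docker.service
Wants=network-online.target

[Service]
ExecStart=/usr/bin/docker-insight -agent=$agent -api=$api
# Restart the agent if it dies, with a short pause so a flapping daemon does not spin.
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF
}

# Usage: write into a scratch directory and show the result. The agent
# path is a placeholder (assumed, not from the lab).
tmp=$(mktemp -d)
write_agent_unit "$tmp" /opt/docker-insight/liagent http://log-01a.corp.local:9000
cat "$tmp/docker-insight.service"
```

    To install it for real, copy the generated file to /etc/systemd/system/, run systemctl daemon-reload, then systemctl enable --now docker-insight.service; systemctl status docker-insight and journalctl -u docker-insight then show the same agent output that the open Putty window shows in this lab.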


  • Login to application-01a in a New Window

    Leaving the agent session running, launch another Putty session and login with root / VMware1!

    Organize your Putty windows so you can see both clearly on your screen as per below!


  • Start a Container

    Launch a simple container to see the log output:

    1. In the new Putty session, type docker run -d -p 80:80 docker-hub:5000/k8s-example-guestbook-php-redis

    2. Notice the new entry on the right? It may look different than the picture depending on what you have been doing previously! The goal here is to notice the docker commands are registering with the agent, and being pushed to Log Insight.


  • Examine in Log Insight

    Return to your browser window with Log Insight. If you closed it previously, please re-open the browser and navigate to the Log Insight link in the toolbar.

    1. Click the pull down menu and select Administration.

    2. Click Agents.

    3. Notice DockerAgent running on application-01a. There may be more than one if you restarted the agent during the previous step! Notice the Events Sent number. You should see at least 1 or 2 events already streaming from Docker.

    4. Optional - Notice the file locations in the Agent Configuration? These can be configured to monitor directories in the containers themselves. If you want a challenge, configure the agent to monitor container directories! Remember to save the configuration. The challenge will be generating logs, which we will not cover in this lab, so this step is optional!

    5. When satisfied, click application-01a (the most recently updated if there are more than one).


  • View the Environment

    You should now be in the Interactive Analysis of Log Insight. If you clicked correctly, you should see a filter in place for application-01a.

    1. Change the time filter to Latest 24 hours of data.

    2. Notice the events! We are now seeing Docker logs and application logs from the container itself! If you do not see this right away, give it no more than five minutes. You should see some logs generating, provided you have started your containers properly in the previous steps. You may need to refresh the window.

    Docker Cleanup

    Stop the existing container by using the docker stop command:

    Type docker stop followed by the Container ID. Note that you only have to type the first couple of characters of the Container ID that make it unique. Your Container ID will be unique in this lab.


    Type docker ps and ensure that you do not have any other container running before continuing on to the next module, as shown in the image above.

    Summary

    There are many, many more features in vRealize Operations and Log Insight. If this area is of interest, we encourage you to take those labs, as they go much further into how one can leverage logs to create Alerts in vR Ops and configure remediation activities based on these alerts.

    Remember that these adapters are still in beta, and we can expect more features and functionality in the near future!


  • Conclusion

    Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

    Lab SKU: HOL-SDC-1630

    Version: 20160301-042707

