December 19, 2019
VMware VSphere Integrated Containers: What, How, and Why
In recent years, containers have begun to receive a lot of attention in the IT industry. This is mainly due to the various benefits that they can offer. Containerization has taken virtualization capabilities to a whole new level, allowing you to run containerized applications in isolation from other processes. VMware has seen an opportunity in container technology and decided to actively invest in its development. As a result, VMware vSphere Integrated Containers was introduced at VMworld 2015 in San Francisco. This announcement marked VMware’s journey as one of the major providers of container technology.
Today’s blog post discusses what, indeed, are vSphere Integrated Containers, and how they can enhance your infrastructure’s productivity. Moreover, we are going to delve into how VMware container technology can help you combine virtual machines and containers on a single platform to get the best of both worlds. We will also tackle the topic of protecting your business-critical workloads with NAKIVO Backup & Replication.
Containers vs Virtual Machines: How They Compare
To explain how vSphere Integrated Containers work, we first need to understand what a container is and how it differs from a virtual machine. The main differences between containers and VMs are as follows:
- A virtual machine (VM) represents a virtual copy of a computer system which emulates dedicated hardware. A container, on the other hand, only virtualizes an operating system (OS).
- Containers allow you to run multiple workloads on top of a single OS instance, whereas VMs can be used to run multiple guest OSs on top of the virtualized hardware.
- Containers share the same OS kernel as the host operating system, whereas each VM requires a separate OS instance.
- A VM ensures hardware-level virtualization, while a container enables OS virtualization.
- A VM can take a few minutes to start, while a container can start in seconds.
- A single VM is completely isolated from other VMs, allowing you to secure each of your business workloads. A container only provides process-level isolation (processes are separated from one another but share the host kernel), which makes its deployment less secure.
- Running multiple VMs at once can cause performance overhead. Containers require fewer server resources, making them more resource-efficient, flexible, and portable.
- Each VM is allocated its own dedicated memory, while containers share OS resources, meaning that less memory is consumed.
- VMs are the best option for when you need to run multiple resource-intensive applications simultaneously. VMs can also be used for running various types of operating systems and testing their capabilities. At the same time, the main advantage of containers is that they can run multiple non-resource-intensive applications on a single server, even with minimal resource allocation.
As you can see, containers and VMs each offer a set of unique features. Thus, it is often more practical to integrate both into your production environment. This way, you can have the best of both worlds by combining the portability and flexibility of containers with the high productivity and security of VMs. VMware is one of the top virtualization vendors that managed to do just that by introducing VMware vSphere Integrated Containers.
What Is vSphere Integrated Containers?
vSphere Integrated Containers (VIC) is a VMware technology which allows you to create and manage container workloads within the VMware vSphere environment. With advanced VMware technology, running containers has become an easy and intuitive process. This way, container technology can be seamlessly integrated into your existing VMware infrastructure, allowing you to run vSphere Integrated Containers alongside VMware VMs without installing any additional tools.
Requirements for vSphere Integrated Containers
For vSphere Integrated Containers to work properly, you need to meet the following minimum requirements:
- vSphere 6.0 or above
- 2 vCPUs
- 8GB of RAM
- 80GB of disk space for the VIC Appliance
- Outbound TCP traffic to port 2377 on the endpoint VM
- Inbound HTTPS traffic on port 443 for uploading and downloading from datastores
Components of vSphere Integrated Containers
To better understand how vSphere Integrated Containers can be deployed, you need to learn about the components this functionality includes:
- vSphere Integrated Containers Engine is a vSphere container runtime which can be used by Docker-savvy developers for creating and managing containers much as you would VMware VMs. IT administrators can manage vSphere container workloads easily and efficiently using the familiar vSphere UI. This way, vSphere containers can be deployed alongside traditional virtual machines without affecting existing VM-based policies and tools. vSphere Integrated Containers Engine is a Docker Remote API-compatible engine, meaning that you can still use Docker commands for managing container workloads while also benefiting from the simplicity and intuitiveness of the vSphere UI.
- vSphere Integrated Containers Registry, also known as VMware Harbor, is an enterprise registry which enables storing and indexing existing container images. It extends the Docker Distribution open-source project with security, auditing, and identity management features.
- vSphere Integrated Containers Management Portal, also referred to as VMware Admiral, is a portal that DevOps teams can use to provision and manage container-based applications. This management portal has been designed to be lightweight, ensure high scalability, and produce a minimal footprint. It can gather information on container instances by monitoring the performance of your container workloads. You can also set up various deployment rules to streamline the resource management of existing containers.
- vSphere Integrated Containers Plug-in for vSphere Client is a plug-in which enables managing and configuring virtual container hosts directly from the vSphere Client.
How to Deploy vSphere Integrated Containers
With vSphere Integrated Containers, you can containerize your business-critical workloads using the following deployment models:
- Virtual Container Hosts
A virtual container host (VCH) is a native vSphere construct which encompasses vSphere tools and hardware resources used for provisioning container-based applications. Traditionally, to ensure seamless container adoption, you would first have to build a separate container-based infrastructure stack. However, VMware allows you to fully use the underlying networking and storage resources to run container workloads. With vSphere Integrated Containers, you can access the Docker API, which can be leveraged for creating new containers, managing container images, and controlling container-based workloads.
Each VCH is deployed as a single VMware VM, ensuring that you can also make use of essential vSphere features such as vSphere vMotion, vSphere High Availability, or vSphere Distributed Resource Scheduler. A single virtual container host can house several container instances. You can create multiple virtual container hosts, with each of them being assigned a specific role (testing, development, or production).
- Docker Container Hosts
Another exclusive feature of vSphere Integrated Containers is that you can run native Docker container hosts along with virtual container hosts in your vSphere environment. As a result, dev teams can provision Docker container hosts by themselves and deploy those hosts as development sandboxes or swarm clusters. This way, your developers can leverage familiar Docker tools in a ready-to-use VMware environment. On the other hand, the simplicity of a vSphere environment can reduce management overhead, allowing your IT administrators to effectively manage container workloads of any complexity.
How to Use vSphere Integrated Containers
When it comes to vSphere Integrated Containers, the two common use cases can be differentiated as follows:
- Application repackaging
Container technology is in high demand in modern datacenters, mainly because containerization can improve the workflow management and enhance the overall infrastructure performance. With vSphere Integrated Containers, available applications and their dependencies can be packaged into container images without refactoring the app. This operation can enhance container portability, simplify deployment, and make application maintenance fast and simple.
- Developer sandbox
With vSphere Integrated Containers, you can create native Docker container hosts without investing extra time and money. Your developers get access to native Docker container tools with which they can test and run the applications they want. This way, you can boost the productivity of your dev teams by providing them with the Docker tools they are familiar with. As a result of such increased productivity, you can promptly identify any issues and vulnerabilities in existing apps, in addition to significantly reducing the app’s time to market.
Pros and Peculiarities of vSphere Integrated Containers
VMware managed to release a comprehensive container solution which allows you to seamlessly integrate containerization into a vSphere infrastructure. By understanding all the peculiarities of vSphere Integrated Containers, you can learn how to leverage this functionality to the fullest.
Below, you can see a full list of vSphere Integrated Containers’ idiosyncrasies you should be aware of:
- All vSphere Integrated Containers components are open-source and can be found on GitHub.
- vSphere Integrated Containers is included for vSphere 6.0 and above Enterprise Plus customers as well as vSphere with Operations Management Enterprise Plus customers.
- No additional license subscription is required for you to use vSphere Integrated Containers. Technical support is included by default. Thus, you can start deploying containers in your production environment without purchasing any additional subscription.
- With vSphere Integrated Containers, you can deploy vSphere VMs as container hosts instead of Linux VMs.
- Traditional containers run inside VMs, whereas vSphere containers are deployed as VMs.
- The vSphere platform offers hardware layer abstraction. As a result, each vSphere container runs in isolation from the container host as well as other containers, ensuring their uninterrupted performance.
- vSphere Integrated Containers ensures dynamic resource allocation on a per-tenant basis.
- With vSphere Integrated Containers, you can develop applications in containers using a Docker-compatible interface and manage them through a management portal or vSphere UI.
- You can perform container image vulnerability scanning to promptly identify container images with known vulnerabilities and remove them from your data center.
- Even though containers have a large attack surface, VMware’s advanced feature set can ensure the security of container images, enhance user access control, and set up identity management policies using LDAP and Active Directory services.
- Moreover, vSphere Integrated Containers ensures modularity, meaning that the VIC components can be divided into separate modules which can be regrouped in various ways. If, for example, your production infrastructure already includes a management portal, you can use the vSphere Integrated Containers Registry and vSphere Integrated Containers Engine components along with the existing portal.
Data Protection with NAKIVO Backup & Replication
With vSphere Integrated Containers, you can get enterprise-grade functionality for running VM-based and container workloads on the same platform. Both ITOps and DevOps can benefit from improved management and the isolation that virtualization provides as well as the ease of use and flexibility of containers.
However, building a complex production environment has certain pitfalls which need to be avoided, especially when it comes to security. Containers are extremely prone to security vulnerabilities for a number of reasons. For example, you might unknowingly download an infected container image from a public registry, thus putting your entire environment at risk. Moreover, special attention should be given to user access management. You need to ensure that containers can be accessed and controlled only by a limited number of trusted employees. This way, you can significantly reduce the attack surface of your containers.
A comprehensive data protection solution can help you integrate an effective security strategy into your infrastructure. With the full-fledged functionality of NAKIVO Backup & Replication, you can safeguard every aspect of your environment. Read further to discover why you should choose NAKIVO Backup & Replication for protecting your business data and applications:
- Perform image-based, application-consistent, and incremental backups to secure your physical, virtual, and cloud workloads. NAKIVO Backup & Replication supports VMware, Hyper-V, Nutanix AHV, and AWS EC2 environments, as well as the protection of physical servers.
- You can keep up to 4,000 recovery points for each data backup. Those backups can be rotated on the basis of the Grandfather-Father-Son scheme, ensuring long-term retention of your mission-critical data.
- With NAKIVO Backup & Replication, you can copy your backups and send them offsite or to the AWS or Azure clouds. Even if your primary site fails, you can successfully restore the data you need by accessing your backup copies. Eliminate a single point of failure and ensure continuous backup performance by scheduling backup-to-cloud jobs.
- By organizing various actions and conditions into an automated algorithm, you can create a site recovery workflow. These recovery workflows can be customized to address a specific DR scenario. Once a disaster occurs, you can start a required SR job in just a few clicks, allowing you to orchestrate the entire DR process and minimize the risk of failed disaster recovery.
- Reduce management complexity and streamline your data protection processes by creating various policy rules based on VM name, tag, size, location, power state, configuration, etc. With Policy-Based Data Protection, the solution can scan the entire production infrastructure, identify the VMs and instances matching the existing policy rules, and add or remove them from corresponding data protection jobs.
- With Instant Verification, you can test the recoverability of your VM backups and replicas right after the job’s completion. To verify that your VMs can be successfully recovered, our solution can either take a screenshot of the booted OS or check the availability of hypervisor tools. The results are then sent to your email or displayed in the product’s interface.
- Our product can recover the data you need (VMs, folders, and application objects) in just a few clicks. You can recover any item without having to perform a tedious full-scale VM recovery. Additionally, Cross-Platform Recovery allows you to export and recover backup data across platforms. Recover business-critical data from a VMware environment in Hyper-V and vice versa in addition to restoring physical server backups to VMware or Hyper-V VMs.