Changes from v0.8.0: v0.8.0...v0.9.0

This is an interim pre-release and does not include support from VMware global support services (GSS). Support is OSS community level only. See https://github.com/vmware/vic/blob/master/CONTRIBUTING.md#community for details on how to contact the VIC Engine community.

Features:

Resolved Issues

  • vSphere Integrated Containers Engine 0.8 does not support Docker Client 1.13. #3734, #3720
    If you attempt to connect version 1.13 of the Docker Client to a virtual container host, the Docker client stops working.
  • Version 5.7 of the mysql image does not work with docker compose up #3857
    If you run docker compose up and the application that you are creating uses version 5.7 of the mysql image, the database does not initialize. The MYSQL log contains the error --initialize specified but the data directory has files in it.
  • vMotion disconnects file-backed serial ports after a migration. #3243
    While applications continue to function correctly without interruption, container logs lose output after a vMotion.
  • Deleting a VCH from an ESXi host does not remove the bridge network if it was created with a custom name. #3193
    If you deploy a VCH to an ESXi host and use the --bridge-network option to create a bridge network with a custom name, vic-machine delete does not remove the bridge network if you delete the VCH.
  • Running docker ps -aq reports containers that have been removed. #3196
    Listing containers by running docker ps -aq can include containers that have been removed. Attempting to perform an operation on a container that was included in the output of docker ps -aq, for example docker rm -f, results in the error Error response from daemon: No such container.
  • volume ls ignores filters #1718
  • docker run busybox behaves incorrectly #1687

    The container configuration differs between vSphere Integrated Containers Engine and Docker: vSphere Integrated Containers Engine attempts to attach to the container, whereas Docker exits immediately.
  • docker ps -n shows stopped containers that have been created, but not started, for the state of the container #1545

Known Issues

  • VCH deployment fails with invalid URL error when using --insecure-registry. #4141
    If you use the --insecure-registry option with vic-machine create, deployment of the VCH fails with the following error:

    registry_address:5000 is an invalid format for registry url.

    Workaround: Precede the registry address with double forward slashes.

    //registry_address:5000

  • vSphere Integrated Containers leaks DOM objects on VMware vSAN. #3938
    When using a VMware vSAN datastore as the image store, if you pull an image and then delete the VCH, DOM object leaking occurs on the datastore. Running docker rmi without deleting the VCH has the same issue.

    Workaround: Use govc to list and remove leaked objects:

    • List leaked objects: govc datastore.vsan.dom.ls -l -o
    • Remove leaked objects: govc datastore.vsan.dom.ls -o | xargs govc datastore.vsan.dom.rm
  • docker-compose does not allow you to specify the TLS version on the command line. #4317
    vSphere Integrated Containers supports TLS v1.2. You must configure docker-compose to use TLS 1.2. However, docker-compose only allows you to set the TLS version by using environment variables. For more information, see docker-compose issue 4651. Furthermore, docker-compose has a limitation that requires you to set TLS options either by using command line options or by using environment variables. You cannot use a mixture of both command line options and environment variables. To use docker-compose with vSphere Integrated Containers and TLS, set the following environment variables:

     COMPOSE_TLS_VERSION=TLSv1_2
     DOCKER_TLS_VERIFY=1
     DOCKER_CERT_PATH="path to your cert files"

    The certificate file path must lead to CA.pem, client_key.pem, and client cert.pem. You can run docker-compose with the following command:

    docker-compose -H vch_address -f up

  • Containers remain in the Starting state when you run docker compose up. #4223
    Bringing up a compose application by using docker-compose up results in containers getting stuck at the Starting state. This does not happen if you use the -d option when you run docker compose up.

    Workaround: Use docker compose up -d instead of docker compose up.

  • Installing the HTML5 plug-in on vCenter Server on Windows does not work. #4277
    When using a Web server to install the HTML5 client plug-in on a vCenter Server instance that runs on Windows, the installer reports success but the installation does not succeed.

    Workaround: Installing the HTML5 plug-in on a vCenter Server Appliance works. To install the HTML5 plug-in on a vCenter Server instance that runs on Windows, use a build that post-dates 2017-03-18.

  • vic-machine ls doubles output. #3975
    When you run vic-machine ls, VCHs are listed twice in the output.

    Workaround: Specify the --compute-resource option when you run vic-machine ls.

  • Deployment fails with a list failed error when you specify resources by name rather than by path. #4203
    Deployment of a VCH fails with an error about failing to find resources that you specified by name in the --compute-resource option. However, vic-machine suggests the resource that you specified as a valid resource.

     INFO Validating compute resource
     INFO Suggesting valid values for --compute-resource based on "cls" 
     INFO Failed to find resource pool in the provided path, showing all top level resource pools.
     INFO Suggested values for --compute-resource: 
     INFO "cls"
     ERROR resource pool 'cls' not found 
     ERROR List cannot continue - compute resource validation failed: validation of configuration failed
     vic-machine-linux ls failed: list failed
    

    Workaround: Specify the full path to the resource rather than just the resource name.

  • Error response from daemon: Unexpected http code: 400 when pulling images from local Harbor registries. #3441
    Currently, vSphere Integrated Containers Engine always performs certificate verification with a secure registry even if you specify vic-machine create --insecure-registry during deployment of the VCH. VMware is working to resolve the issue.

  • Containers have access to vSphere management assets. #3970
    Containers that are attached to the bridge network can use NAT through the VCH and so have full access to assets on the management and client networks, or they can be reached via the gateway on those networks. As a consequence, any container can access vSphere assets.

  • Shutting down and restarting a VCH does not behave correctly on vCenter Server. #3137
    If you shut down a VCH and its container VMs by powering off the vApp and then restart the vApp, container VMs appear in the vSphere Client as having restarted but might show up as stopped if you run docker ps -a. Container VMs might also show up as not being connected to the bridge network when you run docker network inspect bridge. Currently vSphere Integrated Containers Engine does not support restarting the whole vApp.

    Workaround: Restart the VCH endpoint VM, then restart the container VMs if necessary.

  • Deleting container VMs by using the vSphere Client can remove the underlying image. #2928
    If you delete a container VM by using the vSphere Client, attempts to create other containers that use the same base image can fail if the base image has been removed.

    Workaround: As stated in the documentation, always use Docker commands to perform operations on containers. Do not use the vSphere Client to perform operations on container VMs.

  • Deployment fails if you configure a VCH to use 4 NICs. #2802
    A VCH supports a maximum of 3 distinct network interfaces. Because the bridge network requires its own port group, at least two of the public, client, and management networks must share a network interface and therefore a port group. Container networks do not go through the VCH, so they are not subject to this limitation. This limitation will be removed in a future release.

  • vic-machine and VCH do not support creation of resources within inventory folders. #3619
    This capability will be added in a future release.

  • Image store is in the wrong directory if the datastore already has a directory with the same name. #3365
    If the datastore already has a directory with the same name as the VCH, and the directory does not have a VM, vic-machine creates the VCH but gives its folder a slightly different name. For example, the folder is "test_1" for a VCH named "test". The kvstore is correctly located in the "test_1" folder, but image files are still in the "test" directory.

  • Deployment with static IP takes a long time. #3436
    If you deploy a VCH with a static IP, the deployment might take longer than expected, resulting in timeouts.
    Workaround: Increase the timeout for the deployment when using static IP.

  • Firewall status delayed on vCenter Server. #3139
    If you update the firewall rules on an ESXi host to allow access from specific IP addresses, and if that host is managed by vCenter Server, there might be a delay before vCenter Server takes the updated firewall rule into account. In this case, vCenter Server continues to use the old configuration for an indeterminate amount of time after you have made the update. vic-machine create can successfully deploy a VCH with an address that you have blocked, or else fail when you deploy a VCH with an address that you have permitted.

    Workaround: Wait a few minutes and run vic-machine create again.

  • Piping information into busybox fails. #3017
    If you attempt to pipe information into busybox, for example by running echo test | docker run -i busybox cat, the operation fails with the following error:

    Error response from daemon: Server error from portlayer: 
    ContainerWaitHandler(container_id) 
    Error: context deadline exceeded
    
  • VCH Admin shows network failure when virtual container host uses a proxy. #3213
    If a virtual container host is configured to use a proxy, the VCH Admin status page shows a network failure even if connectivity through the proxy is working.

  • vic-machine delete does not recognize virtual container hosts that were not fully created. #2981
    vic-machine delete fails when you run it on a virtual container host that was not fully created.

    Workaround: Manually delete any components of a partial installation, for example, the virtual container host vApp, the endpoint VM, and datastore folders.

  • Container fails to shut down with Error response from daemon: server error from portlayer : [DELETE /containers/{id}][500] containerRemoveInternalServerError. #1823

    Workaround: Developers: run docker create again. Administrators: Un-register and re-register the VM in the vSphere UI.

  • Mounting directories as a data volume using the -v option is not supported. #2303

  • When you pull a large sized image from Harbor into a virtual container host, you get an error that the /tmp partition reached capacity. #2595, #3624

    docker: Failed to fetch image blob: weblogic/test_domain/sha256:3bf21a5a3fdf6586732efc8c64581ae1b4c75e342b210c1b6f799a64bffd7924 returned download failed: write /tmp/3bf21a5a3fdf346188145: no space left on device.

    Workaround: Deploy the virtual container host with --appliance-memory=4096 which increases the appliance memory configuration.

  • Installing the virtual container host using a short hostname fails. #2582
    Workaround:

    • The IP address that you provide to vic-machine create target must be reachable on the management network.
    • If you use a DNS name instead of an IP address, the virtual container host endpoint VM must be able to resolve the name using the DNS server that is configured either by DHCP or by the vic-machine create --dns-server option. There is no default search domain, so use the FQDN.
  • Pulling all tagged images in a repository is not supported. #2724

    vSphere Integrated Containers only attempts to pull the latest tagged images.

  • Misleading error message appears when you run out of memory on ESXi. #2840

  • vSphere Integrated Containers fails to delete the vApp that remains after a virtual container host creation fails. #2853

  • Container VM fails to start on VIC backed by a VVOL datastore. #2242

    VVOL datastores are not supported in this release.
  • Attaching the same container from multiple terminals causes problems. #2214
  • --net=none is not supported. #2108
  • VCH restarts if required process cannot be restarted. #2099

    The system should attempt to restart the process a finite number of times, then report an error, leaving the VCH up and running so that logs can be downloaded. Instead, the VCH reboots immediately.
  • vic-machine incorrectly assumes conf.ImageStores[0] is the appliance datastore. #1884
  • When some of the hosts in the cluster are not attached to the dVS and do not have access to the bridge network, the error message is not easily readable. #1647
  • Image manifest validation for pulled images is not supported. #1331
  • Setting up overlay networks is not supported. #1222

    Error response from daemon: scope type not supported
  • vic-machine can connect to the target but the VCH appliance cannot. #1160, #3479

    The VCH cannot get an IP address on the management network or does not have a route to the specified target.
  • Adding folder options to vic-machine is not yet implemented. #773
  • Adding mapped vSphere networks to running containers is not yet implemented. #745
  • Adding bridge networks to running containers is not yet implemented. #743
  • Mapping an existing vSphere level network into the Docker network to explicitly provide a container with a route not through the VCH appliance is not yet implemented. #441
  • Incorrect image digest format sent to Docker client #1484

    docker images --digests is not supported.

    Workaround: Pull images by tag instead.

  • docker pull results in an "already exists" error #1409

    If a context deadline exceeded error occurs on the port layer while performing an image pull, it causes an inconsistent state for the image. Pulls can also take a very long time with a slow network connection.

  • vic-machine create validation fails if a dvSwitch exists on an ESXi target #729

  • Root user support #1279

    vSphere Integrated Containers Engine does not support root users inside containers.
  • The log server does not require authentication and might expose sensitive system information.

    Debug logging is enabled in this release. This can potentially expose the path and identity of system resources over HTTP via the vicadmin portal. Plain-text passwords are not exposed.
  • Using anonymous volumes

    To use anonymous volumes with docker create -v, you must specify a default volume store when you run vic-machine create to create the virtual container host. For example, ./vic-machine create <...> --volume-store default:datastore1/anonymousVolumes
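
For the docker-compose TLS known issue (#4317) above, the following preflight check is an added example, not code from the VIC project or from docker-compose. The function name check_compose_tls_env is hypothetical, and the certificate file names ca.pem, cert.pem and key.pem are an assumption (the Docker client defaults); adjust them to match your files.

```shell
#!/usr/bin/env bash
# Added example: preflight check for the docker-compose TLS settings in issue #4317.
# check_compose_tls_env is a hypothetical helper, not part of VIC or docker-compose.
# Arguments: the docker-compose arguments you intend to run.
# Returns 0 when the environment is consistent, 1 otherwise.
check_compose_tls_env() {
    local rc=0 f arg

    # The release notes require these exact values.
    if [ "${COMPOSE_TLS_VERSION:-}" != "TLSv1_2" ]; then
        echo "COMPOSE_TLS_VERSION must be TLSv1_2" >&2; rc=1
    fi
    if [ "${DOCKER_TLS_VERIFY:-}" != "1" ]; then
        echo "DOCKER_TLS_VERIFY must be 1" >&2; rc=1
    fi

    # Assumed file names: the Docker client defaults. Adjust if yours differ.
    if [ ! -d "${DOCKER_CERT_PATH:-}" ]; then
        echo "DOCKER_CERT_PATH is not a directory" >&2; rc=1
    else
        for f in ca.pem cert.pem key.pem; do
            [ -r "$DOCKER_CERT_PATH/$f" ] || {
                echo "missing or unreadable: $DOCKER_CERT_PATH/$f" >&2; rc=1
            }
        done
        # A client key readable by group or others exposes the VCH credential.
        if [ -n "$(find -L "$DOCKER_CERT_PATH/key.pem" \
                   \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
            echo "key.pem is readable by group or others; chmod 600 it" >&2; rc=1
        fi
    fi

    # docker-compose cannot mix TLS command-line options with TLS environment variables.
    for arg in "$@"; do
        case "$arg" in
            --tls|--tlsverify|--tlscacert*|--tlscert*|--tlskey*)
                echo "TLS option $arg conflicts with the TLS environment variables" >&2
                rc=1 ;;
        esac
    done
    return "$rc"
}
```

Call it with the same arguments you plan to pass to docker-compose, and run docker-compose only when it returns 0.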

Download Binaries

https://storage.googleapis.com/vic-engine-releases/vic_0.9.0.tar.gz

Installation

For instructions about how to deploy a vSphere Integrated Containers Engine virtual container host, see vSphere Integrated Containers Engine Installation at https://vmware.github.io/vic-product/index.html#getting-started.

Using vSphere Integrated Containers Engine

For more details on using vSphere Integrated Containers Engine, see the general usage doc on GitHub, or the current drafts of the end user documentation at https://vmware.github.io/vic-product/index.html#getting-started:

  • vSphere Integrated Containers Engine Installation HTML | PDF | Source.
  • vSphere Integrated Containers Engine for vSphere Administrators HTML | PDF | Source
  • Developing Container Applications with vSphere Integrated Containers Engine HTML | PDF | Source

Open Source Components

The copyright statements and licenses applicable to the open source software components distributed in vSphere Integrated Containers Engine are available in the LICENSE file.