Can Storage Policies be used with VIC?

The answer is an emphatic yes. One can absolutely use storage policies with vSphere Integrated Containers (VIC). However, there is currently no way to specify a policy at the docker CLI when creating a container (at this time). Therefore one would have to deploy the VCH, then deploy the container, and then finally modify the storage policy as appropriate. My understanding is that consideration is being given to a way to do this at deployment time, but at the present, it involves a number of steps. Let’s discuss them in turn.

First off, the containers would need to be deployed on a datastore that can consume policies. Let’s take vSAN as an example. When deploying the VCH (Virtual Container Host) you must specify the container-store. At the moment, this defaults to the same as the image-store, but this should change going forward. Now that the image-store is a vsanDatastore, then containers are also deployed to the vsanDatastore, with a default policy. Here is the complete deployment of the VCH, where the image-store (and conversely the container-store) is specified as a vsanDatastore:

root@photon-NaTv5i8IA [ /workspace/vic ]# ./vic-machine-linux create \
--bridge-network Bridge-DPG --image-store vsanDatastore  \
-t 'administrator@vsphere.local:VMware123!@' \
--compute-resource Mgmt
INFO[2016-11-01T12:16:29Z] ### Installing VCH ####
INFO[2016-11-01T12:16:29Z] Generating certificate/key pair \
- private key in ./virtual-container-host-key.pem
INFO[2016-11-01T12:16:29Z] Validating supplied configuration
INFO[2016-11-01T12:16:29Z] vDS configuration OK on "Bridge-DPG"
INFO[2016-11-01T12:16:29Z] Firewall status: DISABLED on \
INFO[2016-11-01T12:16:29Z] Firewall status: DISABLED on \
INFO[2016-11-01T12:16:29Z] Firewall status: DISABLED on \
INFO[2016-11-01T12:16:29Z] Firewall configuration OK on hosts:
INFO[2016-11-01T12:16:29Z]   "/CNA-DC/host/Mgmt/"
INFO[2016-11-01T12:16:29Z]   "/CNA-DC/host/Mgmt/"
INFO[2016-11-01T12:16:29Z]   "/CNA-DC/host/Mgmt/"
INFO[2016-11-01T12:16:30Z] License check OK on hosts:
INFO[2016-11-01T12:16:30Z]   "/CNA-DC/host/Mgmt/"
INFO[2016-11-01T12:16:30Z]   "/CNA-DC/host/Mgmt/"
INFO[2016-11-01T12:16:30Z]   "/CNA-DC/host/Mgmt/"
INFO[2016-11-01T12:16:30Z] DRS check OK on:
INFO[2016-11-01T12:16:30Z]   "/CNA-DC/host/Mgmt/Resources"
INFO[2016-11-01T12:16:31Z] Creating virtual app "virtual-container-host"
INFO[2016-11-01T12:16:31Z] Creating appliance on target
INFO[2016-11-01T12:16:31Z] Network role "external" is sharing NIC with "management"
INFO[2016-11-01T12:16:31Z] Network role "client" is sharing NIC with "management"
INFO[2016-11-01T12:16:35Z] Uploading images for container
INFO[2016-11-01T12:16:35Z]      "bootstrap.iso"
INFO[2016-11-01T12:16:35Z]      "appliance.iso"
INFO[2016-11-01T12:16:38Z] Registering VCH as a vSphere extension
INFO[2016-11-01T12:16:46Z] Waiting for IP information
INFO[2016-11-01T12:17:01Z] Waiting for major appliance components to launch
INFO[2016-11-01T12:17:09Z] Initialization of appliance successful
INFO[2016-11-01T12:17:09Z] vic-admin portal:
INFO[2016-11-01T12:17:09Z] DOCKER_HOST=
INFO[2016-11-01T12:17:09Z] Connect to docker:
INFO[2016-11-01T12:17:09Z] docker -H --tls info
INFO[2016-11-01T12:17:09Z] Installer completed successfully
root@photon-NaTv5i8IA [ /workspace/vic ]#

Let’s take a look at the VCH storage policy. We can clearly see that it is using the default storage policy for Virtual SAN.

vch-policyNext, lets deploy a container. In this example, we will deploy an Ubuntu image and drop into a bash shell:

root@photon-NaTv5i8IA [ /workspace/vic ]# docker -H --tls run \
-it ubuntu bash
Unable to find image 'ubuntu:latest' locally
Pulling from library/ubuntu
a3ed95caeb02: Pull complete
6bbedd9b76a4: Pull complete
fc19d60a83f1: Pull complete
de413bb911fd: Pull complete
2879a7ad3144: Pull complete
668604fde02e: Pull complete
Digest: sha256:312986132029d622ae65423ca25d3a3cf4510de25c47b05b6819d61e2e2b5420
Status: Downloaded newer image for library/ubuntu:latest
root@6c8d6a4add24:/# ls
bin  boot  dev  etc  home  lib  lib64  lost+found  media  mnt  opt  proc  root  \
run  sbin  srv  sys  tmp  usr  var

Let’s take a look at what this looks like from a storage policy perspective. Remember, one of the great benefits of VIC is that we get full visibility into our container, as it looks just like a VM:

container-policyWe can clearly see that this “container as a VM” has been deployed to the vSAN datastore and has also picked up the default vSAN datastore policy. Now we can easily go in and edit the settings of this “container as a VM” and change the policy of its VMDK to something else. For example, I can set this to a non-default policy called FTT=1, even though it achieves the same availability as the default policy. Now if I look at the compliance state, I see two policies:

ftt1The reason why we see two policies is because the default policy is still associated with the VM Home object, but the VMDK object now has the new FTT=1 policy. This can be seen in greater detail if we navigate to the Monitor > Policies view, and look at the physical placement of the VMDK object, as shown here:

placementSo there you have it. As a vSphere admin, not only do you have full visibility into the “containers as VMs” deployed via VIC, but you can also make VIC containers highly available from a storage persistent perspective. You can do this by deploying these containers on a storage system that is policy driven, such as vSAN. And you can then modify the policies according to your requirements.

  1. Great article, I have really enjoyed your article . You show how we can use storage policies with vSphere Integrated Containers . I was little bit confused about how I can use storage policies with VIC and now I completely understood with the help of your article. The best thing is that we can do this by deploying these containers on a storage system that is policy driven, such as vSAN. and we can then modify the policies according to our requirements.
    Thanks for sharing. The way you explained each and everything is really great. Thanks once again .

Leave a Reply