In this post, I wanted to play a little more with our registry product (Harbor) and how it integrated with vSphere Integrated Containers (VIC). The workflow that I am going to show you in this post is using Docker on Mac to pull an image from Docker Hub, do whatever I need to do with that image/application, and then push out the updated version to my private Harbor registry. From my Harbor registry I am then going to pull that image down and run it on my production VCH (Virtual Container Host). The VCH provides my docker API endpoint in VIC.
I’ll begin with getting my Mac set up with Docker. Now I already have Docker installed on my Mac – Docker Community Edition version 17.03.1-ce-mac12 (17661) – so I first of all verified that I could log in to the Harbor registry from my Mac. Immediately I hit this issue:
    Cormacs-MacBook-Pro-8:.docker cormachogan$ docker login 10.27.51.37 -u chogan
    Password:
    Error response from daemon: Get https://10.27.51.37/v1/users/: x509: certificate signed by unknown authority
    Cormacs-MacBook-Pro-8:.docker cormachogan$
Ah – the good old x509 certificate issue. You might remember that I hit the same thing when trying to log in to Harbor via my VCH docker endpoint. I wrote about it here, and the solution was to include the CA cert from Harbor when I created my VCH. So how do I deal with it here? This time, the solution is to include the option --insecure-registry when starting the docker daemon on my Mac. However, Docker on Mac has another way of dealing with it. Simply click on the docker icon, select preferences:
Now add the IP address of the insecure registry under the Daemon option (which in my case is Harbor with self-signed certs):
Once Docker had restarted, I tried to see if I could now log in to the Harbor registry from my Mac.
    Cormacs-MacBook-Pro-8:.docker cormachogan$
    Cormacs-MacBook-Pro-8:.docker cormachogan$ docker login 10.27.51.37 -u chogan
    Password:
    Login Succeeded
    Cormacs-MacBook-Pro-8:.docker cormachogan$
Excellent. Now I can push up whatever image I have been working on, and then push it into production on my Virtual Container Host. I’m just going to use a simple nginx image. First I’ll pull it down from Docker Hub, tag it and then push it out to Harbor. I won’t make any changes, but imagine that you have made some modifications specific to your requirements. I have pushed it to a project called cormac-proj, which is basically the repository that I am going to use for this nginx image on Harbor.
    Cormacs-MacBook-Pro-8:.docker cormachogan$ docker pull nginx
    Using default tag: latest
    latest: Pulling from library/nginx
    ff3d52d8f55f: Pull complete
    b05436c68d6a: Pull complete
    961dd3f5d836: Pull complete
    Digest: sha256:12d30ce421ad530494d588f87b2328ddc3cae666e77ea1ae5ac3a6661e52cde6
    Status: Downloaded newer image for nginx:latest
    Cormacs-MacBook-Pro-8:.docker cormachogan$ docker images
    REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
    nginx               latest              3448f27c273f        5 days ago          109 MB
    busybox             latest              00f017a8c2a6        2 months ago        1.11 MB
    neo4j               latest              794246f48249        7 months ago        377 MB
    hello-world         latest              c54a2cc56cbb        10 months ago       1.85 kB
    Cormacs-MacBook-Pro-8:.docker cormachogan$ docker tag 3448f27c273f cormac-nginx:latest
    Cormacs-MacBook-Pro-8:.docker cormachogan$ docker tag cormac-nginx:latest \
    10.27.51.37/cormac-proj/cormac-nginx:latest
    Cormacs-MacBook-Pro-8:.docker cormachogan$ docker push 10.27.51.37/cormac-proj/cormac-nginx:latest
    The push refers to a repository [10.27.51.37/cormac-proj/cormac-nginx]
    08e6bf75740d: Pushed
    f12c15fc56f1: Pushed
    8781ec54ba04: Pushed
    latest: digest: sha256:12d30ce421ad530494d588f87b2328ddc3cae666e77ea1ae5ac3a6661e52cde6 size: 948
    Cormacs-MacBook-Pro-8:.docker cormachogan$
Let’s now use the UI of Harbor to see this image in my repository:
Cool – looks like it is there. OK. So I’m now ready to put this into production with VIC. Let’s do that next. I will use a Windows docker client to do my VIC related stuff (as I’m making a distinction between the developer on the Mac and my VIC administrator with a Windows desktop). Of course, you could also use a Mac to manage VIC if you wish – all the necessary vic-machine components are available for that distro too.
    E:\vic> docker -H 10.27.51.36:2376 --tls images
    REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
    E:\vic> docker -H 10.27.51.36:2376 --tls pull \
    10.27.51.37/cormac-proj/cormac-nginx:latest
    Pulling from cormac-proj/cormac-nginx
    ff3d52d8f55f: Pull complete
    a3ed95caeb02: Pull complete
    b05436c68d6a: Pull complete
    961dd3f5d836: Pull complete
    Digest: sha256:12d30ce421ad530494d588f87b2328ddc3cae666e77ea1ae5ac3a6661e52cde6
    Status: Downloaded newer image for cormac-proj/cormac-nginx:latest
    E:\vic> docker -H 10.27.51.36:2376 --tls run -d -p 80:80 \
    10.27.51.37/cormac-proj/cormac-nginx
    16c3188f42ab7a30c6d3a04e328c952c08c1a226c39acb20c271ccb1567aad1d
    E:\vic> docker -H 10.27.51.36:2376 --tls ps
    CONTAINER ID   IMAGE                                  COMMAND                  CREATED              STATUS          PORTS                    NAMES
    16c3188f42ab   10.27.51.37/cormac-proj/cormac-nginx   "nginx -g daemon off;"   About a minute ago   Up 22 seconds   10.27.51.36:80->80/tcp   jovial_nightingale
    E:\vic>
Looks good – we were able to launch our nginx image that we pulled down from Harbor. The proof is in the pudding as they say, so let's point to port 80 on the VCH (10.27.51.36) and see if we get an nginx landing page (in the docker run command we requested that the container port 80 with nginx map to port 80 on the VCH for access):
Success! One thing I need to highlight is that VIC does not support the use of docker push via the VCH docker API endpoint in VIC. If I try to do a push via the VCH, I will get the following:
    E:\vic> docker -H 10.27.51.28:2376 --tls push 10.27.51.37/cormac-nginx:latest
    Error response from daemon: vSphere Integrated Containers does not yet implement image.PushImage
I spoke about this to my good pal Massimo once more, and he explained that right now, the best place to position VIC would be at the end of a manual or automated development process where the app just gets deployed (in production). So like I demonstrated here, the dev/test/QA cycle would be done in environments outside of VCH (such as Docker running on Mac for example) and then moved to VIC for production. However, that is not to say that the VIC team are not looking at this as a future use case. Stay tuned!
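The sessions above report the same manifest digest at the Docker Hub pull, the Harbor push and the VCH pull. As an added example (not part of the original post; the function and variable names are hypothetical), this script checks that continuity from saved transcript excerpts and prints a digest-pinned reference for the production pull, a useful check when the registry is reached through the insecure-registry setting and its certificate is not verified.

```shell
#!/bin/sh
# Added example, not from the original post. Function and variable names are
# hypothetical; the three transcripts are excerpts of the sessions above.

HUB_PULL='Digest: sha256:12d30ce421ad530494d588f87b2328ddc3cae666e77ea1ae5ac3a6661e52cde6
Status: Downloaded newer image for nginx:latest'
HARBOR_PUSH='latest: digest: sha256:12d30ce421ad530494d588f87b2328ddc3cae666e77ea1ae5ac3a6661e52cde6 size: 948'
VCH_PULL='Digest: sha256:12d30ce421ad530494d588f87b2328ddc3cae666e77ea1ae5ac3a6661e52cde6
Status: Downloaded newer image for cormac-proj/cormac-nginx:latest'

# Print each manifest digest found in a transcript, one per line. Matches both
# "Digest: sha256:..." (pull) and "latest: digest: sha256:... size: N" (push).
extract_digests() {
    printf '%s\n' "$1" | grep -Eio 'digest: sha256:[0-9a-f]{64}' | awk '{print $2}'
}

# Succeed (and print the digest) only if every transcript reports exactly one
# digest and all of them are identical. Returns 2 for a transcript without
# exactly one well-formed digest, 1 for a mismatch between stages.
promoted_digest() {
    expected=""
    for transcript in "$@"; do
        found=$(extract_digests "$transcript")
        count=$(printf '%s\n' "$found" | grep -c . || true)
        if [ "$count" -ne 1 ]; then
            echo "expected one digest, found $count" >&2
            return 2
        fi
        if [ -z "$expected" ]; then
            expected=$found
        elif [ "$found" != "$expected" ]; then
            echo "digest mismatch: $found != $expected" >&2
            return 1
        fi
    done
    printf '%s\n' "$expected"
}

# Build a digest-pinned reference (repository@sha256:...) for the production pull.
pinned_ref() {
    printf '%s@%s\n' "$1" "$2"
}

digest=$(promoted_digest "$HUB_PULL" "$HARBOR_PUSH" "$VCH_PULL") &&
    pinned_ref 10.27.51.37/cormac-proj/cormac-nginx "$digest"
```

Whether the VCH endpoint accepts a pull by digest is not covered in the post; the pinned reference uses the standard Docker `repository@sha256:...` form.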