Image management with VIC and Harbor

In this post, I wanted to play a little more with our registry product (Harbor) and how it integrated with vSphere Integrated Containers (VIC). The workflow that I am going to show you in this post is using Docker on MAC to pull an image from the docker hub, do whatever I need to do with that image/application, and then push out the updated version to my private Harbor registry. From my Harbor registry I am then going to pull that image down and run it on my production VCH (Virtual Container Host). The VCH provides my docker API endpoint in VIC.

I’ll begin with getting my MAC set up with Docker. Now I already have Docker installed on my MAC – Docker Community Edition version 17.03.1-ce-mac12 (17661) – so I first of all verified that I could log in to the Harbor registry from my MAC. Immediately I hit this issue:

Cormacs-MacBook-Pro-8:.docker cormachogan$ docker login 10.27.51.37 -u chogan
Password:
Error response from daemon: Get https://10.27.51.37/v1/users/: x509: certificate signed by unknown authority
Cormacs-MacBook-Pro-8:.docker cormachogan$

Ah – the good old x509 certificate issue. You might remember that I hit the same thing when trying to log in to Harbor via my VCH docker endpoint. I wrote about it here, and the solution was to include the CA cert from Harbor when I created my VCH. So how do I deal with it here? This time, the solution is to include the option --insecure-registry when starting the docker daemon on my MAC. However, Docker on MAC has another way of dealing with it. Simply click on the docker icon, select preferences:

Now add the IP address of the insecure registry under the Daemon option (which in my case is Harbor with self-signed certs):

Once Docker had restarted, I tried to see if I could now log in to the Harbor registry from my MAC.

Cormacs-MacBook-Pro-8:.docker cormachogan$
Cormacs-MacBook-Pro-8:.docker cormachogan$ docker login 10.27.51.37 -u chogan
Password:
Login Succeeded
Cormacs-MacBook-Pro-8:.docker cormachogan>

Excellent. Now I can push up whatever image I have been working on, and then push it into production on my Virtual Container Host. I’m just going to use a simple nginx image. First I’ll pull it down from docker hub, tag it and then push it out to Harbor. I won’t make any changes, but imagine that you have made some modifications specific to your requirements. I have pushed it to a project called cormac-proj, which is basically the repository that I am going to use for this nginx image on Harbor.

Cormacs-MacBook-Pro-8:.docker cormachogan$ docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
ff3d52d8f55f: Pull complete
b05436c68d6a: Pull complete
961dd3f5d836: Pull complete
Digest: sha256:12d30ce421ad530494d588f87b2328ddc3cae666e77ea1ae5ac3a6661e52cde6
Status: Downloaded newer image for nginx:latest

Cormacs-MacBook-Pro-8:.docker cormachogan$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
nginx               latest              3448f27c273f        5 days ago          109 MB
busybox             latest              00f017a8c2a6        2 months ago        1.11 MB
neo4j               latest              794246f48249        7 months ago        377 MB
hello-world         latest              c54a2cc56cbb        10 months ago       1.85 kB

Cormacs-MacBook-Pro-8:.docker cormachogan$ docker tag 3448f27c273f cormac-nginx:latest

Cormacs-MacBook-Pro-8:.docker cormachogan$ docker tag cormac-nginx:latest \
10.27.51.37/cormac-proj/cormac-nginx:latest

Cormacs-MacBook-Pro-8:.docker cormachogan$ docker push 10.27.51.37/cormac-proj/cormac-nginx:latest
The push refers to a repository [10.27.51.37/cormac-proj/cormac-nginx]
08e6bf75740d: Pushed
f12c15fc56f1: Pushed
8781ec54ba04: Pushed
latest: digest: sha256:12d30ce421ad530494d588f87b2328ddc3cae666e77ea1ae5ac3a6661e52cde6 size: 948
Cormacs-MacBook-Pro-8:.docker cormachogan$

Let’s now use the UI of Harbor to see this image in my repository:

Cool – looks like it is there. OK. So I’m now ready to put this into production with VIC. Let’s do that next. I will use a Windows docker client to do my VIC related stuff (as I’m making a distinction between the developer on the MAC and my VIC administrator with a Windows desktop). Of course, you could also use a MAC to manage VIC if you wish – all the necessary vic-machine components are available for that distro too.

E:\vic> docker -H 10.27.51.36:2376 --tls images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE

E:\vic> docker -H 10.27.51.36:2376 --tls pull \
10.27.51.37/cormac-proj/cormac-nginx:latest
Pulling from cormac-proj/cormac-nginx
ff3d52d8f55f: Pull complete
a3ed95caeb02: Pull complete
b05436c68d6a: Pull complete
961dd3f5d836: Pull complete
Digest: sha256:12d30ce421ad530494d588f87b2328ddc3cae666e77ea1ae5ac3a6661e52cde6
Status: Downloaded newer image for cormac-proj/cormac-nginx:latest

E:\vic> docker -H 10.27.51.36:2376 --tls run -d -p 80:80 \
10.27.51.37/cormac-proj/cormac-nginx
16c3188f42ab7a30c6d3a04e328c952c08c1a226c39acb20c271ccb1567aad1d

E:\vic> docker -H 10.27.51.36:2376 --tls ps
CONTAINER ID   IMAGE                                  COMMAND                  CREATED              STATUS          PORTS                    NAMES
16c3188f42ab   10.27.51.37/cormac-proj/cormac-nginx   "nginx -g daemon off;"   About a minute ago   Up 22 seconds   10.27.51.36:80->80/tcp   jovial_nightingale

E:\vic>

Looks good – we were able to launch our nginx image that we pulled down from Harbor. The proof is in the pudding as they say, so let’s point to port 80 on the VCH (10.27.51.36) and see if we get an nginx landing page (in the docker run command we requested that the container port 80 with nginx map to port 80 on the VCH for access):

Success! One thing I need to highlight is that VIC does not support the use of docker push via the VCH docker API endpoint in VIC. If I try to do a push via the VCH, I will get the following:

E:\vic> docker -H 10.27.51.28:2376 --tls push 10.27.51.37/cormac-nginx:latest
 Error response from daemon: vSphere Integrated Containers does not yet implement image.PushImage

I spoke about this to my good pal Massimo once more, and he explained that right now, the best place to position VIC would be at the end of a manual or automated development process where the app just gets deployed (in production). So like I demonstrated here, the dev/test/QA cycle would be done in environments outside of VCH (such as Docker running on MAC for example) and then moved to VIC for production. However, that is not to say that the VIC team are not looking at this as a future use case. Stay tuned!
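
Because the MAC client above talks to Harbor with --insecure-registry, which skips certificate verification for that registry, one check worth having is that the digest reported at push time matches the digest reported when the image is pulled through the VCH. The script below is an added example, not part of the original post or of VIC/Harbor; the function names are hypothetical, the two sample lines are copied from the sessions above, and whether the VCH endpoint accepts a digest-pinned reference is an assumption.

```shell
#!/usr/bin/env bash
# Added example: compare the digest docker printed on push (MAC -> Harbor)
# with the digest printed on pull (Harbor -> VCH) before running the image.

# Print the first sha256 digest found in docker push/pull output on stdin.
extract_digest() {
    grep -Eo 'sha256:[0-9a-f]{64}' | head -n 1
}

# Succeed only if both captured outputs carry the same well-formed digest.
digests_match() {
    local pushed pulled
    pushed=$(printf '%s\n' "$1" | extract_digest)
    pulled=$(printf '%s\n' "$2" | extract_digest)
    [ -n "$pushed" ] && [ "$pushed" = "$pulled" ]
}

# Turn a tagged reference into a digest-pinned one (repo@sha256:...).
# Docker Engine accepts this form; VCH support is an assumption here.
pinned_ref() {
    local ref=${1%@*} digest=$2 name prefix
    name=${ref##*/}              # last path component, may carry ":tag"
    prefix=${ref%"$name"}        # registry[:port]/project/ part, kept as-is
    printf '%s%s@%s\n' "$prefix" "${name%%:*}" "$digest"
}

# Sample lines taken from the push and VCH pull sessions in this post.
IMAGE='10.27.51.37/cormac-proj/cormac-nginx:latest'
PUSH_OUT='latest: digest: sha256:12d30ce421ad530494d588f87b2328ddc3cae666e77ea1ae5ac3a6661e52cde6 size: 948'
PULL_OUT='Digest: sha256:12d30ce421ad530494d588f87b2328ddc3cae666e77ea1ae5ac3a6661e52cde6'

if digests_match "$PUSH_OUT" "$PULL_OUT"; then
    digest=$(printf '%s\n' "$PULL_OUT" | extract_digest)
    echo "digest verified: $(pinned_ref "$IMAGE" "$digest")"
else
    echo "digest mismatch: do not run this image" >&2
fi
```

In practice the two arguments would be the captured output of the docker push on the developer machine and of the docker pull against the VCH.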