Docker

Integrating Github Actions with vSphere and VMware Cloud on AWS

04/01/2019 by William Lam Leave a Comment

I have always been a fan of event-driven automation, the idea where you can automatically trigger a workflow or an operation based on a specific event. In the consumer world, the most popular example is the If This, Then That (IFTTT) service, which I use on a regular basis to automate the sharing of new articles from virtuallyGhetto to different Social Media channels.

For the Enterprise, this is also not a new idea and many folks including myself have been doing this for years in vSphere using vCenter Server Alarms. In fact, one example I still reference on a regular basis is from 2012 where you automatically apply a set of vSphere Security Hardening configurations to a Virtual Machine when a new VM Create Event is published by vCenter.

There are countless more examples of this concept beyond VMware but the general idea is to be able to subscribe to specific events and then automatically do something when a given event occurs. When Github Actions (Beta) was announced last year, I was really interested as I think this could open the door for a ton of interesting possibilities, especially from a VMware perspective around Continuous Integration/Development (CI/CD). I quickly registered for the Beta but did not get access until the start of this year. If you want to know what Github Actions can do, check out some of these demos that have been built by various folks from the community. The really exciting thing about Github Actions is that you can literally execute any workflow as long as you can containerized your business logic within a Docker Container. This means, you can use any language or tool that you are familiar with and make this work with Github Actions, pretty powerful stuff!

It was only recently while working on a personal project, which I hope will make its way to VMworld, that I finally got a chance to dig into Github Actions. I noticed in many of the online Github Action examples, that it included ways to deploy applications and containers to a Public Cloud but there was nothing that I found related to VMware. I figured, this would be a good learning opopournity for myself and I could even learn how to build my own Actions which can be useful for others to use or extend further.

Quick Tip – Creating a multiline Dockerfile using heredoc w/variable substitution

04/26/2017 by William Lam 1 Comment

I was helping out a fellow colleague yesterday who was having some troubles handling a multiline echo statement within his Dockerfile. There are multiple ways in which you can create multiline Dockerfiles, the web is full of examples from using multiple echo statements (pretty ugly) to using heredocs which is easier to read and manage. The challenge was that he also wanted to substitute some variables into his multiline statement which apparently there were no examples online, at least neither of us could find.

Taking a closer look, I found that we can just leverage Bash's ANSI-C Quoting syntax $'string' to do what we want, which was actually something new to me as well. You can then pass in the variable like you normally would between the strings and that would give you the readability of heredocs and still be able to use Docker variables. I am sure there are other methods with more extensive escapes with single-ticks, but I also prefer a solution that is easy to read and use in case others need to manage it.

Here is a quick sample Dockerfile which demonstrates how this works:

FROM photon:1.0

ARG BASEURL="https://vmware.bintray.com/powershell"

RUN echo $'[powershell]\n\
name=VMware Photon Linux 1.0(x86_64)\n\
baseurl='$BASEURL$'\n\
gpgcheck=0\n\
enabled=1\n\
skip_if_unavailable=True\n '\
>> /etc/yum.repos.d/powershell.repo

CMD ["/bin/bash"]

FROM photon:1.0

ARG BASEURL="https://vmware.bintray.com/powershell"

RUN echo $'[powershell]\n\

name=VMware Photon Linux 1.0(x86_64)\n\

baseurl='$BASEURL$'\n\

gpgcheck=0\n\

enabled=1\n\

skip_if_unavailable=True\n '\

>> /etc/yum.repos.d/powershell.repo

CMD ["/bin/bash"]

Basically the echo statement has $'SOME-STRING'$VARIABLE$'SOME-STRING'

If we build and run this Docker image, we can see that we have properly substituted the BASEURL variable into our file as seen in the screenshot below.

docker build -t sample .
docker run --rm -it sample cat /etc/yum.repos.d/powershell.repo

I personally prefer to keep such logic within a separate script which the Dockerfile can reference, but I was also sympathetic to that fact that my colleague wanted to keep things simple and just have everything within the Dockerfile. I figure I would share this in case other comes across this problem as well as benefiting myself as I will probably forget in a months time 🙂

Easily try out vSAN 6.6 Encryption feature using KMIP Docker Container

04/14/2017 by William Lam 3 Comments

One of biggest feature introduced in the upcoming vSAN 6.6 release is the native vSAN Data-at-Rest Encryption capability. My good friend Duncan Epping even posted a video recently demo'ing the feature and showing how easy it is to enable with just a couple of clicks. Just like VM Encryption which was introduced in vSphere 6.5, vSAN Encryption also requires a Key Management Interoperability Protocol (KMIP) Server which needs to be associated with your vCenter Server.

The really nice thing about this is that because both VM Encryption and vSAN Encryption uses the exact same encryption library, as long as you have a supported KMS (which you can find over on the VMware KMS HCL here, more are being certified and added), you can actually leverage the same KMS for both types of encryption across different vSphere Clusters with different requirements. For the ultra paranoid, you could even "double" encrypt by running Encrypted VMs on top of a vSAN Encrypted Datastore 😉

As with any feature that relies on 3rd party tools, it can take some time to acquire evaluational licenses. For those of you who would like to try out either vSAN or VM Encryption from a functional standpoint, you can quickly get started in under a few minutes by using the KMIP Docker Container that I had built last year. This is a great way to familiarize yourself with the workflow or even try out some of the new vSphere and vSAN APIs if you plan to automate the KMIP configuration or even deployment of encrypted VMs. Another great use case for this is doing live demos and all you need is just a couple of Nested ESXi VMs and a Docker Container Host like Photon OS or even just your laptop for example. Below are the instructions on how to get started.

Disclaimer: It is also very important to note that you should NOT be using this for any production workloads or any VMs that you care about. For actual production deployments of VM Encryption or vSAN Encryption, you should be leveraging a production grade KMIP Server as PyKMIP stores the encryption keys in memory and will be lost upon a restart. This will also be true even for the virtual appliance, so this is really for quick evaluational purposes, do NOT run anything important that you care about due to the risks mentioned earlier.

VUM UMDS Docker Container for vSphere 6.5

12/07/2016 by William Lam Leave a Comment

Early last week, I had published an article on how to automate the deployment of VUM's Update Manager Download Service (UMDS) in vSphere 6.5 for an Ubuntu 14.04 distribution. The interesting backstory to that script is that it started from a Docker Container that I had initially built for the VUM UMDS. I found that being able to quickly spin up UMDS instance using a Docker Container purely from a testing standpoint was much easier than needing to deploy a full VM, especially as I have Docker running on my desktop machines. Obviously, there are limitations with using a Docker Container, especially if you plan to use UMDS for a longer duration and need persistence. However, for quick lab purposes, it may just fit the bill and even with Docker Containers, you can use Docker Volumes to help persist the downloaded content.

You can find the Dockerfile and its respective scripts on my Github repo here: https://github.com/lamw/vum-umds-docker

Below are the instructions on how to use the VUM UMDS Docker Container.

5 ways to a run PowerCLI script using the PowerCLI Docker Container

10/25/2016 by William Lam 3 Comments

In case you missed the exciting update last week, the PowerCLI Core Docker Container is now hosted on Docker Hub. With just two simple commands you can now quickly spin up a PowerCLI environment in under a minute! This is really useful if you need perform a couple of operations using the cmdlets interactively and then discarding the environment once you are done. If you want to do something more advanced like run an existing PowerCLI script as well as potentially persist its output (Docker Containers are stateless by default), then there are few options to consider.

To better describe the options, lets use the following scenario. Say you have a Docker Host, this can be a VMware's Photon OS or a Microsoft Windows, Linux or Mac OS X system which has the Docker Client running. The Docker Host is where you will run the PowerCLI Core Docker Container and it also has access to a collection of PowerCLI scripts that you have created or downloaded else where. Lets say the location of these PowerCLI scripts are located in /Users/lamw/scripts and you would like them to be available within the PowerCLI Core Docker Container when it is launched, say under /tmp/scripts.

Here is a quick diagram illustrating the scenario we had just discussed.

Here are 5 different ways in which you can run your PowerCLI scripts within the Docker Container. Each will have its pros/cons and I will be using real sample scripts to exercise each of the options. You can download all the sample scripts in my Github repository: powerclicore-docker-container-samples

Note: Before getting started, please familiarize yourself with launching the PowerCLI Core Docker Container which you can read more about here. In addition, you will need access to either a vCenter Server or ESXi host environment and also please create a tiny "Dummy" VM called DummyVM which we will be using to update its Notes field with the current time.

UPDATE (04/11/18) - Microsoft has GA'ed PowerShell Core, one of the changes is the name of the PS binary from powershell to pwsh. For entrypoint parameter, you will need to specify /usr/bin/pwsh rather than /usr/bin/powershell

Option 1:

This is the most basic and easiest method. You literally run a PowerCLI script that already contains all of the necessary information hardcoded within the script itself. This means things like credentials as well as user input that is required can be found within the script. This is obviously simple but makes it very inflexible as you would need to edit the script before launching the container. Another downside is that you now have your vSphere credentials hardcoded inside of the script which is also not ideal from a security standpoint.

To exercise example 1, please edit the pcli_core_docker_sample1.ps1 script and update it with your environment credentials and then run the following command:

docker run --rm -it \
-v /Users/lamw/scripts:/tmp/scripts vmware/powerclicore /tmp/scripts/pcli_core_docker_sample1.ps1

If executed correctly, the Docker container should launch, connect to your vSphere environment, update the notes field of DummyVM with the current time and then exit. Pretty straight forward and below is a screenshot of this example.

Option 2:

Nobody likes hardcoding values, especially when it comes to endpoints and credentials. This next method will allow us to pass in variables from the Docker command-line and make them available to the PowerCLI scripts inside of the container as OS environmental variables. This allows for greater flexibility then the previous option but the downside is that you may potentially be exposing credentials in plaintext which can be inspected by others who can perform docker run/inspect commands. You also need to update your existing PowerCLI scripts to handle the environmental variable translation which may not be ideal if you have a lot of pre-existing scripts.

To exercise example 2, run the following command and specify your environmental credentials in the command-line instead:

docker run --rm -it \
-e VI_SERVER=192.168.1.150 \
-e VI_USERNAME=administrator@vghetto.local \
-e VI_PASSWORD=VMware1! \
-e VI_VM=DummyVM \
-v /Users/lamw/scripts:/tmp/scripts vmware/powerclicore /tmp/scripts/pcli_core_docker_sample2.ps1

If executed correctly, you will see that the variables that we have defined are passed into the container and we are now able to make use of them within the PowerCLI script by simply accessing the respective environmental variable names as shown in the screenshot below.

Option 3:

If you have created some PowerCLI scripts which already prompt for user input which can include also include credentials, then another way to run those script is to do so interactively. If the parameters are required for a given script, then it should prompt for input. The benefit here is that you can reuse your existing PowerCLI scripts without needing to make any modifications even when executing it within a Docker container. You are also not exposing any credentials in plaintext. To take this step further, you could also implement the secure string feature in PowerShell but that would still require you to include a small snippet in your PowerCLI script to do the appropriate decoding when connecting.

To exercise example 3, run the following command and specify your environmental credentials in the command-line instead:

docker run --rm -it \
-v /Users/lamw/scripts:/tmp/scripts vmware/powerclicore /tmp/scripts/pcli_core_docker_sample3.ps1

If executed correctly, you will be prompted for the expected user inputs to the script and then it will perform the operation as shown in the screenshot below.

Option 4:

Similiar to Option 3, if you have defined parameters to your PowerCLI script, you can also just specify them directly in the Docker command-line just like you would if you were to manually run the PowerCLI script in a Windows environment. Again, the benefit here is that you can reuse your existing PowerCLI scripts without any modifications. You do risk exposing any credentials if you are passing it through the command-line, but the risk was known as you are already doing that with your existing scripts. A downside to this option is if your PowerCLI script accepts quite a few parameters, your Docker run command can get quite long. You may just consider prompting for endpoint/credentials and the rest of the user input can then be passed in dynamically if you were to go with this option.

To exercise example 4, run the following command and specify your environmental credentials in the command-line instead:

docker run --rm -it \
-v /Users/lamw/scripts:/tmp/scripts vmware/powerclicore /tmp/scripts/pcli_core_docker_sample3.ps1 -VI_SERVER 192.168.1.150 -VI_USERNAME administrator@vghetto.local -VI_PASSWORD VMware1! -VI_VM DummyVM

Option 5:

The last option is a nice compromise of the above in which you can continue leveraging your existing scripts but providing a better way of sending in things like credentials. As I mentioned before, Docker Volumes allows us to make directories and files available from our Docker Host to the Docker Container. This not only allows us to make our PowerCLI scripts available from within the container but it can also be used to provide access to other things like simply sourcing a credentials file. This method works on a per-individual basis running the container without any major modification to your existing scripts, you simply just need to source the credential file at the top of each script. Best of all, you are not exposing any sensitive information

Note: Some of you might be thinking about PowerCLI's credential store and seeing how that might be a better solution but currently today that has not been implemented yet in PowerCLI Core which is really leveraging Microsoft's credential store feature. Once that has been implemented in .NET Core, I am sure the PowerCLI team can then add that capability which is probably the recommended and preferred option both from a security perspective as well as Automation standpoint.

To exercise example 5, edit the credential.ps1 file and update it with your environmental credentials and run the following command:

docker run --rm -it \
-v /Users/lamw/scripts:/tmp/scripts vmware/powerclicore /tmp/scripts/pcli_core_docker_sample4.ps1 -VI_VM DummyVM

If executed correctly, the same variables in the credentials file will then be loaded into the PowerCLI script context and run the associated operations and exit.

As you can see, there are many different ways in which you can run your existing PowerCLI scripts using the new PowerCLI Core Docker Container. Hopefully this article gives you a good summary along with some real world examples to consider. Given this is still an active area of development by the PowerCLI team, if you have any feedback or suggestions, please do leave a comment. I know the Alan (PM) as well as the engineers are very interested in hearing your feedback and seeing how else we could better improve the user experience of both PowerCLI Core as well as consuming PowerCLI Core through these various interfaces.

UPDATE (10/25/16) - It looks like PowerCLI Core Docker Container has been updated with my suggestion below, so you no longer need to specify the --entrypoint parameter 🙂

One finale note, right now the PowerCLI Core Docker Container does not automatically startup the Powershell process when it is launched. This is why we have the --entrypoint='/usr/bin/powershell' command appended to the Docker command-line. If you prefer to have Powershell start up which will automatically load the PowerCLI module, you can check out my updated PowerCLI Core Docker Container: lamw/powerclicore which uses the original as a base with one tiny modification. Perhaps this is something Alan and the team would consider making as a default in the future? 🙂

How to run a Docker Container on the vCenter Server Appliance (VCSA) 6.5?

10/24/2016 by William Lam 6 Comments

One of the most notable changes in the vCenter Server Appliance (VCSA) in vSphere 6.5 is a switch of the underlying OS from SLES to VMware's very own Photon OS. With this change, VMware will now own the entire software stack within the VCSA (OS + Application). This will allow VMware to quickly respond and deliver OS and security updates to customers at a much quicker rate than it was possible before.

During my testing of the VCSA, I had a need to spin up a Docker Container. Given that the VCSA is now Photon OS based, this should be a pretty trivial thing to enable as it is with a standalone installation of Photon OS. After a bit of trial/error, I found what was needed to get this working on the VCSA. Before jumping into the solution, I should say that this is really for lab and educational purposes. In general, I would NOT recommend installing additional software on the VCSA, not only is this NOT supported by VMware but you may also potentially be impacting your vCenter Server by taking resources away from the main application. It is possible to constrain the amount of resources (CPU/Memory) allocated to the Docker Container, please refer to this resource for more information.

For smaller customers, the argument is that I can just run everything on a single system but in reality there are many benefits to having a separate management VM which can be Photon OS or any other OS that your organization supports. You can install additional management tools/scripts and you would not be artificially limited by the VCSA's environment which is really locked down to what is absolutely needed to run the vCenter Server application and its services.

Disclaimer: This is not officially supported by VMware, please use at your own risk.

Given that PowerCLI Core (Linux and Mac OS X) was just recently released, which also includes a Docker Container, I figure this would be a nice example to start with as I know a few of you have asked about this possibility 🙂

Step 1 - Install Docker by running the following command (you will need access to the internet either direct or proxy access from the VCSA)

tdnf -y install docker

Step 2 - Load the following kernel module which will allow us to start the Docker client by running the following command:

insmod /usr/lib/modules/$(uname -r)/kernel/net/bridge/bridge.ko

Note: The above command does not persist across reboots. If you would like to persist this configuration, please refer to the instructions at the very bottom.

Step 3 - Enable and start the Docker Client by running the following command:

systemctl enable docker
systemctl start docker

Step 4 - Pull down the PowerCLI Core Docker Image from Docker Hub by running the following command:

docker pull vmware/powerclicore

Step 5 - Start the PowerCLI Core Docker Container by running the following command:

docker run --rm -it --entrypoint='/usr/bin/powershell' vmware/powerclicore

As you can see from the screenshot above, you now have PowerShell and the PowerCLI module loaded running as a Docker Container on the VCSA 🙂 You can apply this to any Docker Container that you have created or pulling it directly from Docker Hub. If you prefer to build the PowerCLI Core Docker Container from the Dockerfile, you simply just need to download and extract the PowerCLI Core zip file onto the VCSA and then run the following command:

docker build -t vmware/powercli .

How to persist bridge module load across reboots:

Step 1 - Edit /etc/modprobe.d/modprobe.conf and remove the "install bridge /bin/false" entry.

Step 2 - Create a new file called /etc/modules-load.d/bridge.conf which contains the word "bridge" (no quotes). When the system boots up, it will iterate through all the module configuration file and load the respective modules. The bridge module is what is needed to start the Docker Daemon.