Post Dockercon 2017 @ Austin TX, I raised a feature request titled “LinuxKit command to push vmware.vmdk to remote ESXi datastore”. Within few weeks time, the feature was introduced by LinuxKit team. A Special thanks goes to Daniel Finneran who worked hard to get this feature merged into the LinuxKit main branch.
LinuxKit project is 5 month old now. It has already bagged 3100+ stars, added up 69 contributors and 350+ forks till date. If you are pretty new, LinuxKit is not a full host operating system, as it primarily has two jobs: run containerd containers, and be secure. It uses modern kernels, and updates frequently following new releases. As such, the system does not contain extraneous packages or drivers by default. Because LinuxKit is customizable, it is up to individual operators to include any additional bits they may require.
LinuxKit is undoubtedly Secure
The core system components included in LinuxKit userspace are key to security, and written in type safe languages, such as Rust, Go and OCaml, and run with maximum privilege separation and isolation. The project is currently leveraging MirageOS to construct unikernels to achieve this, and that progress can be tracked here: as of this writing,
dhcp is the first such type safe program. There is ongoing work to remove more C components, and to improve, fuzz test and isolate the base daemons. Further rationale about the decision to rewrite system daemons in MirageOS is explained at length in this document. I am planning to come up with blog post to brief on “LinuxKit Security” aspect. Keep an eye on this space in future..
Let’s talk about building a secure Docker Host VM…
I am a great fan of VMware PowerCLI. I have been using it since the time I was working full time in VMware Inc.(during 2010-2011 timeframe). Today the most quickest way to get VMware PowerCLI up and running is by using PhotonOS based Docker Image. Just one Docker CLI and you are already inside Photon OS running PowerShell & PowerCLI to connect to remote ESXi to build up VMware Infrastructure. Still this mightn’t give you a secure Docker host environment. If you are really interested to build a secure, portable and lean Docker Host operating system, LinuxKit is the right tool. But how?
Under this blog post, I am going to show how Moby & LinuxKit can help you in building a secure Docker 17.07 Host VM on top of VMware ESXi.
- VMware vSphere ESXi 6.x
- Linux or MacOS with Go packages installed
- Docker 17.06/17.07 installed on the system
The below commands has been executed on one of my local Ubuntu 16.04 LTS system which can reach out to ESXi system flawlessly.
Cloning the LinuxKit Repository:
$git clone https://github.com/linuxkit/linuxkit
Building Moby & LinuxKit:
Configuring the right PATH for Moby & LinuxKit
$cp bin/moby /usr/local/bin
$cd bin/linuxkit /usr/local/bin
A Peep into vmware.yml File
The first 3 lines shows modern, securely configured kernel. The init section spins up containerd to run services. The onboot section allows dhcpd for networking. The services includes getty service container for shell, runs nginx service container. The trust section indicates all images signed and verified.
Building VMware ISO Image using Moby
$moby build -output iso-bios -name vmware vmware.yml
Pushing VMware ISO Image to remote ESXi datastore
$linuxkit push vcenter -datastore=datastore1 -hostname=myesxi.dell.com -url https://root:email@example.com/sdk -folder=linuxkit vmware.iso
Usage of linuxkit push vcenter :-
Running a secure VM directly from the ESXi datastore using LinuxKit
dell@redfish-ubuntu:~/linuxkit/examples$ sudo linuxkit run vcenter -cpus 8 -datastore datastore1 -mem 2048 -network ‘VM Network’ -hostname myesxi.dell.com -powerOn -url https://root:firstname.lastname@example.org/sdk vmware.iso
Creating new LinuxKit Virtual Machine
Adding ISO to the Virtual Machine
Adding VM Networking
Powering on LinuxKit VM
Now let us verify that VM is up and running using either VMware vSphere Client or SDK URL.
You will find that VM is already booted up with the latest Docker 17.07 platform up and running.
Building a Docker Host VM using Moby & LinuxKit
In case you want to build a Docker Host VM, you can refer to the below vmware.yml file:
Just re-run the below command to get the new VM image:
$moby build -output iso-bios -name vmware docker-vmware.yml
Follow the above steps to push it to remote datastore and run it using LinuxKit. Hence, you have a secured Docker 17.07 Host ready to build Docker Images and build up application stack.
How about building Photon OS based Docker Image using Moby & LinuxKit? Once you build it and push it to VM , its all ready to build Virtual Infrastructure. Interesting, Isn’t it?
Did you find this blog helpful? Feel free to share your experience. Get in touch @ajeetsraina.
If you are looking out for contribution/discussion, join me at Docker Community Slack Channel.