Building a secure Docker Host VM on VMware ESXi using LinuxKit & Moby

After DockerCon 2017 in Austin, TX, I raised a feature request titled “LinuxKit command to push vmware.vmdk to remote ESXi datastore”. Within a few weeks, the feature was introduced by the LinuxKit team. A special thanks goes to Daniel Finneran, who worked hard to get this feature merged into the LinuxKit main branch.

The LinuxKit project is 5 months old now. It has already bagged 3100+ stars, 69 contributors and 350+ forks to date. If you are new to it, LinuxKit is not a full host operating system: it primarily has two jobs, to run containerd containers and to be secure. It uses modern kernels and updates frequently following new releases. As such, the system does not contain extraneous packages or drivers by default. Because LinuxKit is customizable, it is up to individual operators to include any additional bits they may require.

LinuxKit is undoubtedly Secure

The core system components included in the LinuxKit userspace are key to security. They are written in type-safe languages such as Rust, Go and OCaml, and run with maximum privilege separation and isolation. The project is currently leveraging MirageOS to construct unikernels to achieve this, and that progress can be tracked here: as of this writing, dhcp is the first such type-safe program. There is ongoing work to remove more C components, and to improve, fuzz test and isolate the base daemons. Further rationale for the decision to rewrite system daemons in MirageOS is explained at length in this document. I am planning to come up with a blog post on the “LinuxKit Security” aspect. Keep an eye on this space.

Let’s talk about building a secure Docker Host VM…

I am a great fan of VMware PowerCLI. I have been using it since the time I was working full time at VMware Inc. (during the 2010-2011 timeframe). Today the quickest way to get VMware PowerCLI up and running is to use the Photon OS based Docker image. Just one Docker CLI command and you are already inside Photon OS, running PowerShell and PowerCLI to connect to a remote ESXi host and build up VMware infrastructure. Still, this might not give you a secure Docker host environment. If you are really interested in building a secure, portable and lean Docker host operating system, LinuxKit is the right tool. But how?

In this blog post, I am going to show how Moby and LinuxKit can help you build a secure Docker 17.07 host VM on top of VMware ESXi.

Pre-requisites:

  • VMware vSphere ESXi 6.x
  • Linux or MacOS with Go packages installed
  • Docker 17.06/17.07 installed on the system

The commands below have been executed on one of my local Ubuntu 16.04 LTS systems, which can reach the ESXi host without any issue.

Cloning the LinuxKit Repository:

git clone https://github.com/linuxkit/linuxkit

Building Moby & LinuxKit:

cd linuxkit
make

Configuring the right PATH for Moby & LinuxKit:

cp bin/moby /usr/local/bin
cp bin/linuxkit /usr/local/bin

A Peep into the vmware.yml File

The first 3 lines show a modern, securely configured kernel. The init section spins up containerd to run services. The onboot section runs dhcpcd for networking. The services section includes a getty service container for a shell and runs an nginx service container. The trust section indicates that all images are signed and verified.
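The file itself was only shown as a screenshot, so here is an added example of a vmware.yml laid out the way the paragraph describes (my reconstruction, not the file from the LinuxKit repository), together with a small Python check a reviewer would run before building: that every image the file references is covered by the trust section, and that the getty service is not configured for a passwordless console login. The image tags, the INSECURE=true setting on getty and the lint functions are assumptions made for the example; moby's own trust enforcement at build time remains the authority.

```python
import re

# Constructed example of a LinuxKit vmware.yml in the shape the post describes.
# The image tags are placeholders, not the tags moby would actually resolve.
VMWARE_YML = """\
kernel:
  image: linuxkit/kernel:4.9.x
  cmdline: "console=tty0 console=ttyS0"
init:
  - linuxkit/init:v0.1
  - linuxkit/runc:v0.1
  - linuxkit/containerd:v0.1
  - linuxkit/ca-certificates:v0.1
onboot:
  - name: sysctl
    image: linuxkit/sysctl:v0.1
  - name: dhcpcd
    image: linuxkit/dhcpcd:v0.1
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
services:
  - name: getty
    image: linuxkit/getty:v0.1
    env:
      - INSECURE=true
  - name: nginx
    image: nginx:alpine
    capabilities:
      - CAP_NET_BIND_SERVICE
      - CAP_CHOWN
      - CAP_SETUID
      - CAP_SETGID
      - CAP_DAC_OVERRIDE
trust:
  org:
    - linuxkit
  image:
    - nginx:alpine
"""

# Same file with nginx:alpine dropped from the trust section, to show the check firing.
UNTRUSTED_VARIANT = VMWARE_YML.replace("  image:\n    - nginx:alpine\n", "")

TOP_KEY = re.compile(r"^([a-z]+):\s*$")                       # unindented section key
IMAGE_VALUE = re.compile(r"^\s*(?:-\s*)?image:\s*(\S+)\s*$")  # 'image: ref' with a value
LIST_ITEM = re.compile(r"^\s*-\s*(\S+)\s*$")                  # '- item'
SERVICE_NAME = re.compile(r"^\s*-\s*name:\s*(\S+)\s*$")
TRUST_KEY = re.compile(r"^\s*(org|image):\s*$")
INSECURE_ENV = re.compile(r"^\s*-\s*INSECURE=true\s*$")


def sections(text):
    """Group lines by their top-level key; a subset parser that covers this layout."""
    out, current = {}, None
    for line in text.splitlines():
        m = TOP_KEY.match(line)
        if m:
            current = m.group(1)
            out[current] = []
        elif current is not None:
            out[current].append(line)
    return out


def referenced_images(text):
    """Every image the build would pull: 'image:' values plus the bare init entries."""
    images = [m.group(1) for line in text.splitlines() if (m := IMAGE_VALUE.match(line))]
    images += [m.group(1) for line in sections(text).get("init", []) if (m := LIST_ITEM.match(line))]
    return images


def trusted(text):
    """(orgs, images) listed under trust:, i.e. what moby requires to be signed."""
    orgs, images, key = [], [], None
    for line in sections(text).get("trust", []):
        m = TRUST_KEY.match(line)
        if m:
            key = m.group(1)
            continue
        m = LIST_ITEM.match(line)
        if m and key == "org":
            orgs.append(m.group(1))
        elif m and key == "image":
            images.append(m.group(1))
    return orgs, images


def untrusted_images(text):
    """Images referenced by the file that neither a trusted org nor a pinned image covers."""
    orgs, pinned = trusted(text)
    bad = []
    for img in referenced_images(text):
        org = img.split("/", 1)[0] if "/" in img else None
        if img not in pinned and org not in orgs:
            bad.append(img)
    return bad


def insecure_getty(text):
    """True if the getty service sets INSECURE=true (root shell on the console without a password)."""
    name = None
    for line in sections(text).get("services", []):
        m = SERVICE_NAME.match(line)
        if m:
            name = m.group(1)
            continue
        if name == "getty" and INSECURE_ENV.match(line):
            return True
    return False


def lint(text):
    return {"images": referenced_images(text),
            "untrusted": untrusted_images(text),
            "insecure_getty": insecure_getty(text)}


if __name__ == "__main__":
    for label, doc in (("vmware.yml", VMWARE_YML), ("variant", UNTRUSTED_VARIANT)):
        print(label, lint(doc))
```

Run against the file above, the check reports no untrusted images but does flag the getty container, which is convenient for a lab VM and should be dropped, or its INSECURE setting removed, before the image is treated as a hardened Docker host. The variant shows what a missing trust entry looks like: nginx:alpine has no org prefix, so it must be listed explicitly under trust.image.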

Building the VMware ISO Image using Moby

moby build -output iso-bios -name vmware vmware.yml

Pushing the VMware ISO Image to the remote ESXi datastore

linuxkit push vcenter -datastore=datastore1 -hostname=myesxi.dell.com -url https://root:xxx@100.98.x.x/sdk -folder=linuxkit vmware.iso

Usage of linuxkit push vcenter:

Running a secure VM directly from the ESXi datastore using LinuxKit

dell@redfish-ubuntu:~/linuxkit/examples$ sudo linuxkit run vcenter -cpus 8 -datastore datastore1 -mem 2048 -network 'VM Network' -hostname myesxi.dell.com -powerOn -url https://root:xxx@100.98.x.x/sdk vmware.iso
Creating new LinuxKit Virtual Machine
Adding ISO to the Virtual Machine
Adding VM Networking
Powering on LinuxKit VM
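Both the push and the run commands above put the vCenter credentials inside the -url argument, which means the password lands in the shell history and in any log that records the command line. As an added example (mine, not part of the LinuxKit CLI), the wrapper below reads the credentials from environment variables, percent-encodes them so a password containing “@”, “/” or “:” cannot corrupt the URL, and redacts the password before the command is logged. The variable names VCENTER_HOST, VCENTER_USER and VCENTER_PASSWORD are assumptions for this script; the linuxkit tool itself does not read them.

```python
import os
import subprocess
from urllib.parse import quote, urlsplit, urlunsplit

# Added helper around 'linuxkit push vcenter'; the env var names are this
# script's own convention, not something the linuxkit CLI understands.


def sdk_url(host: str, user: str, password: str) -> str:
    """Build the vSphere SDK URL that linuxkit expects, percent-encoding the
    credentials so reserved characters in the password cannot break parsing."""
    return f"https://{quote(user, safe='')}:{quote(password, safe='')}@{host}/sdk"


def redact(url: str) -> str:
    """Return the URL with the password replaced by '***'; non-URL arguments pass through."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    netloc = f"{parts.username}:***@{parts.hostname}"
    if parts.port:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def push_command(iso: str, url: str, datastore: str, hostname: str, folder: str) -> list:
    """argv for 'linuxkit push vcenter', mirroring the flags used in the post."""
    return ["linuxkit", "push", "vcenter", f"-datastore={datastore}",
            f"-hostname={hostname}", "-url", url, f"-folder={folder}", iso]


def push_argv_from_env(iso: str, datastore: str, hostname: str, folder: str) -> list:
    """Assemble the command without the password ever being typed on a command line."""
    url = sdk_url(os.environ["VCENTER_HOST"], os.environ["VCENTER_USER"],
                  os.environ["VCENTER_PASSWORD"])
    return push_command(iso, url, datastore, hostname, folder)


if __name__ == "__main__":
    argv = push_argv_from_env("vmware.iso", "datastore1", "myesxi.dell.com", "linuxkit")
    # Only the redacted form reaches stdout or a log file.
    print("running:", " ".join(redact(a) for a in argv))
    subprocess.run(argv, check=True)
```

This keeps the password out of shell history and log output, but not out of the process list: for as long as linuxkit runs, the -url argument is visible to other local users via ps, so the host running the push should be one you trust.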

Now let us verify that the VM is up and running using either the VMware vSphere Client or the SDK URL.

You will find that the VM has already booted with the latest Docker 17.07 platform up and running.

Building a Docker Host VM using Moby & LinuxKit

In case you want to build a Docker host VM, you can refer to the vmware.yml file below:

Just re-run the command below to get the new VM image:

moby build -output iso-bios -name vmware docker-vmware.yml

Follow the steps above to push it to the remote datastore and run it using LinuxKit. You now have a secured Docker 17.07 host ready to build Docker images and application stacks.

How about building a Photon OS based Docker image using Moby and LinuxKit? Once you build it and push it to a VM, it is all ready to build virtual infrastructure. Interesting, isn’t it?

Did you find this blog helpful? Feel free to share your experience. Get in touch @ajeetsraina

If you are interested in contributing or discussing, join me on the Docker Community Slack channel.

Building Docker For Mac 17.06 Community Edition using Moby & LinuxKit

Docker for Mac 17.06 CE is the first Docker version built entirely on the Moby Project. In case you’re new to it, Moby is an open framework created by Docker, Inc. to assemble specialised container systems. It comprises three basic elements: a library of containerised backend components (e.g., a low-level builder, logging facility, volume management, networking, image management, containerd, SwarmKit); a framework for assembling the components into a standalone container platform, with tooling to build, test and deploy artifacts for these assemblies; and a reference assembly, called Moby Origin, which is the open base for the Docker container platform, as well as examples of container systems using various components from the Moby library or from other projects.

Docker for Mac is a Docker Community Edition (CE) app that aims for a native OSX experience working with existing developer workflows. The Docker for Mac install package includes everything you need to run Docker on a Mac. A few of the attractive features it includes:

  • Easy drag-and-drop installation, and auto-updates to get the latest Docker.
  • Secure, sandboxed virtualisation architecture without elevated privileges.
  • Native networking support, with VPN and network sharing compatibility.
  • File sharing between container and host: uid mapping, inotify events, etc.

The core building blocks for Docker for Mac include:

  • Virtualisation
  • Networking
  • Filesystem

Some notable components include:

  • HyperKit, a toolkit for embedding hypervisor capabilities in your application
  • DataKit, a tool to orchestrate applications using a 9P dataflow
  • VPNKit, a set of tools and services for helping HyperKit VMs interoperate with host VPN configurations

[Component diagrams for HyperKit, DataKit and VPNKit; source ~ Docker Inc.]

If you want to learn more details about these components, this should be the perfect guide.

LinuxKit today supports multiple cloud platforms such as AWS, Google Cloud Platform, Microsoft Azure and VMware. In terms of local hypervisors, it supports HyperKit, VMware, KVM and Microsoft Hyper-V too.

If you have closely watched the LinuxKit repository, a new directory called blueprint has been introduced, which will contain the blueprints for base systems on the platforms that LinuxKit will support. These are targeted to include all the platforms that Docker has editions on, and all platforms that the Docker community supports. All the initial testing work will be done under examples/ and then pushed to the blueprints/ directory as shown.

Currently, the blueprint/ directory holds the essential files for Docker for Mac 17.06 CE:

  • base.yml => contains the open source components for Docker for Mac.
  • docker-17.06-ce.yml => the YAML file needed to build the VM image.

The blueprint has support for controlling dockerd from the host via vsudd and port forwarding with VPNKit. It requires HyperKit, VPNKit and a Docker client on the host to run.

File: docker-17.06-ce.yml

The VPNKit-specific enablement comes from the YAML code below:

File: base.yml

Use the Moby tool to build it with Docker 17.06:

moby build -name docker4mac base.yml docker-17.06-ce.yml

This will produce a couple of files under the docker4mac-state directory as shown below:

Next, we can run the LinuxKit command to start the VM with a 1024M disk:

linuxkit run hyperkit -networking=vpnkit -vsock-ports=2376 -disk size=1024M docker4mac

By now, you should be able to see docker4mac VM booting up smoothly:

You can open a new terminal to see the overall directory/file tree structure:

Let us try listing the service containers using the ctr containers ls command. It should show the Docker for Mac 17.06 service container as shown below:

Run the ctr tasks ls command to get the list of running tasks for the service containers:

Now it is easy to enter the docker-dfm service container with the command below:

ctr exec -t --exec-id 861 docker-dfm sh

You can verify further information with the docker info command:

How to connect to docker-dfm from another terminal?

Using another terminal, it is pretty easy to access Docker via the socket guest.00000948 in the state directory (docker4mac-state/ by default) with the command below; 00000948 is the hexadecimal form of port 2376, the port forwarded earlier with -vsock-ports=2376:

docker -H unix://docker4mac-state/guest.00000948 images

Let us create an Nginx Docker container and see if it is accessible from the Safari browser:

Find out more about what’s happening in the LinuxKit project by visiting this link.