A couple of weeks ago, I got an early sneak peak at some of the work that was being done in VMware's Storage and Availability Business Unit (SABU) on providing storage persistency for Docker Containers in a vSphere based environment. Today, VMware has open sourced a new Docker Volume Driver for vSphere (Tech Preview) that will enable customers to easily take advantage of their existing vSphere Storage (VSAN, VMFS and NFS) and provide persistent storage access to Docker Containers running on top of the vSphere platform. Both the Developers and vSphere Administrators will have familiar interfaces in how they manage and interact with these Docker Volumes from vSphere, which we will explore further below.
The new Docker Volume Driver for vSphere is comprised of two components: The first is the vSphere Docker Volume Plugin that is installed inside of a Docker Host (VM) that will allow you to instantiate new Docker Volumes. The second is the vSphere Data Volume Driver that is installed in the ESXi Hypervisor host that will handle the VMDK creation and the mapping of the Docker Volume request back to the Docker Hosts. If you have shared storage on your ESXi hosts, you can have a VM on one ESXi host create a Docker Volume and have a completely different VM on another ESXi host mount the exact same Docker Volume. Below is diagram to help illustrate the different components that make up the Docker Volume Driver for vSphere.
Below is a quick tutorial on how to get started with the new Docker Volume Driver for vSphere.
Pre-Requisites
- vSphere ESXi 6.0+
- vSphere Storage (VSAN, VMFS or NFS) for ESXi host (shared storage required for multi-ESXi host support)
- Docker Host (VM) running Docker 1.9+ (recommend using VMware Photon 1.0 RC OVA but Ubuntu 10.04 works as well)
Getting Started
Step 1 - Download the vSphere Docker Volume Plugin (RPM or DEB) and vSphere Docker Volume Driver VIB for ESXi
Step 2 - Install the vSphere Docker Volume Driver VIB in ESXi by SCP'ing the VIB to the ESXi and then run the following command specifying the full path to the VIB:
esxcli software vib install -v /vmware-esx-vmdkops-0.1.0.tp.vib -f
Step 3 - Install the vSphere Docker Volume Plugin by SCP'ing the RPM or DEB file to your Docker Host (VM) and then run one of the following commands:
rpm -ivh docker-volume-vsphere-0.1.0.tp-1.x86_64.rpm
dpkg -i docker-volume-vsphere-0.1.0.tp-1.x86_64.db
Creating Docker Volumes on vSphere (Developer)
To create your first Docker Volume on vSphere, a Developer would only need access to a Container Host (VM) like PhotonOS for example that has the vSphere Docker Volume Plugin installed. They would then use the familiar Docker CLI to create a Docker Volume like they normally would and there is nothing they need to know about the underlying infrastructure.
Run the following command to create a new Docker Volume called vol1 with the capacity of 10GB using the new vmdk driver:
docker volume create --driver=vmdk --name=vol1 -o size=10gb
We can list all the Docker Volumes that available by running the following command:
docker volume ls
We can also inspect a specific Docker Volume by running the following command and specifying the name of the volume:
docker volume inspect vol1
Lets actually do something with this volume now by attaching it to a simple Busybox Docker Container by running the following command:
docker run --rm -it -v vol1:/mnt/volume1 busybox
As you can see from the screenshot above, I have now successfully accessed the Docker Volume that we had created earlier and I am now able to write to it. If you have another VM that resides on the same underlying shared storage, you can also mount the Docker Volume that you had just created from a different system.
Pretty straight forward and easy right? Happy Developers 🙂
Managing Docker Volumes on vSphere (vSphere Administrator)
For the vSphere Administrators, you must be wondering, did I just give my Developers full access to the underlying vSphere Storage to consume as much storage as possible? Of course not, we have not forgotten about our VI Admins and we have some tools to help. Today, there is a CLI utility located at /usr/lib/vmware/vmdkops/bin/vmdkops_admin.py which runs directly on the ESXi Shell (hopefully this will turn into an API in the future) which provides visibility into how much storage is being consumed (provisioned and usage) by the individual Docker Volumes as well as who is creating them and their respective Virtual Machine mappings.
Lets take a look at a quick example by logging into the ESXi Shell. To view the list ofDocker Volumes that have been created, run the following command:
/usr/lib/vmware/vmdkops/bin/vmdkops_admin.py ls
You should see the name of the Docker Volume that we had created earlier and the respective vSphere Datastore in which it was provisioned to. At the time of writing this, these were the only two default properties that are displayed out of the box. You can actually add additional columns by simply using the -c option by running the following command:
/usr/lib/vmware/vmdkops/bin/vmdkops_admin.py ls -c volume,datastore,created-by,policy,attached-to,capacity,used
Now we get a bunch more information like which VM had created the Docker Volume, the BIOS UUID that the Docker Volume is currently attached to, the VSAN VM Storage Policy that was used (applicable to VSAN env only), the provisioned and used capacity. In my opinion, this should be the default set of columns and this is something I have feedback to the team, so perhaps this will be the default when the Tech Preview is released.
One thing that to be aware of is that the Docker Volumes (VMDKs) will automatically be provisioned onto the same underlying vSphere Datastore as the Docker Host VM (which makes sense given it needs to be able to access it). In the future, it may be possible to specify where you may want your Docker Volumes to be provisioned. If you have any feedback on this, be sure to leave a comment in the Issues page of the Github project.
Docker Volume Role Management
Although not yet implemented in the Tech Preview, it looks like VI Admins will also have the ability to create Roles that restrict the types of Docker Volume operations that a given set of VM(s) can perform as well as the maximum amount of storage that can be provisioned.
Here is an example of what the command would look like:
/usr/lib/vmware/vmdkops/bin/vmdkops_admin.py role create --name DevLead-Role --volume-maxsize 100GB --rights create,delete,mount --matches-vm photon-docker-host-*
Docker Volume VSAN VM Storage Policy Management
Since VSAN is one of the supported vSphere Storage backends with the new Docker Volume Driver, VI Admins will also have the ability to create custom VSAN VM Storage Policies that can then be specified during Docker Volume creations. Lets take a look at how this works.
To create a new VSAN Policy, you will need to specify the name of the policy and provide the set of VSAN capabilities formatted using the same syntax found in esxcli vsan policy getdefault command. Here is a mapping of the VSAN capabilities to the attribute names:
VSAN Capability Description | VSAN Capability Key |
---|---|
Number of failures to tolerate | hostFailuresToTolerate |
Number of disk stripes per object | stripeWidth |
Force provisioning | forceProvisioning |
Object space reservation | proportionalCapacity |
Flash read cache reservation | cacheReservation |
Run the following command to create a new VSAN Policy called FTT=0 which sets Failure to Tolerate to 0 and Force Provisioning to true:
/usr/lib/vmware/vmdkops/bin/vmdkops_admin.py policy create --name FTT=0 --content '(("hostFailuresToTolerate" i0) ("forceProvisioning" i1))'
If we now go back to our Docker Host, we can create a second Docker Volume called vol2 with capacity of 20GB, but we will also now include our new VSAN Policy called FTT=0 policy by running the following command:
docker volume create --driver=vmdk --name=vol2 -o size=20gb -o vsan-policy-name=FTT=0
We can also easily see which VSAN Policies are in use by simply listing all policies by running the following command:
All VSAN Policies and Docker Volumes (VMDK) that are created are stored under a folder called dockvols in the root of the vSphere Datastore as shown in the screenshot below.
Hopefully this gave you a nice overview of what the Docker Volume Driver for vSphere can do in its first release. Remember, this is still in Tech Preview and our Engineers would love to get your feedback on the things you like, new features or things that we can improve on. The project is on Github which you can visit the page here and if you have any questions or run into bugs, be sure to submit an issue here or contribute back!
Fabio says
HI William
Fantastic post as usual: very informative and forward looking 🙂
You stated:
"If you have shared storage on your ESXi hosts, you can have a VM on one ESXi host create a Docker Volume and have a completely different VM on another ESXi host mount the exact same Docker Volume. "
How could you do this and preserve the writes to that volume(as you have two "OSes" writing to the same device)?
I assume you an just attach a volume to a single VM (and then Container) and maybe I am reading this statement in the wrong way 😛
Thank you very much.
F.
William Lam says
Hi Fabio,
Thanks for the comment. Yes, you're correct, only a single Docker Volume can be written to at a time. There is a PR (https://github.com/vmware/docker-volume-vsphere/issues/193) to add support for multi-writer (generally used for clustered application) that our vSphere Platform supports. Feel free to leave any additional comments you have if you would like to see this
Yadong Zhang says
I want to know how we can do that "If you have shared storage on your ESXi hosts, you can have a VM on one ESXi host create a Docker Volume and have a completely different VM on another ESXi host mount the exact same Docker Volume."
See the issues I asked https://github.com/vmware/docker-volume-vsphere/issues/409. As I know, Docker Volume Driver for vSphere can not support multi host. That is said containers on the same VM can access (r/w) the same Docker volume. But on different VM, they can not share the Volume, and on different ESXi host too.
Ritesh Shukla says
Any VM with access to the shared datastore can access the volume. Thus any one VM can create and any VM can consumer. At a time concurrently only one VM can use a volume => docker run command with -v for volume can be running only from one VM at a time.. once the container is stopped another VM can execute the run command. Give it a try and let us know.
Ritesh Shukla says
Once docker run command completes the volume is available to to be used by docker run on a different VM.. 2 VMs cannot run a docker run with the same volume at a time (maybe if customers ask it could be concurrent read only access).
twm1010 says
Any constraints? Is this just multi-writer VMDK?
William Lam says
Can you be more specific about what you mean by constraints? No, this is not multi-writer VMDK as mentioned in last reply. Only a single Docker Volume can be mapped for r/w for a Docker Container
Andres Puccini says
Hi
Great article. Maybe you could assist me with the following.
We are a vcloud service provider, currently considering implementing this functionality. But two concerns comes to our mind:
1) If two Dockers VMs from a different tenant are coexisting in the same datastore, do they have visibility to each others docker volumes, or just to their own?
2) Is billing time: Tenant "A" has a Docker VM that deployed 3 docker volumes, but only one is mounted. How do you bill them? Do you have any visibility in vcloud or vcenter to be able to identify the owner of these volumes?
Thanks in advance.