WilliamLam.com


How to setup Harbor registry on Synology

10.18.2023 by William Lam // 6 Comments

With my recent exploration of GenAI and using a private ChatGPT solution with my own blog posts, I quickly realized in the space of AI/ML, the required software dependencies can take up a significant amount of storage, especially for a kubernetes/container-based deployment.

To give you an example, to deploy the private ChatGPT (h2ogpt) application using kubernetes, just the container image itself is a whopping 40GB+! 😲

Unfortunately, this is not a one-off scenario but a common theme when working in the AI/ML space: the size of the packages and drivers is extremely large even when using containers. I figure I should probably set up my own container registry instead of pulling directly from the Internet given the size of these images.

I already have a local Harbor instance running in a VM but with my Synology, I have been using it to centralize a number of functions and that would be the ideal place to actually run Harbor. While you can run individual containers on the Synology as I have demonstrated HERE with GitLab, the Harbor installation process relies on Docker Compose, which Synology does not natively support using the Synology DiskStation Manager (DSM) interface.

With a little bit of tinkering and trial/error, I was able to finally get Harbor running on my Synology and centralize all my storage needs including having my own container registry.

[Read more...]

Categories // Automation, Cloud Native, Kubernetes Tags // Harbor, Synology

NVIDIA GPU with Dynamic DirectPath IO (Passthrough) to Tanzu Kubernetes Grid (TKG) Cluster using vSphere with Tanzu

10.17.2023 by William Lam // Leave a Comment

When provisioning a Tanzu Kubernetes Grid Cluster (TKC) using vSphere with Tanzu, you can easily request an NVIDIA GPU resource as part of the deployment, which can either be provided by NVIDIA vGPU or using PCIe passthrough with Dynamic DirectPath IO.

vGPU is great for those with a capable NVIDIA GPU, especially if the GPU will not be utilized 100% and you can share its resources amongst several VMs. However, if you do not have a capable GPU that supports vGPU, you can still provide your TKC workloads with a GPU resource using passthrough.


While playing with the Lenovo P3 Ultra, I unfortunately came to learn that NVIDIA RTX A5500 Laptop was NOT the same as an NVIDIA RTX A5500 🙁

Not ideal, but I guess NVIDIA did not want to add this additional device to their test matrix and hence their ESXi graphics drivers would not detect the GPU as vGPU capable. I knew that I could still use the NVIDIA GPU via passthrough but to my surprise, I just needed to get the NVIDIA drivers installed onto the TKC worker nodes.

That was much easier said than done as all the documentation that I could find on both VMware and NVIDIA websites had detailed instructions for vGPU configuration but there was little to no documentation on how to use NVIDIA GPU in passthrough mode with vSphere with Tanzu. I came across a number of different NVIDIA solutions when it comes to k8s, but it was not very clear on which would be interoperable with vSphere with Tanzu and I eventually figured it out with the help pointing me in the right direction.

It was actually super easy, once you knew the exact steps! 😅

[Read more...]

Categories // Kubernetes, VMware Tanzu, vSphere 7.0, vSphere 8.0 Tags // GPU, NVIDA, Passthrough, vSphere Kubernetes Service

Support for Virtual Trusted Platform Module (vTPM) on ESXi without vCenter Server?

10.16.2023 by William Lam // 27 Comments

Starting with vSphere 6.7, users have been able to add a Virtual Trusted Platform Module (vTPM) to a VM, enabling guest operating systems to create and store private keys using a software-based representation of a physical TPM 2.0 chip, that is completely transparent to the underlying OS.

A major benefit of using vTPM is that a physical TPM chip is NOT required in the underlying ESXi host and the vTPM secrets are protected by encrypting the .nvram file, where the secrets are stored.

The encryption keys that are used to encrypt the vTPM are provisioned by a key provider, which can either be an external Standard Key Provider (SKP) that is KMIP-compliant or vCenter Server's built-in Native Key Provider (NKP). It is the management of these key providers and their workflows that requires the use of vCenter Server, providing a centralized control plane and a seamless user experience when using the vTPM feature.

Most recently, I saw an influx of inquiries from our field and customers asking about using vTPM with a standalone ESXi host that is NOT managed by vCenter Server, primarily for homelab purposes. While this question has come up in the past, the increased interest might be due to more folks looking to deploy Windows 11, which now has a requirement of a TPM.

While sharing this observation with our lead engineer for VM Encryption, I came to learn that while vCenter Server is highly recommended for a good vTPM user experience, it is technically NOT required for vTPM to function. This sounded very intriguing but surely this solution would NOT be supported right?!

Interestingly, vCenter Server simply uses a set of public vSphere APIs that are available directly on an ESXi host to add or remove encryption keys that are generated from the key provider but the functionality to manage the encryption keys is available on an ESXi host. While this "manual" method is not as seamless as using vCenter Server, you can enable vTPM for a VM using a standalone ESXi host that is not managed by vCenter Server in a completely supported manner!

The lesson here, do not always assume something is NOT supported until you have been told it is NOT supported and always be learning! 😁

[Read more...]

Categories // Automation, ESXi, vSphere 8.0 Tags // VM Encryption, vTPM


Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.


Copyright WilliamLam.com © 2025

 
