vSphere Integrated Containers Engine Version v1.3.1-rc1

Changes from 1.3.0

1.3.1 Dev release

Dev release in preparation for 1.3.1 release candidate.

Changes from 1.3.0 v1.3.0...v1.3.1-dev

vSphere Integrated Containers Engine Version v1.3.0

Changes from 1.2.1

Changes from 1.2.1

New Features

• Create Virtual Container Host wizard in the vSphere Integrated Containers plug-in for the HTML5 vSphere Client. This feature allows you to deploy VCHs interactively, directly from the vSphere Client. Read more
• Delete VCHs from the vSphere Client.
• VCHs support 4 virtual NICs, so each VCH network can have a dedicated virtual NIC. Read more
• Specify a naming convention for container VMs. Read more
• Support for docker rm -v. Read more
• Improved scalability and concurrency.

Resolved Issues

The following issues found in previous releases have been fixed in 1.3.0:

• Deployment fails if you configure a VCH to use 4 NICs. #2802
  A VCH supports a maximum of 3 distinct network interfaces. The bridge network requires its own port group, at least two of the public, client, and management networks must share a network interface and therefore a port group.
• Running docker create results in InvalidDeviceSpec. #4666
  When attempting to create a VMDK for the read-write layer of a container during docker create, the parent VMDK sometimes cannot be accessed or located, resulting in an InvalidDeviceSpec fault. This is specific to vSAN datastores.
• Piping information into busybox fails. #3017
  If you attempt to pipe information into busybox, for example by running echo test | docker run -i busybox cat, the operation fails.
• vic-machine delete does not recognize virtual container hosts that were not fully created. #2981
  vic-machine delete fails when you run it on a virtual container host that was not fully created.
• Installing the virtual container host using a short hostname fails. #2582

Known Issues

• docker run -rm deletes named image volumes #7138
  Running docker run -rm should only delete anonymous volumes. However, running docker run -rm against a vSphere Integrated Containers container VM that uses named image volumes results in the deletion of the volume and the loss of all of its data.

  Workaround: If possible, upgrade to vSphere Integrated Containers 1.3.1. If you cannot upgrade, do not use docker run -rm against a container that uses named image volumes.

• Containers time out while starting with the error context deadline exceeded. #4294
  When this occurs the container VM is not powered off but is left in the Starting state, and might not have a configured network interface. Also, docker-compose and other tools that perform operations based on container state might not handle starting correctly. In the case of docker-compose it does not stop the container before trying to remove it.

• Container start failure handled inconsistently. #4294

• Docker exec following a docker restart of a node container results in unknown task ID error. #6370

• Deleting multiple VCHs fails. #7020, #6079
  Deleting multiple VCHs at the same time fails with one of the following errors:

  • vic/pkg/trace.(*Operation).Err: vic-machine-linux error: context deadline exceeded.
  • ServerFaultCode: The method is disabled by 'VIC'

  Workaround: Try the delete operation again.

• IP range error while powering on containers. #6851
  Powering on container VMs results in the error Server error from portlayer: could not find IP range.

• Docker operations fail with the NotAuthenticated or session not authenticated errors. #6673
  This issue occurs after restarting vCenter or ESXi hosts because the keepalive duration for the authentication of the session is 20 seconds and the session might not have re-authenticated yet.

  Workaround: retry the operation after a few seconds.

• vic-machine debug --rootpw option enables SSH. #6402
  If you specify the vic-machine debug --rootpw option without also specifying --enable-ssh, SSH access to the VCH is still enabled. This behavior is incorrect and will be fixed in a future release.

• Gateway information is missing from docker inspect. #6010
  If you configured a container network on a VCH, if this network uses DHCP, and if you did not specify --container-network-gateway, the gateway is configured correctly but does not show up in the output of docker inspect commands that are run on containers on that network.

• Schema 2 image manifests not supported. #5187
  vSphere Integrated Containers Engine does not support pulling images that only have schema 2 image manifests. If an image registry offers only the schema 2 manifest for an image, pull operations fail. This is most commonly seen when pulling an image by digest.

• docker exec always returns 0 and ignores the exit code of processes. #5692
  docker exec always returns 0, even if you specify -it. This issue is potentially due to a delay in vSphere host synchronization. If you configure command-based health checks in vSphere Integrated Containers Management Portal, the health checks are always successful for containers that are provisioned on affected VCHs, even if the user-specified command does not exist in the scope of the container. This is because command-based health checks are considered to be successful if the exit code of that command is 0.

• Container VMs deleted between upgrading and rolling back an upgrade on a VCH show up in docker ps. #5754
  If you upgrade a VCH, perform vic-machine delete on container VMs, then use vic-machine upgrade --rollback to revert the VCH to the previous version, the cache information in the VCH is reverted. However, the deleted container VM cannot be reverted, so if you run docker ps, the deleted container VMs are listed.

  Workaround: Restart the VCH endpoint VM in the vSphere Client.

• docker diff does not fully work with all containers. #6059
  Running docker diff on certain containers, for example postgres, results in Error response from daemon: Server error from portlayer: Server error from portlayer: Server error from archive reader for device.

• Cannot delete images using image ID after restarting VCH. #6076
  If you pull images into a VCH, then restart that VCH, running docker rmi image_ID results in Error response from daemon: No such image.

  Workaround: Delete images by using the human-readable name.

• docker info does not report secure registries. #6256
  Running docker info on a VCH reports any registries that you have whitelisted, but does not report secure registries that you specified with vic-machine create --registry-ca.

• Enabling content trust in Management Portal does not work if a VCH is in whitelist mode. #6258
  If you install a VCH with whiltelist mode enabled, attempting to a enable content trust on a vSphere Integrated Containers Registry in Management Portal does not update the whitelist, and you cannot pull from that registry.

• Publishing all exposed ports to random ports with the -P option is not supported. #3000
  vSphere Integrated Containers Engine does not support docker create/run -P.

• Occasional disconnection during vMotion. #4484
  If you are attached to a container VM that is migrated by vMotion, the SSH connection to the container VM might drop when vMotion completes.

  Workaround: Perform docker attach after the vMotion completes to reattach to the container.

• Using volume labels with docker-compose causes a plugin error. #4540
  Setting a label in a volume in the Docker compose YML file results in error looking up volume plugin : plugin not found.

  Workaround: Set the volume driver explicitly as local or vsphere in the compose file. E.g.,

  volumes:
    volume_with_label:
      driver: local
  

• vSphere Integrated Containers Management Portal cannot pull images from an insecure vSphere Integrated Containers instance when creating a container using vSphere Integra...

vSphere Integrated Containers Engine Version v1.3.0-rc6

Changes from 1.2.1
v1.2.1...v1.3.0-rc6

vSphere Integrated Containers Engine Version v1.3.0-rc5

Changes from 1.2.1
v1.2.1...v1.3.0-rc5

vSphere Integrated Containers Engine Version v1.3.0-rc4

Changes from 1.2.1
v1.2.1...v1.3.0-rc4

vSphere Integrated Containers Engine Version v1.3.0-rc3

Changes from 1.2.1
v1.2.1...v1.3.0-rc3

vSphere Integrated Containers Engine Version v1.3.0-rc2

Changes from 1.2.1
v1.2.1...v1.3.0-rc2

vSphere Integrated Containers Engine Version v1.3.0-rc1

Changes from 1.2.1
v1.2.1...v1.3.0-rc1

vSphere Integrated Containers Engine Version v1.2.1 GA

v1.2.1 is tagged on releases/1.2.1 branch

Changes from v1.1.1 v1.1.1...v1.2.1

New Features

This release adds fixes for issues found in 1.2.0, and a new vic-machine create option, --container-name-convention.

Resolved Issues

The following issues found in previous releases have been fixed in 1.2.1:

• docker stop fails with error about collision of concurrent operations. #6236
  Error response from daemon: Conflict error from portlayer... collision of concurrent operations. This error is due vSphere Integrated Containers Engine not obtaining the up-to-date power state of the container VM from vCenter Sever in a slow environment. The container VM is already powered off but vCenter Server assumes that it is running, which causes the conflict error. vSphere Integrated Containers Engine obtains the latest power state of the container VM after some time.
• Container with container-network gets assigned bogus port mappings after VCH restart #6091
• Fix panic when vSphere session goes away #6280
• Reduce WAN check timeout #6290
• docker-compose integration tests not cleaning up on failures #5948
• VIC endpoint delay or error in releasing explicit port mapping #6197
• support use-rp option in vic-machine create/inspect/configure/upgrade #6272
• Attach sessions hang (both attach and exec for new and existing containers) #6281
• Adds basic name convention support [full ci] #6265
• docker run ls of a volume mounted folder does not exit #6371
• docker info should not be unresponsive if admiral is slow responding #6346
• Incorrect construction of target URL string for tag service #6347
• RegistryCheck should have a much lower timeout and failure modes should be different #6348

Known Issues

• vic-machine debug --rootpw option enables SSH. #6402
  If you specify the vic-machine debug --rootpw option without also specifying --enable-ssh, SSH access to the VCH is still enabled. This behavior is incorrect and will be fixed in a future release.

• Gateway information is missing from docker inspect. #6010
  If you configured a container network on a VCH, if this network uses DHCP, and if you did not specify --container-network-gateway, the gateway is configured correctly but does not show up in the output of docker inspect commands that are run on containers on that network.

• Schema 2 image manifests not supported. #5187
  vSphere Integrated Containers Engine does not support pulling images that only have schema 2 image manifests. If an image registry offers only the schema 2 manifest for an image, pull operations fail. This is most commonly seen when pulling an image by digest.

• docker exec always returns 0 and ignores the exit code of processes. #5692
  docker exec always returns 0, even if you specify -it. This is potentially due to a delay in vSphere host synchronization.

• Container VMs deleted between upgrading and rolling back an upgrade on a VCH show up in docker ps. #5754
  If you upgrade a VCH, perform vic-machine delete on container VMs, then use vic-machine upgrade --rollback to revert the VCH to the previous version, the cache information in the VCH is reverted. However, the deleted container VM cannot be reverted, so if you run docker ps, the deleted container VMs are listed.

  Workaround: Restart the VCH endpoint VM in the vSphere Client.

• docker diff does not fully work with all containers. #6059
  Running docker diff on certain containers, for example postgres, results in Error response from daemon: Server error from portlayer: Server error from portlayer: Server error from archive reader for device.

• Cannot delete images using image ID after restarting VCH. #6076
  If you pull images into a VCH, then restart that VCH, running docker rmi image_ID results in Error response from daemon: No such image.

  Workaround: Delete images by using the human-readable name.

• docker info does not report secure registries. #6256
  Running docker info on a VCH reports any registries that you have whitelisted, but does not report secure registries that you specified with vic-machine create --registry-ca.

• Enabling content trust in Management Portal does not work if a VCH is in whitelist mode. #6258
  If you install a VCH with whiltelist mode enabled, attempting to a enable content trust on a vSphere Integrated Containers Registry in Management Portal does not update the whitelist, and you cannot pull from that registry.

• Running docker create results in InvalidDeviceSpec. #4666
  When attempting to create a VMDK for the read-write layer of a container during docker create, the parent VMDK sometimes cannot be accessed or located, resulting in an InvalidDeviceSpec fault. This is specific to vSAN datastores.

  Workaround: Attempt to create the container again.

• Publishing all exposed ports to random ports with the -P option is not supported. #3000
  vSphere Integrated Containers Engine does not support docker create/run -P.

• Occasional disconnection during vMotion. #4484
  If you are attached to a container VM that is migrated by vMotion, the SSH connection to the container VM might drop when vMotion completes.

  Workaround: Perform docker attach after the vMotion completes to reattach to the container.

• Using volume labels with docker-compose causes a plugin error. #4540
  Setting a label in a volume in the Docker compose YML file results in error looking up volume plugin : plugin not found.

  Workaround: Set the volume driver explicitly as local or vsphere in the compose file. E.g.,

  volumes:
    volume_with_label:
      driver: local
  

• vSphere Integrated Containers Management Portal cannot pull images from an insecure vSphere Integrated Containers instance when creating a container using vSphere Integrated Containers Engine. #4706
  Creating a container in vSphere Integrated Containers Management Portal with vSphere Integrated Containers Engine as the only Docker host results in the error certificate signed by unknown authority.

  Workarounds: Specify the vSphere Integrated Containers Registry port when you set the vic-machine create--insecure-registry option, or provide a CA certificate in the --registry-ca option.

• Deployment fails if you configure a VCH to use 4 NICs. #2802
  A VCH supports a maximum of 3 distinct network interfaces. The bridge network requires its own port group, at least two of the public, client, and management networks must share a network interface and therefore a port group. Container networks do not go through the VCH, so they are not subject to this limitation. This limitation will be removed in a future release.

• vic-machine and VCH do not support creation of resources within inventory folders. #3619
  This capability will be added in a future release.

• Image store is in the wrong directory if the datastore already has a directory with the same name. #3365
  If the datastore already has a directory with the same name as the VCH, and the directory does not have a VM, vic-machine creates the VCH correctly names the folder a slightly different name. Example, folder "test_1" with vch named "test". The kvstore is located in "test_1" folder correctly, but image files are still in the "test" directory.

• Deployment with static IP takes a long time. #3436
  If you deploy a VCH with a static IP, the deployment might take longer than expected, resulting in timeouts.
  Workaround: Increase the timeout for the deployment when using static IP.

• Firewall status delayed on vCenter Server. #3139
  If you update the firewall rules on an ESXi host to allow access from specific IP addresses, and if that host is managed by vCenter Server, there might be a delay before vCenter Server takes the updated firewall rule into account. In this case, vCenter Server continues to use the old configuration for an indeterminate amount of time after you have made the update. vic-machine create can successfully deploy a VCH with an address that you have blocked, or else fail when you deploy a VCH with an address that you have permitted.

  Workaround: Wait a few minutes and run vic-machine create again.

• Piping information into busybox fails. #3017
  If you attempt to pipe information into busybox, for example by running echo test | docker run -i busybox cat, the operation fails with the following error:

  Error response from daemon: Server error from portlayer: 
  ContainerWaitHandler(container_id) ...