With VIC, ESXi Firewall rules have to be configured on the ESXi hosts for the Virtual Container Host (VCH).
With VIC 1.0 this was a rather awkward setup, as described here:
ESXi Firewall rule settings for vSphere Integrated Containers (VIC) 1.0.
In VIC 1.1, opening the ESXi Firewall rules that VIC needs can now be done
with the vic-machine command itself.
So let's open the ESXi Firewall this way.
We will use the VIC 1.1 vic-machine-linux command.
[gowatana@client01 vic]$ ./vic-machine-linux version
vic-machine-linux version v1.1.0-9852-e974a51
This time we change the Firewall rule settings of the ESXi hosts in the "cluster-01" cluster of the vCenter "vc-sv02.go-lab.jp".
With vic-machine, if you do not specify the vCenter thumbprint, you get an error like the one below.
[gowatana@client01 vic]$ ./vic-machine-linux update firewall --target vc-sv02.go-lab.jp --user gowatana --allow --compute-resource cluster-01
May 16 2017 08:58:11.738+09:00 INFO vSphere password for gowatana:
May 16 2017 08:58:15.814+09:00 INFO ### Updating Firewall ####
May 16 2017 08:58:15.857+09:00 ERROR Failed to verify certificate for target=vc-sv02.go-lab.jp (thumbprint=70:45:F3:C7:~omitted)
May 16 2017 08:58:15.858+09:00 ERROR Update cannot continue - failed to create validator: x509: certificate signed by unknown authority
May 16 2017 08:58:15.858+09:00 ERROR --------------------
May 16 2017 08:58:15.858+09:00 ERROR vic-machine-linux update firewall failed: update firewall failed
Now we specify the thumbprint and set the ESXi Firewall to allow the traffic (--allow).
The settings of the three hosts in the specified cluster were changed.
[gowatana@client01 vic]$ ./vic-machine-linux update firewall --target vc-sv02.go-lab.jp --user gowatana --allow --compute-resource cluster-01 --thumbprint 70:45:F3:C7:~omitted
May 16 2017 08:58:44.670+09:00 INFO vSphere password for gowatana: ★ enter the password here
May 16 2017 08:58:47.196+09:00 INFO ### Updating Firewall ####
May 16 2017 08:58:47.328+09:00 INFO Validating target
May 16 2017 08:58:47.328+09:00 INFO Validating compute resource
May 16 2017 08:58:47.343+09:00 INFO
May 16 2017 08:58:47.343+09:00 WARN ### WARNING ###
May 16 2017 08:58:47.343+09:00 WARN This command modifies the host firewall on the target machine or cluster
May 16 2017 08:58:47.343+09:00 WARN The ruleset "vSPC" will be enabled
May 16 2017 08:58:47.343+09:00 WARN This allows all outbound TCP traffic from the target
May 16 2017 08:58:47.343+09:00 WARN To undo this modification use --deny
May 16 2017 08:58:47.343+09:00 INFO
May 16 2017 08:58:47.420+09:00 INFO Ruleset "vSPC" enabled on host "HostSystem:host-29 @ /dc02/host/cluster-01/hv-n11.go-lab.jp"
May 16 2017 08:58:47.491+09:00 INFO Ruleset "vSPC" enabled on host "HostSystem:host-32 @ /dc02/host/cluster-01/hv-n12.go-lab.jp"
May 16 2017 08:58:47.556+09:00 INFO Ruleset "vSPC" enabled on host "HostSystem:host-34 @ /dc02/host/cluster-01/hv-n13.go-lab.jp"
May 16 2017 08:58:47.556+09:00 INFO
May 16 2017 08:58:47.556+09:00 INFO Firewall changes complete
May 16 2017 08:58:47.556+09:00 INFO Command completed successfully
[gowatana@client01 vic]$
The original outbound rules on the ESXi host looked like this...
After the change, the vSPC ruleset has been opened.
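The thumbprint passed with --thumbprint is what makes vic-machine trust the vCenter certificate, so it should come from a value recorded out of band rather than copied from the error message above (that would just trust whatever certificate answered on the network). The following Python script is an added example, not part of vic-machine or the original post: it fetches the vCenter certificate, computes the SHA-1 thumbprint in the colon-separated form vic-machine prints, compares it against an expected pin in constant time, and only then builds the update firewall command from the post; EXPECTED is a placeholder and the host, user and cluster names are taken from the post.

```python
import hashlib
import hmac
import socket
import ssl
import subprocess


def thumbprint_from_der(der: bytes) -> str:
    """SHA-1 of a DER certificate as AA:BB:CC..., the form vic-machine prints."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(tp: str) -> str:
    """Accept 'aa:bb', 'AA-BB' or 'aabb' and return 'AA:BB'."""
    hexdigits = "".join(c for c in tp.upper() if c in "0123456789ABCDEF")
    return ":".join(hexdigits[i:i + 2] for i in range(0, len(hexdigits), 2))


def thumbprint_matches(actual: str, expected: str) -> bool:
    """Constant-time comparison after normalization."""
    return hmac.compare_digest(normalize(actual), normalize(expected))


def fetch_thumbprint(host: str, port: int = 443) -> str:
    """Fetch the leaf certificate without chain validation: the vCenter cert is
    self-signed or from an internal CA, which is why vic-machine asks for a pin."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return thumbprint_from_der(tls.getpeercert(binary_form=True))


def update_firewall_cmd(target, user, cluster, thumbprint, allow=True):
    """The vic-machine command line from the post, with the verified thumbprint."""
    return ["./vic-machine-linux", "update", "firewall",
            "--target", target, "--user", user, "--compute-resource", cluster,
            "--allow" if allow else "--deny", "--thumbprint", thumbprint]


if __name__ == "__main__":
    # Placeholder: take the real value from the vCenter UI or the VMCA, not from
    # the error output of a failed vic-machine run.
    EXPECTED = "70:45:F3:C7:<placeholder-rest-of-thumbprint>"
    actual = fetch_thumbprint("vc-sv02.go-lab.jp")
    if not thumbprint_matches(actual, EXPECTED):
        raise SystemExit(f"vCenter thumbprint mismatch, refusing to run: {actual}")
    subprocess.run(update_firewall_cmd("vc-sv02.go-lab.jp", "gowatana",
                                       "cluster-01", actual), check=True)
```

Since the ruleset enables all outbound TCP from the hosts, the same command with allow=False reproduces the --deny form that the warning suggests for undoing the change.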
When we create a Virtual Container Host (VCH) after the Firewall configuration,
the ESXi Firewall check now reports OK.
* For name-resolution reasons, the vCenter is specified here by IP address (192.168.1.96).
[gowatana@client01 vic]$ ./vic-machine-linux create \
> --target 192.168.1.96 \
> --user gowatana \
> --compute-resource cluster-01 \
> --name vch02 \
> --public-network pg-vds02-0000 --bridge-network vic-bridge-02 \
> --image-store ds_nfs_219 \
> --no-tlsverify --force
May 17 2017 01:37:33.510+09:00 INFO ### Installing VCH ####
May 17 2017 01:37:33.510+09:00 INFO vSphere password for gowatana:
May 17 2017 01:37:36.594+09:00 WARN Using administrative user for VCH operation - use --ops-user to improve security (see -x for advanced help)
May 17 2017 01:37:36.594+09:00 INFO Generating self-signed certificate/key pair - private key in vch02/server-key.pem
May 17 2017 01:37:36.917+09:00 WARN Configuring without TLS verify - certificate-based authentication disabled
May 17 2017 01:37:37.049+09:00 INFO Validating supplied configuration
May 17 2017 01:37:37.154+09:00 INFO vDS configuration OK on "vic-bridge-02"
May 17 2017 01:37:37.183+09:00 INFO Firewall status: ENABLED on "/dc02/host/cluster-01/hv-n11.go-lab.jp"
May 17 2017 01:37:37.211+09:00 INFO Firewall status: ENABLED on "/dc02/host/cluster-01/hv-n12.go-lab.jp"
May 17 2017 01:37:37.236+09:00 INFO Firewall status: ENABLED on "/dc02/host/cluster-01/hv-n13.go-lab.jp"
May 17 2017 01:37:37.242+09:00 INFO Firewall configuration OK on hosts:
May 17 2017 01:37:37.242+09:00 INFO "/dc02/host/cluster-01/hv-n11.go-lab.jp"
May 17 2017 01:37:37.242+09:00 INFO "/dc02/host/cluster-01/hv-n12.go-lab.jp"
May 17 2017 01:37:37.242+09:00 INFO "/dc02/host/cluster-01/hv-n13.go-lab.jp"
May 17 2017 01:37:37.354+09:00 INFO License check OK on hosts:
May 17 2017 01:37:37.354+09:00 INFO "/dc02/host/cluster-01/hv-n11.go-lab.jp"
May 17 2017 01:37:37.354+09:00 INFO "/dc02/host/cluster-01/hv-n12.go-lab.jp"
May 17 2017 01:37:37.354+09:00 INFO "/dc02/host/cluster-01/hv-n13.go-lab.jp"
May 17 2017 01:37:37.357+09:00 INFO DRS check OK on:
May 17 2017 01:37:37.357+09:00 INFO "/dc02/host/cluster-01"
May 17 2017 01:37:37.378+09:00 INFO
May 17 2017 01:37:38.444+09:00 INFO Creating virtual app "vch02"
May 17 2017 01:37:38.469+09:00 INFO Creating appliance on target
May 17 2017 01:37:38.487+09:00 INFO Network role "public" is sharing NIC with "management"
May 17 2017 01:37:38.487+09:00 INFO Network role "client" is sharing NIC with "management"
May 17 2017 01:37:41.062+09:00 INFO Uploading images for container
May 17 2017 01:37:41.062+09:00 INFO "bootstrap.iso"
May 17 2017 01:37:41.062+09:00 INFO "appliance.iso"
May 17 2017 01:37:49.197+09:00 INFO Waiting for IP information
May 17 2017 01:38:07.152+09:00 INFO Waiting for major appliance components to launch
May 17 2017 01:38:07.204+09:00 INFO Obtained IP address for client interface: "192.168.1.2"
May 17 2017 01:38:07.204+09:00 INFO Checking VCH connectivity with vSphere target
May 17 2017 01:38:07.315+09:00 INFO vSphere API Test: https://192.168.1.96 vSphere API target responds as expected
May 17 2017 01:38:37.345+09:00 INFO Initialization of appliance successful
May 17 2017 01:38:37.345+09:00 INFO
May 17 2017 01:38:37.345+09:00 INFO VCH Admin Portal:
May 17 2017 01:38:37.345+09:00 INFO https://192.168.1.2:2378
May 17 2017 01:38:37.345+09:00 INFO
May 17 2017 01:38:37.345+09:00 INFO Published ports can be reached at:
May 17 2017 01:38:37.345+09:00 INFO 192.168.1.2
May 17 2017 01:38:37.345+09:00 INFO
May 17 2017 01:38:37.345+09:00 INFO Docker environment variables:
May 17 2017 01:38:37.345+09:00 INFO DOCKER_HOST=192.168.1.2:2376
May 17 2017 01:38:37.346+09:00 INFO
May 17 2017 01:38:37.346+09:00 INFO Environment saved in vch02/vch02.env
May 17 2017 01:38:37.346+09:00 INFO
May 17 2017 01:38:37.346+09:00 INFO Connect to docker:
May 17 2017 01:38:37.346+09:00 INFO docker -H 192.168.1.2:2376 --tls info
May 17 2017 01:38:37.346+09:00 INFO Installer completed successfully
[gowatana@client01 vic]$
For more on VIC, see also:
Trying out vSphere Integrated Containers (VIC) 1.0.
Deploying the VIC Appliance for vSphere Integrated Containers (VIC) 1.1.
That was a look at the improved ESXi Firewall configuration method in VIC 1.1.