vSphere Integrated Containers Engine Version v1.1.1-rc2

v1.1.1-rc2 is tagged on releases/1.1.1 branch

Changes from v1.1.0 v1.1.0...v1.1.1-rc2

This is an interim pre-release and does not include support from VMware global support services (GSS). Support is OSS community level only. See https://github.com/vmware/vic/blob/master/CONTRIBUTING.md#community for details on how to contact the VIC Engine community.

Resolved Issues

The following issues found in vSphere Integrated Containers Engine 1.1.0 have been fixed in 1.1.1:

• Container VMs immediately power off with Server error from portlayer: ServerFaultCode: Permission to perform this operation was denied. #4817
  This error results if the --ops-user option was used when deploying VCHs. Operations user accounts require more permissions than were initially documented. The list of required permissions in Use Different User Accounts for VCH Deployment and Operation has been updated to include all of the required permissions.
• Race condition in vSAN can cause VCH kvstore to enter an inconsistent state. #4601
  
  VCHs store the key-value state for the VCH in a file on the datastore named kvstore. When values are updated a new version is uploaded as kvstore.tmp, which then overwrites the existing file. Race conditions can occur in VSAN if you upload a file and then quickly move that file.
  If this condition occurs, the kvstore of the VCH can enter an inconsistent state. If this error occurs you see the following error:

  Error response from daemon:
  
  failed to save image cache: [PUT /kv/{key}][500]
  
  putValueInternalServerError  &{Code:500 Message:Error uploading apiKV.dat:
  
  File [vsanDatastore] 5568e458-4f51-10c5-3994-020...

  This error mostly occurs when running docker rmi, but could also occur when performing docker pull, docker run, or docker create on a new image.
• Installing vSphere Client plug-in fails on VCSA. #4906
  When you attempt to install the vSphere Client plug-in for vSphere Integrated Containers on a vCenter Server Appliance, the installation fails with the error failed to find target plugin.
• vSphere Web Client plug-in does not appear after successful installation. #4948
  When you install the Flex plug-in for the vSphere Web Client, the installation process reports success but the plug-in does not appear in the vSphere Web Client.
• vSphere Integrated Containers Engine files not upgraded. #5013
  If you upgrade the vSphere Integrated Containers appliance from 1.1.0 to 1.1.1, vSphere Integrated Containers Registry and Management Portal upgrade successfully, but the downloads for vSphere Integrated Containers Engine remain at 1.1.0.

Known Issues

• Running docker create results in InvalidDeviceSpec. #4666
  When attempting to create a VMDK for the read-write layer of a container during docker create, the parent VMDK sometimes cannot be accessed or located, resulting in an InvalidDeviceSpec fault. This is specific to vSAN datastores.

  Workaround: Attempt to create the container again.

• Cannot login to insecure registries that use self-signed certificates. #4681
  If you deploy a VCH with the --insecure-registry option, and if that registry uses self-signed certificates, attempts to use docker login to log in to the registry fail with Error response from daemon: Unexpected http code: 400, URL: http://X.X.X.X:443/v2/. However, performing docker pull from that registry without attempting docker login succeeds.

  Workaround: Download the self-signed certificate from the registry and redeploy the VCH, specifying the path to this certificate in the --registry-ca option.

• Docker client 1.13 returns an incorrect error message on non-existent objects. #4573
  If you run a Docker command against a non-existent object, for example docker inspect fake, where fake is an object that does not exist, vSphere Integrated Containers Engine reports Error response from daemon: vSphere Integrated Containers does not yet support Docker Swarm. The error message should be Error: No such image, container or task: fake.

• Publishing all exposed ports to random ports with the -P option is not supported. #3000
  vSphere Integrated Containers Engine does not support docker create/run -P.

• Shared data volumes are not supported. #2303
  vSphere Integrated Containers Engine does not support shared data volumes, meaning that multiple containers cannot share a common vSphere volume. As a consequence, using vSphere Integrated Containers Management Portal to provision applications that include containers that share volumes fails when using vSphere Integrated Containers Engine, with the error Server error from portlayer: Failed to lock the file. Do not design or import such templates in vSphere Integrated Containers Management Portal and do not attempt to deploy applications based on such templates when using vSphere Integrated Containers Engine.

• Occasional disconnection during vMotion. #4484
  If you are attached to a container VM that is migrated by vMotion, the SSH connection to the container VM might drop when vMotion completes.

  Workaround: Perform docker attach after the vMotion completes to reattach to the container.

• Using volume labels with docker-compose causes a plugin error. #4540
  Setting a label in a volume in the Docker compose YML file results in error looking up volume plugin : plugin not found.

  Workaround: Set the volume driver explicitly as local or vsphere in the compose file. E.g.,

  volumes:
    volume_with_label:
      driver: local
  

• VCH Admin portal does not respect proxy settings. #4557
  This affects is the internet connectivity status on the VCH Admin portal, which does not use the proxy used by the rest of the VCH.

• vSphere Integrated Containers Management Portal cannot pull images from an insecure vSphere Integrated Containers instance when creating a container using vSphere Integrated Containers Engine. #4706
  Creating a container in vSphere Integrated Containers Management Portal with vSphere Integrated Containers Engine as the only Docker host results in the error certificate signed by unknown authority.

  Workarounds: Specify the vSphere Integrated Containers Registry port when you set the vic-machine create--insecure-registry option, or provide a CA certificate in the --registry-ca option.

• Specifying the same datastore for volume store and images store leads to unintended volume loss on ESXi hosts. #4478
  When deploying VCHs directly to ESXi hosts, if you specify vic-machine create --name dev --image-store datastore1 --volume-store datastore1/dev:default, volumes will go into the same folder as images and the VCH. If you then run vic-machine delete, the volumes are deleted, even if you do no specify --force. This does not occur when deploying to vCenter Server.

• Containers have access to vSphere management assets. #3970
  Containers that are attached to the bridge network can use NAT through the VCH and so have full access to assets on the management and client networks, or they can be reached via the gateway on those networks. As a consequence, any container can access to vSphere assets.

• Deleting container VMs by using the vSphere Client can remove the underlying image. #2928
  If you delete a container VM by using the vSphere Client, attempts to create other containers that use the same base image containers can fail if the base image has been removed.

  Workaround: As stated in the documentation, always use Docker commands to perform operations on containers. Do not use the vSphere Client to perform operations on container VMs.

• Deployment fails if you configure a VCH to use 4 NICs. #2802
  A VCH supports a maximum of 3 distinct network interfaces. The bridge network requires its own port group, at least two of the public, client, and management networks must share a network interface and therefore a port group. Container networks do not go through the VCH, so they are not subject to this limitation. This limitation will be removed in a future release.

• vic-machine and VCH do not support creation of resources within inventory folders. #3619
  This capability will be added in a future release.

• Image store is in the wrong directory if the datastore already has a directory with the same name. #3365
  If the datastore already has a directory with the same name as the VCH, and the directory does not have a VM, vic-machine creates the VCH correctly names the folder a slightly different name. Example, folder "test_1" with vch named "test"...

vSphere Integrated Containers Engine Version v1.1.1-rc1

v1.1.1-rc1 is tagged on releases/1.1.1 branch

Changes from v1.1.0 v1.1.0...v1.1.1-rc1

This is an interim pre-release and does not include support from VMware global support services (GSS). Support is OSS community level only. See https://github.com/vmware/vic/blob/master/CONTRIBUTING.md#community for details on how to contact the VIC Engine community.

Issues Resolved:
#4817
#4601
#4906
#4948

Binary download available at https://storage.googleapis.com/vic-engine-releases/vic_1.1.1-rc1.tar.gz

vSphere Integrated Containers Engine Version v1.1.0

v1.1.0 is tagged on release branch

Changes from v0.9.0 v0.9.0...v1.1.0

This release is will be included with the VIC Product 1.1 release and supported by VMware customers with Enterprise Plus licensing.

Features

• A unified OVA installer for all three components
• Upgrade from version 0.8
• A plug-in for the HTML5 vSphere Client
• Support for Docker Client 1.13 and Docker API version 1.25
• Support for additional Docker commands. For the list of Docker commands that this release supports, see Supported Docker Commands in Developing Container Applications with vSphere Integrated Containers.

Resolved Issues

• VCH deployment fails with invalid URL error when using --insecure-registry. #4141
  If you use the --insecure-registry option with vic-machine create, deployment of the VCH fails with the following error:

  registry_address:5000 is an invalid format for registry url.

• vSphere Integrated Containers leaks DOM objects on VMware vSAN. #3938
  When using a VMware vSAN datastore as the image store, if you pull an image and then delete the VCH, DOM object leaking occurs on the datastore. Running docker rmi without deleting the VCH has the same issue.
• Containers remain in the Starting state when you run docker compose up. #4223
  Bringing up a compose application by using docker-compose up results in containers getting stuck at the Starting state. This does not happen if you use the -d option when you run docker compose up.
• Installing the HTML5 plug-in on vCenter Server on Windows does not work. #4277
  When using a Web server to install the HTML5 client plug-in on a vCenter Server instance that runs on Windows, the installer reports success but the installation does not succeed.
• vic-machine ls doubles output. #3975
  When you run vic-machine ls, VCHs are listed twice in the output.
• Deployment fails with a list failed error when you specify resources by name rather than by path. #4203
  Deployment of a VCH fails with an error about failing to find resources that you specified by name in the --compute-resource option. However, vic-machine suggests the resource that you specified as a valid resource.
• Error response from daemon: Unexpected http code: 400 when pulling images from local Harbor registries. #3441
  Currently, vSphere Integrated Containers Engine always performs certificate verification with a secure registry even if you specify vic-machine create --insecure-registry during deployment of the VCH.
• Shutting down and restarting a VCH does not behave correctly on vCenter Server. #3137
  If you shut down a VCH and its container VMs by powering off the vApp and then restart the vApp, container VMs appear in the vSphere Client as having restarted but might show up as stopped if you run docker ps -a. Container VMs might also show up as not being connected to the bridge network when you run docker network inspect bridge . Currently vSphere Integrated Containers Engine does not support restarting the whole vApp.
• VCH Admin shows network failure when virtual container host uses a proxy. #3213
  If a virtual container host is configured to use a proxy, the VCH Admin status page shows a network failure even if connectivity through the proxy is working.
• Misleading error message appears when you run out of memory on ESXi. #2840
• vSphere Integrated Containers Engine does not support root users inside containers #1279

Known Issues

• Running docker create results in InvalidDeviceSpec. #4666
  When attempting to create a VMDK for the read-write layer of a container during docker create, the parent VMDK sometimes cannot be accessed or located, resulting in an InvalidDeviceSpec fault. This is specific to vSAN datastores.

  Workaround: Attempt to create the container again.

• Cannot login to insecure registries that use self-signed certificates. #4681
  If you deploy a VCH with the --insecure-registry option, and if that registry uses self-signed certificates, attempts to use docker login to log in to the registry fail with Error response from daemon: Unexpected http code: 400, URL: http://X.X.X.X:443/v2/. However, performing docker pull from that registry without attempting docker login succeeds.

  Workaround: Download the self-signed certificate from the registry and redeploy the VCH, specifying the path to this certificate in the --registry-ca option.

• Docker client 1.13 returns an incorrect error message on non-existent objects. #4573
  If you run a Docker command against a non-existent object, for example docker inspect fake, where fake is an object that does not exist, vSphere Integrated Containers Engine reports Error response from daemon: vSphere Integrated Containers does not yet support Docker Swarm. The error message should be Error: No such image, container or task: fake.

• Publishing ports to random ports is not supported. #3000
  vSphere Integrated Containers Engine does not support docker create/run -P.

• Shared data volumes are not supported. #2303
  vSphere Integrated Containers Engine does not support shared data volumes, meaning that multiple containers cannot share a common vSphere volume. As a consequence, using vSphere Integrated Containers Management Portal to provision applications that include containers that share volumes fails when using vSphere Integrated Containers Engine, with the error Server error from portlayer: Failed to lock the file. Do not design or import such templates in vSphere Integrated Containers Management Portal and do not attempt to deploy applications based on such templates when using vSphere Integrated Containers Engine.

• Occasional disconnection during vMotion. #4484
  If you are attached to a container VM that is migrated by vMotion, the SSH connection to the container VM might drop when vMotion completes.

  Workaround: Perform docker attach after the vMotion completes to reattach to the container.

• Using volume labels with docker-compose causes a plugin error. #4540
  Setting a label in a volume in the Docker compose YML file results in error looking up volume plugin : plugin not found.

  Workaround: Set the volume driver explicitly as local or vsphere in the compose file. E.g.,

  volumes:
    volume_with_label:
      driver: local
  

• VCH Admin portal does not respect proxy settings. #4557
  This affects is the internet connectivity status on the VCH Admin portal, which does not use the proxy used by the rest of the VCH.

• vSphere Integrated Containers Management Portal cannot pull images from an insecure vSphere Integrated Containers instance when creating a container using vSphere Integrated Containers Engine. #4706
  Creating a container in vSphere Integrated Containers Management Portal with vSphere Integrated Containers Engine as the only Docker host results in the error certificate signed by unknown authority.

  Workarounds: Specify the vSphere Integrated Containers Registry port when you set the vic-machine create--insecure-registry option, or provide a CA certificate in the --registry-ca option.

• Specifying the same datastore for volume store and images store leads to unintended volume loss on ESXi hosts. #4478
  When deploying VCHs directly to ESXi hosts, if you specify vic-machine create --name dev --image-store datastore1 --volume-store datastore1/dev:default, volumes will go into the same folder as images and the VCH. If you then run vic-machine delete, the volumes are deleted, even if you do no specify --force. This does not occur when deploying to vCenter Server.

• Race condition in vSAN can cause VCH kvstore to enter an inconsistent state. #4601
  
  VCHs store the key-value state for the VCH in a file on the datastore named kvstore. When values are updated a new version is uploaded as kvstore.tmp, which then overwrites the existing file. Race conditions can occur in VSAN if you upload a file and then quickly move that file.
  If this condition occurs, the kvstore of the VCH can enter an inconsistent state. If this error occurs you see the following error:

  Error response from daemon:
  
  failed to save image cache: [PUT /kv/{key}][500]
  
  putValueInternalServerError  &{Code:500 Message:Error uploading apiKV.dat:
  
  File [vsanDatastore] 5568e458-4f51-10c5-3994-020...

  This error mostly occurs when running docker rmi, but could also occur when performing docker pull, docker run, or docker create on a new image.

  Workaround: Rerun the Docker command that resulted in the error.

vSphere Integrated Containers Engine Version v1.1.0-rc5

v1.1.0-rc5 is tagged on release branch

Changes from v0.9.0 v0.9.0...v1.1.0-rc5

This is an interim pre-release and does not include support from VMware global support services (GSS). Support is OSS community level only. See https://github.com/vmware/vic/blob/master/CONTRIBUTING.md#community for details on how to contact the VIC Engine community.

Documentation pending

vSphere Integrated Containers Engine Version v1.1.0-rc4

v1.1.0-rc4 is tagged on release branch

Changes from v0.9.0 v0.9.0...v1.1.0-rc4

This is an interim pre-release and does not include support from VMware global support services (GSS). Support is OSS community level only. See https://github.com/vmware/vic/blob/master/CONTRIBUTING.md#community for details on how to contact the VIC Engine community.

Documentation pending

vSphere Integrated Containers Engine Version v1.1.0-rc3

v1.1.0-rc3 is tagged on master branch

Changes from v0.9.0 v0.9.0...v1.1.0-rc3

This is an interim pre-release and does not include support from VMware global support services (GSS). Support is OSS community level only. See https://github.com/vmware/vic/blob/master/CONTRIBUTING.md#community for details on how to contact the VIC Engine community.

Documentation pending

vSphere Integrated Containers Engine Version v1.1.0-rc2

Changes from v0.9.0 v0.9.0...v1.1.0-rc2

This is an interim pre-release and does not include support from VMware global support services (GSS). Support is OSS community level only. See https://github.com/vmware/vic/blob/master/CONTRIBUTING.md#community for details on how to contact the VIC Engine community.

Documentation pending

vSphere Integrated Containers Engine Version v1.1.0-rc1

The RC1 build failed. Github does not allow you to replace the tagged merge so we have to rev an RC2.

Changes from v0.9.0 v0.9.0...v1.1.0-rc1

This is an interim pre-release and does not include support from VMware global support services (GSS). Support is OSS community level only. See https://github.com/vmware/vic/blob/master/CONTRIBUTING.md#community for details on how to contact the VIC Engine community.

Documentation pending

vSphere Integrated Containers Engine Version v0.9.0

Changes from v0.8.0 v0.8.0...v0.9.0

This is an interim pre-release and does not include support from VMware global support services (GSS). Support is OSS community level only. See https://github.com/vmware/vic/blob/master/CONTRIBUTING.md#community for details on how to contact the VIC Engine community.

Features:

• vSphere HTML 5 Client plugin. See https://blogs.vmware.com/vsphere/2016/12/new-vcenter-management-clients-vsphere-6-5.html for details on the HTML 5 Client
• Upgrade from v0.8.0 using vic-machine upgrade. Includes rollback on failure.
• Docker Client 1.13 support and Docker API version 1.25 support.
• Initial Docker container event support. See https://docs.docker.com/engine/reference/commandline/events/

Resolved Issues

• vSphere Integrated Containers Engine 0.8 does not support Docker Client 1.13. #3734, #3720
  If you attempt to connect version 1.13 of the Docker Client to a virtual container host, the Docker client stops working.
• Version 5.7 of the mysql image does not work with docker compose up #3857
  If you run docker compose up and the application that you are creating uses version 5.7 of the mysql image, the database does not initialize. The MYSQL log contains the error --initialize specified but the data directory has files in it.
• vMotion disconnects file-backed serial ports after a migration. #3243
  While applications continue to function correctly without interruption, container logs lose output after a vMotion.
• Deleting a VCH from an ESXi host does not remove the bridge network if it was created with a custom name. #3193
  If you deploy a VCH to an ESXi host and use the --bridge-network option to create a bridge network with a custom name, vic-machine delete does not remove the bridge network if you delete the VCH.
• Running docker ps -aq reports containers that have been removed. #3196
  Listing containers by running docker ps -aq can include containers that have been removed. Attempting to perform an operation on a container that was included in the output of docker ps -aq, for example docker rm -f, results in the error Error response from daemon: No such container.
• volume ls ignores filters #1718
  
• docker run busybox behaves incorrectly #1687
  
  The container configuration between vSphere Integrated Containers Engine and Docker containers is different in that vSphere Integrated Containers Engine attempts to attach to a container and Docker exits immediately.
• docker ps -n shows stopped containers that have been created, but not started, for the state of the container #1545
  

Known Issues

• VCH deployment fails with invalid URL error when using --insecure-registry. #4141
  If you use the --insecure-registry option with vic-machine create, deployment of the VCH fails with the following error:

  registry_address:5000 is an invalid format for registry url.

  Workaround: Precede the registry address with double forward slashes.

  //registry_address:5000

• vSphere Integrated Containers leaks DOM objects on VMware vSAN. #3938
  When using a VMware vSAN datastore as the image store, if you pull an image and then delete the VCH, DOM object leaking occurs on the datastore. Running docker rmi without deleting the VCH has the same issue.

  Workaround: Use govc to list and remove leaked objects:

  • List leaked objects: govc datastore.vsan.dom.ls -l -o
  • Remove leaked objects: govc datastore.vsan.dom.ls -o | xargs govc datastore.vsan.dom.rm

• docker-compose does not allow you to specify the TLS version on the command line. #4317
  vSphere Integrated Containers supports TLS v1.2. You must configure docker-compose to use TLS 1.2. However, docker-compose only allows you to set the TLS version by using environment variables. For more information, see docker-compose issue 4651. Furthermore, docker-compose has a limitation that requires you to set TLS options either by using command line options or by using environment variables. You cannot use a mixture of both command line options and environment variables. To use docker-compose with vSphere Integrated Containers and TLS, set the following environment variables:

   COMPOSE_TLS_VERSION=TLSv1_2
   DOCKER_TLS_VERIFY=1
   DOCKER_CERT_PATH="path to your cert files"

  The certificate file path must lead to CA.pem, client_key.pem, and client cert.pem. You can run docker-compose with the following command:

  docker-compose -H vch_address -f up

• docker-compose does not allow you to specify the TLS version on the command line. #4317
  vSphere Integrated Containers supports TLS v1.2. To use docker-compose with VIC, you must configure docker-compose to use TLS 1.2. However, docker-compose only allows you to set the TLS version by using environment variables. For more information, see docker-compose issue 4651. Furthermore, docker-compose has a limitation that requires you to set TLS options either by using command line options or by using environment variables. You cannot use a mixture of both command line options and environment variables. To use docker-compose with vSphere Integrated Containers and TLS, set the following environment variables:

   COMPOSE_TLS_VERSION=TLSv1_2
   DOCKER_TLS_VERIFY=1
   DOCKER_CERT_PATH="path to your cert files"

  The certificate file path must lead to CA.pem, client_key.pem, and client cert.pem. You can run docker-compose with the following command:

  docker-compose -H vch_address -f up

• Containers remain in the Starting state when you run docker compose up. #4223
  Bringing up a compose application by using docker-compose up results in containers getting stuck at the Starting state. This does not happen if you use the -d option when you run docker compose up.

  Workaround: Use docker compose up -d instead of docker compose up.

• Installing the HTML5 plug-in on vCenter Server on Windows does not work. #4277
  When using a Web server to install the HTML5 client plug-in on a vCenter Server instance that runs on Windows, the installer reports success but the installation does not succeed.

  Workaround: Installing the HTML5 plug-in on a vCenter Server Appliance works. To install the HTML plug-in on a vCenter Server instance that runs on Windows, use a build that post-dates 2017-03-18.

• vic-machine ls doubles output. #3975
  When you run vic-machine ls, VCHs are listed twice in the output.

  Workaround: Specify the --compute-resource option when you run vic-machine ls.

• Deployment fails with a list failed error when you specify resources by name rather than by path. #4203
  Deployment of a VCH fails with an error about failing to find resources that you specified by name in the --compute-resource option. However, vic-machine suggests the resource that you specified as a valid resource.

   INFO Validating compute resource
   INFO Suggesting valid values for --compute-resource based on "cls" 
   INFO Failed to find resource pool in the provided path, showing all top level resource pools.
   INFO Suggested values for --compute-resource: 
   INFO "cls"
   ERROR resource pool 'cls' not found 
   ERROR List cannot continue - compute resource validation failed: validation of configuration failed
   vic-machine-linux ls failed: list failed
  

  Workaround: Specify the full path to the resource rather than just the resource name.

• Error response from daemon: Unexpected http code: 400 when pulling images from local Harbor registries. #3441
  Currently, vSphere Integrated Containers Engine always performs certificate verification with a secure registry even if you specify vic-machine create --insecure-registry during deployment of the VCH. VMware is working to resolve the issue.

• Containers have access to vSphere management assets. #3970
  Containers that are attached to the bridge network can use NAT through the VCH and so have full access to assets on the management and client networks, or they can be reached via the gateway on those networks. As a consequence, any container can access to vSphere assets.

• Shutting down and restarting a VCH does not behave correctly on vCenter Server. #3137
  If you shut down a VCH and its container VMs by powering off the vApp and then restart the vApp, container VMs appear in the vSphere Client as h...

vSphere Integrated Containers Engine Version v0.8.0

Changes from v0.7.0 v0.7.0...v0.8.0

This release is will be included with the VIC Product 1.0 release and supported by VMware customers with Enterprise Plus licensing.

Features:

• Security Enhancements and improved Harbor interoperability
  • HTTP and HTTPS proxies for fetching images
  • custom CA cert bundle for validating registries
  • allow for VCH operations user instead of deployment credentials
  • vic-admin server supports pass-through authentication using vSphere credentials
• Improved detection of vSphere issues during deployment of the Virtual Container Host (VCH)

Of note:
If a container is started and subsequently attached to, only output generated by the container after the attach completes will be seen - docker logs can be used to obtain the entire output over the life of the container.

If an attach is done prior to start, e.g. run -it or start -ai, we delay launching the container process until the attach has completed as we infer from the operation ordering a desire to receive all output from process launch onward.

Attaching to a containerVM inhibits that VM from vMotioning, detaching removes that inhibition:

• to launch a container without attaching, use start or run -d
• to detach from a TTY enabled container, use Ctrl-P Ctrl-Q
• to detach from a non-TTY enabled container, kill the docker client via a different terminal
• issues still exist with container logs when vMotioning containers

Resolved Issues

• Virtual container host does not work if management interface is not Layer 2 adjacent to vSphere management endpoints. #3081
• Setting a static IP address on the virtual container host without specifying --dns-server defaults to the specified gateway. #3060
• A single image cannot currently contain multiple tags. #1638
• rmi on VSAN fails with error "Cannot delete file" #2384
  
• Inconsistent license check reporting between vic-machine and vic-admin #2305
  
• vic-machine does not support secure test registries. #2103
  
• Allowing and configuring insecure registries is not supported. #1486
  

Known Issues

• vSphere Integrated Containers Engine 0.8 does not support Docker Client 1.13. #3734, #3734
  If you attempt to connect version 1.13 of the Docker Client to a virtual container host, the Docker client stops working. This happens because Docker 1.13 uses Docker Events, which vSphere Integrated Containers Engine 0.8 does not yet support.
  Workaround: Use version 1.12 of the Docker Client to connect to virtual container hosts.

• Version 5.7 of the mysql image does not work with docker compose up #3857
  If you run docker compose up and the application that you are creating uses version 5.7 of the mysql image, the database does not initialize. The MYSQL log contains the error --initialize specified but the data directory has files in it. This happens because the mysql container creates an anonymous volume. vSphere Integrated Containers Engine creates a new VDMK for this volume, which contains a lost+found directory, whereas mysql requires the volume to be empty.
  Workarounds: Use the mysql:5.6 image, which is not subject to this issue. Alternatively, if you are using mysql:5.7, specify --ignore-db-dir=lost+found in the YML file:

  version: '2'
   services:
      db:
           image: mysql:5.7
           environment:
              MYSQL_ROOT_PASSWORD: root
           command: ["mysqld", "--ignore-db-dir=lost+found"]
           volumes: 
                 - /var/lib/mysql
  

• vMotion disconnects file-backed serial ports after a migration. #3243
  While applications continue to function correctly without interruption, container logs lose output after a vMotion.

• Image store is in the wrong directory if the datastore already has a directory with the same name. #3365
  If the datastore already has a directory with the same name as the VCH, and the directory does not have a VM, vic-machine creates the VCH correctly names the folder a slightly different name. Example, folder "test_1" with vch named "test". The kvstore is located in "test_1" folder correctly, but image files are still in the "test" directory.

• Deployment with static IP takes a long time. #3436
  If you deploy a VCH with a static IP, the deployment might take longer than expected, resulting in timeouts.
  Workaround: Increase the timeout for the deployment when using static IP.

• Firewall status delayed on vCenter Server. #3139
  If you update the firewall rules on an ESXi host to allow access from specific IP addresses, and if that host is managed by vCenter Server, there might be a delay before vCenter Server takes the updated firewall rule into account. In this case, vCenter Server continues to use the old configuration for an indeterminate amount of time after you have made the update. vic-machine create can successfully deploy a VCH with an address that you have blocked, or else fail when you deploy a VCH with an address that you have permitted.

  Workaround: Wait a few minutes and run vic-machine create again.

• Piping information into busybox fails. #3017
  If you attempt to pipe information into busybox, for example by running echo test | docker run -i busybox cat, the operation fails with the following error:

  Error response from daemon: Server error from portlayer: 
  ContainerWaitHandler(container_id) 
  Error: context deadline exceeded
  

• Deleting a VCH from an ESXi host does not remove the bridge network if it was created with a custom name. #3193
  If you deploy a VCH to an ESXi host and use the --bridge-network option to create a bridge network with a custom name, vic-machine delete does not remove the bridge network if you delete the VCH.

  Workaround: Manually delete the bridge network from the ESXi host.

• Running docker ps -aq reports containers that have been removed. #3196
  Listing containers by running docker ps -aq can include containers that have been removed. Attempting to perform an operation on a container that was included in the output of docker ps -aq, for example docker rm -f, results in the error Error response from daemon: No such container.

  Workaround: Run docker rm -f again.

• VCH Admin shows network failure when virtual container host uses a proxy. #3213
  If a virtual container host is configured to use a proxy, the VCH Admin status page shows a network failure even if connectivity through the proxy is working.

• vic-machine delete does not recognize virtual container hosts that were not fully created. #2981
  vic-machine delete fails when you run it on a virtual container host that was not fully created.

  Workaround: Manually delete any components of a partial installation, for example, the virtual container host vApp, the endpoint VM, and datastore folders.

• Incorrect gateway example in --container-network-gateway help 1741
  
  The help text for vic-machine's option --container-network-gateway value, --cng incorrectly gives the example of a network range instead of the actual gateway address. A more proper example is e.g. vsphere-net:172.16.1.1/16. In additon, please note that we will be removing the CIDR specification from the gateway configuration in a future release.

• Container fails to shut down with Error response from daemon: server error from portlayer : [DELETE /containers/{id}][500] containerRemoveInternalServerError. #1823
  
  Workaround: Developers: run docker create again. Administrators: Un-register and re-register the VM in the vSphere UI.

• Mounting directories as a data volume using the -v option is not supported. #2303
  

• When you pull a large sized image from Harbor into a virtual container host, you get an error that the /tmp partition reached capacity. #2595
  
  docker: Failed to fetch image blob: weblogic/test_domain/sha256:3bf21a5a3fdf6586732efc8c64581ae1b4c75e342b210c1b6f799a64bffd7924 returned download failed: write /tmp/3bf21a5a3fdf346188145: no space left on device.
  
  Workaround: Deploy the virtual container host with --appliance-memory=4096 which increases the appliance memory configuration.

• Installing the virtual container host using a short hostname fails. #2582
  Workaround:

  • The IP address that you provide to vic-machine create target must be reachable on the management network.
  • If you use a DNS name instead of an IP address, the virtual container host endpoint VM must be able to resolve the name using the DNS server that is configured either by DHCP or by the `vic-mach...