Commit
Added registry and portal security and log info (#979)
* Added registry and portal security and log info.

* Comments from Daniel
stuclem authored Oct 26, 2017
1 parent a6847f6 commit a3ae2fd
Showing 6 changed files with 115 additions and 45 deletions.
5 changes: 3 additions & 2 deletions docs/user_doc/SUMMARY.md
Expand Up @@ -80,7 +80,8 @@
* [Check Service Status](vic_vsphere_admin/service_status.md)
* [Restart Services](vic_vsphere_admin/restart_services.md)
* [Troubleshooting](vic_vsphere_admin/troubleshoot_vic.md)
* [Access Log Bundles](vic_vsphere_admin/log_bundles.md)
* [Access Appliance Logs](vic_vsphere_admin/appliance_logs.md)
* [Access VCH Logs](vic_vsphere_admin/log_bundles.md)
* [VCH Deployment Times Out](vic_vsphere_admin/ts_vch_deployment_timeout.md)
* [Appliance Fails to Register with PSC](vic_vsphere_admin/ts_register_psc_fails.md)
* [Certificate Verification Error](vic_vsphere_admin/ts_thumbprint_error.md)
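Review bot: the new link text "Access VCH Logs" does not match the heading the target page receives in this same commit, "Access Virtual Container Host Log Bundles" (log_bundles.md), while the sibling entry "Access Appliance Logs" does match its page. Consider aligning the summary entry with the page title, for example "Access VCH Log Bundles", so readers searching the table of contents find the same wording on the page.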
Expand All @@ -98,7 +99,7 @@
* [Appliance VM Password Refused](vic_vsphere_admin/ts_appliance_password_refused.md)
* [Default Volume Store Error](vic_app_dev/ts_volume_store_error.md)
* [Docker Login Fails](vic_vsphere_admin/ts_dockerlogin_error.md)
* [Security](vic_vsphere_admin/security_reference.md)
* [Security Reference](vic_vsphere_admin/security_reference.md)
* [Certificate Reference](vic_vsphere_admin/vic_cert_reference.md)
* [Obtain Appliance Certificates](vic_vsphere_admin/obtain_appliance_certs.md)

6 changes: 3 additions & 3 deletions docs/user_doc/vic_vsphere_admin/SUMMARY.md
Expand Up @@ -69,7 +69,8 @@
* [Check Service Status](service_status.md)
* [Restart Services](restart_services.md)
* [Troubleshooting](troubleshoot_vic.md)
* [Access Log Bundles](log_bundles.md)
* [Access Appliance Logs](appliance_logs.md)
* [Access VCH Logs](log_bundles.md)
* [VCH Deployment Times Out](ts_vch_deployment_timeout.md)
* [Appliance Fails to Register with PSC](ts_register_psc_fails.md)
* [Certificate Verification Error](ts_thumbprint_error.md)
Expand All @@ -87,7 +88,6 @@
* [Appliance VM Password Refused](ts_appliance_password_refused.md)
* [Default Volume Store Error](vic_app_dev/ts_volume_store_error.md)
* [Docker Login Fails](ts_dockerlogin_error.md)
* [Security](vic_vsphere_admin/security_reference.md)
* [Security](security_reference.md)
* [Security Reference](security_reference.md)
* [Certificate Reference](vic_cert_reference.md)
* [Obtain Appliance Certificates](obtain_appliance_certs.md)
28 changes: 28 additions & 0 deletions docs/user_doc/vic_vsphere_admin/appliance_logs.md
@@ -0,0 +1,28 @@
# Access vSphere Integrated Containers Appliance Logs #

You access the logs for the vSphere Integrated Containers appliance by using SSH.

**Prerequisites**

Make sure that SSH access to the appliance is enabled. To enable SSH access to the appliance, see [Reconfigure the vSphere Integrated Containers Appliance](reconfigure_appliance.md).

**Procedure**

1. Use SSH to connect to the appliance as root user.<pre>$ ssh root@new_vic_appliance_address</pre>When prompted for the password, enter the appliance password that you specified when you deployed the appliance.
2. To access the logs for the appliance, navigate to `/var/log`.<pre>$ cd /var/log</pre>The `/var/log` folder contains the appliance installation log, `installation.log`.
3. To access logs for vSphere Integrated Containers Registry, navigate to `/var/log/harbor`.<pre>$ cd /var/log/harbor</pre>The `/var/log` folder contains the log files for the following services:

- `adminserver.log`: Registry administration service
- `clair-db.log`: Clair database used for vulnerability scanning of images
- `clair.log`: Clair service used for vulnerability scanning of images
- `jobservice.log`: Registry job service log
- `mysql.log`: Embedded registry database
- `notary-db.log`: Notary database by Docker Content Trust
- `notary-server.log`: Notary server used by Docker Content Trust
- `notary-signer.log`: Notary image signing service used by Docker Content Trust
- `registry.log`: Registry service logs
- `ui.log`: User interface logs

1. To access logs for vSphere Integrated Containers Management Portal, run the `docker logs` command.

vSphere Integrated Containers Management Portal runs as a Docker container in the appliance.<pre>$ docker logs vic-admiral</pre>
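Review bot: the final step is numbered `1.` instead of `4.`, and because it follows a blank line and an unnumbered sub-list it will render as the start of a new list rather than as the fourth step of the procedure; renumber it `4.` (or indent the service list under step 3 so the ordered list stays continuous). Two smaller points in the same hunk: in step 3 the sentence "The `/var/log` folder contains the log files for the following services" should read "The `/var/log/harbor` folder contains ...", since that is the directory the step navigates to, and the entry for `notary-db.log` is missing a word ("Notary database used by Docker Content Trust", matching the other Notary entries).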
29 changes: 16 additions & 13 deletions docs/user_doc/vic_vsphere_admin/log_bundles.md
@@ -1,6 +1,6 @@
# Access vSphere Integrated Containers Engine Log Bundles #
# Access Virtual Container Host Log Bundles #

vSphere Integrated Containers Engine provides log bundles that you can download from the VCH Admin portal for a virtual container host (VCH).
Virtual container hosts (VCHs) provide log bundles that you can download from the VCH Admin portal.

You access the VCH Admin Portal at https://<i>vch_address</i>:2378. For more information about the VCH Admin portal, see [VCH Administration Portal](access_vicadmin.md).

Expand All @@ -9,20 +9,23 @@ To aid in troubleshooting errors, you can download different log bundles:
- **Log Bundle** contains logs that relate specifically to the VCH that you created.
- **Log Bundle with container logs** contains the logs for the VCH and also includes the logs regarding the containers that the VCH manages.

**NOTE**: If the VCH is unable to connect to vSphere, logs that require a vSphere connection are disabled, and you see an error message. For information about accessing logs manually, see [Collecting Logs Manually](#manual) below.
- Live logs (tail files) allow you to view the current status of how components are running.
- **Docker Personality** is the interface to Docker. When configured with client certificate security, it reports unauthorized access attempts to the Docker server web page.
- **Port Layer Service** is the interface to vSphere.
- **Initialization & watchdog** reports:
- Network configuration
- Component launch status for the other components
- Reports component failures and restart counts
**NOTE**: If the VCH is unable to connect to vSphere, logs that require a vSphere connection are disabled, and you see an error message. For information about accessing logs manually, see [Collecting Logs Manually](#manual) below.

At higher debug levels, the component output is duplicated in the log files for those components, so `init.log` includes a superset of the log data.
Live logs (tail files) allow you to view the current status of how components are running.

**Note:** This log file is duplicated on the datastore in a file in the endpoint VM folder named `tether.debug`, to allow the debugging of early stage initialization and network configuration issues.
- **Docker Personality** is the interface to Docker. When configured with client certificate security, it reports unauthorized access attempts to the Docker server web page.
- **Port Layer Service** is the interface to vSphere.
- **Initialization & watchdog** reports:

- **Admin Server** includes logs for the VCH admin server, may contain processes that failed, and network issues. When configured with client certificate security, it reports unauthorized access attempts to the admin server web page.
- Network configuration
- Component launch status for the other components
- Reports component failures and restart counts

At higher debug levels, the component output is duplicated in the log files for those components, so `init.log` includes a superset of the log data.

**NOTE:** This log file is duplicated on the datastore in a file in the endpoint VM folder named `tether.debug`, to allow the debugging of early stage initialization and network configuration issues.

- **Admin Server** includes logs for the VCH admin server, may contain processes that failed, and network issues. When configured with client certificate security, it reports unauthorized access attempts to the admin server web page.

Live logs can help you to see information about current commands and changes as you make them. For example, when you are troubleshooting an issue, you can see whether your command worked or failed by looking at the live logs.

83 changes: 58 additions & 25 deletions docs/user_doc/vic_vsphere_admin/security_reference.md
Expand Up @@ -10,54 +10,87 @@ The Security Reference provides information to allow you to secure your vSphere


## Network Security <a id="network"></a>
VMware highly recommends using a secure management network for vSphere Integrated Containers Engine. The container VMs communicate with the endpoint VM over the management network when an interactive shell is required. While the communication is encrypted, the public keys are not validated, which leaves scope for man-in-the-middle attacks. This connection is only used for the interactive console when enabled (stdin/out/err), and not for any other purpose.
VMware highly recommends using a secure management network for vSphere Integrated Containers Engine. Container VMs communicate with the virtual container host (VCH) endpoint VM over the management network when an interactive shell is required. While the communication is encrypted, the public keys are not validated, which leaves scope for man-in-the-middle attacks. This connection is only used when the interactive console is enabled (stdin/out/err), and not for any other purpose.

All connections to vSphere Integrated Containers Management Portal and Registry are encrypted and secured by HTTPS.

## External Interfaces, Ports, and Services <a id="open_ports"></a>

The following ports must be open on the VCH appliance.
The following ports must be open on the vSphere Integrated Containers appliance, VCH endpoint VMs, and container VMs:

### Endpoint VM
Client interface:
### vSphere Integrated Containers Appliance

- 2375 insecure port for Docker API access if deployed with `--no-tls`
- 2376 for TLS secured port for Docker API access
- 22 SSH when enabled with `vic-machine debug`
- 2378 VIC admin server health and log access (HTTPS)
- 6060 pprof debug data when enabled with --debug levels
The vSphere Integrated Containers appliance makes the core vSphere Integrated Containers services available.

Management interface:
|Port|Protocol|Description|
|---|---|---|
|443|HTTPS|Connections to vSphere Integrated Containers Registry from vSphere Integrated Containers Management Portal, VCHs, and Docker clients|
|1337|HTTPS|Connections to the Demo VCH Installer|
|4443|HTTPS|Connections to the Docker Content Trust service for vSphere Integrated Containers Registry|
|8282|HTTPS|Connections to vSphere Integrated Containers Management Portal UI and API|
|9443|HTTPS|Connections to the appliance intialization and Getting Started page, vSphere Integrated Containers Engine download, and vSphere Client plug-in installer|

- 2377 incoming connections from container VMs
- 443 outgoing connections established to vSphere target
- 443 outgoing connections established to ESX hosts
### VCH Endpoint VM

Bridge interface:
The different network interfaces on a VCH expose different services on different ports. For an overview of the different network interfaces on a VCH, see [Virtual Container Host Networking](vch_networking.md).

- 53 DNS server for container name resolution

Public interface:
#### Public Interface

- any port not listed as used elsewhere can be forwarded to a container VM
Container developers can forward any VCH port that is not used elsewhere to a container VM. For more information about the VCH public interface, see [Configure the Public Network](public_network.md).

### Container VM
#### Bridge Interface

- 6060 pprof debug data when enabled with --debug levels
- vSphere Integrated Containers Engine does not use ports when not configured for debug
For information about the VCH bridge interface, see [Configure Bridge Networks](bridge_network.md).

## Service Accounts and Privileges <a id="accounts"></a>
vSphere Integrated Containers Engine does not create service accounts and does not assign privileges. The `--ops-user` and `--ops-password` options allow a VCH to operate with less-privileged credentials than those that are required for deploying a new VCH. For information about the `--ops-user` option and the permissions that it requires, see the descriptions of `--ops-user` in [VCH Deployment Options](vch_installer_options.md#ops-user) and [Advanced Examples of Deploying a VCH](vch_installer_examples.md#ops-user), and the section [Use Different User Accounts for VCH Deployment and Operation](set_up_ops_user.md).
|Port|Protocol|Description|
|---|---|---|
|53|TCP|Connections from the VCH to DNS servers for container name resolution|

#### Client Interface

For information about the VCH client interface, see [Configure the Client Network](client_network.md).

|Port|Protocol|Description|
|---|---|---|
|22|SSH|Connections to the VCH when using `vic-machine debug --enable-ssh`|
|2375|HTTP|Insecure port for Docker API access if VCH is deployed with `--no-tls`|
|2376|HTTPS|Secure port for Docker API access if VCH is not deployed with `--no-tls`|
|2378|HTTPS|Connections to the VCH Administration Portal server|
|6060|HTTPS|Exposes `pprof` debug data about the VCH if the VCH is running with `vic-machine create --debug` or `vic-machine configure --debug` enabled|

#### Management Interface

For information about the VCH management interface, see [Configure the Management Network](mgmt_network.md).

|Port|Protocol|Description|
|---|---|---|
|443|HTTPS|Outgoing connections from the VCH to vCenter Server and ESXi hosts|
|2377|HTTPS|Incoming connections from container VMs to the VCH|

### Container VMs

## Apply Security Updates and Patches <a id="patches"></a>
Download a new version of vSphere Integrated Containers Engine and upgrade your existing VCHs.
If container developers do not explicitly expose ports, container VMs do not expose any ports if they are not running in debug mode.

|Port|Protocol|Description|
|---|---|---|
|6060|HTTPS|Exposes `pprof` debug data about a container VM when a VCH is running with `vic-machine create --debug` enabled|

## Service Accounts and Privileges <a id="accounts"></a>
vSphere Integrated Containers does not create service accounts and does not assign any vSphere privileges. The vSphere Integrated Containers appliance uses vCenter Single Sign-On user accounts to manage user authentication. You can optionally create example Single Sign-On user accounts for vSphere Integrated Containers Management Portal when you deploy the appliance. For information about the example user accounts, see [Deploy the vSphere Integrated Containers Appliance](deploy_vic_appliance.md) and [User Authentication](../vic_overview/introduction.html#authentication).

The `vic-machine create --ops-user` and `--ops-password` options allow a VCH to operate with less-privileged credentials than those that are required for deploying a new VCH. For information about the `--ops-user` option and the permissions that it requires, see the descriptions of `--ops-user` in [VCH Deployment Options](vch_installer_options.md#ops-user) and [Advanced Examples of Deploying a VCH](vch_installer_examples.md#ops-user), and the section [Use Different User Accounts for VCH Deployment and Operation](set_up_ops_user.md).

## Security Updates and Patches <a id="patches"></a>
Download a new version of vSphere Integrated Containers and upgrade your existing appliances, vSphere Client plug-ins, and VCHs. For information about installing security patches, see [Upgrading vSphere Integrated Containers](upgrading_vic.md).

## Security Related Log Messages <a id="logs"></a>
Security-related information for vSphere Integrated Containers Engine appears in `docker-personality.log` and `vicadmin.log`, that you can access from the VCH Admin portal for a VCH.
Security-related information for vSphere Integrated Containers Engine appears in `docker-personality.log` and `vicadmin.log`, that you can access from the VCH Admin portal for a VCH. For information about accessing VCH logs, see [Access Virtual Container Host Log Bundles](log_bundles.md).

There are no specific security-related logs for the vSphere Integrated Containers appliance. To access logs for the appliance, see [Access vSphere Integrated Containers Appliance Logs](appliance_logs.md).

## Sensitive Data <a id="data"></a>

The VMX file of the VCH endpoint VM stores vSphere Integrated Containers Engine configuration information, which allows most of the configuration to be read-only by the guest. The container VMs might hold sensitive application data, such as environment variables for processes, command arguments, and so on.

vSphere Integrated Containers Management Portal securely stores the credentials for access to VCHs, Docker hosts, and registries. Any private elements of those credentials, such as passwords or private keys, are kept encrypted in the vSphere Integrated Containers Management Portal data store.
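Review bot: the port 53 row under "Bridge Interface" inverts the direction of the original entry. The removed line described "53 DNS server for container name resolution", that is, the VCH listening on the bridge network so container VMs can resolve names, whereas the new row reads "Connections from the VCH to DNS servers for container name resolution", which describes outbound lookups from the VCH. Suggest "Connections from container VMs to the DNS server on the VCH for container name resolution", and "TCP/UDP" rather than "TCP" in the protocol column, since DNS is carried over UDP with TCP as the fallback. Related points in the same hunk: the 6060 `pprof` rows (VCH client interface and container VMs) now state HTTPS, but the removed lines gave no protocol, so confirm the debug endpoint is actually served over TLS before documenting it that way; "intialization" in the 9443 row should be "initialization"; the sentence "If container developers do not explicitly expose ports, container VMs do not expose any ports if they are not running in debug mode" carries two conditions in one clause and reads better as "Container VMs do not expose any ports unless container developers explicitly expose them or the VCH is running in debug mode"; the User Authentication link targets `introduction.html#authentication` while every other cross-reference on the page uses a `.md` path; and "that you can access from the VCH Admin portal" in the Security Related Log Messages section should be "which you can access".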
9 changes: 7 additions & 2 deletions docs/user_doc/vic_vsphere_admin/troubleshoot_vic.md
Expand Up @@ -2,9 +2,12 @@

This section provides solutions for common problems that you might encounter during operation.

* [Access vSphere Integrated Containers Engine Log Bundles](log_bundles.md)
* [Access Appliance Logs](appliance_logs.md)
* [Access VCH Logs](log_bundles.md)
* [VCH Deployment Times Out](ts_vch_deployment_timeout.md)
* [vSphere Integrated Containers Appliance Fails to Register with PSC](ts_register_psc_fails.md)
* [VCH Deployment Fails with a Certificate Verification Error](ts_thumbprint_error.md)
* [Browser Rejects Certificates with ERR_CERT_INVALID Error](ts_cert_error.md)
* [VCH Deployment Fails with Missing Common Name Error Even When TLS Options Are Specified Correctly](ts_cli_argument_error.md)
* [VCH Deployment Fails with Firewall Validation Error](ts_firewall_error.md)
* [VCH Deployment Fails with Certificate cname Mismatch](ts_cname_mismatch.md)
Expand All @@ -15,4 +18,6 @@ This section provides solutions for common problems that you might encounter dur
* [Some Users Cannot Access vSphere Integrated Containers Services](ts_no_access_to_vic_services.md)
* [Deleting or Inspecting a VCH Fails with a Not a VCH or Resource Pool Not Found Error](ts_delete_inspect_error.md)
* [Connections Fail with Certificate Errors when Using Full TLS Authentication with Trusted Certificates](ts_clock_skew.md)
* [vSphere Integrated Containers Appliance VM Password Refused](ts_appliance_password_refused.md)
* [vSphere Integrated Containers Appliance VM Password Refused](ts_appliance_password_refused.md)
* [Default Volume Store Error](ts_volume_store_error.md)
* [Logging in to vSphere Integrated Containers Registry from Docker Fails](ts_dockerlogin_error.md)

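Review bot: the new entry links `ts_volume_store_error.md` as a sibling of troubleshoot_vic.md, but both SUMMARY files in this commit link the same topic as `vic_app_dev/ts_volume_store_error.md`, and the nested vic_vsphere_admin summary otherwise uses paths relative to its own directory. One of the two locations must be wrong; verify where the file lives and make the troubleshooting index and both summaries point at the same path.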