Incorporated peer feedback and added edits to current version

2018-11-19 17:47:16 -08:00 · 2018-11-19 17:47:16 -08:00 · 0007859641
parent 527fcc8476
commit 0007859641
18 changed files with 188 additions and 191 deletions
--- a/datacenter/dtr/2.5/reference/cli/backup.md
+++ b/datacenter/dtr/2.5/reference/cli/backup.md
@ -16,26 +16,26 @@ docker run -i --rm docker/dtr \
 ## Description


-This command creates a tar file with the contents of the volumes used by
-DTR, and prints it. You can then use the 'restore' command to restore the data
-from an existing backup.
+This command creates a `tar` file with the contents of the volumes used by
+DTR, and prints it. You can then use `docker/dtr restore` to restore the data
+from an existing backup. 

 Note:

  * This command only creates backups of configurations, and image metadata.
-    It doesn't backup users and organizations. Users and organizations can be
-    backed up when performing a UCP backup.
+    It does not back up users and organizations. Users and organizations can be
+    backed up during a UCP backup.

-    It also doesn't backup the Docker images stored in your registry.
+    It also doesn't back up Docker images stored in your registry.
    You should implement a separate backup policy for the Docker images stored
-    in your registry, taking in consideration whether your DTR installation is
-    configured to store images on the filesystem or using a cloud provider.
+    in your registry, taking into consideration whether your DTR installation is
+    configured to store images on the filesystem or is using a cloud provider.

  * This backup contains sensitive information and should be
    stored securely.

-  * Using the '--offline-backup' flag will temporarily shut down the rethinkdb container. 
-    You should take the replica out of your load balancer to avoid downtime.
+  * Using the `--offline-backup` flag temporarily shuts down the RethinkDB container. 
+    Take the replica out of your load balancer to avoid downtime.


 ## Options
@ -43,11 +43,11 @@ Note:
 | Option                        | Environment Variable      | Description                                                                          |
 |:------------------------------|:--------------------------|:-------------------------------------------------------------------------------------|
 | `--debug` | $DEBUG | Enable debug mode for additional logs. |
-| `--existing-replica-id` | $DTR_REPLICA_ID | The ID of an existing DTR replica.To add, remove or modify DTR, you must connect to an existing  healthy replica's database.. |
+| `--existing-replica-id` | $DTR_REPLICA_ID | The ID of an existing DTR replica. To add, remove or modify a DTR replica, you must connect to an existing healthy replica's database. |
 | `--help-extended` | $DTR_EXTENDED_HELP | Display extended help text for a given command. |
-| `--offline-backup` | $DTR_OFFLINE_BACKUP | This flag takes rethinkdb down during backup and takes a more reliable backup..If you back up DTR with this flag, rethinkdb will go down during backup. However, it will be   guaranteed to be consistent. With online backups there's no guarantee of consistency.. |
-| `--ucp-ca` | $UCP_CA | Use a PEM-encoded TLS CA certificate for UCP.Download the UCP TLS CA certificate from https://<ucp-url>/ca, and  use --ucp-ca "$(cat ca.pem)". |
-| `--ucp-insecure-tls` | $UCP_INSECURE_TLS | Disable TLS verification for UCP.The installation uses TLS but always trusts  the TLS certificate used by UCP, which can lead to man-in-the-middle attacks.  For production deployments, use --ucp-ca "$(cat ca.pem)" instead. |
+| `--offline-backup` | $DTR_OFFLINE_BACKUP | This flag takes RethinkDB down during backup and takes a more reliable backup. If you back up DTR with this flag, RethinkDB will go down during backup. However, offline backups are guaranteed to be more consistent than online backups. |
+| `--ucp-ca` | $UCP_CA | Use a PEM-encoded TLS CA certificate for UCP. Download the UCP TLS CA certificate from `https://<ucp-url>/ca`, and  use `--ucp-ca "$(cat ca.pem)"`. |
+| `--ucp-insecure-tls` | $UCP_INSECURE_TLS | Disable TLS verification for UCP. The installation uses TLS but always trusts the TLS certificate used by UCP, which can lead to MITM (man-in-the-middle) attacks.  For production deployments, use `--ucp-ca "$(cat ca.pem)"` instead. |
 | `--ucp-password` | $UCP_PASSWORD | The UCP administrator password. |
 | `--ucp-url` | $UCP_URL | The UCP URL including domain and port. |
 | `--ucp-username` | $UCP_USERNAME | The UCP administrator username. |
--- a/datacenter/dtr/2.5/reference/cli/emergency-repair.md
+++ b/datacenter/dtr/2.5/reference/cli/emergency-repair.md
@ -26,14 +26,14 @@ There are three steps you can take to recover an unhealthy DTR cluster:
 2. If the majority of replicas are unhealthy, use this command to revert your
   cluster to a single DTR replica.
 3. If you can't repair your cluster to a single replica, you'll have to
-   restore from an existing backup, using the 'restore' command.
+   restore from an existing backup, using the `restore` command.

 When you run this command, a DTR replica of your choice is repaired and
 turned into the only replica in the whole DTR cluster.
 The containers for all the other DTR replicas are stopped and removed. When
-using the 'force' option, the volumes for these replicas are also deleted.
+using the `force` option, the volumes for these replicas are also deleted.

-After repairing the cluster, you should use the 'join' command to add more
+After repairing the cluster, you should use the `join` command to add more
 DTR replicas for high availability.


@ -42,12 +42,12 @@ DTR replicas for high availability.
 | Option                        | Environment Variable      | Description                                                                          |
 |:------------------------------|:--------------------------|:-------------------------------------------------------------------------------------|
 | `--debug` | $DEBUG | Enable debug mode for additional logs. |
-| `--existing-replica-id` | $DTR_REPLICA_ID | The ID of an existing DTR replica.To add, remove or modify DTR, you must connect to an existing  healthy replica's database.. |
+| `--existing-replica-id` | $DTR_REPLICA_ID | The ID of an existing DTR replica. To add, remove or modify DTR, you must connect to an existing healthy replica's database. |
 | `--help-extended` | $DTR_EXTENDED_HELP | Display extended help text for a given command. |
-| `--overlay-subnet` | $DTR_OVERLAY_SUBNET | The subnet used by the dtr-ol overlay network. Example: 10.0.0.0/24.For high-availalibity, DTR creates an overlay network between UCP nodes. This flag  allows you to choose the subnet for that network. Make sure the subnet you choose is not  used on any machine where DTR replicas are deployed. |
-| `--prune` | $PRUNE | Delete the data volumes of all unhealthy replicas.With this option, the volume of the DTR replica you're restoring    is preserved but the volumes for all other replicas are deleted. This has the same    result as completely uninstalling DTR from those replicas.. |
-| `--ucp-ca` | $UCP_CA | Use a PEM-encoded TLS CA certificate for UCP.Download the UCP TLS CA certificate from https://<ucp-url>/ca, and  use --ucp-ca "$(cat ca.pem)". |
-| `--ucp-insecure-tls` | $UCP_INSECURE_TLS | Disable TLS verification for UCP.The installation uses TLS but always trusts  the TLS certificate used by UCP, which can lead to man-in-the-middle attacks.  For production deployments, use --ucp-ca "$(cat ca.pem)" instead. |
+| `--overlay-subnet` | $DTR_OVERLAY_SUBNET | The subnet used by the dtr-ol overlay network. Example: `10.0.0.0/24`. For high-availability, DTR creates an overlay network between UCP nodes. This flag allows you to choose the subnet for that network. Make sure the subnet you choose is not used on any machine where DTR replicas are deployed. |
+| `--prune` | $PRUNE | Delete the data volumes of all unhealthy replicas. With this option, the volume of the DTR replica you`re restoring is preserved but the volumes for all other replicas are deleted. This has the same result as completely uninstalling DTR from those replicas. |
+| `--ucp-ca` | $UCP_CA | Use a PEM-encoded TLS CA certificate for UCP. Download the UCP TLS CA certificate from https://<ucp-url>/ca, and  use `--ucp-ca "$(cat ca.pem)"`. |
+| `--ucp-insecure-tls` | $UCP_INSECURE_TLS | Disable TLS verification for UCP. The installation uses TLS but always trusts  the TLS certificate used by UCP, which can lead to MITM (man-in-the-middle) attacks. For production deployments, use `--ucp-ca "$(cat ca.pem)"` instead. |
 | `--ucp-password` | $UCP_PASSWORD | The UCP administrator password. |
 | `--ucp-url` | $UCP_URL | The UCP URL including domain and port. |
 | `--ucp-username` | $UCP_USERNAME | The UCP administrator username. |
--- a/datacenter/dtr/2.5/reference/cli/index.md
+++ b/datacenter/dtr/2.5/reference/cli/index.md
@ -19,6 +19,8 @@ docker run -it --rm docker/dtr \
    command [command options]
 ```

+If not specified, `docker/dtr` uses the `latest` tag by default. To work with a different version, specify it in the command. For example, `docker run -it --rm docker/dtr:2.5.5`.
+

 ## Commands

--- a/datacenter/dtr/2.5/reference/cli/install.md
+++ b/datacenter/dtr/2.5/reference/cli/install.md
@ -19,45 +19,43 @@ docker run -it --rm docker/dtr \
 This command installs Docker Trusted Registry (DTR) on a node managed by
 Docker Universal Control Plane (UCP).

-After installing DTR, you can join additional DTR replicas using the 'join'
-command.
+After installing DTR, you can join additional DTR replicas using `docker/dtr join`.

-Example usage:
+### Example Usage

-$ docker run -it --rm docker/dtr:2.5.0 install \
+$ docker run -it --rm docker/dtr install \
 	--ucp-node <UCP_NODE_HOSTNAME> \
 	--ucp-insecure-tls

-Note: Use --ucp-ca "$(cat ca.pem)" instead of --ucp-insecure-tls for a production deployment.
+Note: Use `--ucp-ca "$(cat ca.pem)"` instead of `--ucp-insecure-tls` for a production deployment.

 ## Options

 | Option                        | Environment Variable      | Description                                                                          |
 |:------------------------------|:--------------------------|:-------------------------------------------------------------------------------------|
 | `--debug` | $DEBUG | Enable debug mode for additional logs. |
-| `--dtr-ca` | $DTR_CA | Use a PEM-encoded TLS CA certificate for DTR.By default DTR generates a self-signed TLS certificate during deployment. You can use your  own TLS CA certificate with --dtr-ca "$(cat ca.pem)". |
-| `--dtr-cert` | $DTR_CERT | Use a PEM-encoded TLS certificate for DTR.By default DTR generates a self-signed TLS certificate during deployment. You can use your  own TLS certificate with --dtr-cert "$(cat ca.pem)". |
-| `--dtr-external-url` | $DTR_EXTERNAL_URL | URL of the host or load balancer clients use to reach DTR.When you use this flag, users are redirected to UCP for logging in. Once authenticated  they are redirected to the url you specify in this flag. If you don't use this flag, DTR  is deployed without single sign-on with UCP. Users and teams are shared but users login  separately into the two applications. You can enable and disable single sign-on in the DTR  settings. Format https://host[:port], where port is the value you used  with --replica-https-port. |
-| `--dtr-key` | $DTR_KEY | Use a PEM-encoded TLS private key for DTR.By default DTR generates a self-signed TLS certificate during deployment. You can use your  own TLS private key with --dtr-key "$(cat ca.pem)". |
-| `--dtr-storage-volume` | $DTR_STORAGE_VOLUME | Customize the volume to store Docker images.By default DTR creates a volume to store the Docker images in the local  filesystem of the node where DTR is running, without high-availability. Use this flag to  specify a full path or volume name for DTR to store images. For high-availability, make  sure all DTR replicas can read and write data on this volume. If you're using NFS, use  --nfs-storage-url instead. |
-| `--enable-pprof` | $DTR_PPROF | Enables pprof profiling of the server; use --enable-pprof=false to disable it.Once DTR is deployed with this flag, you can access the pprof endpoint for the api server  at /debug/pprof, and the registry endpoint at /registry_debug_pprof/debug/pprof. |
+| `--dtr-ca` | $DTR_CA | Use a PEM-encoded TLS CA certificate for DTR. By default DTR generates a self-signed TLS certificate during deployment. You can use your own TLS CA certificate with `--dtr-ca "$(cat ca.pem)"`. |
+| `--dtr-cert` | $DTR_CERT | Use a PEM-encoded TLS certificate for DTR. By default DTR generates a self-signed TLS certificate during deployment. You can use your own TLS certificate with `--dtr-cert "$(cat ca.pem)"`. |
+| `--dtr-external-url` | $DTR_EXTERNAL_URL | URL of the host or load balancer clients use to reach DTR. When you use this flag, users are redirected to UCP for logging in. Once authenticated  they are redirected to the URL you specify in this flag. If you don't use this flag, DTR  is deployed without single sign-on with UCP. Users and teams are shared but users log in  separately into the two applications. You can enable and disable single sign-on within your DTR system settings. Format `https://host[:port]`, where port is the value you used  with `--replica-https-port`. |
+| `--dtr-key` | $DTR_KEY | Use a PEM-encoded TLS private key for DTR. By default DTR generates a self-signed TLS certificate during deployment. You can use your own TLS private key with `--dtr-key "$(cat ca.pem)"`. |
+| `--dtr-storage-volume` | $DTR_STORAGE_VOLUME | Customize the volume to store Docker images. By default DTR creates a volume to store the Docker images in the local filesystem of the node where DTR is running, without high-availability. Use this flag to  specify a full path or volume name for DTR to store images. For high-availability, make  sure all DTR replicas can read and write data on this volume. If you're using NFS, use  `--nfs-storage-url` instead. |
+| `--enable-pprof` | $DTR_PPROF | Enables pprof profiling of the server. Use `--enable-pprof=false` to disable it. Once DTR is deployed with this flag, you can access the `pprof` endpoint for the api server  at `/debug/pprof`, and the registry endpoint at `/registry_debug_pprof/debug/pprof`. |
 | `--help-extended` | $DTR_EXTENDED_HELP | Display extended help text for a given command. |
 | `--http-proxy` | $DTR_HTTP_PROXY | The HTTP proxy used for outgoing requests. |
 | `--https-proxy` | $DTR_HTTPS_PROXY | The HTTPS proxy used for outgoing requests. |
-| `--log-host` | $LOG_HOST | The syslog system to send logs to.The endpoint to send logs to. Use this flag if you set --log-protocol to tcp or udp. |
-| `--log-level` | $LOG_LEVEL | Log level for all container logs when logging to syslog. Default: INFO.The supported log levels are debug, info, warn, error, or fatal.. |
-| `--log-protocol` | $LOG_PROTOCOL | The protocol for sending logs. Default is internal.By default, DTR internal components log information using the logger   specified in the Docker daemon in the node where the DTR replica is deployed.   Use this option to send DTR logs to an external syslog system. The supported values are tcp, udp, and   internal. Internal is the default option, stopping DTR from sending logs to an external system.   Use this flag with --log-host. |
-| `--nfs-storage-url` | $NFS_STORAGE_URL | NFS to store Docker images. Format nfs://<ip&#124;hostname>/<mountpoint>.By default DTR creates a volume to store the Docker images in the local filesystem  of the node where DTR is running, without high-availability. Use this flag to specify an  NFS mount for DTR to store images, using the format nfs://<ip&#124;hostname>/<mountpoint>. To  use this flag, you need to install an NFS client library like nfs-common in the node  where you're deploying DTR. You can test this by running showmount -e <nfs-server>. When  you join new replicas, they will start using NFS so you don't need to use this flag. To  reconfigure DTR to stop using NFS, leave this option empty. |
-| `--no-proxy` | $DTR_NO_PROXY | List of domains the proxy should not be used for.When using --http-proxy you can use this flag to specify a list  of domains that you don't want to route through the proxy. Format acme.com[, acme.org]. |
-| `--overlay-subnet` | $DTR_OVERLAY_SUBNET | The subnet used by the dtr-ol overlay network. Example: 10.0.0.0/24.For high-availalibity, DTR creates an overlay network between UCP nodes. This flag  allows you to choose the subnet for that network. Make sure the subnet you choose is not  used on any machine where DTR replicas are deployed. |
-| `--replica-http-port` | $REPLICA_HTTP_PORT | The public HTTP port for the DTR replica. Default is 80.This allows you to customize the HTTP port where users can reach DTR. Once users access  the HTTP port, they are redirected to use an HTTPS connection, using the port specified  with --replica-https-port. This port can also be used for unencrypted health checks. |
-| `--replica-https-port` | $REPLICA_HTTPS_PORT | The public HTTPS port for the DTR replica. Default is 443.This allows you to customize the HTTPS port where users can reach DTR. Each replica can  use a different port. |
+| `--log-host` | $LOG_HOST | The syslog system to send logs to.The endpoint to send logs to. Use this flag if you set `--log-protocol` to `tcp` or `udp`. |
+| `--log-level` | $LOG_LEVEL | Log level for all container logs when logging to syslog. Default: INFO. The supported log levels are debug, info, warn, error, or fatal. |
+| `--log-protocol` | $LOG_PROTOCOL | The protocol for sending logs. Default is internal. By default, DTR internal components log information using the logger specified in the Docker daemon in the node where the DTR replica is deployed. Use this option to send DTR logs to an external syslog system. The supported values are `tcp`, `udp`, or `internal`. Internal is the default option, stopping DTR from sending logs to an external system.   Use this flag with `--log-host`. |
+| `--nfs-storage-url` | $NFS_STORAGE_URL | NFS to store Docker images. Format `nfs://<ip|hostname>/<mountpoint>`. By default DTR creates a volume to store the Docker images in the local filesystem  of the node where DTR is running, without high-availability. Use this flag to specify an  NFS mount for DTR to store images, using the format `nfs://<iphostname>/<mountpoint>`. To  use this flag, you need to install an NFS client library like ***nfs-common*** in your DTR node. You can test this by running `showmount -e <nfs-server>`. When  you join new replicas, they will start using NFS so you don't need to use this flag. To  reconfigure DTR to stop using NFS, leave this option empty: `--nfs-storage-url ""`  |
+| `--no-proxy` | $DTR_NO_PROXY | List of domains the proxy should not be used for. When using `--http-proxy` you can use this flag to specify a list  of domains that you don't want to route through the proxy. Format `acme.com[, acme.org]`. |
+| `--overlay-subnet` | $DTR_OVERLAY_SUBNET | The subnet used by the dtr-ol overlay network. Example: `10.0.0.0/24`. For high-availability, DTR creates an overlay network between UCP nodes. This flag allows you to choose the subnet for that network. Make sure the subnet you choose is not used on any machine where DTR replicas are deployed. |
+| `--replica-http-port` | $REPLICA_HTTP_PORT | The public HTTP port for the DTR replica. Default is `80`. This allows you to customize the HTTP port where users can reach DTR. Once users access  the HTTP port, they are redirected to use an HTTPS connection, using the port specified  with `--replica-https-port`. This port can also be used for unencrypted health checks. |
+| `--replica-https-port` | $REPLICA_HTTPS_PORT | The public HTTPS port for the DTR replica. Default is `443`. This allows you to customize the HTTPS port where users can reach DTR. Each replica can  use a different port. |
 | `--replica-id` | $DTR_INSTALL_REPLICA_ID | Assign a 12-character hexadecimal ID to the DTR replica. Random by default. |
-| `--replica-rethinkdb-cache-mb` | $RETHINKDB_CACHE_MB | The maximum amount of space for rethinkdb in-memory cache use for the given replica in MB.
-			Default is auto. Auto is (available_memory - 1024) / 2.This config allows changing the rethinkdb cache usage per replica. You need to run it once per replica to change each one.. |
-| `--ucp-ca` | $UCP_CA | Use a PEM-encoded TLS CA certificate for UCP.Download the UCP TLS CA certificate from https://<ucp-url>/ca, and  use --ucp-ca "$(cat ca.pem)". |
-| `--ucp-insecure-tls` | $UCP_INSECURE_TLS | Disable TLS verification for UCP.The installation uses TLS but always trusts  the TLS certificate used by UCP, which can lead to man-in-the-middle attacks.  For production deployments, use --ucp-ca "$(cat ca.pem)" instead. |
-| `--ucp-node` | $UCP_NODE | The hostname of the UCP node to deploy DTR. Random by default.You can find the hostnames of the nodes in the cluster in the UCP web UI, or  by running 'docker node ls' on a UCP manager node.. |
+| `--replica-rethinkdb-cache-mb` | $RETHINKDB_CACHE_MB | The maximum amount of space in MB for RethinkDB in-memory cache used by the given replica. Default is auto. Auto is `(available_memory - 1024) / 2`. This config allows changing the RethinkDB cache usage per replica. You need to run it once per replica to change each one. |
+| `--ucp-ca` | $UCP_CA | Use a PEM-encoded TLS CA certificate for UCP. Download the UCP TLS CA certificate from `https://<ucp-url>/ca`, and  use `--ucp-ca "$(cat ca.pem)"`. |
+| `--ucp-insecure-tls` | $UCP_INSECURE_TLS | Disable TLS verification for UCP. The installation uses TLS but always trusts the TLS certificate used by UCP, which can lead to MITM (man-in-the-middle) attacks.  For production deployments, use `--ucp-ca "$(cat ca.pem)"` instead. |
+| `--ucp-node` | $UCP_NODE | The hostname of the UCP node to deploy DTR. Random by default. You can find the hostnames of the nodes in the cluster in the UCP web interface, or  by running `docker node ls` on a UCP manager node. |
 | `--ucp-password` | $UCP_PASSWORD | The UCP administrator password. |
 | `--ucp-url` | $UCP_URL | The UCP URL including domain and port. |
 | `--ucp-username` | $UCP_USERNAME | The UCP administrator username. |
--- a/datacenter/dtr/2.5/reference/cli/join.md
+++ b/datacenter/dtr/2.5/reference/cli/join.md
@ -22,17 +22,16 @@ For setting DTR for high-availability, create 3, 5, or 7 replicas of DTR.
 | Option                        | Environment Variable      | Description                                                                          |
 |:------------------------------|:--------------------------|:-------------------------------------------------------------------------------------|
 | `--debug` | $DEBUG | Enable debug mode for additional logs. |
-| `--existing-replica-id` | $DTR_REPLICA_ID | The ID of an existing DTR replica.To add, remove or modify DTR, you must connect to an existing  healthy replica's database.. |
+| `--existing-replica-id` | $DTR_REPLICA_ID | The ID of an existing DTR replica. To add, remove or modify DTR, you must connect to an existing  healthy replica's database. |
 | `--help-extended` | $DTR_EXTENDED_HELP | Display extended help text for a given command. |
-| `--replica-http-port` | $REPLICA_HTTP_PORT | The public HTTP port for the DTR replica. Default is 80.This allows you to customize the HTTP port where users can reach DTR. Once users access  the HTTP port, they are redirected to use an HTTPS connection, using the port specified  with --replica-https-port. This port can also be used for unencrypted health checks. |
-| `--replica-https-port` | $REPLICA_HTTPS_PORT | The public HTTPS port for the DTR replica. Default is 443.This allows you to customize the HTTPS port where users can reach DTR. Each replica can  use a different port. |
+| `--replica-http-port` | $REPLICA_HTTP_PORT | The public HTTP port for the DTR replica. Default is `80`. This allows you to customize the HTTP port where users can reach DTR. Once users access  the HTTP port, they are redirected to use an HTTPS connection, using the port specified  with --replica-https-port. This port can also be used for unencrypted health checks. |
+| `--replica-https-port` | $REPLICA_HTTPS_PORT | The public HTTPS port for the DTR replica. Default is `443`. This allows you to customize the HTTPS port where users can reach DTR. Each replica can  use a different port. |
 | `--replica-id` | $DTR_INSTALL_REPLICA_ID | Assign a 12-character hexadecimal ID to the DTR replica. Random by default. |
-| `--replica-rethinkdb-cache-mb` | $RETHINKDB_CACHE_MB | The maximum amount of space for rethinkdb in-memory cache use for the given replica in MB.
-			Default is auto. Auto is (available_memory - 1024) / 2.This config allows changing the rethinkdb cache usage per replica. You need to run it once per replica to change each one.. |
-| `--skip-network-test` | $DTR_SKIP_NETWORK_TEST | Don't test if overlay networks are working correctly between UCP nodes.For high-availalibity, DTR creates an overlay network between UCP nodes and tests  that it is working when joining replicas. Don't use this option for production deployments. |
-| `--ucp-ca` | $UCP_CA | Use a PEM-encoded TLS CA certificate for UCP.Download the UCP TLS CA certificate from https://<ucp-url>/ca, and  use --ucp-ca "$(cat ca.pem)". |
-| `--ucp-insecure-tls` | $UCP_INSECURE_TLS | Disable TLS verification for UCP.The installation uses TLS but always trusts  the TLS certificate used by UCP, which can lead to man-in-the-middle attacks.  For production deployments, use --ucp-ca "$(cat ca.pem)" instead. |
-| `--ucp-node` | $UCP_NODE | The hostname of the UCP node to deploy DTR. Random by default.You can find the hostnames of the nodes in the cluster in the UCP web UI, or  by running 'docker node ls' on a UCP manager node.. |
+| `--replica-rethinkdb-cache-mb` | $RETHINKDB_CACHE_MB | The maximum amount of space in MB for RethinkDB in-memory cache used by the given replica. Default is auto. Auto is `(available_memory - 1024) / 2`. This config allows changing the RethinkDB cache usage per replica. You need to run it once per replica to change each one. |
+| `--skip-network-test` | $DTR_SKIP_NETWORK_TEST | Don't test if overlay networks are working correctly between UCP nodes. For high-availability, DTR creates an overlay network between UCP nodes and tests  that it is working when joining replicas. Don't use this option for production deployments. |
+| `--ucp-ca` | $UCP_CA | Use a PEM-encoded TLS CA certificate for UCP.Download the UCP TLS CA certificate from `https://<ucp-url>/ca`, and  use `--ucp-ca "$(cat ca.pem)"`. |
+| `--ucp-insecure-tls` | $UCP_INSECURE_TLS | Disable TLS verification for UCP. The installation uses TLS but always trusts  the TLS certificate used by UCP, which can lead to MITM (man-in-the-middle) attacks.  For production deployments, use `--ucp-ca "$(cat ca.pem)"` instead. |
+| `--ucp-node` | $UCP_NODE | The hostname of the UCP node to deploy DTR. Random by default.You can find the hostnames of the nodes in the cluster in the UCP web interface, or  by running `docker node ls` on a UCP manager node. |
 | `--ucp-password` | $UCP_PASSWORD | The UCP administrator password. |
 | `--ucp-url` | $UCP_URL | The UCP URL including domain and port. |
 | `--ucp-username` | $UCP_USERNAME | The UCP administrator username. |
--- a/datacenter/dtr/2.5/reference/cli/reconfigure.md
+++ b/datacenter/dtr/2.5/reference/cli/reconfigure.md
@ -19,7 +19,7 @@ docker run -it --rm docker/dtr \
 This command changes DTR configuration settings.

 DTR is restarted for the new configurations to take effect. To have no down
-time, configure your DTR for high-availability.
+time, configure your DTR for high availability.


 ## Options
@ -29,25 +29,24 @@ time, configure your DTR for high-availability.
 | `--debug` | $DEBUG | Enable debug mode for additional logs. |
 | `--dtr-ca` | $DTR_CA | Use a PEM-encoded TLS CA certificate for DTR.By default DTR generates a self-signed TLS certificate during deployment. You can use your  own TLS CA certificate with --dtr-ca "$(cat ca.pem)". |
 | `--dtr-cert` | $DTR_CERT | Use a PEM-encoded TLS certificate for DTR.By default DTR generates a self-signed TLS certificate during deployment. You can use your  own TLS certificate with --dtr-cert "$(cat ca.pem)". |
-| `--dtr-external-url` | $DTR_EXTERNAL_URL | URL of the host or load balancer clients use to reach DTR.When you use this flag, users are redirected to UCP for logging in. Once authenticated  they are redirected to the url you specify in this flag. If you don't use this flag, DTR  is deployed without single sign-on with UCP. Users and teams are shared but users login  separately into the two applications. You can enable and disable single sign-on in the DTR  settings. Format https://host[:port], where port is the value you used  with --replica-https-port. |
-| `--dtr-key` | $DTR_KEY | Use a PEM-encoded TLS private key for DTR.By default DTR generates a self-signed TLS certificate during deployment. You can use your  own TLS private key with --dtr-key "$(cat ca.pem)". |
-| `--dtr-storage-volume` | $DTR_STORAGE_VOLUME | Customize the volume to store Docker images.By default DTR creates a volume to store the Docker images in the local  filesystem of the node where DTR is running, without high-availability. Use this flag to  specify a full path or volume name for DTR to store images. For high-availability, make  sure all DTR replicas can read and write data on this volume. If you're using NFS, use  --nfs-storage-url instead. |
-| `--enable-pprof` | $DTR_PPROF | Enables pprof profiling of the server; use --enable-pprof=false to disable it.Once DTR is deployed with this flag, you can access the pprof endpoint for the api server  at /debug/pprof, and the registry endpoint at /registry_debug_pprof/debug/pprof. |
-| `--existing-replica-id` | $DTR_REPLICA_ID | The ID of an existing DTR replica.To add, remove or modify DTR, you must connect to an existing  healthy replica's database.. |
+| `--dtr-external-url` | $DTR_EXTERNAL_URL | URL of the host or load balancer clients use to reach DTR. When you use this flag, users are redirected to UCP for logging in. Once authenticated  they are redirected to the url you specify in this flag. If you don't use this flag, DTR  is deployed without single sign-on with UCP. Users and teams are shared but users login  separately into the two applications. You can enable and disable single sign-on in the DTR  settings. Format `https://host[:port]`, where port is the value you used  with `--replica-https-port`. |
+| `--dtr-key` | $DTR_KEY | Use a PEM-encoded TLS private key for DTR. By default DTR generates a self-signed TLS certificate during deployment. You can use your  own TLS private key with `--dtr-key "$(cat ca.pem)"`. |
+| `--dtr-storage-volume` | $DTR_STORAGE_VOLUME | Customize the volume to store Docker images. By default DTR creates a volume to store the Docker images in the local  filesystem of the node where DTR is running, without high-availability. Use this flag to  specify a full path or volume name for DTR to store images. For high-availability, make  sure all DTR replicas can read and write data on this volume. If you're using NFS, use `--nfs-storage-url` instead. |
+| `--enable-pprof` | $DTR_PPROF | Enables pprof profiling of the server. Use `--enable-pprof=false` to disable it. Once DTR is deployed with this flag, you can access the pprof endpoint for the api server  at `/debug/pprof`, and the registry endpoint at `/registry_debug_pprof/debug/pprof`. |
+| `--existing-replica-id` | $DTR_REPLICA_ID | The ID of an existing DTR replica. To add, remove or modify DTR, you must connect to an existing healthy replica's database. |
 | `--help-extended` | $DTR_EXTENDED_HELP | Display extended help text for a given command. |
 | `--http-proxy` | $DTR_HTTP_PROXY | The HTTP proxy used for outgoing requests. |
 | `--https-proxy` | $DTR_HTTPS_PROXY | The HTTPS proxy used for outgoing requests. |
-| `--log-host` | $LOG_HOST | The syslog system to send logs to.The endpoint to send logs to. Use this flag if you set --log-protocol to tcp or udp. |
-| `--log-level` | $LOG_LEVEL | Log level for all container logs when logging to syslog. Default: INFO.The supported log levels are debug, info, warn, error, or fatal.. |
-| `--log-protocol` | $LOG_PROTOCOL | The protocol for sending logs. Default is internal.By default, DTR internal components log information using the logger   specified in the Docker daemon in the node where the DTR replica is deployed.   Use this option to send DTR logs to an external syslog system. The supported values are tcp, udp, and   internal. Internal is the default option, stopping DTR from sending logs to an external system.   Use this flag with --log-host. |
-| `--nfs-storage-url` | $NFS_STORAGE_URL | NFS to store Docker images. Format nfs://<ip&#124;hostname>/<mountpoint>.By default DTR creates a volume to store the Docker images in the local filesystem  of the node where DTR is running, without high-availability. Use this flag to specify an  NFS mount for DTR to store images, using the format nfs://<ip&#124;hostname>/<mountpoint>. To  use this flag, you need to install an NFS client library like nfs-common in the node  where you're deploying DTR. You can test this by running showmount -e <nfs-server>. When  you join new replicas, they will start using NFS so you don't need to use this flag. To  reconfigure DTR to stop using NFS, leave this option empty. |
-| `--no-proxy` | $DTR_NO_PROXY | List of domains the proxy should not be used for.When using --http-proxy you can use this flag to specify a list  of domains that you don't want to route through the proxy. Format acme.com[, acme.org]. |
-| `--replica-http-port` | $REPLICA_HTTP_PORT | The public HTTP port for the DTR replica. Default is 80.This allows you to customize the HTTP port where users can reach DTR. Once users access  the HTTP port, they are redirected to use an HTTPS connection, using the port specified  with --replica-https-port. This port can also be used for unencrypted health checks. |
-| `--replica-https-port` | $REPLICA_HTTPS_PORT | The public HTTPS port for the DTR replica. Default is 443.This allows you to customize the HTTPS port where users can reach DTR. Each replica can  use a different port. |
-| `--replica-rethinkdb-cache-mb` | $RETHINKDB_CACHE_MB | The maximum amount of space for rethinkdb in-memory cache use for the given replica in MB.
-			Default is auto. Auto is (available_memory - 1024) / 2.This config allows changing the rethinkdb cache usage per replica. You need to run it once per replica to change each one.. |
-| `--ucp-ca` | $UCP_CA | Use a PEM-encoded TLS CA certificate for UCP.Download the UCP TLS CA certificate from https://<ucp-url>/ca, and  use --ucp-ca "$(cat ca.pem)". |
-| `--ucp-insecure-tls` | $UCP_INSECURE_TLS | Disable TLS verification for UCP.The installation uses TLS but always trusts  the TLS certificate used by UCP, which can lead to man-in-the-middle attacks.  For production deployments, use --ucp-ca "$(cat ca.pem)" instead. |
+| `--log-host` | $LOG_HOST | The syslog system to send logs to. The endpoint to send logs to. Use this flag if you set `--log-protocol` to `tcp` or `udp`. |
+| `--log-level` | $LOG_LEVEL | Log level for all container logs when logging to syslog. Default: INFO. The supported log levels are `debug`, `info`, `warn`, `error`, or `fatal`. |
+| `--log-protocol` | $LOG_PROTOCOL | The protocol for sending logs. Default is internal. By default, DTR internal components log information using the logger specified in the Docker daemon in the node where the DTR replica is deployed.   Use this option to send DTR logs to an external syslog system. The supported values are `tcp`, `udp`, and `internal`. Internal is the default option, stopping DTR from sending logs to an external system. Use this flag with `--log-host`. |
+| `--nfs-storage-url` | $NFS_STORAGE_URL | NFS to store Docker images. Format `nfs://<ip|hostname>/<mountpoint>`. By default DTR creates a volume to store the Docker images in the local filesystem  of the node where DTR is running, without high-availability. Use this flag to specify an  NFS mount for DTR to store images, using the format `nfs://<ip|hostname>/<mountpoint>`. To  use this flag, you need to install an NFS client library like **nfs-common** in the node where you're deploying DTR. You can test this by running `showmount -e <nfs-server>`. When  you join new replicas, they will start using NFS so you don't need to use this flag. To  reconfigure DTR to stop using NFS, leave this option empty: `--nfs-storage-url ""` |
+| `--no-proxy` | $DTR_NO_PROXY | List of domains the proxy should not be used for. When using `--http-proxy` you can use this flag to specify a list  of domains that you don't want to route through the proxy. Format `acme.com[, acme.org]`. |
+| `--replica-http-port` | $REPLICA_HTTP_PORT | The public HTTP port for the DTR replica. Default is `80`. This allows you to customize the HTTP port where users can reach DTR. Once users access  the HTTP port, they are redirected to use an HTTPS connection, using the port specified  with --replica-https-port. This port can also be used for unencrypted health checks. |
+| `--replica-https-port` | $REPLICA_HTTPS_PORT | The public HTTPS port for the DTR replica. Default is `443`. This allows you to customize the HTTPS port where users can reach DTR. Each replica can  use a different port. |
+| `--replica-rethinkdb-cache-mb` | $RETHINKDB_CACHE_MB | The maximum amount of space in MB for RethinkDB in-memory cache used by the given replica. Default is auto. Auto is `(available_memory - 1024) / 2`. This config allows changing the RethinkDB cache usage per replica. You need to run it once per replica to change each one. |
+| `--ucp-ca` | $UCP_CA | Use a PEM-encoded TLS CA certificate for UCP. Download the UCP TLS CA certificate from `https://<ucp-url>/ca`, and  use `--ucp-ca "$(cat ca.pem)"`. |
+| `--ucp-insecure-tls` | $UCP_INSECURE_TLS | Disable TLS verification for UCP. The installation uses TLS but always trusts the TLS certificate used by UCP, which can lead to MITM (man-in-the-middle) attacks.  For production deployments, use `--ucp-ca "$(cat ca.pem)"` instead. |
 | `--ucp-password` | $UCP_PASSWORD | The UCP administrator password. |
 | `--ucp-url` | $UCP_URL | The UCP URL including domain and port. |
 | `--ucp-username` | $UCP_USERNAME | The UCP administrator username. |
--- a/datacenter/dtr/2.5/reference/cli/remove.md
+++ b/datacenter/dtr/2.5/reference/cli/remove.md
@ -26,12 +26,12 @@ this operation.
 | Option                        | Environment Variable      | Description                                                                          |
 |:------------------------------|:--------------------------|:-------------------------------------------------------------------------------------|
 | `--debug` | $DEBUG | Enable debug mode for additional logs. |
-| `--existing-replica-id` | $DTR_REPLICA_ID | The ID of an existing DTR replica.To add, remove or modify DTR, you must connect to an existing  healthy replica's database.. |
+| `--existing-replica-id` | $DTR_REPLICA_ID | The ID of an existing DTR replica. To add, remove or modify DTR, you must connect to an existing  healthy replica's database. |
 | `--help-extended` | $DTR_EXTENDED_HELP | Display extended help text for a given command. |
-| `--replica-id` | $DTR_REMOVE_REPLICA_ID | DEPRECATED Alias for --replica-ids. |
+| `--replica-id` | $DTR_REMOVE_REPLICA_ID | DEPRECATED Alias for `--replica-ids`. |
 | `--replica-ids` | $DTR_REMOVE_REPLICA_IDS | A comma separated list of IDs of replicas to remove from the cluster. |
-| `--ucp-ca` | $UCP_CA | Use a PEM-encoded TLS CA certificate for UCP.Download the UCP TLS CA certificate from https://<ucp-url>/ca, and  use --ucp-ca "$(cat ca.pem)". |
-| `--ucp-insecure-tls` | $UCP_INSECURE_TLS | Disable TLS verification for UCP.The installation uses TLS but always trusts  the TLS certificate used by UCP, which can lead to man-in-the-middle attacks.  For production deployments, use --ucp-ca "$(cat ca.pem)" instead. |
+| `--ucp-ca` | $UCP_CA | Use a PEM-encoded TLS CA certificate for UCP. Download the UCP TLS CA certificate from `https://<ucp-url>/ca`, and  use `--ucp-ca "$(cat ca.pem)"`. |
+| `--ucp-insecure-tls` | $UCP_INSECURE_TLS | Disable TLS verification for UCP. The installation uses TLS but always trusts the TLS certificate used by UCP, which can lead to MITM (man-in-the-middle) attacks.  For production deployments, use `--ucp-ca "$(cat ca.pem)"` instead. |
 | `--ucp-password` | $UCP_PASSWORD | The UCP administrator password. |
 | `--ucp-url` | $UCP_URL | The UCP URL including domain and port. |
 | `--ucp-username` | $UCP_USERNAME | The UCP administrator username. |
--- a/datacenter/dtr/2.5/reference/cli/restore.md
+++ b/datacenter/dtr/2.5/reference/cli/restore.md
@ -17,7 +17,7 @@ docker run -i --rm docker/dtr \


 This command performs a fresh installation of DTR, and reconfigures it
-with configuration data from a tar file generated by the 'backup' command.
+with configuration data from a `tar` file generated by `docker/dtr backup`.

 There are three steps you can take to recover an unhealthy DTR cluster:

@ -26,14 +26,14 @@ There are three steps you can take to recover an unhealthy DTR cluster:
 2. If the majority of replicas are unhealthy, use this command to revert your
   cluster to a single DTR replica.
 3. If you can't repair your cluster to a single replica, you'll have to
-   restore from an existing backup, using the 'restore' command.
+   restore from an existing backup, using the `restore` command.

 This command does not restore Docker images. You should implement a separate
 restore procedure for the Docker images stored in your registry, taking in
 consideration whether your DTR installation is configured to store images on
 the local filesystem or using a cloud provider.

-After restoring the cluster, you should use the 'join' command to add more
+After restoring the cluster, you should use the `join` command to add more
 DTR replicas for high availability.


@ -42,28 +42,27 @@ DTR replicas for high availability.
 | Option                        | Environment Variable      | Description                                                                          |
 |:------------------------------|:--------------------------|:-------------------------------------------------------------------------------------|
 | `--debug` | $DEBUG | Enable debug mode for additional logs. |
-| `--dtr-ca` | $DTR_CA | Use a PEM-encoded TLS CA certificate for DTR.By default DTR generates a self-signed TLS certificate during deployment. You can use your  own TLS CA certificate with --dtr-ca "$(cat ca.pem)". |
-| `--dtr-cert` | $DTR_CERT | Use a PEM-encoded TLS certificate for DTR.By default DTR generates a self-signed TLS certificate during deployment. You can use your  own TLS certificate with --dtr-cert "$(cat ca.pem)". |
-| `--dtr-external-url` | $DTR_EXTERNAL_URL | URL of the host or load balancer clients use to reach DTR.When you use this flag, users are redirected to UCP for logging in. Once authenticated  they are redirected to the url you specify in this flag. If you don't use this flag, DTR  is deployed without single sign-on with UCP. Users and teams are shared but users login  separately into the two applications. You can enable and disable single sign-on in the DTR  settings. Format https://host[:port], where port is the value you used  with --replica-https-port. |
-| `--dtr-key` | $DTR_KEY | Use a PEM-encoded TLS private key for DTR.By default DTR generates a self-signed TLS certificate during deployment. You can use your  own TLS private key with --dtr-key "$(cat ca.pem)". |
-| `--dtr-storage-volume` | $DTR_STORAGE_VOLUME | Customize the volume to store Docker images.By default DTR creates a volume to store the Docker images in the local  filesystem of the node where DTR is running, without high-availability. Use this flag to  specify a full path or volume name for DTR to store images. For high-availability, make  sure all DTR replicas can read and write data on this volume. If you're using NFS, use  --nfs-storage-url instead. |
-| `--enable-pprof` | $DTR_PPROF | Enables pprof profiling of the server; use --enable-pprof=false to disable it.Once DTR is deployed with this flag, you can access the pprof endpoint for the api server  at /debug/pprof, and the registry endpoint at /registry_debug_pprof/debug/pprof. |
+| `--dtr-ca` | $DTR_CA | Use a PEM-encoded TLS CA certificate for DTR. By default DTR generates a self-signed TLS certificate during deployment. You can use your own TLS CA certificate with `--dtr-ca "$(cat ca.pem)"`. |
+| `--dtr-cert` | $DTR_CERT | Use a PEM-encoded TLS certificate for DTR. By default DTR generates a self-signed TLS certificate during deployment. You can use your own TLS certificate with `--dtr-cert "$(cat ca.pem)"`. |
+| `--dtr-external-url` | $DTR_EXTERNAL_URL | URL of the host or load balancer clients use to reach DTR. When you use this flag, users are redirected to UCP for logging in. Once authenticated  they are redirected to the URL you specify in this flag. If you don't use this flag, DTR  is deployed without single sign-on with UCP. Users and teams are shared but users log in  separately into the two applications. You can enable and disable single sign-on within your DTR system settings. Format `https://host[:port]`, where port is the value you used  with `--replica-https-port`. |
+| `--dtr-key` | $DTR_KEY | Use a PEM-encoded TLS private key for DTR. By default DTR generates a self-signed TLS certificate during deployment. You can use your own TLS private key with `--dtr-key "$(cat ca.pem)"`. |
+| `--dtr-storage-volume` | $DTR_STORAGE_VOLUME | Customize the volume to store Docker images. By default DTR creates a volume to store the Docker images in the local  filesystem of the node where DTR is running, without high-availability. Use this flag to  specify a full path or volume name for DTR to store images. For high-availability, make  sure all DTR replicas can read and write data on this volume. If you're using NFS, use  --nfs-storage-url instead. |
+| `--enable-pprof` | $DTR_PPROF | Enables pprof profiling of the server. Use `--enable-pprof=false` to disable it. Once DTR is deployed with this flag, you can access the `pprof` endpoint for the api server  at `/debug/pprof`, and the registry endpoint at `/registry_debug_pprof/debug/pprof`. |
 | `--help-extended` | $DTR_EXTENDED_HELP | Display extended help text for a given command. |
 | `--http-proxy` | $DTR_HTTP_PROXY | The HTTP proxy used for outgoing requests. |
 | `--https-proxy` | $DTR_HTTPS_PROXY | The HTTPS proxy used for outgoing requests. |
 | `--log-host` | $LOG_HOST | The syslog system to send logs to.The endpoint to send logs to. Use this flag if you set --log-protocol to tcp or udp. |
-| `--log-level` | $LOG_LEVEL | Log level for all container logs when logging to syslog. Default: INFO.The supported log levels are debug, info, warn, error, or fatal.. |
+| `--log-level` | $LOG_LEVEL | Log level for all container logs when logging to syslog. Default: `INFO`. The supported log levels are `debug`, `info`, `warn`, `error`, or `fatal`. |
 | `--log-protocol` | $LOG_PROTOCOL | The protocol for sending logs. Default is internal.By default, DTR internal components log information using the logger   specified in the Docker daemon in the node where the DTR replica is deployed.   Use this option to send DTR logs to an external syslog system. The supported values are tcp, udp, and   internal. Internal is the default option, stopping DTR from sending logs to an external system.   Use this flag with --log-host. |
-| `--nfs-storage-url` | $NFS_STORAGE_URL | NFS to store Docker images. Format nfs://<ip&#124;hostname>/<mountpoint>.By default DTR creates a volume to store the Docker images in the local filesystem  of the node where DTR is running, without high-availability. Use this flag to specify an  NFS mount for DTR to store images, using the format nfs://<ip&#124;hostname>/<mountpoint>. To  use this flag, you need to install an NFS client library like nfs-common in the node  where you're deploying DTR. You can test this by running showmount -e <nfs-server>. When  you join new replicas, they will start using NFS so you don't need to use this flag. To  reconfigure DTR to stop using NFS, leave this option empty. |
+| `--nfs-storage-url` | $NFS_STORAGE_URL | NFS to store Docker images. Format `nfs://<ip|hostname>/<mountpoint>`. By default DTR creates a volume to store the Docker images in the local filesystem  of the node where DTR is running, without high-availability. Use this flag to specify an  NFS mount for DTR to store images, using the format `nfs://<iphostname>/<mountpoint>`. To  use this flag, you need to install an NFS client library like ***nfs-common*** in your DTR node. You can test this by running `showmount -e <nfs-server>`. When  you join new replicas, they will start using NFS so you don't need to use this flag. To  reconfigure DTR to stop using NFS, leave this option empty: `--nfs-storage-url ""`  |
 | `--no-proxy` | $DTR_NO_PROXY | List of domains the proxy should not be used for.When using --http-proxy you can use this flag to specify a list  of domains that you don't want to route through the proxy. Format acme.com[, acme.org]. |
-| `--replica-http-port` | $REPLICA_HTTP_PORT | The public HTTP port for the DTR replica. Default is 80.This allows you to customize the HTTP port where users can reach DTR. Once users access  the HTTP port, they are redirected to use an HTTPS connection, using the port specified  with --replica-https-port. This port can also be used for unencrypted health checks. |
-| `--replica-https-port` | $REPLICA_HTTPS_PORT | The public HTTPS port for the DTR replica. Default is 443.This allows you to customize the HTTPS port where users can reach DTR. Each replica can  use a different port. |
+| `--replica-http-port` | $REPLICA_HTTP_PORT | The public HTTP port for the DTR replica. Default is `80`. This allows you to customize the HTTP port where users can reach DTR. Once users access  the HTTP port, they are redirected to use an HTTPS connection, using the port specified  with `--replica-https-port`. This port can also be used for unencrypted health checks. |
+| `--replica-https-port` | $REPLICA_HTTPS_PORT | The public HTTPS port for the DTR replica. Default is `443`. This allows you to customize the HTTPS port where users can reach DTR. Each replica can  use a different port. |
 | `--replica-id` | $DTR_INSTALL_REPLICA_ID | Assign a 12-character hexadecimal ID to the DTR replica. Random by default. |
-| `--replica-rethinkdb-cache-mb` | $RETHINKDB_CACHE_MB | The maximum amount of space for rethinkdb in-memory cache use for the given replica in MB.
-			Default is auto. Auto is (available_memory - 1024) / 2.This config allows changing the rethinkdb cache usage per replica. You need to run it once per replica to change each one.. |
-| `--ucp-ca` | $UCP_CA | Use a PEM-encoded TLS CA certificate for UCP.Download the UCP TLS CA certificate from https://<ucp-url>/ca, and  use --ucp-ca "$(cat ca.pem)". |
-| `--ucp-insecure-tls` | $UCP_INSECURE_TLS | Disable TLS verification for UCP.The installation uses TLS but always trusts  the TLS certificate used by UCP, which can lead to man-in-the-middle attacks.  For production deployments, use --ucp-ca "$(cat ca.pem)" instead. |
-| `--ucp-node` | $UCP_NODE | The hostname of the UCP node to deploy DTR. Random by default.You can find the hostnames of the nodes in the cluster in the UCP web UI, or  by running 'docker node ls' on a UCP manager node.. |
+| `--replica-rethinkdb-cache-mb` | $RETHINKDB_CACHE_MB | The maximum amount of space in MB for RethinkDB in-memory cache used by the given replica. Default is auto. Auto is `(available_memory - 1024) / 2`. This config allows changing the RethinkDB cache usage per replica. You need to run it once per replica to change each one. |
+| `--ucp-ca` | $UCP_CA | Use a PEM-encoded TLS CA certificate for UCP. Download the UCP TLS CA certificate from `https://<ucp-url>/ca`, and  use `--ucp-ca "$(cat ca.pem)"`. |
+| `--ucp-insecure-tls` | $UCP_INSECURE_TLS | Disable TLS verification for UCP. The installation uses TLS but always trusts the TLS certificate used by UCP, which can lead to MITM (man-in-the-middle) attacks.  For production deployments, use `--ucp-ca "$(cat ca.pem)"` instead. |
+| `--ucp-node` | $UCP_NODE | The hostname of the UCP node to deploy DTR. Random by default. You can find the hostnames of the nodes in the cluster in the UCP web interface, or  by running `docker node ls` on a UCP manager node. |
 | `--ucp-password` | $UCP_PASSWORD | The UCP administrator password. |
 | `--ucp-url` | $UCP_URL | The UCP URL including domain and port. |
 | `--ucp-username` | $UCP_USERNAME | The UCP administrator username. |
--- a/datacenter/dtr/2.5/reference/cli/upgrade.md
+++ b/datacenter/dtr/2.5/reference/cli/upgrade.md
@ -24,10 +24,10 @@ This command upgrades DTR 2.4.x to the current version of this image.
 | Option                        | Environment Variable      | Description                                                                          |
 |:------------------------------|:--------------------------|:-------------------------------------------------------------------------------------|
 | `--debug` | $DEBUG | Enable debug mode for additional logs. |
-| `--existing-replica-id` | $DTR_REPLICA_ID | The ID of an existing DTR replica.To add, remove or modify DTR, you must connect to an existing  healthy replica's database.. |
+| `--existing-replica-id` | $DTR_REPLICA_ID | The ID of an existing DTR replica. To add, remove or modify DTR, you must connect to an existing  healthy replica's database. |
 | `--help-extended` | $DTR_EXTENDED_HELP | Display extended help text for a given command. |
-| `--ucp-ca` | $UCP_CA | Use a PEM-encoded TLS CA certificate for UCP.Download the UCP TLS CA certificate from https://<ucp-url>/ca, and  use --ucp-ca "$(cat ca.pem)". |
-| `--ucp-insecure-tls` | $UCP_INSECURE_TLS | Disable TLS verification for UCP.The installation uses TLS but always trusts  the TLS certificate used by UCP, which can lead to man-in-the-middle attacks.  For production deployments, use --ucp-ca "$(cat ca.pem)" instead. |
+| `--ucp-ca` | $UCP_CA | Use a PEM-encoded TLS CA certificate for UCP. Download the UCP TLS CA certificate from `https://<ucp-url>/ca`, and  use `--ucp-ca "$(cat ca.pem)"`. |
+| `--ucp-insecure-tls` | $UCP_INSECURE_TLS | Disable TLS verification for UCP. The installation uses TLS but always trusts the TLS certificate used by UCP, which can lead to MITM (man-in-the-middle) attacks.  For production deployments, use `--ucp-ca "$(cat ca.pem)"` instead. |
 | `--ucp-password` | $UCP_PASSWORD | The UCP administrator password. |
 | `--ucp-url` | $UCP_URL | The UCP URL including domain and port. |
 | `--ucp-username` | $UCP_USERNAME | The UCP administrator username. |
--- a/reference/dtr/2.6/cli/backup.md
+++ b/reference/dtr/2.6/cli/backup.md
@ -15,27 +15,27 @@ docker run -i --rm docker/dtr \

 ## Description

-
-This command creates a tar file with the contents of the volumes used by
-DTR, and prints it. You can then use the 'restore' command to restore the data
+This command creates a `tar` file with the contents of the volumes used by
+DTR, and prints it. You can then use `docker/dtr restore` to restore the data
 from an existing backup.

+
 Note:

  * This command only creates backups of configurations, and image metadata.
-    It doesn't backup users and organizations. Users and organizations can be
-    backed up when performing a UCP backup.
+    It does not back up users and organizations. Users and organizations can be
+    backed up during a UCP backup.

-    It also doesn't backup the Docker images stored in your registry.
+    It also does not back up Docker images stored in your registry.
    You should implement a separate backup policy for the Docker images stored
-    in your registry, taking in consideration whether your DTR installation is
-    configured to store images on the filesystem or using a cloud provider.
+    in your registry, taking into consideration whether your DTR installation is
+    configured to store images on the filesystem or is using a cloud provider.

  * This backup contains sensitive information and should be
    stored securely.

-  * Using the '--offline-backup' flag will temporarily shut down the rethinkdb container. 
-    You should take the replica out of your load balancer to avoid downtime.
+  * Using the `--offline-backup` flag temporarily shuts down the RethinkDB container. 
+    Take the replica out of your load balancer to avoid downtime.


 ## Options
@ -43,11 +43,11 @@ Note:
 | Option                        | Environment Variable      | Description                                                                          |
 |:------------------------------|:--------------------------|:-------------------------------------------------------------------------------------|
 | `--debug` | $DEBUG | Enable debug mode for additional logs. |
-| `--existing-replica-id` | $DTR_REPLICA_ID | The ID of an existing DTR replica.To add, remove or modify DTR, you must connect to an existing  healthy replica's database.. |
+| `--existing-replica-id` | $DTR_REPLICA_ID | The ID of an existing DTR replica. To add, remove or modify a DTR replica, you must connect to an existing healthy replica's database. |
 | `--help-extended` | $DTR_EXTENDED_HELP | Display extended help text for a given command. |
-| `--offline-backup` | $DTR_OFFLINE_BACKUP | This flag takes rethinkdb down during backup and takes a more reliable backup..If you back up DTR with this flag, rethinkdb will go down during backup. However, it will be   guaranteed to be consistent. With online backups there's no guarantee of consistency.. |
-| `--ucp-ca` | $UCP_CA | Use a PEM-encoded TLS CA certificate for UCP.Download the UCP TLS CA certificate from https://<ucp-url>/ca, and  use --ucp-ca "$(cat ca.pem)". |
-| `--ucp-insecure-tls` | $UCP_INSECURE_TLS | Disable TLS verification for UCP.The installation uses TLS but always trusts  the TLS certificate used by UCP, which can lead to man-in-the-middle attacks.  For production deployments, use --ucp-ca "$(cat ca.pem)" instead. |
+| `--offline-backup` | $DTR_OFFLINE_BACKUP | This flag takes RethinkDB down during backup and takes a more reliable backup. If you back up DTR with this flag, RethinkDB will go down during backup. However, offline backups are guaranteed to be more consistent than online backups. |
+| `--ucp-ca` | $UCP_CA | Use a PEM-encoded TLS CA certificate for UCP. Download the UCP TLS CA certificate from `https://<ucp-url>/ca`, and  use `--ucp-ca "$(cat ca.pem)"`. |
+| `--ucp-insecure-tls` | $UCP_INSECURE_TLS | Disable TLS verification for UCP. The installation uses TLS but always trusts the TLS certificate used by UCP, which can lead to MITM (man-in-the-middle) attacks.  For production deployments, use `--ucp-ca "$(cat ca.pem)"` instead. |
 | `--ucp-password` | $UCP_PASSWORD | The UCP administrator password. |
 | `--ucp-url` | $UCP_URL | The UCP URL including domain and port. |
 | `--ucp-username` | $UCP_USERNAME | The UCP administrator username. |
--- a/reference/dtr/2.6/cli/emergency-repair.md
+++ b/reference/dtr/2.6/cli/emergency-repair.md
@ -26,14 +26,14 @@ There are three steps you can take to recover an unhealthy DTR cluster:
 2. If the majority of replicas are unhealthy, use this command to revert your
   cluster to a single DTR replica.
 3. If you can't repair your cluster to a single replica, you'll have to
-   restore from an existing backup, using the 'restore' command.
+   restore from an existing backup, using the `restore` command.

 When you run this command, a DTR replica of your choice is repaired and
 turned into the only replica in the whole DTR cluster.
 The containers for all the other DTR replicas are stopped and removed. When
-using the 'force' option, the volumes for these replicas are also deleted.
+using the `force` option, the volumes for these replicas are also deleted.

-After repairing the cluster, you should use the 'join' command to add more
+After repairing the cluster, you should use the `join` command to add more
 DTR replicas for high availability.


@ -42,12 +42,12 @@ DTR replicas for high availability.
 | Option                        | Environment Variable      | Description                                                                          |
 |:------------------------------|:--------------------------|:-------------------------------------------------------------------------------------|
 | `--debug` | $DEBUG | Enable debug mode for additional logs. |
-| `--existing-replica-id` | $DTR_REPLICA_ID | The ID of an existing DTR replica.To add, remove or modify DTR, you must connect to an existing  healthy replica's database.. |
+| `--existing-replica-id` | $DTR_REPLICA_ID | The ID of an existing DTR replica. To add, remove or modify DTR, you must connect to an existing healthy replica's database. |
 | `--help-extended` | $DTR_EXTENDED_HELP | Display extended help text for a given command. |
-| `--overlay-subnet` | $DTR_OVERLAY_SUBNET | The subnet used by the dtr-ol overlay network. Example: 10.0.0.0/24.For high-availalibity, DTR creates an overlay network between UCP nodes. This flag  allows you to choose the subnet for that network. Make sure the subnet you choose is not  used on any machine where DTR replicas are deployed. |
-| `--prune` | $PRUNE | Delete the data volumes of all unhealthy replicas.With this option, the volume of the DTR replica you're restoring    is preserved but the volumes for all other replicas are deleted. This has the same    result as completely uninstalling DTR from those replicas.. |
-| `--ucp-ca` | $UCP_CA | Use a PEM-encoded TLS CA certificate for UCP.Download the UCP TLS CA certificate from https://<ucp-url>/ca, and  use --ucp-ca "$(cat ca.pem)". |
-| `--ucp-insecure-tls` | $UCP_INSECURE_TLS | Disable TLS verification for UCP.The installation uses TLS but always trusts  the TLS certificate used by UCP, which can lead to man-in-the-middle attacks.  For production deployments, use --ucp-ca "$(cat ca.pem)" instead. |
+| `--overlay-subnet` | $DTR_OVERLAY_SUBNET | The subnet used by the dtr-ol overlay network. Example: `10.0.0.0/24`. For high-availability, DTR creates an overlay network between UCP nodes. This flag allows you to choose the subnet for that network. Make sure the subnet you choose is not used on any machine where DTR replicas are deployed. |
+| `--prune` | $PRUNE | Delete the data volumes of all unhealthy replicas. With this option, the volume of the DTR replica you`re restoring is preserved but the volumes for all other replicas are deleted. This has the same result as completely uninstalling DTR from those replicas. |
+| `--ucp-ca` | $UCP_CA | Use a PEM-encoded TLS CA certificate for UCP. Download the UCP TLS CA certificate from https://<ucp-url>/ca, and  use `--ucp-ca "$(cat ca.pem)"`. |
+| `--ucp-insecure-tls` | $UCP_INSECURE_TLS | Disable TLS verification for UCP. The installation uses TLS but always trusts  the TLS certificate used by UCP, which can lead to MITM (man-in-the-middle) attacks. For production deployments, use `--ucp-ca "$(cat ca.pem)"` instead. |
 | `--ucp-password` | $UCP_PASSWORD | The UCP administrator password. |
 | `--ucp-url` | $UCP_URL | The UCP URL including domain and port. |
 | `--ucp-username` | $UCP_USERNAME | The UCP administrator username. |
--- a/reference/dtr/2.6/cli/index.md
+++ b/reference/dtr/2.6/cli/index.md
@ -20,6 +20,9 @@ docker run -it --rm docker/dtr \
 ```


+If not specified, `docker/dtr` uses the `latest` tag by default. To work with a different version, specify it in the command. For example, `docker run -it --rm docker/dtr:2.6.0`.
+
+
 ## Commands

 | Option                               | Description                                     |
--- a/reference/dtr/2.6/cli/install.md
+++ b/reference/dtr/2.6/cli/install.md
@ -19,46 +19,45 @@ docker run -it --rm docker/dtr \
 This command installs Docker Trusted Registry (DTR) on a node managed by
 Docker Universal Control Plane (UCP).

-After installing DTR, you can join additional DTR replicas using the 'join'
-command.
+After installing DTR, you can join additional DTR replicas using `docker/dtr join`.

-Example usage:
+## Example Usage

-$ docker run -it --rm docker/dtr:2.5.0 install \
+$ docker run -it --rm docker/dtr:{{ site.dtr_version }}.0 install \
 	--ucp-node <UCP_NODE_HOSTNAME> \
 	--ucp-insecure-tls

-Note: Use `--ucp-ca "$(cat ca.pem)"` instead of `--ucp-insecure-tls` for a production deployment.
+> Note: Use `--ucp-ca "$(cat ca.pem)"` instead of `--ucp-insecure-tls` for a production deployment.

 ## Options

 | Option                        | Environment Variable      | Description                                                                          |
 |:------------------------------|:--------------------------|:-------------------------------------------------------------------------------------|
 | `--debug` | $DEBUG | Enable debug mode for additional logs. |
-| `--dtr-ca` | $DTR_CA | Use a PEM-encoded TLS CA certificate for DTR.By default DTR generates a self-signed TLS certificate during deployment. You can use your  own TLS CA certificate with --dtr-ca "$(cat ca.pem)". |
-| `--dtr-cert` | $DTR_CERT | Use a PEM-encoded TLS certificate for DTR.By default DTR generates a self-signed TLS certificate during deployment. You can use your  own TLS certificate with --dtr-cert "$(cat ca.pem)". |
-| `--dtr-external-url` | $DTR_EXTERNAL_URL | URL of the host or load balancer clients use to reach DTR.When you use this flag, users are redirected to UCP for logging in. Once authenticated  they are redirected to the url you specify in this flag. If you don't use this flag, DTR  is deployed without single sign-on with UCP. Users and teams are shared but users login  separately into the two applications. You can enable and disable single sign-on in the DTR  settings. Format https://host[:port], where port is the value you used  with --replica-https-port. |
-| `--dtr-key` | $DTR_KEY | Use a PEM-encoded TLS private key for DTR.By default DTR generates a self-signed TLS certificate during deployment. You can use your  own TLS private key with --dtr-key "$(cat ca.pem)". |
-| `--dtr-storage-volume` | $DTR_STORAGE_VOLUME | Customize the volume to store Docker images.By default DTR creates a volume to store the Docker images in the local  filesystem of the node where DTR is running, without high-availability. Use this flag to  specify a full path or volume name for DTR to store images. For high-availability, make  sure all DTR replicas can read and write data on this volume. If you're using NFS, use  --nfs-storage-url instead. |
-| `--enable-pprof` | $DTR_PPROF | Enables pprof profiling of the server; use `--enable-pprof=false` to disable it.Once DTR is deployed with this flag, you can access the pprof endpoint for the api server  at /debug/pprof, and the registry endpoint at /registry_debug_pprof/debug/pprof. |
+| `--dtr-ca` | $DTR_CA | Use a PEM-encoded TLS CA certificate for DTR. By default DTR generates a self-signed TLS certificate during deployment. You can use your own TLS CA certificate with `--dtr-ca "$(cat ca.pem)"`. |
+| `--dtr-cert` | $DTR_CERT | Use a PEM-encoded TLS certificate for DTR. By default DTR generates a self-signed TLS certificate during deployment. You can use your own TLS certificate with `--dtr-cert "$(cat ca.pem)"`. |
+| `--dtr-external-url` | $DTR_EXTERNAL_URL | URL of the host or load balancer clients use to reach DTR. When you use this flag, users are redirected to UCP for logging in. Once authenticated  they are redirected to the URL you specify in this flag. If you don't use this flag, DTR  is deployed without single sign-on with UCP. Users and teams are shared but users log in  separately into the two applications. You can enable and disable single sign-on within your DTR system settings. Format `https://host[:port]`, where port is the value you used  with `--replica-https-port`. |
+| `--dtr-key` | $DTR_KEY | Use a PEM-encoded TLS private key for DTR. By default DTR generates a self-signed TLS certificate during deployment. You can use your own TLS private key with `--dtr-key "$(cat ca.pem)"`. |
+| `--dtr-storage-volume` | $DTR_STORAGE_VOLUME | Customize the volume to store Docker images. By default DTR creates a volume to store the Docker images in the local filesystem of the node where DTR is running, without high-availability. Use this flag to  specify a full path or volume name for DTR to store images. For high-availability, make  sure all DTR replicas can read and write data on this volume. If you're using NFS, use  `--nfs-storage-url` instead. |
+| `--enable-pprof` | $DTR_PPROF | Enables pprof profiling of the server. Use `--enable-pprof=false` to disable it. Once DTR is deployed with this flag, you can access the `pprof` endpoint for the api server  at `/debug/pprof`, and the registry endpoint at `/registry_debug_pprof/debug/pprof`. |
 | `--help-extended` | $DTR_EXTENDED_HELP | Display extended help text for a given command. |
 | `--http-proxy` | $DTR_HTTP_PROXY | The HTTP proxy used for outgoing requests. |
 | `--https-proxy` | $DTR_HTTPS_PROXY | The HTTPS proxy used for outgoing requests. |
-| `--log-host` | $LOG_HOST | The syslog system to send logs to.The endpoint to send logs to. Use this flag if you set --log-protocol to tcp or udp. |
-| `--log-level` | $LOG_LEVEL | Log level for all container logs when logging to syslog. Default: INFO.The supported log levels are debug, info, warn, error, or fatal.. |
-| `--log-protocol` | $LOG_PROTOCOL | The protocol for sending logs. Default is internal.By default, DTR internal components log information using the logger   specified in the Docker daemon in the node where the DTR replica is deployed.   Use this option to send DTR logs to an external syslog system. The supported values are tcp, udp, and   internal. Internal is the default option, stopping DTR from sending logs to an external system.   Use this flag with --log-host. |
-| `--nfs-storage-url` | $NFS_STORAGE_URL | Use NFS to store Docker images following this format: `nfs://<ip|hostname>/<mountpoint>`.By default, DTR creates a volume to store the Docker images in the local filesystem  of the node where DTR is running, without high availability. To  use this flag, you need to install an NFS client library like `nfs-common` in the node  where you're deploying DTR. You can test this by running `showmount -e <nfs-server>`. When  you join new replicas, they will start using NFS so there is no need to specify this flag. To  reconfigure DTR to stop using NFS, leave this option empty: `--nfs-storage-url ""`. See [USE NFS](../../../../ee/dtr/admin/configure/external-storage/nfs/) for more details. |
+| `--log-host` | $LOG_HOST | The syslog system to send logs to.The endpoint to send logs to. Use this flag if you set `--log-protocol` to `tcp` or `udp`. |
+| `--log-level` | $LOG_LEVEL | Log level for all container logs when logging to syslog. Default: INFO. The supported log levels are debug, info, warn, error, or fatal. |
+| `--log-protocol` | $LOG_PROTOCOL | The protocol for sending logs. Default is internal. By default, DTR internal components log information using the logger specified in the Docker daemon in the node where the DTR replica is deployed. Use this option to send DTR logs to an external syslog system. The supported values are `tcp`, `udp`, or `internal`. Internal is the default option, stopping DTR from sending logs to an external system.   Use this flag with `--log-host`. |
+| `--nfs-storage-url` | $NFS_STORAGE_URL | Use NFS to store Docker images following this format: `nfs://<ip|hostname>/<mountpoint>`. By default, DTR creates a volume to store the Docker images in the local filesystem  of the node where DTR is running, without high availability. To  use this flag, you need to install an NFS client library like ***nfs-common*** in the node  where you're deploying DTR. You can test this by running `showmount -e <nfs-server>`. When  you join new replicas, they will start using NFS so there is no need to specify this flag. To  reconfigure DTR to stop using NFS, leave this option empty: `--nfs-storage-url ""`. See [USE NFS](/ee/dtr/admin/configure/external-storage/nfs/) for more details. |
 | `--async-nfs` | $ASYNC_NFS | Use async NFS volume options on the replica specified in the `--existing-replica-id` option. The NFS configuration must be set with `--nfs-storage-url` explicitly to use this option. Using `--async-nfs` will bring down any containers on the replica that use the NFS volume, delete the NFS volume, bring it back up with the appropriate configuration, and restart any containers that were brought down.  |
 | `--nfs-options` | $NFS_OPTIONS | Pass in NFS volume options verbatim for the replica specified in the `--existing-replica-id` option. The NFS configuration must be set with `--nfs-storage-url` explicitly to use this option. Specifying `--nfs-options` will pass in character-for-character the options specified in the argument when creating or recreating the NFS volume. For instance, to use NFS v4 with async, pass in "rw,nfsvers=4,async" as the argument.  |
-| `--no-proxy` | $DTR_NO_PROXY | List of domains the proxy should not be used for. When using `--http-proxy`, you can use this flag to specify a list  of domains that you don't want to route throught the proxy. Format `acme.com[, acme.org]`. |
-| `--overlay-subnet` | $DTR_OVERLAY_SUBNET | The subnet used by the dtr-ol overlay network. Example: `10.0.0.0/24`. For high-availability, DTR creates an overlay network between UCP nodes. This flag  allows you to choose the subnet for that network. Make sure the subnet you choose is not  used on any machine where DTR replicas are deployed. |
-| `--replica-http-port` | $REPLICA_HTTP_PORT | The public HTTP port for the DTR replica. Default is 80.This allows you to customize the HTTP port where users can reach DTR. Once users access  the HTTP port, they are redirected to use an HTTPS connection, using the port specified  with --replica-https-port. This port can also be used for unencrypted health checks. |
-| `--replica-https-port` | $REPLICA_HTTPS_PORT | The public HTTPS port for the DTR replica. Default is 443.This allows you to customize the HTTPS port where users can reach DTR. Each replica can  use a different port. |
+| `--no-proxy` | $DTR_NO_PROXY | List of domains the proxy should not be used for. When using `--http-proxy` you can use this flag to specify a list  of domains that you don't want to route through the proxy. Format `acme.com[, acme.org]`. |
+| `--overlay-subnet` | $DTR_OVERLAY_SUBNET | The subnet used by the dtr-ol overlay network. Example: `10.0.0.0/24`. For high-availability, DTR creates an overlay network between UCP nodes. This flag allows you to choose the subnet for that network. Make sure the subnet you choose is not used on any machine where DTR replicas are deployed. |
+| `--replica-http-port` | $REPLICA_HTTP_PORT | The public HTTP port for the DTR replica. Default is `80`. This allows you to customize the HTTP port where users can reach DTR. Once users access  the HTTP port, they are redirected to use an HTTPS connection, using the port specified  with `--replica-https-port`. This port can also be used for unencrypted health checks. |
+| `--replica-https-port` | $REPLICA_HTTPS_PORT | The public HTTPS port for the DTR replica. Default is `443`. This allows you to customize the HTTPS port where users can reach DTR. Each replica can  use a different port. |
 | `--replica-id` | $DTR_INSTALL_REPLICA_ID | Assign a 12-character hexadecimal ID to the DTR replica. Random by default. |
-| `--replica-rethinkdb-cache-mb` | $RETHINKDB_CACHE_MB | The maximum amount of space for rethinkdb in-memory cache use for the given replica in `MB`. Default is auto. Auto is `(available_memory - 1024) / 2`.This config allows you to change the RethinkDB cache usage per replica. You need to run it on a replica basis to apply the configuration change. |
-| `--ucp-ca` | $UCP_CA | Use a PEM-encoded TLS CA certificate for UCP.Download the UCP TLS CA certificate from https://<ucp-url>/ca, and  use --ucp-ca "$(cat ca.pem)". |
-| `--ucp-insecure-tls` | $UCP_INSECURE_TLS | Disable TLS verification for UCP.The installation uses TLS but always trusts  the TLS certificate used by UCP, which can lead to man-in-the-middle attacks.  For production deployments, use --ucp-ca "$(cat ca.pem)" instead. |
-| `--ucp-node` | $UCP_NODE | The hostname of the UCP node to deploy DTR. Random by default.You can find the hostnames of the nodes in the cluster in the UCP web UI, or  by running 'docker node ls' on a UCP manager node.. |
+| `--replica-rethinkdb-cache-mb` | $RETHINKDB_CACHE_MB | The maximum amount of space in MB for RethinkDB in-memory cache used by the given replica. Default is auto. Auto is `(available_memory - 1024) / 2`. This config allows changing the RethinkDB cache usage per replica. You need to run it once per replica to change each one. |
+| `--ucp-ca` | $UCP_CA | Use a PEM-encoded TLS CA certificate for UCP. Download the UCP TLS CA certificate from `https://<ucp-url>/ca`, and  use `--ucp-ca "$(cat ca.pem)"`. |
+| `--ucp-insecure-tls` | $UCP_INSECURE_TLS | Disable TLS verification for UCP. The installation uses TLS but always trusts the TLS certificate used by UCP, which can lead to MITM (man-in-the-middle) attacks.  For production deployments, use `--ucp-ca "$(cat ca.pem)"` instead. |
+| `--ucp-node` | $UCP_NODE | The hostname of the UCP node to deploy DTR. Random by default. You can find the hostnames of the nodes in the cluster in the UCP web interface, or  by running `docker node ls` on a UCP manager node. |
 | `--ucp-password` | $UCP_PASSWORD | The UCP administrator password. |
 | `--ucp-url` | $UCP_URL | The UCP URL including domain and port. |
 | `--ucp-username` | $UCP_USERNAME | The UCP administrator username. |
--- a/reference/dtr/2.6/cli/join.md
+++ b/reference/dtr/2.6/cli/join.md
@ -22,17 +22,16 @@ For setting DTR for high-availability, create 3, 5, or 7 replicas of DTR.
 | Option                        | Environment Variable      | Description                                                                          |
 |:------------------------------|:--------------------------|:-------------------------------------------------------------------------------------|
 | `--debug` | $DEBUG | Enable debug mode for additional logs. |
-| `--existing-replica-id` | $DTR_REPLICA_ID | The ID of an existing DTR replica.To add, remove or modify DTR, you must connect to an existing  healthy replica's database.. |
+| `--existing-replica-id` | $DTR_REPLICA_ID | The ID of an existing DTR replica. To add, remove or modify DTR, you must connect to an existing  healthy replica's database. |
 | `--help-extended` | $DTR_EXTENDED_HELP | Display extended help text for a given command. |
-| `--replica-http-port` | $REPLICA_HTTP_PORT | The public HTTP port for the DTR replica. Default is 80.This allows you to customize the HTTP port where users can reach DTR. Once users access  the HTTP port, they are redirected to use an HTTPS connection, using the port specified  with --replica-https-port. This port can also be used for unencrypted health checks. |
-| `--replica-https-port` | $REPLICA_HTTPS_PORT | The public HTTPS port for the DTR replica. Default is 443.This allows you to customize the HTTPS port where users can reach DTR. Each replica can  use a different port. |
+| `--replica-http-port` | $REPLICA_HTTP_PORT | The public HTTP port for the DTR replica. Default is `80`. This allows you to customize the HTTP port where users can reach DTR. Once users access  the HTTP port, they are redirected to use an HTTPS connection, using the port specified  with --replica-https-port. This port can also be used for unencrypted health checks. |
+| `--replica-https-port` | $REPLICA_HTTPS_PORT | The public HTTPS port for the DTR replica. Default is `443`. This allows you to customize the HTTPS port where users can reach DTR. Each replica can  use a different port. |
 | `--replica-id` | $DTR_INSTALL_REPLICA_ID | Assign a 12-character hexadecimal ID to the DTR replica. Random by default. |
-| `--replica-rethinkdb-cache-mb` | $RETHINKDB_CACHE_MB | The maximum amount of space for rethinkdb in-memory cache use for the given replica in MB.
-			Default is auto. Auto is (available_memory - 1024) / 2.This config allows changing the rethinkdb cache usage per replica. You need to run it once per replica to change each one.. |
-| `--skip-network-test` | $DTR_SKIP_NETWORK_TEST | Don't test if overlay networks are working correctly between UCP nodes.For high-availalibity, DTR creates an overlay network between UCP nodes and tests  that it is working when joining replicas. Don't use this option for production deployments. |
-| `--ucp-ca` | $UCP_CA | Use a PEM-encoded TLS CA certificate for UCP.Download the UCP TLS CA certificate from https://<ucp-url>/ca, and  use --ucp-ca "$(cat ca.pem)". |
-| `--ucp-insecure-tls` | $UCP_INSECURE_TLS | Disable TLS verification for UCP.The installation uses TLS but always trusts  the TLS certificate used by UCP, which can lead to man-in-the-middle attacks.  For production deployments, use --ucp-ca "$(cat ca.pem)" instead. |
-| `--ucp-node` | $UCP_NODE | The hostname of the UCP node to deploy DTR. Random by default.You can find the hostnames of the nodes in the cluster in the UCP web UI, or  by running 'docker node ls' on a UCP manager node.. |
+| `--replica-rethinkdb-cache-mb` | $RETHINKDB_CACHE_MB | The maximum amount of space in MB for RethinkDB in-memory cache used by the given replica. Default is auto. Auto is `(available_memory - 1024) / 2`. This config allows changing the RethinkDB cache usage per replica. You need to run it once per replica to change each one. |
+| `--skip-network-test` | $DTR_SKIP_NETWORK_TEST | Don't test if overlay networks are working correctly between UCP nodes. For high-availability, DTR creates an overlay network between UCP nodes and tests  that it is working when joining replicas. Don't use this option for production deployments. |
+| `--ucp-ca` | $UCP_CA | Use a PEM-encoded TLS CA certificate for UCP.Download the UCP TLS CA certificate from `https://<ucp-url>/ca`, and  use `--ucp-ca "$(cat ca.pem)"`. |
+| `--ucp-insecure-tls` | $UCP_INSECURE_TLS | Disable TLS verification for UCP. The installation uses TLS but always trusts  the TLS certificate used by UCP, which can lead to MITM (man-in-the-middle) attacks.  For production deployments, use `--ucp-ca "$(cat ca.pem)"` instead. |
+| `--ucp-node` | $UCP_NODE | The hostname of the UCP node to deploy DTR. Random by default.You can find the hostnames of the nodes in the cluster in the UCP web interface, or  by running `docker node ls` on a UCP manager node. |
 | `--ucp-password` | $UCP_PASSWORD | The UCP administrator password. |
 | `--ucp-url` | $UCP_URL | The UCP URL including domain and port. |
 | `--ucp-username` | $UCP_USERNAME | The UCP administrator username. |
--- a/reference/dtr/2.6/cli/reconfigure.md
+++ b/reference/dtr/2.6/cli/reconfigure.md
@ -19,7 +19,7 @@ docker run -it --rm docker/dtr \
 This command changes DTR configuration settings.

 DTR is restarted for the new configurations to take effect. To have no down
-time, configure your DTR for high-availability.
+time, configure your DTR for high availability.


 ## Options
@ -29,27 +29,26 @@ time, configure your DTR for high-availability.
 | `--debug` | $DEBUG | Enable debug mode for additional logs. |
 | `--dtr-ca` | $DTR_CA | Use a PEM-encoded TLS CA certificate for DTR.By default DTR generates a self-signed TLS certificate during deployment. You can use your  own TLS CA certificate with --dtr-ca "$(cat ca.pem)". |
 | `--dtr-cert` | $DTR_CERT | Use a PEM-encoded TLS certificate for DTR.By default DTR generates a self-signed TLS certificate during deployment. You can use your  own TLS certificate with --dtr-cert "$(cat ca.pem)". |
-| `--dtr-external-url` | $DTR_EXTERNAL_URL | URL of the host or load balancer clients use to reach DTR.When you use this flag, users are redirected to UCP for logging in. Once authenticated  they are redirected to the url you specify in this flag. If you don't use this flag, DTR  is deployed without single sign-on with UCP. Users and teams are shared but users login  separately into the two applications. You can enable and disable single sign-on in the DTR  settings. Format https://host[:port], where port is the value you used  with --replica-https-port. |
-| `--dtr-key` | $DTR_KEY | Use a PEM-encoded TLS private key for DTR.By default DTR generates a self-signed TLS certificate during deployment. You can use your  own TLS private key with --dtr-key "$(cat ca.pem)". |
-| `--dtr-storage-volume` | $DTR_STORAGE_VOLUME | Customize the volume to store Docker images.By default DTR creates a volume to store the Docker images in the local  filesystem of the node where DTR is running, without high-availability. Use this flag to  specify a full path or volume name for DTR to store images. For high-availability, make  sure all DTR replicas can read and write data on this volume. If you're using NFS, use  `--nfs-storage-url` instead. |
-| `--enable-pprof` | $DTR_PPROF | Enables pprof profiling of the server; use --enable-pprof=false to disable it.Once DTR is deployed with this flag, you can access the pprof endpoint for the api server  at /debug/pprof, and the registry endpoint at /registry_debug_pprof/debug/pprof. |
-| `--existing-replica-id` | $DTR_REPLICA_ID | The ID of an existing DTR replica.To add, remove or modify DTR, you must connect to an existing  healthy replica's database.. |
+| `--dtr-external-url` | $DTR_EXTERNAL_URL | URL of the host or load balancer clients use to reach DTR. When you use this flag, users are redirected to UCP for logging in. Once authenticated  they are redirected to the url you specify in this flag. If you don't use this flag, DTR  is deployed without single sign-on with UCP. Users and teams are shared but users login  separately into the two applications. You can enable and disable single sign-on in the DTR  settings. Format `https://host[:port]`, where port is the value you used  with `--replica-https-port`. |
+| `--dtr-key` | $DTR_KEY | Use a PEM-encoded TLS private key for DTR. By default DTR generates a self-signed TLS certificate during deployment. You can use your  own TLS private key with `--dtr-key "$(cat ca.pem)"`. |
+| `--dtr-storage-volume` | $DTR_STORAGE_VOLUME | Customize the volume to store Docker images. By default DTR creates a volume to store the Docker images in the local  filesystem of the node where DTR is running, without high-availability. Use this flag to  specify a full path or volume name for DTR to store images. For high-availability, make  sure all DTR replicas can read and write data on this volume. If you're using NFS, use `--nfs-storage-url` instead. |
+| `--enable-pprof` | $DTR_PPROF | Enables pprof profiling of the server. Use `--enable-pprof=false` to disable it. Once DTR is deployed with this flag, you can access the pprof endpoint for the api server  at `/debug/pprof`, and the registry endpoint at `/registry_debug_pprof/debug/pprof`. |
+| `--existing-replica-id` | $DTR_REPLICA_ID | The ID of an existing DTR replica. To add, remove or modify DTR, you must connect to an existing healthy replica's database. |
 | `--help-extended` | $DTR_EXTENDED_HELP | Display extended help text for a given command. |
 | `--http-proxy` | $DTR_HTTP_PROXY | The HTTP proxy used for outgoing requests. |
 | `--https-proxy` | $DTR_HTTPS_PROXY | The HTTPS proxy used for outgoing requests. |
-| `--log-host` | $LOG_HOST | The syslog system to send logs to.The endpoint to send logs to. Use this flag if you set --log-protocol to tcp or udp. |
-| `--log-level` | $LOG_LEVEL | Log level for all container logs when logging to syslog. Default: INFO.The supported log levels are debug, info, warn, error, or fatal.. |
-| `--log-protocol` | $LOG_PROTOCOL | The protocol for sending logs. Default is internal.By default, DTR internal components log information using the logger   specified in the Docker daemon in the node where the DTR replica is deployed.   Use this option to send DTR logs to an external syslog system. The supported values are tcp, udp, and   internal. Internal is the default option, stopping DTR from sending logs to an external system.   Use this flag with --log-host. |
-| `--nfs-storage-url` | $NFS_STORAGE_URL | Use NFS to store Docker images following this format: `nfs://<ip|hostname>/<mountpoint>`.By default, DTR creates a volume to store the Docker images in the local filesystem  of the node where DTR is running, without high availability. To  use this flag, you need to install an NFS client library like `nfs-common` in the node  where you're deploying DTR. You can test this by running `showmount -e <nfs-server>`. When  you join new replicas, they will start using NFS so there is no need to specify this flag. To  reconfigure DTR to stop using NFS, leave this option empty: `--nfs-storage-url ""`. See [USE NFS](../../../../ee/dtr/admin/configure/external-storage/nfs/) for more details. |
+| `--log-host` | $LOG_HOST | The syslog system to send logs to. The endpoint to send logs to. Use this flag if you set `--log-protocol` to `tcp` or `udp`. |
+| `--log-level` | $LOG_LEVEL | Log level for all container logs when logging to syslog. Default: INFO. The supported log levels are `debug`, `info`, `warn`, `error`, or `fatal`. |
+| `--log-protocol` | $LOG_PROTOCOL | The protocol for sending logs. Default is internal. By default, DTR internal components log information using the logger specified in the Docker daemon in the node where the DTR replica is deployed.   Use this option to send DTR logs to an external syslog system. The supported values are `tcp`, `udp`, and `internal`. Internal is the default option, stopping DTR from sending logs to an external system. Use this flag with `--log-host`. |
+| `--nfs-storage-url` | $NFS_STORAGE_URL | Use NFS to store Docker images following this format: `nfs://<ip|hostname>/<mountpoint>`. By default, DTR creates a volume to store the Docker images in the local filesystem  of the node where DTR is running, without high availability. To  use this flag, you need to install an NFS client library like `nfs-common` in the node  where you're deploying DTR. You can test this by running `showmount -e <nfs-server>`. When  you join new replicas, they will start using NFS so there is no need to specify this flag. To  reconfigure DTR to stop using NFS, leave this option empty: `--nfs-storage-url ""`. See [USE NFS](/ee/dtr/admin/configure/external-storage/nfs/) for more details. |
 | `--async-nfs` | $ASYNC_NFS | Use async NFS volume options on the replica specified in the `--existing-replica-id` option. The NFS configuration must be set with `--nfs-storage-url` explicitly to use this option. Using `--async-nfs` will bring down any containers on the replica that use the NFS volume, delete the NFS volume, bring it back up with the appropriate configuration, and restart any containers that were brought down.  |
 | `--nfs-options` | $NFS_OPTIONS | Pass in NFS volume options verbatim for the replica specified in the `--existing-replica-id` option. The NFS configuration must be set with `--nfs-storage-url` explicitly to use this option. Specifying `--nfs-options` will pass in character-for-character the options specified in the argument when creating or recreating the NFS volume. For instance, to use NFS v4 with async, pass in "rw,nfsvers=4,async" as the argument.  |
-| `--no-proxy` | $DTR_NO_PROXY | List of domains the proxy should not be used for.When using --http-proxy you can use this flag to specify a list  of domains that you don't want to route throught the proxy. Format acme.com[, acme.org]. |
-| `--replica-http-port` | $REPLICA_HTTP_PORT | The public HTTP port for the DTR replica. Default is 80.This allows you to customize the HTTP port where users can reach DTR. Once users access  the HTTP port, they are redirected to use an HTTPS connection, using the port specified  with --replica-https-port. This port can also be used for unencrypted health checks. |
-| `--replica-https-port` | $REPLICA_HTTPS_PORT | The public HTTPS port for the DTR replica. Default is 443.This allows you to customize the HTTPS port where users can reach DTR. Each replica can  use a different port. |
-| `--replica-rethinkdb-cache-mb` | $RETHINKDB_CACHE_MB | The maximum amount of space for rethinkdb in-memory cache use for the given replica in MB.
-			Default is auto. Auto is (available_memory - 1024) / 2.This config allows changing the rethinkdb cache usage per replica. You need to run it once per replica to change each one.. |
-| `--ucp-ca` | $UCP_CA | Use a PEM-encoded TLS CA certificate for UCP.Download the UCP TLS CA certificate from https://<ucp-url>/ca, and  use --ucp-ca "$(cat ca.pem)". |
-| `--ucp-insecure-tls` | $UCP_INSECURE_TLS | Disable TLS verification for UCP.The installation uses TLS but always trusts  the TLS certificate used by UCP, which can lead to man-in-the-middle attacks.  For production deployments, use --ucp-ca "$(cat ca.pem)" instead. |
+| `--no-proxy` | $DTR_NO_PROXY | List of domains the proxy should not be used for. When using `--http-proxy` you can use this flag to specify a list  of domains that you don't want to route through the proxy. Format `acme.com[, acme.org]`. |
+| `--replica-http-port` | $REPLICA_HTTP_PORT | The public HTTP port for the DTR replica. Default is `80`. This allows you to customize the HTTP port where users can reach DTR. Once users access  the HTTP port, they are redirected to use an HTTPS connection, using the port specified  with --replica-https-port. This port can also be used for unencrypted health checks. |
+| `--replica-https-port` | $REPLICA_HTTPS_PORT | The public HTTPS port for the DTR replica. Default is `443`. This allows you to customize the HTTPS port where users can reach DTR. Each replica can  use a different port. |
+| `--replica-rethinkdb-cache-mb` | $RETHINKDB_CACHE_MB | The maximum amount of space in MB for RethinkDB in-memory cache used by the given replica. Default is auto. Auto is `(available_memory - 1024) / 2`. This config allows changing the RethinkDB cache usage per replica. You need to run it once per replica to change each one. |
+| `--ucp-ca` | $UCP_CA | Use a PEM-encoded TLS CA certificate for UCP. Download the UCP TLS CA certificate from `https://<ucp-url>/ca`, and  use `--ucp-ca "$(cat ca.pem)"`. |
+| `--ucp-insecure-tls` | $UCP_INSECURE_TLS | Disable TLS verification for UCP. The installation uses TLS but always trusts the TLS certificate used by UCP, which can lead to MITM (man-in-the-middle) attacks.  For production deployments, use `--ucp-ca "$(cat ca.pem)"` instead. |
 | `--ucp-password` | $UCP_PASSWORD | The UCP administrator password. |
 | `--ucp-url` | $UCP_URL | The UCP URL including domain and port. |
 | `--ucp-username` | $UCP_USERNAME | The UCP administrator username. |
--- a/reference/dtr/2.6/cli/remove.md
+++ b/reference/dtr/2.6/cli/remove.md
@ -26,12 +26,12 @@ this operation.
 | Option                        | Environment Variable      | Description                                                                          |
 |:------------------------------|:--------------------------|:-------------------------------------------------------------------------------------|
 | `--debug` | $DEBUG | Enable debug mode for additional logs. |
-| `--existing-replica-id` | $DTR_REPLICA_ID | The ID of an existing DTR replica.To add, remove or modify DTR, you must connect to an existing  healthy replica's database.. |
+| `--existing-replica-id` | $DTR_REPLICA_ID | The ID of an existing DTR replica. To add, remove or modify DTR, you must connect to an existing  healthy replica's database. |
 | `--help-extended` | $DTR_EXTENDED_HELP | Display extended help text for a given command. |
-| `--replica-id` | $DTR_REMOVE_REPLICA_ID | DEPRECATED Alias for --replica-ids. |
+| `--replica-id` | $DTR_REMOVE_REPLICA_ID | DEPRECATED Alias for `--replica-ids`. |
 | `--replica-ids` | $DTR_REMOVE_REPLICA_IDS | A comma separated list of IDs of replicas to remove from the cluster. |
-| `--ucp-ca` | $UCP_CA | Use a PEM-encoded TLS CA certificate for UCP.Download the UCP TLS CA certificate from https://<ucp-url>/ca, and  use --ucp-ca "$(cat ca.pem)". |
-| `--ucp-insecure-tls` | $UCP_INSECURE_TLS | Disable TLS verification for UCP.The installation uses TLS but always trusts  the TLS certificate used by UCP, which can lead to man-in-the-middle attacks.  For production deployments, use --ucp-ca "$(cat ca.pem)" instead. |
+| `--ucp-ca` | $UCP_CA | Use a PEM-encoded TLS CA certificate for UCP. Download the UCP TLS CA certificate from `https://<ucp-url>/ca`, and  use `--ucp-ca "$(cat ca.pem)"`. |
+| `--ucp-insecure-tls` | $UCP_INSECURE_TLS | Disable TLS verification for UCP. The installation uses TLS but always trusts the TLS certificate used by UCP, which can lead to MITM (man-in-the-middle) attacks.  For production deployments, use `--ucp-ca "$(cat ca.pem)"` instead. |
 | `--ucp-password` | $UCP_PASSWORD | The UCP administrator password. |
 | `--ucp-url` | $UCP_URL | The UCP URL including domain and port. |
 | `--ucp-username` | $UCP_USERNAME | The UCP administrator username. |
--- a/reference/dtr/2.6/cli/restore.md
+++ b/reference/dtr/2.6/cli/restore.md
@ -17,7 +17,7 @@ docker run -i --rm docker/dtr \


 This command performs a fresh installation of DTR, and reconfigures it
-with configuration data from a tar file generated by the `backup` command.
+with configuration data from a `tar` file generated by `docker/dtr backup`.

 There are three steps you can take to recover an unhealthy DTR cluster:

@ -42,28 +42,28 @@ DTR replicas for high availability.
 | Option                        | Environment Variable      | Description                                                                          |
 |:------------------------------|:--------------------------|:-------------------------------------------------------------------------------------|
 | `--debug` | $DEBUG | Enable debug mode for additional logs. |
-| `--dtr-ca` | $DTR_CA | Use a PEM-encoded TLS CA certificate for DTR. By default DTR generates a self-signed TLS certificate during deployment. You can use your  own TLS CA certificate with `--dtr-ca "$(cat ca.pem)"`. |
-| `--dtr-cert` | $DTR_CERT | Use a PEM-encoded TLS certificate for DTR. By default DTR generates a self-signed TLS certificate during deployment. You can use your  own TLS certificate with `--dtr-cert "$(cat ca.pem)"`. |
-| `--dtr-external-url` | $DTR_EXTERNAL_URL | URL of the host or load balancer clients use to reach DTR.When you use this flag, users are redirected to UCP for logging in. Once authenticated  they are redirected to the url you specify in this flag. If you don't use this flag, DTR  is deployed without single sign-on with UCP. Users and teams are shared but users login  separately into the two applications. You can enable and disable single sign-on in the DTR  settings. Format https://host[:port], where port is the value you used  with --replica-https-port. |
-| `--dtr-key` | $DTR_KEY | Use a PEM-encoded TLS private key for DTR.By default DTR generates a self-signed TLS certificate during deployment. You can use your  own TLS private key with --dtr-key "$(cat ca.pem)". |
+| `--dtr-ca` | $DTR_CA | Use a PEM-encoded TLS CA certificate for DTR. By default DTR generates a self-signed TLS certificate during deployment. You can use your own TLS CA certificate with `--dtr-ca "$(cat ca.pem)"`. |
+| `--dtr-cert` | $DTR_CERT | Use a PEM-encoded TLS certificate for DTR. By default DTR generates a self-signed TLS certificate during deployment. You can use your own TLS certificate with `--dtr-cert "$(cat ca.pem)"`. |
+| `--dtr-external-url` | $DTR_EXTERNAL_URL | URL of the host or load balancer clients use to reach DTR. When you use this flag, users are redirected to UCP for logging in. Once authenticated  they are redirected to the URL you specify in this flag. If you don't use this flag, DTR  is deployed without single sign-on with UCP. Users and teams are shared but users log in  separately into the two applications. You can enable and disable single sign-on within your DTR system settings. Format `https://host[:port]`, where port is the value you used  with `--replica-https-port`. |
+| `--dtr-key` | $DTR_KEY | Use a PEM-encoded TLS private key for DTR. By default DTR generates a self-signed TLS certificate during deployment. You can use your own TLS private key with `--dtr-key "$(cat ca.pem)"`. |
 | `--dtr-storage-volume` | $DTR_STORAGE_VOLUME | Mandatory flag to allow for DTR to fall back to your configured storage setting at the time of backup. If you have previously configured DTR to use a full path or volume name for storage, specify this flag to use the same setting on restore. See [docker/dtr install](install.md) and [docker/dtr reconfigure](reconfigure.md) for usage details. Required if neither `--dtr-use-default-storage` nor `--nfs-storage-url` is set. |
 | `--dtr-use-default-storage` | $DTR_DEFAULT_STORAGE | Mandatory flag to allow for DTR to fall back to either your local filesystem or cloud storage depending on what was configured at the time of backup. If cloud storage was configured, then the default storage on restore is cloud storage. Otherwise, local storage is used. Required if neither `--dtr-storage-volume` nor `--nfs-storage-url` is set. |
 | `--nfs-storage-url` | $NFS_STORAGE_URL | Mandatory flag to allow for DTR to fall back to your configured storage setting at the time of backup. If NFS was previously configured, you must explicitly specify this flag to recover your NFS settings on restore. See [docker/dtr install](install.md) and [docker/dtr reconfigure](reconfigure.md) for NFS configuration options. Required if neither `--dtr-storage-volume` nor `--dtr-use-default-storage` is set. |
-| `--enable-pprof` | $DTR_PPROF | Enables pprof profiling of the server; use --enable-pprof=false to disable it.Once DTR is deployed with this flag, you can access the pprof endpoint for the api server  at /debug/pprof, and the registry endpoint at /registry_debug_pprof/debug/pprof. |
+| `--enable-pprof` | $DTR_PPROF | Enables pprof profiling of the server. Use `--enable-pprof=false` to disable it. Once DTR is deployed with this flag, you can access the `pprof` endpoint for the api server  at `/debug/pprof`, and the registry endpoint at `/registry_debug_pprof/debug/pprof`. |
 | `--help-extended` | $DTR_EXTENDED_HELP | Display extended help text for a given command. |
 | `--http-proxy` | $DTR_HTTP_PROXY | The HTTP proxy used for outgoing requests. |
 | `--https-proxy` | $DTR_HTTPS_PROXY | The HTTPS proxy used for outgoing requests. |
 | `--log-host` | $LOG_HOST | The syslog system to send logs to.The endpoint to send logs to. Use this flag if you set --log-protocol to tcp or udp. |
-| `--log-level` | $LOG_LEVEL | Log level for all container logs when logging to syslog. Default: INFO.The supported log levels are debug, info, warn, error, or fatal.. |
+| `--log-level` | $LOG_LEVEL | Log level for all container logs when logging to syslog. Default: `INFO`. The supported log levels are `debug`, `info`, `warn`, `error`, or `fatal`. |
 | `--log-protocol` | $LOG_PROTOCOL | The protocol for sending logs. Default is internal.By default, DTR internal components log information using the logger   specified in the Docker daemon in the node where the DTR replica is deployed.   Use this option to send DTR logs to an external syslog system. The supported values are tcp, udp, and   internal. Internal is the default option, stopping DTR from sending logs to an external system.   Use this flag with --log-host. |
 | `--no-proxy` | $DTR_NO_PROXY | List of domains the proxy should not be used for.When using --http-proxy you can use this flag to specify a list  of domains that you don't want to route through the proxy. Format acme.com[, acme.org]. |
-| `--replica-http-port` | $REPLICA_HTTP_PORT | The public HTTP port for the DTR replica. Default is 80.This allows you to customize the HTTP port where users can reach DTR. Once users access  the HTTP port, they are redirected to use an HTTPS connection, using the port specified  with --replica-https-port. This port can also be used for unencrypted health checks. |
-| `--replica-https-port` | $REPLICA_HTTPS_PORT | The public HTTPS port for the DTR replica. Default is 443.This allows you to customize the HTTPS port where users can reach DTR. Each replica can  use a different port. |
+| `--replica-http-port` | $REPLICA_HTTP_PORT | The public HTTP port for the DTR replica. Default is `80`. This allows you to customize the HTTP port where users can reach DTR. Once users access  the HTTP port, they are redirected to use an HTTPS connection, using the port specified  with `--replica-https-port`. This port can also be used for unencrypted health checks. |
+| `--replica-https-port` | $REPLICA_HTTPS_PORT | The public HTTPS port for the DTR replica. Default is `443`. This allows you to customize the HTTPS port where users can reach DTR. Each replica can  use a different port. |
 | `--replica-id` | $DTR_INSTALL_REPLICA_ID | Assign a 12-character hexadecimal ID to the DTR replica. Random by default. |
-| `--replica-rethinkdb-cache-mb` | $RETHINKDB_CACHE_MB | The maximum amount of space for rethinkdb in-memory cache use for the given replica in `MB`. Default is auto. Auto is (available_memory - 1024) / 2.This config allows changing the rethinkdb cache usage per replica. You need to run it once per replica to change each one.. |
-| `--ucp-ca` | $UCP_CA | Use a PEM-encoded TLS CA certificate for UCP.Download the UCP TLS CA certificate from https://<ucp-url>/ca, and  use --ucp-ca "$(cat ca.pem)". |
-| `--ucp-insecure-tls` | $UCP_INSECURE_TLS | Disable TLS verification for UCP.The installation uses TLS but always trusts  the TLS certificate used by UCP, which can lead to man-in-the-middle attacks.  For production deployments, use `--ucp-ca "$(cat ca.pem)` instead. |
-| `--ucp-node` | $UCP_NODE | The hostname of the UCP node to deploy DTR. Random by default.You can find the hostnames of the nodes in the cluster in the UCP web UI, or  by running 'docker node ls' on a UCP manager node. |
+| `--replica-rethinkdb-cache-mb` | $RETHINKDB_CACHE_MB | The maximum amount of space in MB for RethinkDB in-memory cache used by the given replica. Default is auto. Auto is `(available_memory - 1024) / 2`. This config allows changing the RethinkDB cache usage per replica. You need to run it once per replica to change each one. |
+| `--ucp-ca` | $UCP_CA | Use a PEM-encoded TLS CA certificate for UCP. Download the UCP TLS CA certificate from `https://<ucp-url>/ca`, and  use `--ucp-ca "$(cat ca.pem)"`. |
+| `--ucp-insecure-tls` | $UCP_INSECURE_TLS | Disable TLS verification for UCP. The installation uses TLS but always trusts the TLS certificate used by UCP, which can lead to MITM (man-in-the-middle) attacks.  For production deployments, use `--ucp-ca "$(cat ca.pem)"` instead. |
+| `--ucp-node` | $UCP_NODE | The hostname of the UCP node to deploy DTR. Random by default. You can find the hostnames of the nodes in the cluster in the UCP web interface, or  by running `docker node ls` on a UCP manager node. |
 | `--ucp-password` | $UCP_PASSWORD | The UCP administrator password. |
 | `--ucp-url` | $UCP_URL | The UCP URL including domain and port. |
 | `--ucp-username` | $UCP_USERNAME | The UCP administrator username. |
--- a/reference/dtr/2.6/cli/upgrade.md
+++ b/reference/dtr/2.6/cli/upgrade.md
@ -1,10 +1,10 @@
 ---
 title: docker/dtr upgrade
-description: Upgrade DTR 2.4.x cluster to this version
+description: Upgrade DTR 2.5.x cluster to this version
 keywords: dtr, cli, upgrade
 ---

-Upgrade DTR 2.4.x cluster to this version
+Upgrade DTR 2.5.x cluster to this version

 ## Usage

@ -16,7 +16,7 @@ docker run -it --rm docker/dtr \
 ## Description


-This command upgrades DTR 2.4.x to the current version of this image.
+This command upgrades DTR 2.5.x to the current version of this image.


 ## Options
@ -24,10 +24,10 @@ This command upgrades DTR 2.4.x to the current version of this image.
 | Option                        | Environment Variable      | Description                                                                          |
 |:------------------------------|:--------------------------|:-------------------------------------------------------------------------------------|
 | `--debug` | $DEBUG | Enable debug mode for additional logs. |
-| `--existing-replica-id` | $DTR_REPLICA_ID | The ID of an existing DTR replica.To add, remove or modify DTR, you must connect to an existing  healthy replica's database.. |
+| `--existing-replica-id` | $DTR_REPLICA_ID | The ID of an existing DTR replica. To add, remove or modify DTR, you must connect to an existing  healthy replica's database. |
 | `--help-extended` | $DTR_EXTENDED_HELP | Display extended help text for a given command. |
-| `--ucp-ca` | $UCP_CA | Use a PEM-encoded TLS CA certificate for UCP.Download the UCP TLS CA certificate from https://<ucp-url>/ca, and  use --ucp-ca "$(cat ca.pem)". |
-| `--ucp-insecure-tls` | $UCP_INSECURE_TLS | Disable TLS verification for UCP.The installation uses TLS but always trusts  the TLS certificate used by UCP, which can lead to man-in-the-middle attacks.  For production deployments, use --ucp-ca "$(cat ca.pem)" instead. |
+| `--ucp-ca` | $UCP_CA | Use a PEM-encoded TLS CA certificate for UCP. Download the UCP TLS CA certificate from `https://<ucp-url>/ca`, and  use `--ucp-ca "$(cat ca.pem)"`. |
+| `--ucp-insecure-tls` | $UCP_INSECURE_TLS | Disable TLS verification for UCP. The installation uses TLS but always trusts the TLS certificate used by UCP, which can lead to MITM (man-in-the-middle) attacks.  For production deployments, use `--ucp-ca "$(cat ca.pem)"` instead. |
 | `--ucp-password` | $UCP_PASSWORD | The UCP administrator password. |
 | `--ucp-url` | $UCP_URL | The UCP URL including domain and port. |
 | `--ucp-username` | $UCP_USERNAME | The UCP administrator username. |