diff --git a/datacenter/images/try-ddc-2.png b/datacenter/images/try-ddc-2.png index fff4d96b6a..5c98707c42 100644 Binary files a/datacenter/images/try-ddc-2.png and b/datacenter/images/try-ddc-2.png differ diff --git a/datacenter/images/ucp.png b/datacenter/images/ucp.png index 3bba8eb3d5..11f6dcd62b 100644 Binary files a/datacenter/images/ucp.png and b/datacenter/images/ucp.png differ diff --git a/datacenter/ucp/2.2/guides/architecture.md b/datacenter/ucp/2.2/guides/architecture.md index 54af9dcffa..120930e79d 100644 --- a/datacenter/ucp/2.2/guides/architecture.md +++ b/datacenter/ucp/2.2/guides/architecture.md @@ -1,22 +1,23 @@ --- +title: UCP architecture description: Learn about the architecture of Docker Universal Control Plane. keywords: docker, ucp, architecture -title: UCP architecture --- -Universal Control Plane is a containerized application that runs on [Docker Enterprise Edition](/enterprise/index.md) and extends its functionality to -make it easier to deploy, configure, and monitor your applications at scale. +Universal Control Plane is a containerized application that runs on +[Docker Enterprise Edition](/enterprise/index.md) and extends its functionality +to make it easier to deploy, configure, and monitor your applications at scale. -It also secures Docker with role-based access control so that only authorized +UCP also secures Docker with role-based access control so that only authorized users can make changes and deploy applications to your Docker cluster. ![](images/architecture-1.svg) -Once Universal Control Plane (UCP) is deployed, developers and IT operations -no longer interact with Docker Engine directly, but interact with UCP instead. -Since UCP exposes the standard Docker API this is all done transparently, so -that you can use the tools you already know and love like the Docker CLI client -and Docker Compose. +Once Universal Control Plane (UCP) instance is deployed, developers and IT +operations no longer interact with Docker Engine directly, but interact with +UCP instead. Since UCP exposes the standard Docker API, this is all done +transparently, so that you can use the tools you already know and love, like +the Docker CLI client and Docker Compose. ## Under the hood @@ -26,31 +27,38 @@ by Docker. ![](images/architecture-2.svg) -A swarm is a collection of nodes that are in the same Docker swarm. [Nodes](/engine/swarm/key-concepts.md) in a Docker swarm operate in one of two modes: Manager or Worker. If nodes are not already running in a swarm when installing UCP, nodes will be configured to run in swarm mode. +A swarm is a collection of nodes that are in the same Docker cluster. +[Nodes](/engine/swarm/key-concepts.md) in a Docker swarm operate in one of two +modes: Manager or Worker. If nodes are not already running in a swarm when +installing UCP, nodes will be configured to run in swarm mode. When you deploy UCP, it starts running a globally scheduled service called -`ucp-agent`. This service monitors the node where it is running and starts -and stops UCP services, based on whether that node is a +`ucp-agent`. This service monitors the node where it's running and starts +and stops UCP services, based on whether the node is a [manager or a worker node](/engine/swarm/key-concepts.md). If the node is a: * **Manager**: the `ucp-agent` service automatically starts serving all UCP -components including the UCP web UI and data stores used by UCP. The `ucp-agent` accomplishes this by [deploying several containers](#ucp-components-in-manager-nodes) on the node. By promoting a node to manager, UCP automatically becomes highly available and fault tolerant. -* **Worker**: on worker nodes the `ucp-agent` service starts serving a proxy -service that ensures only authorized users and other UCP services can run Docker -commands in that node. The `ucp-agent` only deploys a [subset of containers](#ucp-components-in-worker-nodes) on worker nodes. - + components, including the UCP web UI and data stores used by UCP. The + `ucp-agent` accomplishes this by + [deploying several containers](#ucp-components-in-manager-nodes) + on the node. By promoting a node to manager, UCP automatically becomes + highly available and fault tolerant. +* **Worker**: on worker nodes, the `ucp-agent` service starts serving a proxy + service that ensures only authorized users and other UCP services can run + Docker commands in that node. The `ucp-agent` deploys a + [subset of containers](#ucp-components-in-worker-nodes) on worker nodes. ## UCP internal components The core component of UCP is a globally-scheduled service called `ucp-agent`. -When you install UCP on a node, or join a node to a swarm that is being managed +When you install UCP on a node, or join a node to a swarm that's being managed by UCP, the `ucp-agent` service starts running on that node. Once this service is running, it deploys containers with other UCP components, -and ensures they keep running. The UCP components that are deployed -on a node depend on whether that node is a manager or a worker. +and it ensures they keep running. The UCP components that are deployed +on a node depend on whether the node is a manager or a worker. ### UCP components in manager nodes @@ -73,8 +81,6 @@ persist the state of UCP. These are the UCP services running on manager nodes: | ucp-swarm-manager | Used to provide backwards-compatibility with Docker Swarm | - - ### UCP components in worker nodes Worker nodes are the ones where you run your applications. These are the UCP @@ -120,7 +126,7 @@ By default, the data for these volumes can be found at There are two ways to interact with UCP: the web UI or the CLI. -You can use the UCP web UI to manage your cluster, grant and revoke user +You can use the UCP web UI to manage your swarm, grant and revoke user permissions, deploy, configure, manage, and monitor your applications. ![](images/architecture-3.svg) diff --git a/datacenter/ucp/2.2/guides/get-support.md b/datacenter/ucp/2.2/guides/get-support.md index 86e6677338..41ea69c2dd 100644 --- a/datacenter/ucp/2.2/guides/get-support.md +++ b/datacenter/ucp/2.2/guides/get-support.md @@ -1,12 +1,11 @@ --- -description: Your Docker subscription gives you access to prioritized support. You - can file tickets via email, your the support portal. -keywords: Docker, support, help title: Get support +description: Your Docker EE subscription gives you access to prioritized support. You can file tickets via email or the support portal. +keywords: Docker, support, help --- -Your Docker Data Center, or Universal Control Plane subscription gives you -access to prioritized support. The service levels depend on your subscription. +Your Docker Enterprise Edition subscription gives you access to prioritized +support. The service levels depend on your subscription. If you need help, you can file a ticket via: @@ -21,8 +20,8 @@ support dump: ## From the UI -1. Log into the UCP UI with an administrator account. -2. On the top-right menu, **click your username**, and choose **Support Dump**. +1. Log into the UCP web UI with an administrator account. +2. In the top-left menu, click your username and choose **Support Dump**. ![](images/get-support-1.png){: .with-border} @@ -35,10 +34,10 @@ and run: docker run --rm \ --name ucp \ -v /var/run/docker.sock:/var/run/docker.sock \ - {{ page.docker_image }} \ + {{ page.ucp_latest_image }} \ support > docker-support.tgz ``` This support dump only contains logs for the node where you're running the command. If your UCP is highly available, you should collect support dumps -from all the manager nodes. +from all of the manager nodes. diff --git a/datacenter/ucp/2.2/guides/images/cli-based-access-1.png b/datacenter/ucp/2.2/guides/images/cli-based-access-1.png index 1845e2981a..e9dd30b6fa 100644 Binary files a/datacenter/ucp/2.2/guides/images/cli-based-access-1.png and b/datacenter/ucp/2.2/guides/images/cli-based-access-1.png differ diff --git a/datacenter/ucp/2.2/guides/images/get-support-1.png b/datacenter/ucp/2.2/guides/images/get-support-1.png index 142d6fe679..315276d1fa 100644 Binary files a/datacenter/ucp/2.2/guides/images/get-support-1.png and b/datacenter/ucp/2.2/guides/images/get-support-1.png differ diff --git a/datacenter/ucp/2.2/guides/images/overview-3.png b/datacenter/ucp/2.2/guides/images/overview-3.png index 6a6cd5c91a..97484fa82d 100644 Binary files a/datacenter/ucp/2.2/guides/images/overview-3.png and b/datacenter/ucp/2.2/guides/images/overview-3.png differ diff --git a/datacenter/ucp/2.2/guides/images/web-based-access-2.png b/datacenter/ucp/2.2/guides/images/web-based-access-2.png index 6a6cd5c91a..080179407e 100644 Binary files a/datacenter/ucp/2.2/guides/images/web-based-access-2.png and b/datacenter/ucp/2.2/guides/images/web-based-access-2.png differ diff --git a/datacenter/ucp/2.2/guides/index.md b/datacenter/ucp/2.2/guides/index.md index 8b3dc9a1d9..1b0f5e361f 100644 --- a/datacenter/ucp/2.2/guides/index.md +++ b/datacenter/ucp/2.2/guides/index.md @@ -1,23 +1,24 @@ --- +title: Universal Control Plane overview description: Learn about Docker Universal Control Plane, the enterprise-grade cluster management solution from Docker. keywords: docker, ucp, overview, orchestration, clustering -title: Universal Control Plane overview --- Docker Universal Control Plane (UCP) is the enterprise-grade cluster management solution from Docker. You install it on-premises or in your virtual private -cloud, and it helps you manage your Docker cluster and applications from a -single place. +cloud, and it helps you manage your Docker swarm and applications through a +single interface. ![](../../../images/ucp.png){: .with-border} -## Centralized cluster management +## Centralized swarm management -With Docker you can join up to thousands of physical or virtual machines -together to create a container cluster, allowing you to deploy your applications -at scale. Docker Universal Control Plane extends the functionality provided -by Docker to make it easier to manage your cluster from a centralized place. +With Docker, you can join up to thousands of physical or virtual machines +together to create a container cluster, or swarm, allowing you to deploy your +applications at scale. Docker Universal Control Plane extends the +functionality provided by Docker to make it easier to manage your swarm +from a centralized place. You can manage and monitor your container cluster using a graphical UI. @@ -28,38 +29,39 @@ you already know, including the Docker CLI client, to deploy and manage your applications. As an example, you can use the `docker info` command to check the -status of a Docker cluster managed by UCP: +status of a Docker swarm managed by UCP: -```bash +```none $ docker info -Containers: 30 -Images: 24 -Server Version: ucp/2.0.1 -Role: primary -Strategy: spread -Filters: health, port, containerslots, dependency, affinity, constraint -Nodes: 2 - ucp-node-1: 192.168.99.100:12376 - └ Status: Healthy - └ Containers: 20 - ucp-node-2: 192.168.99.101:12376 - └ Status: Healthy - └ Containers: 10 +Containers: 38 +Running: 23 +Paused: 0 +Stopped: 15 +Images: 17 +Server Version: 17.06 +... +Swarm: active +NodeID: ocpv7el0uz8g9q7dmw8ay4yps +Is Manager: true +ClusterID: tylpv1kxjtgoik2jnrg8pvkg6 +Managers: 1 +… ``` ## Deploy, manage, and monitor -With Docker UCP you can manage from a centralized place all the computing -resources you have available like nodes, volumes, and networks. +With Docker UCP, you can manage from a centralized place all of the computing +resources you have available, like nodes, volumes, and networks. You can also deploy and monitor your applications and services. ## Built-in security and access control Docker UCP has its own built-in authentication mechanism and integrates with -LDAP services. It also has Role Based Access Control (RBAC), so that you can -control who can access and make changes to your cluster and applications. +LDAP services. It also has role-based access control (RBAC), so that you can +control who can access and make changes to your swarm and applications. +[Learn about role-based access control](admin/manage-users/index.md). ![](images/overview-3.png){: .with-border} diff --git a/datacenter/ucp/2.2/guides/user/access-ucp/cli-based-access.md b/datacenter/ucp/2.2/guides/user/access-ucp/cli-based-access.md index 16b94ea81a..d6398ccd23 100644 --- a/datacenter/ucp/2.2/guides/user/access-ucp/cli-based-access.md +++ b/datacenter/ucp/2.2/guides/user/access-ucp/cli-based-access.md @@ -1,14 +1,14 @@ --- -description: Learn how to access Docker Universal Control Plane from the CLI. -keywords: docker, ucp, cli, administration title: CLI-based access +description: Learn how to access Docker Universal Control Plane from the CLI. +keywords: ucp, cli, administration --- -Docker UCP secures your cluster with role-based access control, so that only -authorized users can perform changes to the cluster. +Docker UCP secures your swarm by using role-based access control, +so that only authorized users can perform changes to the cluster. For this reason, when running docker commands on a UCP node, you need to -authenticate your request using client certificates. When trying to run docker +authenticate your request with client certificates. When trying to run docker commands without a valid certificate, you get an authentication error: ```none @@ -20,20 +20,20 @@ x509: certificate signed by unknown authority There are two different types of client certificates: * Admin user certificate bundles: allow running docker commands on the -Docker Engine of any node, + Docker Engine of any node, * User certificate bundles: only allow running docker commands through a UCP -manager node. + manager node. ## Download client certificates -To download a client certificate bundle, log into the **UCP web UI**, and -navigate to your user **profile page**. +To download a client certificate bundle, log in to the UCP web UI and +navigate to your **My Profile** page. + +In the left pane, click **Client Bundles** and click **New Client Bundle** +to download the certificate bundle. ![](../../images/cli-based-access-1.png){: .with-border} -Click the **Create a Client Bundle** button, to download the certificate bundle. - - ## Use client certificates Once you've downloaded a client certificate bundle to your local computer, you @@ -42,7 +42,7 @@ can use it to authenticate your requests. Navigate to the directory where you downloaded the user bundle, and unzip it. Then source the `env.sh` script. -```none +```bash $ unzip ucp-bundle-dave.lauper.zip $ cd ucp-bundle-dave.lauper $ eval $( Note: The bundle includes scripts for setting up Windows nodes. To set up a +> Windows environment, run `env.cmd` in an elevated command prompt, or run +> `env.ps1` in an elevated PowerShell prompt. + From now on, when you use the Docker CLI client, it includes your client -certificates as part of the request to the Docker Engine. -You can now use the Docker CLI to create services, networks, volumes and other -resources on a swarm managed by UCP. +certificates as part of the request to the Docker Engine. You can now use the +Docker CLI to create services, networks, volumes and other resources on a swarm +that's managed by UCP. -## Download client certificates using the REST API +## Download client certificates by using the REST API -You can also download client bundles using the UCP REST API. In -this example we'll be using `curl` for making the web requests to the API, and -`jq` to parse the responses. +You can also download client bundles by using the +[UCP REST API](../../../reference/api/index.md). In this example, +we use `curl` to make the web requests to the API, and `jq` to parse the +responses. To install these tools on a Ubuntu distribution, you can run: -```none +```bash $ sudo apt-get update && apt-get install curl jq ``` Then you get an authentication token from UCP, and use it to download the client certificates. -```none +```bash # Create an environment variable with the user security token $ AUTHTOKEN=$(curl -sk -d '{"username":"","password":""}' https:///auth/login | jq -r .auth_token) diff --git a/datacenter/ucp/2.2/guides/user/access-ucp/index.md b/datacenter/ucp/2.2/guides/user/access-ucp/index.md index afd3493691..d775279245 100644 --- a/datacenter/ucp/2.2/guides/user/access-ucp/index.md +++ b/datacenter/ucp/2.2/guides/user/access-ucp/index.md @@ -1,7 +1,7 @@ --- -description: Learn how to access Docker Universal Control Plane from the web browser. -keywords: docker, ucp, web, administration title: Web-based access +description: Learn how to access Docker Universal Control Plane from the web browser. +keywords: ucp, web, administration --- Docker Universal Control Plane allows you to manage your cluster in a visual @@ -10,18 +10,22 @@ way, from your browser. ![](../../../../../images/ucp.png){: .with-border} -Docker UCP secures your cluster with role-based access control. From the -browser, Administrators can: +Docker UCP secures your swarm by using +[role-based access control](../../admin/manage-users/index.md). +From the browser, administrators can: -* Manage cluster configurations, -* Manage the permissions of users and teams, +* Manage swarm configurations, +* Manage the permissions of users, teams, and organizations, * See all images, networks, volumes, and containers. +* Grant permissions to users for scheduling tasks on specific nodes + (with the Docker EE Advanced license). ![](../../images/web-based-access-2.png){: .with-border} Non-admin users can only see and change the images, networks, volumes, and -containers, they are granted access. +containers, and only when they're granted access by an administrator. # Where to go next +* [Authorization](../../admin/manage-users/index.md) * [Access UCP from the CLI](cli-based-access.md) diff --git a/datacenter/ucp/2.2/guides/user/secrets/grant-revoke-access.md b/datacenter/ucp/2.2/guides/user/secrets/grant-revoke-access.md index 1c6723793d..33e6281047 100644 --- a/datacenter/ucp/2.2/guides/user/secrets/grant-revoke-access.md +++ b/datacenter/ucp/2.2/guides/user/secrets/grant-revoke-access.md @@ -9,8 +9,11 @@ use a specific secret in their services and which users can delete the secret. ## Grant access to a secret -As with most resources managed by UCP, the way to grant permission to a set -of users to use a secret, is by applying the `com.docker.ucp.access.label` to +As with other resources managed by UCP, the way to grant permission to a set +of users to use a secret is by creating a grant against the collection that +contains the secret. + +is by applying the `com.docker.ucp.access.label` to the secret. ![](../../images/grant-access-secrets-1.png){: .with-border} diff --git a/datacenter/ucp/2.2/guides/user/secrets/index.md b/datacenter/ucp/2.2/guides/user/secrets/index.md index 6ce324ce0a..eb2b3a9503 100644 --- a/datacenter/ucp/2.2/guides/user/secrets/index.md +++ b/datacenter/ucp/2.2/guides/user/secrets/index.md @@ -1,26 +1,22 @@ --- title: Manage secrets description: Learn how to manage your passwords, certificates, or other secrets in a secure way with Docker Datacenter -keywords: Docker, UCP, secrets, secrets management +keywords: UCP, secrets, secrets management --- -[![Secrets](../../images/secrets_video.png)](https://www.youtube.com/watch?v=8CaiJ9uZEk8 "Working with Secrets"){:target="_blank"} - -When deploying and orchestrating services, you often need to configure those -services with sensitive information like passwords, TLS certificates, or -private keys. +When deploying and orchestrating services, you often need to configure them +with sensitive information like passwords, TLS certificates, or private keys. Universal Control Plane allows you to store this sensitive information, also -know as secrets, in a secure way. It also gives you role-based access control +known as *secrets*, in a secure way. It also gives you role-based access control so that you can control which users can use a secret in their services and which ones can manage the secret. UCP extends the functionality provided by Docker Engine, so you can continue using the same workflows and tools you already use, like the Docker CLI client. +[Learn how to use secrets with Docker](/engine/swarm/secrets/). - - -In this example we're going to deploy a WordPress application that's composed of +In this example, we're going to deploy a WordPress application that's composed of two services: * wordpress: The service that runs Apache, PHP, and WordPress @@ -28,17 +24,19 @@ two services: Instead of configuring our services to use a plain text password stored in an environment variable, we're going to create a secret to store the password. -When we deploy those services we'll attach the secret to them, which creates -a file with the password inside the container running the service. Our services -will be able to use that file, but no one else will be able to see the -plain text password. +When we deploy those services, we'll attach the secret to them, which creates +a file with the password inside the container running the service. +Our services will be able to use that file, but no one else will be able +to see the plain text password. To make things simpler, we're not going to configure the database service to persist data. When the service stops, the data is lost. ## Create a secret -In the **UCP web UI**, navigate to **Resources**, and click **Secrets**. +In the UCP web UI, navigate to **Secrets** page and click **Create Secret** +to create a new secret. Once you create the secret you won't be able to edit +it or see the secret data again. ![](../../images/manage-secrets-1.png){: .with-border} diff --git a/datacenter/ucp/2.2/guides/user/services/use-domain-names-to-access-services.md b/datacenter/ucp/2.2/guides/user/services/use-domain-names-to-access-services.md index 20ab54113d..f8d5ce7071 100644 --- a/datacenter/ucp/2.2/guides/user/services/use-domain-names-to-access-services.md +++ b/datacenter/ucp/2.2/guides/user/services/use-domain-names-to-access-services.md @@ -22,7 +22,7 @@ You also need permissions to attach services to the `ucp-hrm` network. ## Deploy WordPress -Log in the UCP web UI, navigate to the **Services** page, and click +Log in to the UCP web UI, navigate to the **Services** page, and click **Create Service**. Then create a WordPress service with the following configuration: