Merge remote-tracking branch 'dtr/dtr-2.1' into vnext-datacenter

datacenter/dtr/2.1/architecture.md

@@ -0,0 +1,93 @@
+<!--[metadata]>
++++
+title = "Architecture"
+description = "Learn about the architecture of Docker Trusted Registry."
+keywords = ["docker, registry, dtr, architecture"]
+[menu.main]
+parent="workw_dtr"
+identifier="dtr_architecture"
+weight=20
++++
+<![end-metadata]-->
+
+# DTR architecture
+
+Docker Trusted Registry (DTR) is a Dockerized application that runs on a Docker
+Universal Control Plane cluster.
+
+![](images/architecture-1.png)
+
+
+## Containers
+
+When you install DTR on a node, the following containers are started:
+
+| Name                                 | Description                                                                                                                        |
+|:-------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------|
+| dtr-api-&lt;replica_id&gt;           | Executes the DTR business logic. It serves the DTR web application, and API                                                        |
+| dtr-etcd-&lt;replica_id&gt;          | A key-value store for persisting DTR configuration settings                                                                        |
+| dtr-jobrunner-&lt;replica_id&gt;     | Runs cleanup jobs in the background                                                                                                |
+| dtr-nginx-&lt;replica_id&gt;         | Receives http and https requests and proxies them to other DTR components. By default it listens to ports 80 and 443 of the host   |
+| dtr-notary-server-&lt;replica_id&gt; | Receives, validates, and serves content trust metadata, and is consulted when pushing or pulling to DTR with content trust enabled |
+| dtr-notary-signer-&lt;replica_id&gt; | Performs server-side timestamp and snapshot signing for content trust metadata                                                     |
+| dtr-registry-&lt;replica_id&gt;      | Implements the functionality for pulling and pushing Docker images. It also handles how images are stored                          |
+| dtr-rethinkdb-&lt;replica_id&gt;     | A database for persisting repository metadata                                                                                      |
+
+All these components are for internal use of DTR. Don't use them in your applications.
+
+## Networks
+
+To allow containers to communicate, when installing DTR the following networks
+are created:
+
+| Name   | Type    | Description                                                                            |
+|:-------|:--------|:---------------------------------------------------------------------------------------|
+| dtr-br | bridge  | Allows DTR components on the same node to communicate with each other in a secure way  |
+| dtr-ol | overlay | Allows DTR components running on different nodes to communicate, to replicate DTR data |
+
+
+## Volumes
+
+DTR uses these named volumes for persisting data:
+
+| Volume name                     | Description                                                                      |
+|:--------------------------------|:---------------------------------------------------------------------------------|
+| dtr-ca-&lt;replica_id&gt;       | Root key material for the DTR root CA that issues certificates                   |
+| dtr-etcd-&lt;replica_id&gt;     | DTR configuration data                                                           |
+| dtr-notary-&lt;replica_id&gt;   | Certificate and keys for the Notary components                                   |
+| dtr-registry-&lt;replica_id&gt; | Docker images data, if DTR is configured to store images on the local filesystem |
+| dtr-rethink-&lt;replica_id&gt;  | Repository metadata                                                              |
+
+You can customize the volume driver used for these volumes, by creating the
+volumes before installing DTR. During the installation, DTR checks which volumes
+don't exist in the node, and creates them using the default volume driver.
+
+By default, the data for these volumes can be found at
+`/var/lib/docker/volumes/<volume-name>/_data`.
+
+## Image storage
+
+By default, Docker Trusted Registry stores images on the filesystem of the node
+where it is running.
+
+You can also configure DTR to use these storage backends:
+
+* NFS
+* Amazon S3
+* Cleversafe
+* OpenStack Swift
+* Microsoft Azure
+
+For highly available installations, you should use a cloud storage system
+instead of an NFS mount, since they usually have better performance.
+
+## High-availability support
+
+For load balancing and high-availability, you can install multiple replicas of
+DTR, and join them to create a cluster.
+[Learn more about high availability](high-availability/index.md).
+
+## Where to go next
+
+* [System requirements](install/system-requirements.md)
+* [Install DTR](install/index.md)

datacenter/dtr/2.1/configure/config-general.md

@@ -0,0 +1,53 @@
++++
+title = "Configure general settings"
+description = "Configure general settings for Docker Trusted Registry"
+keywords = ["docker, documentation, about, technology, understanding, enterprise, hub, general, domain name, HTTP, HTTPS ports, registry"]
+[menu.main]
+parent="workw_dtr_configure"
+identifier="dtr_configure_general"
+weight=3
++++
+
+# Configure general settings
+
+This document describes the general settings you need to configure.
+
+## Configure your domain name and port settings
+
+Each setting on this page is explained in the Docker Trusted Registry UI.
+
+* *Domain Name*: **required**. By default it is an empty string. It is the fully qualified domain name assigned to the Docker Trusted Registry host.
+* *HTTP Port*: defaults to 80 and is used as the entry point for the image storage service. To see load balancer status, you can query
+http://<dtr-host>/load_balancer_status.
+* *HTTPS Port*: defaults to 443, used as the secure entry point for the image storage service.
+* *HTTP proxy*: defaults to an empty string, proxy server for HTTP requests.
+* *HTTPS proxy*: defaults to an empty string, proxy server for HTTPS requests.
+* *No proxy*: defaults to an empty string, proxy bypass for HTTP and HTTPS requests.
+* *Upgrade checking*: enables or disables automatic checking for the Trusted Registry software updates.
+
+If you need the Trusted Registry to re-generate a self-signed certificate at
+some point, you can change the domain name. Whenever the domain name does not
+match the current certificate, a new self-signed certificate is generated
+for the new domain. This also works with IP addresses.
+
+
+## Docker Content Trust
+
+The Trusted Registry integrates with Docker Notary by default to provide
+Content Trust functionality, allowing your organization to push and pull
+trusted images. After pushing images in the Trusted Registry, you can see
+which image tags were signed by viewing the appropriate repositories through
+Trusted Registry's web interface.
+
+To configure your Docker client to be able to push signed images to Docker
+Trusted Registry, refer to the CLI Reference's [Environment Variables
+Section](/engine/reference/commandline/cli.md#environment-variables) and
+[Notary Section](/engine/reference/commandline/cli.md#notary).
+
+This requires you to set the `DOCKER_CONTENT_TRUST` variable and configure
+your system to trust Docker Trusted Registry's TLS certificate if it doesn't
+already.
+
+## See also
+
+* [Configure storage settings](config-storage.md)

datacenter/dtr/2.1/configure/config-security.md

@@ -0,0 +1,228 @@
++++
+title = "Security configuration"
+description = "Security configuration for Docker Trusted Registry"
+keywords = ["docker, documentation, about, technology, understanding, configuration, security, enterprise, hub, registry"]
+[menu.main]
+parent="workw_dtr_configure"
+identifier="dtr_configure_security"
+weight=4
++++
+
+# Security configuration
+
+This document describes the security settings you need to configure.
+
+* *SSL Certificate*: Used to enter the hash (string) from the SSL Certificate.
+This cert must be accompanied by its private key, entered below.
+* *SSL Private Key*: The hash from the private key associated with the provided
+SSL Certificate (as a standard x509 key pair).
+
+In order to run, the Trusted Registry requires encrypted communications through HTTPS/SSL between (a) the Trusted Registry and your Docker Engine(s), and (b) between your web browser and the Trusted Registry admin server. There are a few options for setting this up:
+
+1. You can use the self-signed certificate Docker Trusted Registry generates by default.
+2. You can generate your own certificates using a public service or your enterprise's infrastructure. See the [Generating SSL certificates](#generating-ssl-certificates) section for the options available.
+
+If you are generating your own certificates, you can install them by following the instructions for
+[Adding your own registry certificates to Docker Trusted Registry](#adding-your-own-registry-certificates-to-dtr).
+
+However, if you choose to use the Trusted Registry-generated certificates, or
+the certificates you generate yourself are not trusted by your client Docker
+hosts, you will need to do one of the following:
+
+* [Install](#installing-registry-certificates-on-client-docker-daemons) a registry certificate on all of your client Docker daemons, or
+
+* Set your [client Docker daemons](#if-you-can-t-install-the-certificates) to run with an unconfirmed connection to the registry.
+
+### Generate SSL certificates
+
+There are three basic approaches to generating certificates:
+
+1.  Most enterprises will have private key infrastructure (PKI) in place to
+generate keys. Consult with your security team or whomever manages your private
+key infrastructure. If you have this resource available, Docker recommends you
+use it.
+
+2. If your enterprise can't provide keys, you can use a public Certificate
+Authority (CA) like "InstantSSL.com" or "RapidSSL.com" to generate a
+certificate. If your certificates are generated using a globally trusted
+Certificate Authority, you won't need to install them on all of your
+client Docker daemons.
+
+3. Use the self-signed registry certificate generated by Docker Trusted
+Registry, and install it onto the client Docker daemon hosts as seen in the
+following section.
+
+
+### Add your own registry certificates
+
+Whichever method you use to generate certificates, once you have them you can
+set up your Trusted Registry server to use them.
+
+1. Navigate to Settings > Security, and put the SSL Certificate text
+(including all intermediate Certificates, starting with the host) into the "SSL
+Certificate" edit box, and the previously generated Private key into the "SSL
+Private Key" edit box.
+
+2. Click Save, and then wait for the Trusted Registry Admin site to restart
+and reload. It should now be using the new certificate. Once the Security page has reloaded, it displays `#` hashes instead of the
+certificate text you pasted.
+
+If your certificate is signed by a chain of Certificate Authorities that are
+already trusted by your Docker daemon servers, you can skip the following
+"Install registry certificates" step.
+
+
+### Install registry certificates on client Docker daemons
+
+If your certificates do not have a trusted Certificate Authority, you will need
+to install them on each client Docker daemon host.
+
+The procedure for installing the Trusted Registry certificates on each
+Linux distribution has slightly different steps.
+
+You can test this certificate using `curl`:
+
+```
+$ curl https://dtr.yourdomain.com/v2/
+curl: (60) SSL certificate problem: self signed certificate
+```
+
+For details see: http://curl.haxx.se/docs/sslcerts.html
+
+Curl performs SSL certificate verification by default, using a "bundle" of
+Certificate Authority (CA) public keys (CA certs). If the default bundle file
+isn't adequate, you can specify an alternate file using the `--cacert` option.
+If this HTTPS server uses a certificate signed by a CA represented in the
+bundle, the certificate verification probably failed due to a problem with the
+certificate. For example, it might be expired, or the name might not match the
+domain name in the URL.
+
+If you'd like to turn off curl's verification of the certificate, use
+ the -k (or --insecure) option.
+
+```
+$ curl --cacert /usr/local/etc/dtr/ssl/server.pem https://dtr.yourdomain.com/v2/
+{"errors":[{"code":"UNAUTHORIZED","message":"access to the requested resource is not authorized","detail":null}]}
+```
+
+Continue by following the steps corresponding to your chosen OS. Run the following commands on the Trusted Registry host.
+
+#### Ubuntu/Debian
+
+```
+    $ export DOMAIN_NAME=dtr.yourdomain.com
+    $ openssl s_client -connect $DOMAIN_NAME:443 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM | sudo tee /usr/local/share/ca-certificates/$DOMAIN_NAME.crt
+    $ sudo update-ca-certificates
+    Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
+    Running hooks in /etc/ca-certificates/update.d....done.
+    $ sudo service docker restart
+    docker stop/waiting
+    docker start/running, process 29291
+```
+
+#### RHEL/Centos
+
+```
+    $ export DOMAIN_NAME=dtr.yourdomain.com
+    $ openssl s_client -connect $DOMAIN_NAME:443 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM | sudo tee /etc/pki/ca-trust/source/anchors/$DOMAIN_NAME.crt
+    $ sudo update-ca-trust
+    $ sudo /bin/systemctl restart docker.service
+```
+
+#### Docker Machine and Boot2Docker
+
+You'll need to make some persistent changes using `bootsync.sh` in your
+Boot2Docker-based virtual machine (as documented in [local customization](https://github.com/boot2docker/boot2docker/blob/master/doc/FAQ.md#local-customisation-with-persistent-partition)). To do this:
+
+1. `docker-machine ssh dev` to enter the VM
+2. `vi /var/lib/boot2docker/bootsync.sh` creates it if it doesn't exist, or edit it if it does.
+3. Install the CA cert (or the auto-generated cert) by adding the following code to your `/var/lib/boot2docker/bootsync.sh`:
+
+        ```
+        #!/bin/sh
+
+        cat /var/lib/boot2docker/server.pem >> /etc/ssl/certs/ca-certificates.crt
+        ```
+
+4. Next get the certificate from the new Docker Trusted Registry server using:
+
+    ```
+    $ openssl s_client -connect dtr.yourdomain.com:443 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM | sudo tee -a /var/lib/boot2docker/server.pem
+    ```
+
+    If your certificate chain is complicated, you can use the changes in [Pull request 807](https://github.com/boot2docker/boot2docker/pull/807/files)
+
+5. Either reboot your virtual machine, or run the following commands to
+install the server certificate. Restart the Docker daemon.
+
+    ```
+    $ sudo chmod 755 /var/lib/boot2docker/bootsync.sh
+    $ sudo /var/lib/boot2docker/bootsync.sh
+    $ sudo /etc/init.d/docker restart`.
+    ```
+
+### If you can't install the certificates
+
+If for some reason you can't install the certificate chain on a client Docker
+host, or your certificates do not have a global CA, you can configure your
+Docker daemon to run in "insecure" mode. This is done by adding an extra flag,
+`--insecure-registry host-ip|domain-name`, to your client Docker daemon startup
+flags. You'll need to restart the Docker daemon for the change to take effect.
+
+This flag means that the communications between your Docker client and the Trusted Registry server are still encrypted, but the client Docker daemon is not
+confirming that the Registry connection is not being hijacked or diverted.
+
+If you enter a "Domain Name" into the Security settings, it needs to be DNS
+resolvable on any client daemons that are running in `insecure-registry`
+mode.
+
+To set the flag, perform the following directions for your operating system.
+
+#### Ubuntu
+
+On Ubuntu 14.04 LTS, customize the Docker daemon configuration with the
+`/etc/defaults/docker` file.
+
+Open or create the `/etc/defaults/docker` file, and add the
+`--insecure-registry` flag to the `DOCKER_OPTS` setting (which may need to be
+added or uncommented) as follows:
+
+```
+DOCKER_OPTS="--insecure-registry dtr.yourdomain.com"
+```
+
+Then restart the Docker daemon with `sudo service docker restart`.
+
+#### RHEL/Centos
+
+On RHEL/Centos, customize the Docker daemon configuration with the
+`/etc/sysconfig/docker` file.
+
+Open or create the `/etc/sysconfig/docker` file, and add the
+`--insecure-registry` flag to the `OPTIONS` setting (which may need to be
+added or uncommented) as follows:
+
+```
+OPTIONS="--insecure-registry dtr.yourdomain.com"
+```
+
+Then restart the Docker daemon with `sudo service docker restart`.
+
+### Docker Machine and Boot2Docker
+
+In your Boot2Docker-based virtual machine, customize the Docker daemon
+configuration with the `/var/lib/boot2docker/profile` file.
+
+Open or create the `/var/lib/boot2docker/profile` file, and add an `EXTRA_ARGS`
+setting as follows:
+
+```
+EXTRA_ARGS="--insecure-registry dtr.yourdomain.com"
+```
+
+Then restart the Docker daemon with `sudo /etc/init.d/docker restart`.
+
+
+## See also
+
+* [Configure storage options](config-storage.md)

datacenter/dtr/2.1/configure/config-storage.md

@@ -0,0 +1,217 @@
++++
+title = "Storage configuration"
+description = "Storage configuration for Docker Trusted Registry"
+keywords = ["docker, documentation, about, technology, understanding, configuration, storage, storage drivers, Azure, S3, Swift,  enterprise, hub, registry"]
+[menu.main]
+parent="workw_dtr_configure"
+identifier="dtr_configure_storage"
+weight=5
++++
+
+# Storage configuration
+
+After installing Docker Trusted Registry, one of your first tasks is to
+designate and configure the Trusted Registry storage backend. This document provides the following:
+
+* Information describing your storage backend options.
+* Configuration steps using either the Trusted Registry UI or a YAML file.
+
+While there is a default storage backend, `filesystem`, the Trusted Registry offers other options that are cloud-based. This flexibility to configure to a different storage backend allows you to:
+
+* Scale your Trusted Registry
+* Leverage storage redundancy
+* Store your images anywhere in the cloud
+* Take advantage of other features that are critical to your organization
+
+At first, you might have explored Docker Trusted Registry and Docker Engine by
+ [installing](../install/index.md)
+them on your system in order to familiarize yourself with them.
+However, for various reasons such as deployment purposes or continuous
+integration, it makes sense to think about your long term organization’s needs
+when selecting a storage backend. The Trusted Registry natively supports TLS and
+basic authentication. It also ships with a [notification system](/registry/notifications.md), calling webhooks in response to activity. The notification system also provides both extensive logging and
+reporting, which is useful for organizations that want to collect metrics.
+
+## Understand the Trusted Registry storage backend
+
+By default, your Trusted Registry data resides as a data volume on the host
+`filesystem`. This is where your repositories and images are stored. This
+storage driver is the local posix `filesystem` and is configured to use a
+directory tree in the local filesystem. It's suitable for development or small
+deployments. The `filesystem` can be located on the same computer as the Trusted Registry, or on a separate system.
+
+Additionally, the Trusted Registry supports these cloud-based storage drivers:
+
+* Amazon Simple Storage Solution **S3**
+* OpenStack **Swift**
+* Microsoft **Azure** Blob Storage
+
+<!--* **Rados**:  A driver storing objects in a Ceph Object Storage pool. -->
+
+### Filesystem
+
+If you select `filesystem`, then the Trusted Registry uses the local disk to
+store registry files. This backend has a single, required `rootdirectory`
+parameter which specifies a subdirectory of `/var/local/dtr/imagestorage` in
+which all registry files are stored. The default value of `/local` means the
+files are stored in `/var/local/dtr/image-storage/local`.
+
+The Trusted Registry stores all its data at this location, so ensure there is
+adequate space available. To do so, you can run the following commands:
+
+* To analyze the disk usage: `docker exec -it <container_name> bash` then run `df -h`.
+* To see the file size of your containers, use the `-s` argument of `docker ps -s`.
+
+### Amazon S3
+
+S3 stores data as objects within “buckets” where you read, write, and delete
+objects in that container. It too, has a `rootdirectory` parameter. If you select this option, there will be some tasks that you need to first perform [on AWS](https://aws.amazon.com/s3/getting-started/).   
+
+1. You must create an S3 bucket, and write down its name and the AWS zone it
+runs on.
+2. Determine write permissions for your bucket.
+3. S3 flavor comes with DEBUG=false by default. If you need to debug, then you need to add `-e DEBUG=True`.
+4. Specify an AWS region, which is dependent on your S3 location, for example, use `-e AWS_REGION=”eu-west-1”`.
+5. Ensure your host time is correct. If your host clock is still running on the main computer, but not on the docker host virtual machine, then you will have
+time differences. This may cause an issue if you try to authenticate with Amazon
+web services.
+6. You will also need your AWS access key and secret key. Learn [more about it ](http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) here.
+
+Conversely, you can further limit what users access in the Trusted Registry when you use AW to host your Trusted Registry. Instead of using the UI to enter information, you can create an [IAM user policy](http://docs.aws.amazon.com/AmazonS3/latest/dev/example-policies-s3.html) which is a JSON description of the effects, actions, and resources available to
+a user. The advantage of using this method instead of configuring through the Trusted Registry UI is that you can restrict what users can access. You apply the policy as part of the process of installing the Trusted Registry on AW. To set a policy through the AWS command line, save the policy into a file,
+for example `TrustedRegistryUserPerms.json`, and pass it to the
+put-user-policy AWS command:
+
+```
+$ aws iam put-user-policy --user-name MyUser --policy-name TrustedRegistryUserPerms --policy-document file://C:\Temp\TrustedRegistryUserPerms.json
+```
+
+You can also set a policy through your AWS console. For more information about
+setting IAM policies using the command line or the console, review the AWS
+[Overview of IAM Policies](http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) article or visit the console Policies page.
+
+The following example describes the minimum permissions set which allows
+Trusted Registry users to access, push, pull, and delete images.
+
+```
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": "s3:ListAllMyBuckets",
+            "Resource": "arn:aws:s3:::*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:ListBucket",
+                "s3:GetBucketLocation"
+            ],
+            "Resource": "arn:aws:s3:::<INSERT YOUR BUCKET HERE>"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:PutObject",
+                "s3:GetObject",
+                "s3:DeleteObject"
+            ],
+            "Resource": "arn:aws:s3:::<INSERT YOUR BUCKET HERE>/*"
+        }
+    ]
+}
+
+```
+
+### OpenStack Swift
+
+OpenStack Swift, also known as OpenStack Object Storage, is an open source
+object storage system that is licensed under the Apache 2.0 license. Refer to [Swift documentation](http://docs.openstack.org/developer/swift/) to get started.
+
+<!--
+### Ceph Rados
+
+**(Details are missing as this is currently being developed for DTR 1.4.3?)**
+
+Ceph implements distributed object storage. The object storage “product”,
+service or capabilities, consist of a Ceph Storage Cluster and a Ceph
+Object Gateway.
+
+For additional information see the Ceph documentation  [here](http://docs.ceph.com/docs/master/rados/) and [here](http://docs.ceph.com/docs/hammer/radosgw/).
+-->
+
+### Microsoft Azure
+
+This storage backend uses Microsoft’s Azure Blob storage. Data is stored within
+a paid Windows Azure storage account. Refer to Microsoft's Azure
+[documentation](https://azure.microsoft.com/en-us/services/storage/) which
+explains how to set up your Storage account.
+
+## Configure your Trusted Registry storage backend
+
+Once you select your driver, you need to configure it through the UI or use a
+YAML file (which is discussed further in this document.)
+
+1. From the main Trusted Registry screen, navigate to Settings > Storage.
+2. Under Storage Backend, use the drop down menu to select your storage. The screen refreshes to reflect your option.
+3. Enter your configuration settings. If you're not sure what a particular parameter does, then find your driver from the following headings so that you can see a detailed explanation.
+4. Click Save. The Trusted Registry restarts so that your changes take effect.
+
+>**Note**: Changing your storage backend requires you to restart the Trusted Registry.
+
+See the [Registry configuration](/registry/configuration.md)
+documentation for the full options specific to each driver. Storage drivers can
+be customized through the [Docker Registry storage driver
+API](/registry/storage-drivers/index.md#storage-driver-api).
+
+
+### Filesystem settings
+
+The [filesystem storage backend](/registry/configuration.md#filesystem)
+has only one setting, the "Storage directory".
+
+### S3 settings
+
+If you select the [S3 storage backend](/registry/configuration.md#s3), then you
+need to set  "AWS region", "Bucket name", "Access Key", and "Secret Key".
+
+### Azure settings
+
+Set the "Account name", "Account key", "Container", and "Realm" on the [Azure storage backend](/registry/configuration.md#azure) page.
+
+### Openstack Swift settings
+
+View the [Openstack Swift settings](/registry/configuration.md#openstack-swift)
+documentation so that you can set up your storage settings: authurl, username,
+password, container, tenant, tenantid, domain, domainid, insecureskipverify,
+region, chunksize, and prefix.
+
+## Configure using a YAML file
+
+If the previous quick setup options are not sufficient to configure your
+Registry options, you can upload a YAML file. The schema of this file is
+identical to that used by the [Registry](/registry/configuration.md).
+
+There are several benefits to using a YAML file as it can provide an
+additional level of granularity in defining your storage backend. Advantages
+include:
+
+* Overriding specific configuration options.
+* Overriding the entire configuration file.
+* Selecting from the entire list of configuration options.
+
+**To configure**:
+
+1. Navigate to the Trusted Registry UI > Settings > Storage.
+2. Select Download to get the text based file. It contains a minimum amount
+of information and you're going to need additional data based on your driver and
+business requirements.
+3. Go [here](/registry/configuration.md#list-of-configuration-options") to see the open source YAML file. Copy the sections you need and paste into your `storage.yml` file. Note that some settings may contradict others, so
+ensure your choices make sense.
+4. Save the YAML file and return to the UI.
+5. On the Storage screen, upload the file, review your changes, and click Save.
+
+## See also
+
+* [Configure security settings](config-security.md)

datacenter/dtr/2.1/configure/configuration.md

@@ -0,0 +1,43 @@
++++
+title = "Configuration overview"
+description = "Configuration overview for Docker Trusted Registry"
+keywords = ["docker, documentation, about, technology, understanding, enterprise, hub,  registry"]
+[menu.main]
+parent="workw_dtr_configure"
+identifier="dtr_configuration"
+weight=2
++++
+
+# Configure overview
+
+When you first install Docker Trusted Registry, you need to configure it. Use
+this overview to see what you can configure.
+
+To start, navigate to the Trusted Registry user interface (UI) > Settings, to
+view configuration options. Configuring is grouped by the following:
+
+* [General settings](config-general.md) (ports, proxies)
+* [Security settings](config-security.md)
+* [Storage settings](config-storage.md)
+* [License](../install/license.md)
+* Updates
+
+
+Saving changes you've made to settings will restart various services, as follows:
+
+ * General settings: full Docker Trusted Registry restart
+ * License change: full Docker Trusted Registry restart
+ * SSL change: Nginx reload
+ * Storage config: only registries restart
+
+## Docker daemon logs
+
+Both the Trusted Registry and the Docker daemon collect and store log messages. To limit duplication of the Docker daemon logs, add the following parameters in a Trusted Registry CLI to the Docker daemon and then restart the daemon.
+
+`docker daemon --log-opt max-size 100m max-file=1`
+
+
+## See also
+
+* [Monitor DTR](../monitor-troubleshoot/index.md)
+* [Troubleshoot DTR](../monitor-troubleshoot/troubleshoot.md)

datacenter/dtr/2.1/configure/index.md

@@ -0,0 +1,20 @@
+<!--[metadata]>
++++
+title = "Configuration"
+description = "Trusted Registry configuration options"
+keywords = ["docker, documentation, about, technology, install, enterprise, hub, CS engine, Docker Trusted Registry, configure, storage, backend, drivers"]
+[menu.main]
+parent="workw_dtr"
+identifier="workw_dtr_configure"
+weight=50
++++
+<![end-metadata]-->
+
+# Configure DTR
+
+This section includes the following topics:
+
+* [Configuration overview](configuration.md)
+* [Configure general settings](config-general.md)
+* [Security configuration](config-security.md)
+* [Storage configuration](config-storage.md)

datacenter/dtr/2.1/configure/use-your-certificates.md

@@ -0,0 +1,51 @@
++++
+title = "Use your own certificates"
+description = "Learn how to configure Docker Trusted Registry to use your own certificates"
+keywords = ["Universal Control Plane, UCP, certificate, authentiation, tls"]
+[menu.main]
+parent="workw_dtr_configure"
+identifier="dtr-configure-certs"
+weight=0
++++
+
+# Use your own certificates
+
+By default the DTR services are exposed using HTTPS, to ensure all
+communications between clients and DTR is encrypted. Since DTR
+replicas use self-signed certificates for this, when a client accesses
+DTR, their browsers won't trust this certificate, so the browser displays a
+warning message.
+
+You can configure DTR to use your own certificates, so that it is automatically
+trusted by your users' browser and client tools.
+
+## Replace the server certificates
+
+To configure DTR to use your own certificates and keys, go to the
+**DTR web UI**, navigate to the **Settings** page, and scroll down to the
+**Domain** section.
+
+![](../images/use-your-certificates-1.png)
+
+
+Set the DTR domain name and upload the certificates and key:
+
+* Load balancer/public address, is the domain name clients will use to access DTR.
+* TLS certificate, is the server certificate and any intermediate CA public
+certificates. This certificate needs to be valid for the DTR public address,
+and have SANs for all addresses used to reach the DTR replicas, including load
+balancers.
+* TLS private key is the server private key.
+* TLS CA is the root CA public certificate.
+
+Finally, click **Save** for the changes to take effect.
+
+If you're using certificates issued by a globally trusted certificate authority,
+any web browser or client tool should now trust DTR. If you're using an internal
+certificate authority, you'll need to [configure your system to trust that
+certificate authority](../repos-and-images/index.md).
+
+## Where to go next
+
+* [Configure your Docker Engine](../repos-and-images/index.md)
+* [Pull an image](../repos-and-images/pull-an-image.md)

datacenter/dtr/2.1/high-availability/backups-and-disaster-recovery.md

@@ -0,0 +1,138 @@
+<!--[metadata]>
++++
+title = "Backups and disaster recovery"
+description = "Learn how to backup your Docker Trusted Registry cluster, and to recover your cluster from an existing backup."
+keywords = ["docker, registry, high-availability, backup, recovery"]
+[menu.main]
+parent="dtr_menu_high_availability"
+identifier="dtr_backup_disaster_recovery"
+weight=10
++++
+<![end-metadata]-->
+
+
+# Backups and disaster recovery
+
+When you decide to start using Docker Trusted Registry on a production
+setting, you should [configure it for high availability](index.md).
+
+The next step is creating a backup policy and disaster recovery plan.
+
+## DTR data persistency
+
+Docker Trusted Registry persists:
+
+* Configurations: the cluster configurations are stored on a key-value store
+that is replicated through all DTR replicas.
+* Repository metadata: the information about the repositories and
+images deployed. This information is replicated through all DTR replicas.
+* Certificates and keys: the certificates, public keys, and private keys that
+are used for mutual TLS communication.
+
+This data is persisted on the host where DTR is running, using named volumes.
+[Learn more about DTR named volumes](../architecture.md).
+
+DTR also persists Docker images on the filesystem of the host running DTR, or
+on a cloud provider, depending on the way DTR is configured.
+
+## Backup DTR data
+
+To perform a backup of a DTR node, use the `backup` command. This
+command creates a backup of DTR:
+
+* Configurations,
+* Repository metadata,
+* Certificates and keys used by DTR.
+
+These files are added to a tar archive, and the result is streamed to stdout.
+
+The backup command does not create a backup of Docker images. You should
+implement a separate backup policy for the Docker images, taking in
+consideration whether your DTR installation is configured to store images on the
+filesystem or using a cloud provider.
+
+The backup command also doesn't create a backup of the users and organizations.
+That data is managed by UCP, so when you create a UCP backup you're creating
+a backup of the users and organizations metadata.
+
+When creating a backup, the resulting .tar file contains sensitive information
+like private keys. You should ensure the backups are stored securely.
+
+You can check the
+[reference documentation](../reference/backup.md), for the
+backup command to learn about all the available flags.
+
+As an example, to create a backup of a DTR node, you can use:
+
+```bash
+# Create the backup
+$ docker run -i --rm docker/dtr:2.1.0-beta3 backup \
+  --ucp-url <ucp-url> \
+  --ucp-insecure-tls \
+  --existing-replica-id <replica-id> \
+  --ucp-username <ucp-admin> \
+  --ucp-password <ucp-password> > /tmp/backup.tar
+```
+
+Where:
+
+* `--ucp-url` is the address of UCP,
+* `--ucp-insecure-tls` is to trust the UCP TLS certificate,
+* `--existing-replica-id` is the id of the replica to backup,
+* `--ucp-username`, and `--ucp-password` are the credentials of a UCP administrator.
+
+To validate that the backup was correctly performed, you can print the contents
+of the tar file created:
+
+```bash
+$ tar -tf /tmp/backup.tar
+```
+
+## Restore DTR data
+
+You can restore a DTR node from a backup using the `restore`
+command.
+This command performs a fresh installation of DTR, and reconfigures it with
+the configuration created during a backup.
+
+The command starts by installing DTR, restores the configurations stored on
+etcd, and then restores the repository metadata stored on RethinkDB. You
+can use the `--config-only` option, to only restore the configurations stored
+on etcd.
+
+This command does not restore Docker images. You should implement a separate
+restore procedure for the Docker images stored in your registry, taking in
+consideration whether your DTR installation is configured to store images on
+the filesystem or using a cloud provider.
+
+You can check the
+[reference documentation](../reference/backup.md), for the
+backup command to learn about all the available flags.
+
+
+As an example, to install DTR on the host and restore its
+state from an existing backup:
+
+```bash
+# Install and restore configurations from an existing backup
+$ docker run -i --rm \
+  docker/dtr:2.1.0-beta3 restore \
+  --ucp-url <ucp-url> \
+  --ucp-insecure-tls \  
+  --ucp-username <ucp-admin> \
+  --ucp-password <ucp-password> \
+  --dtr-load-balancer <dtr-domain-name> < /tmp/backup.tar
+```
+
+Where:
+
+* `--ucp-url` is the address of UCP,
+* `--ucp-insecure-tls` is to trust the UCP TLS certificate,
+* `--ucp-username`, and `--ucp-password` are the credentials of a UCP administrator,
+* `--dtr-load-balancer` is the domain name or ip where DTR can be reached.
+
+
+## Where to go next
+
+* [Set up high availability](index.md)
+* [DTR architecture](../architecture.md)

datacenter/dtr/2.1/high-availability/index.md

@@ -0,0 +1,92 @@
+<!--[metadata]>
++++
+aliases = ["/docker-trusted-registry/high-availability/high-availability/"]
+title = "Set up high availability"
+description = "Learn how to set up Docker Trusted Registry for high availability."
+keywords = ["docker, registry, high-availability, backup, recovery"]
+[menu.main]
+parent="dtr_menu_high_availability"
+identifier="dtr_high_availability"
+weight=0
++++
+<![end-metadata]-->
+
+# Set up high availability
+
+Docker Trusted Registry (DTR) is designed for high availability.
+
+When you first install DTR, you create a cluster with a single DTR replica.
+Replicas are single instances of DTR that can be joined together to form a
+cluster.
+When joining new replicas to the cluster, you'll be creating new DTR instances
+that are running the same set of services. Any change to the state of an
+instance is replicated across all other instances.
+
+![](../images/high-availability-1.png)
+
+Having a DTR cluster with multiple replicas, allows you to:
+
+* Load-balance user requests across the DTR replicas,
+* Keep the DTR cluster working if a replica fails.
+
+To make a DTR installation tolerant to failures, add additional replicas to
+the DTR cluster.
+
+| DTR replicas | Failures tolerated |
+|:------------:|:------------------:|
+|      1       |         0          |
+|      3       |         1          |
+|      5       |         2          |
+|      7       |         3          |
+
+
+When sizing your DTR installation for high-availability,
+follow these rules of thumb:
+
+* Don't create a DTR cluster with just two replicas. Your cluster
+won't tolerate any failures, and it's possible that you experience performance
+degradation.
+* When a replica fails, the number of failures tolerated by your cluster
+decreases. Don't leave that replica offline for long.
+* Adding too many replicas to the cluster might also lead to performance
+degradation, as data needs to be replicated across all replicas.
+
+## Size your cluster
+
+When installing DTR for production, you should have dedicated nodes for running:
+
+* Docker Universal Control Plane (UCP) controller nodes,
+* DTR replicas,
+* Your own applications.
+
+Having dedicated nodes ensures all applications will remain performant since
+they have dedicated resources for them.
+It also makes it easier to implement backup policies and disaster recovery
+plans for UCP and DTR.
+
+To have have high-availability on UCP and DTR, you need a minimum of:
+
+* 3 dedicated nodes to install UCP with high availability,
+* 3 dedicated nodes to install DTR with high availability,
+* As many nodes as you want for running your containers and applications.
+
+
+![](../images/high-availability-2.png)
+
+## Load balancing
+
+DTR does not provide a load balancing service. You can use use an on-premises
+or cloud-based load balancer to balance requests across multiple DTR replicas.
+
+Make sure you configure your load balancer to:
+
+* Load-balance TCP traffic on ports 80 and 443,
+* Not terminate HTTPS connections,
+* Use the `/load_balancer_status` endpoint on each DTR replica, to check if
+the replica is healthy and if it should remain on the load balancing pool or
+not.
+
+## Where to go next
+
+* [Backups and disaster recovery](backups-and-disaster-recovery.md)
+* [DTR architecture](../architecture.md)

datacenter/dtr/2.1/high-availability/menu.md

@@ -0,0 +1,12 @@
+<!--[metadata]>
++++
+title = "High-availability"
+description = "Learn how to set up Docker Trusted Registry for high availability."
+keywords = ["docker, registry, high-availability, backup, recovery"]
+type = "menu"
+[menu.main]
+parent="workw_dtr"
+identifier="dtr_menu_high_availability"
+weight=70
++++
+<![end-metadata]-->

datacenter/dtr/2.1/images/Makefile

@@ -0,0 +1,47 @@
+
+SIZE="1280px"
+HOST=dtr.domain.com
+HOSTIP:=192.168.18.131
+HOSTURL=https://$(HOST)
+IMAGE=svendowideit/screenshot
+#IMAGE=screenshot
+RUNOPTS=docker run --rm -v $(CURDIR):/srv --add-host $(HOST):$(HOSTIP)
+RUN=$(RUNOPTS) $(IMAGE)
+
+all:
+	# Needs to be run with no authentication
+	$(RUN) $(HOSTURL)/admin/ admin-metrics.png $(SIZE)
+	$(RUN) $(HOSTURL)/admin/logs/ admin-logs.png $(SIZE)
+	$(RUN) $(HOSTURL)/admin/settings/auth/ admin-settings-authentication.png $(SIZE)
+	$(RUN) $(HOSTURL)/admin/settings/general admin-settings.png $(SIZE)
+	$(RUN) $(HOSTURL)/admin/settings/security admin-settings-security.png $(SIZE)
+	$(RUN) $(HOSTURL)/admin/settings/storage admin-settings-storage.png $(SIZE)
+	$(RUN) $(HOSTURL)/admin/settings/license admin-settings-license.png $(SIZE)
+
+manual:
+	#  --env-file=passwords.env
+	$(RUNOPTS)  --env-file=passwords.env \
+		$(IMAGE) \
+		$(HOSTURL)/admin/settings#auth admin-settings-authentication-basic.png $(SIZE)
+
+	#admin-settings-authentication-ldap.png
+
+
+# TODO: needs manual intervention atm
+qs1:
+	# this requires the hostname to resolve.
+	echo "$HOST $HOSTIP" >> /etc/hosts
+	# and requires that host to be added to the docker daemon's insecure registry settings
+	# maybe use a dind daemon?
+	
+	docker pull jenkins
+	docker tag -f jenkins t400s.home.org.au/ci-infrastructure/jnkns-img
+	docker push t400s.home.org.au/ci-infrastructure/jnkns-img
+	sleep 1
+	$(RUN) $(HOSTURL)/admin/ console-push.png $(SIZE)
+	sleep 10
+qs2:
+	docker rmi jenkins t400s.home.org.au/ci-infrastructure/jnkns-img
+	docker pull t400s.home.org.au/ci-infrastructure/jnkns-img
+	sleep 1
+	$(RUN) $(HOSTURL)/admin/ console-pull.png $(SIZE)

datacenter/dtr/2.1/images/authentication-authorization-1.svg

@@ -0,0 +1,90 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg width="690px" height="282px" viewBox="0 0 690 282" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+    <!-- Generator: Sketch 3.8.3 (29802) - http://www.bohemiancoding.com/sketch -->
+    <title>dtr-authorization-1</title>
+    <desc>Created with Sketch.</desc>
+    <defs>
+        <rect id="path-1" x="0" y="0" width="690" height="282"></rect>
+        <mask id="mask-2" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="0" y="0" width="690" height="282" fill="white">
+            <use xlink:href="#path-1"></use>
+        </mask>
+    </defs>
+    <g id="Apps" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
+        <g id="dtr-authorization-1">
+            <g id="all" transform="translate(175.000000, 62.000000)">
+                <g id="Group" transform="translate(168.000000, 0.000000)">
+                    <g id="teams">
+                        <g id="billing-team" transform="translate(100.000000, 0.000000)">
+                            <path d="M34.5,26.5 C41.820625,26.5 47.75,20.5540625 47.75,13.25 C47.75,5.929375 41.820625,0 34.5,0 C27.179375,0 21.25,5.929375 21.25,13.25 C21.25,20.5540625 27.179375,26.5 34.5,26.5 L34.5,26.5 Z M34.5,33.125 C25.6721875,33.125 8,37.5471875 8,46.375 L8,53 L61,53 L61,46.375 C61,37.5471875 43.3278125,33.125 34.5,33.125 L34.5,33.125 Z" id="Shape-Copy" fill="#9967FF"></path>
+                            <text font-family="OpenSans-Semibold, Open Sans" font-size="12" font-weight="500" fill="#C0C9CE">
+                                <tspan x="0" y="68">billing team</tspan>
+                            </text>
+                        </g>
+                        <g id="blog-team">
+                            <text font-family="OpenSans-Semibold, Open Sans" font-size="12" font-weight="500" fill="#C0C9CE">
+                                <tspan x="0" y="68">blog team</tspan>
+                            </text>
+                            <path d="M29.5,26.5 C36.820625,26.5 42.75,20.5540625 42.75,13.25 C42.75,5.929375 36.820625,0 29.5,0 C22.179375,0 16.25,5.929375 16.25,13.25 C16.25,20.5540625 22.179375,26.5 29.5,26.5 L29.5,26.5 Z M29.5,33.125 C20.6721875,33.125 3,37.5471875 3,46.375 L3,53 L56,53 L56,46.375 C56,37.5471875 38.3278125,33.125 29.5,33.125 L29.5,33.125 Z" id="Shape-Copy-2" fill="#00CBCA"></path>
+                        </g>
+                    </g>
+                </g>
+                <g id="permissions" transform="translate(160.000000, 101.000000)">
+                    <g id="6" transform="translate(105.000000, 84.000000)" fill="#C0C9CE">
+                        <path d="M75,11.3466667 L75,8.65333333 C73.6241667,8.16416667 72.755,8.02666667 72.3175,6.97083333 L72.3175,6.97 C71.8783333,5.91083333 72.4008333,5.19166667 73.0233333,3.88083333 L71.1191667,1.97666667 C69.8183333,2.595 69.0916667,3.1225 68.03,2.6825 L68.0291667,2.6825 C66.9716667,2.24416667 66.8333333,1.36916667 66.3466667,0 L63.6533333,0 C63.1683333,1.3625 63.0291667,2.24333333 61.9708333,2.6825 L61.97,2.6825 C60.9108333,3.1225 60.1933333,2.60083333 58.8808333,1.97666667 L56.9766667,3.88083333 C57.5975,5.1875 58.1225,5.90916667 57.6825,6.97 C57.2433333,8.02916667 56.3625,8.16833333 55,8.65333333 L55,11.3466667 C56.36,11.83 57.2433333,11.9708333 57.6825,13.0291667 C58.1241667,14.0975 57.5875,14.8341667 56.9766667,16.1183333 L58.8808333,18.0233333 C60.1825,17.4041667 60.9091667,16.8775 61.97,17.3175 L61.9708333,17.3175 C63.0291667,17.7558333 63.1675,18.6333333 63.6533333,20 L66.3466667,20 C66.8316667,18.6366667 66.9716667,17.7583333 68.0358333,17.315 L68.0366667,17.315 C69.0883333,16.8783333 69.8033333,17.3991667 71.1183333,18.0241667 L73.0225,16.1191667 C72.4025,14.8166667 71.8766667,14.0916667 72.3158333,13.0308333 C72.755,11.9716667 73.6391667,11.8308333 75,11.3466667 L75,11.3466667 Z M65,13.3333333 C63.1591667,13.3333333 61.6666667,11.8408333 61.6666667,10 C61.6666667,8.15916667 63.1591667,6.66666667 65,6.66666667 C66.8408333,6.66666667 68.3333333,8.15916667 68.3333333,10 C68.3333333,11.8408333 66.8408333,13.3333333 65,13.3333333 L65,13.3333333 Z" id="settings"></path>
+                        <path d="M12.09,1 C4.5,1 0,10 0,10 C0,10 4.5,19 12.09,19 C19.5,19 24,10 24,10 C24,10 19.5,1 12.09,1 L12.09,1 Z M12,16 C8.7,16 6,13.33 6,10 C6,6.7 8.7,4 12,4 C15.33,4 18,6.7 18,10 C18,13.33 15.33,16 12,16 L12,16 Z M15,10 C15,11.665 13.665,13 12,13 C10.335,13 9,11.665 9,10 C9,8.335 10.335,7 12,7 C13.665,7 15,8.335 15,10 L15,10 Z" id="Shape"></path>
+                        <path d="M31,15.0272045 L31,19 L34.9727791,19 L45.5668567,8.40587876 L41.5940776,4.4330833 L31,15.0272045 L31,15.0272045 Z M34.9727791,17.6757348 L32.3242597,17.6757348 L32.3242597,15.0272045 L33.6485194,15.0272045 L33.6485194,16.3514697 L34.9727791,16.3514697 L34.9727791,17.6757348 L34.9727791,17.6757348 Z M48.612654,5.36006891 L46.8911164,7.08161361 L42.9183373,3.10881814 L44.6398749,1.38727344 C44.8873057,1.13933381 45.2231988,1 45.573478,1 C45.9237573,1 46.2596503,1.13933381 46.5070811,1.38727344 L48.612654,3.49285504 C49.1291153,4.00931845 49.1291153,4.8436055 48.612654,5.36006891 L48.612654,5.36006891 Z" id="Shape"></path>
+                    </g>
+                    <g id="5" transform="translate(0.000000, 84.000000)" fill="#C0C9CE">
+                        <path d="M75,11.3466667 L75,8.65333333 C73.6241667,8.16416667 72.755,8.02666667 72.3175,6.97083333 L72.3175,6.97 C71.8783333,5.91083333 72.4008333,5.19166667 73.0233333,3.88083333 L71.1191667,1.97666667 C69.8183333,2.595 69.0916667,3.1225 68.03,2.6825 L68.0291667,2.6825 C66.9716667,2.24416667 66.8333333,1.36916667 66.3466667,0 L63.6533333,0 C63.1683333,1.3625 63.0291667,2.24333333 61.9708333,2.6825 L61.97,2.6825 C60.9108333,3.1225 60.1933333,2.60083333 58.8808333,1.97666667 L56.9766667,3.88083333 C57.5975,5.1875 58.1225,5.90916667 57.6825,6.97 C57.2433333,8.02916667 56.3625,8.16833333 55,8.65333333 L55,11.3466667 C56.36,11.83 57.2433333,11.9708333 57.6825,13.0291667 C58.1241667,14.0975 57.5875,14.8341667 56.9766667,16.1183333 L58.8808333,18.0233333 C60.1825,17.4041667 60.9091667,16.8775 61.97,17.3175 L61.9708333,17.3175 C63.0291667,17.7558333 63.1675,18.6333333 63.6533333,20 L66.3466667,20 C66.8316667,18.6366667 66.9716667,17.7583333 68.0358333,17.315 L68.0366667,17.315 C69.0883333,16.8783333 69.8033333,17.3991667 71.1183333,18.0241667 L73.0225,16.1191667 C72.4025,14.8166667 71.8766667,14.0916667 72.3158333,13.0308333 C72.755,11.9716667 73.6391667,11.8308333 75,11.3466667 L75,11.3466667 Z M65,13.3333333 C63.1591667,13.3333333 61.6666667,11.8408333 61.6666667,10 C61.6666667,8.15916667 63.1591667,6.66666667 65,6.66666667 C66.8408333,6.66666667 68.3333333,8.15916667 68.3333333,10 C68.3333333,11.8408333 66.8408333,13.3333333 65,13.3333333 L65,13.3333333 Z" id="settings"></path>
+                        <path d="M12.09,1 C4.5,1 0,10 0,10 C0,10 4.5,19 12.09,19 C19.5,19 24,10 24,10 C24,10 19.5,1 12.09,1 L12.09,1 Z M12,16 C8.7,16 6,13.33 6,10 C6,6.7 8.7,4 12,4 C15.33,4 18,6.7 18,10 C18,13.33 15.33,16 12,16 L12,16 Z M15,10 C15,11.665 13.665,13 12,13 C10.335,13 9,11.665 9,10 C9,8.335 10.335,7 12,7 C13.665,7 15,8.335 15,10 L15,10 Z" id="Shape"></path>
+                        <path d="M31,15.0272045 L31,19 L34.9727791,19 L45.5668567,8.40587876 L41.5940776,4.4330833 L31,15.0272045 L31,15.0272045 Z M34.9727791,17.6757348 L32.3242597,17.6757348 L32.3242597,15.0272045 L33.6485194,15.0272045 L33.6485194,16.3514697 L34.9727791,16.3514697 L34.9727791,17.6757348 L34.9727791,17.6757348 Z M48.612654,5.36006891 L46.8911164,7.08161361 L42.9183373,3.10881814 L44.6398749,1.38727344 C44.8873057,1.13933381 45.2231988,1 45.573478,1 C45.9237573,1 46.2596503,1.13933381 46.5070811,1.38727344 L48.612654,3.49285504 C49.1291153,4.00931845 49.1291153,4.8436055 48.612654,5.36006891 L48.612654,5.36006891 Z" id="Shape"></path>
+                    </g>
+                    <g id="4" transform="translate(105.000000, 42.000000)">
+                        <path d="M75,11.3466667 L75,8.65333333 C73.6241667,8.16416667 72.755,8.02666667 72.3175,6.97083333 L72.3175,6.97 C71.8783333,5.91083333 72.4008333,5.19166667 73.0233333,3.88083333 L71.1191667,1.97666667 C69.8183333,2.595 69.0916667,3.1225 68.03,2.6825 L68.0291667,2.6825 C66.9716667,2.24416667 66.8333333,1.36916667 66.3466667,0 L63.6533333,0 C63.1683333,1.3625 63.0291667,2.24333333 61.9708333,2.6825 L61.97,2.6825 C60.9108333,3.1225 60.1933333,2.60083333 58.8808333,1.97666667 L56.9766667,3.88083333 C57.5975,5.1875 58.1225,5.90916667 57.6825,6.97 C57.2433333,8.02916667 56.3625,8.16833333 55,8.65333333 L55,11.3466667 C56.36,11.83 57.2433333,11.9708333 57.6825,13.0291667 C58.1241667,14.0975 57.5875,14.8341667 56.9766667,16.1183333 L58.8808333,18.0233333 C60.1825,17.4041667 60.9091667,16.8775 61.97,17.3175 L61.9708333,17.3175 C63.0291667,17.7558333 63.1675,18.6333333 63.6533333,20 L66.3466667,20 C66.8316667,18.6366667 66.9716667,17.7583333 68.0358333,17.315 L68.0366667,17.315 C69.0883333,16.8783333 69.8033333,17.3991667 71.1183333,18.0241667 L73.0225,16.1191667 C72.4025,14.8166667 71.8766667,14.0916667 72.3158333,13.0308333 C72.755,11.9716667 73.6391667,11.8308333 75,11.3466667 L75,11.3466667 Z M65,13.3333333 C63.1591667,13.3333333 61.6666667,11.8408333 61.6666667,10 C61.6666667,8.15916667 63.1591667,6.66666667 65,6.66666667 C66.8408333,6.66666667 68.3333333,8.15916667 68.3333333,10 C68.3333333,11.8408333 66.8408333,13.3333333 65,13.3333333 L65,13.3333333 Z" id="settings" fill="#C0C9CE"></path>
+                        <path d="M12.09,1 C4.5,1 0,10 0,10 C0,10 4.5,19 12.09,19 C19.5,19 24,10 24,10 C24,10 19.5,1 12.09,1 L12.09,1 Z M12,16 C8.7,16 6,13.33 6,10 C6,6.7 8.7,4 12,4 C15.33,4 18,6.7 18,10 C18,13.33 15.33,16 12,16 L12,16 Z M15,10 C15,11.665 13.665,13 12,13 C10.335,13 9,11.665 9,10 C9,8.335 10.335,7 12,7 C13.665,7 15,8.335 15,10 L15,10 Z" id="Shape" fill="#445D6E"></path>
+                        <path d="M31,15.0272045 L31,19 L34.9727791,19 L45.5668567,8.40587876 L41.5940776,4.4330833 L31,15.0272045 L31,15.0272045 Z M34.9727791,17.6757348 L32.3242597,17.6757348 L32.3242597,15.0272045 L33.6485194,15.0272045 L33.6485194,16.3514697 L34.9727791,16.3514697 L34.9727791,17.6757348 L34.9727791,17.6757348 Z M48.612654,5.36006891 L46.8911164,7.08161361 L42.9183373,3.10881814 L44.6398749,1.38727344 C44.8873057,1.13933381 45.2231988,1 45.573478,1 C45.9237573,1 46.2596503,1.13933381 46.5070811,1.38727344 L48.612654,3.49285504 C49.1291153,4.00931845 49.1291153,4.8436055 48.612654,5.36006891 L48.612654,5.36006891 Z" id="Shape" fill="#445D6E"></path>
+                    </g>
+                    <g id="3" transform="translate(0.000000, 42.000000)">
+                        <path d="M75,11.3466667 L75,8.65333333 C73.6241667,8.16416667 72.755,8.02666667 72.3175,6.97083333 L72.3175,6.97 C71.8783333,5.91083333 72.4008333,5.19166667 73.0233333,3.88083333 L71.1191667,1.97666667 C69.8183333,2.595 69.0916667,3.1225 68.03,2.6825 L68.0291667,2.6825 C66.9716667,2.24416667 66.8333333,1.36916667 66.3466667,0 L63.6533333,0 C63.1683333,1.3625 63.0291667,2.24333333 61.9708333,2.6825 L61.97,2.6825 C60.9108333,3.1225 60.1933333,2.60083333 58.8808333,1.97666667 L56.9766667,3.88083333 C57.5975,5.1875 58.1225,5.90916667 57.6825,6.97 C57.2433333,8.02916667 56.3625,8.16833333 55,8.65333333 L55,11.3466667 C56.36,11.83 57.2433333,11.9708333 57.6825,13.0291667 C58.1241667,14.0975 57.5875,14.8341667 56.9766667,16.1183333 L58.8808333,18.0233333 C60.1825,17.4041667 60.9091667,16.8775 61.97,17.3175 L61.9708333,17.3175 C63.0291667,17.7558333 63.1675,18.6333333 63.6533333,20 L66.3466667,20 C66.8316667,18.6366667 66.9716667,17.7583333 68.0358333,17.315 L68.0366667,17.315 C69.0883333,16.8783333 69.8033333,17.3991667 71.1183333,18.0241667 L73.0225,16.1191667 C72.4025,14.8166667 71.8766667,14.0916667 72.3158333,13.0308333 C72.755,11.9716667 73.6391667,11.8308333 75,11.3466667 L75,11.3466667 Z M65,13.3333333 C63.1591667,13.3333333 61.6666667,11.8408333 61.6666667,10 C61.6666667,8.15916667 63.1591667,6.66666667 65,6.66666667 C66.8408333,6.66666667 68.3333333,8.15916667 68.3333333,10 C68.3333333,11.8408333 66.8408333,13.3333333 65,13.3333333 L65,13.3333333 Z" id="settings" fill="#C0C9CE"></path>
+                        <path d="M12.09,1 C4.5,1 0,10 0,10 C0,10 4.5,19 12.09,19 C19.5,19 24,10 24,10 C24,10 19.5,1 12.09,1 L12.09,1 Z M12,16 C8.7,16 6,13.33 6,10 C6,6.7 8.7,4 12,4 C15.33,4 18,6.7 18,10 C18,13.33 15.33,16 12,16 L12,16 Z M15,10 C15,11.665 13.665,13 12,13 C10.335,13 9,11.665 9,10 C9,8.335 10.335,7 12,7 C13.665,7 15,8.335 15,10 L15,10 Z" id="Shape" fill="#445D6E"></path>
+                        <path d="M31,15.0272045 L31,19 L34.9727791,19 L45.5668567,8.40587876 L41.5940776,4.4330833 L31,15.0272045 L31,15.0272045 Z M34.9727791,17.6757348 L32.3242597,17.6757348 L32.3242597,15.0272045 L33.6485194,15.0272045 L33.6485194,16.3514697 L34.9727791,16.3514697 L34.9727791,17.6757348 L34.9727791,17.6757348 Z M48.612654,5.36006891 L46.8911164,7.08161361 L42.9183373,3.10881814 L44.6398749,1.38727344 C44.8873057,1.13933381 45.2231988,1 45.573478,1 C45.9237573,1 46.2596503,1.13933381 46.5070811,1.38727344 L48.612654,3.49285504 C49.1291153,4.00931845 49.1291153,4.8436055 48.612654,5.36006891 L48.612654,5.36006891 Z" id="Shape" fill="#C0C9CE"></path>
+                    </g>
+                    <g id="2" transform="translate(105.000000, 0.000000)" fill="#445D6E">
+                        <path d="M75,11.3466667 L75,8.65333333 C73.6241667,8.16416667 72.755,8.02666667 72.3175,6.97083333 L72.3175,6.97 C71.8783333,5.91083333 72.4008333,5.19166667 73.0233333,3.88083333 L71.1191667,1.97666667 C69.8183333,2.595 69.0916667,3.1225 68.03,2.6825 L68.0291667,2.6825 C66.9716667,2.24416667 66.8333333,1.36916667 66.3466667,0 L63.6533333,0 C63.1683333,1.3625 63.0291667,2.24333333 61.9708333,2.6825 L61.97,2.6825 C60.9108333,3.1225 60.1933333,2.60083333 58.8808333,1.97666667 L56.9766667,3.88083333 C57.5975,5.1875 58.1225,5.90916667 57.6825,6.97 C57.2433333,8.02916667 56.3625,8.16833333 55,8.65333333 L55,11.3466667 C56.36,11.83 57.2433333,11.9708333 57.6825,13.0291667 C58.1241667,14.0975 57.5875,14.8341667 56.9766667,16.1183333 L58.8808333,18.0233333 C60.1825,17.4041667 60.9091667,16.8775 61.97,17.3175 L61.9708333,17.3175 C63.0291667,17.7558333 63.1675,18.6333333 63.6533333,20 L66.3466667,20 C66.8316667,18.6366667 66.9716667,17.7583333 68.0358333,17.315 L68.0366667,17.315 C69.0883333,16.8783333 69.8033333,17.3991667 71.1183333,18.0241667 L73.0225,16.1191667 C72.4025,14.8166667 71.8766667,14.0916667 72.3158333,13.0308333 C72.755,11.9716667 73.6391667,11.8308333 75,11.3466667 L75,11.3466667 Z M65,13.3333333 C63.1591667,13.3333333 61.6666667,11.8408333 61.6666667,10 C61.6666667,8.15916667 63.1591667,6.66666667 65,6.66666667 C66.8408333,6.66666667 68.3333333,8.15916667 68.3333333,10 C68.3333333,11.8408333 66.8408333,13.3333333 65,13.3333333 L65,13.3333333 Z" id="settings"></path>
+                        <path d="M12.09,1 C4.5,1 0,10 0,10 C0,10 4.5,19 12.09,19 C19.5,19 24,10 24,10 C24,10 19.5,1 12.09,1 L12.09,1 Z M12,16 C8.7,16 6,13.33 6,10 C6,6.7 8.7,4 12,4 C15.33,4 18,6.7 18,10 C18,13.33 15.33,16 12,16 L12,16 Z M15,10 C15,11.665 13.665,13 12,13 C10.335,13 9,11.665 9,10 C9,8.335 10.335,7 12,7 C13.665,7 15,8.335 15,10 L15,10 Z" id="Shape"></path>
+                        <path d="M31,15.0272045 L31,19 L34.9727791,19 L45.5668567,8.40587876 L41.5940776,4.4330833 L31,15.0272045 L31,15.0272045 Z M34.9727791,17.6757348 L32.3242597,17.6757348 L32.3242597,15.0272045 L33.6485194,15.0272045 L33.6485194,16.3514697 L34.9727791,16.3514697 L34.9727791,17.6757348 L34.9727791,17.6757348 Z M48.612654,5.36006891 L46.8911164,7.08161361 L42.9183373,3.10881814 L44.6398749,1.38727344 C44.8873057,1.13933381 45.2231988,1 45.573478,1 C45.9237573,1 46.2596503,1.13933381 46.5070811,1.38727344 L48.612654,3.49285504 C49.1291153,4.00931845 49.1291153,4.8436055 48.612654,5.36006891 L48.612654,5.36006891 Z" id="Shape"></path>
+                    </g>
+                    <g id="1" fill="#C0C9CE">
+                        <path d="M75,11.3466667 L75,8.65333333 C73.6241667,8.16416667 72.755,8.02666667 72.3175,6.97083333 L72.3175,6.97 C71.8783333,5.91083333 72.4008333,5.19166667 73.0233333,3.88083333 L71.1191667,1.97666667 C69.8183333,2.595 69.0916667,3.1225 68.03,2.6825 L68.0291667,2.6825 C66.9716667,2.24416667 66.8333333,1.36916667 66.3466667,0 L63.6533333,0 C63.1683333,1.3625 63.0291667,2.24333333 61.9708333,2.6825 L61.97,2.6825 C60.9108333,3.1225 60.1933333,2.60083333 58.8808333,1.97666667 L56.9766667,3.88083333 C57.5975,5.1875 58.1225,5.90916667 57.6825,6.97 C57.2433333,8.02916667 56.3625,8.16833333 55,8.65333333 L55,11.3466667 C56.36,11.83 57.2433333,11.9708333 57.6825,13.0291667 C58.1241667,14.0975 57.5875,14.8341667 56.9766667,16.1183333 L58.8808333,18.0233333 C60.1825,17.4041667 60.9091667,16.8775 61.97,17.3175 L61.9708333,17.3175 C63.0291667,17.7558333 63.1675,18.6333333 63.6533333,20 L66.3466667,20 C66.8316667,18.6366667 66.9716667,17.7583333 68.0358333,17.315 L68.0366667,17.315 C69.0883333,16.8783333 69.8033333,17.3991667 71.1183333,18.0241667 L73.0225,16.1191667 C72.4025,14.8166667 71.8766667,14.0916667 72.3158333,13.0308333 C72.755,11.9716667 73.6391667,11.8308333 75,11.3466667 L75,11.3466667 Z M65,13.3333333 C63.1591667,13.3333333 61.6666667,11.8408333 61.6666667,10 C61.6666667,8.15916667 63.1591667,6.66666667 65,6.66666667 C66.8408333,6.66666667 68.3333333,8.15916667 68.3333333,10 C68.3333333,11.8408333 66.8408333,13.3333333 65,13.3333333 L65,13.3333333 Z" id="settings"></path>
+                        <path d="M12.09,1 C4.5,1 0,10 0,10 C0,10 4.5,19 12.09,19 C19.5,19 24,10 24,10 C24,10 19.5,1 12.09,1 L12.09,1 Z M12,16 C8.7,16 6,13.33 6,10 C6,6.7 8.7,4 12,4 C15.33,4 18,6.7 18,10 C18,13.33 15.33,16 12,16 L12,16 Z M15,10 C15,11.665 13.665,13 12,13 C10.335,13 9,11.665 9,10 C9,8.335 10.335,7 12,7 C13.665,7 15,8.335 15,10 L15,10 Z" id="Shape"></path>
+                        <path d="M31,15.0272045 L31,19 L34.9727791,19 L45.5668567,8.40587876 L41.5940776,4.4330833 L31,15.0272045 L31,15.0272045 Z M34.9727791,17.6757348 L32.3242597,17.6757348 L32.3242597,15.0272045 L33.6485194,15.0272045 L33.6485194,16.3514697 L34.9727791,16.3514697 L34.9727791,17.6757348 L34.9727791,17.6757348 Z M48.612654,5.36006891 L46.8911164,7.08161361 L42.9183373,3.10881814 L44.6398749,1.38727344 C44.8873057,1.13933381 45.2231988,1 45.573478,1 C45.9237573,1 46.2596503,1.13933381 46.5070811,1.38727344 L48.612654,3.49285504 C49.1291153,4.00931845 49.1291153,4.8436055 48.612654,5.36006891 L48.612654,5.36006891 Z" id="Shape"></path>
+                    </g>
+                </g>
+                <g id="repos" transform="translate(0.000000, 98.000000)">
+                    <g id="node" transform="translate(0.000000, 84.000000)">
+                        <text id="whale/node" font-family="OpenSans-Semibold, Open Sans" font-size="16" font-weight="500" fill="#C0C9CE">
+                            <tspan x="33" y="19">whale/node</tspan>
+                        </text>
+                        <path d="M27.5661032,5.88472594 C28.0144632,6.52363904 28.1153442,7.24661966 27.8687462,8.05366778 L23.245033,23.2867012 C23.0320619,24.0040773 22.6033176,24.6065612 21.9588,25.0941528 C21.3142824,25.5817443 20.6277311,25.8255401 19.8991459,25.8255401 L4.38028296,25.8255401 C3.51718982,25.8255401 2.68492144,25.5256993 1.88347781,24.9260177 C1.08203418,24.3263361 0.524386344,23.5893443 0.210534294,22.7150421 C-0.0584817485,21.964039 -0.0696907502,21.2522674 0.176907289,20.5797273 C0.176907289,20.5348913 0.193720792,20.3835698 0.227347797,20.1257627 C0.260974802,19.8679557 0.283392806,19.6605891 0.294601808,19.5036631 C0.30581081,19.4139911 0.288997307,19.2934943 0.2441613,19.1421728 C0.199325293,18.9908513 0.18251179,18.8815635 0.193720792,18.8143095 C0.216138795,18.6910105 0.260974802,18.573316 0.328228813,18.4612259 C0.395482824,18.3491359 0.487957089,18.2174302 0.605651607,18.0661086 C0.723346126,17.9147871 0.815820391,17.7830813 0.883074402,17.6709913 C1.14088144,17.2450492 1.39308398,16.7322374 1.63968202,16.1325558 C1.88628006,15.5328742 2.05441509,15.0200624 2.1440871,14.5941203 C2.17771411,14.4820303 2.18051636,14.3138953 2.15249385,14.0897152 C2.12447135,13.8655352 2.1216691,13.7086092 2.1440871,13.6189372 C2.17771411,13.4956382 2.27299062,13.3387121 2.42991665,13.1481591 C2.58684267,12.9576061 2.68211919,12.8287025 2.71574619,12.7614485 C2.95113523,12.3579245 3.18652427,11.8423104 3.42191331,11.2146063 C3.65730234,10.5869022 3.79741487,10.0824971 3.84225087,9.70139105 C3.85345988,9.60051003 3.83944862,9.421166 3.80021712,9.16335896 C3.76098561,8.90555192 3.76378786,8.7486259 3.80862387,8.69258089 C3.85345988,8.54686386 3.9767589,8.37592659 4.17852093,8.17976905 C4.38028296,7.98361152 4.50358198,7.85751025 4.54841799,7.80146524 C4.76138902,7.5100312 4.99958031,7.03645087 5.26299185,6.38072427 C5.52640339,5.72499766 5.68052717,5.18416333 5.72536317,4.75822126 C5.73657218,4.66854924 5.71975867,4.52563447 5.67492267,4.32947694 C5.63008666,4.13331941 5.61887766,3.98480014 5.64129566,3.88391912 C5.66371366,3.79424711 5.71415417,3.69336609 5.79261718,3.58127607 C5.8710802,3.46918605 5.97196121,3.34028253 6.09526023,3.19456551 C6.21855925,3.04884849 6.31383577,2.93115397 6.38108978,2.84148195 C6.47076179,2.70697393 6.56323606,2.53603665 6.65851257,2.32867012 C6.75378909,2.12130359 6.8378566,1.92514606 6.91071511,1.74019753 C6.98357362,1.555249 7.07324564,1.35348697 7.17973116,1.13491143 C7.28621667,0.916335896 7.39550444,0.736991868 7.50759446,0.596879345 C7.61968448,0.456766823 7.76820375,0.325061052 7.95315228,0.201762032 C8.13810081,0.0784630125 8.33986284,0.0140112522 8.55843838,0.00840675134 C8.77701391,0.00280225045 9.0432277,0.0336270054 9.35707975,0.100881016 L9.34026625,0.151321524 C9.76620832,0.050440508 10.0520379,0 10.1977549,0 L22.9928304,0 C23.8222966,0 24.4612097,0.31385205 24.9095697,0.94155615 C25.3579298,1.56926025 25.4588108,2.29784537 25.2122128,3.1273115 L20.605313,18.3603449 C20.201789,19.6942161 19.8010672,20.554507 19.4031476,20.9412176 C19.005228,21.3279282 18.2850497,21.5212834 17.2426125,21.5212834 L2.63167868,21.5212834 C2.32903563,21.5212834 2.1160646,21.6053509 1.99276558,21.773486 C1.86946656,21.95283 1.86386206,22.1938235 1.97595208,22.4964666 C2.24496812,23.2810967 3.05201625,23.6734118 4.39709646,23.6734118 L19.9159594,23.6734118 C20.2410205,23.6734118 20.5548725,23.586542 20.8575156,23.4128025 C21.1601586,23.239063 21.3563162,23.0064762 21.4459882,22.7150421 L26.490039,6.12011498 C26.568502,5.87351694 26.5965245,5.55406039 26.5741065,5.16174532 C27.0000486,5.32988035 27.3307141,5.57087389 27.5661032,5.88472594 L27.5661032,5.88472594 Z M9.6765363,5.91835294 C9.6317003,6.06406997 9.6429093,6.19017124 9.71016331,6.29665675 C9.77741732,6.40314227 9.88950734,6.45638503 10.0464334,6.45638503 L20.269043,6.45638503 C20.41476,6.45638503 20.5576748,6.40314227 20.6977873,6.29665675 C20.8378998,6.19017124 20.9303741,6.06406997 20.9752101,5.91835294 L21.3282937,4.84228877 C21.3731297,4.69657175 21.3619207,4.57047048 21.2946667,4.46398496 C21.2274126,4.35749944 21.1153226,4.30425669 20.9583966,4.30425669 L10.735787,4.30425669 C10.5900699,4.30425669 10.4471552,4.35749944 10.3070427,4.46398496 C10.1669301,4.57047048 10.0744559,4.69657175 10.0296199,4.84228877 L9.6765363,5.91835294 Z M8.28101558,10.2226096 C8.23617957,10.3683267 8.24738858,10.4944279 8.31464259,10.6009134 C8.3818966,10.707399 8.49398662,10.7606417 8.65091264,10.7606417 L18.8735223,10.7606417 C19.0192393,10.7606417 19.1621541,10.707399 19.3022666,10.6009134 C19.4423791,10.4944279 19.5348534,10.3683267 19.5796894,10.2226096 L19.9327729,9.14654546 C19.9776089,9.00082844 19.9663999,8.87472717 19.8991459,8.76824165 C19.8318919,8.66175613 19.7198019,8.60851337 19.5628759,8.60851337 L9.34026625,8.60851337 C9.19454923,8.60851337 9.05163445,8.66175613 8.91152193,8.76824165 C8.77140941,8.87472717 8.67893514,9.00082844 8.63409914,9.14654546 L8.28101558,10.2226096 Z" id="Shape" fill="#1AAAF8"></path>
+                    </g>
+                    <g id="java" transform="translate(0.000000, 42.000000)">
+                        <text id="whale/java" font-family="OpenSans-Semibold, Open Sans" font-size="16" font-weight="500" fill="#C0C9CE">
+                            <tspan x="33" y="19">whale/java</tspan>
+                        </text>
+                        <path d="M27.5661032,5.88472594 C28.0144632,6.52363904 28.1153442,7.24661966 27.8687462,8.05366778 L23.245033,23.2867012 C23.0320619,24.0040773 22.6033176,24.6065612 21.9588,25.0941528 C21.3142824,25.5817443 20.6277311,25.8255401 19.8991459,25.8255401 L4.38028296,25.8255401 C3.51718982,25.8255401 2.68492144,25.5256993 1.88347781,24.9260177 C1.08203418,24.3263361 0.524386344,23.5893443 0.210534294,22.7150421 C-0.0584817485,21.964039 -0.0696907502,21.2522674 0.176907289,20.5797273 C0.176907289,20.5348913 0.193720792,20.3835698 0.227347797,20.1257627 C0.260974802,19.8679557 0.283392806,19.6605891 0.294601808,19.5036631 C0.30581081,19.4139911 0.288997307,19.2934943 0.2441613,19.1421728 C0.199325293,18.9908513 0.18251179,18.8815635 0.193720792,18.8143095 C0.216138795,18.6910105 0.260974802,18.573316 0.328228813,18.4612259 C0.395482824,18.3491359 0.487957089,18.2174302 0.605651607,18.0661086 C0.723346126,17.9147871 0.815820391,17.7830813 0.883074402,17.6709913 C1.14088144,17.2450492 1.39308398,16.7322374 1.63968202,16.1325558 C1.88628006,15.5328742 2.05441509,15.0200624 2.1440871,14.5941203 C2.17771411,14.4820303 2.18051636,14.3138953 2.15249385,14.0897152 C2.12447135,13.8655352 2.1216691,13.7086092 2.1440871,13.6189372 C2.17771411,13.4956382 2.27299062,13.3387121 2.42991665,13.1481591 C2.58684267,12.9576061 2.68211919,12.8287025 2.71574619,12.7614485 C2.95113523,12.3579245 3.18652427,11.8423104 3.42191331,11.2146063 C3.65730234,10.5869022 3.79741487,10.0824971 3.84225087,9.70139105 C3.85345988,9.60051003 3.83944862,9.421166 3.80021712,9.16335896 C3.76098561,8.90555192 3.76378786,8.7486259 3.80862387,8.69258089 C3.85345988,8.54686386 3.9767589,8.37592659 4.17852093,8.17976905 C4.38028296,7.98361152 4.50358198,7.85751025 4.54841799,7.80146524 C4.76138902,7.5100312 4.99958031,7.03645087 5.26299185,6.38072427 C5.52640339,5.72499766 5.68052717,5.18416333 5.72536317,4.75822126 C5.73657218,4.66854924 5.71975867,4.52563447 5.67492267,4.32947694 C5.63008666,4.13331941 5.61887766,3.98480014 5.64129566,3.88391912 C5.66371366,3.79424711 5.71415417,3.69336609 5.79261718,3.58127607 C5.8710802,3.46918605 5.97196121,3.34028253 6.09526023,3.19456551 C6.21855925,3.04884849 6.31383577,2.93115397 6.38108978,2.84148195 C6.47076179,2.70697393 6.56323606,2.53603665 6.65851257,2.32867012 C6.75378909,2.12130359 6.8378566,1.92514606 6.91071511,1.74019753 C6.98357362,1.555249 7.07324564,1.35348697 7.17973116,1.13491143 C7.28621667,0.916335896 7.39550444,0.736991868 7.50759446,0.596879345 C7.61968448,0.456766823 7.76820375,0.325061052 7.95315228,0.201762032 C8.13810081,0.0784630125 8.33986284,0.0140112522 8.55843838,0.00840675134 C8.77701391,0.00280225045 9.0432277,0.0336270054 9.35707975,0.100881016 L9.34026625,0.151321524 C9.76620832,0.050440508 10.0520379,0 10.1977549,0 L22.9928304,0 C23.8222966,0 24.4612097,0.31385205 24.9095697,0.94155615 C25.3579298,1.56926025 25.4588108,2.29784537 25.2122128,3.1273115 L20.605313,18.3603449 C20.201789,19.6942161 19.8010672,20.554507 19.4031476,20.9412176 C19.005228,21.3279282 18.2850497,21.5212834 17.2426125,21.5212834 L2.63167868,21.5212834 C2.32903563,21.5212834 2.1160646,21.6053509 1.99276558,21.773486 C1.86946656,21.95283 1.86386206,22.1938235 1.97595208,22.4964666 C2.24496812,23.2810967 3.05201625,23.6734118 4.39709646,23.6734118 L19.9159594,23.6734118 C20.2410205,23.6734118 20.5548725,23.586542 20.8575156,23.4128025 C21.1601586,23.239063 21.3563162,23.0064762 21.4459882,22.7150421 L26.490039,6.12011498 C26.568502,5.87351694 26.5965245,5.55406039 26.5741065,5.16174532 C27.0000486,5.32988035 27.3307141,5.57087389 27.5661032,5.88472594 L27.5661032,5.88472594 Z M9.6765363,5.91835294 C9.6317003,6.06406997 9.6429093,6.19017124 9.71016331,6.29665675 C9.77741732,6.40314227 9.88950734,6.45638503 10.0464334,6.45638503 L20.269043,6.45638503 C20.41476,6.45638503 20.5576748,6.40314227 20.6977873,6.29665675 C20.8378998,6.19017124 20.9303741,6.06406997 20.9752101,5.91835294 L21.3282937,4.84228877 C21.3731297,4.69657175 21.3619207,4.57047048 21.2946667,4.46398496 C21.2274126,4.35749944 21.1153226,4.30425669 20.9583966,4.30425669 L10.735787,4.30425669 C10.5900699,4.30425669 10.4471552,4.35749944 10.3070427,4.46398496 C10.1669301,4.57047048 10.0744559,4.69657175 10.0296199,4.84228877 L9.6765363,5.91835294 Z M8.28101558,10.2226096 C8.23617957,10.3683267 8.24738858,10.4944279 8.31464259,10.6009134 C8.3818966,10.707399 8.49398662,10.7606417 8.65091264,10.7606417 L18.8735223,10.7606417 C19.0192393,10.7606417 19.1621541,10.707399 19.3022666,10.6009134 C19.4423791,10.4944279 19.5348534,10.3683267 19.5796894,10.2226096 L19.9327729,9.14654546 C19.9776089,9.00082844 19.9663999,8.87472717 19.8991459,8.76824165 C19.8318919,8.66175613 19.7198019,8.60851337 19.5628759,8.60851337 L9.34026625,8.60851337 C9.19454923,8.60851337 9.05163445,8.66175613 8.91152193,8.76824165 C8.77140941,8.87472717 8.67893514,9.00082844 8.63409914,9.14654546 L8.28101558,10.2226096 Z" id="Shape" fill="#1AAAF8"></path>
+                    </g>
+                    <g id="golang">
+                        <text id="whale/golang" font-family="OpenSans-Semibold, Open Sans" font-size="16" font-weight="500" fill="#C0C9CE">
+                            <tspan x="33" y="19">whale/golang</tspan>
+                        </text>
+                        <path d="M27.5661032,5.88472594 C28.0144632,6.52363904 28.1153442,7.24661966 27.8687462,8.05366778 L23.245033,23.2867012 C23.0320619,24.0040773 22.6033176,24.6065612 21.9588,25.0941528 C21.3142824,25.5817443 20.6277311,25.8255401 19.8991459,25.8255401 L4.38028296,25.8255401 C3.51718982,25.8255401 2.68492144,25.5256993 1.88347781,24.9260177 C1.08203418,24.3263361 0.524386344,23.5893443 0.210534294,22.7150421 C-0.0584817485,21.964039 -0.0696907502,21.2522674 0.176907289,20.5797273 C0.176907289,20.5348913 0.193720792,20.3835698 0.227347797,20.1257627 C0.260974802,19.8679557 0.283392806,19.6605891 0.294601808,19.5036631 C0.30581081,19.4139911 0.288997307,19.2934943 0.2441613,19.1421728 C0.199325293,18.9908513 0.18251179,18.8815635 0.193720792,18.8143095 C0.216138795,18.6910105 0.260974802,18.573316 0.328228813,18.4612259 C0.395482824,18.3491359 0.487957089,18.2174302 0.605651607,18.0661086 C0.723346126,17.9147871 0.815820391,17.7830813 0.883074402,17.6709913 C1.14088144,17.2450492 1.39308398,16.7322374 1.63968202,16.1325558 C1.88628006,15.5328742 2.05441509,15.0200624 2.1440871,14.5941203 C2.17771411,14.4820303 2.18051636,14.3138953 2.15249385,14.0897152 C2.12447135,13.8655352 2.1216691,13.7086092 2.1440871,13.6189372 C2.17771411,13.4956382 2.27299062,13.3387121 2.42991665,13.1481591 C2.58684267,12.9576061 2.68211919,12.8287025 2.71574619,12.7614485 C2.95113523,12.3579245 3.18652427,11.8423104 3.42191331,11.2146063 C3.65730234,10.5869022 3.79741487,10.0824971 3.84225087,9.70139105 C3.85345988,9.60051003 3.83944862,9.421166 3.80021712,9.16335896 C3.76098561,8.90555192 3.76378786,8.7486259 3.80862387,8.69258089 C3.85345988,8.54686386 3.9767589,8.37592659 4.17852093,8.17976905 C4.38028296,7.98361152 4.50358198,7.85751025 4.54841799,7.80146524 C4.76138902,7.5100312 4.99958031,7.03645087 5.26299185,6.38072427 C5.52640339,5.72499766 5.68052717,5.18416333 5.72536317,4.75822126 C5.73657218,4.66854924 5.71975867,4.52563447 5.67492267,4.32947694 C5.63008666,4.13331941 5.61887766,3.98480014 5.64129566,3.88391912 C5.66371366,3.79424711 5.71415417,3.69336609 5.79261718,3.58127607 C5.8710802,3.46918605 5.97196121,3.34028253 6.09526023,3.19456551 C6.21855925,3.04884849 6.31383577,2.93115397 6.38108978,2.84148195 C6.47076179,2.70697393 6.56323606,2.53603665 6.65851257,2.32867012 C6.75378909,2.12130359 6.8378566,1.92514606 6.91071511,1.74019753 C6.98357362,1.555249 7.07324564,1.35348697 7.17973116,1.13491143 C7.28621667,0.916335896 7.39550444,0.736991868 7.50759446,0.596879345 C7.61968448,0.456766823 7.76820375,0.325061052 7.95315228,0.201762032 C8.13810081,0.0784630125 8.33986284,0.0140112522 8.55843838,0.00840675134 C8.77701391,0.00280225045 9.0432277,0.0336270054 9.35707975,0.100881016 L9.34026625,0.151321524 C9.76620832,0.050440508 10.0520379,0 10.1977549,0 L22.9928304,0 C23.8222966,0 24.4612097,0.31385205 24.9095697,0.94155615 C25.3579298,1.56926025 25.4588108,2.29784537 25.2122128,3.1273115 L20.605313,18.3603449 C20.201789,19.6942161 19.8010672,20.554507 19.4031476,20.9412176 C19.005228,21.3279282 18.2850497,21.5212834 17.2426125,21.5212834 L2.63167868,21.5212834 C2.32903563,21.5212834 2.1160646,21.6053509 1.99276558,21.773486 C1.86946656,21.95283 1.86386206,22.1938235 1.97595208,22.4964666 C2.24496812,23.2810967 3.05201625,23.6734118 4.39709646,23.6734118 L19.9159594,23.6734118 C20.2410205,23.6734118 20.5548725,23.586542 20.8575156,23.4128025 C21.1601586,23.239063 21.3563162,23.0064762 21.4459882,22.7150421 L26.490039,6.12011498 C26.568502,5.87351694 26.5965245,5.55406039 26.5741065,5.16174532 C27.0000486,5.32988035 27.3307141,5.57087389 27.5661032,5.88472594 L27.5661032,5.88472594 Z M9.6765363,5.91835294 C9.6317003,6.06406997 9.6429093,6.19017124 9.71016331,6.29665675 C9.77741732,6.40314227 9.88950734,6.45638503 10.0464334,6.45638503 L20.269043,6.45638503 C20.41476,6.45638503 20.5576748,6.40314227 20.6977873,6.29665675 C20.8378998,6.19017124 20.9303741,6.06406997 20.9752101,5.91835294 L21.3282937,4.84228877 C21.3731297,4.69657175 21.3619207,4.57047048 21.2946667,4.46398496 C21.2274126,4.35749944 21.1153226,4.30425669 20.9583966,4.30425669 L10.735787,4.30425669 C10.5900699,4.30425669 10.4471552,4.35749944 10.3070427,4.46398496 C10.1669301,4.57047048 10.0744559,4.69657175 10.0296199,4.84228877 L9.6765363,5.91835294 Z M8.28101558,10.2226096 C8.23617957,10.3683267 8.24738858,10.4944279 8.31464259,10.6009134 C8.3818966,10.707399 8.49398662,10.7606417 8.65091264,10.7606417 L18.8735223,10.7606417 C19.0192393,10.7606417 19.1621541,10.707399 19.3022666,10.6009134 C19.4423791,10.4944279 19.5348534,10.3683267 19.5796894,10.2226096 L19.9327729,9.14654546 C19.9776089,9.00082844 19.9663999,8.87472717 19.8991459,8.76824165 C19.8318919,8.66175613 19.7198019,8.60851337 19.5628759,8.60851337 L9.34026625,8.60851337 C9.19454923,8.60851337 9.05163445,8.66175613 8.91152193,8.76824165 C8.77140941,8.87472717 8.67893514,9.00082844 8.63409914,9.14654546 L8.28101558,10.2226096 Z" id="Shape" fill="#1AAAF8"></path>
+                    </g>
+                </g>
+            </g>
+            <text id="Whale-organization" font-family="OpenSans-Semibold, Open Sans" font-size="16" font-weight="500" fill="#C0C9CE">
+                <tspan x="270" y="19">Whale organization</tspan>
+            </text>
+            <use id="border" stroke="#C0C9CE" mask="url(#mask-2)" stroke-width="2" xlink:href="#path-1"></use>
+        </g>
+    </g>
+</svg>

datacenter/dtr/2.1/index.md

@@ -0,0 +1,48 @@
+<!--[metadata]>
++++
+aliases = ["/docker-hub-enterprise/",
+          "/docker-trusted-registry/overview/"]
+title = "Docker Trusted Registry overview"
+description = "Learn how to install, configure, and use Docker Trusted Registry."
+keywords = ["docker, registry, repository, images"]
+[menu.main]
+parent="workw_dtr"
+identifier="dtr_overview"
+weight=0
++++
+<![end-metadata]-->
+
+# Docker Trusted Registry overview
+
+Docker Trusted Registry (DTR) is the enterprise-grade image storage solution
+from Docker. You install it behind your firewall so that you can securely store
+and manage the Docker images you use in your applications.
+
+## Image management
+
+Docker Trusted Registry can be installed on-premises, or on a virtual private
+cloud. And with it, you can store your Docker images securely, behind your
+firewall.
+
+![](images/overview-1.png)
+
+You can use DTR as part of your continuous integration, and continuous
+delivery processes to build, run, and ship your applications.
+
+
+## Built-in security and access control
+
+DTR uses the same authentication mechanism as Docker Universal Control Plane.
+It has a built-in authentication mechanism, and also integrates with LDAP
+and Active Directory. It also supports Role Based Access Control (RBAC).
+
+This allows you to implement fine-grain access control policies, on who has
+access to your Docker images.
+
+![](images/overview-2.png)
+
+
+## Where to go next
+
+* [DTR architecture](architecture.md)
+* [Install DTR](install/index.md)

datacenter/dtr/2.1/install/index.md

@@ -0,0 +1,173 @@
+<!--[metadata]>
++++
+aliases = [ "/docker-trusted-registry/install/dtr-ami-byol-launch/",
+            "/docker-trusted-registry/install/dtr-ami-bds-launch/",
+            "/docker-trusted-registry/install/dtr-vhd-azure/",
+            "/docker-trusted-registry/install/install-dtr/"]
+title = "Install Docker Trusted Registry"
+description = "Learn how to install Docker Trusted Registry for production."
+keywords = ["docker, dtr, registry, install"]
+[menu.main]
+parent="dtr-menu-install"
+identifier="dtr_install_production"
+weight=20
++++
+<![end-metadata]-->
+
+
+# Install Docker Trusted Registry
+
+Docker Trusted Registry (DTR) is a containerized application that runs on a
+swarm managed by Docker Universal Control Plane (UCP). It can be installed
+on-premises or on a cloud infrastructure.
+
+Use these instructions to install DTR.
+
+## Step 1. Validate the system requirements
+
+The first step in installing DTR, is ensuring your
+infrastructure has all the [requirements DTR needs to run](system-requirements.md).
+
+## Step 2. Install UCP
+
+Since DTR requires Docker Universal Control Plane (UCP)
+to run, you need to install UCP on all the nodes where you plan to install DTR.
+[Learn how to install UCP](https://docs.docker.com/ucp/installation/install-production/).
+
+Make sure all the nodes you plan on installing DTR are being managed by UCP.
+
+## Step 3. Install DTR
+
+To install DTR you use the `docker/dtr` image. This image has commands to
+install, configure, and backup DTR.
+
+To install DTR:
+
+1. Get the DTR package.
+
+    ```bash
+    $ wget https://packages.docker.com/caas/ucp-2.0.0-beta3_dtr-2.1.0-beta3.tar.gz -O docker-datacenter.tar.gz
+    ```
+
+2. Transfer the package to the nodes.
+
+    Now that you have the DTR package in your machine, you can transfer it to the
+    nodes that you want to install DTR. For each node run:
+
+    ```bash
+    $ scp docker-datacenter.tag.gz <user>@<host>:/tmp
+    ```
+
+3. Load the images.
+
+    Once the package is on the nodes where you want to install DTR, you can use
+    the `docker load` command, to load the images from the .tar file. Log
+    into each node where you plan on installing DTR and run:
+
+    ```bash
+    $ docker load < /tmp/docker-datacenter.tar.gz
+    ```
+
+4. Download a UCP client bundle.
+
+    Having a UCP client bundle allows you to run Docker commands on a swarm
+    being managed by UCP.
+    [Download a UCP client bundle](https://docs.docker.com/ucp/access-ucp/cli-based-access/)
+    and set up your CLI client to use it.
+
+5. Run the following commands to install DTR.
+
+    ```bash
+
+    # Install DTR
+    $ docker run -it --rm \
+      docker/dtr:2.1.0-beta3 install \
+      --ucp-node <hostname> \
+      --ucp-insecure-tls
+    ```
+
+    Where the `--ucp-node` is the hostname of the node where you've previously
+    loaded the DTR images, and `--ucp-insecure-tls` tells the installer to
+    trust the certificates used by UCP.
+    The install command has other flags for customizing DTR at install time.
+    Check the [reference documentation to learn more](../reference/install.md).
+
+
+6. Check that DTR is running.
+
+    In your browser, navigate to the the Docker **Universal Control Plane**
+    web UI, and navigate to the **Applications** screen. DTR should be listed
+    as an application.
+
+    ![](../images/install-dtr-1.png)
+
+    You can also access the **DTR web UI**, to make sure it is working. In your
+    browser, navigate to the address were you installed DTR.
+
+    ![](../images/install-dtr-2.png)
+
+
+## Step 4. Configure DTR
+
+After installing DTR, you should configure:
+
+  * The Domain Name used to access DTR,
+  * The certificates used for TLS communication,
+  * The storage backend to store the Docker images.
+
+  To perform these configurations, navigate to the **Settings** page of DTR.
+
+  ![](../images/install-dtr-3.png)
+
+## Step 5. Test pushing and pulling
+
+Now that you have a working installation of DTR, you should test that you can
+push and pull images to it.
+[Learn how to push and pull images](../repos-and-images/index.md).
+
+## Step 6. Join replicas to the cluster
+
+This step is optional.
+
+To set up DTR for [high availability](../high-availability/index.md),
+you can add more replicas to your DTR cluster. Adding more replicas allows you
+to load-balance requests across all replicas, and keep DTR working if a
+replica fails.
+
+For high-availability you should set 3, 5, or 7 DTR replicas. The nodes where
+you're going to install these replicas also need to be managed by UCP.
+
+To add replicas to a DTR cluster, use the `docker/dtr join` command. To add
+replicas:
+
+1. Make sure the DTR images are loaded into the node.
+
+2. Load you UCP user bundle.
+
+3. Run the join command.
+
+    When you join a replica to a DTR cluster, you need to specify the
+    ID of a replica that is already part of the cluster. You can find an
+    existing replica ID by going to the **Applications** page on UCP.
+
+    Then run:
+
+    ```bash
+    $ docker run -it --rm \
+      docker/dtr:2.1.0-beta3 join \
+      --ucp-node <hostname> \
+      --ucp-insecure-tls
+    ```
+
+4. Check that all replicas are running.
+
+    In your browser, navigate to the the Docker **Universal Control Plane**
+    web UI, and navigate to the **Applications** screen. All replicas should
+    be displayed.
+
+    ![](../images/install-dtr-4.png)
+
+## See also
+
+* [Install DTR offline](install-dtr-offline.md)
+* [Upgrade DTR](upgrade/upgrade-major.md)

datacenter/dtr/2.1/install/install-dtr-offline.md

@@ -0,0 +1,63 @@
+<!--[metadata]>
++++
+title = "Install offline"
+description = "Learn how to install Docker Trusted Registry on a machine with no internet access."
+keywords = ["docker, registry, install, offline"]
+[menu.main]
+parent="dtr-menu-install"
+identifier="dtr_install_offline"
+weight=30
++++
+<![end-metadata]-->
+
+
+# Install DTR offline
+
+The procedure to install Docker Trusted Registry on a node is the same,
+whether that node has access to the internet or not.
+
+The only difference when installing DTR on an offline node, is that instead
+of pulling the DTR images from Docker Hub, you use a computer that is connected
+to the internet to download a single package with all DTR images. Then you
+copy that package to the nodes where you’ll install DTR.
+
+1. Get the DTR package.
+
+    Use a computer with internet access to download a single package with all
+    Docker Datacenter components:
+
+    ```bash
+    $ wget https://packages.docker.com/caas/ucp-2.0.0-beta3_dtr-2.1.0-beta3.tar.gz -O docker-datacenter.tar.gz
+    ```
+
+2. Transfer the package to the offline nodes.
+
+    Now that you have the DTR package in your machine, you can transfer it to the
+    nodes that you want to install DTR. For each node run:
+
+    ```bash
+    $ scp docker-datacenter.tag.gz <user>@<host>:/tmp
+    ```
+
+3. Login into the nodes where you transferred the images.
+
+4. Load the images.
+
+    Once the package is on the nodes where you want to install DTR, you can use
+    the `docker load` command, to load the images from the .tar file. On each
+    node, run:
+
+    ```bash
+    $ docker load < /tmp/docker-datacenter.tar.gz
+    ```
+
+5. Install DTR.
+
+    Now that the offline node has all the images needed to install DTR,
+    you can [install DTR that host](index.md).
+
+
+## Where to go next
+
+* [DTR architecture](../architecture.md)
+* [Install DTR](index.md)

datacenter/dtr/2.1/install/license.md

@@ -0,0 +1,50 @@
+<!--[metadata]>
++++
+aliases = ["/docker-trusted-registry/license/"]
+title = "License DTR"
+description = "Learn how to license your Docker Trusted Registry installation."
+keywords = ["docker, dtr, install, license"]
+[menu.main]
+parent="dtr-menu-install"
+identifier="dtr_license"
+weight=31
++++
+<![end-metadata]-->
+
+
+# License DTR
+
+By default, you don't need to license your Docker Trusted Registry. When
+installing DTR, it automatically starts using the same license file used on
+your Docker Universal Control Plane cluster.
+
+However, there are some situations when you have to manually license your
+DTR installation:
+
+* When upgrading to a new major version,
+* When your current license expires.
+
+
+## Download your license
+
+Go to [Docker Store](https://store.docker.com/bundles/docker-datacenter) and
+download your license.
+
+![](../images/license-1.png)
+
+
+## License your installation
+
+Once you've downloaded the license file, you can apply it to your DTR
+installation. Navigate to the **DTR web UI**, and then go to the **Settings
+page**.
+
+![](../images/license-2.png)
+
+Click the **Apply new license** button, and upload your new license file.
+
+
+## Where to go next
+
+* [Install DTR](index.md)
+* [Install DTR offline](install-dtr-offline.md)

datacenter/dtr/2.1/install/menu.md

@@ -0,0 +1,12 @@
+<!--[metadata]>
++++
+title = "Installation"
+description = "Trusted Registry Installation Overview"
+keywords = ["docker, documentation, about, technology, install, enterprise, hub, CS engine, Docker Trusted Registry"]
+type = "menu"
+[menu.main]
+parent="workw_dtr"
+identifier="dtr-menu-install"
+weight=30
++++
+<![end-metadata]-->

datacenter/dtr/2.1/install/system-requirements.md

@@ -0,0 +1,50 @@
+<!--[metadata]>
++++
+title = "System requirements"
+description = "Learn about the system requirements for installing Docker Trusted Registry."
+keywords = ["docker, DTR, architecture, requirements"]
+[menu.main]
+parent="dtr-menu-install"
+identifier="dtr_system_requirements"
+weight=0
++++
+<![end-metadata]-->
+
+
+# DTR system requirements
+
+Docker Trusted Registry can be installed on-premises or on the cloud.
+Before installing, be sure your infrastructure has these requirements.
+
+## Software requirements
+
+You can only install DTR on a node that is being managed by Docker Universal
+Control Plane 2.0.
+
+
+## Ports used
+
+When installing DTR on a node, make sure the following ports are open on that
+node:
+
+| Direction | Port | Purpose                               |
+|:---------:|:-----|:--------------------------------------|
+|    in     | 80   | Web app and API client access to DTR. |
+|    in     | 443  | Web app and API client access to DTR. |
+
+These ports are configurable when installing DTR.
+
+## Compatibility and maintenance lifecycle
+
+Docker Datacenter is a software subscription that includes 3 products:
+
+* CS Docker Engine,
+* Docker Trusted Registry,
+* Docker Universal Control Plane.
+
+[Learn more about the maintenance lifecycle for these products](http://success.docker.com/Get_Help/Compatibility_Matrix_and_Maintenance_Lifecycle).
+
+## Where to go next
+
+* [DTR architecture](../architecture.md)
+* [Install DTR](index.md)

datacenter/dtr/2.1/install/uninstall.md

@@ -0,0 +1,67 @@
+<!--[metadata]>
++++
+title = "Uninstall"
+description = "Learn how to uninstall your Docker Trusted Registry installation."
+keywords = ["docker, dtr, install, uninstall"]
+[menu.main]
+parent="dtr-menu-install"
+identifier="dtr_uninstall"
+weight=50
++++
+<![end-metadata]-->
+
+# Uninstall Docker Trusted Registry
+
+Use the `remove` command, to remove a DTR replica from a cluster.
+To uninstall a DTR cluster you remove all DTR replicas one at a time.
+The remove command:
+
+* Removes the replica from the cluster,
+* Stops and removes all DTR containers,
+* Deletes all DTR volumes.
+
+To see what options are available in the uninstall command, check the
+[uninstall command reference](../reference/remove.md), or run:
+
+```bash
+$ docker run -it --rm docker/dtr:2.1.0-beta3 remove --help
+```
+
+To remove a replica safely, you must tell the bootstrapper about one healthy replica
+using the `--existing-replica-id` flag and the replica to remove with the
+`--replica-id` flag. It uses the healthy replica to safely inform your DTR cluster
+that the replica is about to be removed before it performs the actual removal.
+
+## Example
+
+The following example illustrates how use the remove command interactively to
+remove a DTR replica from a cluster with multiple replicas:
+
+```bash
+
+$ docker run -it --rm \
+  docker/dtr:2.1.0-beta3 remove \
+  --ucp-insecure-tls
+
+existing-replica-id (ID of an existing replica in a cluster): 7ae3cb044b70
+replica-id (Specify the replica Id. Must be unique per replica, leave blank for random): a701a510126c
+ucp-username (Specify the UCP admin username): $UCP_ADMIN
+ucp-password: $UCP_PASSWORD
+ucp-url (Specify the UCP host using the host[:port] format): $UCP_HOST
+```
+
+Where:
+
+* existing-replica-id: is the id of any healthy DTR replica of that cluster,
+* replica-id: is the id of the DTR replica you want to remove,
+* ucp-username and ucp-password: are the username and password of a UCP administrator.
+
+
+Now you can confirm on Docker Universal Control Plane that the DTR replica
+`a701a510126c` no longer exists.
+
+
+## Where to go next
+
+* [Install DTR](index.md)
+* [Install DTR offline](install-dtr-offline.md)

datacenter/dtr/2.1/install/upgrade/index.md

@@ -0,0 +1,71 @@
+<!--[metadata]>
++++
+aliases = ["/docker-trusted-registry/install/upgrade/upgrade-minor/"]
+title = "Upgrade from 2.0.0"
+description = "Learn how to upgrade your Docker Trusted Registry to a new minor version or patch release."
+keywords = ["docker, dtr, upgrade, install"]
+[menu.main]
+parent="menu_dtr_upgrade"
+identifier="dtr_upgrade_minor"
+weight=10
++++
+<![end-metadata]-->
+
+# Upgrade from 2.0.0
+
+<!-- beta: remove after this goes to GA -->
+
+> You can't upgrade from one beta version to another. To test the latest
+> beta version, start by uninstalling the previous version.
+
+The first step in upgrading to a new minor version or patch release of DTR 2.0,
+is ensuring you're running DTR 2.0. If that's not the case, start by upgrading
+your installation to version 2.0.0, and then upgrade to the latest version
+available.
+
+There is no downtime when upgrading an highly-available DTR cluster. If your
+DTR deployment has a single replica, schedule the upgrade to take place outside
+business peak hours to ensure the impact on your business is close to none.
+
+## Step 1. Upgrade DTR to 2.0
+
+Make sure you're running DTR 2.0. If that's not the case, [upgrade your
+installation to the 2.0 version](upgrade-major.md).
+
+## Step 2. Upgrade DTR
+
+To upgrade DTR you use the `upgrade` command.
+
+1. Download a UCP client bundle.
+
+    Having a UCP client bundle allows you to run Docker commands on a UCP
+    cluster. Download a UCP client bundle and set up your CLI client to use it.
+
+2. Pull the latest `docker/dtr` image.
+
+    ```bash
+    $ docker pull docker/dtr:<version>
+    ```
+
+    If the node you're upgrading doesn't have access to the internet, you can
+    use a machine with internet connection to
+    [pull all the DTR images](../install-dtr-offline.md).
+
+4. Run the upgrade command.
+
+    The upgrade command upgrades all DTR replicas that are part of your cluster:
+
+    ```bash
+    $ docker run -it --rm \
+      docker/dtr:<version> upgrade \
+      --ucp-insecure-tls
+    ```
+
+    By default the upgrade command runs in interactive mode and prompts you for
+    any necessary information. You can also check the
+    [reference documentation](../reference/index.md) for other existing flags.
+
+## Where to go next
+
+* [Upgrade to DTR 2.0](upgrade-major.md)
+* [Monitor DTR](../../monitor-troubleshoot/index.md)

datacenter/dtr/2.1/install/upgrade/menu.md

@@ -0,0 +1,12 @@
+<!--[metadata]>
++++
+title = "Upgrade"
+description = "Learn how to upgrade your Docker Trusted Registry."
+keywords = ["docker, dtr, upgrade, install"]
+type = "menu"
+[menu.main]
+parent="dtr-menu-install"
+identifier="menu_dtr_upgrade"
+weight=40
++++
+<![end-metadata]-->

datacenter/dtr/2.1/install/upgrade/upgrade-major.md

@@ -0,0 +1,209 @@
+<!--[metadata]>
++++
+draft=true
+aliases = ["/docker-trusted-registry/install/upgrade/"]
+title = "Upgrade from 1.4.3"
+description = "Learn how to upgrade your Docker Trusted Registry to the latest major release."
+keywords = ["docker, dtr, upgrade, install"]
+[menu.main]
+parent="menu_dtr_upgrade"
+identifier="dtr_upgrade_major"
+weight=0
++++
+<![end-metadata]-->
+
+# Upgrade from DTR 1.4.3
+
+The first step in upgrading to Docker Trusted Registry (DTR) 2.0, is ensuring
+you are running DTR 1.4.3. If that's not the case, start by upgrading your
+installation to version 1.4.3, and then upgrade to DTR 2.0.
+
+To upgrade from DTR 1.4.3 to 2.0 you first need to do a fresh installation of
+DTR 2.0. Then you migrate the data from your DTR 1.4.3 installation to the 2.0
+installation. Finally, you decommission your 1.4.3 by uninstalling it.
+
+## Step 1. Upgrade DTR to 1.4.3
+
+Make sure you're running DTR 1.4.3. If that's not the case, upgrade your
+installation to the 1.4.3 version.
+
+## Step 2. Install DTR 2.0
+
+To upgrade to DTR 2.0, you first need to do a fresh installation of DTR 2.0.
+This can be done on the same node where DTR 1.4.3 is already running or on a
+new node.
+
+If you decide to install the new DTR on the same node, you'll need
+to install it on a port other than 443, since DTR 1.4.3 is already using it.
+Use these instructions to install DTR 2.0:
+
+* [Release notes](../../release-notes/index.md)
+* [System requirements](../system-requirements.md)
+* [DTR architecture](../../architecture.md)
+* [Install DTR 2.0](../index.md)
+
+
+## Step 3. Migrate metadata
+
+Once you have your DTR 1.4.3 and the new DTR 2.0 running, you can migrate
+configurations, accounts, and repository metadata from one installation to
+another.
+
+For this, you can use the `docker/dtr migrate` command. This command
+migrates configurations, accounts, and repository metadata. It doesn't migrate
+the images that are on the storage backend used by DTR 1.4.3.
+
+Before running the migration, get the DTR 2.0 CA certificate used for the `--dtr-ca` parameter:
+
+1. Log into the **DTR 2.0 web UI**, and navigate to the **Settings** screen.
+
+2. In the **Domain** section, click the **Show TLS settings** link.
+
+3. Copy the content of the **TLS CA** field.
+
+    ![](../../images/dtr-integration-1.png)
+
+To start the migration:
+
+1. Log into the host running DTR 1.4.3 using ssh.
+
+2. Use the docker/dtr migrate command.
+
+    When you run the docker/dtr migrate command, Docker pulls the necessary
+    images from Docker Hub. If the the host where DTR 1.4.3 is not connected
+    to the internet, you need to
+    [download the images to the host](../install-dtr-offline.md).
+
+    Then run the migrate command:
+
+    ```bash
+    # Migrate configurations, accounts, and repository metadata
+    docker run -it --rm \
+      -v /var/run/docker.sock:/var/run/docker.sock \
+      docker/dtr migrate \
+      --ucp-url $UCP_HOST \
+      --dtr-external-url $DTR_HOST \
+      --ucp-insecure-tls \
+      --dtr-ca "$(cat dtrca.crt)"
+    ```
+
+## Step 4. Validate your configurations
+
+After the migration finishes, test your DTR 2.0 installation to make sure it is
+properly configured.
+In your browser navigate to the DTR 2.0 **Settings page**, and check that DTR:
+
+* Is correctly licensed,
+* The storage backend is correctly configured,
+* The user authentication method is correctly configured.
+
+You need to manually configure the following settings:
+
+* Domain name,
+* Certificates.
+
+You can find the certificates of DTR 1.4.3 under `/usr/local/etc/dtr/ssl`.
+
+## Step 5. Transfer image data to DTR 2.0
+
+If utilizing local filesystem storage, the image data is not copied during by
+the migrate command and should be transferred manually.
+
+To transfer the images:
+
+1. Log into the host running DTR 2.0 using ssh.
+
+2. Get the filesystem volume path DTR 2.0 stores images:
+
+    ```bash
+    $ docker volume inspect --format '{{ .Mountpoint }}' $(docker volume ls -q | grep dtr-registry)
+    ```
+
+    The path returned will be similar to: `/var/lib/docker/volumes/dtr-registry-fa61225dc006/_data`
+
+3. Log into the host running DTR 1.4.3 using ssh.
+
+4. Copy the image data:
+
+    ```bash
+    $ scp -r /var/local/dtr/image-storage/local/* $DTR_HOST:$DTR_2_FS_VOLUME_PATH
+    ```
+
+    For example:
+
+    ```bash
+    $ scp -r /var/local/dtr/image-storage/local/* \
+      dtr2:/var/lib/docker/volumes/dtr-registry-4fb637dbbecc/_data/
+    ```
+
+## Step 6. Test your installation
+
+Now that you have a working installation of DTR 2.0, you should test that you
+can push and pull images to it.
+[Learn how to push and pull images](../../repos-and-images/pull-an-image.md).
+
+## Step 7. Join replicas to your cluster
+
+This step is optional.
+
+To set up DTR for [high availability](../../high-availability/index.md),
+you can add more replicas to your DTR cluster. Adding more replicas allows you
+to load-balance requests across all replicas, and keep DTR working if a
+replica fails.
+
+To add replicas to a DTR cluster, use the `docker/dtr join` command. To add
+replicas:
+
+
+1. Load you UCP user bundle.
+
+2. Run the join command.
+
+    When you join a replica to a DTR cluster, you need to specify the
+    ID of a replica that is already part of the cluster. You can find an
+    existing replica ID by going to the **Applications** page on UCP.
+
+    Then run:
+
+    ```bash
+    $ docker run -it --rm \
+      docker/dtr join \
+      --ucp-url $UCP_URL \
+      --ucp-node $UCP_NODE \
+      --existing-replica-id $REPLICA_TO_JOIN \
+      --ucp-username $USER --ucp-password $PASSWORD \
+      --ucp-insecure-tls
+    ```
+
+    Where:
+
+    * ucp-url, is the URL of the UCP controller,
+    * ucp-node, is the node on the ucp cluster where the DTR  replica will be installed,
+    * existing-replica-id, is the ID of the DTR replica you want to replicate,
+    * ucp-username, and ucp-password are the credentials of a UCP administrator,
+    * ucp-ca, is the certificate used by UCP.
+
+3. Check that all replicas are running.
+
+    In your browser, navigate to the the Docker **Universal Control Plane**
+    web UI, and navigate to the **Applications** screen. All replicas should
+    be displayed.
+
+    ![](../../images/install-dtr-4.png)
+
+4. Follow steps 1 to 3, to add more replicas to the DTR cluster.
+
+    When configuring your DTR cluster for high-availability, you should install
+    3, 5, or 7 replicas.
+    [Learn more about high availability](../../high-availability/index.md)
+
+## Step 8. Decommission DTR 1.4.3
+
+Once you've fully tested your new installation, you can uninstall DTR 1.4.3
+by deleting `/usr/local/etc/dtr` and `/var/local/dtr` and removing all dtr
+containers.
+
+## Where to go next
+
+* [Upgrade to DTR 2.x](index.md)
+* [Monitor DTR](../../monitor-troubleshoot/index.md)

datacenter/dtr/2.1/menu.md

@@ -0,0 +1,11 @@
+<!--[metadata]>
++++
+title = "Docker Trusted Registry"
+description = "Docker Trusted Registry"
+keywords = ["docker, documentation, about, technology, understanding, enterprise, hub,  registry"]
+type = "menu"
+[menu.main]
+identifier="workw_dtr"
+weight=-63
++++
+<![end-metadata]-->

datacenter/dtr/2.1/monitor-troubleshoot/index.md

@@ -0,0 +1,40 @@
+<!--[metadata]>
++++
+aliases = ["/docker-trusted-registry/monitor-troubleshoot/monitor/"]
+title = "Monitor DTR"
+description = "Learn how to monitor your DTR installation."
+keywords = ["docker, registry, monitor, troubleshoot"]
+[menu.main]
+parent="dtr_menu_monitor_troubleshoot"
+identifier="dtr_monitor"
+weight=0
++++
+<![end-metadata]-->
+
+# Monitor DTR
+
+Docker Trusted Registry is a Dockerized application. To monitor it, you can
+use the same tools and techniques you're already using to monitor other
+containerized applications running on your cluster. One way to monitor
+DTR is using the monitoring capabilities of Docker Universal Control Plane.
+
+In your browser, log in to **Docker Universal Control Plane** (UCP), and
+navigate to the **Applications** page.
+
+To make it easier to find DTR, use the search box to **search for the
+DTR application**. If you have DTR set up for high-availability, then all the
+DTR nodes are displayed.
+
+![](../images/monitor-1.png)
+
+**Click on the DTR application** to see all of its containers, and if they're
+running. **Click on a container** to see its details, like configurations,
+resources, and logs.
+
+![](../images/monitor-2.png)
+
+
+## Where to go next
+
+* [Troubleshoot DTR](troubleshoot.md)
+* [DTR architecture](../architecture.md)

datacenter/dtr/2.1/monitor-troubleshoot/menu.md

@@ -0,0 +1,12 @@
+<!--[metadata]>
++++
+title = "Monitor and troubleshoot"
+description = "Learn how to monitor and troubleshoot your DTR cluster"
+keywords = ["docker, registry, monitor, troubleshoot"]
+type = "menu"
+[menu.main]
+parent="workw_dtr"
+identifier="dtr_menu_monitor_troubleshoot"
+weight=60
++++
+<![end-metadata]-->

datacenter/dtr/2.1/monitor-troubleshoot/troubleshoot.md

@@ -0,0 +1,73 @@
+<!--[metadata]>
++++
+aliases = ["/docker-trusted-registry/adminguide/"]
+title = "Troubleshoot DTR"
+description = "Learn how to troubleshoot your DTR installation."
+keywords = ["docker, registry, monitor, troubleshoot"]
+[menu.main]
+parent="dtr_menu_monitor_troubleshoot"
+identifier="dtr_troubleshoot"
+weight=10
++++
+<![end-metadata]-->
+
+# Troubleshoot DTR
+
+## Overlay networking
+
+High availability in DTR depends on having overlay networking working in UCP.
+To manually test that overlay networking is working in UCP run the following
+commands on two different UCP machines.
+
+```
+docker run -it --rm --net dtr-ol --name overlay-test1 --entrypoint sh docker/dtr
+docker run -it --rm --net dtr-ol --name overlay-test2 --entrypoint ping docker/dtr -c 3 overlay-test1
+```
+
+You can create new new overlay network for this test with `docker network create -d overaly network-name`.
+You can also use any images that contain `sh` and `ping` for this test.
+
+If the second command succeeds, overlay networking is working.
+
+## DTR doesn't come up after a Docker restart
+
+This is a known issue with Docker restart policies when DTR is running on the same
+machine as a UCP controller. If this happens, you can simply restart the DTR replica
+from the UCP UI under "Applications". The best workaround right now is to not run
+DTR on the same node as a UCP controller.
+
+## Etcd refuses to start after a Docker restart
+
+If you see the following log message in etcd's logs after a DTR restart it means that
+your DTR replicas are on machines that don't have their clocks synchronized. Etcd requires
+synchronized clocks to function correctly.
+
+```
+2016-04-27 17:56:34.086748 W | rafthttp: the clock difference against peer aa4fdaf4c562342d is too high [8.484795885s > 1s]
+```
+
+## Accessing the RethinkDB Admin UI
+
+ > Warning: This command will expose your database to the internet with no authentication. Use with caution.
+
+Run this on the UCP node that has a DTR replica with the given replica id:
+
+```
+docker run --rm -it --net dtr-br -p 9999:8080 svendowideit/ambassador dtr-rethinkdb-$REPLICA_ID 8080
+```
+
+Options to make this more secure:
+
+* Use `-p 127.0.0.1:9999:8080` to expose the admin UI only to localhost
+* Use an SSH tunnel in combination with exposing the port only to localhost
+* Use a firewall to limit which IPs are allowed to connect
+* Use a second proxy with TLS and basic auth to provide secure access over the Internet
+
+## Accessing etcd directly
+
+You can execute etcd commands on a UCP node hosting a DTR replica using etcdctl
+via the following docker command:
+
+```
+docker run --rm -v dtr-ca-$REPLICA_ID:/ca --net dtr-br -it --entrypoint /etcdctl docker/dtr-etcd:v2.2.4 --endpoint https://dtr-etcd-$REPLICA_ID.dtr-br:2379 --ca-file /ca/etcd/cert.pem --key-file /ca/etcd-client/key.pem --cert-file /ca/etcd-client/cert.pem
+```

datacenter/dtr/2.1/reference/backup.md

@@ -0,0 +1,59 @@
+<!--[metadata]>
++++
+title ="backup"
+description="Create a backup of DTR"
+keywords= ["docker, dtr, cli, backup"]
+[menu.main]
+parent="dtr_menu_reference"
+identifier="dtr_reference_backup"
++++
+<![end-metadata]-->
+
+# docker/dtr backup
+
+Create a backup of DTR
+
+## Usage
+
+```bash
+docker run -i --rm docker/dtr \
+    backup [command options] > backup.tar
+```
+
+## Description
+
+
+This command creates a tar file with the contents of the volumes used by
+DTR, and prints it. You can then use the 'restore' command to restore the data
+from an existing backup.
+
+Note:
+
+  * This command only creates backups of configurations, and image metadata.
+    It doesn't backup users and organizations. Users and organizations can be
+    backed up when performing a UCP backup.
+
+    It also doesn't backup the Docker images stored in your registry.
+    You should implement a separate backup policy for the Docker images stored
+    in your registry, taking in consideration whether your DTR installation is
+    configured to store images on the filesystem or using a cloud provider.
+
+  * This backup contains sensitive information and should be
+    stored securely.
+
+
+## Options
+
+| Option                    | Description                |
+|:--------------------------|:---------------------------|
+|`--ucp-url`|The UCP URL including domain and port|
+|`--ucp-username`|The UCP administrator username|
+|`--ucp-password`|The UCP administrator password|
+|`--debug`|Enable debug mode for additional logging|
+|`--hub-username`|Username to use when pulling images|
+|`--hub-password`|Password to use when pulling images|
+|`--ucp-insecure-tls`|Disable TLS verification for UCP|
+|`--ucp-ca`|Use a PEM-encoded TLS CA certificate for UCP|
+|`--existing-replica-id`|The ID of an existing DTR replica|
+|`--config-only`|Backup/restore only the configurations of DTR and not the database|
+

datacenter/dtr/2.1/reference/dumpcerts.md

@@ -0,0 +1,43 @@
+<!--[metadata]>
++++
+title ="dumpcerts"
+description="Print the TLS certificates used by DTR"
+keywords= ["docker, dtr, cli, dumpcerts"]
+[menu.main]
+parent="dtr_menu_reference"
+identifier="dtr_reference_dumpcerts"
++++
+<![end-metadata]-->
+
+# docker/dtr dumpcerts
+
+Print the TLS certificates used by DTR
+
+## Usage
+
+```bash
+docker run -i --rm docker/dtr \
+    dumpcerts [command options] > backup.tar
+```
+
+## Description
+
+
+This command creates a backup of the certificates used by DTR for
+communicating across replicas with TLS.
+
+
+## Options
+
+| Option                    | Description                |
+|:--------------------------|:---------------------------|
+|`--ucp-url`|The UCP URL including domain and port|
+|`--ucp-username`|The UCP administrator username|
+|`--ucp-password`|The UCP administrator password|
+|`--debug`|Enable debug mode for additional logging|
+|`--hub-username`|Username to use when pulling images|
+|`--hub-password`|Password to use when pulling images|
+|`--ucp-insecure-tls`|Disable TLS verification for UCP|
+|`--ucp-ca`|Use a PEM-encoded TLS CA certificate for UCP|
+|`--existing-replica-id`|The ID of an existing DTR replica|
+

datacenter/dtr/2.1/reference/images.md

@@ -0,0 +1,29 @@
+<!--[metadata]>
++++
+title ="images"
+description="List all the images necessary to install DTR"
+keywords= ["docker, dtr, cli, images"]
+[menu.main]
+parent="dtr_menu_reference"
+identifier="dtr_reference_images"
++++
+<![end-metadata]-->
+
+# docker/dtr images
+
+List all the images necessary to install DTR
+
+## Usage
+
+```bash
+docker run -it --rm docker/dtr \
+    images [command options]
+```
+
+## Description
+
+
+This command lists all the images necessary to install DTR.
+
+
+

datacenter/dtr/2.1/reference/index.md

@@ -0,0 +1,44 @@
+<!--[metadata]>
++++
+title = "Overview"
+description = "Learn about the commands available in the docker/dtr image."
+keywords = ["docker, dtr, install, uninstall, configure"]
+[menu.main]
+parent="dtr_menu_reference"
+identifier="dtr_reference_overview"
+weight=-10
++++
+<![end-metadata]-->
+
+# docker/dtr overview
+
+This tool has commands to install, configure, and backup Docker
+Trusted Registry (DTR). It also allows uninstalling DTR.
+By default the tool runs in interactive mode. It prompts you for
+the values needed.
+
+Additional help is available for each command with the '--help' option.
+
+
+## Usage
+
+```bash
+docker run -it --rm docker/dtr \
+    command [command options]
+```
+
+
+## Commands
+
+| Option                       | Description                |
+|:-----------------------------|:---------------------------|
+|`install`| Install Docker Trusted Registry|
+|`join`| Add a new replica to an existing DTR cluster|
+|`reconfigure`| Change DTR configurations|
+|`remove`| Remove a DTR replica|
+|`restore`| Install and restore DTR from an existing backup|
+|`backup`| Create a backup of DTR|
+|`upgrade`| Upgrade DTR 2.0.0 or later cluster to this version|
+|`dumpcerts`| Print the TLS certificates used by DTR|
+|`images`| List all the images necessary to install DTR|
+

datacenter/dtr/2.1/reference/install.md

@@ -0,0 +1,68 @@
+<!--[metadata]>
++++
+title ="install"
+description="Install Docker Trusted Registry"
+keywords= ["docker, dtr, cli, install"]
+[menu.main]
+parent="dtr_menu_reference"
+identifier="dtr_reference_install"
++++
+<![end-metadata]-->
+
+# docker/dtr install
+
+Install Docker Trusted Registry
+
+## Usage
+
+```bash
+docker run -it --rm docker/dtr \
+    install [command options]
+```
+
+## Description
+
+
+This command installs Docker Trusted Registry (DTR) on a node managed by
+Docker Universal Control Plane (UCP).
+
+After installing DTR, you can join additional DTR replicas using the 'join'
+command.
+
+
+## Options
+
+| Option                    | Description                |
+|:--------------------------|:---------------------------|
+|`--ucp-url`|The UCP URL including domain and port|
+|`--ucp-username`|The UCP administrator username|
+|`--ucp-password`|The UCP administrator password|
+|`--debug`|Enable debug mode for additional logging|
+|`--hub-username`|Username to use when pulling images|
+|`--hub-password`|Password to use when pulling images|
+|`--http-proxy`|The HTTP proxy used for outgoing requests|
+|`--https-proxy`|The HTTPS proxy used for outgoing requests|
+|`--no-proxy`|Don't use a proxy for these domains. Format acme.org[, acme.com]|
+|`--replica-http-port`|The public HTTP port for the DTR replica. Default is 80|
+|`--replica-https-port`|The public HTTPS port for the DTR replica. Default is 443|
+|`--log-protocol`|The protocol for sending container logs: tcp, tcp+tls, udp or internal. Default: internal|
+|`--log-host`|Endpoint to send logs to, required if --log-protocol is tcp or udp|
+|`--log-level`|Log level for container logs. Default: INFO|
+|`--log-tls-ca-cert`|PEM-encoded TLS CA cert for DTR logging driver. Ignored if the logging protocol is not tcp+tls|
+|`--log-tls-cert`|PEM-encoded TLS cert for DTR logging driver. Ignored if the logging protocol is not tcp+tls|
+|`--log-tls-key`|PEM-encoded TLS key for DTR logging driver. Ignored if the address protocol is not tcp+tls|
+|`--log-tls-skip-verify`|Disable TLS verification for the logging service. Ignored if the logging address is not tcp+tls|
+|`--dtr-external-url`|URL of the host or load balancer clients use to reach DTR. Format https://host[:port]|
+|`--dtr-storage-volume`|Full path or volume name to store Docker images in the local filesystem|
+|`--nfs-storage-url`|NFS to store Docker images. Requires NFS client libraries. Format nfs://<ip|hostname>/<mountpoint>|
+|`--enable-pprof`|Enables pprof profiling of the server|
+|`--etcd-heartbeat-interval`|Frequency in milliseconds that the key-value store leader notifies followers|
+|`--etcd-election-timeout`|Timeout in milliseconds for key-value store membership|
+|`--etcd-snapshot-count`|Number of changes between key-value store snapshots|
+|`--ucp-insecure-tls`|Disable TLS verification for UCP|
+|`--ucp-ca`|Use a PEM-encoded TLS CA certificate for UCP|
+|`--ucp-node`|The hostname of the node to install DTR|
+|`--replica-id`|Assign an ID to the DTR replica. By default the ID is random|
+|`--unsafe`|Allow DTR to be installed on a UCP manager node|
+|`--extra-envs`|Environment variables or swarm constraints for DTR containers. Format var=val[&var=val]|
+

datacenter/dtr/2.1/reference/join.md

@@ -0,0 +1,47 @@
+<!--[metadata]>
++++
+title ="join"
+description="Add a new replica to an existing DTR cluster"
+keywords= ["docker, dtr, cli, join"]
+[menu.main]
+parent="dtr_menu_reference"
+identifier="dtr_reference_join"
++++
+<![end-metadata]-->
+
+# docker/dtr join
+
+Add a new replica to an existing DTR cluster
+
+
+
+## Description
+
+
+This command creates a replica of an existing DTR on a node managed by
+Docker Universal Control Plane (UCP).
+
+For setting DTR for high-availability, create 3, 5, or 7 replicas of DTR.
+
+
+## Options
+
+| Option                    | Description                |
+|:--------------------------|:---------------------------|
+|`--ucp-url`|The UCP URL including domain and port|
+|`--ucp-username`|The UCP administrator username|
+|`--ucp-password`|The UCP administrator password|
+|`--debug`|Enable debug mode for additional logging|
+|`--hub-username`|Username to use when pulling images|
+|`--hub-password`|Password to use when pulling images|
+|`--ucp-insecure-tls`|Disable TLS verification for UCP|
+|`--ucp-ca`|Use a PEM-encoded TLS CA certificate for UCP|
+|`--ucp-node`|The hostname of the node to install DTR|
+|`--replica-id`|Assign an ID to the DTR replica. By default the ID is random|
+|`--unsafe`|Allow DTR to be installed on a UCP manager node|
+|`--existing-replica-id`|The ID of an existing DTR replica|
+|`--replica-http-port`|The public HTTP port for the DTR replica. Default is 80|
+|`--replica-https-port`|The public HTTPS port for the DTR replica. Default is 443|
+|`--skip-network-test`|Don't test if overlay networks are working correctly between UCP nodes|
+|`--extra-envs`|Environment variables or swarm constraints for DTR containers. Format var=val[&var=val]|
+

datacenter/dtr/2.1/reference/menu.md

@@ -0,0 +1,12 @@
+<!--[metadata]>
++++
+title = "docker/dtr image reference"
+description = "Learn about the commands available in the docker/dtr image."
+keywords = ["docker, dtr, install, uninstall, configure"]
+type = "menu"
+[menu.main]
+parent="dtr-menu-install"
+identifier="dtr_menu_reference"
+weight=60
++++
+<![end-metadata]-->

datacenter/dtr/2.1/reference/migrate.md

@@ -0,0 +1,51 @@
+<!--[metadata]>
++++
+title = "migrate"
+description = "Learn about the options available on the docker/dtr image."
+keywords = ["docker, dtr, install, uninstall, configure"]
+[menu.main]
+parent="dtr_menu_reference"
+identifier="dtr_reference_migrate"
++++
+<![end-metadata]-->
+
+# docker/dtr migrate
+
+Migrate configurations, accounts, and repository metadata from DTR 1.4.3 to 2.0.
+Only available in `docker/dtr` version 2.0.x.
+
+## Usage
+
+```bash
+$ docker run -it --rm docker/dtr \
+    migrate [command options]
+```
+
+## Description
+
+This command migrates configurations, accounts, and repository metadata from
+Docker Trusted Registry 1.4.3 to 2.0.
+
+To upgrade from DTR 1.4.3 to 2.0 you first need to do a fresh installation of
+DTR 2.0. Then you run this command on the host where DTR 1.4.3 is running, to
+migrate the data to the new installation. Finally, you decommission your
+DTR 1.4.3 by uninstalling it.
+
+
+| Option                 | Description                                                                          |
+|:-----------------------|:-------------------------------------------------------------------------------------|
+| `--ucp-url `           | Specify the UCP controller URL [$UCP_URL]                                            |
+| `--ucp-username`       | Specify the UCP admin username [$UCP_USERNAME]                                       |
+| `--ucp-password`       | Specify the UCP admin password [$UCP_PASSWORD]                                       |
+| `--debug`              | Enable debug mode, provides additional logging [$DEBUG]                              |
+| `--hub-username`       | Specify the Docker Hub username for pulling images [$HUB_USERNAME]                   |
+| `--hub-password`       | Specify the Docker Hub password for pulling images [$HUB_PASSWORD]                   |
+| `--ucp-insecure-tls`   | Disable TLS verification for UCP [$UCP_INSECURE_TLS]                                 |
+| `--ucp-ca`             | Use a PEM-encoded TLS CA certificate for UCP [$UCP_CA]                               |
+| `--run-full-migration` | Run full migration procedure instead of dumping configurations [$RUN_FULL_MIGRATION] |
+| `--dtr-load-balancer`  | Specify the domain name and port for the DTR load balancer [$DTR_LOAD_BALANCER]      |
+| `--dtr-insecure-tls`   | Disable TLS verification for DTR [$DTR_INSECURE_TLS]                                 |
+| `--dtr-ca`             | PEM-encoded TLS CA cert for DTR [$DTR_CA]                                            |
+| `--http-proxy`         | Set the HTTP proxy for outgoing requests [$DTR_HTTP_PROXY]                           |
+| `--https-proxy`        | Set the HTTPS proxy for outgoing requests [$DTR_HTTPS_PROXY]                         |
+| `--no-proxy`           | Set the list of domains to not proxy to [$DTR_NO_PROXY]                              |

datacenter/dtr/2.1/reference/reconfigure.md

@@ -0,0 +1,64 @@
+<!--[metadata]>
++++
+title ="reconfigure"
+description="Change DTR configurations"
+keywords= ["docker, dtr, cli, reconfigure"]
+[menu.main]
+parent="dtr_menu_reference"
+identifier="dtr_reference_reconfigure"
++++
+<![end-metadata]-->
+
+# docker/dtr reconfigure
+
+Change DTR configurations
+
+## Usage
+
+```bash
+docker run -it --rm docker/dtr \
+    reconfigure [command options]
+```
+
+## Description
+
+
+This command changes DTR configuration settings.
+
+DTR is restarted for the new configurations to take effect. To have no down
+time, configure your DTR for high-availability.
+
+
+## Options
+
+| Option                    | Description                |
+|:--------------------------|:---------------------------|
+|`--ucp-url`|The UCP URL including domain and port|
+|`--ucp-username`|The UCP administrator username|
+|`--ucp-password`|The UCP administrator password|
+|`--debug`|Enable debug mode for additional logging|
+|`--hub-username`|Username to use when pulling images|
+|`--hub-password`|Password to use when pulling images|
+|`--http-proxy`|The HTTP proxy used for outgoing requests|
+|`--https-proxy`|The HTTPS proxy used for outgoing requests|
+|`--no-proxy`|Don't use a proxy for these domains. Format acme.org[, acme.com]|
+|`--replica-http-port`|The public HTTP port for the DTR replica. Default is 80|
+|`--replica-https-port`|The public HTTPS port for the DTR replica. Default is 443|
+|`--log-protocol`|The protocol for sending container logs: tcp, tcp+tls, udp or internal. Default: internal|
+|`--log-host`|Endpoint to send logs to, required if --log-protocol is tcp or udp|
+|`--log-level`|Log level for container logs. Default: INFO|
+|`--log-tls-ca-cert`|PEM-encoded TLS CA cert for DTR logging driver. Ignored if the logging protocol is not tcp+tls|
+|`--log-tls-cert`|PEM-encoded TLS cert for DTR logging driver. Ignored if the logging protocol is not tcp+tls|
+|`--log-tls-key`|PEM-encoded TLS key for DTR logging driver. Ignored if the address protocol is not tcp+tls|
+|`--log-tls-skip-verify`|Disable TLS verification for the logging service. Ignored if the logging address is not tcp+tls|
+|`--dtr-external-url`|URL of the host or load balancer clients use to reach DTR. Format https://host[:port]|
+|`--dtr-storage-volume`|Full path or volume name to store Docker images in the local filesystem|
+|`--nfs-storage-url`|NFS to store Docker images. Requires NFS client libraries. Format nfs://<ip|hostname>/<mountpoint>|
+|`--enable-pprof`|Enables pprof profiling of the server|
+|`--etcd-heartbeat-interval`|Frequency in milliseconds that the key-value store leader notifies followers|
+|`--etcd-election-timeout`|Timeout in milliseconds for key-value store membership|
+|`--etcd-snapshot-count`|Number of changes between key-value store snapshots|
+|`--ucp-insecure-tls`|Disable TLS verification for UCP|
+|`--ucp-ca`|Use a PEM-encoded TLS CA certificate for UCP|
+|`--existing-replica-id`|The ID of an existing DTR replica|
+

datacenter/dtr/2.1/reference/remove.md

@@ -0,0 +1,45 @@
+<!--[metadata]>
++++
+title ="remove"
+description="Remove a DTR replica"
+keywords= ["docker, dtr, cli, remove"]
+[menu.main]
+parent="dtr_menu_reference"
+identifier="dtr_reference_remove"
++++
+<![end-metadata]-->
+
+# docker/dtr remove
+
+Remove a DTR replica
+
+## Usage
+
+```bash
+docker run -it --rm docker/dtr \
+    remove [command options]
+```
+
+## Description
+
+
+This command removes a replica from a DTR deployment. All DTR containers and
+volumes are removed from the node.
+
+
+## Options
+
+| Option                    | Description                |
+|:--------------------------|:---------------------------|
+|`--ucp-url`|The UCP URL including domain and port|
+|`--ucp-username`|The UCP administrator username|
+|`--ucp-password`|The UCP administrator password|
+|`--debug`|Enable debug mode for additional logging|
+|`--hub-username`|Username to use when pulling images|
+|`--hub-password`|Password to use when pulling images|
+|`--ucp-insecure-tls`|Disable TLS verification for UCP|
+|`--ucp-ca`|Use a PEM-encoded TLS CA certificate for UCP|
+|`--force-remove`|Force a DTR replica to be removed|
+|`--replica-id`|Assign an ID to the DTR replica. By default the ID is random|
+|`--existing-replica-id`|The ID of an existing DTR replica|
+