From 88f14ae4cc3884533e08ed433a460299f77a2624 Mon Sep 17 00:00:00 2001 
From: Maria Bermudez Date: Mon, 22 Apr 2019 18:20:04 -0600 Subject: [PATCH 1/6] Sync published with master (#8693) * Adding Azure note (#8566) * Adding Azure note * Rephrase additional line and update link * Revert "Netlify redirects interlock (#8595)" This reverts commit a7793edc746fc3374f1b4a637bf4d528dd2bbcef. * UCP Install on Azure Patch (#8522) * Fix grammar on the 2nd pre-req, and did markdown formatting on the rest :) * Correct Pod-CIDR Warning * Content cleanup Please check that I haven't changed the meaning of the updated prerequisites. * Create a new section on configuring the IP Count value, also responded to feedback from Follis, Steve R and Xinfeng. * Incorporated Steven F's feedback and Issue 8551 * Provide a warning when setting a small IP Count variable * Final edits * Update install-on-azure.md * Following feedback I have expanded on the 0644 azure.json file permissions and Added the --existing-config file to the UCP install command * Removed Orchestrator Tag Pre Req from Azure Docs * Clarifying need for 0644 permissions * Improved backup commands (#8597) * Improved backup commands DTR image backup command improvements: 1. Local and NFS mount image backup commands were invalid (incorrectly used -C flag). Replaced them with commands that work. 2. The new commands automatically populate the correct replica ID and add a datestamp to the backup filename. DTR Metadata backup command improvements: DTR metadata backups are more difficult than they need to be and generate many support tickets. I updated the DTR command to avoid common user pitfalls: 1. The prior metadata backup command was subject to user error. Improved the command to automatically collect the DTR version and select a replica. 2. Improved security of the command by automatically collecting UCP CA certificate for verification rather than using --ucp-insecure-tls flag. 3. Improved the backup filename by adding the backed-up version information and date of backup. 
Knowledge of the version information is required for restoring a backup. 4. Described these improvements for the user. Image backup commands were tested with local and NFS image storage. The metadata backup command was tested by running it directly on a DTR node and through a UCP client bundle with multiple replicas. * Technical and editorial review * More edits * line 8; remove unnecessary a (#8672) * line 8; remove unnecessary a * Minor edit * Updated the UCP Logging page to include UCP 3.1 screenshots (#8646) * Added examples (#8599) * Added examples Added examples with more detail and automation to help customers backup DTR without creating support tickets. * Linked to explanation of example command @omegamormegil I removed the example with prepopulated fields, as I think it doesn't add much, and will only add confusion. Users who need this much detail can run the basic command and follow the terminal prompts. We can re-add in a follow-up PR, if you think that example is crucial to this page. * Remove deadlink in the Interlock ToC (#8668) * Found a deadlink in the Interlock ToC * Added Redirect * Published (#8674) * add slack webhook to Jenkinsfile * make jenkinsfile serve private and public docs After a couple of Jenkins-based mix-ups it became obvious we needed a Jenkinsfile that would serve both public and private projects, that we could move between repos without worry. This Jenkinsfile knows which images to build and push and which swarm services to update because of the use of git_url and branch conditions. 
* Sync published with master (#8619) * Update install.md add note: 8 character password minimum length * Include Ubuntu version in Dockerfile more recent versions of Ubuntu don't work with the given Dockerfile * Updated the 3.1.4 release notes to include Centos 7.6 support * Remove redundant "be" * Update the "role-based access control" link On page "https://docs.docker.com/ee/ucp/user-access/", update the hyperlink "role-based access control" to point to "https://docs.docker.com/ee/ucp/authorization/" instead of "https://docs.docker.com/ee/access-control". * Add UCP user password limitation * Revert "Updated the UCP 3.1.4 release notes to include Centos 7.6 support" * Adding emphasis on Static IP requirement (#7276) * Adding emphasis on Static IP requirement We had a customer (00056641) who changed IPs like this all at once, and they are in a messy status. We should make it clear that static IP is absolutely required. ```***-ucp-0-dw original="10.15.89.6" updated="10.15.89.7" ***-ucp-1-dw original="10.15.89.5" updated="10.15.89.6" ***-ucp-2-dw original="10.15.89.7" updated="10.15.89.5" ``` * Link to prod requirement of static IP addresses * Adding warning about layer7 config (#8617) * Adding warning about layer7 config Adding warning about layer7 config not being included in the backup * Text edit * Sync published with master (#8673) * Revert "Netlify redirects interlock (#8595)" This reverts commit a7793edc746fc3374f1b4a637bf4d528dd2bbcef. * UCP Install on Azure Patch (#8522) * Fix grammar on the 2nd pre-req, and did markdown formatting on the rest :) * Correct Pod-CIDR Warning * Content cleanup Please check that I haven't changed the meaning of the updated prerequisites. * Create a new section on configuring the IP Count value, also responded to feedback from Follis, Steve R and Xinfeng. 
* Incorporated Steven F's feedback and Issue 8551 * Provide a warning when setting a small IP Count variable * Final edits * Update install-on-azure.md * Following feedback I have expanded on the 0644 azure.json file permissions and Added the --existing-config file to the UCP install command * Removed Orchestrator Tag Pre Req from Azure Docs * Clarifying need for 0644 permissions * Improved backup commands (#8597) * Improved backup commands DTR image backup command improvements: 1. Local and NFS mount image backup commands were invalid (incorrectly used -C flag). Replaced them with commands that work. 2. The new commands automatically populate the correct replica ID and add a datestamp to the backup filename. DTR Metadata backup command improvements: DTR metadata backups are more difficult than they need to be and generate many support tickets. I updated the DTR command to avoid common user pitfalls: 1. The prior metadata backup command was subject to user error. Improved the command to automatically collect the DTR version and select a replica. 2. Improved security of the command by automatically collecting UCP CA certificate for verification rather than using --ucp-insecure-tls flag. 3. Improved the backup filename by adding the backed-up version information and date of backup. Knowledge of the version information is required for restoring a backup. 4. Described these improvements for the user. Image backup commands were tested with local and NFS image storage. The metadata backup command was tested by running it directly on a DTR node and through a UCP client bundle with multiple replicas. * Technical and editorial review * More edits * line 8; remove unnecessary a (#8672) * line 8; remove unnecessary a * Minor edit * Updated the UCP Logging page to include UCP 3.1 screenshots (#8646) * Added examples (#8599) * Added examples Added examples with more detail and automation to help customers backup DTR without creating support tickets. 
* Linked to explanation of example command @omegamormegil I removed the example with prepopulated fields, as I think it doesn't add much, and will only add confusion. Users who need this much detail can run the basic command and follow the terminal prompts. We can re-add in a follow-up PR, if you think that example is crucial to this page. * Remove deadlink in the Interlock ToC (#8668) * Found a deadlink in the Interlock ToC * Added Redirect * Trying to fix command rendering of '--format "{{ .Names }}"' (#8678) * Trying to fix command rendering of '--format "{{ .Names }}"' --format "{{ .Names }}" is showing up in the markup but is rendering as --format "" in the published version. Added {% raw %} tags to try to fix. * Fixed heading inconsistency * Trying to fix command rendering of '--format "{{ .Names }}"' (#8677) * Trying to fix command rendering of '--format "{{ .Names }}"' --format "{{ .Names }}" is showing up in the markup but is rendering as --format "" in the published version. Added {% raw %} tags to try to fix. 
* Update concatenated to chained * Minor fix * interlock --> ucp-interlock (#8675) * interlock --> ucp-interlock * Fixed code samples - Use the latest UCP version and the latest ucp-interlock image - Leverage ucp page version Jekyll variable * Typo * Final syntax fix * Update backup.md * Removed Reference to Interlock Preview Image, and added relevant UCP Image Org and Tag * Fix syntax error which caused the master build to fail --- .../user/interlock/deploy/configuration-reference.md | 4 ++-- .../guides/user/interlock/usage/service-clusters.md | 10 +++++----- ee/dtr/admin/disaster-recovery/create-a-backup.md | 1 + ee/ucp/interlock/config/host-mode-networking.md | 6 +++--- ee/ucp/interlock/config/index.md | 4 ++-- ee/ucp/interlock/config/updates.md | 2 +- ee/ucp/interlock/deploy/index.md | 10 +++++----- ee/ucp/interlock/deploy/offline-install.md | 11 ++++++----- ee/ucp/interlock/usage/service-clusters.md | 2 +- 9 files changed, 26 insertions(+), 24 deletions(-) diff --git a/datacenter/ucp/3.0/guides/user/interlock/deploy/configuration-reference.md b/datacenter/ucp/3.0/guides/user/interlock/deploy/configuration-reference.md index daf93c97c3..ffdcfbf82b 100644 --- a/datacenter/ucp/3.0/guides/user/interlock/deploy/configuration-reference.md +++ b/datacenter/ucp/3.0/guides/user/interlock/deploy/configuration-reference.md @@ -22,11 +22,11 @@ PollInterval = "3s" [Extensions] [Extensions.default] - Image = "docker/ucp-interlock-extension:3.0.1" + Image = "{{ page.ucp_org }}/ucp-interlock-extension:{{ page.ucp_version }}" ServiceName = "ucp-interlock-extension" Args = [] Constraints = ["node.labels.com.docker.ucp.orchestrator.swarm==true", "node.platform.os==linux"] - ProxyImage = "docker/ucp-interlock-proxy:3.0.1" + ProxyImage = "{{ page.ucp_org }}/ucp-interlock-proxy:{{ page.ucp_version }}" ProxyServiceName = "ucp-interlock-proxy" ProxyConfigPath = "/etc/nginx/nginx.conf" ProxyReplicas = 2 
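Review bot: In datacenter/ucp/3.0/guides/user/interlock/deploy/configuration-reference.md the `Image` and `ProxyImage` values were pinned to `3.0.1` and now depend on `{{ page.ucp_org }}` and `{{ page.ucp_version }}`, but nothing in this hunk shows those variables being defined for the archived 3.0 tree. Please confirm that the front matter or defaults for this tree set both, and that `page.ucp_version` resolves to a 3.0.x tag there. An undefined Liquid variable renders as an empty string, which would publish an image reference such as `/ucp-interlock-extension:` for readers to copy into their config.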
diff --git a/datacenter/ucp/3.0/guides/user/interlock/usage/service-clusters.md b/datacenter/ucp/3.0/guides/user/interlock/usage/service-clusters.md index b5baf30a55..c2d1f2ce9d 100644 --- a/datacenter/ucp/3.0/guides/user/interlock/usage/service-clusters.md +++ b/datacenter/ucp/3.0/guides/user/interlock/usage/service-clusters.md @@ -49,10 +49,10 @@ PollInterval = "3s" [Extensions] [Extensions.us-east] - Image = "interlockpreview/interlock-extension-nginx:2.0.0-preview" + Image = "{{ page.ucp_org }}/ucp-interlock-extension:{{ page.ucp_version }}" Args = ["-D"] ServiceName = "interlock-ext-us-east" - ProxyImage = "nginx:alpine" + ProxyImage = "{{ page.ucp_org }}/ucp-interlock-proxy:{{ page.ucp_version }}" ProxyArgs = [] ProxyServiceName = "interlock-proxy-us-east" ProxyConfigPath = "/etc/nginx/nginx.conf" @@ -74,10 +74,10 @@ PollInterval = "3s" proxy_region = "us-east" [Extensions.us-west] - Image = "interlockpreview/interlock-extension-nginx:2.0.0-preview" + Image = "{{ page.ucp_org }}/ucp-interlock-extension:{{ page.ucp_version }}" Args = ["-D"] ServiceName = "interlock-ext-us-west" - ProxyImage = "nginx:alpine" + ProxyImage = "{{ page.ucp_org }}/ucp-interlock-proxy:{{ page.ucp_version }}" ProxyArgs = [] ProxyServiceName = "interlock-proxy-us-west" ProxyConfigPath = "/etc/nginx/nginx.conf" @@ -119,7 +119,7 @@ $> docker service create \ --network interlock \ --constraint node.role==manager \ --config src=service.interlock.conf,target=/config.toml \ - interlockpreview/interlock:2.0.0-preview -D run -c /config.toml + { page.ucp_org }}/ucp-interlock:{{ page.ucp_version }} -D run -c /config.toml sjpgq7h621exno6svdnsvpv9z ``` diff --git a/ee/dtr/admin/disaster-recovery/create-a-backup.md b/ee/dtr/admin/disaster-recovery/create-a-backup.md index 38b0902e7b..ed26b99be3 100644 --- a/ee/dtr/admin/disaster-recovery/create-a-backup.md +++ b/ee/dtr/admin/disaster-recovery/create-a-backup.md 
@@ -132,6 +132,7 @@ recommended for that system. To create a DTR backup, load your UCP client bundle, and run the following chained commands: +{% raw %} ```none DTR_VERSION=$(docker container inspect $(docker container ps -f name=dtr-registry -q) | \ grep -m1 -Po '(?<=DTR_VERSION=)\d.\d.\d'); \ diff --git a/ee/ucp/interlock/config/host-mode-networking.md b/ee/ucp/interlock/config/host-mode-networking.md index 152fb7b97a..2307f095a4 100644 --- a/ee/ucp/interlock/config/host-mode-networking.md +++ b/ee/ucp/interlock/config/host-mode-networking.md @@ -143,10 +143,10 @@ PollInterval = "3s" [Extensions] [Extensions.default] - Image = "interlockpreview/interlock-extension-nginx:2.0.0-preview" + Image = "{{ page.ucp_org }}/ucp-interlock-extension:{{ page.ucp_version }}" Args = [] ServiceName = "interlock-ext" - ProxyImage = "nginx:alpine" + ProxyImage = "{{ page.ucp_org }}/ucp-interlock-proxy:{{ page.ucp_version }}" ProxyArgs = [] ProxyServiceName = "interlock-proxy" ProxyConfigPath = "/etc/nginx/nginx.conf" @@ -177,7 +177,7 @@ $> docker service create \ --constraint node.role==manager \ --publish mode=host,target=8080 \ --config src=service.interlock.conf,target=/config.toml \ - interlockpreview/interlock:2.0.0-preview -D run -c /config.toml + { page.ucp_org }}/ucp-interlock:{{ page.ucp_version }} -D run -c /config.toml sjpgq7h621exno6svdnsvpv9z ``` diff --git a/ee/ucp/interlock/config/index.md b/ee/ucp/interlock/config/index.md index e38ba7bc4b..f531e28952 100644 --- a/ee/ucp/interlock/config/index.md +++ b/ee/ucp/interlock/config/index.md 
@@ -173,10 +173,10 @@ DockerURL = "unix:///var/run/docker.sock" PollInterval = "3s" [Extensions.default] - Image = "docker/interlock-extension-nginx:latest" + Image = "{{ page.ucp_org }}/interlock-extension-nginx:{{ page.ucp_version }}" Args = ["-D"] ServiceName = "interlock-ext" - ProxyImage = "nginx:alpine" + ProxyImage = "{{ page.ucp_org }}/ucp-interlock-proxy:{{ page.ucp_version }}" ProxyArgs = [] ProxyServiceName = "interlock-proxy" ProxyConfigPath = "/etc/nginx/nginx.conf" diff --git a/ee/ucp/interlock/config/updates.md b/ee/ucp/interlock/config/updates.md index 44cc163f0f..cca9967d0b 100644 --- a/ee/ucp/interlock/config/updates.md +++ b/ee/ucp/interlock/config/updates.md @@ -84,6 +84,6 @@ performs a rolling deploy to update all extensions. ```bash $> docker service update \ - --image docker/ucp-interlock:{{ page.ucp_version }} \ + --image { page.ucp_org }}/ucp-interlock:{{ page.ucp_version }} \ ucp-interlock ``` diff --git a/ee/ucp/interlock/deploy/index.md b/ee/ucp/interlock/deploy/index.md index f282b28c64..0843ad7719 100644 --- a/ee/ucp/interlock/deploy/index.md +++ b/ee/ucp/interlock/deploy/index.md @@ -134,9 +134,9 @@ PollInterval = "3s" [Extensions] [Extensions.default] - Image = "interlockpreview/interlock-extension-nginx:2.0.0-preview" + Image = "{{ page.ucp_org }}/ucp-interlock-extension:{{ page.ucp_version }}" Args = ["-D"] - ProxyImage = "nginx:alpine" + ProxyImage = "{{ page.ucp_org }}/ucp-interlock-proxy:{{ page.ucp_version }}" ProxyArgs = [] ProxyConfigPath = "/etc/nginx/nginx.conf" ProxyReplicas = 1 @@ -178,7 +178,7 @@ $> docker service create \ --network interlock \ --constraint node.role==manager \ --config src=service.interlock.conf,target=/config.toml \ - interlockpreview/interlock:2.0.0-preview -D run -c /config.toml + {{ page.ucp_org }}/ucp-interlock:{{ page.ucp_version }} -D run -c /config.toml sjpgq7h621exno6svdnsvpv9z ``` 
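Review bot: The new `Image` value in ee/ucp/interlock/config/index.md (@@ -173,10 +173,10) keeps the old repository name, `{{ page.ucp_org }}/interlock-extension-nginx:{{ page.ucp_version }}`, while every other hunk in this patch switches the extension image to `ucp-interlock-extension`. If the image was renamed together with the org, this line should read `{{ page.ucp_org }}/ucp-interlock-extension:{{ page.ucp_version }}`; if the old name is intentional here, a short comment in the sample saying why would prevent the next cleanup from "fixing" it.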
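Review bot: Missing opening brace in the Liquid tag on the added `--image` line of ee/ucp/interlock/config/updates.md (@@ -84,6 +84,6): it reads `{ page.ucp_org }}/ucp-interlock:{{ page.ucp_version }}`, so the tag is malformed and will not render as the organization name in the command readers copy. It should start with `{{ page.ucp_org }}`, as the equivalent line in ee/ucp/interlock/deploy/index.md (@@ -178,7 +178,7) already does. The same one-brace typo is on the added image line of the `docker service create` examples in ee/ucp/interlock/config/host-mode-networking.md (@@ -177,7 +177,7) and datacenter/ucp/3.0/guides/user/interlock/usage/service-clusters.md (@@ -119,7 +119,7).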
@@ -189,8 +189,8 @@ one for the extension service, and one for the proxy service: $> docker service ls ID NAME MODE REPLICAS IMAGE PORTS lheajcskcbby modest_raman replicated 1/1 nginx:alpine *:80->80/tcp *:443->443/tcp -oxjvqc6gxf91 keen_clarke replicated 1/1 interlockpreview/interlock-extension-nginx:2.0.0-preview -sjpgq7h621ex interlock replicated 1/1 interlockpreview/interlock:2.0.0-preview +oxjvqc6gxf91 keen_clarke replicated 1/1 {{ page.ucp_org }}/ucp-interlock-extension:{{ page.ucp_version }} +sjpgq7h621ex interlock replicated 1/1 {{ page.ucp_org }}/ucp-interlock:{{ page.ucp_version }} ``` The Interlock traffic layer is now deployed. diff --git a/ee/ucp/interlock/deploy/offline-install.md b/ee/ucp/interlock/deploy/offline-install.md index 4b27f8c4c5..c9b9d49b5e 100644 --- a/ee/ucp/interlock/deploy/offline-install.md +++ b/ee/ucp/interlock/deploy/offline-install.md @@ -10,13 +10,14 @@ engine and then loading them to the Docker Swarm cluster. First, using an existing Docker engine, save the images: ```bash -$> docker save docker/interlock:latest > interlock.tar -$> docker save docker/interlock-extension-nginx:latest > interlock-extension-nginx.tar -$> docker save nginx:alpine > nginx.tar +$> docker save {{ page.ucp_org }}/ucp-interlock:{{ page.ucp_version }} > interlock.tar +$> docker save {{ page.ucp_org }}/ucp-interlock-extension:{{ page.ucp_version }} > interlock-extension-nginx.tar +$> docker save {{ page.ucp_org }}/ucp-interlock-proxy:{{ page.ucp_version }} > nginx.tar ``` -Note: replace `docker/interlock-extension-nginx:latest` and `nginx:alpine` with the corresponding -extension and proxy image if you are not using Nginx. +Note: replace `{{ page.ucp_org }}/ucp-interlock-extension:{{ page.ucp_version +}}` and `{{ page.ucp_org }}/ucp-interlock-proxy:{{ page.ucp_version }}` with the +corresponding extension and proxy image if you are not using Nginx. You should have the following two files: 
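Review bot: The sample `docker service ls` output in ee/ucp/interlock/deploy/index.md (@@ -189,8 +189,8) is only half updated: the unchanged `modest_raman` row still shows the proxy service running `nginx:alpine`, while the config earlier in the same file (@@ -134,9 +134,9) now sets `ProxyImage` to `{{ page.ucp_org }}/ucp-interlock-proxy:{{ page.ucp_version }}`. Update that row as well so the expected output matches what the documented config deploys.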
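Review bot: In ee/ucp/interlock/deploy/offline-install.md (@@ -10,13 +10,14) the three `docker save` commands are followed by the unchanged context line "You should have the following two files:", so the count does not match the number of archives produced; since this hunk already rewrites the block, fix the count here too. Style: the rewrapped Note splits `{{ page.ucp_version }}` across a line break inside a backticked span, which is harder to read and to grep for; keep each Liquid tag on one line.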
diff --git a/ee/ucp/interlock/usage/service-clusters.md b/ee/ucp/interlock/usage/service-clusters.md index 181ad9bcfb..3f0432f3f9 100644 --- a/ee/ucp/interlock/usage/service-clusters.md +++ b/ee/ucp/interlock/usage/service-clusters.md @@ -161,7 +161,7 @@ PollInterval = "3s" Image = "{{ page.ucp_org }}/ucp-interlock-extension:{{ page.ucp_version }}" Args = [] ServiceName = "ucp-interlock-extension-us-west" - ProxyImage = "docker/ucp-interlock-proxy:3.1.2" + ProxyImage = "{{ page.ucp_org }}/ucp-interlock-proxy:{{ page.ucp_version }}" ProxyArgs = [] ProxyServiceName = "ucp-interlock-proxy-us-west" ProxyConfigPath = "/etc/nginx/nginx.conf" From 145eab42c11c7aff17369ff14c478cb8ec85c723 Mon Sep 17 00:00:00 2001 
From: Maria Bermudez Date: Mon, 22 Apr 2019 18:53:09 -0600 Subject: [PATCH 2/6] Sync published with master (#8695) * Sync published with master (#8693) (#8694) * Adding Azure note (#8566) * Adding Azure note * Rephrase additional line and update link * Revert "Netlify redirects interlock (#8595)" This reverts commit a7793edc746fc3374f1b4a637bf4d528dd2bbcef. * UCP Install on Azure Patch (#8522) * Fix grammar on the 2nd pre-req, and did markdown formatting on the rest :) * Correct Pod-CIDR Warning * Content cleanup Please check that I haven't changed the meaning of the updated prerequisites. * Create a new section on configuring the IP Count value, also responded to feedback from Follis, Steve R and Xinfeng. * Incorporated Steven F's feedback and Issue 8551 * Provide a warning when setting a small IP Count variable * Final edits * Update install-on-azure.md * Following feedback I have expanded on the 0644 azure.json file permissions and Added the --existing-config file to the UCP install command * Removed Orchestrator Tag Pre Req from Azure Docs * Clarifying need for 0644 permissions * Improved backup commands (#8597) * Improved backup commands DTR image backup command improvements: 1. Local and NFS mount image backup commands were invalid (incorrectly used -C flag). Replaced them with commands that work. 2. The new commands automatically populate the correct replica ID and add a datestamp to the backup filename. DTR Metadata backup command improvements: DTR metadata backups are more difficult than they need to be and generate many support tickets. I updated the DTR command to avoid common user pitfalls: 1. The prior metadata backup command was subject to user error. Improved the command to automatically collect the DTR version and select a replica. 2. Improved security of the command by automatically collecting UCP CA certificate for verification rather than using --ucp-insecure-tls flag. 3. 
Improved the backup filename by adding the backed-up version information and date of backup. Knowledge of the version information is required for restoring a backup. 4. Described these improvements for the user. Image backup commands were tested with local and NFS image storage. The metadata backup command was tested by running it directly on a DTR node and through a UCP client bundle with multiple replicas. * Technical and editorial review * More edits * line 8; remove unnecessary a (#8672) * line 8; remove unnecessary a * Minor edit * Updated the UCP Logging page to include UCP 3.1 screenshots (#8646) * Added examples (#8599) * Added examples Added examples with more detail and automation to help customers backup DTR without creating support tickets. * Linked to explanation of example command @omegamormegil I removed the example with prepopulated fields, as I think it doesn't add much, and will only add confusion. Users who need this much detail can run the basic command and follow the terminal prompts. We can re-add in a follow-up PR, if you think that example is crucial to this page. * Remove deadlink in the Interlock ToC (#8668) * Found a deadlink in the Interlock ToC * Added Redirect * Published (#8674) * add slack webhook to Jenkinsfile * make jenkinsfile serve private and public docs After a couple of Jenkins-based mix-ups it became obvious we needed a Jenkinsfile that would serve both public and private projects, that we could move between repos without worry. This Jenkinsfile knows which images to build and push and which swarm services to update because of the use of git_url and branch conditions. 
* Sync published with master (#8619) * Update install.md add note: 8 character password minimum length * Include Ubuntu version in Dockerfile more recent versions of Ubuntu don't work with the given Dockerfile * Updated the 3.1.4 release notes to include Centos 7.6 support * Remove redundant "be" * Update the "role-based access control" link On page "https://docs.docker.com/ee/ucp/user-access/", update the hyperlink "role-based access control" to point to "https://docs.docker.com/ee/ucp/authorization/" instead of "https://docs.docker.com/ee/access-control". * Add UCP user password limitation * Revert "Updated the UCP 3.1.4 release notes to include Centos 7.6 support" * Adding emphasis on Static IP requirement (#7276) * Adding emphasis on Static IP requirement We had a customer (00056641) who changed IPs like this all at once, and they are in a messy status. We should make it clear that static IP is absolutely required. ```***-ucp-0-dw original="10.15.89.6" updated="10.15.89.7" ***-ucp-1-dw original="10.15.89.5" updated="10.15.89.6" ***-ucp-2-dw original="10.15.89.7" updated="10.15.89.5" ``` * Link to prod requirement of static IP addresses * Adding warning about layer7 config (#8617) * Adding warning about layer7 config Adding warning about layer7 config not being included in the backup * Text edit * Sync published with master (#8673) * Revert "Netlify redirects interlock (#8595)" This reverts commit a7793edc746fc3374f1b4a637bf4d528dd2bbcef. * UCP Install on Azure Patch (#8522) * Fix grammar on the 2nd pre-req, and did markdown formatting on the rest :) * Correct Pod-CIDR Warning * Content cleanup Please check that I haven't changed the meaning of the updated prerequisites. * Create a new section on configuring the IP Count value, also responded to feedback from Follis, Steve R and Xinfeng. 
* Incorporated Steven F's feedback and Issue 8551 * Provide a warning when setting a small IP Count variable * Final edits * Update install-on-azure.md * Following feedback I have expanded on the 0644 azure.json file permissions and Added the --existing-config file to the UCP install command * Removed Orchestrator Tag Pre Req from Azure Docs * Clarifying need for 0644 permissions * Improved backup commands (#8597) * Improved backup commands DTR image backup command improvements: 1. Local and NFS mount image backup commands were invalid (incorrectly used -C flag). Replaced them with commands that work. 2. The new commands automatically populate the correct replica ID and add a datestamp to the backup filename. DTR Metadata backup command improvements: DTR metadata backups are more difficult than they need to be and generate many support tickets. I updated the DTR command to avoid common user pitfalls: 1. The prior metadata backup command was subject to user error. Improved the command to automatically collect the DTR version and select a replica. 2. Improved security of the command by automatically collecting UCP CA certificate for verification rather than using --ucp-insecure-tls flag. 3. Improved the backup filename by adding the backed-up version information and date of backup. Knowledge of the version information is required for restoring a backup. 4. Described these improvements for the user. Image backup commands were tested with local and NFS image storage. The metadata backup command was tested by running it directly on a DTR node and through a UCP client bundle with multiple replicas. * Technical and editorial review * More edits * line 8; remove unnecessary a (#8672) * line 8; remove unnecessary a * Minor edit * Updated the UCP Logging page to include UCP 3.1 screenshots (#8646) * Added examples (#8599) * Added examples Added examples with more detail and automation to help customers backup DTR without creating support tickets. 
* Linked to explanation of example command @omegamormegil I removed the example with prepopulated fields, as I think it doesn't add much, and will only add confusion. Users who need this much detail can run the basic command and follow the terminal prompts. We can re-add in a follow-up PR, if you think that example is crucial to this page. * Remove deadlink in the Interlock ToC (#8668) * Found a deadlink in the Interlock ToC * Added Redirect * Trying to fix command rendering of '--format "{{ .Names }}"' (#8678) * Trying to fix command rendering of '--format "{{ .Names }}"' --format "{{ .Names }}" is showing up in the markup but is rendering as --format "" in the published version. Added {% raw %} tags to try to fix. * Fixed heading inconsistency * Trying to fix command rendering of '--format "{{ .Names }}"' (#8677) * Trying to fix command rendering of '--format "{{ .Names }}"' --format "{{ .Names }}" is showing up in the markup but is rendering as --format "" in the published version. Added {% raw %} tags to try to fix. * Update concatenated to chained * Minor fix * interlock --> ucp-interlock (#8675) * interlock --> ucp-interlock * Fixed code samples - Use the latest UCP version and the latest ucp-interlock image - Leverage ucp page version Jekyll variable * Typo * Final syntax fix * Update backup.md * Removed Reference to Interlock Preview Image, and added relevant UCP Image Org and Tag * Fix syntax error which caused the master build to fail * docs: fix typo in removal of named volumes (#8686) --- storage/volumes.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/storage/volumes.md b/storage/volumes.md index b3472f7680..1c5b42c570 100644 --- a/storage/volumes.md +++ b/storage/volumes.md 
@@ -512,7 +512,7 @@ testing using your preferred tools. A Docker data volume persists after a container is deleted. There are two types of volumes to consider: -- **Named volumes** have a specific source form outside the container, for example `awesome:/bar`. +- **Named volumes** have a specific source from outside the container, for example `awesome:/bar`. - **Anonymous volumes** have no specific source so when the container is deleted, instruct the Docker Engine daemon to remove them. ### Remove anonymous volumes From 04601b4e137e60b4628fddd0d164394356298baf Mon Sep 17 00:00:00 2001 
From: Maria Bermudez Date: Tue, 23 Apr 2019 18:01:31 -0600 Subject: [PATCH 3/6] Sync published with master (#8709) * Sync published with master (#8693) (#8694) * Adding Azure note (#8566) * Rephrase additional line and update link * Revert "Netlify redirects interlock (#8595)" This reverts commit a7793edc746fc3374f1b4a637bf4d528dd2bbcef. * UCP Install on Azure Patch (#8522) * Improved backup commands (#8597) * Improved backup commands DTR image backup command improvements: 1. Local and NFS mount image backup commands were invalid (incorrectly used -C flag). Replaced them with commands that work. 2. The new commands automatically populate the correct replica ID and add a datestamp to the backup filename. DTR Metadata backup command improvements: DTR metadata backups are more difficult than they need to be and generate many support tickets. I updated the DTR command to avoid common user pitfalls: 1. The prior metadata backup command was subject to user error. Improved the command to automatically collect the DTR version and select a replica. 2. Improved security of the command by automatically collecting UCP CA certificate for verification rather than using --ucp-insecure-tls flag. 3. Improved the backup filename by adding the backed-up version information and date of backup. Knowledge of the version information is required for restoring a backup. 4. Described these improvements for the user. Image backup commands were tested with local and NFS image storage. The metadata backup command was tested by running it directly on a DTR node and through a UCP client bundle with multiple replicas. * Technical and editorial review * More edits * line 8; remove unnecessary a (#8672) * line 8; remove unnecessary a * Minor edit * Updated the UCP Logging page to include UCP 3.1 screenshots (#8646) * Added examples (#8599) * Added examples Added examples with more detail and automation to help customers backup DTR without creating support tickets. 
* Linked to explanation of example command @omegamormegil I removed the example with prepopulated fields, as I think it doesn't add much, and will only add confusion. Users who need this much detail can run the basic command and follow the terminal prompts. We can re-add in a follow-up PR, if you think that example is crucial to this page. * Remove deadlink in the Interlock ToC (#8668) * Found a deadlink in the Interlock ToC * Added Redirect * Published (#8674) * add slack webhook to Jenkinsfile * make jenkinsfile serve private and public docs After a couple of Jenkins-based mix-ups it became obvious we needed a Jenkinsfile that would serve both public and private projects, that we could move between repos without worry. This Jenkinsfile knows which images to build and push and which swarm services to update because of the use of git_url and branch conditions. * Sync published with master (#8619) * Update install.md add note: 8 character password minimum length * Include Ubuntu version in Dockerfile more recent versions of Ubuntu don't work with the given Dockerfile * Updated the 3.1.4 release notes to include Centos 7.6 support * Remove redundant "be" * Update the "role-based access control" link On page "https://docs.docker.com/ee/ucp/user-access/", update the hyperlink "role-based access control" to point to "https://docs.docker.com/ee/ucp/authorization/" instead of "https://docs.docker.com/ee/access-control". * Add UCP user password limitation * Revert "Updated the UCP 3.1.4 release notes to include Centos 7.6 support" * Adding emphasis on Static IP requirement (#7276) * Adding emphasis on Static IP requirement We had a customer (00056641) who changed IPs like this all at once, and they are in a messy status. We should make it clear that static IP is absolutely required. 
```***-ucp-0-dw original="10.15.89.6" updated="10.15.89.7" ***-ucp-1-dw original="10.15.89.5" updated="10.15.89.6" ***-ucp-2-dw original="10.15.89.7" updated="10.15.89.5" ``` * Link to prod requirement of static IP addresses * Adding warning about layer7 config (#8617) * Adding warning about layer7 config Adding warning about layer7 config not being included in the backup * Text edit * Sync published with master (#8673) * Revert "Netlify redirects interlock (#8595)" This reverts commit a7793edc746fc3374f1b4a637bf4d528dd2bbcef. * UCP Install on Azure Patch (#8522) * Improved backup commands (#8597) * line 8; remove unnecessary a (#8672) * Updated the UCP Logging page to include UCP 3.1 screenshots (#8646) * Added examples (#8599) * Remove deadlink in the Interlock ToC (#8668) * Trying to fix command rendering of '--format "{{ .Names }}"' (#8678) * interlock --> ucp-interlock (#8675) * Fixed code samples - Use the latest UCP version and the latest ucp-interlock image - Leverage ucp page version Jekyll variable * Typo * Final syntax fix * Update backup.md * Removed Reference to Interlock Preview Image, and added relevant UCP Image Org and Tag * Fix syntax error which caused the master build to fail * docs: fix typo in removal of named volumes (#8686) * Updated the ToC for Upgrading Interlock * Update index.md (#8690) Fix typo - missing word. * Update bind-mounts.md (#8696) * Minor edits (#8708) * Minor edits - Standardized setting of replica ID as per @caervs - Fix broken link * Consistency edits - Standardized setting of replica ID - Added note that this command only works on Linux * Standardize replica setting - Update commands for creating tar files for local and NFS-mounted images --- _data/toc.yaml | 2 +- ee/dtr/admin/disaster-recovery/create-a-backup.md | 15 +++++++-------- reference/dtr/2.6/cli/backup.md | 7 ++++--- storage/bind-mounts.md | 4 ++-- storage/index.md | 2 +- 5 files changed, 15 insertions(+), 15 deletions(-) 
diff --git a/_data/toc.yaml b/_data/toc.yaml index 67f7982d67..3b125c6b0b 100644 --- a/_data/toc.yaml +++ b/_data/toc.yaml @@ -1318,7 +1318,7 @@ manuals: - title: Offline installation path: /ee/ucp/interlock/deploy/offline-install/ - title: Layer 7 routing upgrade - path: /ee/ucp/interlock/upgrade/ + path: /ee/ucp/interlock/deploy/upgrade/ - sectiontitle: Configuration section: - title: Configure your deployment diff --git a/ee/dtr/admin/disaster-recovery/create-a-backup.md b/ee/dtr/admin/disaster-recovery/create-a-backup.md index ed26b99be3..95373f2f77 100644 --- a/ee/dtr/admin/disaster-recovery/create-a-backup.md +++ b/ee/dtr/admin/disaster-recovery/create-a-backup.md @@ -103,8 +103,7 @@ and creating a `tar` archive of the [dtr-registry volume](../../architecture.md) {% raw %} ```none sudo tar -cf dtr-image-backup-$(date +%Y%m%d-%H_%M_%S).tar \ - /var/lib/docker/volumes/dtr-registry-$(docker ps --filter name=dtr-rethinkdb \ - --format "{{ .Names }}" | sed 's/dtr-rethinkdb-//') +/var/lib/docker/volumes/dtr-registry-$(docker inspect -f '{{.Name}}' $(docker ps -q -f name=dtr-rethink) | cut -f 3 -d '-') ``` {% endraw %} @@ -113,8 +112,7 @@ sudo tar -cf dtr-image-backup-$(date +%Y%m%d-%H_%M_%S).tar \ {% raw %} ```none sudo tar -cf dtr-image-backup-$(date +%Y%m%d-%H_%M_%S).tar \ - /var/lib/docker/volumes/dtr-registry-nfs-$(docker ps --filter name=dtr-rethinkdb \ - --format "{{ .Names }}" | sed 's/dtr-rethinkdb-//') + /var/lib/docker/volumes/dtr-registry-nfs-$(docker inspect -f '{{.Name}}' $(docker ps -q -f name=dtr-rethink) | cut -f 3 -d '-') ``` {% endraw %} 
@@ -130,14 +128,15 @@ recommended for that system. ### Back up DTR metadata To create a DTR backup, load your UCP client bundle, and run the following -chained commands: +command. + +#### Chained commands (Linux only) {% raw %} ```none DTR_VERSION=$(docker container inspect $(docker container ps -f name=dtr-registry -q) | \ grep -m1 -Po '(?<=DTR_VERSION=)\d.\d.\d'); \ -REPLICA_ID=$(docker ps --filter name=dtr-rethinkdb --format "{{ .Names }}" | head -1 | \ - sed 's|.*/||' | sed 's/dtr-rethinkdb-//'); \ +REPLICA_ID=$(docker inspect -f '{{.Name}}' $(docker ps -q -f name=dtr-rethink) | cut -f 3 -d '-')); \ read -p 'ucp-url (The UCP URL including domain and port): ' UCP_URL; \ read -p 'ucp-username (The UCP administrator username): ' UCP_ADMIN; \ read -sp 'ucp password: ' UCP_PASSWORD; \ @@ -168,7 +167,7 @@ flag with `--ucp-insecure-tls`. Docker does not recommend this flag for producti 5. Includes DTR version and timestamp to your `tar` backup file. You can learn more about the supported flags in -the [reference documentation](/reference/dtr/2.6/cli/backup.md). +the [DTR backup reference documentation](/reference/dtr/2.6/cli/backup.md). By default, the backup command does not pause the DTR replica being backed up to prevent interruptions of user access to DTR. Since the replica diff --git a/reference/dtr/2.6/cli/backup.md b/reference/dtr/2.6/cli/backup.md index 3c0e213dcb..17b2a5de76 100644 --- a/reference/dtr/2.6/cli/backup.md +++ b/reference/dtr/2.6/cli/backup.md 
@@ -26,12 +26,13 @@ docker run -i --rm --log-driver none docker/dtr:{{ page.dtr_version }} \ #### Advanced (with chained commands) +The following command has been tested on Linux: + {% raw %} ```none DTR_VERSION=$(docker container inspect $(docker container ps -f \ name=dtr-registry -q) | grep -m1 -Po '(?<=DTR_VERSION=)\d.\d.\d'); \ -REPLICA_ID=$(docker ps --filter name=dtr-rethinkdb \ - --format "{{ .Names }}" | head -1 | sed 's|.*/||' | sed 's/dtr-rethinkdb-//'); \ +REPLICA_ID=$(docker inspect -f '{{.Name}}' $(docker ps -q -f name=dtr-rethink) | cut -f 3 -d '-')); \ read -p 'ucp-url (The UCP URL including domain and port): ' UCP_URL; \ read -p 'ucp-username (The UCP administrator username): ' UCP_ADMIN; \ read -sp 'ucp password: ' UCP_PASSWORD; \ @@ -47,7 +48,7 @@ docker run --log-driver none -i --rm \ {% endraw %} For a detailed explanation on the advanced example, see -[Back up your DTR metadata](ee/dtr/admin/disaster-recovery/create-a-backup/#back-up-dtr-metadata). +[Back up your DTR metadata](/ee/dtr/admin/disaster-recovery/create-a-backup/#back-up-dtr-metadata). To learn more about the `--log-driver` option for `docker run`, see [docker run reference](/engine/reference/run/#logging-drivers---log-driver). ## Description diff --git a/storage/bind-mounts.md b/storage/bind-mounts.md index c8d69fd266..d20ca5f742 100644 --- a/storage/bind-mounts.md +++ b/storage/bind-mounts.md @@ -23,7 +23,7 @@ manage bind mounts. ![bind mounts on the Docker host](images/types-of-mounts-bind.png) -## Choosing the -v or --mount flag +## Choose the -v or --mount flag Originally, the `-v` or `--volume` flag was used for standalone containers and the `--mount` flag was used for swarm services. However, starting with Docker 
@@ -159,7 +159,7 @@ $ docker container stop devtest $ docker container rm devtest ``` -### Mounting into a non-empty directory on the container +### Mount into a non-empty directory on the container If you bind-mount into a non-empty directory on the container, the directory's existing contents are obscured by the bind mount. This can be beneficial, diff --git a/storage/index.md b/storage/index.md index 47a8d076b7..a82609311a 100644 --- a/storage/index.md +++ b/storage/index.md @@ -100,7 +100,7 @@ mounts is to think about where the data lives on the Docker host. information. For instance, internally, swarm services use `tmpfs` mounts to mount [secrets](/engine/swarm/secrets.md) into a service's containers. -Bind mounts and volumes can both mounted into containers using the `-v` or +Bind mounts and volumes can both be mounted into containers using the `-v` or `--volume` flag, but the syntax for each is slightly different. For `tmpfs` mounts, you can use the `--tmpfs` flag. However, in Docker 17.06 and higher, we recommend using the `--mount` flag for both containers and services, for From ea559a29bbf7623660419944df74e4b84fd450c4 Mon Sep 17 00:00:00 2001 
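Review bot: In ee/dtr/admin/disaster-recovery/create-a-backup.md, the image backup hunks at -103 and -113, the new path line for local storage starts at column 0 (`+/var/lib/docker/volumes/dtr-registry-$(...`) while the NFS variant keeps its leading space, so the two rendered commands will not line up; indent both continuation lines the same way. Both lines also loosen the filter from `name=dtr-rethinkdb` to `name=dtr-rethink`, and the name filter is a substring match. If more than one container matches, `docker inspect` prints one name per line and the substitution expands to more than one word in the `tar` arguments. Consider keeping `name=dtr-rethinkdb` and piping through `head -1`, as the removed REPLICA_ID line in the metadata command did.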
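Review bot: In ee/dtr/admin/disaster-recovery/create-a-backup.md, the metadata hunk at -130, the new REPLICA_ID line ends in `cut -f 3 -d '-'));` with one closing parenthesis too many. The first `)` after `'-'` already closes the outer `$(`, so the second is unmatched and the shell will reject the whole chained command with a syntax error. Drop the extra `)`. The rewrite also removes the `head -1` that the old line had, so when several rethinkdb containers are visible REPLICA_ID holds several IDs instead of one; put `| head -1` back before `cut`, or state in the text that exactly one replica is expected.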
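Review bot: In reference/dtr/2.6/cli/backup.md, the hunk at -26, the added REPLICA_ID line is a copy of the one in create-a-backup.md and carries the same unmatched `)` at the end of `cut -f 3 -d '-'));`, so it needs the same fix in both places. The platform caveat is also worded differently on the two pages: this one says "The following command has been tested on Linux:" while create-a-backup.md uses the heading "Chained commands (Linux only)". Pick one wording so readers do not have to guess whether other platforms are untested or unsupported.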
From: Maria Bermudez Date: Thu, 25 Apr 2019 17:18:54 -0600 Subject: [PATCH 4/6] Sync published with master (#8727) * Sync published with master (#8693) (#8694) * Adding Azure note (#8566) * Revert "Netlify redirects interlock (#8595)" * UCP Install on Azure Patch (#8522) * Removed Orchestrator Tag Pre Req from Azure Docs * Clarifying need for 0644 permissions * Improved backup commands (#8597) * Improved backup commands DTR image backup command improvements: 1. Local and NFS mount image backup commands were invalid (incorrectly used -C flag). Replaced them with commands that work. 2. The new commands automatically populate the correct replica ID and add a datestamp to the backup filename. DTR Metadata backup command improvements: DTR metadata backups are more difficult than they need to be and generate many support tickets. I updated the DTR command to avoid common user pitfalls: 1. The prior metadata backup command was subject to user error. Improved the command to automatically collect the DTR version and select a replica. 2. Improved security of the command by automatically collecting UCP CA certificate for verification rather than using --ucp-insecure-tls flag. 3. Improved the backup filename by adding the backed-up version information and date of backup. Knowledge of the version information is required for restoring a backup. 4. Described these improvements for the user. Image backup commands were tested with local and NFS image storage. The metadata backup command was tested by running it directly on a DTR node and through a UCP client bundle with multiple replicas. * Technical and editorial review * More edits * line 8; remove unnecessary a (#8672) * line 8; remove unnecessary a * Minor edit * Updated the UCP Logging page to include UCP 3.1 screenshots (#8646) * Added examples (#8599) * Added examples Added examples with more detail and automation to help customers backup DTR without creating support tickets. 
* Linked to explanation of example command @omegamormegil I removed the example with prepopulated fields, as I think it doesn't add much, and will only add confusion. Users who need this much detail can run the basic command and follow the terminal prompts. We can re-add in a follow-up PR, if you think that example is crucial to this page. * Remove deadlink in the Interlock ToC (#8668) * Found a deadlink in the Interlock ToC * Added Redirect * Published (#8674) * add slack webhook to Jenkinsfile * make jenkinsfile serve private and public docs After a couple of Jenkins-based mix-ups it became obvious we needed a Jenkinsfile that would serve both public and private projects, that we could move between repos without worry. This Jenkinsfile knows which images to build and push and which swarm services to update because of the use of git_url and branch conditions. * Sync published with master (#8619) * Update install.md add note: 8 character password minimum length * Include Ubuntu version in Dockerfile more recent versions of Ubuntu don't work with the given Dockerfile * Updated the 3.1.4 release notes to include Centos 7.6 support * Remove redundant "be" * Update the "role-based access control" link On page "https://docs.docker.com/ee/ucp/user-access/", update the hyperlink "role-based access control" to point to "https://docs.docker.com/ee/ucp/authorization/" instead of "https://docs.docker.com/ee/access-control". * Add UCP user password limitation * Revert "Updated the UCP 3.1.4 release notes to include Centos 7.6 support" * Adding emphasis on Static IP requirement (#7276) * Adding emphasis on Static IP requirement We had a customer (00056641) who changed IPs like this all at once, and they are in a messy status. We should make it clear that static IP is absolutely required. 
```***-ucp-0-dw original="10.15.89.6" updated="10.15.89.7" ***-ucp-1-dw original="10.15.89.5" updated="10.15.89.6" ***-ucp-2-dw original="10.15.89.7" updated="10.15.89.5" ``` * Link to prod requirement of static IP addresses * Adding warning about layer7 config (#8617) * Adding warning about layer7 config Adding warning about layer7 config not being included in the backup * Text edit * Sync published with master (#8673) * Revert "Netlify redirects interlock (#8595)" This reverts commit a7793edc746fc3374f1b4a637bf4d528dd2bbcef. * UCP Install on Azure Patch (#8522) * Fix grammar on the 2nd pre-req, and did markdown formatting on the rest :) * Correct Pod-CIDR Warning * Content cleanup Please check that I haven't changed the meaning of the updated prerequisites. * Create a new section on configuring the IP Count value, also responded to feedback from Follis, Steve R and Xinfeng. * Incorporated Steven F's feedback and Issue 8551 * Provide a warning when setting a small IP Count variable * Final edits * Update install-on-azure.md * Following feedback I have expanded on the 0644 azure.json file permissions and Added the --existing-config file to the UCP install command * Removed Orchestrator Tag Pre Req from Azure Docs * Clarifying need for 0644 permissions * Improved backup commands (#8597) * Improved backup commands DTR image backup command improvements: 1. Local and NFS mount image backup commands were invalid (incorrectly used -C flag). Replaced them with commands that work. 2. The new commands automatically populate the correct replica ID and add a datestamp to the backup filename. DTR Metadata backup command improvements: DTR metadata backups are more difficult than they need to be and generate many support tickets. I updated the DTR command to avoid common user pitfalls: 1. The prior metadata backup command was subject to user error. Improved the command to automatically collect the DTR version and select a replica. 2. 
Improved security of the command by automatically collecting UCP CA certificate for verification rather than using --ucp-insecure-tls flag. 3. Improved the backup filename by adding the backed-up version information and date of backup. Knowledge of the version information is required for restoring a backup. 4. Described these improvements for the user. Image backup commands were tested with local and NFS image storage. The metadata backup command was tested by running it directly on a DTR node and through a UCP client bundle with multiple replicas. * Technical and editorial review * More edits * line 8; remove unnecessary a (#8672) * line 8; remove unnecessary a * Minor edit * Updated the UCP Logging page to include UCP 3.1 screenshots (#8646) * Added examples (#8599) * Added examples Added examples with more detail and automation to help customers backup DTR without creating support tickets. * Linked to explanation of example command @omegamormegil I removed the example with prepopulated fields, as I think it doesn't add much, and will only add confusion. Users who need this much detail can run the basic command and follow the terminal prompts. We can re-add in a follow-up PR, if you think that example is crucial to this page. * Remove deadlink in the Interlock ToC (#8668) * Found a deadlink in the Interlock ToC * Added Redirect * Trying to fix command rendering of '--format "{{ .Names }}"' (#8678) * Trying to fix command rendering of '--format "{{ .Names }}"' --format "{{ .Names }}" is showing up in the markup but is rendering as --format "" in the published version. Added {% raw %} tags to try to fix. * Fixed heading inconsistency * Trying to fix command rendering of '--format "{{ .Names }}"' (#8677) * Trying to fix command rendering of '--format "{{ .Names }}"' --format "{{ .Names }}" is showing up in the markup but is rendering as --format "" in the published version. Added {% raw %} tags to try to fix. 
* Update concatenated to chained * Minor fix * interlock --> ucp-interlock (#8675) * interlock --> ucp-interlock * Fixed code samples - Use the latest UCP version and the latest ucp-interlock image - Leverage ucp page version Jekyll variable * Typo * Final syntax fix * Update backup.md * Removed Reference to Interlock Preview Image, and added relevant UCP Image Org and Tag * Fix syntax error which caused the master build to fail * docs: fix typo in removal of named volumes (#8686) * Updated the ToC for Upgrading Interlock * Removed the Previous Interlock SSL Page * Moved Redirect to latest page * Update index.md (#8690) Fix typo - missing word. * Update bind-mounts.md (#8696) * Minor edits (#8708) * Minor edits - Standardized setting of replica ID as per @caervs - Fix broken link * Consistency edits - Standardized setting of replica ID - Added note that this command only works on Linux * Standardize replica setting - Update commands for creating tar files for local and NFS-mounted images * Fixed broken 'important changes' link (#8721) * Interlock fix - remove haproxy and custom template files (#8722) * Removed haproxy and custom template info * Delete file * Delete file * Render DTR version (#8726) --- _data/toc.yaml | 6 - .../3.0/guides/user/interlock/usage/tls.md | 2 - ee/ucp/interlock/config/custom-template.md | 304 ------------------ ee/ucp/interlock/config/haproxy-config.md | 28 -- ee/ucp/interlock/usage/ssl.md | 224 ------------- ee/ucp/interlock/usage/tls.md | 2 + engine/release-notes.md | 2 +- reference/dtr/2.6/cli/backup.md | 2 +- 8 files changed, 4 insertions(+), 566 deletions(-) delete mode 100644 ee/ucp/interlock/config/custom-template.md delete mode 100644 ee/ucp/interlock/config/haproxy-config.md delete mode 100644 ee/ucp/interlock/usage/ssl.md diff --git a/_data/toc.yaml b/_data/toc.yaml index 3b125c6b0b..5c0b4f0011 100644 --- a/_data/toc.yaml +++ b/_data/toc.yaml 
@@ -1323,10 +1323,6 @@ manuals: section: - title: Configure your deployment path: /ee/ucp/interlock/config/ - - title: Using a custom extension template - path: /ee/ucp/interlock/config/custom-template/ - - title: Configuring an HAProxy extension - path: /ee/ucp/interlock/config/haproxy-config/ - title: Configuring host mode networking path: /ee/ucp/interlock/config/host-mode-networking/ - title: Configuring an nginx extension @@ -1355,8 +1351,6 @@ manuals: path: /ee/ucp/interlock/usage/service-clusters/ - title: Implementing persistent (sticky) sessions path: /ee/ucp/interlock/usage/sessions/ - - title: Implementing SSL - path: /ee/ucp/interlock/usage/ssl/ - title: Securing services with TLS path: /ee/ucp/interlock/usage/tls/ - title: Configuring websockets diff --git a/datacenter/ucp/3.0/guides/user/interlock/usage/tls.md b/datacenter/ucp/3.0/guides/user/interlock/usage/tls.md index 5e23c44ddc..9e619f97a1 100644 --- a/datacenter/ucp/3.0/guides/user/interlock/usage/tls.md +++ b/datacenter/ucp/3.0/guides/user/interlock/usage/tls.md @@ -3,8 +3,6 @@ title: Applications with SSL description: Learn how to configure your swarm services with TLS using the layer 7 routing solution for UCP. keywords: routing, proxy, tls -redirect_from: - - /ee/ucp/interlock/usage/ssl/ --- Once the [layer 7 routing solution is enabled](../deploy/index.md), you can diff --git a/ee/ucp/interlock/config/custom-template.md b/ee/ucp/interlock/config/custom-template.md deleted file mode 100644 index cc8e63cd8a..0000000000 --- a/ee/ucp/interlock/config/custom-template.md +++ /dev/null 
@@ -1,304 +0,0 @@ ---- -title: Custom templates -description: Learn how to use a custom extension template -keywords: routing, proxy, interlock, load balancing ---- - -Use a custom extension if a needed option is not available in the extension configuration. - -> Warning: - This should be used with extreme caution as this completely bypasses the built-in - extension template. Therefore, if you update the extension image in the future, - you will not receive the updated template because you are using a custom one. - -To use a custom template: - -1. Create a Swarm configuration using a new template -2. Create a Swarm configuration object -3. Update the extension - -## Create a Swarm configuration using a new template -First, create a Swarm config using the new template, as shown in the following example. This example uses a custom Nginx configuration template, but you can use any extension configuration (for example, HAProxy). - -The contents of the example `custom-template.conf` include: - -{% raw %} -``` -# CUSTOM INTERLOCK CONFIG -user {{ .ExtensionConfig.User }}; -worker_processes {{ .ExtensionConfig.WorkerProcesses }}; - -error_log {{ .ExtensionConfig.ErrorLogPath }} warn; -pid {{ .ExtensionConfig.PidPath }}; - - -events { - worker_connections {{ .ExtensionConfig.MaxConnections }}; - -} - -http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - server_names_hash_bucket_size 128; - - # add custom HTTP options here, etc. 
- - log_format main {{ .ExtensionConfig.MainLogFormat }} - - log_format trace {{ .ExtensionConfig.TraceLogFormat }} - - access_log {{ .ExtensionConfig.AccessLogPath }} main; - - sendfile on; - #tcp_nopush on; - - keepalive_timeout {{ .ExtensionConfig.KeepaliveTimeout }}; - client_max_body_size {{ .ExtensionConfig.ClientMaxBodySize }}; - client_body_buffer_size {{ .ExtensionConfig.ClientBodyBufferSize }}; - client_header_buffer_size {{ .ExtensionConfig.ClientHeaderBufferSize }}; - large_client_header_buffers {{ .ExtensionConfig.LargeClientHeaderBuffers }}; - client_body_timeout {{ .ExtensionConfig.ClientBodyTimeout }}; - underscores_in_headers {{ if .ExtensionConfig.UnderscoresInHeaders }}on{{ else }}off{{ end }}; - - add_header x-request-id $request_id; - add_header x-proxy-id $hostname; - add_header x-server-info "{{ .Version }}"; - add_header x-upstream-addr $upstream_addr; - add_header x-upstream-response-time $upstream_response_time; - - proxy_connect_timeout {{ .ExtensionConfig.ConnectTimeout }}; - proxy_send_timeout {{ .ExtensionConfig.SendTimeout }}; - proxy_read_timeout {{ .ExtensionConfig.ReadTimeout }}; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Host $http_host; - proxy_set_header x-request-id $request_id; - send_timeout {{ .ExtensionConfig.SendTimeout }}; - proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504; - - ssl_prefer_server_ciphers on; - ssl_ciphers {{ .ExtensionConfig.SSLCiphers }}; - ssl_protocols {{ .ExtensionConfig.SSLProtocols }}; - {{ if (and (gt .ExtensionConfig.SSLDefaultDHParam 0) (ne .ExtensionConfig.SSLDefaultDHParamPath "")) }}ssl_dhparam {{ .ExtensionConfig.SSLDefaultDHParamPath }};{{ end }} - - map $http_upgrade $connection_upgrade { - default upgrade; - '' close; - } - - {{ if not .HasDefaultBackend }} - # default host return 503 - server { - listen {{ .Port }} default_server; - server_name _; - - root 
/usr/share/nginx/html; - - error_page 503 /503.html; - location = /503.html { - try_files /503.html @error; - internal; - } - - location @error { - root /usr/share/nginx/html; - } - - location / { - return 503; - - } - - location /nginx_status { - stub_status on; - access_log off; - } - - } - {{ end }} - - {{ range $host, $backends := .Hosts }} - {{ with $hostBackend := index $backends 0 }} - {{ $sslBackend := index $.SSLBackends $host }} - upstream {{ backendName $host }} { - {{ if $hostBackend.IPHash }}ip_hash; {{else}}zone {{ backendName $host }}_backend 64k;{{ end }} - {{ if ne $hostBackend.StickySessionCookie "" }}hash $cookie_{{ $hostBackend.StickySessionCookie }} consistent; {{ end }} - {{ range $backend := $backends }} - {{ range $up := $backend.Targets }}server {{ $up }}; - {{ end }} - {{ end }} {{/* end range backends */}} - - } - {{ if not $sslBackend.Passthrough }} - server { - listen {{ $.Port }}{{ if $hostBackend.DefaultBackend }} default_server{{ end }}; - {{ if $hostBackend.DefaultBackend }}server_name _;{{ else }}server_name {{$host}};{{ end }} - - {{ if (isRedirectHost $host $hostBackend.Redirects) }} - {{ range $redirect := $hostBackend.Redirects }} - {{ if isRedirectMatch $redirect.Source $host }}return 302 {{ $redirect.Target }}$request_uri;{{ end }} - {{ end }} - {{ else }} - - {{ if eq ( len $hostBackend.ContextRoots ) 0 }} - {{ if not (isWebsocketRoot $hostBackend.WebsocketEndpoints) }} - location / { - proxy_pass {{ if $hostBackend.SSLBackend }}https://{{ else }}http://{{ backendName $host }};{{ end }} - } - {{ end }} - - {{ range $ws := $hostBackend.WebsocketEndpoints }} - location {{ $ws }} { - proxy_pass {{ if $hostBackend.SSLBackend }}https://{{ else }}http://{{ backendName $host }};{{ end }} - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - proxy_set_header Origin ''; - } - {{ end }} {{/* end range WebsocketEndpoints */}} - {{ else }} - - {{ range $ctxroot := 
$hostBackend.ContextRoots }} - location {{ $ctxroot.Path }} { - {{ if $ctxroot.Rewrite }}rewrite ^([^.]*[^/])$ $1/ permanent; - rewrite ^{{ $ctxroot.Path }}/(.*) /$1 break;{{ end }} - proxy_pass http://{{ backendName $host }}; - } - {{ end }} {{/* end range contextroots */}} - - {{ end }} {{/* end len $hostBackend.ContextRoots */}} - location /nginx_status { - stub_status on; - access_log off; - } - {{ end }}{{/* end isRedirectHost */}} - - } - {{ end }} {{/* end if not sslBackend.Passthrough */}} - - {{/* SSL */}} - {{ if ne $hostBackend.SSLCert "" }} - {{ $sslBackend := index $.SSLBackends $host }} - server { - listen 127.0.0.1:{{ $sslBackend.Port }} ssl proxy_protocol; - server_name {{ $host }}; - ssl on; - ssl_certificate /run/secrets/{{ $hostBackend.SSLCertTarget }}; - {{ if ne $hostBackend.SSLKey "" }}ssl_certificate_key /run/secrets/{{ $hostBackend.SSLKeyTarget }};{{ end }} - set_real_ip_from 127.0.0.1/32; - real_ip_header proxy_protocol; - - {{ if eq ( len $hostBackend.ContextRoots ) 0 }} - {{ if not (isWebsocketRoot $hostBackend.WebsocketEndpoints) }} - location / { - proxy_pass {{ if $hostBackend.SSLBackend }}https://{{ else }}http://{{ backendName $host }};{{ end }} - } - {{ end }} - - {{ range $ws := $hostBackend.WebsocketEndpoints }} - location {{ $ws }} { - proxy_pass {{ if $hostBackend.SSLBackend }}https://{{ else }}http://{{ backendName $host }};{{ end }} - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - proxy_set_header Origin {{$host}}; - - } - {{ end }} {{/* end range WebsocketEndpoints */}} - {{ else }} - - {{ range $ctxroot := $hostBackend.ContextRoots }} - location {{ $ctxroot.Path }} { - {{ if $ctxroot.Rewrite }}rewrite ^([^.]*[^/])$ $1/ permanent; - rewrite ^{{ $ctxroot.Path }}/(.*) /$1 break;{{ end }} - proxy_pass http://{{ backendName $host }}; - } - {{ end }} {{/* end range contextroots */}} - - {{ end }} {{/* end len $hostBackend.ContextRoots */}} - location 
/nginx_status { - stub_status on; - access_log off; - } - - } {{ end }} {{/* end $hostBackend.SSLCert */}} - {{ end }} {{/* end with hostBackend */}} - - {{ end }} {{/* end range .Hosts */}} - - include /etc/nginx/conf.d/*.conf; -} -stream { - # main log compatible format - log_format stream '$remote_addr - - [$time_local] "$ssl_preread_server_name -> $name ($protocol)" ' - '$status $bytes_sent "" "" "" '; - map $ssl_preread_server_name $name { - {{ range $host, $sslBackend := $.SSLBackends }} - {{ $sslBackend.Host }} {{ if $sslBackend.Passthrough }}pt-{{ backendName $host }};{{ else }}127.0.0.1:{{ $sslBackend.Port }}; {{ end }} - {{ if $sslBackend.DefaultBackend }}default {{ if $sslBackend.Passthrough }}pt-{{ backendName $host }};{{ else }}127.0.0.1:{{ $sslBackend.Port }}; {{ end }}{{ end }} - {{ end }} - - } - {{ range $host, $sslBackend := $.SSLBackends }} - upstream pt-{{ backendName $sslBackend.Host }} { - {{ $h := index $.Hosts $sslBackend.Host }}{{ $hostBackend := index $h 0 }} - {{ if $sslBackend.Passthrough }} - server 127.0.0.1:{{ $sslBackend.ProxyProtocolPort }}; - {{ else }} - {{ range $up := $hostBackend.Targets }}server {{ $up }}; - {{ end }} {{/* end range backend targets */}} - {{ end }} {{/* end range sslbackend */}} - - }{{ end }} {{/* end range SSLBackends */}} - - {{ range $host, $sslBackend := $.SSLBackends }} - {{ $proxyProtocolPort := $sslBackend.ProxyProtocolPort }} - {{ $h := index $.Hosts $sslBackend.Host }}{{ $hostBackend := index $h 0 }} - {{ if ne $proxyProtocolPort 0 }} - upstream proxy-{{ backendName $sslBackend.Host }} { - {{ range $up := $hostBackend.Targets }}server {{ $up }}; - {{ end }} {{/* end range backend targets */}} - - } - server { - listen {{ $proxyProtocolPort }} proxy_protocol; - proxy_pass proxy-{{ backendName $sslBackend.Host }}; - - } - {{ end }} {{/* end if ne proxyProtocolPort 0 */}} - {{ end }} {{/* end range SSLBackends */}} - - server { - listen {{ $.SSLPort }}; - proxy_pass $name; - proxy_protocol on; - 
ssl_preread on; - access_log {{ .ExtensionConfig.AccessLogPath }} stream; - } -} -``` -{% endraw %} - -## Create a Swarm configuration object -To create a Swarm config object: - -``` -$> docker config create interlock-custom-template custom.conf -``` - -## Update the extension -Now update the extension to use this new template: - -``` -$> docker service update --config-add source=interlock-custom-template,target=/etc/docker/extension-template.conf interlock-ext -``` - -This should trigger an update and a new proxy configuration will be generated. - -## Remove the custom template -To remove the custom template and revert to using the built-in template: - -``` -$> docker service update --config-rm interlock-custom-template interlock-ext -``` diff --git a/ee/ucp/interlock/config/haproxy-config.md b/ee/ucp/interlock/config/haproxy-config.md deleted file mode 100644 index 6108e8ca75..0000000000 --- a/ee/ucp/interlock/config/haproxy-config.md +++ /dev/null 
@@ -1,28 +0,0 @@ ---- -title: Configure HAProxy -description: Learn how to configure an HAProxy extension -keywords: routing, proxy, interlock, load balancing ---- - -The following HAProxy configuration options are available: - -| Option | Type | Description | -| --- | --- | --- | -| `PidPath` | string | path to the pid file for the proxy service | -| `MaxConnections` | int | maximum number of connections for proxy service | -| `ConnectTimeout` | int | timeout in seconds for clients to connect | -| `ClientTimeout` | int | timeout in seconds for the service to send a request to the proxied upstream | -| `ServerTimeout` | int | timeout in seconds for the service to read a response from the proxied upstream | -| `AdminUser` | string | username to be used with authenticated access to the proxy service | -| `AdminPass` | string | password to be used with authenticated access to the proxy service | -| `SSLOpts` | string | options to be passed when configuring SSL | -| `SSLDefaultDHParam` | int | size of DH parameters | -| `SSLVerify` | string | SSL client verification | -| `SSLCiphers` | string | SSL ciphers to use for the proxy service | -| `SSLProtocols` | string | enable the specified TLS protocols | -| `GlobalOptions` | []string | list of options that are included in the global configuration | -| `DefaultOptions` | []string | list of options that are included in the default configuration | - -## Notes - -When using SSL termination, the certificate and key must be combined into a single certificate (i.e. `cat cert.pem key.pem > combined.pem`). The HAProxy extension only uses the certificate label to configure SSL. diff --git a/ee/ucp/interlock/usage/ssl.md b/ee/ucp/interlock/usage/ssl.md deleted file mode 100644 index 154636f2fe..0000000000 --- a/ee/ucp/interlock/usage/ssl.md +++ /dev/null 
@@ -1,224 +0,0 @@ ---- -title: Implement applications with SSL -description: Learn how to configure your swarm services with SSL. -keywords: routing, proxy, tls, ssl -redirect_from: - - /ee/ucp/interlock/usage/ssl/ ---- - -This topic covers Swarm services implementation with: - -- SSL termination -- SSL passthrough - -## SSL termination -In the following example, Docker [Secrets](/engine/swarm/secrets/) -are used to centrally and securely store SSL certificates in order to terminate SSL at the proxy service. -Application traffic is encrypted in transport to the proxy service, which terminates SSL and then -uses unencrypted traffic inside the secure datacenter. - -![Interlock SSL Termination](../../images/interlock_ssl_termination.png) - -First, certificates are generated: - -```bash -$> openssl req \ - -new \ - -newkey rsa:4096 \ - -days 3650 \ - -nodes \ - -x509 \ - -subj "/C=US/ST=SomeState/L=SomeCity/O=Interlock/CN=demo.local" \ - -keyout demo.local.key \ - -out demo.local.cert -``` - -Two files are created: `demo.local.cert` and `demo.local.key`. Next, we - use these to create Docker Secrets. - -```bash -$> docker secret create demo.local.cert demo.local.cert -ywn8ykni6cmnq4iz64um1pj7s -$> docker secret create demo.local.key demo.local.key -e2xo036ukhfapip05c0sizf5w -``` - -Next, we create an overlay network so that service traffic is isolated and secure: - -```bash -$> docker network create -d overlay demo -1se1glh749q1i4pw0kf26mfx5 -``` - -```bash -$> docker service create \ - --name demo \ - --network demo \ - --label com.docker.lb.hosts=demo.local \ - --label com.docker.lb.port=8080 \ - --label com.docker.lb.ssl_cert=demo.local.cert \ - --label com.docker.lb.ssl_key=demo.local.key \ - ehazlett/docker-demo -6r0wiglf5f3bdpcy6zesh1pzx -``` - -Interlock detects when the service is available and publishes it. After tasks are running -and the proxy service is updated, the application should be available via `https://demo.local`. 
- -Note: You must have an entry for `demo.local` in your local hosts (i.e. `/etc/hosts`) file. -You cannot use a host header as shown in other examples due to the way [SNI](https://tools.ietf.org/html/rfc3546#page-8) works. - -```bash -$> curl -vsk https://demo.local/ping -* Trying 127.0.0.1... -* TCP_NODELAY set -* Connected to demo.local (127.0.0.1) port 443 (#0) -* ALPN, offering http/1.1 -* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH -* successfully set certificate verify locations: -* CAfile: /etc/ssl/certs/ca-certificates.crt - CApath: none -* TLSv1.2 (OUT), TLS handshake, Client hello (1): -* TLSv1.2 (IN), TLS handshake, Server hello (2): -* TLSv1.2 (IN), TLS handshake, Certificate (11): -* TLSv1.2 (IN), TLS handshake, Server key exchange (12): -* TLSv1.2 (IN), TLS handshake, Server finished (14): -* TLSv1.2 (OUT), TLS handshake, Client key exchange (16): -* TLSv1.2 (OUT), TLS change cipher, Client hello (1): -* TLSv1.2 (OUT), TLS handshake, Finished (20): -* TLSv1.2 (IN), TLS change cipher, Client hello (1): -* TLSv1.2 (IN), TLS handshake, Finished (20): -* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 -* ALPN, server accepted to use http/1.1 -* Server certificate: -* subject: C=US; ST=SomeState; L=SomeCity; O=Interlock; CN=demo.local -* start date: Nov 8 16:23:03 2017 GMT -* expire date: Nov 6 16:23:03 2027 GMT -* issuer: C=US; ST=SomeState; L=SomeCity; O=Interlock; CN=demo.local -* SSL certificate verify result: self signed certificate (18), continuing anyway. 
-> GET /ping HTTP/1.1 -> Host: demo.local -> User-Agent: curl/7.54.0 -> Accept: */* -> -< HTTP/1.1 200 OK -< Server: nginx/1.13.6 -< Date: Wed, 08 Nov 2017 16:26:55 GMT -< Content-Type: text/plain; charset=utf-8 -< Content-Length: 92 -< Connection: keep-alive -< Set-Cookie: session=1510158415298009207; Path=/; Expires=Thu, 09 Nov 2017 16:26:55 GMT; Max-Age=86400 -< x-request-id: 4b15ab2aaf2e0bbdea31f5e4c6b79ebd -< x-proxy-id: a783b7e646af -< x-server-info: interlock/2.0.0-development (147ff2b1) linux/amd64 -< x-upstream-addr: 10.0.2.3:8080 - -{"instance":"c2f1afe673d4","version":"0.1",request_id":"7bcec438af14f8875ffc3deab9215bc5"} -``` - -Because the certificate and key are stored securely in Swarm, you can safely scale this service, as well as the proxy -service, and Swarm handles granting access to the credentials as needed. - -## SSL passthrough -In the following example, SSL passthrough is used to ensure encrypted communication from the request to the application -service. This ensures maximum security because there is no unencrypted transport. - -![Interlock SSL Passthrough](../../images/interlock_ssl_passthrough.png) - -First, generate certificates for the application: - -```bash -$> openssl req \ - -new \ - -newkey rsa:4096 \ - -days 3650 \ - -nodes \ - -x509 \ - -subj "/C=US/ST=SomeState/L=SomeCity/O=Interlock/CN=demo.local" \ - -keyout app.key \ - -out app.cert -``` - -Two files are created: `app.cert` and `app.key`. Next, we - use these to create Docker Secrets. 
- -```bash -$> docker secret create app.cert app.cert -ywn8ykni6cmnq4iz64um1pj7s -$> docker secret create app.key app.key -e2xo036ukhfapip05c0sizf5w -``` - -Now create an overlay network to isolate and secure service traffic: - -```bash -$> docker network create -d overlay demo -1se1glh749q1i4pw0kf26mfx5 -``` - -```bash -$> docker service create \ - --name demo \ - --network demo \ - --detach=false \ - --secret source=app.cert,target=/run/secrets/cert.pem \ - --secret source=app.key,target=/run/secrets/key.pem \ - --label com.docker.lb.hosts=demo.local \ - --label com.docker.lb.port=8080 \ - --label com.docker.lb.ssl_passthrough=true \ - --env METADATA="demo-ssl-passthrough" \ - ehazlett/docker-demo --tls-cert=/run/secrets/cert.pem --tls-key=/run/secrets/key.pem -``` - -Interlock detects when the service is available and publishes it. When tasks are running -and the proxy service is updated, the application is available via `https://demo.local`. - -Note: You must have an entry for `demo.local` in your local hosts (i.e. `/etc/hosts`) file. -You cannot use a host header as in other examples due to the way [SNI](https://tools.ietf.org/html/rfc3546#page-8) works. - -```bash -$> curl -vsk https://demo.local/ping -* Trying 127.0.0.1... 
-* TCP_NODELAY set -* Connected to demo.local (127.0.0.1) port 443 (#0) -* ALPN, offering http/1.1 -* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH -* successfully set certificate verify locations: -* CAfile: /etc/ssl/certs/ca-certificates.crt - CApath: none -* TLSv1.2 (OUT), TLS handshake, Client hello (1): -* TLSv1.2 (IN), TLS handshake, Server hello (2): -* TLSv1.2 (IN), TLS handshake, Certificate (11): -* TLSv1.2 (IN), TLS handshake, Server key exchange (12): -* TLSv1.2 (IN), TLS handshake, Server finished (14): -* TLSv1.2 (OUT), TLS handshake, Client key exchange (16): -* TLSv1.2 (OUT), TLS change cipher, Client hello (1): -* TLSv1.2 (OUT), TLS handshake, Finished (20): -* TLSv1.2 (IN), TLS change cipher, Client hello (1): -* TLSv1.2 (IN), TLS handshake, Finished (20): -* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256 -* ALPN, server accepted to use http/1.1 -* Server certificate: -* subject: C=US; ST=SomeState; L=SomeCity; O=Interlock; CN=demo.local -* start date: Nov 8 16:39:45 2017 GMT -* expire date: Nov 6 16:39:45 2027 GMT -* issuer: C=US; ST=SomeState; L=SomeCity; O=Interlock; CN=demo.local -* SSL certificate verify result: self signed certificate (18), continuing anyway. -> GET /ping HTTP/1.1 -> Host: demo.local -> User-Agent: curl/7.54.0 -> Accept: */* -> -< HTTP/1.1 200 OK -< Connection: close -< Set-Cookie: session=1510159255159600720; Path=/; Expires=Thu, 09 Nov 2017 16:40:55 GMT; Max-Age=86400 -< Date: Wed, 08 Nov 2017 16:40:55 GMT -< Content-Length: 78 -< Content-Type: text/plain; charset=utf-8 -< -{"instance":"327d5a26bc30","version":"0.1","metadata":"demo-ssl-passthrough"} -``` - -Application traffic travels securely, fully encrypted from the request to the application service. -Notice that Interlock cannot add the metadata response headers (version info, request ID, etc), because this is using -TCP passthrough and cannot add the metadata. 
diff --git a/ee/ucp/interlock/usage/tls.md b/ee/ucp/interlock/usage/tls.md index 08216228cf..6f746d9470 100644 --- a/ee/ucp/interlock/usage/tls.md +++ b/ee/ucp/interlock/usage/tls.md @@ -2,6 +2,8 @@ title: Secure services with TLS description: Learn how to configure your swarm services with TLS. keywords: routing, proxy, tls +redirect_from: + - /ee/ucp/interlock/usage/ssl/ --- After [deploying a layer 7 routing solution](../deploy/index.md), you have two options for securing your diff --git a/engine/release-notes.md b/engine/release-notes.md index 27772a8358..80c2d1500b 100644 --- a/engine/release-notes.md +++ b/engine/release-notes.md @@ -58,7 +58,7 @@ consistency and compatibility reasons. ### Known Issues -* There are [important changes](https://github.com/docker/docker.github.io/blob/patch-04-2019/ee/upgrade) to the upgrade process that, if not correctly followed, can have an impact on the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any version before 18.09 to version 18.09 or later. +* There are [important changes](/ee/upgrade) to the upgrade process that, if not correctly followed, can have an impact on the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any version before 18.09 to version 18.09 or later. ## 18.09.4 diff --git a/reference/dtr/2.6/cli/backup.md b/reference/dtr/2.6/cli/backup.md index 17b2a5de76..b69f099a40 100644 --- a/reference/dtr/2.6/cli/backup.md +++ b/reference/dtr/2.6/cli/backup.md @@ -20,7 +20,7 @@ docker run -i --rm docker/dtr \ #### Basic ```bash -docker run -i --rm --log-driver none docker/dtr:{{ page.dtr_version }} \ +docker run -i --rm --log-driver none docker/dtr:2.6.5 \ backup --ucp-ca "$(cat ca.pem)" --existing-replica-id 5eb9459a7832 > backup.tar ``` From a1074ebff32995aea1d180095f864ff29f04fcdf Mon Sep 17 00:00:00 2001 
From: Maria Bermudez Date: Tue, 7 May 2019 18:17:46 -0700 Subject: [PATCH 5/6] Sync published with master (#8778) * Fixed syntax error (#8732) Last edit to the REPLICA_ID command introduced a syntax error by adding an extra ')'. Removed it. * Fix replica ID setting examples - Accept suggestion from @thajeztah based on product testing - Apply change to page examples - Remove NFS backup example based on the following errors: tar: /var/lib/docker/volumes/dtr-registry-nfs-36e6bf87816d: Cannot stat: No such file or directory tar: Exiting with failure status due to previous errors * Update header for example tar * Fixed link title * Added new example and deprecation info (#8773) * Updated multi-stage build doc (#8769) Changed the 'as' keyword to 'AS' to match the Dockerfile reference docs here: https://docs.docker.com/engine/reference/builder/#from * Fix typo (#8766) * Fixed a sentence (#8728) * Minor edit * Update configure-tls.md (#8719) * Update upgrade.md (#8718) * Update index.md (#8717) * Update configure-tls.md (#8716) * Add TOC entry for Hub page title change (#8777) * Update upgrade.md * Fix left navigation TOC * Update get-started.md (#8713) * Update tmpfs.md (#8711) * Add an indentation in compose-gettingstarted.md (#8487) * Fix messaging on service dependencies --- _data/toc.yaml | 2 +- compose/extends.md | 2 +- compose/gettingstarted.md | 17 +++++++++------- develop/develop-images/multistage-build.md | 4 ++-- docker-hub/index.md | 2 +- docker-hub/upgrade.md | 6 +++--- .../disaster-recovery/create-a-backup.md | 19 +++++------------- ee/dtr/release-notes.md | 2 +- .../admin/configure/ucp-configuration-file.md | 20 +++++++++++++------ ee/ucp/kubernetes/storage/use-nfs-volumes.md | 2 +- ee/ucp/release-notes.md | 2 +- machine/get-started.md | 2 +- storage/tmpfs.md | 2 +- swarm/configure-tls.md | 2 +- 14 files changed, 43 insertions(+), 41 deletions(-) diff --git a/_data/toc.yaml b/_data/toc.yaml index 5c0b4f0011..fd834bfa11 100644 --- a/_data/toc.yaml 
+++ b/_data/toc.yaml @@ -3341,7 +3341,7 @@ manuals: - path: /docker-hub/slack_integration/ title: Slack Integration - path: /docker-hub/upgrade/ - title: Upgrading your plan + title: Upgrade your plan - sectiontitle: Automated Builds section: - path: /docker-hub/builds/ diff --git a/compose/extends.md b/compose/extends.md index 4a253012b6..0af8391a61 100644 --- a/compose/extends.md +++ b/compose/extends.md @@ -44,7 +44,7 @@ relative to the base file. ### Example use case -In this section are two common use cases for multiple compose files: changing a +In this section, there are two common use cases for multiple Compose files: changing a Compose app for different environments, and running administrative tasks against a Compose app. diff --git a/compose/gettingstarted.md b/compose/gettingstarted.md index 822df6a0e9..35189c3ce4 100644 --- a/compose/gettingstarted.md +++ b/compose/gettingstarted.md @@ -119,15 +119,18 @@ the following: redis: image: "redis:alpine" -This Compose file defines two services, `web` and `redis`. The `web` service: +This Compose file defines two services: `web` and `redis`. -* Uses an image that's built from the `Dockerfile` in the current directory. -* Forwards the exposed port 5000 on the container to port 5000 on the host - machine. We use the default port for the Flask web server, `5000`. +### Web service -The `redis` service uses a public -[Redis](https://registry.hub.docker.com/_/redis/) image pulled from the Docker -Hub registry. +The `web` service uses an image that's built from the `Dockerfile` in the current directory. +It then binds the container and the host machine to the exposed port, `5000`. This example service uses the default port for +the Flask web server, `5000`. + +### Redis service + +The `redis` service uses a public [Redis](https://registry.hub.docker.com/_/redis/) +image pulled from the Docker Hub registry. ## Step 4: Build and run your app with Compose 
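Review bot: In compose/gettingstarted.md, the new "Web service" paragraph says the service "binds the container and the host machine to the exposed port, `5000`", which no longer states the direction of the mapping that the removed bullet gave ("Forwards the exposed port 5000 on the container to port 5000 on the host machine"). Suggest keeping the original wording for that sentence, since the point a reader needs is that container port 5000 is published on host port 5000. The paragraph also names the port twice in consecutive sentences; one mention is enough.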
diff --git a/develop/develop-images/multistage-build.md b/develop/develop-images/multistage-build.md index 2f3ae15005..022a1741db 100644 --- a/develop/develop-images/multistage-build.md +++ b/develop/develop-images/multistage-build.md @@ -131,13 +131,13 @@ intermediate artifacts are left behind, and not saved in the final image. By default, the stages are not named, and you refer to them by their integer number, starting with 0 for the first `FROM` instruction. However, you can -name your stages, by adding an `as ` to the `FROM` instruction. This +name your stages, by adding an `AS ` to the `FROM` instruction. This example improves the previous one by naming the stages and using the name in the `COPY` instruction. This means that even if the instructions in your Dockerfile are re-ordered later, the `COPY` doesn't break. ```conf -FROM golang:1.7.3 as builder +FROM golang:1.7.3 AS builder WORKDIR /go/src/github.com/alexellis/href-counter/ RUN go get -d -v golang.org/x/net/html COPY app.go . diff --git a/docker-hub/index.md b/docker-hub/index.md index ce1d4491da..e2ed1c6f4b 100644 --- a/docker-hub/index.md +++ b/docker-hub/index.md @@ -141,7 +141,7 @@ Congratulations! You've successfully: - Built a Docker container image on your computer - Pushed it to Docker Hub -### Next Steps +### Next steps - Create an [Organization](orgs.md) to use Docker Hub with your team. - Automatically build container images from code through [Builds](builds/index.md). diff --git a/docker-hub/upgrade.md b/docker-hub/upgrade.md index 54a133e39e..b842b3b93d 100644 --- a/docker-hub/upgrade.md +++ b/docker-hub/upgrade.md 
@@ -1,12 +1,12 @@ --- description: Upgrading your Docker Hub Plan keywords: Docker, docker, trusted, registry, accounts, plans, Dockerfile, Docker Hub, webhooks, docs, documentation -title: Upgrading your Plan +title: Upgrade your Plan --- User and organization accounts maintain separate Docker Hub billing profiles. -### Upgrading your personal plan +### Upgrade your personal plan Docker Hub includes one private Docker Hub repository for free. If you need more private repositories, you can upgrade from your free account to a paid @@ -17,7 +17,7 @@ To upgrade: 2. Click Change Plan 3. Select your plan and provide your payment information to upgrade ![Upgrade Plan](images/index-upgrade-plan.png) -### Upgrading your organization's plan +### Upgrade your organization's plan To upgrade an Organization's plan: diff --git a/ee/dtr/admin/disaster-recovery/create-a-backup.md b/ee/dtr/admin/disaster-recovery/create-a-backup.md index 95373f2f77..75787441db 100644 --- a/ee/dtr/admin/disaster-recovery/create-a-backup.md +++ b/ee/dtr/admin/disaster-recovery/create-a-backup.md @@ -78,11 +78,11 @@ docker ps --format "{{.Names}}" | grep dtr ##### SSH access -Another way to determine the replica ID is to SSH into a DTR node and run the following: +Another way to determine the replica ID is to log into a DTR node using SSH and run the following: {% raw %} ```bash -REPLICA_ID=$(docker inspect -f '{{.Name}}' $(docker ps -q -f name=dtr-rethink) | cut -f 3 -d '-') +REPLICA_ID=$(docker ps --format '{{.Names}}' -f name=dtr-rethink | cut -f 3 -d '-') && echo $REPLICA_ID ``` {% endraw %} 
@@ -96,23 +96,14 @@ If you've configured DTR to store images on the local file system or NFS mount, you can back up the images by using SSH to log into a DTR node, and creating a `tar` archive of the [dtr-registry volume](../../architecture.md): -#### Example backup commands +#### Example backup command ##### Local images {% raw %} ```none sudo tar -cf dtr-image-backup-$(date +%Y%m%d-%H_%M_%S).tar \ -/var/lib/docker/volumes/dtr-registry-$(docker inspect -f '{{.Name}}' $(docker ps -q -f name=dtr-rethink) | cut -f 3 -d '-') -``` -{% endraw %} - -##### NFS-mounted images - -{% raw %} -```none -sudo tar -cf dtr-image-backup-$(date +%Y%m%d-%H_%M_%S).tar \ - /var/lib/docker/volumes/dtr-registry-nfs-$(docker inspect -f '{{.Name}}' $(docker ps -q -f name=dtr-rethink) | cut -f 3 -d '-') +/var/lib/docker/volumes/dtr-registry-$(docker ps --format '{{.Names}}' -f name=dtr-rethink | cut -f 3 -d '-') ``` {% endraw %} @@ -136,7 +127,7 @@ command. ```none DTR_VERSION=$(docker container inspect $(docker container ps -f name=dtr-registry -q) | \ grep -m1 -Po '(?<=DTR_VERSION=)\d.\d.\d'); \ -REPLICA_ID=$(docker inspect -f '{{.Name}}' $(docker ps -q -f name=dtr-rethink) | cut -f 3 -d '-')); \ +REPLICA_ID=$(docker ps --format '{{.Names}}' -f name=dtr-rethink | cut -f 3 -d '-'); \ read -p 'ucp-url (The UCP URL including domain and port): ' UCP_URL; \ read -p 'ucp-username (The UCP administrator username): ' UCP_ADMIN; \ read -sp 'ucp password: ' UCP_PASSWORD; \ diff --git a/ee/dtr/release-notes.md b/ee/dtr/release-notes.md index e679649fb3..362bad8d26 100644 --- a/ee/dtr/release-notes.md +++ b/ee/dtr/release-notes.md 
@@ -26,7 +26,7 @@ to upgrade your installation to the latest release. ### Security -* Refer to [Docker Hub Maintenance](https://success.docker.com/article/dtr-image-vulnerabilities) for details regarding actions to be taken, timeline, and any status updates/issues/recommendations. +* Refer to [DTR image vulnerabilities](https://success.docker.com/article/dtr-image-vulnerabilities) for details regarding actions to be taken, timeline, and any status updates/issues/recommendations. ### Enhancements diff --git a/ee/ucp/admin/configure/ucp-configuration-file.md b/ee/ucp/admin/configure/ucp-configuration-file.md index 78ce30c8a5..5e38256f03 100644 --- a/ee/ucp/admin/configure/ucp-configuration-file.md +++ b/ee/ucp/admin/configure/ucp-configuration-file.md 
@@ -31,16 +31,22 @@ Specify your configuration settings in a TOML file. Use the `config-toml` API to export the current settings and write them to a file. Within the directory of a UCP admin user's [client certificate bundle](../../user-access/cli.md), the following command exports the current configuration for the UCP hostname `UCP_HOST` to a file named `ucp-config.toml`: -```bash -curl --cacert ca.pem --cert cert.pem --key key.pem https://UCP_HOST/api/ucp/config-toml > ucp-config.toml +### Get an authtoken + +``` +AUTHTOKEN=$(curl --silent --insecure --data '{"username":"","password":""}' https://UCP_HOST/auth/login | jq --raw-output .auth_token) ``` -Edit `ucp-config.toml`, then use the following `curl` command to import it back into -UCP and apply your configuration changes: +### Download config file +``` +curl -X GET "https://UCP_HOST/api/ucp/config-toml" -H "accept: application/toml" -H "Authorization: Bearer $AUTHTOKEN" > ucp-config.toml +``` -```bash -curl --cacert ca.pem --cert cert.pem --key key.pem --upload-file ucp-config.toml https://UCP_HOST/api/ucp/config-toml +### Upload config file + +``` +curl -X PUT -H "accept: application/toml" -H "Authorization: Bearer $AUTHTOKEN" --upload-file 'path/to/ucp-config.toml' https://UCP_HOST/api/ucp/config-toml ``` ## Apply an existing configuration file at install time @@ -141,6 +147,8 @@ Specifies whether DTR images require signing. ### log_configuration table (optional) +> Note: This feature has been deprecated. Refer to the [Deprecation notice](https://docs.docker.com/ee/ucp/release-notes/#deprecation-notice) for additional information. + Configures the logging options for UCP components. | Parameter | Required | Description | diff --git a/ee/ucp/kubernetes/storage/use-nfs-volumes.md b/ee/ucp/kubernetes/storage/use-nfs-volumes.md index e344b4a31a..f2561a1ca7 100644 --- a/ee/ucp/kubernetes/storage/use-nfs-volumes.md +++ b/ee/ucp/kubernetes/storage/use-nfs-volumes.md 
@@ -20,7 +20,7 @@ To mount existing NFS shares within Kubernetes Pods, we have 2 options: - Define NFS shares within the Pod definitions. NFS shares are defined manually by each tenant when creating a workload. - Define NFS shares as a Cluster object through Persistent Volumes, with - the CLuster object lifecycle handled separately from the workload. This is common for + the Cluster object lifecycle handled separately from the workload. This is common for operators who want to define a range of NFS shares for tenants to request and consume. diff --git a/ee/ucp/release-notes.md b/ee/ucp/release-notes.md index f34629078b..d8b66cd54f 100644 --- a/ee/ucp/release-notes.md +++ b/ee/ucp/release-notes.md @@ -25,7 +25,7 @@ upgrade your installation to the latest release. (2019-05-06) ### Security -* Refer to [Docker Hub Maintenance](https://success.docker.com/article/ucp-image-vulnerabilities) for details regarding actions to be taken, timeline, and any status updates/issues/recommendations. +* Refer to [UCP image vulnerabilities](https://success.docker.com/article/ucp-image-vulnerabilities) for details regarding actions to be taken, timeline, and any status updates/issues/recommendations. ### Bug Fixes * Updated the UCP base image layers to fix a number of old libraries and components that had security vulnerabilities. diff --git a/machine/get-started.md b/machine/get-started.md index 9177a9bf1c..45d0e147da 100644 --- a/machine/get-started.md +++ b/machine/get-started.md @@ -7,7 +7,7 @@ title: Get started with Docker Machine and a local VM Let's take a look at using `docker-machine` to create, use and manage a Docker host inside of a local virtual machine. -## Prerequisite Information +## Prerequisite information With the advent of [Docker Desktop for Mac](/docker-for-mac/index.md) and [Docker Desktop for Windows](/docker-for-windows/index.md) as replacements for [Docker diff --git a/storage/tmpfs.md b/storage/tmpfs.md index faf1326012..a7ffe16b90 100644 
--- a/storage/tmpfs.md +++ b/storage/tmpfs.md @@ -29,7 +29,7 @@ persist in either the host or the container writable layer. containers. * This functionality is only available if you're running Docker on Linux. -## Choosing the --tmpfs or --mount flag +## Choose the --tmpfs or --mount flag Originally, the `--tmpfs` flag was used for standalone containers and the `--mount` flag was used for swarm services. However, starting with Docker diff --git a/swarm/configure-tls.md b/swarm/configure-tls.md index eb18596ade..3034ce94ad 100644 --- a/swarm/configure-tls.md +++ b/swarm/configure-tls.md @@ -543,7 +543,7 @@ do this for the `ubuntu` user on your Docker Engine client. Congratulations! You have configured a Docker swarm cluster to use TLS. -## Related Information +## Related information * [Secure Docker Swarm with TLS](secure-swarm-tls.md) * [Docker security](/engine/security/security/) From da6c0eb2c485fc6206be7a9d2b9cba9cbf415e8f Mon Sep 17 00:00:00 2001 From: Maria Bermudez Date: Tue, 14 May 2019 17:47:08 -0700 Subject: [PATCH 6/6] Sync published with master (#8800) * Interlock link fixes (#8798) * Logging driver 920 (#8625) --- _data/toc.yaml | 4 + config/containers/logging/configure.md | 28 +++++- config/containers/logging/dual-logging.md | 114 ++++++++++++++++++++++ config/containers/logging/json-file.md | 17 ++-- config/containers/logging/local.md | 52 ++++++---- ee/ucp/interlock/deploy/production.md | 2 +- ee/ucp/interlock/usage/index.md | 3 +- 7 files changed, 183 insertions(+), 37 deletions(-) create mode 100644 config/containers/logging/dual-logging.md diff --git a/_data/toc.yaml b/_data/toc.yaml index fd834bfa11..e9cef0d3f1 100644 --- a/_data/toc.yaml +++ b/_data/toc.yaml 
@@ -325,12 +325,16 @@ guides: title: View a container's logs - path: /config/containers/logging/configure/ title: Configure logging drivers + - path: /config/containers/logging/dual-logging/ + title: Use docker logs with a logging driver - path: /config/containers/logging/plugins/ title: Use a logging driver plugin - path: /config/containers/logging/log_tags/ title: Customize log driver output - sectiontitle: Logging driver details section: + - path: /config/containers/logging/local/ + title: Local file logging driver - path: /config/containers/logging/logentries/ title: Logentries logging driver - path: /config/containers/logging/json-file/ diff --git a/config/containers/logging/configure.md b/config/containers/logging/configure.md index f281ed2140..4d44f688c4 100644 --- a/config/containers/logging/configure.md +++ b/config/containers/logging/configure.md @@ -19,7 +19,6 @@ unless you configure it to use a different logging driver. In addition to using the logging drivers included with Docker, you can also implement and use [logging driver plugins](/engine/admin/logging/plugins.md). - ## Configure the default logging driver To configure the Docker daemon to default to a specific logging driver, set the @@ -60,7 +59,7 @@ the default output for commands such as `docker inspect ` is JSON. To find the current default logging driver for the Docker daemon, run `docker info` and search for `Logging Driver`. You can use the following -command: +command on Linux, macOS, or PowerShell on Windows: {% raw %} ```bash 
@@ -146,8 +145,8 @@ see more options. | Driver | Description | |:------------------------------|:--------------------------------------------------------------------------------------------------------------| | `none` | No logs are available for the container and `docker logs` does not return any output. | +| [`local`](local.md) | Logs are stored in a custom format designed for minimal overhead. | | [`json-file`](json-file.md) | The logs are formatted as JSON. The default logging driver for Docker. | -| [`local`](local.md) | Writes logs messages to local filesystem in binary files using Protobuf. | | [`syslog`](syslog.md) | Writes logging messages to the `syslog` facility. The `syslog` daemon must be running on the host machine. | | [`journald`](journald.md) | Writes log messages to `journald`. The `journald` daemon must be running on the host machine. | | [`gelf`](gelf.md) | Writes log messages to a Graylog Extended Log Format (GELF) endpoint such as Graylog or Logstash. | 
@@ -160,6 +159,25 @@ see more options. ## Limitations of logging drivers -The `docker logs` command is not available for drivers other than `json-file` -and `journald`. +- Users of Docker Enterprise can make use of "dual logging", which enables you to use the `docker logs` +command for any logging driver. Refer to +[Reading logs when using remote logging drivers](/config/containers/logging/dual-logging/) for information about +using `docker logs` to read container logs locally for many third party logging solutions, including: + - syslog + - gelf + - fluentd + - awslogs + - splunk + - etwlogs + - gcplogs + - Logentries + +- When using Docker Community Engine, the `docker logs` command is only available on the following drivers: + + - `local` + - `json-file` + - `journald` + +- Reading log information requires decompressing rotated log files, which causes a temporary increase in disk usage (until the log entries from the rotated files are read) and an increased CPU usage while decompressing. +- The capacity of the host storage where docker’s data directory resides determines the maximum size of the log file information. diff --git a/config/containers/logging/dual-logging.md b/config/containers/logging/dual-logging.md new file mode 100644 index 0000000000..2f3d395582 --- /dev/null +++ b/config/containers/logging/dual-logging.md 
@@ -0,0 +1,114 @@ +--- +description: Learn how to read container logs locally when using a third party logging solution. +keywords: docker, logging, driver +title: Using docker logs to read container logs for remote logging drivers +--- + +## Overview + +Prior to Docker Engine Enterprise 18.03, the `jsonfile` and `journald` log drivers supported reading +container logs using `docker logs`. However, many third party logging drivers had no +support for locally reading logs using `docker logs`, including: + +- syslog +- gelf +- fluentd +- awslogs +- splunk +- etwlogs +- gcplogs +- Logentries + +This created multiple problems, especially with UCP, when attempting to gather log data in an +automated and standard way. Log information could only be accessed and viewed through the +third-party solution in the format specified by that third-party tool. + +Starting with Docker Engine Enterprise 18.03.1-ee-1, you can use `docker logs` to read container +logs regardless of the configured logging driver or plugin. This capability, sometimes referred to +as dual logging, allows you to use `docker logs` to read container logs locally in a consistent format, +regardless of the remote log driver used, because the engine is configured to log information to the “local” +logging driver. Refer to [Configure the default logging driver](/configure) for additional information. + +## Prerequisites + +- Docker Enterprise - Dual logging is only supported for Docker Enterprise, and is enabled by default starting with +Engine Enterprise 18.03.1-ee-1. + +## Usage +Dual logging is enabled by default. You must configure either the docker daemon or the container with remote logging driver. 
+ +The following example shows the results of running a `docker logs` command with and without dual logging availability: + +### Without dual logging capability: +When a container or `dockerd` was configured with a remote logging driver such as splunk, an error was +displayed when attempting to read container logs locally: + +- Step 1: Configure Docker daemon + + ``` + $ cat /etc/docker/daemon.json + { + "log-driver": "splunk", + "log-opts": { + ... + } + } + ``` + +- Step 2: Start the container + + ``` + $ docker run -d busybox --name testlog top + ``` + +- Step 3: Read the container logs + ``` + $ docker logs 7d6ac83a89a0 + The docker logs command was not available for drivers other than json-file and journald. + ``` + +### With dual logging capability: +To configure a container or docker with a remote logging driver such as splunk: + +- Step 1: Configure Docker daemon + ``` + $ cat /etc/docker/daemon.json + { + "log-driver": "splunk", + "log-opts": { + ... + } + } + ``` + +- Step 2: Start the container + ``` + $ docker run -d busybox --name testlog top + ``` + +- Step 3: Read the container logs + ``` + $ docker logs 7d6ac83a89a0 + 2019-02-04T19:48:15.423Z [INFO] core: marked as sealed + 2019-02-04T19:48:15.423Z [INFO] core: pre-seal teardown starting + 2019-02-04T19:48:15.423Z [INFO] core: stopping cluster listeners + 2019-02-04T19:48:15.423Z [INFO] core: shutting down forwarding rpc listeners + 2019-02-04T19:48:15.423Z [INFO] core: forwarding rpc listeners stopped + 2019-02-04T19:48:15.599Z [INFO] core: rpc listeners successfully shut down + 2019-02-04T19:48:15.599Z [INFO] core: cluster listeners successfully shut down + ``` + +Note: +For a local driver, such as json-file and journald, there is no difference in functionality +before or after the dual logging capability became available. The log is locally visible in both scenarios. + + +## Limitations + +- You cannot specify more than one log driver. 
+- If a container using a logging driver or plugin that sends logs remotely suddenly has a "network" issue, +no ‘write’ to the local cache occurs. +- If a write to `logdriver` fails for any reason (file system full, write permissions removed), +the cache write fails and is logged in the daemon log. The log entry to the cache is not retried. +- Some logs might be lost from the cache in the default configuration because a ring buffer is used to +prevent blocking the stdio of the container in case of slow file writes. An admin must repair these while the daemon is shut down. diff --git a/config/containers/logging/json-file.md b/config/containers/logging/json-file.md index 913f08d305..c05825f476 100644 --- a/config/containers/logging/json-file.md +++ b/config/containers/logging/json-file.md @@ -13,10 +13,6 @@ and writes them in files using the JSON format. The JSON format annotates each l origin (`stdout` or `stderr`) and its timestamp. Each log file contains information about only one container. -```json -{"log":"Log line is here\n","stream":"stdout","time":"2019-01-01T11:11:11.111111111Z"} -``` - ## Usage To use the `json-file` driver as the default logging driver, set the `log-driver` 
@@ -26,22 +22,20 @@ located in `/etc/docker/` on Linux hosts or configuring Docker using `daemon.json`, see [daemon.json](/engine/reference/commandline/dockerd.md#daemon-configuration-file). -The following example sets the log driver to `json-file` and sets the `max-size` -and `max-file` options. +The following example sets the log driver to `json-file` and sets the `max-size` and 'max-file' options. ```json { "log-driver": "json-file", "log-opts": { "max-size": "10m", - "max-file": "3" + "max-file": "3" } } ``` - -> **Note**: `log-opt` configuration options in the `daemon.json` configuration -> file must be provided as strings. Boolean and numeric values (such as the value -> for `max-file` in the example above) must therefore be enclosed in quotes (`"`). +**Note**: `log-opt` configuration options in the `daemon.json` configuration +file must be provided as strings. Boolean and numeric values (such as the value +for `max-file` in the example above) must therefore be enclosed in quotes (`"`). Restart Docker for the changes to take effect for newly created containers. Existing containers do not use the new logging configuration. 
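Review bot: In config/containers/logging/json-file.md, the rewritten sentence formats the second option as 'max-file' in straight quotes while `max-size` in the same sentence keeps backticks; use backticks for both. The same hunk strips the `>` markers from the **Note** about string values, so it renders as an ordinary paragraph instead of a callout, and it removes the blank line between the closing code fence and that note. If dropping the callout is intended, keep the blank line so the fence and the paragraph stay separate blocks.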
@@ -65,6 +59,7 @@ The `json-file` logging driver supports the following logging options: | `labels` | Applies when starting the Docker daemon. A comma-separated list of logging-related labels this daemon accepts. Used for advanced [log tag options](log_tags.md). | `--log-opt labels=production_status,geo` | | `env` | Applies when starting the Docker daemon. A comma-separated list of logging-related environment variables this daemon accepts. Used for advanced [log tag options](log_tags.md). | `--log-opt env=os,customer` | | `env-regex` | Similar to and compatible with `env`. A regular expression to match logging-related environment variables. Used for advanced [log tag options](log_tags.md). | `--log-opt env-regex=^(os|customer).` | +| `compress` | Toggles compression for rotated logs. Default is `disabled`. | `--log-opt compress=true` | ### Examples diff --git a/config/containers/logging/local.md b/config/containers/logging/local.md index 708e4a3ee8..dbd9d9974d 100644 --- a/config/containers/logging/local.md +++ b/config/containers/logging/local.md 
@@ -1,46 +1,53 @@ --- -description: Describes how to use the local binary (Protobuf) logging driver. -keywords: local, protobuf, docker, logging, driver +description: Describes how to use the local logging driver. +keywords: local, docker, logging, driver redirect_from: - /engine/reference/logging/local/ - /engine/admin/logging/local/ -title: local binary file Protobuf logging driver +title: Local File logging driver --- -This `log-driver` writes to `local` binary files using Protobuf [Protocol Buffers](https://en.wikipedia.org/wiki/Protocol_Buffers) +The `local` logging driver captures output from container's stdout/stderr and +writes them to an internal storage that is optimized for performance and disk +use. + +By default the `local` driver preserves 100MB of log messages per container and +uses automatic compression to reduce the size on disk. + +> *Note*: the `local` logging driver currently uses file-based storage. The +> file-format and storage mechanism are designed to be exclusively accessed by +> the Docker daemon, and should not be used by external tools as the +> implementation may change in future releases. ## Usage To use the `local` driver as the default logging driver, set the `log-driver` and `log-opt` keys to appropriate values in the `daemon.json` file, which is located in `/etc/docker/` on Linux hosts or -`C:\ProgramData\docker\config\daemon.json` on Windows Server. For more information about +`C:\ProgramData\docker\config\daemon.json` on Windows Server. For more about configuring Docker using `daemon.json`, see [daemon.json](/engine/reference/commandline/dockerd.md#daemon-configuration-file). -The following example sets the log driver to `local`. +The following example sets the log driver to `local` and sets the `max-size` +option. ```json { "log-driver": "local", - "log-opts": {} + "log-opts": { + "max-size": "10m" + } } ``` -> **Note**: `log-opt` configuration options in the `daemon.json` configuration -> file must be provided as strings. 
Boolean and numeric values (such as the value -> for `max-file` in the example above) must therefore be enclosed in quotes (`"`). - -Restart Docker for the changes to take effect for newly created containers. - -Existing containers will not use the new logging configuration. +Restart Docker for the changes to take effect for newly created containers. Existing containers do not use the new logging configuration. You can set the logging driver for a specific container by using the `--log-driver` flag to `docker container create` or `docker run`: ```bash $ docker run \ - --log-driver local --log-opt compress="false" \ + --log-driver local --log-opt max-size=10m \ alpine echo hello world ``` 
@@ -50,6 +57,15 @@ The `local` logging driver supports the following logging options: | Option | Description | Example value | |:------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------------| -| `max-size` | The maximum size of each binary log file before rotation. A positive integer plus a modifier representing the unit of measure (`k`, `m`, or `g`). Defaults to `20m`. | `--log-opt max-size=10m` | -| `max-file` | The maximum number of binary log files. If rotating the logs creates an excess file, the oldest file is removed. **Only effective when `max-size` is also set.** A positive integer. Defaults to `5`. | `--log-opt max-file=5` | -| `compress` | Whether or not the binary files should be compressed. Defaults to `true` | `--log-opt compress=true` | +| `max-size` | The maximum size of the log before it is rolled. A positive integer plus a modifier representing the unit of measure (`k`, `m`, or `g`). Defaults to 20m. | `--log-opt max-size=10m` | +| `max-file` | The maximum number of log files that can be present. If rolling the logs creates excess files, the oldest file is removed. **Only effective when `max-size` is also set.** A positive integer. Defaults to 5. | `--log-opt max-file=3` | +| `compress` | Toggle compression of rotated log files. Enabled by default. | `--log-opt compress=false` | + +### Examples + +This example starts an `alpine` container which can have a maximum of 3 log +files no larger than 10 megabytes each. + +```bash +$ docker run -it --log-opt max-size=10m --log-opt max-file=3 alpine ash +``` diff --git a/ee/ucp/interlock/deploy/production.md b/ee/ucp/interlock/deploy/production.md index 0a353b4e8c..61ebc16e20 100644 --- a/ee/ucp/interlock/deploy/production.md +++ b/ee/ucp/interlock/deploy/production.md 
@@ -128,4 +128,4 @@ to provide more bandwidth for the user services. ## Next steps - [Configure Interlock](../config/index.md) -- [Deploy applications](../usage.index.md) +- [Deploy applications](./index.md) diff --git a/ee/ucp/interlock/usage/index.md b/ee/ucp/interlock/usage/index.md index 0a488ccf26..ccdf7bcb33 100644 --- a/ee/ucp/interlock/usage/index.md +++ b/ee/ucp/interlock/usage/index.md @@ -151,13 +151,12 @@ able to start using the service from your browser. ## Next steps - [Publish a service as a canary instance](./canary.md) -- [Usie context or path-based routing](./context.md) +- [Use context or path-based routing](./context.md) - [Publish a default host service](./interlock-vip-mode.md) - [Specify a routing mode](./interlock-vip-mode.md) - [Use routing labels](./labels-reference.md) - [Implement redirects](./redirects.md) - [Implement a service cluster](./service-clusters.md) - [Implement persistent (sticky) sessions](./sessions.md) -- [Implement SSL](./ssl.md) - [Secure services with TLS](./tls.md) - [Configure websockets](./websockets.md)
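Review bot: In the json-file.md hunk at `@@ -26,22 +22,20 @@`, the rewritten intro sentence wraps 'max-file' in single quotes while `json-file` and `max-size` in the same sentence use backticks, so the option will not render as code. Use backticks for all three. The same hunk also drops the `>` prefix from the **Note** about string values, while the local.md note added later in this patch keeps the `> *Note*` callout form. Pick one convention for both pages.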
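Review bot: In the json-file.md options table hunk at `@@ -65,6 +59,7 @@`, the new `compress` row gives the default as `disabled` in code formatting, but the example value in the same row is `--log-opt compress=true`, which implies the option takes `true` or `false`. A reader could take `disabled` for a literal value. Suggest "Disabled by default." in plain text, matching the "Enabled by default." wording used for the same option in local.md.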
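Review bot: In the local.md hunk at `@@ -1,46 +1,53 @@`, the note that `log-opt` values in `daemon.json` must be strings is removed outright, yet the options table on this page still lists `max-file` (a positive integer) and `compress` (a boolean), which are the values a reader is most likely to write unquoted. The old note was wrong only in pointing at `max-file` "in the example above"; suggest keeping it and fixing the reference instead of deleting it, as json-file.md still does. Minor wording in the new intro: "from container's stdout/stderr and writes them" needs an article and agreement, for example "from a container's stdout/stderr and writes it".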
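Review bot: In the local.md hunk at `@@ -50,6 +57,15 @@`, the new "Examples" command `docker run -it --log-opt max-size=10m --log-opt max-file=3 alpine ash` has no `--log-driver local`, so it only demonstrates this driver when the daemon default has already been changed to `local`. The Usage example earlier on the page passes `--log-driver local` explicitly; do the same here or state the assumption in the sentence above the command. The defaults in the table also lost their backticks (`20m`, `5`) in this rewrite.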
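Review bot: In the ee/ucp/interlock/deploy/production.md hunk at `@@ -128,4 +128,4 @@`, the replacement link `[Deploy applications](./index.md)` resolves inside `deploy/`, so it points at the deploy index, not at the usage page that the old `../usage.index.md` appears to have been aiming for. The file touched next in this patch is `ee/ucp/interlock/usage/index.md`, so the intended target is probably `../usage/index.md`. Please confirm which page "Deploy applications" should open.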
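Review bot: In the ee/ucp/interlock/usage/index.md hunk at `@@ -151,13 +151,12 @@`, the "Next steps" list is being cleaned up (typo fix, `ssl.md` entry removed), but "Publish a default host service" and "Specify a routing mode" still both link to `./interlock-vip-mode.md`. One of the two is likely pointing at the wrong page; worth fixing in the same pass. Also confirm that `./ssl.md` has a redirect or is deleted in this series, since the entry is dropped here without any mention in the visible lines.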