docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Updates installation docs

This commit is contained in:
Joao Fernandes 2016-10-03 13:30:15 -07:00
parent f206a3b9d0
commit 1fdfe678e3
5 changed files with 60 additions and 87 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

66
architecture.md
View File

@ -22,62 +22,64 @@ Universal Control Plane cluster.
When you install DTR on a node, the following containers are started:
| Name | Description |
|:------------------------------------|:----------------------------------------------------------------------------------------------------------------------------------|
| dtr-nginx-<replica_id> | Receives http and https requests and proxies them to other DTR components. By default it listens to ports 80 and 443 of the host. |
| dtr-api-<replica_id> | Executes the DTR business logic. It serves the DTR web application, and API. |
| dtr-registry-<replica_id> | Implements the functionality for pulling and pushing Docker images. It also handles how images are stored. |
| dtr-etcd-<replica_id> | A key-value store for persisting DTR configuration settings. Don't use it in your applications, since it's for internal use only. |
| dtr-jobrunner-<replica_id> | Runs cleanup jobs in the background. It is not exposed to DTR, and is for internal use only. |
| dtr-rethinkdb-<replica_id> | A database for persisting repository metadata. Don't use it in your applications, since it's for internal use only. |
| dtr-notary-server-<replica_id> | Receives, validates, and serves content trust metadata, and is consulted when pushing or pulling to DTR with content trust enabled. |
| dtr-notary-signer-<replica_id> | Performs server-side timestamp and snapshot signing for content trust metadata. Is not exposed to DTR, and is for internal use only. |
| Name | Description |
|:-------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------|
| dtr-api-<replica_id> | Executes the DTR business logic. It serves the DTR web application, and API |
| dtr-etcd-<replica_id> | A key-value store for persisting DTR configuration settings |
| dtr-jobrunner-<replica_id> | Runs cleanup jobs in the background |
| dtr-nginx-<replica_id> | Receives http and https requests and proxies them to other DTR components. By default it listens to ports 80 and 443 of the host |
| dtr-notary-server-<replica_id> | Receives, validates, and serves content trust metadata, and is consulted when pushing or pulling to DTR with content trust enabled |
| dtr-notary-signer-<replica_id> | Performs server-side timestamp and snapshot signing for content trust metadata |
| dtr-registry-<replica_id> | Implements the functionality for pulling and pushing Docker images. It also handles how images are stored |
| dtr-rethinkdb-<replica_id> | A database for persisting repository metadata |
All these components are for internal use of DTR. Don't use them in your applications.
## Networks
To allow containers to communicate, when installing DTR the following networks
are created:
| Name | Type | Description |
|:-------|:--------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| dtr-br | bridge | Allows containers on the same node to communicate with each other in a secure way. |
| dtr-ol | overlay | Allows containers running on different nodes to communicate. This network is used in high-availability installations, to allow Etcd and RethinkDB containers to replicate their data. |
| Name | Type | Description |
|:-------|:--------|:---------------------------------------------------------------------------------------|
| dtr-br | bridge | Allows DTR components on the same node to communicate with each other in a secure way |
| dtr-ol | overlay | Allows DTR components running on different nodes to communicate, to replicate DTR data |
The communication between all DTR components is secured using TLS. Also, when
installing DTR, two Certificate Authorities (CAs) are created. These CAs are
used to create the certificates used by Etcd and RethinkDB when communicating
across nodes.
## Volumes
DTR uses these named volumes for persisting data:
| Volume name | Location on host (/var/lib/docker/volumes/) | Description |
|:--------------------------------|:--------------------------------------------|:-------------------------------------------------------------------------------------------------------------|
| dtr-ca-<replica_id> | dtr-ca/_data | The volume where the private keys and certificates are stored so that containers can use TLS to communicate. |
| dtr-etcd-<replica_id> | dtr-etcd/_data | The volume used by etcd to persist DTR configurations. |
| dtr-registry-<replica_id> | dtr-registry/_data | The volume where images are stored, if DTR is configured to store images on the local filesystem. |
| dtr-rethink-<replica_id> | dtr-rethink/_data | The volume used by RethinkDB to persist DTR data, like users and repositories. |
| dtr-notary-<replica_id> | dtr-notary/_data | The volume where the Notary private TLS keys and certificates are stored so that the Notary containers can use TLS to communicate. |
| Volume name | Description |
|:--------------------------------|:---------------------------------------------------------------------------------|
| dtr-ca-<replica_id> | Root key material for the DTR root CA that issues certificates |
| dtr-etcd-<replica_id> | DTR configuration data |
| dtr-notary-<replica_id> | Certificate and keys for the Notary components |
| dtr-registry-<replica_id> | Docker images data, if DTR is configured to store images on the local filesystem |
| dtr-rethink-<replica_id> | Repository metadata |
If you dont create these volumes, when installing DTR they are created with
the default volume driver and flags.
You can customize the volume driver used for these volumes, by creating the
volumes before installing DTR. During the installation, DTR checks which volumes
don't exist in the node, and creates them using the default volume driver.
By default, the data for these volumes can be found at
`/var/lib/docker/volumes/<volume-name>/_data`.
## Image storage
By default, Docker Trusted Registry stores images on the filesystem of the host
By default, Docker Trusted Registry stores images on the filesystem of the node
where it is running.
You can also configure DTR to using these cloud storage backends:
You can also configure DTR to use these storage backends:
* NFS
* Amazon S3
* Cleversafe
* OpenStack Swift
* Microsoft Azure
For highly available installations, configure DTR to use a cloud storage
backend or a network filesystem like NFS.
For highly available installations, you should use a cloud storage system
instead of an NFS mount, since they usually have better performance.
## High-availability support

BIN
images/architecture-1.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 32 KiB

After

Width:  |  Height:  |  Size: 43 KiB

58
install/index.md
View File

@ -18,8 +18,8 @@ weight=20
# Install Docker Trusted Registry
Docker Trusted Registry (DTR) is a containerized application that runs on a
Docker Universal Control Plane (UCP) cluster. It can be installed on-premises
or on a cloud infrastructure.
swarm managed by Docker Universal Control Plane (UCP). It can be installed
on-premises or on a cloud infrastructure.
Use these instructions to install DTR.
@ -30,10 +30,11 @@ infrastructure has all the [requirements DTR needs to run](system-requirements.m
## Step 2. Install UCP
Since DTR requires a Docker Universal Control Plane (UCP) cluster
to run, you need to install UCP first.
[Learn how to install UCP](https://docs.docker.com/ucp/installation/install-production/). Make sure that the node you install DTR on is already joined to the UCP cluster.
Since DTR requires Docker Universal Control Plane (UCP)
to run, you need to install UCP on all the nodes where you plan to install DTR.
[Learn how to install UCP](https://docs.docker.com/ucp/installation/install-production/).
Make sure all the nodes you plan on installing DTR are being managed by UCP.
## Step 3. Install DTR
@ -44,34 +45,25 @@ To install DTR:
1. Download a UCP client bundle.
Having a UCP client bundle allows you to run Docker commands on a UCP
cluster.
Having a UCP client bundle allows you to run Docker commands on a swarm
being managed by UCP.
[Download a UCP client bundle](https://docs.docker.com/ucp/access-ucp/cli-based-access/)
and set up your CLI client to use it.
2. Run the following command to install DTR.
2. Run the following commands to install DTR.
```bash
# Get the certificates used by UCP
$ curl -k https://$UCP_HOST/ca > ucp-ca.pem
$ curl -k https://<ucp-url>/ca > ucp-ca.pem
# Install DTR
$ docker run -it --rm \
docker/dtr install \
--ucp-url $UCP_URL \
--ucp-node $NODE_HOSTNAME \
--dtr-external-url $DTR_PUBLIC_IP \
--ucp-username $USER --ucp-password $PASSWORD \
--ucp-ca "$(cat ucp-ca.pem)"
```
Where:
* ucp-url, is the URL of the UCP controller,
* ucp-node, is the hostname of the UCP node where DTR will be installed,
* dtr-external-url, is the public IP or domain name where DTR can be reached,
* ucp-username, and ucp-password are the credentials of a UCP administrator,
* ucp-ca, is the certificate authority used by UCP.
The install command has other flags for customizing DTR at install time.
Check the [reference documentation to learn more](../reference/install.md).
3. Check that DTR is running.
@ -113,12 +105,14 @@ This step is optional.
To set up DTR for [high availability](../high-availability/index.md),
you can add more replicas to your DTR cluster. Adding more replicas allows you
to load-balance requests across all replicas, and keep DTR working if a
replica fails. Each replica must be located on a node already joined to the UCP cluster.
replica fails.
For high-availability you should set 3, 5, or 7 DTR replicas. The nodes where
you're going to install these replicas also need to be managed by UCP.
To add replicas to a DTR cluster, use the `docker/dtr join` command. To add
replicas:
1. Load you UCP user bundle.
2. Run the join command.
@ -131,25 +125,13 @@ replicas:
```bash
# Get the certificates used by UCP
$ curl -k https://$UCP_HOST/ca > ucp-ca.pem
$ curl -k https://<ucp-url>/ca > ucp-ca.pem
$ docker run -it --rm \
docker/dtr join \
--ucp-url $UCP_URL \
--ucp-node $UCP_NODE \
--existing-replica-id $REPLICA_TO_JOIN \
--ucp-username $USER --ucp-password $PASSWORD \
--ucp-ca "$(cat ucp-ca.pem)"
```
Where:
* ucp-url, is the URL of the UCP controller,
* ucp-node, is the node on the ucp cluster where the DTR replica will be installed,
* existing-replica-id, is the ID of the DTR replica you want to replicate,
* ucp-username, and ucp-password are the credentials of a UCP administrator,
* ucp-ca, is the certificate used by UCP.
3. Check that all replicas are running.
In your browser, navigate to the the Docker **Universal Control Plane**
@ -158,12 +140,6 @@ replicas:
![](../images/install-dtr-4.png)
4. Follow steps 1 to 3, to add more replicas to the DTR cluster.
When configuring your DTR cluster for high-availability, you should install
3, 5, or 7 replicas.
[Learn more about high availability](../high-availability/index.md)
## See also
* [Install DTR offline](install-dtr-offline.md)

2
install/install-dtr-offline.md
View File

@ -42,7 +42,7 @@ copy that package to the nodes where youll install DTR.
3. Login into the host where you transferred the images.
4. Load the UCP images.
4. Load the images.
Once the package is on the node where you want to install DTR, you can use
the `docker load` command, to load the images from the .tar file.

21
install/system-requirements.md
View File

@ -18,26 +18,21 @@ Before installing, be sure your infrastructure has these requirements.
## Software requirements
To install DTR on a node, that node node must be part of a Docker Universal
Control Plane 1.1 cluster.
You can only install DTR on a node that is being managed by Docker Universal
Control Plane 2.0.
## Ports used
When installing DTR on a node, make sure the following ports are open on that
node:
| Direction | Port | Purpose |
|:---------:|:-----|:---------------------------------------------------------------------------------|
| in | 80 | Web app and API client access to DTR. |
| in | 443 | Web app and API client access to DTR. |
| out | 443 | Check if new versions are available, and send anonymous usage reports to Docker. |
| Direction | Port | Purpose |
|:---------:|:-----|:--------------------------------------|
| in | 80 | Web app and API client access to DTR. |
| in | 443 | Web app and API client access to DTR. |
The inbound ports are configurable.
DTR collects anonymous usage metrics, to help us improve it. These metrics
are entirely anonymous, dont identify your company, users, applications,
or any other sensitive information. You can disable this on the DTR settings
page.
These ports are configurable when installing DTR.
## Compatibility and maintenance lifecycle