diff --git a/architecture.md b/architecture.md index e84f5da686..a612b6b1ff 100644 --- a/architecture.md +++ b/architecture.md 
@@ -22,62 +22,64 @@ Universal Control Plane cluster. When you install DTR on a node, the following containers are started: -| Name | Description | -|:------------------------------------|:----------------------------------------------------------------------------------------------------------------------------------| -| dtr-nginx-<replica_id> | Receives http and https requests and proxies them to other DTR components. By default it listens to ports 80 and 443 of the host. | -| dtr-api-<replica_id> | Executes the DTR business logic. It serves the DTR web application, and API. | -| dtr-registry-<replica_id> | Implements the functionality for pulling and pushing Docker images. It also handles how images are stored. | -| dtr-etcd-<replica_id> | A key-value store for persisting DTR configuration settings. Don't use it in your applications, since it's for internal use only. | -| dtr-jobrunner-<replica_id> | Runs cleanup jobs in the background. It is not exposed to DTR, and is for internal use only. | -| dtr-rethinkdb-<replica_id> | A database for persisting repository metadata. Don't use it in your applications, since it's for internal use only. | -| dtr-notary-server-<replica_id> | Receives, validates, and serves content trust metadata, and is consulted when pushing or pulling to DTR with content trust enabled. | -| dtr-notary-signer-<replica_id> | Performs server-side timestamp and snapshot signing for content trust metadata. Is not exposed to DTR, and is for internal use only. | +| Name | Description | +|:-------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------| +| dtr-api-<replica_id> | Executes the DTR business logic. 
It serves the DTR web application, and API | +| dtr-etcd-<replica_id> | A key-value store for persisting DTR configuration settings | +| dtr-jobrunner-<replica_id> | Runs cleanup jobs in the background | +| dtr-nginx-<replica_id> | Receives http and https requests and proxies them to other DTR components. By default it listens to ports 80 and 443 of the host | +| dtr-notary-server-<replica_id> | Receives, validates, and serves content trust metadata, and is consulted when pushing or pulling to DTR with content trust enabled | +| dtr-notary-signer-<replica_id> | Performs server-side timestamp and snapshot signing for content trust metadata | +| dtr-registry-<replica_id> | Implements the functionality for pulling and pushing Docker images. It also handles how images are stored | +| dtr-rethinkdb-<replica_id> | A database for persisting repository metadata | +All these components are for internal use of DTR. Don't use them in your applications. ## Networks To allow containers to communicate, when installing DTR the following networks are created: -| Name | Type | Description | -|:-------|:--------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| dtr-br | bridge | Allows containers on the same node to communicate with each other in a secure way. | -| dtr-ol | overlay | Allows containers running on different nodes to communicate. This network is used in high-availability installations, to allow Etcd and RethinkDB containers to replicate their data. 
| +| Name | Type | Description | +|:-------|:--------|:---------------------------------------------------------------------------------------| +| dtr-br | bridge | Allows DTR components on the same node to communicate with each other in a secure way | +| dtr-ol | overlay | Allows DTR components running on different nodes to communicate, to replicate DTR data | -The communication between all DTR components is secured using TLS. Also, when -installing DTR, two Certificate Authorities (CAs) are created. These CAs are -used to create the certificates used by Etcd and RethinkDB when communicating -across nodes. ## Volumes DTR uses these named volumes for persisting data: -| Volume name | Location on host (/var/lib/docker/volumes/) | Description | -|:--------------------------------|:--------------------------------------------|:-------------------------------------------------------------------------------------------------------------| -| dtr-ca-<replica_id> | dtr-ca/_data | The volume where the private keys and certificates are stored so that containers can use TLS to communicate. | -| dtr-etcd-<replica_id> | dtr-etcd/_data | The volume used by etcd to persist DTR configurations. | -| dtr-registry-<replica_id> | dtr-registry/_data | The volume where images are stored, if DTR is configured to store images on the local filesystem. | -| dtr-rethink-<replica_id> | dtr-rethink/_data | The volume used by RethinkDB to persist DTR data, like users and repositories. | -| dtr-notary-<replica_id> | dtr-notary/_data | The volume where the Notary private TLS keys and certificates are stored so that the Notary containers can use TLS to communicate. 
| +| Volume name | Description | +|:--------------------------------|:---------------------------------------------------------------------------------| +| dtr-ca-<replica_id> | Root key material for the DTR root CA that issues certificates | +| dtr-etcd-<replica_id> | DTR configuration data | +| dtr-notary-<replica_id> | Certificate and keys for the Notary components | +| dtr-registry-<replica_id> | Docker images data, if DTR is configured to store images on the local filesystem | +| dtr-rethink-<replica_id> | Repository metadata | -If you don’t create these volumes, when installing DTR they are created with -the default volume driver and flags. +You can customize the volume driver used for these volumes, by creating the +volumes before installing DTR. During the installation, DTR checks which volumes +don't exist in the node, and creates them using the default volume driver. + +By default, the data for these volumes can be found at +`/var/lib/docker/volumes//_data`. ## Image storage -By default, Docker Trusted Registry stores images on the filesystem of the host +By default, Docker Trusted Registry stores images on the filesystem of the node where it is running. -You can also configure DTR to using these cloud storage backends: +You can also configure DTR to use these storage backends: +* NFS * Amazon S3 +* Cleversafe * OpenStack Swift * Microsoft Azure -For highly available installations, configure DTR to use a cloud storage -backend or a network filesystem like NFS. - +For highly available installations, you should use a cloud storage system +instead of an NFS mount, since they usually have better performance. ## High-availability support diff --git a/images/architecture-1.png b/images/architecture-1.png index 5d20fc7970..1528ddecf1 100644 Binary files a/images/architecture-1.png and b/images/architecture-1.png differ diff --git a/install/index.md b/install/index.md index b4e2e0329b..2b5b67b525 100644 --- a/install/index.md +++ b/install/index.md 
@@ -18,8 +18,8 @@ weight=20 # Install Docker Trusted Registry Docker Trusted Registry (DTR) is a containerized application that runs on a -Docker Universal Control Plane (UCP) cluster. It can be installed on-premises -or on a cloud infrastructure. +swarm managed by Docker Universal Control Plane (UCP). It can be installed +on-premises or on a cloud infrastructure. Use these instructions to install DTR. @@ -30,10 +30,11 @@ infrastructure has all the [requirements DTR needs to run](system-requirements.m ## Step 2. Install UCP -Since DTR requires a Docker Universal Control Plane (UCP) cluster -to run, you need to install UCP first. -[Learn how to install UCP](https://docs.docker.com/ucp/installation/install-production/). Make sure that the node you install DTR on is already joined to the UCP cluster. +Since DTR requires Docker Universal Control Plane (UCP) +to run, you need to install UCP on all the nodes where you plan to install DTR. +[Learn how to install UCP](https://docs.docker.com/ucp/installation/install-production/). +Make sure all the nodes you plan on installing DTR are being managed by UCP. ## Step 3. Install DTR 
@@ -44,34 +45,25 @@ To install DTR: 1. Download a UCP client bundle. - Having a UCP client bundle allows you to run Docker commands on a UCP - cluster. + Having a UCP client bundle allows you to run Docker commands on a swarm + being managed by UCP. [Download a UCP client bundle](https://docs.docker.com/ucp/access-ucp/cli-based-access/) and set up your CLI client to use it. -2. Run the following command to install DTR. +2. Run the following commands to install DTR. ```bash # Get the certificates used by UCP - $ curl -k https://$UCP_HOST/ca > ucp-ca.pem + $ curl -k https:///ca > ucp-ca.pem # Install DTR $ docker run -it --rm \ docker/dtr install \ - --ucp-url $UCP_URL \ - --ucp-node $NODE_HOSTNAME \ - --dtr-external-url $DTR_PUBLIC_IP \ - --ucp-username $USER --ucp-password $PASSWORD \ --ucp-ca "$(cat ucp-ca.pem)" ``` - Where: - - * ucp-url, is the URL of the UCP controller, - * ucp-node, is the hostname of the UCP node where DTR will be installed, - * dtr-external-url, is the public IP or domain name where DTR can be reached, - * ucp-username, and ucp-password are the credentials of a UCP administrator, - * ucp-ca, is the certificate authority used by UCP. + The install command has other flags for customizing DTR at install time. + Check the [reference documentation to learn more](../reference/install.md). 3. Check that DTR is running. 
@@ -113,12 +105,14 @@ This step is optional. To set up DTR for [high availability](../high-availability/index.md), you can add more replicas to your DTR cluster. Adding more replicas allows you to load-balance requests across all replicas, and keep DTR working if a -replica fails. Each replica must be located on a node already joined to the UCP cluster. +replica fails. + +For high-availability you should set 3, 5, or 7 DTR replicas. The nodes where +you're going to install these replicas also need to be managed by UCP. To add replicas to a DTR cluster, use the `docker/dtr join` command. To add replicas: - 1. Load you UCP user bundle. 2. Run the join command. @@ -131,25 +125,13 @@ replicas: ```bash # Get the certificates used by UCP - $ curl -k https://$UCP_HOST/ca > ucp-ca.pem + $ curl -k https:///ca > ucp-ca.pem $ docker run -it --rm \ docker/dtr join \ - --ucp-url $UCP_URL \ - --ucp-node $UCP_NODE \ - --existing-replica-id $REPLICA_TO_JOIN \ - --ucp-username $USER --ucp-password $PASSWORD \ --ucp-ca "$(cat ucp-ca.pem)" ``` - Where: - - * ucp-url, is the URL of the UCP controller, - * ucp-node, is the node on the ucp cluster where the DTR replica will be installed, - * existing-replica-id, is the ID of the DTR replica you want to replicate, - * ucp-username, and ucp-password are the credentials of a UCP administrator, - * ucp-ca, is the certificate used by UCP. - 3. Check that all replicas are running. In your browser, navigate to the the Docker **Universal Control Plane** @@ -158,12 +140,6 @@ replicas: ![](../images/install-dtr-4.png) -4. Follow steps 1 to 3, to add more replicas to the DTR cluster. - - When configuring your DTR cluster for high-availability, you should install - 3, 5, or 7 replicas. - [Learn more about high availability](../high-availability/index.md) - ## See also * [Install DTR offline](install-dtr-offline.md) diff --git a/install/install-dtr-offline.md b/install/install-dtr-offline.md index 0cfc57ad57..0076404ac6 100644 
--- a/install/install-dtr-offline.md +++ b/install/install-dtr-offline.md @@ -42,7 +42,7 @@ copy that package to the nodes where you’ll install DTR. 3. Login into the host where you transferred the images. -4. Load the UCP images. +4. Load the images. Once the package is on the node where you want to install DTR, you can use the `docker load` command, to load the images from the .tar file. diff --git a/install/system-requirements.md b/install/system-requirements.md index 367acb3fa2..5b8ed80f7f 100644 --- a/install/system-requirements.md +++ b/install/system-requirements.md @@ -18,26 +18,21 @@ Before installing, be sure your infrastructure has these requirements. ## Software requirements -To install DTR on a node, that node node must be part of a Docker Universal -Control Plane 1.1 cluster. +You can only install DTR on a node that is being managed by Docker Universal +Control Plane 2.0. + ## Ports used When installing DTR on a node, make sure the following ports are open on that node: -| Direction | Port | Purpose | -|:---------:|:-----|:---------------------------------------------------------------------------------| -| in | 80 | Web app and API client access to DTR. | -| in | 443 | Web app and API client access to DTR. | -| out | 443 | Check if new versions are available, and send anonymous usage reports to Docker. | +| Direction | Port | Purpose | +|:---------:|:-----|:--------------------------------------| +| in | 80 | Web app and API client access to DTR. | +| in | 443 | Web app and API client access to DTR. | -The inbound ports are configurable. - -DTR collects anonymous usage metrics, to help us improve it. These metrics -are entirely anonymous, don’t identify your company, users, applications, -or any other sensitive information. You can disable this on the DTR settings -page. +These ports are configurable when installing DTR. ## Compatibility and maintenance lifecycle
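Review bot: in the architecture.md hunk (`@@ -22,62 +22,64 @@`), the paragraph "The communication between all DTR components is secured using TLS. Also, when installing DTR, two Certificate Authorities (CAs) are created ..." is deleted from the Networks section with no replacement, yet the new dtr-br row still promises communication "in a secure way" and the new dtr-ca volume row now describes a single "DTR root CA that issues certificates". Either restore a one-line statement of what actually protects inter-component traffic (TLS, with certificates issued from the key material in dtr-ca-<replica_id>) or drop the "secure way" claim, and reconcile "two CAs" against "the DTR root CA", because anyone backing up or restricting access to that volume needs to know exactly which private keys it holds. Two smaller points in the same hunk: the consolidated sentence "All these components are for internal use of DTR" now also covers dtr-nginx, which the table says "listens to ports 80 and 443 of the host", so the deleted per-row "is not exposed" wording carried exposure information the summary loses; and "you should use a cloud storage system instead of an NFS mount, since they usually have better performance" turns what the deleted text stated as a requirement for HA (a shared backend, cloud or NFS, instead of the node-local default) into a performance preference, so state the requirement first and the preference second. Finally, `/var/lib/docker/volumes//_data` renders with an empty segment where the volume name belongs; check that the placeholder survives rendering.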
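Review bot: in the install/index.md hunk `@@ -30,10 +30,11 @@`, "you need to install UCP on all the nodes where you plan to install DTR" reads as installing a UCP controller on every DTR node, whereas the following sentence ("Make sure all the nodes you plan on installing DTR are being managed by UCP") states the real requirement. Phrase both the same way, for example "every node you plan to install DTR on must be joined to the swarm managed by UCP", and fix "plan on installing DTR" to "plan to install DTR on".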
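Review bot: in the install/index.md hunk `@@ -44,34 +45,25 @@`, `curl -k https:///ca > ucp-ca.pem` fetches the CA certificate that the installer will then trust via `--ucp-ca`, with TLS verification disabled, and the hunk removes the "Where:" list without adding any guidance on checking what was fetched. Add a sentence telling the reader to compare the fingerprint of ucp-ca.pem against the one UCP displays before passing it in, since a network attacker at bootstrap time can otherwise hand DTR a CA of their choosing. Also, as the diff reads here the install command keeps only `--ucp-ca` while `--ucp-url`, `--ucp-node`, `--dtr-external-url` and the credential flags are removed, and the curl URL has no host (`https:///ca`); if these were replaced by angle-bracket placeholders, make sure they survive rendering, otherwise the command cannot be run as shown and the reference-doc link is the only hint that more flags are needed. Both points apply equally to the join command in the `@@ -131,25 +125,13 @@` hunk, which additionally loses the explanation of `--existing-replica-id`. Dropping `--ucp-password $PASSWORD` from the examples is an improvement (passwords on the command line end up in shell history and process listings), but the text should then say how the installer obtains credentials instead.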
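Review bot: in the install/index.md hunk `@@ -113,12 +105,14 @@`, the context line "1. Load you UCP user bundle." has a typo ("your"), and "For high-availability you should set 3, 5, or 7 DTR replicas" should read "For high availability you should run 3, 5, or 7 DTR replicas". Since this hunk now carries the replica-count guidance, it would help to keep the link to ../high-availability/index.md that the later `@@ -158,12 +140,6 @@` hunk deletes along with old step 4.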
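Review bot: in the install/system-requirements.md hunk `@@ -18,26 +18,21 @@`, the row `| out | 443 | Check if new versions are available, and send anonymous usage reports to Docker. |` and the paragraph disclosing the usage metrics (including that they can be disabled on the DTR settings page) are deleted together, with nothing saying the behaviour itself is gone. If DTR 2.0 still performs version checks or sends usage reports, this hides an egress requirement from whoever writes the firewall rules and removes the only disclosure of telemetry and of how to turn it off; if the feature was removed, say so explicitly rather than silently dropping the row. Either way the Direction/Port table should state the outbound requirements accurately, and "These ports are configurable when installing DTR" should say which flags configure them or link to the install reference.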