docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1023 from docker/patch-03-2019 

Update UCP 3.1 API reference page with additional LDAP endpoints
This commit is contained in:
Maria Bermudez 2019-03-28 15:21:10 -04:00 committed by GitHub
parent f532a54c98 d153b80e39
commit 2404ddbc1f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 207 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
_config.yml
View File

@ -94,7 +94,7 @@ defaults:
- scope:
path: "install"
values:
win_latest_build: "docker-18.09.3"
win_latest_build: "docker-18.09.4"
- scope:
path: "datacenter"
values:
@ -104,14 +104,14 @@ defaults:
values:
dtr_org: "docker"
dtr_repo: "dtr"
dtr_version: "2.6.3"
dtr_version: "2.6.4"
- scope:
path: "datacenter/dtr/2.5"
values:
hide_from_sitemap: true
dtr_org: "docker"
dtr_repo: "dtr"
dtr_version: "2.5.9"
dtr_version: "2.5.10"
- scope:
path: "datacenter/dtr/2.4"
values:
@ -147,15 +147,15 @@ defaults:
values:
ucp_org: "docker"
ucp_repo: "ucp"
ucp_version: "3.1.4"
ucp_version: "3.1.5"
- scope: # This is a bit of a hack for the get-support.md topic.
path: "ee"
values:
ucp_org: "docker"
ucp_repo: "ucp"
dtr_repo: "dtr"
ucp_version: "3.1.4"
dtr_version: "2.6.3"
ucp_version: "3.1.5"
dtr_version: "2.6.4"
- scope:
path: "datacenter/ucp/3.0"
values:

73
ee/dtr/release-notes.md
View File

@ -22,6 +22,33 @@ to upgrade your installation to the latest release.
# Version 2.6
## 2.6.4
(2019-3-27)
### Enhancements
* Added `--storage-migrated` option to reconfigure and restore with migrated content when moving content to a new NFS URL. (ENGDTR-794)
* Added a job log status filter which allows users to exclude jobs that are not currently ***running***. (docker/dhe-deploy #10077)
### Bug Fixes
* If you have a repository in DTR 2.4 with manifest lists enabled, `docker pull` would fail on images that have been pushed to the repository after you upgrade to 2.5 and opt into garbage collection. This also applied when upgrading from 2.5 to 2.6. The issue has been fixed in DTR 2.6.4. (ENGDTR-330 and docker/dhe-deploy #10105)
### Known issues
* Docker Engine Enterprise Edition (Docker EE) Upgrade
* There are [important changes to the upgrade process](/ee/upgrade) that, if not correctly followed, can have impact on the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any version before `18.09` to version `18.09` or greater. For DTR-specific changes, see [2.5 to 2.6 upgrade](/ee/dtr/admin/upgrade/#25-to-26-upgrade).
* Web Interface
* Poll mirroring for Docker plugins such as `docker/imagefs` is currently broken. (docker/dhe-deploy #9490)
* When viewing the details of a scanned image tag, the header may display a different vulnerability count from the layer details. (docker/dhe-deploy #9474)
* In order to set a tag limit for pruning purposes, immutability must be turned off for a repository. This limitation is not clear in the **Repository Settings** view. (docker/dhe-deploy #9554)
* Webhooks
* When configured for "Image promoted from repository" events, a webhook notification is triggered twice during an image promotion when scanning is enabled on a repository. (docker/dhe-deploy #9685)
* HTTPS webhooks do not go through HTTPS proxy when configured. (docker/dhe-deploy #9492)
* System
* When upgrading from `2.5` to `2.6`, the system will run a `metadatastoremigration` job after a successful upgrade. This is necessary for online garbage collection. If the three system attempts fail, you will have to retrigger the `metadatastoremigration` job manually. [Learn about manual metadata store migration](/ee/dtr/admin/upgrade/#25-to-26-upgrade).
## 2.6.3
(2019-2-28)
@ -186,6 +213,46 @@ to upgrade your installation to the latest release.
# Version 2.5
> **Important DTR Upgrade Information**
> If you have manifest lists enabled on any of your repositories:
>
> Upgrade path from 2.5.x to 2.6: Upgrade directly to 2.6.4.
## 2.5.10
(2019-3-27)
### Bug Fixes
* If you have a repository in DTR 2.4 with manifest lists enabled, `docker pull` would fail on images that have been pushed to the repository after you upgrade to 2.5 and opt into garbage collection. This has been fixed in 2.5.10. (docker/dhe-deploy#10106)
### Known Issues
* Web Interface
* The web interface shows "This repository has no tags" in repositories where tags
have long names. As a workaround, reduce the length of the name for the
repository and tag.
* When deleting a repository with signed images, the DTR web interface no longer
shows instructions on how to delete trust data.
* There's no web interface support to update mirroring policies when rotating the TLS
certificates used by DTR. Use the API instead.
* The web interface for promotion policies is currently broken if you have a large number
of repositories.
* Clicking "Save & Apply" on a promotion policy doesn't work.
* Webhooks
* There is no webhook event for when an image is pulled.
* HTTPS webhooks do not go through HTTPS proxy when configured. (docker/dhe-deploy #9492)
* When configured for "Image promoted from repository" events, a webhook notification will be triggered twice during an image promotion when scanning is enabled on a repository. (docker/dhe-deploy #9685)
* Online garbage collection
* The events API won't report events when tags and manifests are deleted.
* The events API won't report blobs deleted by the garbage collection job.
* Docker EE Advanced features
* Scanning any new push after metadatastore migration will not yet work.
* Pushes to repos with promotion policies (repo as source) are broken when an
image has a layer over 100MB.
* On upgrade the scanningstore container may restart with this error message:
FATAL: database files are incompatible with server
## 2.5.9
(2019-2-28)
@ -616,6 +683,12 @@ specify `--log-protocol`.
# Version 2.4
> **Important DTR Upgrade Information**
> If you have manifest lists enabled on any of your repositories:
>
> Upgrade path from 2.4.x to 2.5: Do not opt into garbage collection, or directly upgrade to 2.5.10 if you need to opt into > garbage collection.
> Upgrade path from 2.5.x to 2.6: Upgrade directly to 2.6.4.
## 2.4.10
(2019-2-28)

13
ee/ucp/admin/configure/external-auth/index.md
View File

@ -30,7 +30,7 @@ the *distinguished name* of the node in the LDAP directory tree where the
search starts looking for users.
Access LDAP settings by navigating to the **Authentication & Authorization**
page in the UCP web UI. There are two sections for controlling LDAP searches
page in the UCP web interface. There are two sections for controlling LDAP searches
and servers.
- **LDAP user search configurations:** This is the section of the
@ -105,7 +105,7 @@ email address, for example, `jane.doe@subsidiary1.com`.
## Configure the LDAP integration
To configure UCP to create and authenticate users by using an LDAP directory,
go to the UCP web UI, navigate to the **Admin Settings** page and click
go to the UCP web interface, navigate to the **Admin Settings** page and click
**Authentication & Authorization** to select the method used to create and
authenticate users.
@ -220,6 +220,15 @@ UCP enables syncing teams with a search query or group in your organization's
LDAP directory.
[Sync team members with your organization's LDAP directory](../../../authorization/create-teams-with-ldap.md).
## LDAP Configuration via API
As of UCP 3.1.5, LDAP-specific `GET` and `PUT` API endpoints have been added to the Config resource. Note that swarm mode has to be enabled before you can hit the following endpoints:
- `GET /api/ucp/config/auth/ldap` - Returns information on your current system LDAP configuration.
- `PUT /api/ucp/config/auth/ldap` - Lets you update your LDAP configuration.
See [UCP API Documentation](/reference/ucp/3.1/api/) for additonal information.
## Where to go next
- [Create users and teams manually](../../../authorization/create-users-and-teams-manually.md)

97
ee/ucp/release-notes.md
View File

@ -21,6 +21,63 @@ upgrade your installation to the latest release.
# Version 3.1
## 3.1.5
2019-03-27
### Kubernetes
* Updated Kubernetes to version 1.11.8. (ENGORC-2024)
### Networking
* Updated Calico to version 3.5.2. (ENGORC-2045)
### Authentication and Authorization
* Added LDAP Settings API to the list of publicly documented API endpoints. (ENGORC-98)
* Added a new `exclude_server_identity_headers` field to the UCP config. If set to true, the headers are not included in UCP API responses. (docker/orca#16039)
* Hid most of the UCP banners for non-admin users. (docker/orca#14631)
* When LDAP or SAML is enabled, provided admin users an option to disable managed password authentication, which includes login and creation of new users. (ENGORC-1999)
### Bug Fixes
* Changed Interlock proxy service default `update-action-failure` to rollback. (ENGCORE-117)
* Added validation for service configuration label values. (ENGCORE-114)
* Fixed an issue with continuous interlock reconciliation if `ucp-interlock` service image does not match expected version. (ENGORC-2081)
### Known Issues
* There are important changes to the upgrade process that, if not correctly followed, can impact the availability of applications running on the Swarm during uprades. These constraints impact any upgrades coming from any Docker Engine version before 18.09 to version 18.09 or greater. For more information about about upgrading Docker Enterprise to version 2.1, see [Upgrade Docker](../upgrade)
* You must use the ID of the user, organization, or team if you manually create a **ClusterRoleBinding** or **RoleBinding** for `User` or `Group` subjects. (#14935)
* For the `User` subject Kind, the `Name` field contains the ID of the user.
* For the `Group` subject Kind, the format depends on whether you are create a Binding for a team or an organization:
* For an organization, the format is `org:{org-id}`
* For a team, the format is `team:{org-id}:{team-id}`
* To deploy Pods with containers using Restricted Parameters, the user must be an admin and a service account must explicitly have a **ClusterRoleBinding** with `cluster-admin` as the **ClusterRole**. Restricted Parameters on Containers include:
* Host Bind Mounts
* Privileged Mode
* Extra Capabilities
* Host Networking
* Host IPC
* Host PID
* If you delete the built-in **ClusterRole** or **ClusterRoleBinding** for `cluster-admin`, restart the `ucp-kube-apiserver` container on any manager node to recreate them. (#14483)
* Pod Security Policies are not supported in this release. (#15105)
* The default Kubelet configuration for UCP Manager nodes is expecting 4GB of free disk space in the `/var` partition. See [System Requirements](/ee/ucp/admin/install/system-requirements) for details.
### Components
| Component | Version |
| ----------- | ----------- |
| UCP | 3.1.5 |
| Kubernetes | 1.11.8 |
| Calico | 3.5.2 |
| Interlock (nginx) | 1.14.0 |
### Components
| Component | Version |
| ----------- | ----------- |
| UCP | 3.1.5 |
| Kubernetes | 1.11.8 |
| Calico | 3.5.2 |
| Interlock (nginx) | 1.14.0 |
## 3.1.4
2019-02-28
@ -39,6 +96,7 @@ upgrade your installation to the latest release.
* Fixed an issue to ensure that non-admin user actions (with the RestrictedControl role) against RBAC resources are read-only. (docker/orca#16121)
* Fixed an issue to prevent UCP users from updating services with a port that conflicts with the UCP controller port. (escalation#855)
* Fixed an issue to validate Calico certs expiration dates and update accordingly. (escalation#981)
* Kubelet no longer deletes images, starting with the oldest unused images, after exceeding 85% disk space utilization. This was an issue in air-gapped environments. (docker/orca#16082)
### Enhancements
* Changed packaging and builds for UCP to build bootstrapper last. This avoids the "upgrade available" banner on all UCPs until the entirety of UCP is available.
@ -46,7 +104,6 @@ upgrade your installation to the latest release.
### Known Issues
* Newly added Windows node reports "Awaiting healthy status in classic node inventory". [Learn more](https://success.docker.com/article/newly-added-windows-node-reports-awaiting-healthy-status-in-classic-node-inventory).
* By default, Kubelet begins deleting images, starting with the oldest unused images, after exceeding 85% disk space utilization. This causes an issue in an air-gapped environment. (docker/orca#16082)
* There are important changes to the upgrade process that, if not correctly followed, can impact the availability of applications running on the Swarm during uprades. These constraints impact any upgrades coming from any Docker Engine version before 18.09 to version 18.09 or greater. For more information about about upgrading Docker Enterprise to version 2.1, see [Upgrade Docker](../upgrade)
* In the UCP web interface, LDAP settings disappear after submitting them. However, the settings are properly saved. (docker/orca#15503)
* You must use the ID of the user, organization, or team if you manually create a **ClusterRoleBinding** or **RoleBinding** for `User` or `Group` subjects. (docker/orca#14935)
@ -65,6 +122,15 @@ upgrade your installation to the latest release.
* Pod Security Policies are not supported in this release. (docker/orca#15105)
* The default Kubelet configuration for UCP Manager nodes is expecting 4GB of free disk space in the `/var` partition. See [System Requirements](/ee/ucp/admin/install/system-requirements) for details.
### Components
| Component | Version |
| ----------- | ----------- |
| UCP | 3.1.4 |
| Kubernetes | 1.11.7 |
| Calico | 3.5.0 |
| Interlock (nginx) | 1.14.0 |
## 3.1.3
2019-01-29
@ -123,6 +189,10 @@ now configurable within the UCP web interface. (#15466)
* Now upgrading Interlock will also upgrade interlock proxy and interlock extension as well (escalation/871)
* Added support for 'VIP' backend mode, in which the Interlock proxy connects to the backend service's Virtual IP instead of load-balancing directly to each task IP. (docker/interlock#206) (escalation/920)
### Known Issues
* In the UCP web interface, LDAP settings disappear after submitting them. However, the settings are properly saved. (docker/orca#15503)
* By default, Kubelet begins deleting images, starting with the oldest unused images, after exceeding 85% disk space utilization. This causes an issue in an air-gapped environment. (docker/orca#16082)
### Components
| Component | Version |
@ -151,7 +221,7 @@ now configurable within the UCP web interface. (#15466)
2018-11-08
## Bug Fixes
### Bug Fixes
* Swarm placement constraint warning banner no longer shows up for `ucp-auth` services (#14539)
* "update out of sequence" error messages no longer appear when changing admin settings (#7093)
@ -160,7 +230,7 @@ now configurable within the UCP web interface. (#15466)
* `docker network ls --filter id=<id>` now works with a UCP client bundle (#14840)
* Collection deletes are correctly blocked if there is a node in the collection (#13704)
## New Features
### New Features
### Kubernetes
@ -190,34 +260,26 @@ Admins can configure UCP to use a SAML-enabled identity provider for user authen
* UCP now stores its configurations in its internal key-value store instead of in a Swarm configuration so changes can propagate across the cluster more quickly.
* You can now use the `custom_api_server_headers` field in the UCP configuration to set arbitrary headers that are included with every UCP response.
## API updates
### API updates
There are several backward-incompatible changes in the Kubernetes API that may affect user workloads. They are:
* A compatibility issue with the `allowPrivilegeEscalation` field that caused policies to start denying pods they previously allowed was fixed. If you defined `PodSecurityPolicy` objects using a 1.8.0 client or server and set `allowPrivilegeEscalation` to false, these objects must be reapplied after you upgrade.
* These changes are automatically updated for taints. Tolerations for these taints must be updated manually. Specifically, you must:
* A compatibility issue with the `allowPrivilegeEscalation` field that caused policies to start denying pods they previously allowed was fixed. If you defined `PodSecurityPolicy` objects using a 1.8.0 client or server and set `allowPrivilegeEscalation` to false, these objects must be reapplied after you upgrade.
* These changes are automatically updated for taints. Tolerations for these taints must be updated manually. Specifically, you must:
* Change `node.alpha.kubernetes.io/notReady` to `node.kubernetes.io/not-ready`
* Change `node.alpha.kubernetes.io/unreachable` to `node.kubernetes.io/unreachable`
For more information about taints and tolerations, see [Taints and Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/).
* JSON configuration used with `kubectl create -f pod.json` containing fields with incorrect casing are no longer valid. You must correct these files before upgrading. When specifying keys in JSON resource definitions during direct API server communication, the keys are case-sensitive. A bug introduced in Kubernetes 1.8 caused the API server to accept a request with incorrect case and coerce it to correct case, but this behaviour has been fixed in 1.11 so the API server will again enforce correct casing. During this time, the `kubectl` tool continued to enforce case-sensitive keys, so users that strictly manage resources with `kubectl` will be unaffected by this change.
* If you have a pod with a subpath volume PVC, theres a chance that after the upgrade, it will conflict with some other pod; see [this pull request](https://github.com/kubernetes/kubernetes/pull/61373). Its not clear if this issue will just prevent those pods from starting or if the whole cluster will fail.
## Known issues
### Known issues
* There are important changes to the upgrade process that, if not correctly followed, can impact the availability of applications running on the Swarm during uprades. These constraints impact any upgrades coming from any Docker Engine version before 18.09 to version 18.09 or greater. For more information about about upgrading Docker Enterprise to version 2.1, see [Upgrade Docker](../upgrade)
* In the UCP web interface, LDAP settings disappear after submitting them. However, the settings are properly saved. (#15503)
* You must use the ID of the user, organization, or team if you manually create a **ClusterRoleBinding** or **RoleBinding** for `User` or `Group` subjects. (#14935)
* For the `User` subject Kind, the `Name` field contains the ID of the user.
* For the `Group` subject Kind, the format depends on whether you are create a Binding for a team or an organization:
* For an organization, the format is `org:{org-id}`
* For a team, the format is `team:{org-id}:{team-id}`
* To deploy Pods with containers using Restricted Parameters, the user must be an admin and a service account must explicitly have a **ClusterRoleBinding** with `cluster-admin` as the **ClusterRole**. Restricted Parameters on Containers include:
* Host Bind Mounts
* Privileged Mode
@ -225,14 +287,11 @@ There are several backward-incompatible changes in the Kubernetes API that may a
* Host Networking
* Host IPC
* Host PID
* If you delete the built-in **ClusterRole** or **ClusterRoleBinding** for `cluster-admin`, restart the `ucp-kube-apiserver` container on any manager node to recreate them. (#14483)
* Pod Security Policies are not supported in this release. (#15105)
* The default Kubelet configuration for UCP Manager nodes is expecting 4GB of free disk space in the `/var` partition. See [System Requirements](/ee/ucp/admin/install/system-requirements) for details.
## Deprecated features
### Deprecated features
The following features are deprecated in UCP 3.1.

38
engine/release-notes.md
View File

@ -29,6 +29,27 @@ consistency and compatibility reasons.
> `sudo apt install docker-ce docker-ce-cli containerd.io`. See the install instructions
> for the corresponding linux distro for details.
## 18.09.4
2019-03-27
### Builder
* Added validation for `git ref` to avoid misinterpretation as a flag. [moby/moby#38944](https://github.com/moby/moby/pull/38944)
### Runtime
* Fixed `docker cp` error for filenames greater than 100 characters. [moby/moby#38634](https://github.com/moby/moby/pull/38634)
* Fixed `layer/layer_store` to ensure `NewInputTarStream` resources are released. [moby/moby#38413](https://github.com/moby/moby/pull/38413)
* Increased GRPC limit for `GetConfigs`. [moby/moby#38800](https://github.com/moby/moby/pull/38800)
* Updated `containerd` 1.2.5. [docker/engine#173](https://github.com/docker/engine/pull/173)
### Swarm Mode
* Fixed nil pointer exception when joining node to swarm. [moby/moby#38618](https://github.com/moby/moby/issues/38618)
### Known Issues
* There are [important changes to the upgrade process](/ee/upgrade) that, if not correctly followed, can have impact on the availability of applications running on the Swarm during upgrades. These constraints impact any upgrades coming from any version before 18.09 to version 18.09 or later.
## 18.09.3
2019-02-28
@ -263,6 +284,23 @@ Ubuntu 14.04 "Trusty Tahr" [docker-ce-packaging#255](https://github.com/docker/d
## Older Docker Engine EE Release notes
## 18.03.1-ee-8
2019-03-27
### Builder
* Added validation for `git ref` to avoid misinterpreation as a flag. [moby/moby#38944](https://github.com/moby/moby/pull/38944)
### Runtime
* Fixed `docker cp` error for filenames greater than 100 characters. [moby/moby#38634]
* Fixed `layer/layer_store` to ensure `NewInputTarStream` resources are released. [moby/moby#38413]
### Swarm Mode
* Fixed issue for swarm nodes not being able to join as masters if http proxy is set. [moby/moby#36951]
## 18.03.1-ee-7
2019-02-28

29
reference/ucp/3.1/api/index.md
View File

@ -1,29 +0,0 @@
---
description: Learn how to use the Universal Control Plane REST API
keywords: ucp, api, reference
title: Universal Control Plane 3.1 API
---
<div class="swagger-section">
<div id="swagger-ui-container" class="swagger-ui-wrap"></div>
<link href='custom/custom.css' media='screen' rel='stylesheet' type='text/css'/>
<link href='css/typography.css' media='screen' rel='stylesheet' type='text/css'/>
<link href='css/reset.css' media='screen' rel='stylesheet' type='text/css'/>
<link href='css/screen.css' media='screen' rel='stylesheet' type='text/css'/>
<link href='css/reset.css' media='print' rel='stylesheet' type='text/css'/>
<link href='css/print.css' media='print' rel='stylesheet' type='text/css'/>
<script src='lib/jquery-1.8.0.min.js' type='text/javascript'></script>
<script src='lib/jquery.slideto.min.js' type='text/javascript'></script>
<script src='lib/jquery.wiggle.min.js' type='text/javascript'></script>
<script src='lib/jquery.ba-bbq.min.js' type='text/javascript'></script>
<script src='lib/handlebars-2.0.0.js' type='text/javascript'></script>
<script src='lib/underscore-min.js' type='text/javascript'></script>
<script src='lib/backbone-min.js' type='text/javascript'></script>
<script src='swagger-ui.min.js' type='text/javascript'></script>
<script src='lib/highlight.7.3.pack.js' type='text/javascript'></script>
<script src='lib/marked.js' type='text/javascript'></script>
<script src='lib/swagger-oauth.js' type='text/javascript'></script>
<script src='main.js' type='text/javascript'></script>
</div>

3
reference/ucp/3.1/api/main.js
View File

File diff suppressed because one or more lines are too long