Update UCP config topics (#114)

* Update config topics

* Update config topics

* Incorporate feedback

* Add topics to TOC
Jim Galasyn 2017-07-11 15:40:46 -07:00
parent 22c5d1f6c8
commit 4ebc5a04e5
30 changed files with 360 additions and 375 deletions


@ -1615,7 +1615,7 @@ manuals:
- path: /datacenter/ucp/2.2/guides/admin/configure/scale-your-cluster/
title: Scale your cluster
- path: /datacenter/ucp/2.2/guides/admin/configure/join-windows-worker-nodes/
title: Scale your cluster with Windows nodes
title: Join Windows worker nodes to a swarm
- path: /datacenter/ucp/2.2/guides/admin/configure/set-up-high-availability/
title: Set up high availability
- path: /datacenter/ucp/2.2/guides/admin/configure/use-a-load-balancer/
@ -1634,6 +1634,8 @@ manuals:
title: Use domain names to access services
- path: /datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust/
title: Run only the images you trust
- path: /datacenter/ucp/2.2/guides/admin/configure/integrate-with-dtr/
title: Integrate with Docker Trusted Registry
- path: /datacenter/ucp/2.2/guides/admin/configure/external-auth/
title: Integrate with LDAP
- sectiontitle: Manage users
@ -1646,10 +1648,10 @@ manuals:
title: Create and manage teams
- path: /datacenter/ucp/2.2/guides/admin/manage-users/deploy-view-only-service/
title: Deploy a service with view-only access across an organization
- path: /datacenter/ucp/2.2/guides/admin/manage-users/deploy-view-only-service/
title: Deploy a service with view-only access across an organization
- path: /datacenter/ucp/2.2/guides/admin/manage-users/grant-permissions/
title: Grant permissions to users based on roles
- path: /datacenter/ucp/2.2/guides/admin/manage-users/isolate-nodes-between-teams/
title: Isolate swarm nodes between two different teams
- path: /datacenter/ucp/2.2/guides/admin/manage-users/isolate-volumes-between-teams/
title: Isolate volumes between two different teams
- path: /datacenter/ucp/2.2/guides/admin/manage-users/manage-access-with-collections/


@ -1,62 +1,75 @@
---
title: Add labels to cluster nodes
description: Learn how to add metadata to cluster nodes, that can be used to specify constraints when deploying services.
keywords: Docker, cluster, nodes, labels
title: Add labels to swarm nodes
description: Learn how to add metadata to swarm nodes that can be used to specify constraints when deploying services.
keywords: cluster, node, label, swarm, metadata
---
After deploying UCP you can add labels to your nodes. Labels are metadata that
you can use to organize nodes.
You can also use these labels as deployment constraints for your services.
With Docker UCP, you can add labels to your nodes. Labels are metadata that
describe the node, like its role (development, QA, production), its region
(US, EU, APAC), or the kind of disk (hdd, ssd). Once you have labeled your
nodes, you can add deployment constraints to your services, to ensure they
are scheduled on a node with a specific label.
When deploying a service, you can specify constraints, so that the service only
gets scheduled on a node that has a label that fulfills all the constraints
you specify.
As an example, you can apply labels based on their role in the development
For example, you can apply labels based on their role in the development
lifecycle, or the hardware resources they have.
![](../../images/add-labels-to-cluster-nodes-1.svg)
Don't create labels for authorization and permissions to resources.
Instead, use collections to organize access to your swarm.
[Learn about managing access with collections](../manage-access-with-collections.md).
## Apply labels to a node
Log in with administrator credentials in the **UCP web UI**, navigate to the
**Nodes** page, and choose the node you want to apply labels to.
In this example we'll apply the `ssd` label to a node. Then we'll deploy
a service with a deployment constraint to make sure the service is always
scheduled to run on a node that has the `ssd` label.
Click the **Add label** button, and add one or more labels to the node.
Log in with administrator credentials in the UCP web UI, navigate to the
**Nodes** page, and choose the node you want to apply labels to. In the
details pane, click **Configure**.
In the **Edit Node** page, scroll down to the **Labels** section.
Click **Add Label**, and add a label that has a key set to `nodel.labels.disk`
and a value of `ssd`.
![](../../images/add-labels-to-cluster-nodes-2.png){: .with-border}
Once you're done, click **Save Changes**.
When you're done, click **Save** and dismiss the **Edit Node** page.
In the node's details pane, click **Labels** to view the labels that are
applied to the node.
You can also do this from the CLI by running:
```none
docker node update --label-add <key>=<value> <node-id>
```bash
$ docker node update --label-add <key>=<value> <node-id>
```
## Add constraint to a service
## Add a constraint to a service
When deploying a service, you can specify constraints, so that the service only
gets scheduled on a node that has a label that fulfills all the constraints
When deploying a service, you can specify constraints, so that the service gets
scheduled only on a node that has a label that fulfills all of the constraints
you specify.
In this example, when users deploy a service they can add constraints for the
service to be scheduled on nodes that have an SSD storage.
In this example, when users deploy a service, they can add constraints for the
service to be scheduled on nodes that have SSD storage.
You can add deployment constraints to your docker-stack.yml file or when you are creating a stack:
You can add deployment constraints to your docker-stack.yml file or when you're
creating a stack:
![](../../images/use-contraints-in-stack-deployement.png)
Or you can apply them when you are creating a service.
Or you can apply them when you're creating a service.
To check if a service has deployment constraints, navigate to the
**Services** page and choose the service that you want to check.
In the details pane, click **Constraints** to list the constraint labels.
To edit the labels on the service, click **Configure** and select
**Environment**
![](../../images/add-constraint-to-service.png)
You can check if a service have deployment constraints, navigate to the **Services** page,
and choose the service your want to check.
Once you're done, click **Scheduling**.
![](../../images/check-contraints.png)
From here, you can add or remove deployment constraint too.
From here, you can add or remove deployment constraints, too.
## Where to go next
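Review bot: the label key `nodel.labels.disk` in the new **Add Label** step looks like a typo (`nodel` for `node`); swarm scheduling constraints reference node labels as `node.labels.<key>`, so a reader who copies this key verbatim ends up with a label that no `node.labels.disk==ssd` constraint will ever match. Two smaller points in the same hunk: the example intro still says "apply the `ssd` label" while the step actually sets a key/value pair with value `ssd`, so align the wording; and "click **Configure** and select **Environment**" has no terminating period and is followed by "Once you're done, click **Scheduling**", which reads out of sequence after the earlier "click **Constraints**" instruction, so state plainly which tab lists the constraints and which one edits them.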


@ -1,7 +1,7 @@
---
title: Add SANs to cluster certificates
description: Learn how to add new SANs to cluster nodes, allowing you to connect to UCP with a different hostname
keywords: Docker, cluster, nodes, labels, certificates, SANs
keywords: cluster, node, label, certificate, SAN
---
UCP always runs with HTTPS enabled. When you connect to UCP, you need to make
@ -12,28 +12,27 @@ balancer's hostname or IP address, not UCP's. UCP will reject these requests
unless you include the load balancer's address as a Subject Alternative Name
(or SAN) in UCP's certificates.
If you [use your own TLS certificates](use-your-own-tls-certificates.md), you
need to make sure that they have the correct SAN values. You can learn more
at the above link.
If you use your own TLS certificates, make sure that they have the correct SAN
values.
[Learn about using your own TLS certificates](use-your-own-tls-certificates.md).
If you want to use the self-signed certificate that UCP has out of the box, you
can set up the SANs when you install UCP with the `--san` argument. You can
also add them after installation.
## Add new SANs to UCP after installation
## Add new SANs to UCP
Log in with administrator credentials in the **UCP web UI**, navigate to the
**Nodes** page, and choose a node.
1. In the UCP web UI, log in with administrator credentials and navigate to
the **Nodes** page.
2. Click on a manager node, and in the details pane, click **Configure**.
3. In the **SANs** section, click **Add SAN**, and enter one or more SANs
for the swarm.
![](../../images/add-sans-to-cluster-1.png){: .with-border}
4. Once you're done, click **Save**.
Click the **Add SAN** button, and add one or more SANs to the node.
![](../../images/add-sans-to-cluster-1.png){: .with-border}
Once you're done, click **Save Changes**.
You will have to do this on every manager node in the cluster, but once you
have done so, the SANs will be automatically applied to any new manager nodes
that join the cluster.
You will have to do this on every manager node in the swarm, but once you
have done so, the SANs are applied automatically to any new manager nodes
that join the swarm.
You can also do this from the CLI by first running:
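Review bot: step 3 says to enter SANs "for the swarm", but the paragraph right after the steps says the change has to be repeated on every manager node, so the step should say the SANs are added to the selected manager node (the removed text said "to the node"); as written, a reader may stop after one manager and still hit the rejection described in the intro when the load balancer's hostname is not present on the node that answers. Worth adding one sentence that the SAN entered must be exactly the name clients use (the load balancer hostname or IP), since that is the failure the intro describes.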
@ -45,7 +44,7 @@ default-cs,127.0.0.1,172.17.0.1
```
This will get the current set of SANs for the given manager node. Append your
desired SAN to this list (e.g. `default-cs,127.0.0.1,172.17.0.1,example.com`)
desired SAN to this list, for example `default-cs,127.0.0.1,172.17.0.1,example.com`,
and then run:
```bash


@ -1,14 +1,17 @@
---
title: Integrate with an LDAP Directory
description: Learn how to integrate UCP with an LDAP service, so that you can
manage users from a single place.
keywords: LDAP, directory, authentication, user management
title: Integrate with an LDAP Directory
keywords: LDAP, UCP, authentication, user management
---
Docker UCP integrates with LDAP directory services, so that you can manage
users and groups from your organization's directory and it will automatically
propagate that information to UCP and DTR.
If you enable LDAP, UCP uses a remote directory server to create users
automatically, and all logins are forwarded to the directory server.
When you switch from built-in authentication to LDAP authentication,
all manually created users whose usernames do not match any LDAP search results
become inactive with the exception of the recovery admin user which can still
@ -17,119 +20,91 @@ log in with the recovery admin password.
## Configure the LDAP integration
To configure UCP to create and authenticate users using an LDAP directory,
go to the **UCP web UI**, navigate to the **Admin Settings** page, and click the
**Authentication** tab.
go to the UCP web UI, navigate to the **Admin Settings** page and click
**Authentication & Authorization** to select the method used to create and
authenticate users.
In the **LDAP Enabled** section, click **Yes** to The LDAP settings appear.
Now configure your LDAP directory integration.
## Default Role For All Private Collections
Click the dropdown to select the permission level assigned by default to
the private collections of new users.
[Learn more about permission levels](../../manage-users/permission-levels.md).
## LDAP domains
Click **Add LDAP Domain** to show the LDAP server configuration settings.
| Field | Description |
| :-------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| LDAP server URL | The URL where the LDAP server can be reached. |
| Reader DN | The distinguished name of the LDAP account used for searching entries in the LDAP server. As a best practice, this should be an LDAP read-only user. |
| Reader password | The password of the account used for searching entries in the LDAP server. |
| Use Start TLS | Whether to authenticate/encrypt the connection after connecting to the LDAP server over TCP. If you set the LDAP Server URL field with `ldaps://`, this field is ignored. |
| Skip TLS verification | Whether to verify the LDAP server certificate when using TLS. The connection is still encrypted but vulnerable to man-in-the-middle attacks. |
| No simple pagination | If your LDAP server doesn't support pagination. |
![](../../../images/ldap-integration-1.png){: .with-border}
Then configure your LDAP directory integration.
Click **Confirm** to add your LDAP domain.
**Authentication**
## LDAP user search configurations
| Field | Description |
|:-------------------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Method | The method used to create and authenticate users. The *LDAP* method uses a remote directory server to automatically create users and all logins will be forwarded to the directory server. |
| Default permission for newly discovered accounts | The permission level assigned by default to a new user. [Learn more about default permission levels](../../manage-users/permission-levels.md). |
**LDAP server configuration**
| Field | Description |
|:------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| LDAP server URL | The URL where the LDAP server can be reached. |
| Recovery admin username | The username for a recovery user that can access UCP even when the integration with LDAP is misconfigured or the LDAP server is offline. |
| Recovery admin password | The password for the recovery user which is securely salted and hashed and stored in UCP. The recovery admin user can use this password to login if the LDAP server is misconfigured or offline. |
| Reader DN | The distinguished name of the LDAP account used for searching entries in the LDAP server. As a best practice this should be an LDAP read-only user. |
| Reader password | The password of the account used for searching entries in the LDAP server. |
**LDAP security options**
| Field | Description |
|:----------------------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Skip verification of server certificate | Whether to verify the LDAP server certificate when using TLS. The connection is still encrypted, but vulnerable to man-in-the-middle attacks. |
| Use StartTLS | Whether to authenticate/encrypt the connection after connecting to the LDAP server over TCP. If you set the LDAP Server URL field with `ldaps://`, this field is ignored. |
**User search configurations**
| Field | Description |
|:------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Base DN | The distinguished name of the node in the directory tree where the search should start looking for users. |
| Username attribute | The LDAP attribute to use as username on UCP. Only user entries with a valid username will be created. A valid username is no longer than 100 characters and does not contain any unprintable characters, whitespace characters, or any of the following characters: `/` `\` `[` `]` `:` `;` `|` `=` `,` `+` `*` `?` `<` `>` `'` `"`. |
| Full name attribute | The LDAP attribute to use as the user's full name for display purposes. If left empty, UCP will not create new users with a full name value. |
| Filter | The LDAP search filter used to find users. If you leave this field empty, all directory entries in the search scope with valid username attributes are created as users. |
| Search scope | Whether to perform the LDAP search on a single level of the LDAP tree, or search through the full LDAP tree starting at the Base DN. |
| Match group members | Whether to further filter users by selecting those who are also members of a specific group on the directory server. This feature is helpful if the LDAP server does not support `memberOf` search filters. |
| Iterate through group members | If `Match Group Members` is selected, this option searches for users by first iterating over the target group's membership and makes a separate LDAP query for each member, as opposed to first querying for all users which match the above search query and intersecting those with the set of group members. This option can be more efficient in situations where the number of members of the target group is significantly smaller than the number of users which would match the above search filter or if your directory server does not support simple pagination of search results. |
| Group DN | If `Match Group Members` is selected, this specifies the distinguished name of the group from which to select users. |
| Group member attribute | If `Match Group Members` is selected, the value of this group attribute corresponds to the distinguished names of the members of the group. |
| Field | Description | |
| :--------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------- |
| Base DN | The distinguished name of the node in the directory tree where the search should start looking for users. | |
| Username attribute | The LDAP attribute to use as username on UCP. Only user entries with a valid username will be created. A valid username is no longer than 100 characters and does not contain any unprintable characters, whitespace characters, or any of the following characters: `/` `\` `[` `]` `:` `;` `|` `=` `,` `+` `*` `?` `<` `>` `'` `"`. |
| Full name attribute | The LDAP attribute to use as the user's full name for display purposes. If left empty, UCP will not create new users with a full name value. | |
| Filter | The LDAP search filter used to find users. If you leave this field empty, all directory entries in the search scope with valid username attributes are created as users. | |
| Search subtree instead of just one level | Whether to perform the LDAP search on a single level of the LDAP tree, or search through the full LDAP tree starting at the Base DN. | |
| Select Group Members | Whether to further filter users by selecting those who are also members of a specific group on the directory server. This feature is helpful if the LDAP server does not support `memberOf` search filters. | |
| Iterate through group members | If `Select Group Members` is selected, this option searches for users by first iterating over the target group's membership, making a separate LDAP query for each member. as opposed to first querying for all users which match the above search query and intersecting those with the set of group members. This option can be more efficient in situations where the number of members of the target group is significantly smaller than the number of users which would match the above search filter, or if your directory server does not support simple pagination of search results. | |
| Group DN | If `Select Group Members` is selected, this specifies the distinguished name of the group from which to select users. | |
| Group Member Attribute | If `Select Group Members` is selected, the value of this group attribute corresponds to the distinguished names of the members of the group. | |
![](../../../images/ldap-integration-2.png){: .with-border}
Clicking **+ Add another user search configuration** will expand additional
sections for configuring more user search queries. This is useful in cases
where users may be found in multiple distinct subtrees of your organization's
directory. Any user entry which matches at least one of the search
configurations will be synced as a user.
To configure more user search queries, click **Add LDAP User Search Configuration**
again. This is useful in cases where users may be found in multiple distinct
subtrees of your organization's directory. Any user entry which matches at
least one of the search configurations will be synced as a user.
**Advanced LDAP configuration**
## LDAP Test Login
| Field | Description |
|:---------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| No simple pagination | If your LDAP server doesn't support pagination. |
| Enable sync of admin users | Whether to import LDAP users as UCP administrators. |
| LDAP Match Method | If admin user sync is enabled, this option specifies whether to match admin user entries using a search query or by selecting them as members from a group. For the expanded options, refer to the options described below. |
**Match LDAP Group Members**
This option specifies that system admins should be synced directly with members
of a group in your organization's LDAP directory. The admins will be synced to
match the membership of the group. The configured recovery admin user will also
remain a system admin.
| Field | Description |
|:-----------------------|:------------------------------------------------------------------------------------------------------|
| Group DN | This specifies the distinguished name of the group from which to select users. |
| Group member attribute | The value of this group attribute corresponds to the distinguished names of the members of the group. |
**Match LDAP Search Results**
This option specifies that system admin should be synced using a search query
against your organization's LDAP directory. The admins will by synced to match
the users in the search results. The configured recovery admin user will also
remain a system admin.
| Field | Description |
|:--------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------|
| Base DN | The distinguished name of the node in the directory tree where the search should start looking for users. |
| Search scope | Whether to perform the LDAP search on a single level of the LDAP tree, or search through the full LDAP tree starting at the Base DN. |
| Search Filter | The LDAP search filter used to find users. If you leave this field empty, all existing users in the search scope will be added as members of the team. |
**Sync configuration**
| Field | Description |
|:--------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Sync interval | The interval in hours to synchronize users between UCP and the LDAP server. When the synchronization job runs, new users found in the LDAP server are created in UCP with the default permission level. UCP users that don't exist in the LDAP server become inactive. |
**Test LDAP connection**
| Field | Description |
|:---------|:-----------------------------------------------------------------------------------------------------------------------------------------------------|
| Username | The username with which the user will login to this application. This value should correspond to the Username Attribute specified in the form above. |
| Password | The user's password used to authenticate (BIND) to the directory server. |
| Field | Description |
| :------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Username | An LDAP username for testing authentication to this application. This value corresponds with the **Username Attribute** specified in the **LDAP user search configurations** section. |
| Password | The user's password used to authenticate (BIND) to the directory server. |
Before you save the configuration changes, you should test that the integration
is correctly configured. You can do this by providing the credentials of an
LDAP user, and clicking the **Test** button.
## Synchronize users
## LDAP Sync Configuration
Once you've configured the LDAP integration, UCP synchronizes users based on the
interval you've defined starting at the top of the hour. When the
| Field | Description |
| :------------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Sync interval | The interval, in hours, to synchronize users between UCP and the LDAP server. When the synchronization job runs, new users found in the LDAP server are created in UCP with the default permission level. UCP users that don't exist in the LDAP server become inactive. |
| Enable sync of admin users | This option specifies that system admins should be synced directly with members of a group in your organization's LDAP directory. The admins will be synced to match the membership of the group. The configured recovery admin user will also remain a system admin. |
Once you've configured the LDAP integration, UCP synchronizes users based on
the interval you've defined starting at the top of the hour. When the
synchronization runs, UCP stores logs that can help you troubleshoot when
something goes wrong.
You can also manually synchronize users by clicking the **Sync Now** button.
You can also manually synchronize users by clicking **Sync Now**.
## Login Session Controls
| Field | Description |
| :---------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Lifetime Hours | The maxiumum length of a login session. When this time expires, UCP invalidates the session, and the user must authenticate again to establish a new session. The default is 72 hours. |
| Renewal Threshold Hours | The time to wait before UCP renews the session automatically. Typically, this occurs during a user session and is independent of session activity. The default is 24 hours. |
| Per User Limit | The maximum number of simultaneous logins for a user. |
## Revoke user access
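Review bot: the reworked tables drop the **Recovery admin username** and **Recovery admin password** rows, yet the intro paragraph (users become inactive "with the exception of the recovery admin user") and the **Revoke user access** section still depend on that account; document where it is now configured, or the reader cannot find it when the directory is offline. Other points in this hunk: the sentence "In the **LDAP Enabled** section, click **Yes** to The LDAP settings appear." is broken (suggest "click **Yes**. The LDAP settings appear."); the **LDAP user search configurations** table carries a stray empty third column in its header and every row (`| Field | Description | |`); "click **Add LDAP User Search Configuration** again" says "again" although that button is not introduced anywhere before; the **Enable sync of admin users** row says admins are synced "with members of a group" but the **Group DN** and group member attribute fields that identified that group were removed together with the old **Match LDAP Group Members** table, so say where the group is specified; the **Skip TLS verification** row already notes the man-in-the-middle exposure, so it should say explicitly that the option is for troubleshooting only and that `ldaps://` or **Use Start TLS** with verification left on is the expected production setting; and "maxiumum" in the **Lifetime Hours** row is a typo.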
@ -138,7 +113,7 @@ synchronization runs.
Also, when you switch from the built-in authentication to using LDAP
authentication, all manually created users whose usernames do not match any
LDAP search results become inactive with the exception of the recovery admin
LDAP search results become inactive, with the exception of the recovery admin
user which can still login with the recovery admin password.
## Data synced from your organization's LDAP directory
@ -148,7 +123,14 @@ the value of the username and full name attributes that you have specified in
the configuration as well as the distinguished name of each synced user.
UCP does not query, or store any additional data from the directory server.
## Syncing Teams
## Sync teams
For syncing teams in UCP with a search query or group in your organization's
LDAP directory, refer to [the documentation on creating and managing teams](../../manage-users/create-and-manage-teams.md).
UCP enables syncing teams with a search query or group in your organization's
LDAP directory.
[Sync team members with your organization's LDAP directory](../../manage-users/create-and-manage-teams.md).
## Where to go next
- [Create and manage users](../../manage-users/create-and-manage-users.md)
- [Create and manage teams](../../manage-users/create-and-manage-teams.md)
- [UCP permission levels](../../permission-levels.md)
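Review bot: the **UCP permission levels** link in **Where to go next** points at `../../permission-levels.md`, while the two links added earlier in this file use `../../manage-users/permission-levels.md`; one of the two relative paths must be wrong, so make them consistent before this ships as a broken link.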


@ -4,9 +4,9 @@ keywords: trusted, registry, integrate, UCP, DTR
title: Integrate with Docker Trusted Registry
---
Once you deploy Docker Trusted Registry (DTR), you can use it to store your Docker
images and deploy services to UCP using those images.
[Learn how deploy DTR](/datacenter/dtr/2.1/guides/install/index.md).
Once you deploy Docker Trusted Registry (DTR), you can use it to store your
Docker images and deploy services to UCP using these images.
[Learn how to deploy DTR](/datacenter/dtr/2.3/guides/install/index.md).
Docker UCP integrates out of the box with Docker Trusted Registry (DTR).
This means that you can deploy services from the UCP web UI, using Docker
@ -15,7 +15,7 @@ images that are stored in DTR. You can also use a
CLI.
If you've configured DTR to use TLS certificates issued by a globally-trusted
certificate authority you can skip this since all clients will automatically
certificate authority, you can skip this, since all clients will automatically
trust the TLS certificates used by DTR.
If you're using the DTR default configurations or configured DTR to use
@ -23,9 +23,10 @@ self-signed certificates, you need to configure all hosts that want to push
or pull Docker images from DTR. This includes:
* All UCP nodes
* Your local computer or any other that wants to push or pull Docker images from DTR
* Your local computer or any other that wants to push or pull Docker images
from DTR
If your host is not configured to trust the DTR TLS certificates, you'll get an
If your host isn't configured to trust the DTR TLS certificates, you'll get an
error like:
```none
@ -44,13 +45,13 @@ system:
In your browser navigate to `https://<dtr-url>/ca` to download the TLS
certificate used by DTR. Then
[add that certificate to the macOS trust store](https://support.apple.com/kb/PH18677?locale=en_US).
[add this certificate to the macOS trust store](https://support.apple.com/kb/PH18677?locale=en_US).
* For Windows:
In your browser navigate to `https://<dtr-url>/ca` to download the TLS
certificate used by DTR. Then
[add that certificate to the Windows trust store](https://technet.microsoft.com/en-us/library/cc754841(v=ws.11).aspx).
[add this certificate to the Windows trust store](https://technet.microsoft.com/en-us/library/cc754841(v=ws.11).aspx).
* For Ubuntu:
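Review bot: these steps fetch the DTR CA certificate from `https://<dtr-url>/ca` and import it into the system trust store, but in the self-signed case the previous hunk describes, the browser cannot validate that connection yet, so the doc should tell the reader to confirm the certificate's fingerprint out of band (for example from the DTR administrator) before trusting it; otherwise whatever answers at that URL becomes a trusted CA on the host.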
@ -80,8 +81,8 @@ system:
## 2. Test your local setup
The best way to confirm that your computer is correctly configured, is by
trying to pull and push images from your local Docker installation to DTR.
To confirm that your computer is configured correctly, try to pull and push
images from your local Docker installation to DTR.
1. Create a test repository on DTR.


@ -1,7 +1,7 @@
---
title: License your installation
description: Learn how to license your Docker Universal Control Plane installation.
keywords: Universal Control Plane, UCP, install, license
title: License your installation
---
After installing Docker Universal Control Plane, you need to license your
@ -9,24 +9,24 @@ installation. Here's how to do it.
## Download your license
Go to [Docker Store](https://store.docker.com/bundles/docker-datacenter) and
download your UCP license or get a free trial license.
Go to [Docker Store](https://www.docker.com/enterprise-edition) and
download your UCP license, or get a free trial license.
![](../../images/license-ucp-1.png){: .with-border}
## License your installation
Once you've downloaded the license file, you can apply it to your UCP
installation. Navigate to the **UCP web UI**, and then go to the **Settings**
page.
installation.
On the **License** page you can upload the new license.
In the UCP web UI, log in with administrator credentials and
navigate to the **Admin Settings** page.
In the left pane, click **License** and click **Upload License**. The
license refreshes immediately, and you don't need to click **Save**.
![](../../images/license-ucp-2.png){: .with-border}
Click **Upload License** for the changes to take effect.
## Where to go next
* [Install UCP](../install/index.md)

View File

@ -1,8 +1,7 @@
---
description: Learn how to scale Docker Universal Control Plane cluster, by adding
and removing nodes.
keywords: UCP, cluster, scale
title: Scale your cluster
description: Learn how to scale Docker Universal Control Plane cluster, by adding and removing nodes.
keywords: UCP, cluster, scale
---
Docker UCP is designed for scaling horizontally as your applications grow in
@ -20,12 +19,12 @@ When joining a node to a cluster you can specify its role: manager or worker.
* **Manager nodes**
Manager nodes are responsible for cluster management functionality and
Manager nodes are responsible for swarm management functionality and
dispatching tasks to worker nodes. Having multiple manager nodes allows
your cluster to be highly-available and tolerate node failures.
your swarm to be highly-available and tolerate node failures.
Manager nodes also run all UCP components in a replicated way, so by adding
additional manager nodes you're also making UCP highly available.
additional manager nodes, you're also making UCP highly available.
[Learn more about the UCP architecture.](../../architecture.md)
* **Worker nodes**
@ -40,27 +39,30 @@ When joining a node to a cluster you can specify its role: manager or worker.
## Join nodes to the cluster
To join nodes to the cluster, go to the **UCP web UI**, navigate to
the **Resources** page, and go to the **Nodes** section.
To join nodes to the swarm, go to the UCP web UI and navigate to the **Nodes**
page.
![](../../images/scale-your-cluster-1.png){: .with-border}
Click the **Add Node** button to add a new node.
Click **Add Node** to add a new node.
![](../../../../../images/try-ddc-3.png){: .with-border}
Check the 'Add node as a manager' option if you want to add the node as manager.
Also, set the 'Use a custom listen address' option to specify the IP of the
host that you'll be joining to the cluster.
- Check the **Add node as a manager** option if you want to add the node as
manager.
- Check the **Use a custom listen address** option to specify the
IP address of the host that you'll be joining to the cluster.
- Check the **Use a custom listen address** option to specify the
IP address that's advertised to all members of the swarm for API access.
Then you can copy the command displayed, use ssh to **log into the host** that
you want to join to the cluster, and **run the command** on that host.
Copy the displayed command, use ssh to log into the host that you want to
join to the cluster, and run the `docker swarm join` command on the host.
After you run the join command in the node, the node is displayed in the UCP
web UI.
![](../../images/scale-your-cluster-2.png){: .with-border}
After you run the join command in the node, the node starts being displayed
in UCP.
To add Windows nodes, follow the instructions in
[Join Windows worker nodes to a swarm](join-windows-worker-nodes.md).
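Review bot: the two bullets both labelled **Use a custom listen address** describe different settings: one is the IP the joining host listens on, the other is the address "advertised to all members of the swarm for API access". In `docker swarm join` these are separate flags, `--listen-addr` and `--advertise-addr`, so the second bullet should carry whatever the UI actually calls the advertise option (or the text should say one checkbox sets both); as written, readers on multi-homed hosts cannot tell which interface they are configuring. Also worth a sentence next to "Copy the displayed command": the command embeds the swarm join token, a credential that lets any host that can reach port 2377 join in that role, so treat it as a secret and rotate it with `docker swarm join-token --rotate worker` (or `manager`) if it has been pasted anywhere it should not have been.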
@ -68,10 +70,9 @@ To add Windows nodes, follow the instructions in
1. If the target node is a manager, you will need to first demote the node into
a worker before proceeding with the removal:
* From the UCP web UI, navigate to the **Resources** section and then go to
the **Nodes** page. Select the node you wish to remove and switch its role
to **Worker**, wait until the operation is completed and confirm that the
node is no longer a manager.
* From the UCP web UI, navigate to the **Nodes** page. Select the node you
wish to remove and switch its role to **Worker**, wait until the operation
completes, and confirm that the node is no longer a manager.
* From the CLI, perform `docker node ls` and identify the nodeID or hostname
of the target node. Then, run `docker node demote <nodeID or hostname>`.
@ -80,17 +81,17 @@ To add Windows nodes, follow the instructions in
SSH and run `docker swarm leave --force` directly against the local docker
engine.
>**Warning**:
>Do not perform this step if the node is still a manager, as
>that may cause loss of quorum.
{:.warning}
> Loss of quorum
>
> Do not perform this step if the node is still a manager, as
> this may cause loss of quorum.
3. Now that the status of the node is reported as `Down`, you may remove the
node:
* From the UCP web UI, browse to the **Nodes** page, select the node and
click on the **Remove Node** button. You will need to click on the button
again within 5 seconds to confirm the operation.
* From the CLI, perform `docker node rm <nodeID or hostname>`
* From the UCP web UI, browse to the **Nodes** page and select the node.
In the details pane, click **Actions** and select **Remove**.
Click **Confirm** when you're prompted.
* From the CLI, perform `docker node rm <nodeID or hostname>`.
## Pause and drain nodes
@ -101,7 +102,9 @@ so that it is:
* Active: the node can receive and execute tasks.
* Paused: the node continues running existing tasks, but doesn't receive new ones.
* Drained: the node won't receive new tasks. Existing tasks are stopped and
replica tasks are launched in active nodes.
replica tasks are launched in active nodes.
In the UCP web UI, browse to the **Nodes** page and select the node. In the details pane, click the **Configure** to open the **Edit Node** page.
![](../../images/scale-your-cluster-3.png){: .with-border}
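Review bot: "click the **Configure** to open the **Edit Node** page" has a stray "the"; make it "click **Configure** to open the **Edit Node** page". The Drained bullet would also be clearer with its purpose stated: drain a node before maintenance or before removing it so that its tasks are rescheduled onto active nodes instead of dying with the node.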
@ -114,7 +117,7 @@ load-balancing pool.
You can also use the command line to do all of the above operations. To get the
join token, run the following command on a manager node:
```none
```bash
$ docker swarm join-token worker
```
@ -122,8 +125,8 @@ If you want to add a new manager node instead of a worker node, use
`docker swarm join-token manager` instead. If you want to use a custom listen
address, add the `--listen-addr` arg:
```none
docker swarm join \
```bash
$ docker swarm join \
--token SWMTKN-1-2o5ra9t7022neymg4u15f3jjfh0qh3yof817nunoioxa9i7lsp-dkmt01ebwp2m0wce1u31h6lmj \
--listen-addr 234.234.234.234 \
192.168.99.100:2377
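Review bot: `--listen-addr 234.234.234.234` is a multicast address (224.0.0.0/4), so the example cannot work as written; use RFC 5737 documentation space such as `192.0.2.10`, or an address on the same network as the manager at `192.168.99.100`. Since the surrounding text is about the custom listen address, mention `--advertise-addr` alongside `--listen-addr` here: on a host with several interfaces the advertised address is the one other nodes connect to, and `--listen-addr` alone does not control it.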
@ -131,13 +134,13 @@ docker swarm join \
Once your node is added, you can see it by running `docker node ls` on a manager:
```none
```bash
$ docker node ls
```
To change the node's availability, use:
```
```bash
$ docker node update --availability drain node2
```
@ -145,7 +148,7 @@ You can set the availability to `active`, `pause`, or `drain`.
To remove the node, use:
```
```bash
$ docker node rm <node-hostname>
```

View File

@ -1,23 +1,22 @@
---
description: Docker Universal Control plane has support for high availability. Learn
how to set up your installation to ensure it tolerates failures.
keywords: docker, ucp, high-availability, replica
title: Set up high availability
description: Docker Universal Control plane has support for high availability. Learn how to set up your installation to ensure it tolerates failures.
keywords: ucp, high availability, replica
---
Docker Universal Control Plane is designed for high availability (HA). You can
join multiple manager nodes to the cluster, so that if one manager node fails,
another can automatically take its place without impact to the cluster.
join multiple manager nodes to the swarm, so that if one manager node fails,
another can automatically take its place without impact to the swarm.
Having multiple manager nodes in your cluster, allows you to:
Having multiple manager nodes in your cluster allows you to:
* Handle manager node failures,
* Load-balance user requests across all manager nodes.
## Size your deployment
To make the cluster tolerant to more failures, add additional replica nodes to
your cluster.
To make the swarm tolerant to more failures, add additional replica nodes to
your swarm.
| Manager nodes | Failures tolerated |
|:-------------:|:------------------:|
@ -29,15 +28,14 @@ your cluster.
For production-grade deployments, follow these rules of thumb:
* When a manager node fails, the number of failures tolerated by your cluster
decreases. Don't leave that node offline for too long.
* You should distribute your manager nodes across different availability zones.
This way your cluster can continue working even if an entire availability zone
goes down.
* When a manager node fails, the number of failures tolerated by your swarm
decreases. Don't leave that node offline for too long.
* You should distribute your manager nodes across different availability
zones. This way your cluster can continue working even if an entire
availability zone goes down.
* Adding many manager nodes to the cluster might lead to performance
degradation, as changes to configurations need to be replicated across all
manager nodes. The maximum advisable is having 7 manager nodes.
degradation, as changes to configurations need to be replicated across all
manager nodes. The maximum advisable is 7 manager nodes.
## Where to go next
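Review bot: the rules of thumb should say that managers come in odd numbers. Raft needs a majority, so 4 managers tolerate the same single failure as 3, and 6 the same two failures as 5, while adding replication cost; add this next to "The maximum advisable is 7 manager nodes". The availability-zone bullet needs a matching qualifier: spreading managers across zones only helps if no single zone holds a majority, so 3 managers need 3 zones, not 2, or losing the zone with two of them loses quorum.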

View File

@ -1,18 +1,16 @@
---
title: Configure UCP logging
description: Learn how to configure Docker Universal Control Plane to store your logs
on an external log system.
keywords: docker, ucp, integrate, logs
title: Configure UCP logging
---
## Configure UCP logging
You can configure UCP for sending logs to a remote logging service:
1. Log in to UCP with an administrator account
2. Navigate to the **Settings** page
1. Log in to UCP with an administrator account.
2. Navigate to the **Admin Settings** page.
3. Set the information about your logging server, and click
**Enable Remote Logging**
**Enable Remote Logging**
![](../../images/configure-logs-1.png){: .with-border}
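Review bot: step 3, "Set the information about your logging server", says nothing about transport security. UCP controller logs carry user names, authentication results and API activity, so list which protocols the Remote Logging form offers and recommend an encrypted one where available; plain `tcp` or `udp` syslog crosses the network in clear text, and if that is all that is offered the reader should be told to keep the collector on a trusted segment.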
@ -51,7 +49,7 @@ field for indexing.
When deployed in a production environment, you should secure your ELK
stack. UCP does not do this itself, but there are a number of 3rd party
options that can accomplish this (e.g. Shield plug-in for Kibana)
options that can accomplish this, like the Shield plug-in for Kibana.
## Where to go next
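Review bot: "Shield plug-in for Kibana" is misattributed and dated. Shield was the security plugin for Elasticsearch (Kibana only used it to authenticate against the cluster) and it was folded into X-Pack Security from the 5.x releases on. Say "X-Pack Security (formerly Shield) for the Elastic Stack" and make "secure your ELK stack" concrete: authenticate Kibana users, enable TLS on the Elasticsearch and Kibana listeners, and restrict read access to the indices that hold UCP logs.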

View File

@ -1,7 +1,7 @@
---
title: UCP configuration file
description: Configure UCP deployments.
keywords: docker enterprise edition, ucp, universal control plane, swarm, cluster configuration, deploy
title: UCP configuration file
---
Override the default UCP settings by providing a configuration file when you create
@ -16,117 +16,99 @@ Specify your configuration settings in a TOML file. For more info, see
## Example configuration file
Here's an example TOML config file that shows how to configure UCP settings.
You can see an example TOML config file that shows how to configure UCP
settings. From the command line, run UCP with the `example-config` option:
```
// ExampleConfig contains an example config to help users understand how to configure UCP.
[[registries]]
# The address used to connect to the DTR instance tied to this UCP cluster.
host_address="example.com:444"
# The DTR instance's OpenID Connect Client ID, as registered with our auth provider.
service_id=""
# The root CA bundle for the DTR instance (if using a custom CA).
ca_bundle="-----BEGIN CERTIFICATE-----\nMIIEyjCCArKgAwIBAgIRAJYDdNEtRX3njQ4JJVCuaScwDQYJKoZIhvcNAQELBQAw\n..."
[scheduling_configuration]
# Allow admins to schedule containers on managers
# Set to true to allow admins to schedule on manager
enable_admin_ucp_scheduling=true
# Allow non-admin users to schedule containers on managers
# Set to true to allow users to schedule on managers
enable_user_ucp_scheduling=true
[tracking_configuration]
# Disable analytics of usage information
# Set to true to disable analytics
disable_usageinfo=false
# Disable analytics of API call information
# Set to true to disable analytics
disable_tracking=false
# Anonymize analytic data
# Set to true to hide your license ID
anonymize_tracking=false
[trust_configuration]
# Require images be signed by content trust
require_content_trust=false
# Specify users or teams which must sign images
require_signature_from=["team1", "team2"]
[log_configuration]
# Specify the protocol to use for remote logging
protocol="tcp"
# Specify a remote syslog server to send UCP controller logs to
# if omitted, controller logs will be sent through the default
# docker daemon logging driver from the ucp-controller container
host="example.com"
# Set the logging level for UCP components - uses syslog levels
level="DEBUG"
[license_configuration]
# Enable attempted automatic license renewal when the license nears expiration
# If disabled, you must manually upload renewed licesnse after expiration.
auto_refresh=true
[cluster_config]
# Configures the port the ucp-controller listens to
controller_port=443
# Configures the port the ucp-swarm-manager listens to
swarm_port=2376
# Configures Swarm scheduler strategy for container scheduling
# This does not affect swarm-mode services
swarm_strategy="spread"
# Configures DNS settings for the UCP components
dns=[]
dns_opt=[]
dns_search=[]
# Turn on specialized debugging endpoints for profiling UCP performance
profiling_enabled=false
# Tune the KV store timeout and snapshot settings
kv_timeout=5000 # milliseconds
kv_snapshot_count=20000
# Specify an optional external LB for default links to services with expose ports in the UI
external_service_lb="example.com"
# Adjust the metrics retention time
metrics_retention_time="24h"
# Set the interval for how frequently managers gather metrics from nodes in the cluster
metrics_scrape_interval="1m"
# Set the interval for how frequently storage metrics are gathered
# this operation can be expensive when large volumes are present
metrics_disk_usage_interval="2h"
```bash
$ docker container run --rm docker/ucp:2.2.0-latest example-config
```
## Config file and web UI
## Configuration file and web UI
Admin users can open the UCP web UI, navigate to **Admin Settings**,
and change UCP settings there. In most cases, the web UI is a front end
for modifying this config file.
## auth table
| Parameter | Required | Description |
| ----------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `backend` | no | The name of the authorization backend to use, either `managed` or `ldap`. The default is `managed`. |
| `default_new_user_role` | no | The role that new users get for their private collections. Values are `admin`, `viewonly`, `scheduler`, `restrictedcontrol`, or `fullcontrol`. The default is `restrictedcontrol`. |
## auth.sessions
| Parameter | Required | Description |
| --------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `lifetime_minutes` | no | The initial session lifetime, in minutes. The default is 4320, which is 72 hours. |
| `renewal_threshold_minutes` | no | The length of time, in minutes, before the expiration of a session where, if used, a session will be extended by the current configured lifetime from then. A zero value disables session extension. The default is 1440, which is 24 hours. |
| `per_user_limit` | no | The maximum number of sessions that a user can have active simultaneously. If creating a new session would put a user over this limit, the least recently used session will be deleted. A value of zero disables limiting the number of sessions that users may have. The default is 5. |
## auth.ldap (optional)
| Parameter | Required | Description |
| ----------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `server_url` | no | The URL of the LDAP server. |
| `no_simple_pagination` | no | Set to `true` if the LDAP server doesn't support the Simple Paged Results control extension (RFC 2696). The default is `false`. |
| `start_tls` | no | Set to `true` to use StartTLS to secure the connection to the server, ignored if the server URL scheme is 'ldaps://'. The default is `false`. |
| `root_certs` | no | A root certificate PEM bundle to use when establishing a TLS connection to the server. |
| `tls_skip_verify` | no | Set to `true` to skip verifying the server's certificate when establishing a TLS connection, which isn't recommended unless testing on a secure network. The default is `false`. |
| `reader_dn` | no | The distinguished name the system uses to bind to the LDAP server when performing searches. |
| `reader_password` | no | The password that the system uses to bind to the LDAP server when performing searches. |
| `sync_schedule` | no | The scheduled time for automatic LDAP sync jobs, in CRON format with seconds omitted, default is @hourly if empty or omitted. |
| `jit_user_provisioning` | no | Whether to only create user accounts upon first login (recommended). The default is `true`. |
## auth.ldap.additional_domains array (optional)
A list of additional LDAP domains and corresponding server configs from which
to sync users and team members. This is an advanced feature which most
environments don't need.
| Parameter | Required | Description |
| ---------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `domain` | no | The root domain component of this server, for example, `dc=example,dc=com`. A longest-suffix match of the base DN for LDAP searches is used to select which LDAP server to use for search requests. If no matching domain is found, the default LDAP server config is used. |
| `server_url` | no | The URL of the LDAP server for the current additional domain. |
| `no_simple_pagination` | no | Set to true if the LDAP server for this additional domain does not support the Simple Paged Results control extension (RFC 2696). The default is `false`. |
| `server_url` | no | The URL of the LDAP server. |
| `start_tls` | no | Whether to use StartTLS to secure the connection to the server, ignored if the server URL scheme is 'ldaps://'. |
| `root_certs` | no | A root certificate PEM bundle to use when establishing a TLS connection to the server for the current additional domain. |
| `tls_skip_verify` | no | Whether to skip verifying the additional domain server's certificate when establishing a TLS connection, not recommended unless testing on a secure network. The default is `true`. |
| `reader_dn` | no | The distinguished name the system uses to bind to the LDAP server when performing searches under the additional domain. |
| `reader_password` | no | The password that the system uses to bind to the LDAP server when performing searches under the additional domain. |
## auth.ldap.user_search_configs array (optional)
Settings for syncing users.
| Parameter | Required | Description |
| ------------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `base_dn` | no | The distinguished name of the element from which the LDAP server will search for users, for example, `ou=people,dc=example,dc=com`. |
| `scope_subtree` | no | Set to `true` to search for users in the entire subtree of the base DN. Set to `false` to search only one level under the base DN. The default is `false`. |
| `username_attr` | no | The name of the attribute of the LDAP user element which should be selected as the username. The default is `uid`. |
| `full_name_attr` | no | The name of the attribute of the LDAP user element which should be selected as the full name of the user. The default is `cn`. |
| `filter` | no | The LDAP search filter used to select user elements, for example, `(&(objectClass=person)(objectClass=user))`. May be left blank. |
| `match_group` | no | Whether to additionally filter users to those who are direct members of a group. The default is `true`. |
| `match_group_dn` | no | The distinguished name of the LDAP group, for example, `cn=ddc-users,ou=groups,dc=example,dc=com`. Required if `matchGroup` is `true`. |
| `match_group_member_attr` | no | The name of the LDAP group entry attribute which corresponds to distinguished names of members. Required if `matchGroup` is `true`. The default is `member`. |
| `match_group_iterate` | no | Set to `true` to to get all of the user attributes by iterating through the group members and performing a lookup for each one separately. Use this instead of searching users first, then applying the group selection filter. Ignored if `matchGroup` is `false`. The default is `false`. |
## auth.ldap.admin_sync_opts (optional)
Settings for syncing system admininistrator users.
| Parameter | Required | Description |
| ---------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `enable_sync` | no | Set to `true` to to enable syncing admins. If `false`, all other fields in this table are ignored. The default is `true`. |
| `select_group_members` | no | Set to `true` to sync using a group DN and member attribute selection. Set to `false` to use a search filter. The default is `true`. |
| `group_dn` | no | The distinguished name of the LDAP group, for example, `cn=ddc-admins,ou=groups,dc=example,dc=com`. Required if `select_group_members` is `true`. |
| `group_member_attr` | no | The name of the LDAP group entry attribute which corresponds to distinguished names of members. Required if `select_group_members` is `true`. The default is `member`. |
| `search_base_dn` | no | The distinguished name of the element from which the LDAP server will search for users, for example, `ou=people,dc=example,dc=com`. Required if `select_group_members` is `false`. |
| `search_scope_subtree` | no | Set to `true` to search for users in the entire subtree of the base DN. Set to `false` to search only one level under the base DN. The default is `false`. Required if `select_group_members` is `false`. |
| `search_filter` | no | The LDAP search filter used to select users if `select_group_members` is `false`, for example, `(memberOf=cn=ddc-admins,ou=groups,dc=example,dc=com)`. May be left blank. |
## registries array (required)
An array of tables that specifies the DTR instances that the current UCP instance manages.
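Review bot: in the `auth.ldap.additional_domains` table `tls_skip_verify` is documented with default `true`, while the main `auth.ldap` table gives `false` for the same setting. One of these is wrong; if the additional-domain default really is `true`, that is a silent downgrade (the `reader_dn` bind credentials would be sent to whatever answers at the URL) and deserves an explicit warning rather than a table cell. Same table: `server_url` appears twice, once "for the current additional domain" and once generic; drop one row. In `auth.ldap.user_search_configs` the descriptions read "Required if `matchGroup` is `true`" but the parameter is `match_group`; use the TOML name throughout. Typos: "to to" in both `match_group_iterate` and `enable_sync`, and "admininistrator" in the `admin_sync_opts` introduction.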

View File

@ -1,14 +1,13 @@
---
description: Learn how to configure Docker Universal Control Plane to use your own
certificates.
keywords: Universal Control Plane, UCP, certificate, authentication, tls
title: Use your own TLS certificates
description: Learn how to configure Docker Universal Control Plane to use your own certificates.
keywords: Universal Control Plane, UCP, certificate, authentication, tls
---
All UCP services are exposed using HTTPS, to ensure all communications between
clients and UCP are encrypted. By default this is done using self-signed TLS
clients and UCP are encrypted. By default, this is done using self-signed TLS
certificates that are not trusted by client tools like web browsers. So when
you try to access UCP, your browser will warn that it doesn't trust UCP or that
you try to access UCP, your browser warns that it doesn't trust UCP or that
UCP has an invalid certificate.
![invalid certificate](../../images/use-externally-signed-certs-1.png)
@ -29,11 +28,12 @@ happen outside business peak hours. Your applications will continue running
normally, but existing UCP client certificates will become invalid, so users
will have to download new ones to [access UCP from the CLI](../../user/access-ucp/cli-based-access.md).
## Customize the UCP TLS certificates
## Configure UCP to use your own TLS certificates and keys
To configure UCP to use your own TLS certificates and keys, go to the
**UCP web UI**, navigate to the **Admin Settings** page,
and click **Certificates**.
In the UCP web UI, log in with administrator credentials and
navigate to the **Admin Settings** page.
In the left pane, click **Certificates**.
![](../../images/use-externally-signed-certs-2.png)
@ -45,15 +45,15 @@ certificates, in this order.
* A `key.pem` file with TLS private key. Make sure it is not encrypted with a password.
Encrypted keys should have `ENCRYPTED` in the first line.
Finally, click **Update** for the changes to take effect.
Finally, click **Save** for the changes to take effect.
After replacing the TLS certificates your users won't be able to authenticate
After replacing the TLS certificates, your users won't be able to authenticate
with their old client certificate bundles. Ask your users to go to the UCP
web UI and [get new client certificate bundles](../../user/access-ucp/cli-based-access.md).
If you deployed Docker Trusted Registry, you'll also need to reconfigure it
to trust the new UCP TLS certificates.
[Learn how to configure DTR](/datacenter/dtr/2.2/reference/cli/reconfigure.md).
[Learn how to configure DTR](/datacenter/dtr/2.3/reference/cli/reconfigure.md).
## Where to go next
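Review bot: "Encrypted keys should have `ENCRYPTED` in the first line" only holds for PKCS#8 keys (`-----BEGIN ENCRYPTED PRIVATE KEY-----`); a traditional PEM key has `Proc-Type: 4,ENCRYPTED` on the line after `-----BEGIN RSA PRIVATE KEY-----`, so a reader checking only the first line misses it. Say "in the first lines", or give a check that works for both formats: `openssl pkey -in key.pem -noout` prompts for a passphrase when the key is encrypted and returns silently when it is not. Since the key must be unencrypted to upload, also remind the reader to remove the plaintext copy afterwards and to rotate the key if that file was ever shared.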

View File

@ -8,7 +8,7 @@ keywords: authorize, authentication, users, teams, groups, sync, UCP, Docker
You can extend the user's default permissions by granting them fine-grained
permissions over resources. You do this by adding the user to a team.
To create a new team, go to the **UCP web UI**, and navigate to the
To create a new team, go to the UCP web UI, and navigate to the
**Organizations** page.
![](../../images/create-and-manage-teams-1.png){: .with-border}
@ -32,13 +32,13 @@ you want to add to the team.
![](../../images/create-and-manage-teams-3.png){: .with-border}
## Sync team members with your organization's LDAP directory.
## Sync team members with your organization's LDAP directory
If UCP is configured to sync users with your organization's LDAP directory
server, you will have the option to enable syncing the new team's members when
creating a new team or when modifying settings of an existing team.
[Learn how to configure integration with an LDAP directory](../configure/external-auth/index.md).
Enabling this option will expand the form with additional field for configuring
Enabling this option will expand the form with additional fields for configuring
the sync of team members.
![](../../images/create-and-manage-teams-5.png){: .with-border}
@ -54,7 +54,7 @@ synced to match the membership of the group.
| Field | Description |
|:-----------------------|:------------------------------------------------------------------------------------------------------|
| Group DN | This specifies the distinguished name of the group from which to select users. |
| Group member attribute | The value of this group attribute corresponds to the distinguished names of the members of the group. |
| Group Member Attribute | The value of this group attribute corresponds to the distinguished names of the members of the group. |
**Match LDAP Search Results**
@ -62,13 +62,13 @@ This option specifies that team members should be synced using a search query
against your organization's LDAP directory. The team's membership will be
synced to match the users in the search results.
| Field | Description |
|:--------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------|
| Base DN | The distinguished name of the node in the directory tree where the search should start looking for users. |
| Search scope | Whether to perform the LDAP search on a single level of the LDAP tree, or search through the full LDAP tree starting at the Base DN. |
| Search Filter | The LDAP search filter used to find users. If you leave this field empty, all existing users in the search scope will be added as members of the team. |
| Field | Description |
| :--------------------------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------- |
| Base DN | The distinguished name of the node in the directory tree where the search should start looking for users. |
| Search subtree instead of just one level | Whether to perform the LDAP search on a single level of the LDAP tree, or search through the full LDAP tree starting at the Base DN. |
| Filter | The LDAP search filter used to find users. If you leave this field empty, all existing users in the search scope will be added as members of the team. |
**Immediately Sync Team Members**
**Sync Now**
Select this option to immediately run an LDAP sync operation after saving the
configuration for the team. It may take a moment before the members of the team
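Review bot: the Filter row says an empty filter adds "all existing users in the search scope" as team members. Team membership carries the team's grants, so an empty filter under a broad Base DN hands every directory user those permissions on the next sync; promote that sentence to a warning and recommend always setting a filter, for example `(memberOf=cn=ops,ou=groups,dc=example,dc=com)`, especially when "Search subtree instead of just one level" is checked.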
@ -76,12 +76,14 @@ are fully synced.
## Manage team permissions
Create a grant to manage the team's permissions. [Learn how to grant permissions to users based on roles](grant-permissions.md).
Create a grant to manage the team's permissions.
[Learn how to grant permissions to users based on roles](grant-permissions.md).
![](../../images/create-and-manage-teams-4.png){: .with-border}
In the example above, members of the "Operations" team have permissions to
create and edit resources.
In the example above, members of the `Data Center` team have
`Restricted Control` permissions to create and edit resources in
the `Data Center Resources` collection.
## Where to go next

View File

@ -5,13 +5,18 @@ description: Learn how to create and manage users in your Docker Universal Contr
keywords: authorize, authentication, users, teams, UCP, Docker
---
Docker Universal Control Plane provides built-in authentication and also
integrates with LDAP directory services. If you want to manage
users and groups from your organization's directory, choose LDAP.
[Learn to integrate with an LDAP directory](../configure/external-auth/index.md).
When using the UCP built-in authentication, you need to create users and
optionally grant them UCP administrator permissions.
optionally grant them UCP administrator permissions.
Each new user gets a default permission level so that they can access the
swarm.
To create a new user, go to the **UCP web UI**, and navigate to the
To create a new user, go to the UCP web UI, and navigate to the
**Users** page.
![](../../images/create-users-1.png){: .with-border}
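Review bot: "Each new user gets a default permission level so that they can access the swarm" should name the level. The configuration-file topic in this same change documents it as `auth.default_new_user_role`, default `restrictedcontrol`, applied to the user's private collection; say so here and note that administrators hardening a deployment can lower it to `viewonly`.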
@ -20,9 +25,9 @@ Click the **Create User** button, and fill-in the user information.
![](../../images/create-users-2.png){: .with-border}
Check the `Is a UCP admin` option, if you want to grant permissions for the
user to change cluster configurations. Also, assign the user a default
permission level.
Check the `Is a UCP admin?` option, if you want to grant permissions for the
user to change the swarm configuration and manage grants, roles, and
collections.
Finally, click the **Create** button to create the user.

View File

@ -75,7 +75,7 @@
<g id="engine" transform="translate(1.000000, 79.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="CS-Docker-Engine" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="7.26025391" y="15">CS Docker Engine</tspan>
<tspan x="7.26025391" y="15">Docker EE Engine</tspan>
</text>
</g>
<g id="ucp" transform="translate(1.000000, 56.000000)">
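Review bot: the visible label changes from `CS Docker Engine` to `Docker EE Engine`, but the enclosing `<text id="CS-Docker-Engine" ...>` keeps the old name. Nothing in the SVG references that id, so rendering is unaffected, but a stale id is a trap for the next person searching the file; rename it to match, e.g. `id="Docker-EE-Engine"`. The same applies to every `tspan` hunk in both SVG files in this change.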
@ -130,7 +130,7 @@
<g id="engine" transform="translate(1.000000, 79.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="CS-Docker-Engine" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="7.26025391" y="15">CS Docker Engine</tspan>
<tspan x="7.26025391" y="15">Docker EE Engine</tspan>
</text>
</g>
<g id="ucp" transform="translate(1.000000, 56.000000)">

View File

@ -75,7 +75,7 @@
<g id="engine" transform="translate(1.000000, 79.000000)">
<rect id="Rectangle-138" fill="#A1CFE8" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="CS-Docker-Engine" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="7.26025391" y="15">CS Docker Engine</tspan>
<tspan x="7.26025391" y="15">Docker EE Engine</tspan>
</text>
</g>
<g id="ucp" transform="translate(1.000000, 56.000000)">
@ -104,7 +104,7 @@
<g id="engine" transform="translate(1.000000, 79.000000)">
<rect id="Rectangle-138" fill="#A1CFE8" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="CS-Docker-Engine" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="7.26025391" y="15">CS Docker Engine</tspan>
<tspan x="7.26025391" y="15">Docker EE Engine</tspan>
</text>
</g>
<g id="ucp" transform="translate(1.000000, 56.000000)">
@ -135,7 +135,7 @@
<g id="engine" transform="translate(1.000000, 79.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="CS-Docker-Engine" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="7.26025391" y="15">CS Docker Engine</tspan>
<tspan x="7.26025391" y="15">Docker EE Engine</tspan>
</text>
</g>
<g id="ucp" transform="translate(1.000000, 56.000000)">
@ -164,7 +164,7 @@
<g id="engine" transform="translate(1.000000, 79.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="CS-Docker-Engine" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="7.26025391" y="15">CS Docker Engine</tspan>
<tspan x="7.26025391" y="15">Docker EE Engine</tspan>
</text>
</g>
<g id="ucp" transform="translate(1.000000, 56.000000)">
@ -193,7 +193,7 @@
<g id="engine" transform="translate(1.000000, 79.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="CS-Docker-Engine" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="7.26025391" y="15">CS Docker Engine</tspan>
<tspan x="7.26025391" y="15">Docker EE Engine</tspan>
</text>
</g>
<g id="ucp" transform="translate(1.000000, 56.000000)">

View File

@ -118,11 +118,11 @@ volumes:
db-data:
```
> You can define services in this YAML file that feature a `deploy:` key, which
schedules the containers on certain nodes, defines their restart behavior,
configures the number of replicas, and so on. These features are provided
by the Compose V3 file format.
[Learn about Compose files](/compose/compose-file/).
> You can define services in this YAML file that feature a `deploy:` key, which
> schedules the containers on certain nodes, defines their restart behavior,
> configures the number of replicas, and so on. These features are provided
> by the Compose V3 file format.
> [Learn about Compose files](/compose/compose-file/).
In your command line, navigate to the place where you've created the
`docker-compose.yml` file and deploy the application to UCP by running `docker
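Review bot: this is a readability fix rather than a rendering fix. In CommonMark and in kramdown, paragraph continuation lines without a leading `>` stay inside the blockquote (lazy continuation), so the old text already rendered as one note; the explicit `>` on each line just makes the quote's extent obvious in the source. Fine as is, and worth applying to any other multi-line notes in this page for consistency.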