docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Clean up the internal docs 

There was some confusion on where we were going to store internal
docs.  Final decision was ./project so lets move all these over.
This commit is contained in:
Daniel Hiltgen 2016-01-15 10:55:02 -08:00 committed by Joao Fernandes
parent 2fdf2dffc8
commit 4fd17c886e
7 changed files with 0 additions and 1546 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

66
specs/high_availability.md
View File

@ -1,66 +0,0 @@
+++
draft = "true"
+++
# UCP High Availability
This document outlines how UCP high availability works, and general
guidelines for deploying a highly available UCP in production.
When adding nodes to your cluster, you decide which nodes you want to
be replicas, and which nodes are simply additional engines for extra
capacity. If you are planning an HA deployment, you should have a
minimum of 3 nodes (primary + two replicas)
It is **highly** recommended that you deploy your initial 3 controller
nodes (primary + at least 2 replicas) **before** you start adding
non-replica nodes or start running workloads on your cluster. When adding
the first replica, if an error occurrs, the cluster will be come unusable.
## Architecture
* **Primary Controller** This is the first node you run the `install` against. It runs the following containers/services:
* **ucp-kv** This etcd container runs the replicated KV store
* **ucp-swarm-manger** This Swarm Manager uses the replicated KV store for leader election and cluster membership tracking
* **ucp-controller** This container runs the UCP server, using the replicated KV store for configuration state
* **ucp-swarm-join** Runs the swarm join command to periodically publish this nodes existence to the KV store. If the node goes down, this publishing stops, and the registration times out, and the node is automatically dropped from the cluster
* **ucp-proxy** Runs a local TLS proxy for the docker socket to enable secure access of the local docker daemon
* **ucp-swarm-ca[-proxy]** These **unreplicated** containers run the Swarm CA used for admin certificate bundles, and adding new nodes
* **ucp-ca[-proxy]** These **unreplicated** containers run the (optional) UCP CA used for signing user bundles.
* **Replica Node** This is a node you `join` to the primary using the `--replica` flag and it contributes to the availability of the cluster
* **ucp-kv** This etcd container runs the replicated KV store
* **ucp-swarm-manger** This Swarm Manager uses the replicated KV store for leader election and cluster membership tracking
* **ucp-controller** This container runs the UCP server, using the replicated KV store for configuration state
* **ucp-swarm-join** Runs the swarm join command to periodically publish this nodes existence to the KV store. If the node goes down, this publishing stops, and the registration times out, and the node is automatically dropped from the cluster
* **ucp-proxy** Runs a local TLS proxy for the docker socket to enable secure access of the local docker daemon
* **Non-Replica Node** These nodes provide additional capacity, but do not enhance the availability of the UCP/Swarm infrastructure
* **ucp-swarm-join** Runs the swarm join command to periodically publish this nodes existence to the KV store. If the node goes down, this publishing stops, and the registration times out, and the node is automatically dropped from the cluster
* **ucp-proxy** Runs a local TLS proxy for the docker socket to enable secure access of the local docker daemon
Notes:
* At present, UCP does not include a load-balancer. Users may provide one exernally and load balance between the primary and replica nodes on port 443 for web access to the system via a single IP/hostname if desired. If no external load balancer is used, admins should note the IP/hostname of the primary and all replicas so they can access them when needed.
* Backups:
* Users should always back up their volumes (see the other guides for a complete list of named volumes)
* The CAs (swarm and UCP) are not currently replicated.
* Swarm CA:
* Used for admin cert bundle generation
* Used for adding hosts to the cluster
* During an outage, no new admin cert bundles can be downloaded, but existing ones will still work.
* During an outage, no new nodes can be added to the cluster, but existing nodes will continue to operate
* UCP CA:
* Used for user bundle generation
* Used to sign certs for new replica nodes
* During an outage, no new user cert bundles can be downloaded, but existing ones will still work
* During an outage, no new replica nodes can be joined to the cluster
**WARNING** You should never run a cluster with only the primary
controller and a single replica. This will result in an HA configuration
of "2-nodes" where quorum is also "2-nodes" (to prevent split-brain.)
If either the primary or single replica were to fail, the cluster will be
unusable until they are repaired. (So you actually have a higher failure
probability than if you just ran a non-HA setup with no replica.) You
should have a minimum of 2 replicas (aka, "3-nodes") so that you can
tolerate at least a single failure.
**TODO** In the future this document should describe best practices for layout,
target number of nodes, etc. For now, that's an exercise for the reader
based on etcd/raft documentation.

374
specs/install_upgrade_spec.md
View File

@ -1,374 +0,0 @@
+++
draft = "true"
+++
# Installation and Upgrade of Orca
![Components](orca_components.png)
Not shown in the diagram is the orca-bootstrap container, which is
only used during **install**, **upgrade**, **join**, and **uninstall**
operartions. The remainder of this document describes the business
logic that resides largely within this bootstrapper.
## Known gaps
* Swarm must talk to consul with TLS enabled - https://github.com/docker/swarm/issues/404 - slated for 1.9
## Assumptions
* Orca will not be HA in v1
* We will use named volumes for persistence
* Our goal is to get as close to a full end-to-end deployment as possible (from bare-metal up to orca)
* Advanced customers may be able to cherry-pick, but that's not the focus in v1
* We'll deploy an internal consul instance for swarm (not HA)
* Bare-metal ISO based installer not (yet) covered in this document
* Swarm requires a common single CA "on both sides" (incoming client communication and outgoing engine communication)
* Swarm Managers must have visibility to all the engines (or proxies) and be secured with TLS. All Engines/Proxies must trust the CA who signed the swarm cert
* Swarm manager and docker proxy may fold into one component, but this shouldn't fundamentally change the flow
* We'll "own" two internal root CAs for orca/swarm to provide access control
* Set up so that certs can be replaced post v1
* We'll store the certs in a named volume
* The volume could be swapped out for a keywhiz volume mount in the future (unclear if we can write to it though...)
* Laying the groundwork of a central CA for our managed swarm will enable keywhiz for secret management post v1
* Installation logic should be idempotent, and not clobber any pertinent state unless the user asks us to
## Images
The following images are used in developer mode. In general, the names will morph to docker/orca-xxx at GA.
* progrium/consul
* dockerorca/orca-proxy
* dockerorca/orca
* dockerorca/rethinkdb
* swarm
* dockerorca/orca-cfssl
## User Entrypoint
All scenarios described below start with the same user visible action, run on a system with a local docker.sock
```bash
curl https://get.docker.com/orca | bash
```
* This could also be run through notary to verify it wasn't tampered with
* If we meet our stretch goal of the ISO based installer, this script would be bundled there and run after the engine comes up.
* Business logic in this script will be kept to a minimum, most logic resides within the bootstrap container
* Ideally it should be possible to run the container "by hand" (as long as the right flags are passed to docker run) and have it work
* The bootstrap container uses a two-phase model to abstract away the version specific details of volume mounts or other flags required by the system.
* During implementation, if this becomes unwieldy, we'll just have the script launch "phase 2" automatically
## Common Flags
Where possible, common flags will be used across subcommands for consistency. The following list represents the initial set we expect to implement for v1
* **--debug** Enable more verbose output, typically useful for developers, or support if something fails unexpectedly
* **--help** Display usage information for the command
* **--jsonlog** Change the log format to be machine parseable (expected to be useful for our (future) GUI installer)
* **--interactive** Run the bootstrap code in interactive mode, prompting for required information, or confirmation on dangerous operations.
## Deploy Orca
Description: Deploy orca+swarm onto a single "local" engine. Once deployed, additional engines can be added to the swarm.
Use-case specific flags:
* --image-version: Specify an exact version to pull, default is "latest"
* --fresh-install: destroy any existing state and orca containers on this node and deploy fresh. Default is to leave any state if detected, and if existing containers are detected, to redeploy them.
* --san: Specify additional alternate names for the certificate. Useful if the docker host doesn't have a FQDN
* --host-address: Specify the visible IP/hostname for this engine. Useful for NAT or other network topologies where the docker engine doesn't know what the actual external IP is for the system.
* --swarm-port: Allows the user to specify an alternate swarm port. By default, we try to claim the standard/well-known docker TLS port
* --preserve-certs: Allow re-use of existing certs on the host.
* --external-orca-ca: Allow the user to "bring your own" CA for Orca (swarm's CA is still internal for v1)
Steps:
1. (script) Load local images if --image-dir specified
2. (script) Prompt user for the admin password they want
* Implementation details TBD: most likely pre-hash/salt, store in a file, and mount it, then the container removes the file once it's loaded up
3. (script) Launch phase 1 container
* Do:
```bash
docker run --rm -t \
-v /var/run/docker.sock:/var/run/docker.sock \
docker/orca-bootstrap [flags]
```
4. (Phase 1) Pre-flight checks
* Verify that /var/run/docker.sock is present
* Check minimum version of docker engine
* Find ourself running on the engine, determine image in use
* Check for available ports for all our services, fail fast if they're taken
* Check for existing orca (fail if --upgrade wasn't passed - see upgrade flows below)
5. Launch phase2 container
* Same image as phase1, with additional mounts so the user doesn't have to get all the extra host mounts right
* Phase 1 Blocks until phase 2 finishes or fails, passing output through to user
```bash
docker run --rm -t \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /etc/docker/ssl/orca:/etc/docker/ssl/orca \
-v $DB_PATH_TBD:... \
-v $CONSUL_DATA_TBD:...
-v ...any other paths... \
docker/orca-bootstrap $PHASE1_FLAGS
```
6. Check for images on the engine, pull if missing
* If this fails, inform user to "docker login" using their hub credentials and try again
7. Stop any existing orca containers already running on the host
8. (conditional) clobber existing state if requested
9. Generate Root CA and certs if not present in named volume:
* Orca CA cert
* Swarm CA cert
10. Generate cert for proxy/swarm manager signed by Swarm CA
11. Deploy proxy with random exposed port
12. Verify we can see the proxy we just deployed using the engines external IP
* if not warn user firewall settings may need to be opened for port XXX (moot in bare metal case - should never fail)
13. Deploy Consul
* Use swarm CA for TLS configuration so it will only allow connections from swarm CA signed certs
* https://www.consul.io/docs/agent/encryption.html
* Map specific pem files, not the whole dir so unnecessary private keys aren't leaked
* Data directory mounted to host (to allow upgrades without loss of context)
* **Recommend mapping to non-standard ports so end-customer consul deployed with default ports on the same node works**
* RPC: 8300 - required
* HTTP API: 8500? - might not be needed
* DNS: 8600? - probably not needed
14. Deploy swarm manager pointed at proxy and consul external port(s)
* Bind to port 2376 so this becomes the "default" way to talk to this node
15. Verify we can see the swarm manager we just deployed
* if not warn user firewall settings may need to be opened for port XXX (moot in baremetal case)
16. Deploy DB with named volume data directory
17. Deploy Orca server
* Linked to DB, pointed at consul external port
* Bind 80/443, use random ports if unavailable
19. Verify the Orca server is up
20. Report the Orca server cert fingerprint (via host path to prevent man-in-the-middle) for later in-browser TOFU
21. Report the URL to connect to Orca
## Add Host To Orca
Description: Used to add a single "local" engine to an existing orca swarm.
Use-case specific flags:
* --url: Specify the orca to join
* --fingerprint: Specify the TLS fingerprint of the orca to join (or use interactive to avoid cut-and-paste error)
* --image-version: Specify an exact version to pull, default is "latest"
* --fresh-install: destroy any existing state and orca containers on this node and deploy fresh. Default is to leave any state if detected, and if existing containers are detected, to redeploy them.
* --san: Specify additional alternate names for the certificate. Useful if the docker host doesn't have a FQDN
* --host-address: Specify the visible IP/hostname for this engine. Useful for NAT or other network topologies where the docker engine doesn't know what the actual external IP is for the system.
Steps:
1. (script) TOFU to the URL in question if not already trusted, prompt user to accept
* record CA public cert in /etc/docker/ssl/orca
* **Note: Probably have to run our nested container to accomplish this cross-platform**
2. (script) Prompt user for admin credentials once cert trusted, load into shell environment
3. (script) Load local images if --image-dir specified
4. (script) Launch phase 1
* Do:
```bash
docker run --rm -t \
-e ORCA_ADMIN_USER \
-e ORCA_ADMIN_PASSWORD \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /etc/docker/ssl/orca:/etc/docker/ssl/orca \
docker/orca-bootstrap --join https://myorca [--swarm "label"]
```
5. (Phase 1) Pre-flight checks
* Verify that /var/run/docker.sock is present
* Check minimum version of docker engine
* Find ourself running on the engine, determine image in use
* Check for available ports for all our services, fail fast if they're taken
6. (Phase 1) Call some low-cost API on orca to verify admin credentials so we can fail fast
7. (Phase 1) Check for required images on the engine, pull if missing
* If this fails, inform user to "docker login" using their hub credentials and try again
8. Launch phase2 container
* Same image as phase1, with additional mounts
* Phase 1 Blocks until phase 2 finishes or fails, passing output through to user
```bash
docker run --rm -t \
-e ORCA_ADMIN_USER \
-e ORCA_ADMIN_PASSWORD \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /etc/docker/ssl/orca:/etc/docker/ssl/orca \
docker/orca-bootstrap $PHASE1_FLAGS
```
9. Generate new key pair and generate CSR for swarm/proxy
10. Call Orca API using admin credentials, request to add host, passing CSR
* Use /etc/docker/ssl/orca CA to verify TLS connection to server
* (server) verifies permissions to add host
* (server) signs CSR using swarm CA
* (server) returns signed cert, swarm number (always 0 in v1?), location of consul (and any other config required...)
11. Plase certs in /etc/docker/ssl/orca -- match swarm number from orca
12. Deploy proxy with random exposed port
13. Verify we can see the proxy we just deployed
* if not warn user firewall settings may need to be opened for port XXX (moot in bare metal case - should never fail)
14. Deploy swarm manager pointed at proxy, with config details returned by orca server
* Bind to port 2376 so this becomes the "default" way to talk to this node
15. Verify we can see the swarm manager we just deployed
* if not warn user firewall settings may need to be opened for port XXX (moot in baremetal case)
16. Verify host appears in Orca
Potential Refinements:
* Consider allowing certificate based auth, might make it easier to generate short-lived certs to use in scripted install/add-host (PXE boot scenarios in the future...)
## Upgrade/Patch a single node deployment
Identical to deployment flow above.
## Upgrade/Patch an Existing multi-node Orca deployment
Description: Pointed at an existing deployment, upgrade all the orca and swarm related components while persisting the configuration state of the system
Use-case specific flags:
* --upgrade: Upgrade an entire orca cluster
Precondition:
* User can run script on the master node, or with DOCKER\_HOST pointed at orca or the swarm with an admin account
Steps:
1. (script) Load local images if --image-dir specified
2. (script) Launch phase 1 (with affinity to the orca server)
* Do:
```bash
docker run --rm -t \
-v /var/run/docker.sock:/var/run/docker.sock \
-e affinity:container=orca-server \
docker/orca-bootstrap --update [flags]
```
3. (Phase 1) Pre-flight checks
* Verify that /var/run/docker.sock is present
* Check minimum version of docker engine
* Find ourself running on the engine, determine image in use
* Find orca and/or swarm nodes on this engine, and determine their IP addresses
4. Launch phase2 container
* Same image as phase1, with additional mounts so the user doesn't have to get all the extra host mounts right
* Phase 1 Blocks until phase 2 finishes or fails, passing output through to user
```bash
docker run --rm -t \
-e affinity:container=orca-server \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /etc/docker/ssl/orca:/etc/docker/ssl/orca \
docker/orca-bootstrap --phase2 $PHASE1_FLAGS
```
5. Generate temporary swarm client cert signed by the existing swarm CA (so we can connect to swarm directly)
* Use direct /etc/docker/ssl/swarm# access and cfssl
6. Connect to primary swarm manager
7. distribute/pull images
* Look for images on the local engine, if present, distribute to the swarm
* If images not present on local engine, pull on the swarm
8. Stop consul, rm consul, start consul
9. For each secondary node (skip the primary)
* Deploy new proxy, verify it can be reached
* Shutdown manager on this node
* Deploy new manager, pointed at new proxy, verify it can be reached
* Shutdown old proxy
* Remove old proxy and manager
10. **Can we trigger a manager switch for swarm at this point?**
11. Stop and remove Orca server and db
12. Start Orca db and server
13. Stop primary swarm manager
14. Switch to communicating with secondary swarm manager
15. On old primary node
* Deploy new proxy, verify it can be reached
* Deploy new manager, pointed at new proxy, verify it can be reached
* Shutdown old proxy
* Remove old proxy and manager
16. Health check swarm/orca
17. Discard temporary swarm connection cert
## Remove host from Orca
* Ultimately we should use OCSP and revoke the swarm certificate for the node
* Probably not doable in v1 timeframe
* Uninstall on the individual engine (see below) probably sufficient for v1
* Will destroy the proxy/swarm manager on that node, and wipe the local copy of the swarm certificate
## Uninstall Orca
Description: Run on an engine, clear all orca content from the individual system (will not touch other engines, or customer workloads running on the engine)
Use-case specific flags:
* --uninstall: Remove any orca components running on this engine
Steps:
1. (script) Launch phase 1 container
* Do:
```bash
docker run --rm -t \
-v /var/run/docker.sock:/var/run/docker.sock \
docker/orca-bootstrap --uninstall [flags]
```
2. (Phase 1) Pre-flight checks
* Verify that /var/run/docker.sock is present
* Check minimum version of docker engine
* Find ourself running on the engine, determine image in use
3. Launch phase2 container
* Same image as phase1, with additional mounts so the user doesn't have to get all the extra host mounts right
* Phase 1 Blocks until phase 2 finishes or fails, passing output through to user
```bash
docker run --rm -t \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /etc/docker/ssl/orca:/etc/docker/ssl/orca \
-v $DB_PATH_TBD:... \
-v $CONSUL_DATA_TBD:...
-v ...any other paths... \
docker/orca-bootstrap --phase2 $PHASE1_FLAGS
```
4. Stop all orca containers on the host (except the bootstrappers)
5. Clear certs in /etc/docker/ssl/orca
6. Remove any other data directories (consul, db, etc.) if detected on the host
7. Remove all orca containers
8. Remove orca images (except bootstrapper, since it's still running)
## Potential Refinements
* Include another curl|bash style script for "env" like "docker-machine env <machine>"
* eval "$(curl -u myorcauser https://myorca/env | bash)" generate user cert (if not already generated) download it, store it in ~/.docker/orca\_$NAME and echo the eval goop to set up the environment to use it
* Allow pluggable KV store
* Start with single node consul, but let user re-wire post initial deployment with their own HA consul, or alternative
* Have bootstrapper spit out progress reporting information to stdout with a common pattern so GUI installer can generate reasonable progress bars and status messages
* Gather desired initial admin password from user in GUI and feed that through to the bootstrapper via environment variable, then set up orca with that password instead of the static default
## Installation Matrix
This table captures the potential installation scenarios we could support.
All scenarios assume an orca managed swarm. We do not plan to support
an externally managed swarm in the 1.0 timeframe. Our goal is to focus
on the "Internal self-signed Root CA" model for v1.
||Self signed Swarm cert, unable to sign new certs|Internal self-signed Root CA (aka cfssl or equiv)|External Root CA, our cert can sign as an intermediary|External Root CA, our cert can't sign|
|---|---|---|---|---|---|
| Install On swarm|N|N|N|N|
| Install On local engine|Y|Y|Y|Y|
| Install On remote engine, self signed|Y|Y|Y|Y|
| Install On remote engine, external CA|Y|Y|Y (could skip proxy)|Y (must skip proxy)|
| Install On orca|N|N|N|N|
| Add Host via orca, local engine |N|Y|Y|N|
| Add Host via orca, Remote engine, self signed cert|N|Y|Y|N|
| Add Host via orca, Remote Engine, external CA|N|Y|Y (could skip proxy)|Y (must skip proxy)|
| Add Host external (not through orca), local engine |N|N|Maybe, via kv?|Maybe, via kv?|
| Add Host external (not through orca), Remote engine, self signed cert|N|N|Maybe, via kv?|Maybe, via kv?|
| Add Host external (not through orca), Remote Engine, external CA|N|N|Maybe, via kv?|Maybe, via kv?|
| Upgrade/Patch Orca|Y|Y|Y|Y|
| Upgrade/Patch OrcaSwarm|Y|Y|Y|Y|

86
specs/logging.md
View File

@ -1,86 +0,0 @@
+++
draft = "true"
+++
# Remote logging configuration
To setup remote logging in UCP you must edit the API directly.
You'll need to run explicit curl commands described below. This
assumes you've already set up your environment with a downloaded
bundle.
## Display the current settings
```sh
export UCP_URL="https://$(echo $DOCKER_HOST | cut -f3 -d/ )"
curl -s \
--cert ${DOCKER_CERT_PATH}/cert.pem \
--key ${DOCKER_CERT_PATH}/key.pem \
--cacert ${DOCKER_CERT_PATH}/ca.pem \
${UCP_URL}/api/config/logging | jq "."
```
## Setup remote logging
```sh
curl -s \
--cert ${DOCKER_CERT_PATH}/cert.pem \
--key ${DOCKER_CERT_PATH}/key.pem \
--cacert ${DOCKER_CERT_PATH}/ca.pem \
-XPOST -d '{"host":"mylogger:514","protocol":"tcp","level":"INFO"}' \
${UCP_URL}/api/config/logging | jq "."
```
## Stopping remote logging
If you set the host to an empty string, remote logging will be disabled.
```sh
curl -s \
--cert ${DOCKER_CERT_PATH}/cert.pem \
--key ${DOCKER_CERT_PATH}/key.pem \
--cacert ${DOCKER_CERT_PATH}/ca.pem \
-XPOST -d '{"host":"","level":"DEBUG"}' \
${UCP_URL}/api/config/logging | jq "."
```
# Setting up an ELK stack
One popular logging stack is composed of Elasticsearch, Logstash and
Kibana. The following example demonstrates how to set up an example
deployment which can be used for logging. Once you have these containers
running, configure UCP to send logs to the logstash container.
```sh
docker volume create --name orca-elasticsearch-data
docker run -d \
--name elasticsearch \
-v orca-elasticsearch-data:/usr/share/elasticsearch/data \
elasticsearch elasticsearch -Des.network.host=0.0.0.0
docker run -d \
-p 514:514 \
--name logstash \
--link elasticsearch:es \
logstash \
sh -c "logstash -e 'input { syslog { } } output { stdout { } elasticsearch { hosts => [ \"es\" ] } } filter { json { source => \"message\" } }'"
docker run -d \
--name kibana \
--link elasticsearch:elasticsearch \
-p 5601:5601 \
kibana
```
You can then browse to port 5601 on the system running kibana and browse log/event entries. You should specify the "time" field
for indexing.
Note: When deployed in production, you should secure kibana (not described in this doc)
## Example Searches
Here are a few examples demonstrating some ways to view the aggregated log data:
* `type:"api" AND (tags:"post" OR tags:"put" OR tags:"delete")` -- Show all the modifications on the system
* `username:"admin"` -- Show all access from a given user
* `type:"auth fail"` -- Show all authentication failures on the system

753
specs/orca_components.svg
View File

@ -1,753 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:cc="http://creativecommons.org/ns#"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
width="297mm"
height="210mm"
viewBox="0 0 1052.3622 744.09448"
id="svg2"
version="1.1"
inkscape:version="0.91 r13725"
sodipodi:docname="orca_components.svg"
inkscape:export-filename="/home/daniel/code/docker/orca/docs/orca_components.png"
inkscape:export-xdpi="90"
inkscape:export-ydpi="90">
<defs
id="defs4">
<marker
inkscape:stockid="SemiCircleIn"
orient="auto"
refY="0.0"
refX="0.0"
id="SemiCircleIn"
style="overflow:visible"
inkscape:isstock="true">
<path
id="path8311"
d="M -0.37450702,-0.045692580 C -0.37450702,2.7143074 1.8654930,4.9543074 4.6254930,4.9543074 L 4.6254930,-5.0456926 C 1.8654930,-5.0456926 -0.37450702,-2.8056926 -0.37450702,-0.045692580 z "
style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1;fill:#000000;fill-opacity:1"
transform="scale(0.6)" />
</marker>
<marker
inkscape:stockid="Arrow1Lstart"
orient="auto"
refY="0.0"
refX="0.0"
id="Arrow1Lstart"
style="overflow:visible"
inkscape:isstock="true">
<path
id="path8133"
d="M 0.0,0.0 L 5.0,-5.0 L -12.5,0.0 L 5.0,5.0 L 0.0,0.0 z "
style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1;fill:#000000;fill-opacity:1"
transform="scale(0.8) translate(12.5,0)" />
</marker>
<marker
inkscape:stockid="Arrow1Lend"
orient="auto"
refY="0.0"
refX="0.0"
id="Arrow1Lend"
style="overflow:visible;"
inkscape:isstock="true">
<path
id="path8136"
d="M 0.0,0.0 L 5.0,-5.0 L -12.5,0.0 L 5.0,5.0 L 0.0,0.0 z "
style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1;fill:#000000;fill-opacity:1"
transform="scale(0.8) rotate(180) translate(12.5,0)" />
</marker>
<marker
inkscape:stockid="SemiCircleIn"
orient="auto"
refY="0"
refX="0"
id="SemiCircleIn-3"
style="overflow:visible"
inkscape:isstock="true">
<path
inkscape:connector-curvature="0"
id="path8311-4"
d="m -0.37450702,-0.04569258 c 0,2.75999998 2.24000002,4.99999998 5.00000002,4.99999998 l 0,-10 c -2.76,0 -5.00000002,2.24 -5.00000002,5.00000002 z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1"
transform="scale(0.6,0.6)" />
</marker>
<marker
inkscape:stockid="SemiCircleIn"
orient="auto"
refY="0"
refX="0"
id="SemiCircleIn-6"
style="overflow:visible"
inkscape:isstock="true">
<path
inkscape:connector-curvature="0"
id="path8311-7"
d="m -0.37450702,-0.04569258 c 0,2.75999998 2.24000002,4.99999998 5.00000002,4.99999998 l 0,-10 c -2.76,0 -5.00000002,2.24 -5.00000002,5.00000002 z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1"
transform="scale(0.6,0.6)" />
</marker>
<marker
inkscape:stockid="SemiCircleIn"
orient="auto"
refY="0"
refX="0"
id="SemiCircleIn-8"
style="overflow:visible"
inkscape:isstock="true">
<path
inkscape:connector-curvature="0"
id="path8311-6"
d="m -0.37450702,-0.04569258 c 0,2.75999998 2.24000002,4.99999998 5.00000002,4.99999998 l 0,-10 c -2.76,0 -5.00000002,2.24 -5.00000002,5.00000002 z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1"
transform="scale(0.6,0.6)" />
</marker>
<marker
inkscape:stockid="SemiCircleIn"
orient="auto"
refY="0"
refX="0"
id="SemiCircleIn-69"
style="overflow:visible"
inkscape:isstock="true">
<path
inkscape:connector-curvature="0"
id="path8311-8"
d="m -0.37450702,-0.04569258 c 0,2.75999998 2.24000002,4.99999998 5.00000002,4.99999998 l 0,-10 c -2.76,0 -5.00000002,2.24 -5.00000002,5.00000002 z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1"
transform="scale(0.6,0.6)" />
</marker>
<marker
inkscape:stockid="SemiCircleIn"
orient="auto"
refY="0"
refX="0"
id="SemiCircleIn-69-3"
style="overflow:visible"
inkscape:isstock="true">
<path
inkscape:connector-curvature="0"
id="path8311-8-5"
d="m -0.37450702,-0.04569258 c 0,2.75999998 2.24000002,4.99999998 5.00000002,4.99999998 l 0,-10 c -2.76,0 -5.00000002,2.24 -5.00000002,5.00000002 z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1"
transform="scale(0.6,0.6)" />
</marker>
<marker
inkscape:stockid="SemiCircleIn"
orient="auto"
refY="0"
refX="0"
id="SemiCircleIn-69-6"
style="overflow:visible"
inkscape:isstock="true">
<path
inkscape:connector-curvature="0"
id="path8311-8-1"
d="m -0.37450702,-0.04569258 c 0,2.75999998 2.24000002,4.99999998 5.00000002,4.99999998 l 0,-10 c -2.76,0 -5.00000002,2.24 -5.00000002,5.00000002 z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1"
transform="scale(0.6,0.6)" />
</marker>
<marker
inkscape:stockid="SemiCircleIn"
orient="auto"
refY="0"
refX="0"
id="SemiCircleIn-69-65"
style="overflow:visible"
inkscape:isstock="true">
<path
inkscape:connector-curvature="0"
id="path8311-8-10"
d="m -0.37450702,-0.04569258 c 0,2.75999998 2.24000002,4.99999998 5.00000002,4.99999998 l 0,-10 c -2.76,0 -5.00000002,2.24 -5.00000002,5.00000002 z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1"
transform="scale(0.6,0.6)" />
</marker>
<marker
inkscape:stockid="SemiCircleIn"
orient="auto"
refY="0"
refX="0"
id="SemiCircleIn-69-65-6"
style="overflow:visible"
inkscape:isstock="true">
<path
inkscape:connector-curvature="0"
id="path8311-8-10-4"
d="m -0.37450702,-0.04569258 c 0,2.75999998 2.24000002,4.99999998 5.00000002,4.99999998 l 0,-10 c -2.76,0 -5.00000002,2.24 -5.00000002,5.00000002 z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1"
transform="scale(0.6,0.6)" />
</marker>
<marker
inkscape:stockid="SemiCircleIn"
orient="auto"
refY="0"
refX="0"
id="SemiCircleIn-69-3-3"
style="overflow:visible"
inkscape:isstock="true">
<path
inkscape:connector-curvature="0"
id="path8311-8-5-5"
d="m -0.37450702,-0.04569258 c 0,2.75999998 2.24000002,4.99999998 5.00000002,4.99999998 l 0,-10 c -2.76,0 -5.00000002,2.24 -5.00000002,5.00000002 z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1"
transform="scale(0.6,0.6)" />
</marker>
<marker
inkscape:stockid="SemiCircleIn"
orient="auto"
refY="0"
refX="0"
id="SemiCircleIn-6-5"
style="overflow:visible"
inkscape:isstock="true">
<path
inkscape:connector-curvature="0"
id="path8311-7-3"
d="m -0.37450702,-0.04569258 c 0,2.75999998 2.24000002,4.99999998 5.00000002,4.99999998 l 0,-10 c -2.76,0 -5.00000002,2.24 -5.00000002,5.00000002 z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1"
transform="scale(0.6,0.6)" />
</marker>
</defs>
<sodipodi:namedview
id="base"
pagecolor="#ffffff"
bordercolor="#666666"
borderopacity="1.0"
inkscape:pageopacity="0.0"
inkscape:pageshadow="2"
inkscape:zoom="1.4"
inkscape:cx="378.33262"
inkscape:cy="426.09652"
inkscape:document-units="px"
inkscape:current-layer="layer1"
showgrid="false"
inkscape:window-width="1918"
inkscape:window-height="1061"
inkscape:window-x="0"
inkscape:window-y="17"
inkscape:window-maximized="0" />
<metadata
id="metadata7">
<rdf:RDF>
<cc:Work
rdf:about="">
<dc:format>image/svg+xml</dc:format>
<dc:type
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
<dc:title />
</cc:Work>
</rdf:RDF>
</metadata>
<g
inkscape:label="Layer 1"
inkscape:groupmode="layer"
id="layer1"
transform="translate(0,-308.26772)">
<text
xml:space="preserve"
style="font-style:normal;font-weight:normal;font-size:12px;line-height:125%;font-family:Sans;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
x="528.57147"
y="685.96118"
id="text8115"
sodipodi:linespacing="125%"><tspan
sodipodi:role="line"
id="tspan8117"
x="528.57147"
y="685.96118"
style="font-size:35px">. . .</tspan></text>
<g
id="g8785"
transform="translate(49.857143,0)">
<rect
ry="5.3747001"
y="569.50507"
x="236.42857"
height="75.714287"
width="47.142857"
id="rect8119"
style="opacity:1;fill:#80ffe0;fill-opacity:1;fill-rule:evenodd;stroke:#0cb188;stroke-width:2;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1" />
<text
transform="matrix(0,-1,1,0,0,0)"
sodipodi:linespacing="125%"
id="text8121"
y="254.76318"
x="-608.09094"
style="font-style:normal;font-weight:normal;font-size:12px;line-height:125%;font-family:Sans;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
xml:space="preserve"><tspan
style="font-size:15px;text-align:center;text-anchor:middle"
y="254.76318"
x="-608.09094"
id="tspan8123"
sodipodi:role="line">Docker</tspan><tspan
id="tspan8125"
style="font-size:15px;text-align:center;text-anchor:middle"
y="273.51318"
x="-608.09094"
sodipodi:role="line">Proxy</tspan></text>
<path
sodipodi:nodetypes="cc"
inkscape:connection-start="#rect8119"
inkscape:connector-curvature="0"
inkscape:connector-type="polyline"
id="path8127"
d="m 260.39435,645.21935 1.03422,99.28571"
style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#SemiCircleIn)" />
</g>
<g
transform="translate(224.28572,0.6721514)"
id="g8785-9">
<rect
ry="5.3747001"
y="569.50507"
x="236.42857"
height="75.714287"
width="47.142857"
id="rect8119-6"
style="opacity:1;fill:#80ffe0;fill-opacity:1;fill-rule:evenodd;stroke:#0cb188;stroke-width:2;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1" />
<text
transform="matrix(0,-1,1,0,0,0)"
sodipodi:linespacing="125%"
id="text8121-8"
y="254.76318"
x="-608.09094"
style="font-style:normal;font-weight:normal;font-size:12px;line-height:125%;font-family:Sans;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
xml:space="preserve"><tspan
style="font-size:15px;text-align:center;text-anchor:middle"
y="254.76318"
x="-608.09094"
id="tspan8123-9"
sodipodi:role="line">Docker</tspan><tspan
id="tspan8125-2"
style="font-size:15px;text-align:center;text-anchor:middle"
y="273.51318"
x="-608.09094"
sodipodi:role="line">Proxy</tspan></text>
<path
sodipodi:nodetypes="cc"
inkscape:connection-start="#rect8119-6"
inkscape:connector-curvature="0"
inkscape:connector-type="polyline"
id="path8127-9"
d="m 260.39435,645.21935 1.03422,99.28571"
style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#SemiCircleIn-6)" />
</g>
<g
id="g9664"
transform="translate(115.57143,132.14286)">
<rect
ry="5.3747001"
y="437.17722"
x="69.285713"
height="75.714287"
width="47.142857"
id="rect8119-2"
style="opacity:1;fill:#80ffa9;fill-opacity:1;fill-rule:evenodd;stroke:#0cb134;stroke-width:2;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1" />
<text
transform="matrix(0,-1,1,0,0,0)"
sodipodi:linespacing="125%"
id="text8121-4"
y="87.620323"
x="-475.76309"
style="font-style:normal;font-weight:normal;font-size:12px;line-height:125%;font-family:Sans;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
xml:space="preserve"><tspan
id="tspan8125-58"
style="font-size:15px;text-align:center;text-anchor:middle"
y="87.620323"
x="-475.76309"
sodipodi:role="line">Swarm</tspan><tspan
id="tspan9011"
style="font-size:15px;text-align:center;text-anchor:middle"
y="106.37032"
x="-475.76309"
sodipodi:role="line">Manager</tspan></text>
<path
sodipodi:nodetypes="cc"
inkscape:connection-start="#rect8119-2"
inkscape:connector-curvature="0"
inkscape:connector-type="polyline"
id="path8127-7"
d="m 93.251486,512.8915 1.034224,99.28571"
style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#SemiCircleIn-69)" />
</g>
<g
id="g7530">
<rect
ry="5.3747001"
y="570.89148"
x="407.85715"
height="75.714287"
width="47.142857"
id="rect8119-2-2"
style="opacity:1;fill:#80ffa9;fill-opacity:1;fill-rule:evenodd;stroke:#0cb134;stroke-width:2;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1" />
<text
transform="matrix(0,-1,1,0,0,0)"
sodipodi:linespacing="125%"
id="text8121-4-3"
y="426.19174"
x="-609.47736"
style="font-style:normal;font-weight:normal;font-size:12px;line-height:125%;font-family:Sans;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
xml:space="preserve"><tspan
id="tspan8125-58-4"
style="font-size:15px;text-align:center;text-anchor:middle"
y="426.19174"
x="-609.47736"
sodipodi:role="line">Swarm</tspan><tspan
id="tspan9011-1"
style="font-size:15px;text-align:center;text-anchor:middle"
y="444.94174"
x="-609.47736"
sodipodi:role="line">Join</tspan></text>
</g>
<g
id="g7447">
<rect
ry="5.3934851"
y="649.38525"
x="352.02304"
height="68.811081"
width="158.8111"
id="rect8068-6"
style="opacity:0.8;fill:#80d8ff;fill-opacity:1;fill-rule:evenodd;stroke:#0c73b1;stroke-width:1.760337;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1" />
<text
sodipodi:linespacing="125%"
id="text8070-1"
y="690.68774"
x="431.36145"
style="font-style:normal;font-weight:normal;font-size:12px;line-height:125%;font-family:Sans;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
xml:space="preserve"><tspan
style="font-size:25px;text-align:center;text-anchor:middle"
y="690.68774"
x="431.36145"
id="tspan8072-5"
sodipodi:role="line">Engine 1</tspan></text>
</g>
<g
id="g7494">
<rect
ry="5.3747001"
y="569.32007"
x="82.85714"
height="75.714287"
width="47.142857"
id="rect8119-2-1"
style="opacity:1;fill:#809cff;fill-opacity:1;fill-rule:evenodd;stroke:#0c32b1;stroke-width:2;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1" />
<text
transform="matrix(0,-1,1,0,0,0)"
sodipodi:linespacing="125%"
id="text8121-4-9"
y="101.19175"
x="-607.90594"
style="font-style:normal;font-weight:normal;font-size:12px;line-height:125%;font-family:Sans;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
xml:space="preserve"><tspan
id="tspan9011-6"
style="font-size:15px;text-align:center;text-anchor:middle"
y="101.19175"
x="-607.90594"
sodipodi:role="line">Orca</tspan><tspan
style="font-size:15px;text-align:center;text-anchor:middle"
y="119.94175"
x="-607.90594"
sodipodi:role="line"
id="tspan9885">Server</tspan></text>
<path
sodipodi:nodetypes="cc"
inkscape:connection-start="#rect8119-2-1"
inkscape:connector-curvature="0"
inkscape:connector-type="polyline"
id="path8127-7-6"
d="m 106.82291,645.03436 1.03423,99.28571"
style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#SemiCircleIn-69-65)" />
</g>
<g
transform="translate(-150.57143,128)"
id="g9942">
<rect
ry="5.3747001"
y="440.93365"
x="182.14285"
height="75.714287"
width="47.142857"
id="rect8119-2-1-3"
style="opacity:1;fill:#809cff;fill-opacity:1;fill-rule:evenodd;stroke:#0c32b1;stroke-width:2;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1" />
<text
transform="matrix(0,-1,1,0,0,0)"
sodipodi:linespacing="125%"
id="text8121-4-9-3"
y="200.47746"
x="-479.51953"
style="font-style:normal;font-weight:normal;font-size:12px;line-height:125%;font-family:Sans;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
xml:space="preserve"><tspan
id="tspan9011-6-2"
style="font-size:15px;text-align:center;text-anchor:middle"
y="200.47746"
x="-479.51953"
sodipodi:role="line">Orca</tspan><tspan
style="font-size:15px;text-align:center;text-anchor:middle"
y="219.22746"
x="-479.51953"
sodipodi:role="line"
id="tspan9885-8">DB</tspan></text>
</g>
<text
xml:space="preserve"
style="font-style:normal;font-weight:normal;font-size:12px;line-height:125%;font-family:Sans;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
x="-70.714287"
y="730.21936"
id="text9948"
sodipodi:linespacing="125%"><tspan
sodipodi:role="line"
id="tspan9950"
x="-70.714287"
y="730.21936">Externally</tspan><tspan
sodipodi:role="line"
x="-70.714287"
y="745.21936"
id="tspan9952">Visible</tspan><tspan
sodipodi:role="line"
x="-70.714287"
y="760.21936"
id="tspan9954">Ports</tspan></text>
<g
id="g7501">
<g
transform="translate(102,0)"
id="g7418">
<rect
style="opacity:1;fill:#809cff;fill-opacity:1;fill-rule:evenodd;stroke:#0c32b1;stroke-width:2;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
id="rect8119-2-1-3-6"
width="47.142857"
height="75.714287"
x="31.428574"
y="568.93365"
ry="5.3747001" />
<text
xml:space="preserve"
style="font-style:normal;font-weight:normal;font-size:12px;line-height:125%;font-family:Sans;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
x="-607.51953"
y="60.592041"
id="text8121-4-9-3-7"
sodipodi:linespacing="125%"
transform="matrix(0,-1,1,0,0,0)"><tspan
id="tspan9885-8-7"
sodipodi:role="line"
x="-607.51953"
y="60.592041"
style="font-size:15px;text-align:center;text-anchor:middle">Consul</tspan></text>
</g>
<path
sodipodi:nodetypes="cc"
inkscape:connector-curvature="0"
inkscape:connector-type="polyline"
id="path8127-7-6-6"
d="m 157.42084,643.82528 1.03423,99.28571"
style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#SemiCircleIn-69-65-6)" />
</g>
<g
id="g7563">
<rect
ry="5.3126082"
y="649.90118"
x="-66.746765"
height="67.779243"
width="405.63641"
id="rect8068"
style="opacity:0.8;fill:#80d8ff;fill-opacity:1;fill-rule:evenodd;stroke:#0c73b1;stroke-width:2.79217744;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1" />
<text
sodipodi:linespacing="125%"
id="text8070"
y="690.68774"
x="135.68082"
style="font-style:normal;font-weight:normal;font-size:12px;line-height:125%;font-family:Sans;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
xml:space="preserve"><tspan
style="font-size:25px;text-align:center;text-anchor:middle"
y="690.68774"
x="135.68082"
id="tspan8072"
sodipodi:role="line">Engine 0</tspan></text>
</g>
<g
transform="translate(-201,128)"
id="g9942-0">
<rect
ry="5.3747001"
y="440.93365"
x="182.14285"
height="75.714287"
width="47.142857"
id="rect8119-2-1-3-2"
style="opacity:1;fill:#809cff;fill-opacity:1;fill-rule:evenodd;stroke:#0c32b1;stroke-width:2;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1" />
<text
transform="matrix(0,-1,1,0,0,0)"
sodipodi:linespacing="125%"
id="text8121-4-9-3-8"
y="200.47746"
x="-479.51953"
style="font-style:normal;font-weight:normal;font-size:12px;line-height:125%;font-family:Sans;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
xml:space="preserve"><tspan
style="font-size:15px;text-align:center;text-anchor:middle"
y="200.47746"
x="-479.51953"
sodipodi:role="line"
id="tspan9885-8-1">SwarmCA</tspan><tspan
style="font-size:15px;text-align:center;text-anchor:middle"
y="219.22746"
x="-479.51953"
sodipodi:role="line"
id="tspan7397">(cfssl)</tspan></text>
</g>
<g
transform="translate(-251.42857,128)"
id="g9942-0-4">
<rect
ry="5.3747001"
y="440.93365"
x="182.14285"
height="75.714287"
width="47.142857"
id="rect8119-2-1-3-2-6"
style="opacity:1;fill:#809cff;fill-opacity:1;fill-rule:evenodd;stroke:#0c32b1;stroke-width:2;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1" />
<text
transform="matrix(0,-1,1,0,0,0)"
sodipodi:linespacing="125%"
id="text8121-4-9-3-8-7"
y="200.47746"
x="-479.51953"
style="font-style:normal;font-weight:normal;font-size:12px;line-height:125%;font-family:Sans;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
xml:space="preserve"><tspan
style="font-size:15px;text-align:center;text-anchor:middle"
y="200.47746"
x="-479.51953"
sodipodi:role="line"
id="tspan9885-8-1-3">Orca CA</tspan><tspan
style="font-size:15px;text-align:center;text-anchor:middle"
y="219.22746"
x="-479.51953"
sodipodi:role="line"
id="tspan7397-8">(cfssl)</tspan></text>
</g>
<g
transform="translate(475.85714,1.243579)"
id="g8785-9-7">
<rect
ry="5.3747001"
y="569.50507"
x="236.42857"
height="75.714287"
width="47.142857"
id="rect8119-6-9"
style="opacity:1;fill:#80ffe0;fill-opacity:1;fill-rule:evenodd;stroke:#0cb188;stroke-width:2;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1" />
<text
transform="matrix(0,-1,1,0,0,0)"
sodipodi:linespacing="125%"
id="text8121-8-8"
y="254.76318"
x="-608.09094"
style="font-style:normal;font-weight:normal;font-size:12px;line-height:125%;font-family:Sans;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
xml:space="preserve"><tspan
style="font-size:15px;text-align:center;text-anchor:middle"
y="254.76318"
x="-608.09094"
id="tspan8123-9-5"
sodipodi:role="line">Docker</tspan><tspan
id="tspan8125-2-9"
style="font-size:15px;text-align:center;text-anchor:middle"
y="273.51318"
x="-608.09094"
sodipodi:role="line">Proxy</tspan></text>
<path
sodipodi:nodetypes="cc"
inkscape:connection-start="#rect8119-6-9"
inkscape:connector-curvature="0"
inkscape:connector-type="polyline"
id="path8127-9-9"
d="m 260.39435,645.21935 1.03422,99.28571"
style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#SemiCircleIn-6-5)" />
</g>
<rect
style="opacity:1;fill:#80ffa9;fill-opacity:1;fill-rule:evenodd;stroke:#0cb134;stroke-width:2;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
id="rect8119-2-2-8"
width="47.142857"
height="75.714287"
x="659.42859"
y="571.46289"
ry="5.3747001" />
<text
xml:space="preserve"
style="font-style:normal;font-weight:normal;font-size:12px;line-height:125%;font-family:Sans;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
x="-610.04877"
y="677.76318"
id="text8121-4-3-1"
sodipodi:linespacing="125%"
transform="matrix(0,-1,1,0,0,0)"><tspan
sodipodi:role="line"
x="-610.04877"
y="677.76318"
style="font-size:15px;text-align:center;text-anchor:middle"
id="tspan8125-58-4-1">Swarm</tspan><tspan
sodipodi:role="line"
x="-610.04877"
y="696.51318"
style="font-size:15px;text-align:center;text-anchor:middle"
id="tspan9011-1-5">Join</tspan></text>
<g
transform="translate(251.57142,0.571429)"
id="g7447-3">
<rect
ry="5.3934851"
y="649.38525"
x="352.02304"
height="68.811081"
width="158.8111"
id="rect8068-6-4"
style="opacity:0.8;fill:#80d8ff;fill-opacity:1;fill-rule:evenodd;stroke:#0c73b1;stroke-width:1.760337;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1" />
<text
sodipodi:linespacing="125%"
id="text8070-1-8"
y="690.68774"
x="431.36145"
style="font-style:normal;font-weight:normal;font-size:12px;line-height:125%;font-family:Sans;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
xml:space="preserve"><tspan
style="font-size:25px;text-align:center;text-anchor:middle"
y="690.68774"
x="431.36145"
id="tspan8072-5-1"
sodipodi:role="line">Engine 1</tspan></text>
</g>
<g
transform="translate(-172.71429,-1.9578247)"
id="g7530-8">
<rect
ry="5.3747001"
y="570.89148"
x="407.85715"
height="75.714287"
width="47.142857"
id="rect8119-2-2-5"
style="opacity:1;fill:#80ffa9;fill-opacity:1;fill-rule:evenodd;stroke:#0cb134;stroke-width:2;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1" />
<text
transform="matrix(0,-1,1,0,0,0)"
sodipodi:linespacing="125%"
id="text8121-4-3-8"
y="426.19174"
x="-609.47736"
style="font-style:normal;font-weight:normal;font-size:12px;line-height:125%;font-family:Sans;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
xml:space="preserve"><tspan
id="tspan8125-58-4-0"
style="font-size:15px;text-align:center;text-anchor:middle"
y="426.19174"
x="-609.47736"
sodipodi:role="line">Swarm</tspan><tspan
id="tspan9011-1-53"
style="font-size:15px;text-align:center;text-anchor:middle"
y="444.94174"
x="-609.47736"
sodipodi:role="line">Join</tspan></text>
</g>
</g>
</svg>
Side by Side

Before

Width:  |  Height:  |  Size: 31 KiB

57
specs/profiling.md
View File

@ -1,57 +0,0 @@
+++
title = "Profiling UCP"
description = "Docker Universal Control Plane"
[menu.ucp]
weight="1"
+++
# Profiling UCP
If you run the UCP server with the debug flag set, not only will you get more
logging output, but we enable remote
[`pprof`](https://golang.org/pkg/net/http/pprof/) access. Because UCP is a go
program, it is a good idea to make yourself familiar with [profiling go
programs](http://blog.golang.org/profiling-go-programs).
# Examples
First deploy UCP with debug. If you're using TLS (e.g., with bootstrap install) you'll need to add the certs to the local system's trusted certs (unfortunately `pprof` doesn't have an `--insecure` flag)
```bash
sudo bash -c "docker run --rm -it \
--name ucp \
-v /var/run/docker.sock:/var/run/docker.sock \
docker/ucp \
dump-certs > /usr/local/share/ca-certificates/orca.crt"
sudo update-ca-certificates
```
Now you can point `pprof` at the server
```bash
UCP=https://192.168.104.73:443
go tool pprof ${UCP}/debug/pprof/block
web
```
That will pop up a nice SVG image on your default browser showing the accumulated blocking calls
Other URL endpoints of interest: (`web` should produce a nice summary in each of these)
* `go tool pprof ${UCP}/debug/pprof/profile` - The CPU usage
* `go tool pprof ${UCP}/debug/pprof/heap` - The memory usage
* `go tool pprof ${UCP}/debug/pprof/goroutine` - The goroutine usage
* `curl --insecure ${UCP}/debug/pprof/` - Display the entry points (or use your browser)
# Dropped nodes
It looks like `nodefraction` can be used to include nodes that would otherwise be dropped, but the web visualization seems to ignore it
```bash
go tool pprof -nodefraction=0.00000001 ${UCP}/debug/pprof/block
peek swarm
```

147
specs/quickstart.md
View File

@ -1,147 +0,0 @@
+++
draft = "true"
+++
# UCP Quick Start Guide
For all the gory details about how our installer works, check out
[install spec](install_upgrade_spec.md) but you came here to get up and
running quickly, so lets dive right in!
# Prerequisites
* You'll need at leasts one docker engine (local or remote should work)
* If you want to build a multi-node deployment, **all** the nodes must be able to see eachother, so make sure if you're using remote engines, they're all on the same remote network.
* UCP installs its own Swarm, so don't set up Swarm first, just install UCP directly on your engine(s)
* Ports - If you have firewalls configured, please make sure each node can access the following ports on the other nodes in the cluster.
* UCP Server: 443
* Swarm Manager: 2376 (user configurable) - Protected via mutual TLS
* Engine Proxy: 12376 - Protected via mutual TLS
* KV Store: 12379, 12380 - Protected by mutual TLS
* CAs: 12381, 12382 - Protected by mutual TLS
# Initial Installation
(line wrapped for readability)
```bash
docker run --rm -it \
-v /var/run/docker.sock:/var/run/docker.sock \
--name ucp \
docker/ucp \
install --swarm-port 3376 -i
```
The above command will prompt you for some basic information to get UCP
stood up. You can use "install --help" as the last line above to get
information about various options to the installer.
Important notes for first time users:
* We try to get the hostname/IPs right, but NAT can lead us astray. Make sure you specify the **real** external hostname when prompted (or use --san for non-interactive mode)
* The last line of the installer output tells you where to go log in.
* If you didn't enter an admin password, the default login is "admin/orca"
* The first thing you probably want to do is download a cert bundle (upper right corner of UI, but subject to change)
* With this, you can run docker CLI commands against UCP (and/or the swarm/engines if you're account is an admin account)
* Take a look at the env.sh within the zip file for instructions (should be familiar if you've used machine)
## Data Persistence
UCP uses named volumes for persistence of user data. By default,
the bootstrapper will create these using the default volume driver and
flags if they are not detected. If you use a custom volume driver, you
can pre-create volumes prior to installing UCP.
* **orca-root-ca** - The certificate and key for the UCP Root CA
* **orca-swarm-root-ca** - The certificate and key for the Swarm Root CA
* **orca-server-certs** - The server certificates for the UCP web server
* **orca-swarm-node-certs** - The swarm certificates for the current node (repeated on every node in the cluster)
* **orca-swarm-kv-certs** The Swarm KV client certificates for the current node (repeated on every node in the cluster)
* **orca-swarm-controller-certs** The UCP Controller Swarm client certificates for the current node
* **orca-kv** - KV store persistence
## User Supplied Certificates
UCP uses two separate root CAs for access control - one for Swarm,
and one for the UCP server itself. The motivation for the dual root
certificates is to differentiate Docker remote API access to UCP
vs. Swarm. UCP implements ACL and audit logging on a per-users basis
which are not offered in Swarm or the engines. Swarm and the engine
proxies trust only the Swarm Root CA, while the UCP server trusts both
Root CAs. Admins can access UCP, Swarm and the engines while normal
users are only granted access to UCP.
In UCP v1.0 we support user provided externally signed certificates
for the UCP server. This cert is used by the main management web UI
(visible to your browser when you connect) as well as the Docker remote
API (visible to the Docker CLI and friends.) The Swarm Root CA is
always manged by UCP itself in this release. This external UCP Root
CA model supports customers managing their own CA, or purchasing certs
from a commercial CA. When operating in this mode, UCP can not generate
regular user certificates, as those must be managed and signed externally,
however admin account certs can be generated as they are signed by the
internal Swarm Root CA. Normal user accounts should be signed by the
same external Root CA (or a trusted intermediary), and the public keys
manually added through the UI.
To install UCP with an external Root CA, create a named volume called **orca-server-certs**
on the engine host where you will install UCP **before** running the install, and ensure the following
files are present in the top-level directory of this volume:
* **ca.pem** - Your Root CA Certificate chain (including any intermediaries)
* **cert.pem** - Your signed UCP server cert
* **key.pem** - Your UCP server private key
After setting up these files on the host, you can install with the "--external-orca-ca" flag.
If you are creating your own storage volumes (for example, to take
advantage of a 3rd party storage driver) you can omit the **orca-root-ca**
volume as it will not be used when using an external UCP Root CA.
```bash
docker run --rm -it \
-v /var/run/docker.sock:/var/run/docker.sock \
--name ucp \
docker/ucp \
install --swarm-port 3376 -i --external-orca-ca
```
# Adding Nodes to the Cluster
To add capacity to your cluster, run the following on the engine you want to add (**not** the engine where you installed UCP above)
```bash
docker run --rm -it \
-v /var/run/docker.sock:/var/run/docker.sock \
--name ucp \
docker/ucp \
join -i
```
As with install, you can use "join --help" for more information.
# Cross-host Networking
See [networking.md](networking.md) for more details on the steps required
to enable cross-host networking
# Uninstalling
The installer can also uninstall the UCP software on either the primary
UCP node, as well as the secondary UCP nodes. Run the following directly
against the engine you want to uninstall (**not** against UCP itself)
```bash
docker run --rm -it \
-v /var/run/docker.sock:/var/run/docker.sock \
--name ucp \
docker/ucp \
uninstall
```
As above, use "uninstall --help" to see what other flags are available to tune behavior.
# Upgrading
**Coming soon!** (before GA)
For now, just uninstall and re-install. Your containers will remain on the engines and survive across the uninstall/install.

63
specs/user_certs.md
View File

@ -1,63 +0,0 @@
+++
draft = "true"
+++
# Generating User certificates by Hand
This shouldn't be required once UCP can generate user certs, but might be useful in some instances...
All of these commands must be run against the engine where UCP is running
E.g. Locally, or via a machine driver that mounts your home directory.
If you can't mount home on the machine, then use docker-machine ssh
... to run these commands from within the host.
```bash
mkdir orca_user
cat << EOF > orca_user/client.json
{
"hosts": [
"127.0.0.1"
],
"key": {
"algo": "rsa",
"size": 4096
},
"CN": "Orca User"
}
EOF
docker run --rm -it \
--link=orca-ca:orca_ca \
-v /etc/docker/ssl/orca:/etc/docker/ssl/orca \
-v $(pwd)/orca_user:/orca_user \
-w /orca_user \
--entrypoint=/bin/sh \
dockerorca/orca-cfssl -c \
'cfssl gencert -remote $ORCA_CA_PORT_8888_TCP_ADDR -profile=client client.json | cfssljson -bare client '
cp /etc/docker/ssl/orca/orca_ca_chain.pem orca_user/ca.pem
mv orca_user/client.pem orca_user/cert.pem
mv orca_user/client-key.pem orca_user/key.pem
openssl x509 -pubkey -noout -in orca_user/cert.pem > orca_user/pub_key.pem
tar czvf orca_user.tgz orca_user
```
Now get the file off the machine. If you're using docker machine, something along these lines might work
```bash
NAME=node0
docker-machine ssh ${NAME} "cat orca_user.tgz" | tar zxvf -
```
Now login to UCP, Click on "Security" and paste in the contents of the pub\_key.pem into the Public Key field
Then you should be able to run docker CLI commands with:
```bash
export DOCKER_TLS_VERIFY=1
export DOCKER_HOST=tcp://192.168.122.116:443
export DOCKER_CERT_PATH=$(pwd)/orca_user/
docker info
```