docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add UCP 2.1, update left nav

This commit is contained in:
Joao Fernandes 2016-12-20 11:22:23 -08:00
parent 3f959afd8b
commit 53b6a0d8a0
98 changed files with 4262 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

112
_data/toc.yaml
View File

@ -1085,6 +1085,118 @@ toc:
title: Release notes
- path: /datacenter/dtr/2.1/guides/support/
title: Get support
- sectiontitle: (BETA) Universal Control Plane 2.1
section:
- path: /datacenter/ucp/2.1/guides/
title: Universal Control Plane overview
- path: /datacenter/ucp/2.1/guides/architecture/
title: Architecture
- sectiontitle: Installation
section:
- path: /datacenter/ucp/2.1/guides/installation/system-requirements/
title: System requirements
- path: /datacenter/ucp/2.1/guides/installation/plan-production-install/
title: Plan a production installation
- path: /datacenter/ucp/2.1/guides/installation/
title: Install UCP for production
- path: /datacenter/ucp/2.1/guides/installation/install-offline/
title: Install offline
- path: /datacenter/ucp/2.1/guides/installation/license/
title: License UCP
- path: /datacenter/ucp/2.1/guides/installation/scale-your-cluster/
title: Scale your cluster
- path: /datacenter/ucp/2.1/guides/installation/upgrade/
title: Upgrade UCP
- path: /datacenter/ucp/2.1/guides/installation/uninstall/
title: Uninstall UCP
- sectiontitle: Access UCP
section:
- path: /datacenter/ucp/2.1/guides/access-ucp/
title: Web-based access
- path: /datacenter/ucp/2.1/guides/access-ucp/cli-based-access/
title: CLI-based access
- sectiontitle: Configuration
section:
- path: /datacenter/ucp/2.1/guides/configuration/
title: Use externally-signed certificates
- path: /datacenter/ucp/2.1/guides/configuration/configure-logs/
title: Configure UCP logging
- path: /datacenter/ucp/2.1/guides/configuration/integrate-with-dtr/
title: Integrate with Docker Trusted Registry
- path: /datacenter/ucp/2.1/guides/configuration/integrate-with-ldap/
title: Integrate with LDAP
- path: /datacenter/ucp/2.1/guides/configuration/route-hostnames/
title: Route hostnames to services
- sectiontitle: Monitor and troubleshoot
section:
- path: /datacenter/ucp/2.1/guides/monitor/
title: Monitor your cluster
- path: /datacenter/ucp/2.1/guides/monitor/troubleshoot/
title: Troubleshoot your cluster
- path: /datacenter/ucp/2.1/guides/monitor/troubleshoot-configurations/
title: Troubleshoot cluster configurations
- sectiontitle: High-availability
section:
- path: /datacenter/ucp/2.1/guides/high-availability/
title: Set up high availability
- path: /datacenter/ucp/2.1/guides/high-availability/backups-and-disaster-recovery/
title: Backups and disaster recovery
- sectiontitle: User management
section:
- path: /datacenter/ucp/2.1/guides/user-management/
title: Authentication and authorization
- path: /datacenter/ucp/2.1/guides/user-management/create-and-manage-users/
title: Create and manage users
- path: /datacenter/ucp/2.1/guides/user-management/create-and-manage-teams/
title: Create and manage teams
- path: /datacenter/ucp/2.1/guides/user-management/permission-levels/
title: Permission levels
- sectiontitle: Applications
section:
- path: /datacenter/ucp/2.1/guides/applications/
title: Deploy an app from the UI
- path: /datacenter/ucp/2.1/guides/applications/deploy-app-cli/
title: Deploy an app from the CLI
- sectiontitle: Content trust
section:
- path: /datacenter/ucp/2.1/guides/content-trust/
title: Run only images you trust
- path: /datacenter/ucp/2.1/guides/content-trust/manage-trusted-repositories/
title: Manage trusted repositories
- path: /datacenter/ucp/2.1/guides/content-trust/continuous-integration/
title: Use trusted images for continuous integration
- sectiontitle: CLI reference
section:
- path: /datacenter/ucp/2.1/reference/cli/
title: docker/ucp overview
- path: /datacenter/ucp/2.1/reference/cli/backup/
title: backup
- path: /datacenter/ucp/2.1/reference/cli/dump-certs/
title: dump-certs
- path: /datacenter/ucp/2.1/reference/cli/fingerprint/
title: fingerprint
- path: /datacenter/ucp/2.1/reference/cli/id/
title: id
- path: /datacenter/ucp/2.1/reference/cli/images/
title: images
- path: /datacenter/ucp/2.1/reference/cli/install/
title: install
- path: /datacenter/ucp/2.1/reference/cli/restart/
title: restart
- path: /datacenter/ucp/2.1/reference/cli/restore/
title: restore
- path: /datacenter/ucp/2.1/reference/cli/stop/
title: stop
- path: /datacenter/ucp/2.1/reference/cli/support/
title: support
- path: /datacenter/ucp/2.1/reference/cli/uninstall-ucp/
title: uninstall-ucp
- path: /datacenter/ucp/2.1/reference/cli/upgrade/
title: upgrade
- path: /datacenter/ucp/2.1/guides/support/
title: Get support
- path: /datacenter/ucp/2.1/guides/release-notes/
title: Release Notes
- sectiontitle: (BETA) Docker Trusted Registry 2.2
section:
- path: /datacenter/dtr/2.2/guides/

87
datacenter/ucp/2.1/guides/access-ucp/cli-based-access.md Normal file
View File

@ -0,0 +1,87 @@
---
description: Learn how to access Docker Universal Control Plane from the CLI.
keywords: docker, ucp, cli, administration
title: CLI-based access
---
Docker UCP secures your cluster with role-based access control, so that only
authorized users can perform changes to the cluster.
For this reason, when running docker commands on a UCP node, you need to
authenticate your request using client certificates. When trying to run docker
commands without a valid certificate, you get an authentication error:
```none
$ docker ps
x509: certificate signed by unknown authority
```
There are two different types of client certificates:
* Admin user certificate bundles: allow running docker commands on the
Docker Engine of any node,
* User certificate bundles: only allow running docker commands through a UCP
controller node.
## Download client certificates
To download a client certificate bundle, log into the **UCP web UI**, and
navigate to your user **profile page**.
![](../images/cli-based-access-1.png){: .with-border}
Click the **Create a Client Bundle** button, to download the certificate bundle.
## Use client certificates
Once you've downloaded a client certificate bundle to your local computer, you
can use it to authenticate your requests.
Navigate to the directory where you downloaded the user bundle, and unzip it.
Then source the `env.sh` script.
```none
$ unzip ucp-bundle-dave.lauper.zip
$ cd ucp-bundle-dave.lauper
$ eval $(<env.sh)
```
The `env.sh` script updates the `DOCKER_HOST` environment variable to make your
local Docker CLI communicate with UCP. It also updates the `DOCKER_CERT_PATH`
environment variables to use the client certificates that are included in the
client bundle you downloaded.
From now on, when you use the Docker CLI client, it includes your client
certificates as part of the request to the Docker Engine.
You can now use the Docker CLI to create services, networks, volumes and other
resources on a swarm managed by UCP.
## Download client certificates using the REST API
You can also download client bundles using the UCP REST API. In
this example we'll be using `curl` for making the web requests to the API, and
`jq` to parse the responses.
To install these tools on a Ubuntu distribution, you can run:
```none
$ sudo apt-get update && apt-get install curl jq
```
Then you get an authentication token from UCP, and use it to download the
client certificates.
```none
# Create an environment variable with the user security token
$ AUTHTOKEN=$(curl -sk -d '{"username":"<username>","password":"<password>"}' https://<ucp-ip>/auth/login | jq -r .auth_token)
# Download the client certificate bundle
$ curl -k -H "Authorization: Bearer $AUTHTOKEN" https://<ucp-ip>/api/clientbundle -o bundle.zip
```
## Where to go next
* [Access the UCP web UI](index.md)
* [Deploy an app from the CLI](../applications/deploy-app-cli.md)

27
datacenter/ucp/2.1/guides/access-ucp/index.md Normal file
View File

@ -0,0 +1,27 @@
---
description: Learn how to access Docker Universal Control Plane from the web browser.
keywords: docker, ucp, web, administration
title: Web-based access
---
Docker Universal Control Plane allows you to manage your cluster in a visual
way, from your browser.
![](../images/web-based-access-1.png){: .with-border}
Docker UCP secures your cluster with role-based access control. From the
browser, Administrators can:
* Manage cluster configurations,
* Manage the permissions of users and teams,
* See all images, networks, volumes, and containers.
![](../images/web-based-access-2.png){: .with-border}
Non-admin users can only see and change the images, networks, volumes, and
containers, they are granted access.
# Where to go next
* [Access UCP from the CLI](cli-based-access.md)

87
datacenter/ucp/2.1/guides/applications/deploy-app-cli.md Normal file
View File

@ -0,0 +1,87 @@
---
description: Learn how to deploy containerized applications on a swarm, with Docker
Universal Control Plane.
keywords: deploy, application
title: Deploy an app from the CLI
---
With Docker Universal Control Plane you can deploy your apps from the CLI,
using Docker Compose. In this example we're going to deploy a WordPress
application.
## Get a client certificate bundle
Docker UCP secures your Docker swarm with role-based access control, so that only
authorized users can deploy applications. To be able to run
Docker commands on a swarm managed by UCP, you need to configure your Docker CLI
client to authenticate to UCP using client certificates.
[Learn how to set your CLI to use client certificates](../access-ucp/cli-based-access.md).
## Deploy WordPress
The WordPress application we're going to deploy is composed of two services:
* wordpress: The service that runs Apache, PHP, and WordPress.
* db: A MariaDB database used for data persistence.
After setting up your Docker CLI client to authenticate using client certificates,
create a file named `docker-compose.yml` with the following service definition:
```none
version: '2'
services:
db:
image: mysql:5.7
volumes:
- db_data:/var/lib/mysql
restart: always
environment:
MYSQL_ROOT_PASSWORD: wordpress
MYSQL_DATABASE: wordpress
MYSQL_USER: wordpress
MYSQL_PASSWORD: wordpress
wordpress:
depends_on:
- db
image: wordpress:latest
ports:
- "8000:80"
restart: always
environment:
WORDPRESS_DB_HOST: db:3306
WORDPRESS_DB_PASSWORD: wordpress
volumes:
db_data:
```
In your command line, navigate to the place where you've created the
`docker-compose.yml` file and deploy the application to UCP by running:
```bash
$ docker-compose --project-name wordpress up -d
```
Test that the WordPress service is up and running, and find on which node it
was deployed.
```bash
$ docker-compose --project-name wordpress ps
Name Command State Ports
------------------------------------------------------------------------------------------
wordpress_db_1 docker-entrypoint.sh mysqld Up 3306/tcp
wordpress_wordpress_1 docker-entrypoint.sh apach ... Up 172.31.18.153:8000->80/tcp
```
In this example, WordPress was deployed to 172.31.18.153:8000. Navigate to
this address in your browser, to start using the WordPress app you just
deployed.
![](../images/deploy-app-cli-1.png){: .with-border}
## Where to go next
* [Deploy an app from the UI](index.md)

98
datacenter/ucp/2.1/guides/applications/index.md Normal file
View File

@ -0,0 +1,98 @@
---
description: Learn how to deploy containerized applications on a cluster, with Docker
Universal Control Plane.
keywords: ucp, deploy, application
title: Deploy an app from the UI
---
With Docker Universal Control Plane you can deploy applications from the
UI using `docker-compose.yml` files. In this example, we're going to deploy a
WordPress application.
## Deploy WordPress
In your browser, **log in** to UCP, and navigate to the **Applications** page.
There, click the **Deploy compose.yml** button, to deploy a new application.
![](../images/deploy-app-ui-1.png){: .with-border}
The WordPress application we're going to deploy is composed of two services:
* wordpress: The service that runs Apache, PHP, and WordPress.
* db: A MariaDB database used for data persistence.
```none
version: '2'
services:
db:
image: mysql:5.7
volumes:
- db_data:/var/lib/mysql
restart: always
environment:
MYSQL_ROOT_PASSWORD: wordpress
MYSQL_DATABASE: wordpress
MYSQL_USER: wordpress
MYSQL_PASSWORD: wordpress
wordpress:
depends_on:
- db
image: wordpress:latest
ports:
- "8000:80"
restart: always
environment:
WORDPRESS_DB_HOST: db:3306
WORDPRESS_DB_PASSWORD: wordpress
volumes:
db_data:
```
Name the application 'wordpress', and paste the docker-compose.yml definition.
You can also upload a docker-compose.yml file from your machine, by clicking on
the 'Upload an existing docker-compose.yml' link.
![](../images/deploy-app-ui-2.png){: .with-border}
Click the **Create** button, to create the WordPress application.
Once UCP deploys the WordPress application, you can
**click on the wordpress_wordpress_1** container, to see its details.
![](../images/deploy-app-ui-3.png){: .with-border}
In the container details page, search for the **Ports** the container is
exposing.
![](../images/deploy-app-ui-4.png){: .with-border}
In this example, WordPress can be accessed at `172.31.18.152:8000`.
Navigate to this address in your browser, to start using the WordPress app you
just deployed.
![](../images/deploy-app-ui-5.png){: .with-border}
## Limitations
There are some limitations when deploying docker-compose.yml applications from
the UI. You can't reference any external files, so the following Docker
Compose keywords are not supported:
* build
* dockerfile
* env_file
![](../images/deploy-app-ui-6.png){: .with-border}
To overcome these limitations, you can
[deploy your apps from the CLI](deploy-app-cli.md).
Also, UCP doesn't store the compose file used to deploy the application. You can
use your version control system to persist that file.
## Where to go next
* [Deploy an app from the CLI](deploy-app-cli.md)

133
datacenter/ucp/2.1/guides/architecture.md Normal file
View File

@ -0,0 +1,133 @@
---
description: Learn about the architecture of Docker Universal Control Plane.
keywords: docker, ucp, architecture
title: UCP architecture
---
Universal Control Plane is a containerized application that runs on the
Commercially Supported (CS) Docker Engine, and extends its functionality to
make it easier to deploy, configure, and monitor your applications at scale.
It also secures Docker with role-based access control so that only authorized
users can make changes and deploy applications to your Docker cluster.
![](images/architecture-1.svg)
Once Universal Control Plane (UCP) is deployed, developers and IT operations
no longer interact with Docker Engine directly, but interact with UCP instead.
Since UCP exposes the standard Docker API this is all done transparently, so
that you can use the tools you already know and love like the Docker CLI client
and Docker Compose.
## Under the hood
Docker UCP leverages the clustering and orchestration functionality provided
by Docker.
![](images/architecture-2.svg)
When you deploy UCP, it starts running a globally scheduled service called
`ucp-agent`. This service monitors the node where it is running and starts
and stops UCP services, based on whether that node is a
[manager or a worker node](https://docs.docker.com/engine/swarm/key-concepts/).
If the node is a:
* **Manager**: the `ucp-agent` service automatically starts serving all UCP
components including the UCP web UI and data stores used by UCP. By promoting
a node to manager, UCP automatically becomes highly available and fault tolerant.
* **Worker**: on worker nodes the `ucp-agent` service starts serving a proxy
service that ensures only authorized users and other UCP services can run Docker
commands in that node.
## UCP internal components
The core component of UCP is a globally-scheduled service called `ucp-agent`.
When you install UCP on a node, or join a node to a swarm that is being managed
by UCP, the `ucp-agent` service starts running on that node.
Once this service is running, it deploys containers with other UCP components,
and ensures they keep running. The UCP components that are deployed
on a node depend on whether that node is a manager or a worker.
### UCP components in manager nodes
Manager nodes run all UCP services, including the web UI and data stores that
persist the state of UCP. These are the UCP services running on manager nodes:
| UCP component | Description |
|:--------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| ucp-agent | Monitors the node and ensures the right UCP services are running |
| ucp-reconcile | When ucp-agent detects that the node is not running the right UCP services, it starts the ucp-reconcile service to start or stop the necessary services to converge the node to its desired state |
| ucp-auth-api | The centralized service for identity and authentication used by UCP and DTR |
| ucp-auth-store | Stores authentication configurations, and data for users, organizations and teams |
| ucp-auth-worker | Performs scheduled LDAP synchronizations and cleans authentication and authorization data |
| ucp-client-root-ca | A certificate authority to sign client bundles |
| ucp-cluster-root-ca | A certificate authority used for TLS communication between UCP components |
| ucp-controller | The UCP web server |
| ucp-kv | Used to store the UCP configurations. Don't use it in your applications, since it's for internal use only |
| ucp-proxy | A TLS proxy. It allows secure access to the local Docker Engine to UCP components |
| ucp-swarm-manager | Used to provide backwards-compatibility with Docker Swarm |
### UCP components in worker nodes
Worker nodes are the ones where you run your applications. These are the UCP
services running on worker nodes:
| UCP component | Description |
|:--------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| ucp-agent | Monitors the node and ensures the right UCP services are running |
| ucp-reconcile | When ucp-agent detects that the node is not running the right UCP services, it starts the ucp-reconcile service to start or stop the necessary services to converge the node to its desired state |
| ucp-proxy | A TLS proxy. It allows secure access to the local Docker Engine to UCP components |
## Volumes used by UCP
Docker UCP uses these named volumes to persist data in all nodes where it runs:
| Volume name | Description |
|:----------------------------|:-----------------------------------------------------------------------------------------|
| ucp-auth-api-certs | Certificate and keys for the authentication and authorization service |
| ucp-auth-store-certs | Certificate and keys for the authentication and authorization store |
| ucp-auth-store-data | Data of the authentication and authorization store |
| ucp-auth-worker-certs | Certificate and keys for authentication worker |
| ucp-auth-worker-data | Data of the authentication worker |
| ucp-client-root-ca | Root key material for the UCP root CA that issues client certificates |
| ucp-cluster-root-ca | Root key material for the UCP root CA that issues certificates for swarm members |
| ucp-controller-client-certs | Certificate and keys used by the UCP web server to communicate with other UCP components |
| ucp-controller-server-certs | Certificate and keys for the UCP web server running in the node |
| ucp-kv | UCP configuration data |
| ucp-kv-certs | Certificates and keys for the key-value store |
| ucp-node-certs | Certificate and keys for node communication |
You can customize the volume driver used for these volumes, by creating
the volumes before installing UCP. During the installation, UCP checks which
volumes don't exist in the node, and creates them using the default volume
driver.
By default, the data for these volumes can be found at
`/var/lib/docker/volumes/<volume-name>/_data`.
## How you interact with UCP
There are two ways to interact with UCP: the web UI or the CLI.
You can use the UCP web UI to manage your cluster, grant and revoke user
permissions, deploy, configure, manage, and monitor your applications.
![](images/architecture-3.svg)
UCP also exposes the standard Docker API, so you can continue using existing
tools like the Docker CLI client. Since UCP secures your cluster with role-based
access control, you need to configure your Docker CLI client and other client
tools to authenticate your requests using
[client certificates](access-ucp/cli-based-access.md) that you can download
from your UCP profile page.
## Where to go next
* [System requirements](installation/index.md)
* [Plan a production installation](installation/plan-production-install.md)

59
datacenter/ucp/2.1/guides/configuration/configure-logs.md Normal file
View File

@ -0,0 +1,59 @@
---
description: Learn how to configure Docker Universal Control Plane to store your logs
on an external log system.
keywords: docker, ucp, integrate, logs
title: Configure UCP logging
---
## Configure UCP logging
You can configure UCP for sending logs to a remote logging service:
1. Login into UCP with an administrator account
2. Navigate to the **Settings** page
3. Set the information about your logging server, and click
**Enable Remote Logging**
![](../images/configure-logs-1.png){: .with-border}
## Example: Setting up an ELK stack
One popular logging stack is composed of Elasticsearch, Logstash and
Kibana. The following example demonstrates how to set up an example
deployment which can be used for logging.
```none
docker volume create --name orca-elasticsearch-data
docker run -d \
--name elasticsearch \
-v orca-elasticsearch-data:/usr/share/elasticsearch/data \
elasticsearch elasticsearch -Des.network.host=0.0.0.0
docker run -d \
-p 514:514 \
--name logstash \
--link elasticsearch:es \
logstash \
sh -c "logstash -e 'input { syslog { } } output { stdout { } elasticsearch { hosts => [ \"es\" ] } } filter { json { source => \"message\" } }'"
docker run -d \
--name kibana \
--link elasticsearch:elasticsearch \
-p 5601:5601 \
kibana
```
Once you have these containers running, configure UCP to send logs to
the IP of the Logstash container. You can then browse to port 5601 on the system
running Kibana and browse log/event entries. You should specify the "time"
field for indexing.
When deployed in a production environment, you should secure your ELK
stack. UCP does not do this itself, but there are a number of 3rd party
options that can accomplish this (e.g. Shield plug-in for Kibana)
## Where to go next
* [Integrate with DTR](integrate-with-dtr.md)
* [Set up high availability](../high-availability/index.md)

60
datacenter/ucp/2.1/guides/configuration/index.md Normal file
View File

@ -0,0 +1,60 @@
---
description: Learn how to configure Docker Universal Control Plane to use your own
certificates.
keywords: Universal Control Plane, UCP, certificate, authentiation, tls
title: Use externally-signed certificates
---
All UCP services are exposed using HTTPS, to ensure all communications between
clients and UCP are encrypted. By default this is done using self-signed TLS
certificates that are not trusted by client tools like web browsers. So when
you try to access UCP, your browser will warn that it doesn't trust UCP or that
UCP has an invalid certificate.
![invalid certificate](../images/use-externally-signed-certs-1.png)
The same happens with other client tools.
```none
$ curl https://ucp.example.org
SSL certificate problem: Invalid certificate chain
```
You can configure UCP to use your own TLS certificates, so that it is
automatically trusted by your browser and client tools.
To ensure minimal impact to your business, you should plan for this change to
happen outside business peak hours. Your applications will continue running
normally, but existing UCP client certificates will become invalid, so users
will have to download new ones to [access UCP from the CLI](../access-ucp/cli-based-access.md).
## Customize the UCP TLS certificates
To configure UCP to use your own TLS certificates and keys, go to the
**UCP web UI**, navigate to the **Admin Settings** page,
and click **Certificates**.
![](../images/use-externally-signed-certs-2.png)
Upload your certificates and keys:
* A ca.pem file with the root CA public certificate.
* A cert.pem file with the TLS certificate and any intermediate CA public
certificates. This certificate should also have SANs for all addresses used to
access UCP, including load balancers.
* A key.pem file with TLS private key.
Finally, click **Update** for the changes to take effect.
After replacing the TLS certificates your users won't be able to authenticate
with their old client certificate bundles. Ask your users to go to the UCP
web UI and [get new client certificate bundles](../access-ucp/cli-based-access.md).
If you deployed Docker Trusted Registry, you'll also need to reconfigure it
to trust the new UCP TLS certificates.
[Learn how to configure DTR](/datacenter/dtr/2.1/reference/cli/reconfigure.md).
## Where to go next
* [Access UCP from the CLI](../access-ucp/cli-based-access.md)

142
datacenter/ucp/2.1/guides/configuration/integrate-with-dtr.md Normal file
View File

@ -0,0 +1,142 @@
---
description: Integrate UCP with Docker Trusted Registry
keywords: trusted, registry, integrate, UCP, DTR
title: Integrate with Docker Trusted Registry
---
Once you deploy Docker Trusted Registry (DTR), you can use it to store your Docker
images and deploy services to UCP using those images.
[Learn how deploy DTR](/datacenter/dtr/2.1/guides/install/index.md).
Docker UCP integrates out of the box with Docker Trusted Registry (DTR).
This means that you can deploy services from the UCP web UI, using Docker
images that are stored in DTR. You can also use a
[UCP client bundle](../access-ucp/cli-based-access.md) to do the same from the
CLI.
If you've configured DTR to use TLS certificates issued by a globally-trusted
certificate authority you can skip this since all clients will automatically
trust the TLS certificates used by DTR.
If you're using the DTR default configurations or configured DTR to use
self-signed certificates, you need to configure all hosts that want to push
or pull Docker images from DTR. This includes:
* All UCP nodes
* Your local computer or any other that wants to push or pull Docker images from DTR
If your host is not configured to trust the DTR TLS certificates, you'll get an
error like:
```none
docker login dtr.example.org
x509: certificate signed by unknown authority
```
## 1. Configure your local computer
If you want to use your local computer to interact with DTR, you need to
configure it to trust the DTR TLS certificates. This depends on the operating
system:
* For macOS:
In your browser navigate to `https://<dtr-url>/ca` to download the TLS
certificate used by DTR. Then
[add that certificate to the macOS trust store](https://support.apple.com/kb/PH18677?locale=en_US).
* For Windows:
In your browser navigate to `https://<dtr-url>/ca` to download the TLS
certificate used by DTR. Then
[add that certificate to the Windows trust store](https://technet.microsoft.com/en-us/library/cc754841(v=ws.11).aspx).
* For Ubuntu:
```bash
# Download the DTR CA certificate
$ sudo curl -k https://<dtr-url>/ca -o /usr/local/share/ca-certificates/<dtr-domain-name>.crt
# Refresh the list of certificates to trust
$ sudo update-ca-certificates
# Restart the Docker daemon
$ sudo service docker restart
```
* For CentOS or RHEL:
```bash
# Download the DTR CA certificate
$ sudo curl -k https://<dtr-url>/ca -o /etc/pki/ca-trust/source/anchors/<dtr-domain-name>.crt
# Refresh the list of certificates to trust
$ sudo update-ca-trust
# Restart the Docker daemon
$ sudo /bin/systemctl restart docker.service
```
## 2. Test your local setup
The best way to confirm that your computer is correctly configured, is by
trying to pull and push images from your local Docker installation to DTR.
1. Create a test repository on DTR.
Navigate to the **DTR web UI**, and create a new **hello-world** repository
so that you can push and pull images. Set it as **private**, and save
the changes.
![](../images/dtr-integration-1.png)
2. Pull the `hello-world` image from Docker Store, re-tag it, and push it to the
DTR repository you created.
```none
# Pull hello-world from Docker Store
docker pull hello-world:latest
# Re-tag it
docker tag hello-world:latest <dtr-domain>/<user>/hello-world:latest
# Log into DTR
docker login <dtr-domain>
# Push your image to DTR
docker push <dtr-domain>/<user>/hello-world:latest
```
3. Validate that your image is now stored in DTR.
When successfully pushing the image you should see a result like:
```none
The push refers to a repository [dtr/username/hello-world]
5f70bf18a086: Pushed
33e7801ac047: Pushed
1: digest: sha256:7d9e482c0cc9e68c7f07bf76e0aafcb1869d32446547909200db990e7bc5461a size: 1930
```
You can also check that the tag exists on the DTR web UI.
![](../images/dtr-integration-2.png)
## 3. Configure UCP Docker Engines
You also need to configure the Docker Engine on every UCP node to trust the
DTR TLS certificates. This allows you do deploy services to UCP using images
that are stored in DTR.
For each UCP node:
1. Log into the node as an administrator, using ssh
2. Configure the system to trust the DTR TLS certificates, following the same
steps as you used to configure your local computer.
## Where to go next
* [Use externally-signed certificates](index.md)

93
datacenter/ucp/2.1/guides/configuration/integrate-with-ldap.md Normal file
View File

@ -0,0 +1,93 @@
---
description: Learn how to integrate UCP with an LDAP service, so that you can manage
users from a single place.
keywords: LDAP, authentication, user management
title: Integrate with LDAP
---
Docker UCP integrates with LDAP services, so that you can manage users from a
single place.
## Configure the LDAP integration
To configure UCP to authenticate users using an LDAP service, go to
the **UCP web UI**, navigate to the **Settings** page, and click the **Auth**
tab.
![](../images/ldap-integration-1.png){: .with-border}
Then configure your LDAP integration.
**Authentication**
| Field | Description |
|:-------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Method | The method used to authenticate users. Managed authentication uses the UCP built-in authentication mechanism. LDAP uses an LDAP service to authenticate users. |
| Default permission for newly discovered accounts | The permission level assigned by default to a new user. Learn more about default permission levels. |
**LDAP server configuration**
| Field | Description |
|:------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------|
| LDAP server URL | The URL where the LDAP server can be reached. |
| Recovery admin username | The username for a recovery user that can access UCP even when the integration with LDAP is misconfigured or the LDAP server is offline. |
| Recovery admin password | The password for the recovery user. |
| Reader DN | The distinguished name of the LDAP account used for searching entries in the LDAP server. As a best practice this should be an LDAP read-only user. |
| Reader password | The password of the account used for searching entries in the LDAP server. |
**LDAP security options**
| Field | Description |
|:----------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------|
| Skip verification of server certificate | Whether to verify or not the LDAP server certificate when using TLS. The connection is still encrypted, but vulnerable to man-in-the-middle attacks. |
| Use StartTLS | Whether to connect to the LDAP server using TLS or not. If you set the LDAP Server URL field with `ldaps://`, this field is ignored. |
**User search configurations**
| Field | Description |
|:--------------------|:---------------------------------------------------------------------------------------------------------------------------------------|
| Base DN | The distinguished name on the LDAP tree where the search should start looking for users. |
| Username attribute | The LDAP attribute to use as username on UCP. |
| Full name attribute | The LDAP attribute to use as user name on UCP. |
| Filter | The LDAP search filter used to find LDAP users. If you leave this field empty, all LDAP entries on the Base DN, are imported as users. |
| Search scope | Whether to perform the LDAP search on a single level of the LDAP tree, or search through the full LDAP tree starting at the Base DN. |
**Advanced LDAP configuration**
| Field | Description |
|:---------------------------|:----------------------------------------------------|
| No simple pagination | If your LDAP server doesn't support pagination. |
| Enable sync of admin users | Whether to import LDAP users as UCP administrators. |
**Sync configuration**
| Field | Description |
|:--------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Sync interval | The interval in hours to synchronize users between UCP and the LDAP server. When the synchronization job runs, new users found in the LDAP server are created in UCP with the default permission level. UCP users that don't exist in the LDAP server become inactive. |
**Test LDAP connection**
| Field | Description |
|:-------------------|:---------------------------------------------------------------------|
| LDAP test username | An LDAP user to test that the configuration is correctly configured. |
| LDAP test password | The password of the LDAP user. |
Before you save the configuration changes, you should test that the integration
is correctly configured. You can do this by providing the credentials of an
LDAP user, and clicking the **Test** button.
## Synchronize users
Once you've configure the LDAP integration, UCP synchronizes users based on the
interval you've defined. When the synchronization runs, UCP stores logs that
can help you troubleshoot when something goes wrong.
You can also manually synchronize users by clicking the **Sync Now** button.
## Revoke user access
When a user is removed from LDAP, that user becomes inactive after the LDAP
synchronization runs.
Also, when you switch from the built-in authentication to using LDAP
authentication, all manually created users become inactive.

95
datacenter/ucp/2.1/guides/configuration/route-hostnames.md Normal file
View File

@ -0,0 +1,95 @@
---
description: Docker Universal Control Plane
keywords: networking, kv, engine-discovery, ucp
title: Enable container networking with UCP
---
UCP provides an HTTP routing mesh, that extends the networking capabilities
of Docker Engine. Docker Engine provides load balancing and service discovery
at the transport layer for TCP and UDP connections. UCP's HTTP routing mesh
allows you to extend service discovery to have name-based virtual hosting for
HTTP services.
See the
[Docker Engine documentation on overlay networks](/engine/swarm/networking.md)
for more information on what Docker Engine provides.
This feature is currently experimental.
## Enable the HTTP routing mesh
To enable the HTTP routing mesh, go to the **UCP web UI**, navigate to the
**Settings** page, and click the **Routing Mesh** tab.
<!-- todo: add screenshot -->
The default port for HTTP services is **80**. You may choose an alternate port
on this screen.
Check the checkbox to enable the HTTP routing mesh. This will create a service
called `ucp-hrm` and a network called `ucp-hrm`.
## Route to a service
The HTTP routing mesh can route to a Docker service that runs a webserver.
This service must meet three criteria:
* The service must be connected to the `ucp-hrm` network
* The service must publish one or more ports
* The service must have a `com.docker.ucp.mesh.http` label to specify the ports
to route
The syntax for the `com.docker.ucp.mesh.http` label is a list of one or more
values separated by commas. Each of these values is in the form of
`internal_port=protocol://host`, where:
* `internal_port` is the port the service is listening on (and may be omitted
if there is only one port published)
* `protocol` is `http`
* `host` is the hostname that should be routed to this service
Examples:
A service based on the image `myimage/mywebserver:latest` with a webserver running on port
8080 can be routed to `http://foo.example.com` can be created using the
following:
```sh
$ docker service create \
-p 8080 \
--network ucp-hrm \
--label com.docker.ucp.mesh.http=8080=http://foo.example.com \
--name myservice \
myimage/mywebserver:latest
```
The HTTP Routing Mesh checks for new services every 60 seconds, so it may take
up to one minute for configuration to complete.
Next, you will need to route the referenced domains to the HTTP routing mesh.
## Route domains to the HTTP routing mesh
The HTTP routing mesh uses the `Host` HTTP header to determine which service
should receive a particular HTTP request. This is typically done using DNS and
pointing one or more domains to one or more nodes in the UCP cluster.
## Disable the HTTP routing mesh
To disable the HTTP routing mesh, first ensure that all services that are using
the HTTP routing mesh are disconnected from the **ucp-hrm** network.
Next, go to the **UCP web UI**, navigate to the **Settings** page, and click
the **Routing Mesh** tab. Uncheck the checkbox to disable the HTTP routing mesh.
## Access Control
To route a domain to the HTTP Routing Mesh, the service must be on the
`ucp-hrm` network which has the `ucp-hrm` access label. Adding a service to
this network either requires administrator-level access, or the user must be in
a group that gives them `ucp-hrm` access.
## Troubleshoot
Check the logs of the `ucp-controller` containers on your UCP controller nodes
for logging from the HTTP routing mesh.

149
datacenter/ucp/2.1/guides/content-trust/continuous-integration.md Normal file
View File

@ -0,0 +1,149 @@
---
description: Set up and configure content trust and signing policy for use with a continuous integration system
keywords: cup, trust, notary, security, continuous integration
title: Use trusted images for continuous integration
---
The document provides a minimal example on setting up Docker Content Trust (DCT) in
Universal Control Plane (UCP) for use with a Continuous Integration (CI) system. It
covers setting up the necessary accounts and trust delegations to restrict only those
images built by your CI system to be deployed to your UCP managed cluster.
## Set up UCP accounts and teams
The first step is to create a user account for your CI system. For the purposes of
this document we will assume you are using Jenkins as your CI system and will therefore
name the account "jenkins". As an admin user logged in to UCP, navigate to "User Management"
and select "Add User". Create a user with the name "jenkins" and set a strong password.
Next, create a team called "CI" and add the "jenkins" user to this team. All signing
policy is team based, so if we want only a single user to be able to sign images
destined to be deployed on the cluster, we must create a team for this one user.
## Set up the signing policy
While still logged in as an admin, navigate to "Admin Settings" and select the "Content Trust"
subsection. Select the checkbox to enable content trust and in the select box that appears,
select the "CI" team we have just created. Save the settings.
This policy will require that every image that referenced in a `docker pull`, `docker run`,
or `docker service create` must be signed by a key corresponding to a member of the "CI" team.
In this case, the only member is the "jenkins" user.
## Create keys for the Jenkins user
The signing policy implementation uses the certificates issued in user client bundles
to connect a signature to a user. Using an incognito browser window (or otherwise),
log in to the "jenkins" user account you created earlier. Download a client bundle for
this user. It is also recommeneded to change the description associated with the public
key stored in UCP such that you can identify in the future which key is being used for
signing.
N.B. each time a user retrieves a new client bundle, a new keypair is generated. It is therefore
necessary to keep track of a specific bundle that a user chooses to designate as their signing bundle.
Once you have decompressed the client bundle, the only two files you need for the purposes
of signing are `cert.pem` and `key.pem`. These represent the public and private parts of
the user's signing identity respectively. We will load the `key.pem` file onto the Jenkins
servers, and user `cert.pem` to create delegations for the "jenkins" user in our
Trusted Collection.
## Prepare the Jenkins server
### Load `key.pem` on Jenkins
You will need to use the notary client to load keys onto your Jenkins server. Simply run
`notary -d /path/to/.docker/trust key import /path/to/key.pem`. You will be asked to set
a password to encrypt the key on disk. For automated signing, this password can be configured
into the environment under the variable name `DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE`. The `-d`
flag to the command specifies the path to the `trust` subdirectory within the server's `docker`
configuration directory. Typically this is found at `~/.docker/trust`.
### Enable content trust
There are two ways to enable content trust: globally, and per operation. To enabled content
trust globally, set the environment variable `DOCKER_CONTENT_TRUST=1`. To enable on a per
operation basis, wherever you run `docker push` in your Jenkins scripts, add the flag
`--disable-content-trust=false`. You may wish to use this second option if you only want
to sign some images.
The Jenkins server is now prepared to sign images, but we need to create delegations referencing
the key to give it the necessary permissions.
## Initialize a repository
Any commands displayed in this section should _not_ be run from the Jenkins server. You
will most likely want to run them from your local system.
If this is a new repository, create it in Docker Trusted Registry (DTR) or Docker Hub,
depending on which you use to store your images, before proceeding further.
We will now initialize the trust data and create the delegation that provides the Jenkins
key with permissions to sign content. The following commands initialize the trust data and
rotate snapshotting responsibilities to the server. This is necessary to ensure human involvement
it not required to publish new content.
```
notary -s https://my_notary_server.com -d ~/.docker/trust init my_repository
notary -s https://my_notary_server.com -d ~/.docker/trust key rotate my_repository snapshot -r
notary -s https://my_notary_server.com -d ~/.docker/trust publish my_repository
```
N.B. the `-s` flag provides the server hosting a notary service. If you are operating against
Docker Hub, this will be `https://notary.docker.io`. If you are operating against your own DTR
instance, this will be the same hostname you use in image names when running docker commands preceded
by the `https://` scheme. For example, if you would run `docker push my_dtr:4443/me/an_image` the value
of the `-s` flag would be expected to be `https://my_dtr:4443`.
N.B. if you are using DTR, the name of the repository should be identical to the full name you use
in a `docker push` command. If however you use Docker Hub, the name you use in a `docker push`
must be preceded by `docker.io/`. i.e. if you ran `docker push me/alpine`, you would
`notary init docker.io/me/alpine`.
For brevity, we will exclude the `-s` and `-d` flags from subsequent command, but be aware you
will still need to provide them for the commands to work correctly.
Now that the repository is initialized, we need to create the delegations for Jenkins. Docker
Content Trust treats a delegation role called `targets/releases` specially. It considers this
delegation to contain the canonical list of published images for the repository. It is therefore
generally desiable to add all users to this delegation with the following command:
```
notary delegation add my_repository targets/releases --all-paths /path/to/cert.pem
```
This solves a number of prioritization problems that would result from needing to determine
which delegation should ultimately be trusted for a specific image. However, because it
is anticipated that any user will be able to sign the `targets/releases` role it is not trusted
in determining if a signing policy has been met. Therefore it is also necessary to create a
delegation specifically for Jenkins:
```
notary delegation add my_repository targets/jenkins --all-paths /path/to/cert.pem
```
We will then publish both these updates (remember to add the correct `-s` and `-d` flags):
```
notary publish my_repository
```
Informational (Advanced): If we included the `targets/releases` role in determining if a signing policy
had been met, we would run into the situation of images being opportunistically deployed when
an appropriate user signs. In the scenario we have described so far, only images signed by
the "CI" team (containing only the "jenkins" user) should be deployable. If a user "Moby" could
also sign images but was not part of the "CI" team, they might sign and publish a new `targets/releases`
that contained their image. UCP would refuse to deploy this image because it was not signed
by the "CI" team. However, the next time Jenkins published an image, it would update and sign
the `targets/releases` role as whole, enabling "Moby" to deploy their image.
## Conclusion
With the Trusted Collection initialized, and delegations created, the Jenkins server will
now use the key we imported to sign any images we push to this repository.
Through either the Docker CLI, or the UCP browser interface, we will find that any images
that do not meet our signing policy cannot be used. The signing policy we set up requires
that the "CI" team must have signed any image we attempt to `docker pull`, `docker run`,
or `docker service create`, and the only member of that team is the "jenkins" user. This
restricts us to only running images that were published by our Jenkins CI system.

179
datacenter/ucp/2.1/guides/content-trust/index.md Normal file
View File

@ -0,0 +1,179 @@
---
description: Configure a Docker Universal Plane cluster to only allow running applications
that use images you trust.
keywords: docker, ucp, backup, restore, recovery
title: Run only the images you trust
---
With Docker Universal Control Plane you can enforce applications to only use
Docker images signed by UCP users you trust. When a user tries to deploy an
application to the cluster, UCP checks if the application uses a Docker image
that is not trusted, and won't continue with the deployment if that's the case.
By signing and verifying the Docker images, you ensure that the images being
used in your cluster are the ones you trust and haven't been altered either
in the image registry or on their way from the image registry to your UCP
cluster.
## Configure UCP
To configure UCP to only allow running applications that use Docker images you
trust, go to the **UCP web UI**, navigate to the **Settings** page, and click
the **Content Trust** tab.
<!-- todo: add screenshot -->
Select the **Run only signed images** option to only allow deploying
applications if they use images you trust.
Then, in the **Require signature from** field, you can specify all the teams
that need sign the image, before it is trusted to run in the UCP cluster. If
you specify multiple teams, the image needs to be signed by a member of each
team, or someone that is a member of all those teams.
If you don't specify any team, the image will be trusted as long as it is signed
by any UCP user whose keys are trusted in a Notary delegation role.
## Set up the Docker Notary CLI client
Once you've configured UCP to only run applications that use Docker images you
trust, you'll need to specify which Docker images can be trusted. This is done
by using the Docker Notary server that is built into Docker Trusted Registry.
You'll configure the Notary server to store signed metadata about the Docker
images you trust.
To interact with the Notary server, you need to
[install the Notary CLI client](https://github.com/docker/notary/releases).
Once you've installed the Notary client, you need to configure it to talk to
the Notary server that is built into Docker Trusted Registry. This can be done
using a [Notary configuration file](/notary/reference/client-config.md)
or by running:
```bash
# Create an alias to always have the notary client talking to the right server
$ alias notary="notary -s https://<dtr_url> -d ~/.docker/trust"
```
Where `-s` specifies the notary server to talk to, and `-d` specifies the
directory to store private keys and cache data.
If your Docker Trusted Registry is not using certificates signed by a globally
trusted certificate authority, you'll also need to configure notary to use the
certificate of the DTR CA:
```bash
$ alias notary="notary -s https://<dtr_url> -d ~/.docker/trust --tlscacert <dtr_ca.pem>"
```
## Set up a trusted image repository
Once your Docker Notary CLI client is configured, you can check if Notary has
information about a specific repository:
```bash
# <dtr_url>/<account>/<repository> is also known as a Globally Unique Name (GUN)
$ notary list <dtr_url>/<account>/<repository>
```
If notary has information about the repository it returns the list of
image tags it knows about, their expected digests, and the role of the private
key used to sign the metadata.
If Notary doesn't know yet about an image repository, run:
```bash
$ notary init -p <dtr_url>/<account>/<repository>
```
The Notary CLI client generates public and private key pairs, prompts you for
a passphrase to encrypt the private key, and stores the key pair in the
directory you've specified with the `notary -d` flag.
You should ensure you create backups for these keys, and that they are kept
securely and offline.
[Learn more about the keys used by Docker Notary.](/engine/security/trust/trust_key_mng.md)
## Sign and push an image
Now you can sign your images before pushing them to Docker Trusted Registry:
```bash
# Setting Docker content trust makes the Docker CLI client sign images before pushing them
$ export DOCKER_CONTENT_TRUST=1
# Push the image
$ docker push <dtr_url>/<account>/<repository>:<tag>
```
The Docker CLI client will prompt you for the passphrase you used to encrypt the
private keys, sign the image, and push it to the registry.
## Delegate image signing
Instead of signing the Docker images yourself, you can delegate that task
to other users.
Delegation roles simplify collaborator workflows in Notary trusted collections,
and also allow for fine-grained permissions within a collection's contents
across delegations.
Delegation roles act as signers in Notary that are managed by the targets key
and can be configured to use external signing keys. Keys can be dynamically
added to or removed from delegation roles as collaborators join and leave
trusted repositories.
[Learn more about Notary delegation roles.](/notary/advanced_usage.md)
Every change to the repository now needs to be signed by the snapshot key that
was generated with the `notary init` command.
To avoid having to distribute this key to other members so that they can also
sign images with this key, you can rotate the key and make it be managed by
the Notary server.
This operation only needs to be done once for the repository.
```bash
# This only needs to be done once for the repository
$ notary key rotate <dtr_url>/<account>/<repository> snapshot --server-managed
```
Then ask the users you want to delegate the image signing to share with you
the `cert.pem` files that are included in their client bundles. These files
should be shared using a trusted channel.
Then run the following command to create a new Notary delegation role, using the
user certificates:
```bash
$ notary delegation add -p <dtr_url>/<account>/<repository> targets/releases --all-paths user1.pem user2.pem
```
The above command adds the the `targets/releases` delegation role to a trusted
repository.
This role is treated as an actual release branch for Docker Content Trust,
since `docker pull` commands with trust enabled will pull directly from this
role, if data exists.
All users that can release images should be added to this role.
[Learn more about the targets/releases role](/engine/security/trust/trust_delegation.md).
Notary has no limit on how many delegation roles can exist, so you can add more
delegation roles such as `targets/qa_team` or `targets/security_team` to the
trusted repository.
Valid delegation roles take the form of `targets/<delegation>`, where
`<delegation>` does not include further slashes.
You will need to add the key to at least one delegation in addition to the `targets/releases` delegation in order for UCP to honor the signed content:
```bash
$ notary delegation add -p <dtr_url>/<account>/<repository> targets/devops --all-paths user1.pem user2.pem
```
Before delegation role users can publish signed content with Notary or
Docker Content Trust, they must import the private key associated with the user certificate:
```bash
$ notary key import key.pem
```
## Where to go next
* [Manage trusted repositories](manage-trusted-repositories.md)
* [Get started with Notary](/notary/getting_started.md)

126
datacenter/ucp/2.1/guides/content-trust/manage-trusted-repositories.md Normal file
View File

@ -0,0 +1,126 @@
---
description: Learn how to use the Notary CLI client to manage trusted repositories
keywords: UCP, trust, notary, registry, security
title: Manage trusted repositories
---
Once you install the Notary CLI client, you can use it to manage your signing
keys, authorize other team members to sign images, and rotate the keys if
a private key has been compromised.
When using the Notary CLI client you need to specify where is Notary server
you want to communicate with, and where to store the private keys and cache for
the CLI client.
```bash
# Create an alias to always have the notary client talking to the right server
$ alias notary="notary -s https://<dtr_url> -d ~/.docker/trust"
```
## Manage staged changes
The Notary CLI client stages changes before publishing them to the server.
You can manage the changes that are staged by running:
```bash
# Check what changes are staged
$ notary status <dtr_url>/<account>/<repository>
# Unstage a specific change
$ notary status <dtr_url>/<account>/<repository> --unstage 0
# Alternatively, unstage all changes
$ notary status <dtr_url>/<account>/<repository> --reset
```
When you're ready to publish your chages to the Notary server, run:
```bash
$ notary publish <dtr_url>/<account>/<repository>
```
## Delete trust data
Administrator users can remove all signatures from a trusted repository by
running:
```bash
$ notary delete <dtr_url>/<account>/<repository> --remote
```
If you don't include the `--remote` flag, Notary deletes local cached content
but will not delete data from the Notary server.
## Change the passphrase for a key
The Notary CLI client manages the keys used to sign the image metadata. To
list all the keys managed by the Notary CLI client, run:
```bash
$ notary key list
```
To chance the passphrase used to encrypt one of the keys, run:
```bash
$ notary key passwd <key_id>
```
## Rotate keys
If one of the private keys is compromised you can rotate that key, so that
images that were signed with those keys stop being trusted.
For keys that are kept offline and managed by the Notary CLI client, such the
keys with the root, targets, and snapshot roles, you can rotate them with:
```bash
$ notary key rotate <dtr_url>/<account>/<repository> <key_role>
```
The Notary CLI client generates a new key for the role you specified, and
prompts you for a passphrase to encrypt it.
Then you're prompted for the passphrase for the key you're rotating, and if it
is correct, the Notary CLI client contacts the Notary server to publish the
change.
You can also rotate keys that are stored in the Notary server, such as the keys
with the snapshot or timestamp role. For that, run:
```bash
$ notary key rotate <dtr_url>/<account>/<repository> <key_role> --server-managed
```
## Manage keys for delegation roles
To delegate image signing to other UCP users, get the `cert.pem` file that's
included in their client bundle and run:
```bash
$ notary delegation add -p <dtr_url>/<account>/<repository> targets/<role> --all-paths user1.pem user2.pem
```
You can also remove keys from a delegation role:
```bash
# Remove the given keys from a delegation role
$ notary delegation remove -p <dtr_url>/<account>/<repository> targets/<role> <keyID1> <keyID2>
# Alternatively, you can remove keys from all delegation roles
$ notary delegation purge <dtr_url>/<account>/<repository> --key <keyID1> --key <keyID2>
```
## Troubleshooting
Notary CLI has a `-D` flag that you can use to increase the logging level. You
can use this for troubleshooting.
Usually most problems are fixed by ensuring you're communicating with the
correct Notary server, using the `-s` flag, and that you're using the correct
directory where your private keys are stored, with the `-d` flag.
## Where to go next
* [Run only the images you trust](index.md)
* [Get started with Notary](/notary/getting_started.md)

120
datacenter/ucp/2.1/guides/high-availability/backups-and-disaster-recovery.md Normal file
View File

@ -0,0 +1,120 @@
---
description: Learn how to backup your Docker Universal Control Plane cluster, and
to recover your cluster from an existing backup.
keywords: docker, ucp, backup, restore, recovery
title: Backups and disaster recovery
---
When you decide to start using Docker Universal Control Plane on a production
setting, you should
[configure it for high availability](index.md).
The next step is creating a backup policy and disaster recovery plan.
## Backup policy
Docker UCP nodes persist data using [named volumes](../architecture.md).
As part of your backup policy you should regularly create backups of the
controller nodes. Since the nodes used for running user containers don't
persist data, you can decide not to create any backups for them.
To perform a backup of a UCP controller node, use the `docker/ucp backup`
command. This creates a tar archive with the contents of the volumes used by
UCP on that node, and streams it to stdout.
To create a consistent backup, the backup command temporarily stops the UCP
containers running on the node where the backup is being performed. User
containers and services are not affected by this.
To have minimal impact on your business, you should:
* Schedule the backup to take place outside business hours.
* Configure UCP for high availability. This allows load-balancing user requests
across multiple UCP controller nodes.
## Backup command
The example below shows how to create a backup of a UCP controller node:
```bash
# Create a backup, encrypt it, and store it on /tmp/backup.tar
$ docker run --rm -i --name ucp \
-v /var/run/docker.sock:/var/run/docker.sock \
docker/ucp backup --interactive \
--passphrase "secret" > /tmp/backup.tar
# Decrypt the backup and list its contents
$ gpg --decrypt /tmp/backup.tar | tar --list
```
## Restore command
The example below shows how to restore a UCP controller node from an existing
backup:
```bash
$ docker run --rm -i --name ucp \
-v /var/run/docker.sock:/var/run/docker.sock \
docker/ucp restore < backup.tar
```
The restore command may also be invoked in interactive mode:
```bash
$ docker run --rm -i --name ucp \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /path/to/backup.tar:/config/backup.tar \
docker/ucp restore -i
```
## Restore your cluster
The restore command can be used to create a new UCP cluster from a backup file.
After the restore operation is complete, the following data will be copied from
the backup file:
* Users, Teams and Permissions.
* Cluster Configuration, such as the default Controller Port or the KV store
timeout.
* DDC Subscription License.
* Options on Scheduling, Content Trust, Authentication Methods and Reporting.
The restore operation may be performed against any Docker Engine, regardless of
swarm membership, as long as the target Engine is not already managed by a UCP
installation. If the Docker Engine is already part of a swarm, that swarm and
all deployed containers and services will be managed by UCP after the restore
operation completes.
As an example, if you have a cluster with three controller nodes, A, B, and C,
and your most recent backup was of node A:
1. Uninstall UCP from the swarm using the `uninstall-ucp` operation.
2. Restore one of the swarm managers, such as node B, using the most recent
backup from node A.
3. Wait for all nodes of the swarm to become healthy UCP nodes.
You should now have your UCP cluster up and running.
Additionally, in the event where half or more controller nodes are lost and
cannot be recovered to a healthy state, the system can only be restored through
the following disaster recovery procedure. It is important to note that this
proceedure is not guaranteed to succeed with no loss of either swarm services or
UCP configuration data:
1. On one of the remaining manager nodes, perform `docker swarm init
--force-new-cluster`. This will instantiate a new single-manager swarm by
recovering as much state as possible from the existing manager. This is a
disruptive operation and any existing tasks will be either terminated or
suspended.
2. Obtain a backup of one of the remaining manager nodes if one is not already
available.
3. Perform a restore operation on the recovered swarm manager node.
4. For all other nodes of the cluster, perform a `docker swarm leave --force`
and then a `docker swarm join` operation with the cluster's new join-token.
5. Wait for all nodes of the swarm to become healthy UCP nodes.
## Where to go next
* [Set up high availability](index.md)
* [UCP architecture](../architecture.md)

60
datacenter/ucp/2.1/guides/high-availability/index.md Normal file
View File

@ -0,0 +1,60 @@
---
description: Docker Universal Control plane has support for high availability. Learn
how to set up your installation to ensure it tolerates failures.
keywords: docker, ucp, high-availability, replica
title: Set up high availability
---
Docker Universal Control Plane is designed for high availability (HA). You can
join multiple manager nodes to the cluster, so that if one manager node fails,
another can automatically take its place without impact to the cluster.
Having multiple manager nodes in your cluster, allows you to:
* Handle manager node failures,
* Load-balance user requests across all manager nodes.
## Size your deployment
To make the cluster tolerant to more failures, add additional replica nodes to
your cluster.
| Manager nodes | Failures tolerated |
|:-------------:|:------------------:|
| 1 | 0 |
| 3 | 1 |
| 5 | 2 |
| 7 | 3 |
For production-grade deployments, follow these rules of thumb:
* When a manager node fails, the number of failures tolerated by your cluster
decreases. Don't leave that node offline for too long.
* You should distribute your manager nodes across different availability zones.
This way your cluster can continue working even if an entire availability zone
goes down.
* Adding many manager nodes to the cluster might lead to performance
degradation, as changes to configurations need to be replicated across all
manager nodes. The maximum advisable is having 7 manager nodes.
After provisioning the new nodes, you can
[add them to the cluster](../installation/scale-your-cluster.md).
## Load-balancing on UCP
Docker UCP does not include a load balancer. You can configure your own
load balancer to balance user requests across all manager nodes.
[Learn more about the UCP reference architecture](https://www.docker.com/sites/default/files/RA_UCP%20Load%20Balancing-Feb%202016_0.pdf).
Since Docker UCP uses mutual TLS, make sure you configure your load balancer to:
* Load-balance TCP traffic on port 443,
* Not terminate HTTPS connections,
* Use the `/_ping` endpoint on each manager node, to check if the node
is healthy and if it should remain on the load balancing pool or not.
## Where to go next
* [UCP architecture](../architecture.md)
* [Scale your cluster](../installation/scale-your-cluster.md)

71
datacenter/ucp/2.1/guides/images/architecture-1.svg Normal file
View File

@ -0,0 +1,71 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg width="740px" height="250px" viewBox="0 0 740 250" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<!-- Generator: Sketch 40.1 (33804) - http://www.bohemiancoding.com/sketch -->
<title>architecture-1</title>
<desc>Created with Sketch.</desc>
<defs></defs>
<g id="architecture-diagrams" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
<g id="architecture-1">
<g id="Group" transform="translate(28.000000, 51.000000)">
<g id="stack">
<g id="servers" transform="translate(0.000000, 114.000000)">
<g id="cloud">
<rect id="Rectangle-138" fill="#82949E" x="0" y="0" width="172" height="34" rx="2"></rect>
<text id="cloud-servers" font-family="OpenSans, Open Sans" font-size="14" font-weight="normal" fill="#FFFFFF">
<tspan x="42.5097656" y="23">cloud servers</tspan>
</text>
</g>
<g id="virtual" transform="translate(176.000000, 0.000000)">
<rect id="Rectangle-138" fill="#82949E" x="0" y="0" width="172" height="34" rx="2"></rect>
<text id="virtual-servers" font-family="OpenSans, Open Sans" font-size="14" font-weight="normal" fill="#FFFFFF">
<tspan x="39.8608398" y="23">virtual servers</tspan>
</text>
</g>
<g id="physical" transform="translate(352.000000, 0.000000)">
<rect id="Rectangle-138" fill="#82949E" x="0" y="0" width="172" height="34" rx="2"></rect>
<text id="physical-servers" font-family="OpenSans, Open Sans" font-size="14" font-weight="normal" fill="#FFFFFF">
<tspan x="34.2075195" y="23">physical servers</tspan>
</text>
</g>
</g>
<g id="docker" transform="translate(0.000000, 76.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="524" height="34" rx="2"></rect>
<text id="CS-Docker-Engine" font-family="OpenSans, Open Sans" font-size="14" font-weight="normal" fill="#FFFFFF">
<tspan x="205.464355" y="23">CS Docker Engine</tspan>
</text>
</g>
<g id="ucp" transform="translate(0.000000, 38.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="524" height="34" rx="2"></rect>
<text id="Universal-Control-Pl" font-family="OpenSans, Open Sans" font-size="14" font-weight="normal" fill="#FFFFFF">
<tspan x="185.536621" y="23">Universal Control Plane</tspan>
</text>
</g>
<g id="dtr">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="172" height="34" rx="2"></rect>
<text id="Docker-Trusted-Regis" font-family="OpenSans, Open Sans" font-size="14" font-weight="normal" fill="#FFFFFF">
<tspan x="8.13183594" y="23">Docker Trusted Registry</tspan>
</text>
</g>
<g id="your-apps" transform="translate(176.000000, 0.000000)">
<rect id="Rectangle-138" fill="#00B6B5" x="0" y="0" width="348" height="34" rx="2"></rect>
<text id="your-applications" font-family="OpenSans, Open Sans" font-size="14" font-weight="normal" fill="#FFFFFF">
<tspan x="118.428223" y="23">your applications</tspan>
</text>
</g>
</g>
<g id="user" transform="translate(528.000000, 44.000000)">
<g transform="translate(44.000000, 0.000000)" fill="#82949E">
<text id="deploy-and-manage" font-family="OpenSans, Open Sans" font-size="12" font-weight="normal">
<tspan x="0" y="39">deploy and manage</tspan>
</text>
<path d="M56,13 C59.59125,13 62.5,10.083125 62.5,6.5 C62.5,2.90875 59.59125,0 56,0 C52.40875,0 49.5,2.90875 49.5,6.5 C49.5,10.083125 52.40875,13 56,13 L56,13 Z M56,16.25 C51.669375,16.25 43,18.419375 43,22.75 L43,26 L69,26 L69,22.75 C69,18.419375 60.330625,16.25 56,16.25 L56,16.25 Z" id="Shape"></path>
</g>
<g id="arrow" transform="translate(0.000000, 8.000000)">
<path d="M1.5,5 L60,5" id="Line" stroke="#82949E" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"></path>
<circle id="Oval" fill="#8F9EA8" cx="5" cy="5" r="5"></circle>
</g>
</g>
</g>
</g>
</g>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 5.0 KiB

BIN
datacenter/ucp/2.1/guides/images/architecture-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 38 KiB

166
datacenter/ucp/2.1/guides/images/architecture-2.svg Normal file
View File

@ -0,0 +1,166 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg width="740px" height="250px" viewBox="0 0 740 250" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<!-- Generator: Sketch 40.1 (33804) - http://www.bohemiancoding.com/sketch -->
<title>architecture-2</title>
<desc>Created with Sketch.</desc>
<defs></defs>
<g id="architecture-diagrams" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
<g id="architecture-2">
<text id="Docker-swarm" font-family="OpenSans-Semibold, Open Sans" font-size="10" font-weight="500" fill="#82949E">
<tspan x="178.025" y="239.009524">Docker swarm</tspan>
</text>
<g id="nodes" transform="translate(215.000000, 15.000000)">
<g id="workers" transform="translate(53.000000, 118.000000)">
<g id="node-1">
<g id="node">
<g id="node-label">
<rect id="Rectangle-127" fill="#445D6E" x="0" y="0" width="71" height="21.2904762" rx="2"></rect>
<text id="worker-node" font-family="OpenSans, Open Sans" font-size="8" font-weight="normal" fill="#FFFFFF">
<tspan x="6" y="14">worker node</tspan>
</text>
</g>
</g>
<g id="engine" transform="translate(1.000000, 79.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="CS-Docker-Engine" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="7.26025391" y="15">CS Docker Engine</tspan>
</text>
</g>
<g id="ucp" transform="translate(1.000000, 56.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-agent" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="23.7373047" y="15">UCP agent</tspan>
</text>
</g>
<g id="app" transform="translate(1.000000, 33.000000)">
<rect id="Rectangle-138" fill="#FFB463" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-worker" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="20.4755859" y="15">UCP worker</tspan>
</text>
</g>
<rect id="node-border" stroke="#445D6E" stroke-width="2" x="0" y="0" width="97" height="102" rx="2"></rect>
</g>
<g id="node-1-copy-3" transform="translate(107.000000, 0.000000)">
<g id="node">
<g id="node-label">
<rect id="Rectangle-127" fill="#445D6E" x="0" y="0" width="71" height="21.2904762" rx="2"></rect>
<text id="worker-node" font-family="OpenSans, Open Sans" font-size="8" font-weight="normal" fill="#FFFFFF">
<tspan x="6" y="14">worker node</tspan>
</text>
</g>
</g>
<g id="engine" transform="translate(1.000000, 79.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="CS-Docker-Engine" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="7.26025391" y="15">CS Docker Engine</tspan>
</text>
</g>
<g id="ucp" transform="translate(1.000000, 56.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-agent" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="23.7373047" y="15">UCP agent</tspan>
</text>
</g>
<g id="app" transform="translate(1.000000, 33.000000)">
<rect id="Rectangle-138" fill="#FFB463" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-worker" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="20.4755859" y="15">UCP worker</tspan>
</text>
</g>
<rect id="node-border" stroke="#445D6E" stroke-width="2" x="0" y="0" width="97" height="102" rx="2"></rect>
</g>
</g>
<g id="managers">
<g id="node-1">
<g id="node">
<g id="node-label">
<rect id="Rectangle-127" fill="#445D6E" x="0" y="0" width="71" height="21.2904762" rx="2"></rect>
<text id="manager-node" font-family="OpenSans, Open Sans" font-size="8" font-weight="normal" fill="#FFFFFF">
<tspan x="6" y="14">manager node</tspan>
</text>
</g>
</g>
<g id="engine" transform="translate(1.000000, 79.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="CS-Docker-Engine" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="7.26025391" y="15">CS Docker Engine</tspan>
</text>
</g>
<g id="ucp" transform="translate(1.000000, 56.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-agent" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="23.7373047" y="15">UCP agent</tspan>
</text>
</g>
<g id="app" transform="translate(1.000000, 33.000000)">
<rect id="Rectangle-138" fill="#00B6B5" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-manager" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="16.0297852" y="15">UCP manager</tspan>
</text>
</g>
<rect id="node-border" stroke="#445D6E" stroke-width="2" x="0" y="0" width="97" height="102" rx="2"></rect>
</g>
<g id="node-1-copy" transform="translate(107.000000, 0.000000)">
<g id="node">
<g id="node-label">
<rect id="Rectangle-127" fill="#445D6E" x="0" y="0" width="71" height="21.2904762" rx="2"></rect>
<text id="manager-node" font-family="OpenSans, Open Sans" font-size="8" font-weight="normal" fill="#FFFFFF">
<tspan x="6" y="14">manager node</tspan>
</text>
</g>
</g>
<g id="engine" transform="translate(1.000000, 79.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="CS-Docker-Engine" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="7.26025391" y="15">CS Docker Engine</tspan>
</text>
</g>
<g id="ucp" transform="translate(1.000000, 56.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-agent" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="23.7373047" y="15">UCP agent</tspan>
</text>
</g>
<g id="app" transform="translate(1.000000, 33.000000)">
<rect id="Rectangle-138" fill="#00B6B5" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-manager" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="16.0297852" y="15">UCP manager</tspan>
</text>
</g>
<rect id="node-border" stroke="#445D6E" stroke-width="2" x="0" y="0" width="97" height="102" rx="2"></rect>
</g>
<g id="node-1-copy-2" transform="translate(214.000000, 0.000000)">
<g id="node">
<g id="node-label">
<rect id="Rectangle-127" fill="#445D6E" x="0" y="0" width="71" height="21.2904762" rx="2"></rect>
<text id="manager-node" font-family="OpenSans, Open Sans" font-size="8" font-weight="normal" fill="#FFFFFF">
<tspan x="6" y="14">manager node</tspan>
</text>
</g>
</g>
<g id="engine" transform="translate(1.000000, 79.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="CS-Docker-Engine" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="7.26025391" y="15">CS Docker Engine</tspan>
</text>
</g>
<g id="ucp" transform="translate(1.000000, 56.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-agent" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="23.7373047" y="15">UCP agent</tspan>
</text>
</g>
<g id="app" transform="translate(1.000000, 33.000000)">
<rect id="Rectangle-138" fill="#00B6B5" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-manager" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="16.0297852" y="15">UCP manager</tspan>
</text>
</g>
<rect id="node-border" stroke="#445D6E" stroke-width="2" x="0" y="0" width="97" height="102" rx="2"></rect>
</g>
</g>
</g>
<rect id="group" stroke="#82949E" stroke-width="2" stroke-dasharray="5,5,5,5" x="169" y="3" width="401" height="245" rx="2"></rect>
</g>
</g>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 12 KiB

233
datacenter/ucp/2.1/guides/images/architecture-3.svg Normal file
View File

@ -0,0 +1,233 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg width="740px" height="350px" viewBox="0 0 740 350" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<!-- Generator: Sketch 40.1 (33804) - http://www.bohemiancoding.com/sketch -->
<title>architecture-3</title>
<desc>Created with Sketch.</desc>
<defs>
<circle id="path-1" cx="4" cy="4" r="4"></circle>
<mask id="mask-2" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="-2" y="-2" width="12" height="12">
<rect x="-2" y="-2" width="12" height="12" fill="white"></rect>
<use xlink:href="#path-1" fill="black"></use>
</mask>
<circle id="path-3" cx="4" cy="4" r="4"></circle>
<mask id="mask-4" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="-2" y="-2" width="12" height="12">
<rect x="-2" y="-2" width="12" height="12" fill="white"></rect>
<use xlink:href="#path-3" fill="black"></use>
</mask>
<circle id="path-5" cx="4" cy="4" r="4"></circle>
<mask id="mask-6" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="-2" y="-2" width="12" height="12">
<rect x="-2" y="-2" width="12" height="12" fill="white"></rect>
<use xlink:href="#path-5" fill="black"></use>
</mask>
</defs>
<g id="architecture-diagrams" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
<g id="architecture-3">
<g id="ddc" transform="translate(169.000000, 56.000000)">
<g id="swarm-group" transform="translate(0.000000, 42.000000)">
<text id="Docker-swarm" font-family="OpenSans-Semibold, Open Sans" font-size="10" font-weight="500" fill="#E0E4E7">
<tspan x="9.025" y="236.009524">Docker swarm</tspan>
</text>
<rect id="group" stroke="#E0E4E7" stroke-width="2" stroke-dasharray="5,5,5,5" x="0" y="0" width="401" height="245" rx="2"></rect>
</g>
<g id="load-balancer" transform="translate(47.000000, 0.000000)">
<g id="main">
<rect id="Rectangle-138" fill="#445D6E" x="0" y="0" width="309" height="22" rx="2"></rect>
<text id="your-load-balancer" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="111.437988" y="15">your load balancer</tspan>
</text>
</g>
<g id="arrows" transform="translate(43.000000, 21.000000)">
<g id="arrow-copy-3" transform="translate(218.500000, 17.000000) scale(1, -1) rotate(-90.000000) translate(-218.500000, -17.000000) translate(202.000000, 13.000000)">
<path d="M2,4 L33,4" id="Line" stroke="#445D6E" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"></path>
<g id="Oval">
<use fill="#445D6E" fill-rule="evenodd" xlink:href="#path-1"></use>
<use stroke="#F7F8F9" mask="url(#mask-2)" stroke-width="4" xlink:href="#path-1"></use>
</g>
</g>
<g id="arrow-copy" transform="translate(111.500000, 17.000000) scale(1, -1) rotate(-90.000000) translate(-111.500000, -17.000000) translate(95.000000, 13.000000)">
<path d="M2,4 L33,4" id="Line" stroke="#445D6E" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"></path>
<g id="Oval">
<use fill="#445D6E" fill-rule="evenodd" xlink:href="#path-3"></use>
<use stroke="#F7F8F9" mask="url(#mask-4)" stroke-width="4" xlink:href="#path-3"></use>
</g>
</g>
<g id="arrow-copy-2" transform="translate(4.500000, 17.000000) scale(1, -1) rotate(-90.000000) translate(-4.500000, -17.000000) translate(-12.000000, 13.000000)">
<path d="M2,4 L33,4" id="Line" stroke="#445D6E" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"></path>
<g id="Oval">
<use fill="#445D6E" fill-rule="evenodd" xlink:href="#path-5"></use>
<use stroke="#F7F8F9" mask="url(#mask-6)" stroke-width="4" xlink:href="#path-5"></use>
</g>
</g>
</g>
</g>
<g id="swam" transform="translate(46.000000, 54.000000)">
<g id="nodes">
<g id="workers" transform="translate(53.000000, 118.000000)">
<g id="node-1">
<g id="node">
<g id="node-label">
<rect id="Rectangle-127" fill="#E0E4E7" x="0" y="0" width="71" height="21.2904762" rx="2"></rect>
<text id="worker-node" font-family="OpenSans, Open Sans" font-size="8" font-weight="normal" fill="#FFFFFF">
<tspan x="6" y="14">worker node</tspan>
</text>
</g>
</g>
<g id="engine" transform="translate(1.000000, 79.000000)">
<rect id="Rectangle-138" fill="#A1CFE8" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="CS-Docker-Engine" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="7.26025391" y="15">CS Docker Engine</tspan>
</text>
</g>
<g id="ucp" transform="translate(1.000000, 56.000000)">
<rect id="Rectangle-138" fill="#A1CFE8" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-agent" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="23.7373047" y="15">UCP agent</tspan>
</text>
</g>
<g id="app" transform="translate(1.000000, 33.000000)">
<rect id="Rectangle-138" fill="#FFE1C0" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-worker" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="20.4755859" y="15">UCP worker</tspan>
</text>
</g>
<rect id="node-border" stroke="#E0E4E7" stroke-width="2" x="0" y="0" width="97" height="102" rx="2"></rect>
</g>
<g id="node-1-copy-3" transform="translate(107.000000, 0.000000)">
<g id="node">
<g id="node-label">
<rect id="Rectangle-127" fill="#E0E4E7" x="0" y="0" width="71" height="21.2904762" rx="2"></rect>
<text id="worker-node" font-family="OpenSans, Open Sans" font-size="8" font-weight="normal" fill="#FFFFFF">
<tspan x="6" y="14">worker node</tspan>
</text>
</g>
</g>
<g id="engine" transform="translate(1.000000, 79.000000)">
<rect id="Rectangle-138" fill="#A1CFE8" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="CS-Docker-Engine" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="7.26025391" y="15">CS Docker Engine</tspan>
</text>
</g>
<g id="ucp" transform="translate(1.000000, 56.000000)">
<rect id="Rectangle-138" fill="#A1CFE8" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-agent" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="23.7373047" y="15">UCP agent</tspan>
</text>
</g>
<g id="app" transform="translate(1.000000, 33.000000)">
<rect id="Rectangle-138" fill="#FFE1C0" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-worker" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="20.4755859" y="15">UCP worker</tspan>
</text>
</g>
<rect id="node-border" stroke="#E0E4E7" stroke-width="2" x="0" y="0" width="97" height="102" rx="2"></rect>
</g>
</g>
<g id="managers">
<g id="node-1-copy-2" transform="translate(214.000000, 0.000000)">
<g id="node">
<g id="node-label">
<rect id="Rectangle-127" fill="#445D6E" x="0" y="0" width="71" height="21.2904762" rx="2"></rect>
<text id="manager-node" font-family="OpenSans, Open Sans" font-size="8" font-weight="normal" fill="#FFFFFF">
<tspan x="6" y="14">manager node</tspan>
</text>
</g>
</g>
<g id="engine" transform="translate(1.000000, 79.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="CS-Docker-Engine" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="7.26025391" y="15">CS Docker Engine</tspan>
</text>
</g>
<g id="ucp" transform="translate(1.000000, 56.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-agent" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="23.7373047" y="15">UCP agent</tspan>
</text>
</g>
<g id="app" transform="translate(1.000000, 33.000000)">
<rect id="Rectangle-138" fill="#00B6B5" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-manager" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="16.0297852" y="15">UCP manager</tspan>
</text>
</g>
<rect id="node-border" stroke="#445D6E" stroke-width="2" x="0" y="0" width="97" height="102" rx="2"></rect>
</g>
<g id="node-1-copy" transform="translate(107.000000, 0.000000)">
<g id="node">
<g id="node-label">
<rect id="Rectangle-127" fill="#445D6E" x="0" y="0" width="71" height="21.2904762" rx="2"></rect>
<text id="manager-node" font-family="OpenSans, Open Sans" font-size="8" font-weight="normal" fill="#FFFFFF">
<tspan x="6" y="14">manager node</tspan>
</text>
</g>
</g>
<g id="engine" transform="translate(1.000000, 79.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="CS-Docker-Engine" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="7.26025391" y="15">CS Docker Engine</tspan>
</text>
</g>
<g id="ucp" transform="translate(1.000000, 56.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-agent" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="23.7373047" y="15">UCP agent</tspan>
</text>
</g>
<g id="app" transform="translate(1.000000, 33.000000)">
<rect id="Rectangle-138" fill="#00B6B5" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-manager" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="16.0297852" y="15">UCP manager</tspan>
</text>
</g>
<rect id="node-border" stroke="#445D6E" stroke-width="2" x="0" y="0" width="97" height="102" rx="2"></rect>
</g>
<g id="node-1">
<g id="node">
<g id="node-label">
<rect id="Rectangle-127" fill="#445D6E" x="0" y="0" width="71" height="21.2904762" rx="2"></rect>
<text id="manager-node" font-family="OpenSans, Open Sans" font-size="8" font-weight="normal" fill="#FFFFFF">
<tspan x="6" y="14">manager node</tspan>
</text>
</g>
</g>
<g id="engine" transform="translate(1.000000, 79.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="CS-Docker-Engine" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="7.26025391" y="15">CS Docker Engine</tspan>
</text>
</g>
<g id="ucp" transform="translate(1.000000, 56.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-agent" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="23.7373047" y="15">UCP agent</tspan>
</text>
</g>
<g id="app" transform="translate(1.000000, 33.000000)">
<rect id="Rectangle-138" fill="#00B6B5" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-manager" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="16.0297852" y="15">UCP manager</tspan>
</text>
</g>
<rect id="node-border" stroke="#445D6E" stroke-width="2" x="0" y="0" width="97" height="102" rx="2"></rect>
</g>
</g>
</g>
</g>
</g>
<g id="user" transform="translate(337.000000, 5.000000)" fill="#82949E">
<g>
<text id="UI" font-family="OpenSans, Open Sans" font-size="12" font-weight="normal">
<tspan x="7" y="41">UI</tspan>
</text>
<path d="M13,13 C16.59125,13 19.5,10.083125 19.5,6.5 C19.5,2.90875 16.59125,0 13,0 C9.40875,0 6.5,2.90875 6.5,6.5 C6.5,10.083125 9.40875,13 13,13 L13,13 Z M13,16.25 C8.669375,16.25 0,18.419375 0,22.75 L0,26 L26,26 L26,22.75 C26,18.419375 17.330625,16.25 13,16.25 L13,16.25 Z" id="Shape"></path>
</g>
<g id="user-copy" transform="translate(42.000000, 0.000000)">
<text id="CLI" font-family="OpenSans, Open Sans" font-size="12" font-weight="normal">
<tspan x="4" y="41">CLI</tspan>
</text>
<path d="M13,13 C16.59125,13 19.5,10.083125 19.5,6.5 C19.5,2.90875 16.59125,0 13,0 C9.40875,0 6.5,2.90875 6.5,6.5 C6.5,10.083125 9.40875,13 13,13 L13,13 Z M13,16.25 C8.669375,16.25 0,18.419375 0,22.75 L0,26 L26,26 L26,22.75 C26,18.419375 17.330625,16.25 13,16.25 L13,16.25 Z" id="Shape"></path>
</g>
</g>
</g>
</g>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 18 KiB

BIN
datacenter/ucp/2.1/guides/images/cli-based-access-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 206 KiB

BIN
datacenter/ucp/2.1/guides/images/configure-logs-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 223 KiB

BIN
datacenter/ucp/2.1/guides/images/container-detail-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 54 KiB

BIN
datacenter/ucp/2.1/guides/images/container_detail.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 68 KiB

BIN
datacenter/ucp/2.1/guides/images/create-and-manage-teams-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 251 KiB

BIN
datacenter/ucp/2.1/guides/images/create-and-manage-teams-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 253 KiB

BIN
datacenter/ucp/2.1/guides/images/create-and-manage-teams-3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 261 KiB

BIN
datacenter/ucp/2.1/guides/images/create-and-manage-teams-4.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 221 KiB

BIN
datacenter/ucp/2.1/guides/images/create-users-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 241 KiB

BIN
datacenter/ucp/2.1/guides/images/create-users-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 205 KiB

BIN
datacenter/ucp/2.1/guides/images/deploy-app-cli-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 226 KiB

BIN
datacenter/ucp/2.1/guides/images/deploy-app-ui-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 219 KiB

BIN
datacenter/ucp/2.1/guides/images/deploy-app-ui-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 331 KiB

BIN
datacenter/ucp/2.1/guides/images/deploy-app-ui-3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 283 KiB

BIN
datacenter/ucp/2.1/guides/images/deploy-app-ui-4.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 266 KiB

BIN
datacenter/ucp/2.1/guides/images/deploy-app-ui-5.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 226 KiB

BIN
datacenter/ucp/2.1/guides/images/deploy-app-ui-6.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 262 KiB

BIN
datacenter/ucp/2.1/guides/images/docker-hub-license.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 141 KiB

BIN
datacenter/ucp/2.1/guides/images/docker-hub-settings.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 71 KiB

BIN
datacenter/ucp/2.1/guides/images/dtr-integration-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 107 KiB

BIN
datacenter/ucp/2.1/guides/images/dtr-integration-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 95 KiB

BIN
datacenter/ucp/2.1/guides/images/install-production-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 230 KiB

BIN
datacenter/ucp/2.1/guides/images/install-production-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 206 KiB

BIN
datacenter/ucp/2.1/guides/images/install-production-3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 269 KiB

BIN
datacenter/ucp/2.1/guides/images/install-production-4.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 240 KiB

BIN
datacenter/ucp/2.1/guides/images/ldap-integration-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 272 KiB

BIN
datacenter/ucp/2.1/guides/images/license-ucp-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 373 KiB

BIN
datacenter/ucp/2.1/guides/images/license-ucp-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 237 KiB

BIN
datacenter/ucp/2.1/guides/images/monitor-ucp-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 223 KiB

BIN
datacenter/ucp/2.1/guides/images/monitor-ucp-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 223 KiB

BIN
datacenter/ucp/2.1/guides/images/monitor-ucp-3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 394 KiB

BIN
datacenter/ucp/2.1/guides/images/multiple-replicas.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 130 KiB

BIN
datacenter/ucp/2.1/guides/images/overview-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 279 KiB

BIN
datacenter/ucp/2.1/guides/images/overview-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 224 KiB

BIN
datacenter/ucp/2.1/guides/images/overview-3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 228 KiB

BIN
datacenter/ucp/2.1/guides/images/scale-your-cluster-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 206 KiB

156
datacenter/ucp/2.1/guides/images/scale-your-cluster-1.svg Normal file
View File

@ -0,0 +1,156 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg width="740px" height="307px" viewBox="0 0 740 307" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<!-- Generator: Sketch 40.1 (33804) - http://www.bohemiancoding.com/sketch -->
<title>scale-your-cluster-1</title>
<desc>Created with Sketch.</desc>
<defs>
<circle id="path-1" cx="4" cy="4" r="4"></circle>
<mask id="mask-2" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="-2" y="-2" width="12" height="12">
<rect x="-2" y="-2" width="12" height="12" fill="white"></rect>
<use xlink:href="#path-1" fill="black"></use>
</mask>
<circle id="path-3" cx="4" cy="4" r="4"></circle>
<mask id="mask-4" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="-2" y="-2" width="12" height="12">
<rect x="-2" y="-2" width="12" height="12" fill="white"></rect>
<use xlink:href="#path-3" fill="black"></use>
</mask>
<circle id="path-5" cx="4" cy="4" r="4"></circle>
<mask id="mask-6" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="-2" y="-2" width="12" height="12">
<rect x="-2" y="-2" width="12" height="12" fill="white"></rect>
<use xlink:href="#path-5" fill="black"></use>
</mask>
</defs>
<g id="architecture-diagrams" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
<g id="scale-your-cluster-1">
<g id="ddc" transform="translate(170.000000, 8.000000)">
<g id="swarm-group" transform="translate(0.000000, 42.000000)">
<text id="Docker-swarm" font-family="OpenSans-Semibold, Open Sans" font-size="10" font-weight="500" fill="#E0E4E7">
<tspan x="9.025" y="236.009524">Docker swarm</tspan>
</text>
<rect id="group" stroke="#E0E4E7" stroke-width="2" stroke-dasharray="5,5,5,5" x="0" y="0" width="401" height="245" rx="2"></rect>
</g>
<g id="load-balancer" transform="translate(47.000000, 0.000000)">
<g id="main">
<rect id="Rectangle-138" fill="#445D6E" x="0" y="0" width="309" height="22" rx="2"></rect>
<text id="your-load-balancer" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="111.437988" y="15">your load balancer</tspan>
</text>
</g>
<g id="arrows" transform="translate(43.000000, 21.000000)">
<g id="arrow-copy" transform="translate(111.500000, 17.000000) scale(1, -1) rotate(-90.000000) translate(-111.500000, -17.000000) translate(95.000000, 13.000000)">
<path d="M2,4 L33,4" id="Line" stroke="#E0E4E7" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"></path>
<g id="Oval">
<use fill="#E0E4E7" fill-rule="evenodd" xlink:href="#path-1"></use>
<use stroke="#F7F8F9" mask="url(#mask-2)" stroke-width="4" xlink:href="#path-1"></use>
</g>
</g>
<g id="arrow-copy-4" transform="translate(218.500000, 17.000000) scale(1, -1) rotate(-90.000000) translate(-218.500000, -17.000000) translate(202.000000, 13.000000)">
<path d="M2,4 L33,4" id="Line" stroke="#E0E4E7" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"></path>
<g id="Oval">
<use fill="#E0E4E7" fill-rule="evenodd" xlink:href="#path-3"></use>
<use stroke="#F7F8F9" mask="url(#mask-4)" stroke-width="4" xlink:href="#path-3"></use>
</g>
</g>
<g id="arrow-copy-2" transform="translate(4.500000, 17.000000) scale(1, -1) rotate(-90.000000) translate(-4.500000, -17.000000) translate(-12.000000, 13.000000)">
<path d="M2,4 L33,4" id="Line" stroke="#445D6E" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"></path>
<g id="Oval">
<use fill="#445D6E" fill-rule="evenodd" xlink:href="#path-5"></use>
<use stroke="#F7F8F9" mask="url(#mask-6)" stroke-width="4" xlink:href="#path-5"></use>
</g>
</g>
</g>
</g>
<g id="swam" transform="translate(46.000000, 34.000000)">
<g id="nodes">
<g id="workers" transform="translate(53.000000, 121.000000)">
<g id="node-1" transform="translate(0.000000, 17.000000)">
<g id="node">
<g id="node-label">
<rect id="Rectangle-127" fill="#445D6E" x="0" y="0" width="71" height="21.2904762" rx="2"></rect>
<text id="worker-node" font-family="OpenSans, Open Sans" font-size="8" font-weight="normal" fill="#FFFFFF">
<tspan x="6" y="14">worker node</tspan>
</text>
</g>
</g>
<g id="engine" transform="translate(1.000000, 79.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="CS-Docker-Engine" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="7.26025391" y="15">CS Docker Engine</tspan>
</text>
</g>
<g id="ucp" transform="translate(1.000000, 56.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-agent" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="23.7373047" y="15">UCP agent</tspan>
</text>
</g>
<g id="app" transform="translate(1.000000, 33.000000)">
<rect id="Rectangle-138" fill="#FFB463" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-worker" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="20.4755859" y="15">UCP worker</tspan>
</text>
</g>
<rect id="node-border" stroke="#445D6E" stroke-width="2" x="0" y="0" width="97" height="102" rx="2"></rect>
</g>
<g id="node-1-copy" transform="translate(107.000000, 0.000000)">
<rect id="node-border" stroke="#E0E4E7" stroke-width="2" fill="#E0E4E7" x="0" y="17" width="97" height="102" rx="2"></rect>
<g id="node" transform="translate(0.000000, 17.000000)">
<g id="node-label"></g>
</g>
<text id="+" font-family="OpenSans, Open Sans" font-size="100" font-weight="normal" fill="#FFFFFF">
<tspan x="20.4111328" y="104">+</tspan>
</text>
</g>
</g>
<g id="managers">
<g id="node-1-copy" transform="translate(107.000000, 0.000000)">
<rect id="node-border" stroke="#E0E4E7" stroke-width="2" fill="#E0E4E7" x="0" y="20" width="97" height="102" rx="2"></rect>
<text id="+" font-family="OpenSans, Open Sans" font-size="100" font-weight="normal" fill="#F7F8F9">
<tspan x="20.4111328" y="107">+</tspan>
</text>
</g>
<g id="node-1-copy-4" transform="translate(214.000000, 0.000000)">
<rect id="node-border" stroke="#E0E4E7" stroke-width="2" fill="#E0E4E7" x="0" y="20" width="97" height="102" rx="2"></rect>
<g id="node" transform="translate(0.000000, 20.000000)">
<g id="node-label"></g>
</g>
<text id="+" font-family="OpenSans, Open Sans" font-size="100" font-weight="normal" fill="#FFFFFF">
<tspan x="20.4111328" y="107">+</tspan>
</text>
</g>
<g id="node-1" transform="translate(0.000000, 20.000000)">
<g id="node">
<g id="node-label">
<rect id="Rectangle-127" fill="#445D6E" x="0" y="0" width="71" height="21.2904762" rx="2"></rect>
<text id="manager-node" font-family="OpenSans, Open Sans" font-size="8" font-weight="normal" fill="#FFFFFF">
<tspan x="6" y="14">manager node</tspan>
</text>
</g>
</g>
<g id="engine" transform="translate(1.000000, 79.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="CS-Docker-Engine" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="7.26025391" y="15">CS Docker Engine</tspan>
</text>
</g>
<g id="ucp" transform="translate(1.000000, 56.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-agent" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="23.7373047" y="15">UCP agent</tspan>
</text>
</g>
<g id="app" transform="translate(1.000000, 33.000000)">
<rect id="Rectangle-138" fill="#00B6B5" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-manager" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="16.0297852" y="15">UCP manager</tspan>
</text>
</g>
<rect id="node-border" stroke="#445D6E" stroke-width="2" x="0" y="0" width="97" height="102" rx="2"></rect>
</g>
</g>
</g>
</g>
</g>
</g>
</g>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 12 KiB

BIN
datacenter/ucp/2.1/guides/images/scale-your-cluster-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 270 KiB

BIN
datacenter/ucp/2.1/guides/images/scale-your-cluster-3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 224 KiB

BIN
datacenter/ucp/2.1/guides/images/scale-your-cluster-4.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 278 KiB

94
datacenter/ucp/2.1/guides/images/secure-your-infrastructure-1.svg Normal file
View File

@ -0,0 +1,94 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg width="690px" height="213px" viewBox="0 0 690 213" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<!-- Generator: Sketch 3.8.3 (29802) - http://www.bohemiancoding.com/sketch -->
<title>secure-your-infrastructure-1</title>
<desc>Created with Sketch.</desc>
<defs>
<rect id="path-1" x="0" y="7.10542736e-15" width="263" height="87" rx="2"></rect>
<mask id="mask-2" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="0" y="0" width="263" height="87" fill="white">
<use xlink:href="#path-1"></use>
</mask>
<rect id="path-3" x="0" y="7.10542736e-15" width="263" height="87" rx="2"></rect>
<mask id="mask-4" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="0" y="0" width="263" height="87" fill="white">
<use xlink:href="#path-3"></use>
</mask>
</defs>
<g id="Apps" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
<g id="secure-your-infrastructure-1">
<g id="apps" transform="translate(214.000000, 11.000000)">
<g id="billing" transform="translate(0.000000, 105.000000)">
<g id="label">
<use id="Rectangle-153" stroke="#C0C9CE" mask="url(#mask-2)" stroke-width="4" stroke-dasharray="5,5,5,5" fill="#FFFFFF" xlink:href="#path-1"></use>
<text id="com.docker.ucp.acces" font-family="OpenSans-Semibold, Open Sans" font-size="12" font-weight="500" fill="#C0C9CE">
<tspan x="6" y="16">com.docker.ucp.access.label = billing</tspan>
</text>
</g>
<g id="containers" transform="translate(27.000000, 32.000000)">
<path d="M40.25,0 L5.75,0 C2.5875,0 0,2.5875 0,5.75 L0,40.25 C0,43.4125 2.5875,46 5.75,46 L40.25,46 C43.4125,46 46,43.4125 46,40.25 L46,5.75 C46,2.5875 43.4125,0 40.25,0 L40.25,0 Z M40.25,40.25 L5.75,40.25 L5.75,5.75 L40.25,5.75 L40.25,40.25 L40.25,40.25 Z M31.625,14.375 L14.375,14.375 L14.375,31.625 L31.625,31.625 L31.625,14.375 L31.625,14.375 Z" id="container" fill="#00CBCA"></path>
<path d="M94.25,0 L59.75,0 C56.5875,0 54,2.5875 54,5.75 L54,40.25 C54,43.4125 56.5875,46 59.75,46 L94.25,46 C97.4125,46 100,43.4125 100,40.25 L100,5.75 C100,2.5875 97.4125,0 94.25,0 L94.25,0 Z M94.25,40.25 L59.75,40.25 L59.75,5.75 L94.25,5.75 L94.25,40.25 L94.25,40.25 Z M85.625,14.375 L68.375,14.375 L68.375,31.625 L85.625,31.625 L85.625,14.375 L85.625,14.375 Z" id="container-copy" fill="#00CBCA"></path>
<path d="M148.25,0 L113.75,0 C110.5875,0 108,2.5875 108,5.75 L108,40.25 C108,43.4125 110.5875,46 113.75,46 L148.25,46 C151.4125,46 154,43.4125 154,40.25 L154,5.75 C154,2.5875 151.4125,0 148.25,0 L148.25,0 Z M148.25,40.25 L113.75,40.25 L113.75,5.75 L148.25,5.75 L148.25,40.25 L148.25,40.25 Z M139.625,14.375 L122.375,14.375 L122.375,31.625 L139.625,31.625 L139.625,14.375 L139.625,14.375 Z" id="container-copy-2" fill="#00CBCA"></path>
<path d="M202.25,0 L167.75,0 C164.5875,0 162,2.5875 162,5.75 L162,40.25 C162,43.4125 164.5875,46 167.75,46 L202.25,46 C205.4125,46 208,43.4125 208,40.25 L208,5.75 C208,2.5875 205.4125,0 202.25,0 L202.25,0 Z M202.25,40.25 L167.75,40.25 L167.75,5.75 L202.25,5.75 L202.25,40.25 L202.25,40.25 Z M193.625,14.375 L176.375,14.375 L176.375,31.625 L193.625,31.625 L193.625,14.375 L193.625,14.375 Z" id="container-copy-3" fill="#00CBCA"></path>
<g id="container-copy-8">
<rect id="Rectangle-206" fill="#00CBCA" x="0" y="0.425607717" width="45.5743923" height="45.5743923" rx="4"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="10.1276427" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="20.2552855" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="30.3829282" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
</g>
<g id="container-copy-9" transform="translate(54.000000, 0.000000)">
<rect id="Rectangle-206" fill="#00CBCA" x="0" y="0.425607717" width="45.5743923" height="45.5743923" rx="4"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="10.1276427" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="20.2552855" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="30.3829282" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
</g>
<g id="container-copy-10" transform="translate(108.000000, 0.000000)">
<rect id="Rectangle-206" fill="#00CBCA" x="0" y="0.425607717" width="45.5743923" height="45.5743923" rx="4"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="10.1276427" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="20.2552855" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="30.3829282" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
</g>
<g id="container-copy-11" transform="translate(162.000000, 0.000000)">
<rect id="Rectangle-206" fill="#00CBCA" x="0" y="0.425607717" width="45.5743923" height="45.5743923" rx="4"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="10.1276427" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="20.2552855" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="30.3829282" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
</g>
</g>
</g>
<g id="crm">
<g id="label">
<use id="Rectangle-153" stroke="#C0C9CE" mask="url(#mask-4)" stroke-width="4" stroke-dasharray="5,5,5,5" fill="#FFFFFF" xlink:href="#path-3"></use>
<text id="com.docker.ucp.acces" font-family="OpenSans-Semibold, Open Sans" font-size="12" font-weight="500" fill="#C0C9CE">
<tspan x="6" y="16">com.docker.ucp.access.label = crm</tspan>
</text>
</g>
<g id="containers" transform="translate(27.000000, 32.000000)">
<g id="container">
<rect id="Rectangle-206" fill="#1AAAF8" x="0" y="0.425607717" width="45.5743923" height="45.5743923" rx="4"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="10.1276427" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="20.2552855" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="30.3829282" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
</g>
<g id="container-copy-4" transform="translate(54.000000, 0.000000)">
<rect id="Rectangle-206" fill="#1AAAF8" x="0" y="0.425607717" width="45.5743923" height="45.5743923" rx="4"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="10.1276427" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="20.2552855" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="30.3829282" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
</g>
<g id="container-copy-5" transform="translate(108.000000, 0.000000)">
<rect id="Rectangle-206" fill="#1AAAF8" x="0" y="0.425607717" width="45.5743923" height="45.5743923" rx="4"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="10.1276427" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="20.2552855" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="30.3829282" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
</g>
<g id="container-copy-6" transform="translate(162.000000, 0.000000)">
<rect id="Rectangle-206" fill="#1AAAF8" x="0" y="0.425607717" width="45.5743923" height="45.5743923" rx="4"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="10.1276427" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="20.2552855" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="30.3829282" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
</g>
</g>
</g>
</g>
</g>
</g>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 9.6 KiB

147
datacenter/ucp/2.1/guides/images/secure-your-infrastructure-2.svg Normal file
View File

@ -0,0 +1,147 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg width="690px" height="317px" viewBox="0 0 690 317" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<!-- Generator: Sketch 3.8.3 (29802) - http://www.bohemiancoding.com/sketch -->
<title>secure-your-infrastructure-2</title>
<desc>Created with Sketch.</desc>
<defs>
<rect id="path-1" x="0" y="7.10542736e-15" width="263" height="87" rx="2"></rect>
<mask id="mask-2" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="0" y="0" width="263" height="87" fill="white">
<use xlink:href="#path-1"></use>
</mask>
<rect id="path-3" x="0" y="7.10542736e-15" width="263" height="87" rx="2"></rect>
<mask id="mask-4" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="0" y="0" width="263" height="87" fill="white">
<use xlink:href="#path-3"></use>
</mask>
<rect id="path-5" x="0" y="0" width="690" height="317"></rect>
<mask id="mask-6" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="0" y="0" width="690" height="317" fill="white">
<use xlink:href="#path-5"></use>
</mask>
</defs>
<g id="Apps" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
<g id="secure-your-infrastructure-2">
<g id="Group" transform="translate(68.000000, 26.000000)">
<g id="teams" transform="translate(312.000000, 0.000000)">
<g id="ops-team" transform="translate(189.000000, 0.000000)">
<path d="M26.5,26.5 C33.820625,26.5 39.75,20.5540625 39.75,13.25 C39.75,5.929375 33.820625,0 26.5,0 C19.179375,0 13.25,5.929375 13.25,13.25 C13.25,20.5540625 19.179375,26.5 26.5,26.5 L26.5,26.5 Z M26.5,33.125 C17.6721875,33.125 0,37.5471875 0,46.375 L0,53 L53,53 L53,46.375 C53,37.5471875 35.3278125,33.125 26.5,33.125 L26.5,33.125 Z" id="Shape-Copy" fill="#9967FF"></path>
<text font-family="OpenSans-Semibold, Open Sans" font-size="12" font-weight="500" fill="#C0C9CE">
<tspan x="0" y="68">ops team</tspan>
</text>
</g>
<g id="billing-team" transform="translate(88.000000, 0.000000)">
<text font-family="OpenSans-Semibold, Open Sans" font-size="12" font-weight="500" fill="#C0C9CE">
<tspan x="0" y="68">billing team</tspan>
</text>
<path d="M34.5,26.5 C41.820625,26.5 47.75,20.5540625 47.75,13.25 C47.75,5.929375 41.820625,0 34.5,0 C27.179375,0 21.25,5.929375 21.25,13.25 C21.25,20.5540625 27.179375,26.5 34.5,26.5 L34.5,26.5 Z M34.5,33.125 C25.6721875,33.125 8,37.5471875 8,46.375 L8,53 L61,53 L61,46.375 C61,37.5471875 43.3278125,33.125 34.5,33.125 L34.5,33.125 Z" id="Shape-Copy-2" fill="#00CBCA"></path>
</g>
<g id="crm-team">
<text font-family="OpenSans-Semibold, Open Sans" font-size="12" font-weight="500" fill="#C0C9CE">
<tspan x="0" y="68">crm team</tspan>
</text>
<path d="M28.5,26.5 C35.820625,26.5 41.75,20.5540625 41.75,13.25 C41.75,5.929375 35.820625,0 28.5,0 C21.179375,0 15.25,5.929375 15.25,13.25 C15.25,20.5540625 21.179375,26.5 28.5,26.5 L28.5,26.5 Z M28.5,33.125 C19.6721875,33.125 2,37.5471875 2,46.375 L2,53 L55,53 L55,46.375 C55,37.5471875 37.3278125,33.125 28.5,33.125 L28.5,33.125 Z" id="Shape" fill="#1AAAF8"></path>
</g>
</g>
<g id="apps" transform="translate(0.000000, 72.000000)">
<g id="billing" transform="translate(0.000000, 105.000000)">
<g id="label">
<use id="Rectangle-153" stroke="#C0C9CE" mask="url(#mask-2)" stroke-width="4" stroke-dasharray="5,5,5,5" fill="#FFFFFF" xlink:href="#path-1"></use>
<text id="com.docker.ucp.acces" font-family="OpenSans-Semibold, Open Sans" font-size="12" font-weight="500" fill="#C0C9CE">
<tspan x="6" y="16">com.docker.ucp.access.label = billing</tspan>
</text>
</g>
<g id="containers" transform="translate(27.000000, 32.000000)">
<path d="M40.25,0 L5.75,0 C2.5875,0 0,2.5875 0,5.75 L0,40.25 C0,43.4125 2.5875,46 5.75,46 L40.25,46 C43.4125,46 46,43.4125 46,40.25 L46,5.75 C46,2.5875 43.4125,0 40.25,0 L40.25,0 Z M40.25,40.25 L5.75,40.25 L5.75,5.75 L40.25,5.75 L40.25,40.25 L40.25,40.25 Z M31.625,14.375 L14.375,14.375 L14.375,31.625 L31.625,31.625 L31.625,14.375 L31.625,14.375 Z" id="container" fill="#00CBCA"></path>
<path d="M94.25,0 L59.75,0 C56.5875,0 54,2.5875 54,5.75 L54,40.25 C54,43.4125 56.5875,46 59.75,46 L94.25,46 C97.4125,46 100,43.4125 100,40.25 L100,5.75 C100,2.5875 97.4125,0 94.25,0 L94.25,0 Z M94.25,40.25 L59.75,40.25 L59.75,5.75 L94.25,5.75 L94.25,40.25 L94.25,40.25 Z M85.625,14.375 L68.375,14.375 L68.375,31.625 L85.625,31.625 L85.625,14.375 L85.625,14.375 Z" id="container-copy" fill="#00CBCA"></path>
<path d="M148.25,0 L113.75,0 C110.5875,0 108,2.5875 108,5.75 L108,40.25 C108,43.4125 110.5875,46 113.75,46 L148.25,46 C151.4125,46 154,43.4125 154,40.25 L154,5.75 C154,2.5875 151.4125,0 148.25,0 L148.25,0 Z M148.25,40.25 L113.75,40.25 L113.75,5.75 L148.25,5.75 L148.25,40.25 L148.25,40.25 Z M139.625,14.375 L122.375,14.375 L122.375,31.625 L139.625,31.625 L139.625,14.375 L139.625,14.375 Z" id="container-copy-2" fill="#00CBCA"></path>
<path d="M202.25,0 L167.75,0 C164.5875,0 162,2.5875 162,5.75 L162,40.25 C162,43.4125 164.5875,46 167.75,46 L202.25,46 C205.4125,46 208,43.4125 208,40.25 L208,5.75 C208,2.5875 205.4125,0 202.25,0 L202.25,0 Z M202.25,40.25 L167.75,40.25 L167.75,5.75 L202.25,5.75 L202.25,40.25 L202.25,40.25 Z M193.625,14.375 L176.375,14.375 L176.375,31.625 L193.625,31.625 L193.625,14.375 L193.625,14.375 Z" id="container-copy-3" fill="#00CBCA"></path>
<g id="container-copy-8">
<rect id="Rectangle-206" fill="#00CBCA" x="0" y="0.425607717" width="45.5743923" height="45.5743923" rx="4"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="10.1276427" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="20.2552855" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="30.3829282" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
</g>
<g id="container-copy-9" transform="translate(54.000000, 0.000000)">
<rect id="Rectangle-206" fill="#00CBCA" x="0" y="0.425607717" width="45.5743923" height="45.5743923" rx="4"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="10.1276427" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="20.2552855" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="30.3829282" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
</g>
<g id="container-copy-10" transform="translate(108.000000, 0.000000)">
<rect id="Rectangle-206" fill="#00CBCA" x="0" y="0.425607717" width="45.5743923" height="45.5743923" rx="4"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="10.1276427" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="20.2552855" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="30.3829282" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
</g>
<g id="container-copy-11" transform="translate(162.000000, 0.000000)">
<rect id="Rectangle-206" fill="#00CBCA" x="0" y="0.425607717" width="45.5743923" height="45.5743923" rx="4"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="10.1276427" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="20.2552855" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="30.3829282" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
</g>
</g>
</g>
<g id="crm">
<g id="label">
<use id="Rectangle-153" stroke="#C0C9CE" mask="url(#mask-4)" stroke-width="4" stroke-dasharray="5,5,5,5" fill="#FFFFFF" xlink:href="#path-3"></use>
<text id="com.docker.ucp.acces" font-family="OpenSans-Semibold, Open Sans" font-size="12" font-weight="500" fill="#C0C9CE">
<tspan x="6" y="16">com.docker.ucp.access.label = crm</tspan>
</text>
</g>
<g id="containers" transform="translate(27.000000, 32.000000)">
<g id="container">
<rect id="Rectangle-206" fill="#1AAAF8" x="0" y="0.425607717" width="45.5743923" height="45.5743923" rx="4"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="10.1276427" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="20.2552855" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="30.3829282" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
</g>
<g id="container-copy-4" transform="translate(54.000000, 0.000000)">
<rect id="Rectangle-206" fill="#1AAAF8" x="0" y="0.425607717" width="45.5743923" height="45.5743923" rx="4"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="10.1276427" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="20.2552855" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="30.3829282" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
</g>
<g id="container-copy-5" transform="translate(108.000000, 0.000000)">
<rect id="Rectangle-206" fill="#1AAAF8" x="0" y="0.425607717" width="45.5743923" height="45.5743923" rx="4"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="10.1276427" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="20.2552855" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="30.3829282" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
</g>
<g id="container-copy-6" transform="translate(162.000000, 0.000000)">
<rect id="Rectangle-206" fill="#1AAAF8" x="0" y="0.425607717" width="45.5743923" height="45.5743923" rx="4"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="10.1276427" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="20.2552855" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
<rect id="Rectangle-207" fill="#FFFFFF" x="30.3829282" y="10.5532504" width="5.06382136" height="25.3191068"></rect>
</g>
</g>
</g>
</g>
</g>
<g id="permissions" transform="translate(388.000000, 143.000000)">
<g id="permissions-copy-5" transform="translate(185.000000, 88.000000)" fill="#445D6E">
<path d="M12.09,0 C4.5,0 0,9 0,9 C0,9 4.5,18 12.09,18 C19.5,18 24,9 24,9 C24,9 19.5,0 12.09,0 L12.09,0 Z M12,15 C8.7,15 6,12.33 6,9 C6,5.7 8.7,3 12,3 C15.33,3 18,5.7 18,9 C18,12.33 15.33,15 12,15 L12,15 Z M15,9 C15,10.665 13.665,12 12,12 C10.335,12 9,10.665 9,9 C9,7.335 10.335,6 12,6 C13.665,6 15,7.335 15,9 L15,9 Z" id="Shape"></path>
<path d="M32,14.0272045 L32,18 L35.9727791,18 L46.5668567,7.40587876 L42.5940776,3.4330833 L32,14.0272045 L32,14.0272045 Z M35.9727791,16.6757348 L33.3242597,16.6757348 L33.3242597,14.0272045 L34.6485194,14.0272045 L34.6485194,15.3514697 L35.9727791,15.3514697 L35.9727791,16.6757348 L35.9727791,16.6757348 Z M49.612654,4.36006891 L47.8911164,6.08161361 L43.9183373,2.10881814 L45.6398749,0.387273441 C45.8873057,0.139333807 46.2231988,-8.8817842e-15 46.573478,-8.8817842e-15 C46.9237573,-8.8817842e-15 47.2596503,0.139333807 47.5070811,0.387273441 L49.612654,2.49285504 C50.1291153,3.00931845 50.1291153,3.8436055 49.612654,4.36006891 L49.612654,4.36006891 Z" id="Shape"></path>
</g>
<g id="permissions-copy-4" transform="translate(91.000000, 88.000000)" fill="#445D6E">
<path d="M12.09,0 C4.5,0 0,9 0,9 C0,9 4.5,18 12.09,18 C19.5,18 24,9 24,9 C24,9 19.5,0 12.09,0 L12.09,0 Z M12,15 C8.7,15 6,12.33 6,9 C6,5.7 8.7,3 12,3 C15.33,3 18,5.7 18,9 C18,12.33 15.33,15 12,15 L12,15 Z M15,9 C15,10.665 13.665,12 12,12 C10.335,12 9,10.665 9,9 C9,7.335 10.335,6 12,6 C13.665,6 15,7.335 15,9 L15,9 Z" id="Shape"></path>
<path d="M32,14.0272045 L32,18 L35.9727791,18 L46.5668567,7.40587876 L42.5940776,3.4330833 L32,14.0272045 L32,14.0272045 Z M35.9727791,16.6757348 L33.3242597,16.6757348 L33.3242597,14.0272045 L34.6485194,14.0272045 L34.6485194,15.3514697 L35.9727791,15.3514697 L35.9727791,16.6757348 L35.9727791,16.6757348 Z M49.612654,4.36006891 L47.8911164,6.08161361 L43.9183373,2.10881814 L45.6398749,0.387273441 C45.8873057,0.139333807 46.2231988,-8.8817842e-15 46.573478,-8.8817842e-15 C46.9237573,-8.8817842e-15 47.2596503,0.139333807 47.5070811,0.387273441 L49.612654,2.49285504 C50.1291153,3.00931845 50.1291153,3.8436055 49.612654,4.36006891 L49.612654,4.36006891 Z" id="Shape"></path>
</g>
<g id="permissions-copy-3" transform="translate(0.000000, 88.000000)" fill="#C0C9CE">
<path d="M12.09,0 C4.5,0 0,9 0,9 C0,9 4.5,18 12.09,18 C19.5,18 24,9 24,9 C24,9 19.5,0 12.09,0 L12.09,0 Z M12,15 C8.7,15 6,12.33 6,9 C6,5.7 8.7,3 12,3 C15.33,3 18,5.7 18,9 C18,12.33 15.33,15 12,15 L12,15 Z M15,9 C15,10.665 13.665,12 12,12 C10.335,12 9,10.665 9,9 C9,7.335 10.335,6 12,6 C13.665,6 15,7.335 15,9 L15,9 Z" id="Shape"></path>
<path d="M32,14.0272045 L32,18 L35.9727791,18 L46.5668567,7.40587876 L42.5940776,3.4330833 L32,14.0272045 L32,14.0272045 Z M35.9727791,16.6757348 L33.3242597,16.6757348 L33.3242597,14.0272045 L34.6485194,14.0272045 L34.6485194,15.3514697 L35.9727791,15.3514697 L35.9727791,16.6757348 L35.9727791,16.6757348 Z M49.612654,4.36006891 L47.8911164,6.08161361 L43.9183373,2.10881814 L45.6398749,0.387273441 C45.8873057,0.139333807 46.2231988,-8.8817842e-15 46.573478,-8.8817842e-15 C46.9237573,-8.8817842e-15 47.2596503,0.139333807 47.5070811,0.387273441 L49.612654,2.49285504 C50.1291153,3.00931845 50.1291153,3.8436055 49.612654,4.36006891 L49.612654,4.36006891 Z" id="Shape"></path>
</g>
<g id="permissions-copy-2" transform="translate(185.000000, 0.000000)" fill="#445D6E">
<path d="M12.09,0 C4.5,0 0,9 0,9 C0,9 4.5,18 12.09,18 C19.5,18 24,9 24,9 C24,9 19.5,0 12.09,0 L12.09,0 Z M12,15 C8.7,15 6,12.33 6,9 C6,5.7 8.7,3 12,3 C15.33,3 18,5.7 18,9 C18,12.33 15.33,15 12,15 L12,15 Z M15,9 C15,10.665 13.665,12 12,12 C10.335,12 9,10.665 9,9 C9,7.335 10.335,6 12,6 C13.665,6 15,7.335 15,9 L15,9 Z" id="Shape"></path>
<path d="M32,14.0272045 L32,18 L35.9727791,18 L46.5668567,7.40587876 L42.5940776,3.4330833 L32,14.0272045 L32,14.0272045 Z M35.9727791,16.6757348 L33.3242597,16.6757348 L33.3242597,14.0272045 L34.6485194,14.0272045 L34.6485194,15.3514697 L35.9727791,15.3514697 L35.9727791,16.6757348 L35.9727791,16.6757348 Z M49.612654,4.36006891 L47.8911164,6.08161361 L43.9183373,2.10881814 L45.6398749,0.387273441 C45.8873057,0.139333807 46.2231988,-8.8817842e-15 46.573478,-8.8817842e-15 C46.9237573,-8.8817842e-15 47.2596503,0.139333807 47.5070811,0.387273441 L49.612654,2.49285504 C50.1291153,3.00931845 50.1291153,3.8436055 49.612654,4.36006891 L49.612654,4.36006891 Z" id="Shape"></path>
</g>
<g id="permissions-copy" transform="translate(91.000000, 0.000000)" fill="#C0C9CE">
<path d="M12.09,0 C4.5,0 0,9 0,9 C0,9 4.5,18 12.09,18 C19.5,18 24,9 24,9 C24,9 19.5,0 12.09,0 L12.09,0 Z M12,15 C8.7,15 6,12.33 6,9 C6,5.7 8.7,3 12,3 C15.33,3 18,5.7 18,9 C18,12.33 15.33,15 12,15 L12,15 Z M15,9 C15,10.665 13.665,12 12,12 C10.335,12 9,10.665 9,9 C9,7.335 10.335,6 12,6 C13.665,6 15,7.335 15,9 L15,9 Z" id="Shape"></path>
<path d="M32,14.0272045 L32,18 L35.9727791,18 L46.5668567,7.40587876 L42.5940776,3.4330833 L32,14.0272045 L32,14.0272045 Z M35.9727791,16.6757348 L33.3242597,16.6757348 L33.3242597,14.0272045 L34.6485194,14.0272045 L34.6485194,15.3514697 L35.9727791,15.3514697 L35.9727791,16.6757348 L35.9727791,16.6757348 Z M49.612654,4.36006891 L47.8911164,6.08161361 L43.9183373,2.10881814 L45.6398749,0.387273441 C45.8873057,0.139333807 46.2231988,-8.8817842e-15 46.573478,-8.8817842e-15 C46.9237573,-8.8817842e-15 47.2596503,0.139333807 47.5070811,0.387273441 L49.612654,2.49285504 C50.1291153,3.00931845 50.1291153,3.8436055 49.612654,4.36006891 L49.612654,4.36006891 Z" id="Shape"></path>
</g>
<g id="Shape" fill="#445D6E">
<path d="M12.09,0 C4.5,0 0,9 0,9 C0,9 4.5,18 12.09,18 C19.5,18 24,9 24,9 C24,9 19.5,0 12.09,0 L12.09,0 Z M12,15 C8.7,15 6,12.33 6,9 C6,5.7 8.7,3 12,3 C15.33,3 18,5.7 18,9 C18,12.33 15.33,15 12,15 L12,15 Z M15,9 C15,10.665 13.665,12 12,12 C10.335,12 9,10.665 9,9 C9,7.335 10.335,6 12,6 C13.665,6 15,7.335 15,9 L15,9 Z"></path>
<path d="M32,14.0272045 L32,18 L35.9727791,18 L46.5668567,7.40587876 L42.5940776,3.4330833 L32,14.0272045 L32,14.0272045 Z M35.9727791,16.6757348 L33.3242597,16.6757348 L33.3242597,14.0272045 L34.6485194,14.0272045 L34.6485194,15.3514697 L35.9727791,15.3514697 L35.9727791,16.6757348 L35.9727791,16.6757348 Z M49.612654,4.36006891 L47.8911164,6.08161361 L43.9183373,2.10881814 L45.6398749,0.387273441 C45.8873057,0.139333807 46.2231988,-8.8817842e-15 46.573478,-8.8817842e-15 C46.9237573,-8.8817842e-15 47.2596503,0.139333807 47.5070811,0.387273441 L49.612654,2.49285504 C50.1291153,3.00931845 50.1291153,3.8436055 49.612654,4.36006891 L49.612654,4.36006891 Z"></path>
</g>
</g>
<use id="border" stroke="#C0C9CE" mask="url(#mask-6)" stroke-width="2" xlink:href="#path-5"></use>
</g>
</g>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 20 KiB

BIN
datacenter/ucp/2.1/guides/images/troubleshoot-ucp-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 394 KiB

BIN
datacenter/ucp/2.1/guides/images/use-externally-signed-certs-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 172 KiB

BIN
datacenter/ucp/2.1/guides/images/use-externally-signed-certs-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 259 KiB

BIN
datacenter/ucp/2.1/guides/images/web-based-access-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 279 KiB

BIN
datacenter/ucp/2.1/guides/images/web-based-access-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 228 KiB

76
datacenter/ucp/2.1/guides/index.md Normal file
View File

@ -0,0 +1,76 @@
---
description: Learn about Docker Universal Control Plane, the enterprise-grade cluster
management solution from Docker.
keywords: docker, ucp, overview, orchestration, clustering
title: Universal Control Plane overview
---
Docker Universal Control Plane (UCP) is the enterprise-grade cluster management
solution from Docker. You install it on-premises or in your virtual private
cloud, and it helps you manage your Docker cluster and applications from a
single place.
![](images/overview-1.png){: .with-border}
## Centralized cluster management
With Docker you can join up to thousands of physical or virtual machines
together to create a container cluster, allowing you to deploy your applications
at scale. Docker Universal Control Plane extends the functionality provided
by Docker to make it easier to manage your cluster from a centralized place.
You can manage and monitor your container cluster using a graphical UI.
![](images/overview-2.png){: .with-border}
Since UCP exposes the standard Docker API, you can continue using the tools
you already know, including the Docker CLI client, to deploy and manage your
applications.
As an example, you can use the `docker info` command to check the
status of a Docker cluster managed by UCP:
```bash
$ docker info
Containers: 30
Images: 24
Server Version: ucp/2.0.1
Role: primary
Strategy: spread
Filters: health, port, containerslots, dependency, affinity, constraint
Nodes: 2
ucp-node-1: 192.168.99.100:12376
└ Status: Healthy
└ Containers: 20
ucp-node-2: 192.168.99.101:12376
└ Status: Healthy
└ Containers: 10
```
## Deploy, manage, and monitor
With Docker UCP you can manage from a centralized place all the computing
resources you have available like nodes, volumes, and networks.
You can also deploy and monitor your applications and services.
## Built-in security and access control
Docker UCP has its own built-in authentication mechanism and integrates with
LDAP services. It also has Role Based Access Control (RBAC), so that you can
control who can access and make changes to your cluster and applications.
![](images/overview-3.png){: .with-border}
Docker UCP integrates with Docker Trusted Registry so that you can keep the
Docker images you use for your applications behind your firewall, where they
are safe and can't be tampered.
You can also enforce security policies and only allow running applications
that use Docker images you know and trust.
## Where to go next
* [UCP architecture](architecture.md)
* [Install UCP](installation/index.md)

137
datacenter/ucp/2.1/guides/installation/index.md Normal file
View File

@ -0,0 +1,137 @@
---
description: Learn how to install Docker Universal Control Plane on production
keywords: Universal Control Plane, UCP, install
title: Install UCP for production
---
Docker Universal Control Plane (UCP) is a containerized application that can be
installed on-premise or on a cloud infrastructure.
## Step 1: Validate the system requirements
The first step to installing UCP, is ensuring your
infrastructure has all the [requirements UCP needs to run](system-requirements.md).
## Step 2: Install CS Docker on all nodes
UCP is a containerized application that requires the commercially supported
Docker Engine to run.
For each host that you plan to manage with UCP:
1. Log in into that host using ssh.
2. Install CS Docker Engine:
```bash
curl -SLf https://packages.docker.com/1.12/install.sh | sh
```
[You can also install CS Docker Engine using a package manager](/cs-engine/install.md)
Make sure you install the same CS Docker Engine version on all the nodes. Also,
if you're creating virtual machine templates with CS Docker Engine already
installed, make sure the `/etc/docker/key.json` file is not included in the
virtual machine image. When provisioning the virtual machine, restart the Docker
daemon to generate a new `/etc/docker/key.json` file.
## Step 3: Customize named volumes
Skip this step if you want to use the defaults provided by UCP.
Docker UCP uses named volumes to persist data. If you want
to customize the drivers used to manage these volumes, you can create the
volumes before installing UCP. When you install UCP, the installer
will notice that the volumes already exist, and will start using them.
[Learn about the named volumes used by UCP](../architecture.md).
If these volumes don't exist, they'll be automatically created when installing
UCP.
## Step 4: Install UCP
To install UCP you use the `docker/ucp` image, which has commands to install and
manage UCP.
To install UCP:
1. Use ssh to log in into the host where you want to install UCP.
2. Run the following command:
```none
# Pull the latest version of UCP
$ docker pull docker/ucp:latest
# Install UCP
$ docker run --rm -it --name ucp \
-v /var/run/docker.sock:/var/run/docker.sock \
docker/ucp install \
--host-address <node-ip-address> \
--interactive
```
This runs the install command in interactive mode, so that you're
prompted for any necessary configuration values.
To find what other options are available in the install command, check the
[reference documentation](../../reference/cli/install.md).
## Step 5: License your installation
Now that UCP is installed, you need to license it. In your browser, navigate
to the UCP web UI, login with your administrator credentials and upload your
license.
![](../images/install-production-1.png){: .with-border}
If you don't have a license yet, [learn how to get a free trial license](license.md).
## Step 6: Join manager nodes
Skip this step if you don't want UCP to be highly available.
To make your Docker swarm and UCP fault-tolerant and highly available, you can
join more manager nodes to your it. Manager nodes are the nodes in the swarm
that perform the orchestration and swarm management tasks, and dispatch tasks
for worker nodes to execute.
[Learn more about high-availability](../high-availability/index.md).
To join manager nodes to the swarm, go to the **UCP web UI**, navigate to
the **Resources** page, and go to the **Nodes** section.
![](../images/install-production-2.png){: .with-border}
Click the **Add Node button** to add a new node.
![](../images/install-production-3.png){: .with-border}
Check the 'Add node as a manager' to turn this node into a manager and replicate
UCP for high-availability.
Set the 'Use a custom listen address' option if you want to customize the
network and port where this node will listen for swarm management traffic. By
default the node listens on port 2377.
Set the 'Use a custom advertise address' option if you want to customize the
network and port this node will advertise to other swarm members so that they
can reach it.
For each manager node that you want to join to UCP, login into that
node using ssh, and run the join command that is displayed on UCP.
![](../images/install-production-4.png){: .with-border}
After you run the join command in the node, the node starts being displayed
in UCP.
## Step 7: Join worker nodes
Skip this step if you don't want to add more nodes to run and scale your apps.
To add more computational resources to your swarm, you can join worker nodes.
These nodes execute tasks assigned to them by the manager nodes. For this,
use the same steps as before, but don't check the 'Add node as a manager'
option.
## Where to go next
* [Use externally-signed certificates](../configuration/index.md)
* [Integrate with LDAP](../configuration/integrate-with-ldap.md)

60
datacenter/ucp/2.1/guides/installation/install-offline.md Normal file
View File

@ -0,0 +1,60 @@
---
description: Learn how to install Docker Universal Control Plane. on a machine with
no internet access.
keywords: docker, ucp, install, offline
title: Install UCP offline
---
The procedure to install Docker Universal Control Plane on a host is the same,
whether that host has access to the internet or not.
The only difference when installing on an offline host,
is that instead of pulling the UCP images from Docker Hub, you use a
computer that is connected to the internet to download a single package with
all the images. Then you copy that package to the host where youll install UCP.
## Versions available
{% include components/ddc_url_list.html %}
## Download the offline package
Use a computer with internet access to download a single package with all
Docker Datacenter components:
```bash
$ wget <package-url> -O docker-datacenter.tar.gz
```
Now that you have the package in your local machine, you can transfer it to
the machines where you want to install UCP.
For each machine that you want to manage with UCP:
1. Copy the Docker Datacenter package to that machine.
```bash
$ scp docker-datacenter.tar.gz <user>@<host>:/tmp
```
2. Use ssh to login into the hosts where you transferred the package.
3. Load the Docker Datacenter images.
Once the package is transferred to the hosts, you can use the
`docker load` command, to load the Docker images from the tar archive:
```bash
$ docker load < docker-datacenter.tar.gz
```
## Install UCP
Now that the offline hosts have all the images needed to install UCP,
you can [install Docker UCP on that host](index.md).
## Where to go next
* [Install UCP for production](index.md).
* [UCP system requirements](system-requirements.md)

33
datacenter/ucp/2.1/guides/installation/license.md Normal file
View File

@ -0,0 +1,33 @@
---
description: Learn how to license your Docker Universal Control Plane installation.
keywords: Universal Control Plane, UCP, install, license
title: License UCP
---
After installing Docker Universal Control Plane, you need to license your
installation. Here's how to do it.
## Download your license
Go to [Docker Store](https://store.docker.com/bundles/docker-datacenter) and
download your UCP license or get a free trial license.
![](../images/license-ucp-1.png){: .with-border}
## License your installation
Once you've downloaded the license file, you can apply it to your UCP
installation. Navigate to the **UCP web UI**, and then go to the **Settings
page**.
On the **License** page you can upload the new license.
![](../images/license-ucp-2.png){: .with-border}
Click **Upload License** for the changes to take effect.
## Where to go next
* [Install UCP](index.md)
* [Install UCP offline](install-offline.md)

106
datacenter/ucp/2.1/guides/installation/plan-production-install.md Normal file
View File

@ -0,0 +1,106 @@
---
description: Learn about the Docker Universal Control Plane architecture, and the
requirements to install it on production.
keywords: docker, ucp, install, checklist
title: Plan a production installation
---
Docker Universal Control Plane helps you manage your container cluster from a
centralized place. This article explains what you need to consider before
deploying Docker Universal Control Plane for production.
## System requirements
Before installing UCP you should make sure that all nodes (physical or virtual
machines) that you'll manage with UCP:
* [Comply the the system requirements](system-requirements.md)
* Are running the same version of CS Docker Engine
## Hostname strategy
Docker UCP requires CS Docker Engine to run. Before installing the commercially
supported Docker Engine on your cluster nodes, you should plan for a common
hostname strategy.
Decide if you want to use short hostnames like `engine01` or Fully Qualified
Domain Names (FQDN) likes `engine01.docker.vm`. Independently of your choice,
ensure your naming strategy is consistent across the cluster, since Docker
Engine and UCP use hostnames.
As an example, if your cluster has 4 hosts you can name them:
```bash
engine01.docker.vm
engine02.docker.vm
engine03.docker.vm
engine04.docker.vm
```
## Static IP addresses
Docker UCP requires each node on the cluster to have a static IP address.
Before installing UCP, ensure your network and nodes are configured to support
this.
## Time Synchronization
In distributed systems such as Docker UCP, time synchronization is critical
to ensure proper operation. As a best practice to ensure consistency between
then engines in a UCP cluster, all engines should regularly synchronize time
with a NTP server. If a server's clock is skewed, unexpected behavior may
cause poor performance or even failures.
## Load balancing strategy
Docker UCP does not include a load balancer. You can configure your own
load balancer to balance user requests across all controller nodes.
If you plan on using a load balancer, you need to decide whether you are going
to add the nodes to the load balancer using their IP address, or their FQDN.
Independently of what you choose, it should be consistent across nodes.
After that, you should take note of all IPs or FQDNs before starting the
installation.
## Load balancing UCP and DTR
By default, both UCP and DTR use port 443. If you plan on deploying UCP and DTR,
your load balancer needs to distinguish traffic between the two by IP address
or port number.
* If you want to configure your load balancer to listen on port 443:
* Use one load balancer for UCP, and another for DTR,
* Use the same load balancer with multiple virtual IPs.
* Configure your load balancer to expose UCP or DTR on a port other than 443.
## Using external CAs
You can customize UCP to use certificates signed by an external Certificate
Authority. When using your own certificates, take in consideration that you
need to have a certificate bundle that has:
* A ca.pem file with the root CA public certificate,
* A cert.pem file with the server certificate and any intermediate CA public
certificates. This certificate should also have SANs for all addresses used to
reach the UCP controller,
* A key.pem file with server private key.
You can have a certificate for each controller, with a common SAN. As an
example, on a three node cluster you can have:
* engine01.docker.vm with SAN ducp.docker.vm
* engine02.docker.vm with SAN ducp.docker.vm
* engine03.docker.vm with SAN ducp.docker.vm
Alternatively, you can also install UCP with a single externally-signed
certificate for all controllers rather than one for each controller node.
In that case, the certificate files will automatically be copied to any new
controller nodes joining the cluster or being promoted into controllers.
## Where to go next
* [UCP system requirements](system-requirements.md)
* [Install UCP for production](index.md)

83
datacenter/ucp/2.1/guides/installation/scale-your-cluster.md Normal file
View File

@ -0,0 +1,83 @@
---
description: Learn how to scale Docker Universal Control Plane cluster, by adding
and removing nodes.
keywords: UCP, cluster, scale
title: Scale your cluster
---
Docker UCP is designed for scaling horizontally as your applications grow in
size and usage. You can add or remove nodes from the UCP cluster to make it
scale to your needs.
![](../images/scale-your-cluster-1.svg)
Since UCP leverages the clustering functionality provided by Docker Engine,
you use the [docker swarm join](/engine/swarm/swarm-tutorial/add-nodes.md)
command to add more nodes to your cluster. When joining new nodes, the UCP
services automatically start running in that node.
When joining a node a a cluster you can specify its role: manager or worker.
* **Manager nodes**
Manager nodes are responsible for cluster management functionality and
dispatching tasks to worker nodes. Having multiple manager nodes allows
your cluster to be highly-available and tolerate node failures.
Manager nodes also run all UCP components in a replicated way, so by adding
additional manager nodes you're also making UCP highly available.
[Learn more about the UCP architecture.](../architecture.md)
* **Worker nodes**
Worker nodes receive and execute your services and applications. Having
multiple worker nodes allows you to scale the computing capacity of your
cluster.
When deploying Docker Trusted Registry in your cluster, you deploy it to a
worker node.
## Join nodes to the cluster
To add join nodes to the cluster, go to the **UCP web UI**, navigate to
the **Resources** page, and go to the **Nodes** section.
![](../images/scale-your-cluster-1.png){: .with-border}
Click the **Add Node button** to add a new node.
![](../images/scale-your-cluster-2.png){: .with-border}
Check the 'Add node as a manager' option if you want to add the node as manager.
Also, set the 'Use a custom listen address' option to specify the IP of the
host that you'll be joining to the cluster.
Then you can copy the command displayed, use ssh to **log into the host** that
you want to join to the cluster, and **run the command** on that host.
![](../images/scale-your-cluster-3.png){: .with-border}
After you run the join command in the node, the node starts being displayed
in UCP.
## Pause, drain, and remove nodes
Once a node is part of the cluster you can change its role making a manager
node into a worker and vice versa. You can also configure the node availability
so that it is:
* Active: the node can receive and execute tasks.
* Paused: the node continues running existing tasks, but doesn't receive new ones.
* Drained: the node won't receive new tasks. Existing tasks are stopped and
replica tasks are launched in active nodes.
![](../images/scale-your-cluster-4.png){: .with-border}
If you're load-balancing user requests to UCP across multiple manager nodes,
when demoting those nodes into workers, don't forget to remove them from your
load-balancing pool.
## Where to go next
* [Monitor your cluster](../monitor/index.md)

59
datacenter/ucp/2.1/guides/installation/system-requirements.md Normal file
View File

@ -0,0 +1,59 @@
---
description: Learn about the system requirements for installing Docker Universal Control
Plane.
keywords: docker, ucp, architecture, requirements
title: UCP System requirements
---
Docker Universal Control Plane can be installed on-premises or on the cloud.
Before installing, be sure your infrastructure has these requirements.
## Hardware and software requirements
You can install UCP on-premises or on a cloud provider. To install UCP,
all nodes must have:
* Linux kernel version 3.10 or higher
* CS Docker Engine version 1.12.1 or higher
* 2.00 GB of RAM
* 3.00 GB of available disk space
* A static IP address
For highly-available installations, you also need a way to transfer files
between hosts.
## Ports used
When installing UCP on a host, make sure the following ports are open:
| Hosts | Direction | Port | Purpose |
|:------------------|:---------:|:------------------------|:----------------------------------------------------------------------------------|
| managers, workers | in | TCP 443 (configurable) | Port for the UCP web UI and API |
| managers | in | TCP 2376 (configurable) | Port for the Docker Swarm manager. Used for backwards compatibility |
| managers, workers | in | TCP 2377 (configurable) | Port for communication between swarm nodes |
| managers, workers | in, out | TCP, UDP 4789 | Port for overlay networking |
| managers, workers | in, out | TCP, UDP 7946 | Port for overlay networking |
| managers, workers | in | TCP 12376 | Port for a TLS proxy that provides access to UCP, Docker Engine, and Docker Swarm |
| managers | in | TCP 12379 | Port for internal node configuration, cluster configuration, and HA |
| managers | in | TCP 12380 | Port for internal node configuration, cluster configuration, and HA |
| managers | in | TCP 12381 | Port for the certificate authority |
| managers | in | TCP 12382 | Port for the UCP certificate authority |
| managers | in | TCP 12383 | Port for the authentication storage backend |
| managers | in | TCP 12384 | Port for the authentication storage backend for replication across managers |
| managers | in | TCP 12385 | Port for the authentication service API |
| managers | in | TCP 12386 | Port for the authentication worker |
## Compatibility and maintenance lifecycle
Docker Datacenter is a software subscription that includes 3 products:
* CS Docker Engine,
* Docker Trusted Registry,
* Docker Universal Control Plane.
[Learn more about the maintenance lifecycle for these products](http://success.docker.com/Get_Help/Compatibility_Matrix_and_Maintenance_Lifecycle).
## Where to go next
* [UCP architecture](../architecture.md)
* [Plan a production installation](plan-production-install.md)

38
datacenter/ucp/2.1/guides/installation/uninstall.md Normal file
View File

@ -0,0 +1,38 @@
---
description: Learn how to uninstall a Docker Universal Control Plane cluster.
keywords: docker, ucp, uninstall
title: Uninstall UCP
---
Docker UCP is designed to scale as your applications grow in size and usage.
You can [add and remove nodes](scale-your-cluster.md) from the cluster, to make
it scale to your needs.
You can also uninstall Docker Universal Control plane from your cluster. In this
case the UCP services are stopped and removed, but your Docker Engines will
continue running in swarm mode. You applications will continue running normally.
After you uninstall UCP from the cluster, you'll no longer be able to enforce
role-based access control to the cluster, or have a centralized way to monitor
and manage the cluster.
WARNING: After uninstalling UCP from the cluster, you will no longer be able to
join new nodes using `docker swarm join` unless you reinstall UCP.
To uninstall UCP, log in into a manager node using ssh, and run:
```bash
$ docker run --rm -it \
-v /var/run/docker.sock:/var/run/docker.sock \
--name ucp \
docker/ucp uninstall-ucp --interactive
```
This runs the uninstall command in interactive mode, so that you are prompted
for any necessary configuration values.
[Check the reference documentation](../../reference/cli/index.md) to learn the options
available in the `uninstall-ucp` command.
## Where to go next
* [Scale your cluster](scale-your-cluster.md)

107
datacenter/ucp/2.1/guides/installation/upgrade.md Normal file
View File

@ -0,0 +1,107 @@
---
description: Learn how to upgrade Docker Universal Control Plane with minimal impact
to your users.
keywords: Docker, UCP, upgrade, update
redirect_from:
- /ucp/upgrade-ucp/
- /ucp/installation/upgrade/
title: Upgrade to UCP 2.0
---
This page guides you in upgrading Docker Universal Control Plane (UCP) to
version 2.0.
Before upgrading to a new version of UCP, check the
[release notes](../release-notes.md) for the version you are upgrading to.
There you'll find information about the new features, breaking changes, and
other relevant information for upgrading to a particular version.
## Plan the upgrade
As part of the upgrade process, you'll be upgrading the CS Docker Engine
installed in each node of the cluster to version 1.12. If you're currently
running CS Docker Engine 1.11.2-cs3, all containers will be stopped during the
upgrade, causing some downtime to UCP and your applications.
You should plan for the upgrade to take place outside business hours, to ensure
there's minimal impact to your users.
Also, don't make changes to UCP configurations while you're upgrading it. That
can lead to misconfigurations that are difficult to troubleshoot.
## Backup your cluster
Before starting an upgrade, make sure your cluster is healthy. If a problem
occurs that will make it easier to find and troubleshoot any problems.
Then, [create a backup](../high-availability/backups-and-disaster-recovery.md)
of your cluster. This will allow you to recover from an existing backup if
something goes wrong during the upgrade process.
## Upgrade CS Docker Engine
For each node that is part of your cluster, upgrade the CS Docker Engine
installed on that node to CS Docker Engine version 1.12 or higher.
Starting with the controller nodes, and then worker nodes:
1. Log into the node using ssh.
2. Upgrade the CS Docker Engine to version 1.12 or higher.
If you're upgrading from CS Docker Engine 1.11.3 or previous this will cause
some downtime on that node, since all containers will be stopped.
Containers that have a restart policy set to
'always', are automatically started after the upgrade. This is the case of
UCP and DTR components. All other containers need to be started manually.
3. Make sure the node is healthy.
In your browser, navigate to the **UCP web UI**, and validate that the
node is healthy and is part of the cluster.
## Upgrade the first controller node
Start by upgrading a controller node that has valid root CA material. This
can be the first node where you installed UCP or any controller replica
that you've installed using that node's root CA material.
1. Log into the controller node using ssh.
2. Pull the docker/ucp image for the version you want to upgrade to.
```bash
# Check on Docker Hub which versions are available
$ docker pull docker/ucp:<version>
```
3. Upgrade UCP by running:
```bash
$ docker run --rm -it \
--name ucp \
-v /var/run/docker.sock:/var/run/docker.sock \
docker/ucp:<version> \
upgrade --interactive
```
This runs the upgrade command in interactive mode, so that you are prompted
for any necessary configuration values.
The upgrade command will make configuration changes to Docker Engine.
You'll be prompted to restart the Docker Engine, and run the upgrade
command again, to continue the upgrade.
4. Make sure the node is healthy.
In your browser, navigate to the **UCP web UI**, and validate that the
node is healthy and is part of the cluster.
## Upgrade other nodes
Follow the procedure described above to upgrade other nodes in the cluster.
Start by upgrading the remaining controller nodes, and then upgrade any worker
nodes.
## Where to go next
* [UCP release notes](../release-notes.md)

71
datacenter/ucp/2.1/guides/monitor/index.md Normal file
View File

@ -0,0 +1,71 @@
---
description: Monitor your Docker Universal Control Plane installation, and learn how
to troubleshoot it.
keywords: Docker, UCP, troubleshoot
title: Monitor your cluster
---
This article gives you an overview of how to monitor your Docker UCP.
## Check the cluster status from the UI
To monitor your UCP cluster, the first thing to check is the **Nodes**
screen on the UCP web app.
![UCP dashboard](../images/monitor-ucp-1.png){: .with-border}
In the nodes screen you can see if all the nodes in the cluster are healthy, or
if there is any problem.
If you're an administrator you can also check the state and logs of the
UCP internal services.
To check the state of the `ucp-agent` service, navigate to the **Services** page
and toggle the **Show system services** option.
![](../images/monitor-ucp-2.png){: .with-border}
The `ucp-agent` service monitors the node where it is running, deploys other
UCP internal components, and ensures they keep running. The UCP components that
are deployed on a node, depend on whether the node is a manager or worker.
[Learn more about the UCP architecture](../architecture.md)
To check the state and logs of other UCP internal components, go to the
**Containers** page, and appply the **System containers** filter.
This can help validate that all UCP internal components are up and running.
![](../images/monitor-ucp-3.png){: .with-border}
It's normal for the `ucp-reconcile` to be stopped. This container only runs when
the `ucp-agent` detects that a UCP internal component should be running but for
some reason it's not. In this case the `ucp-agent` starts the `ucp-reconcile`
service to start all UCP services that need to be running. Once that is done,
the `ucp-agent` stops.
## Check the cluster status from the CLI
You can also monitor the status of a UCP cluster using the Docker CLI client.
There are two ways to do this, using a
[client certificate bundle](../access-ucp/cli-based-access.md), or logging into
one of the manager nodes using ssh.
Then you can use regular Docker CLI commands to check the status and logs
of the [UCP internal services and containers](../architecture.md).
## Automated status checking
You can use the `https://<ucp-url>/_ping` endpoint to perform automated
monitoring tasks. When you access this endpoint, UCP validates that all its
internal components are working, and returns the following HTTP error codes:
* 200, if all components are healthy
* 500, if one or more components are not healthy
If you're accessing this endpoint through a load balancer, you'll have no way to
know which UCP manager node is not healthy. So make sure you make a request
directly to each manager node.
## Where to go next
* [Troubleshoot your cluster](troubleshoot.md)
* [Get support](../support.md)

77
datacenter/ucp/2.1/guides/monitor/troubleshoot-configurations.md Normal file
View File

@ -0,0 +1,77 @@
---
description: Learn how to troubleshoot your Docker Universal Control Plane cluster.
keywords: ectd, key, value, store, ucp
title: Troubleshoot cluster configurations
---
Docker UCP persists configuration data on an [etcd](https://coreos.com/etcd/)
key-value store that is replicated on all controller nodes of
the UCP cluster. This key-value store is for internal use only, and should not
be used by other applications.
This article shows how you can access the key-value store, for
troubleshooting configuration problems in your cluster.
## Using the REST API
In this example we'll be using `curl` for making requests to the key-value
store REST API, and `jq` to process the responses.
You can install these tools on a Ubuntu distribution by running:
```bash
$ sudo apt-get update && apt-get install curl jq
```
1. Use a client bundle to authenticate your requests.
[Learn more](../access-ucp/cli-based-access.md).
2. Use the REST API to access the cluster configurations.
```bash
# $DOCKER_HOST and $DOCKER_CERT_PATH are set when using the client bundle
$ export KV_URL="https://$(echo $DOCKER_HOST | cut -f3 -d/ | cut -f1 -d:):12379"
$ curl -s \
--cert ${DOCKER_CERT_PATH}/cert.pem \
--key ${DOCKER_CERT_PATH}/key.pem \
--cacert ${DOCKER_CERT_PATH}/ca.pem \
${KV_URL}/v2/keys | jq "."
```
To learn more about the key-value store rest API check the
[etcd official documentation](https://coreos.com/etcd/docs/latest/).
## Using a CLI client
The containers running the key-value store, include `etcdctl`, a command line
client for etcd. You can run it using the `docker exec` command.
The examples below assume you are logged in with ssh into a UCP controller node.
### Check the health of the etcd cluster
```bash
$ docker exec -it ucp-kv etcdctl \
--endpoint https://127.0.0.1:2379 \
--ca-file /etc/docker/ssl/ca.pem \
--cert-file /etc/docker/ssl/cert.pem \
--key-file /etc/docker/ssl/key.pem \
cluster-health
member 16c9ae1872e8b1f0 is healthy: got healthy result from https://192.168.122.64:12379
member c5a24cfdb4263e72 is healthy: got healthy result from https://192.168.122.196:12379
member ca3c1bb18f1b30bf is healthy: got healthy result from https://192.168.122.223:12379
cluster is healthy
```
On failure the command exits with an error code, and no output.
To learn more about the `etcdctl` utility, check the
[etcd official documentation](https://coreos.com/etcd/docs/latest/).
## Where to go next
* [Monitor your cluster](index.md)
* [Get support](../support.md)

59
datacenter/ucp/2.1/guides/monitor/troubleshoot.md Normal file
View File

@ -0,0 +1,59 @@
---
description: Learn how to troubleshoot your Docker Universal Control Plane cluster.
keywords: docker, ucp, troubleshoot
title: Troubleshoot your cluster
---
If you detect problems in your UCP cluster, you can start your troubleshooting
session by checking the logs of the
[individual UCP components](../architecture.md). Only administrator users can
see information about UCP system containers.
## Check the logs from the UI
To see the logs of the UCP system containers, navigate to the **Containers**
page of UCP. By default the UCP system containers are hidden. Click the
**Show all containers** option for the UCP system containers to be listed as
well.
![](../images/troubleshoot-ucp-1.png){: .with-border}
You can click on a container to see more details like its configurations and
logs.
## Check the logs from the CLI
You can also check the logs of UCP system containers from the CLI. This is
specially useful if the UCP web application is not working.
1. Get a client certificate bundle.
When using the Docker CLI client you need to authenticate using client
certificates.
[Learn how to use client certificates](../access-ucp/cli-based-access.md).
If your client certificate bundle is for a non-admin user, you won't have
permissions to see the UCP system containers.
2. Check the logs of UCP system containers.
```bash
# By default system containers are not displayed. Use the -a flag to display them
$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
922503c2102a docker/ucp-controller:1.1.0-rc2 "/bin/controller serv" 4 hours ago Up 30 minutes 192.168.10.100:444->8080/tcp ucp/ucp-controller
1b6d429f1bd5 docker/ucp-swarm:1.1.0-rc2 "/swarm join --discov" 4 hours ago Up 4 hours 2375/tcp ucp/ucp-swarm-join
# See the logs of the ucp/ucp-controller container
$ docker logs ucp/ucp-controller
{"level":"info","license_key":"PUagrRqOXhMH02UgxWYiKtg0kErLY8oLZf1GO4Pw8M6B","msg":"/v1.22/containers/ucp/ucp-controller/json","remote_addr":"192.168.10.1:59546","tags":["api","v1.22","get"],"time":"2016-04-25T23:49:27Z","type":"api","username":"dave.lauper"}
{"level":"info","license_key":"PUagrRqOXhMH02UgxWYiKtg0kErLY8oLZf1GO4Pw8M6B","msg":"/v1.22/containers/ucp/ucp-controller/logs","remote_addr":"192.168.10.1:59546","tags":["api","v1.22","get"],"time":"2016-04-25T23:49:27Z","type":"api","username":"dave.lauper"}
```
## Where to go next
* [Monitor your cluster](index.md)
* [Troubleshoot cluster configurations](troubleshoot-configurations.md)

118
datacenter/ucp/2.1/guides/release-notes.md Normal file
View File

@ -0,0 +1,118 @@
---
description: Release notes for Docker Universal Control Plane. Learn more about the
changes introduced in the latest versions.
keywords: Docker, UCP, Release notes, Versions
title: UCP release notes
---
Here you can learn about new features, bug fixes, breaking changes and
known issues for the latest UCP version.
You can then use [the upgrade instructions](installation/upgrade.md), to
upgrade your installation to the latest release.
## Version 2.0.1
(22 Nov 2016)
**Features**
* UI/UX
* The node details page now shows information about the node's CPU and RAM
* Improved applications page to provide more guidance when there are no apps deployed
**Bug fixes**
* Core
* Fixed an issue with rethinkDB sync that causes timeout failures during upgrades
* HTTP routing mesh no longer crashes if a routed service fails. It also
provides better error messages in the CLI
* docker/ucp image
* Install and upgrade timeouts were increased to ensure the swarm managed by
UCP is fully operational
* Using `--external-server-cert` at install time now correctly preserves
pre-existing server certificates
* Joining a node that's using a non-default Docker runtime path now works as
expected
* UI/UX
* Several buttons and links are now hidden if the user has "Read-Only"
permissions, e.g. deploy application, create volumes, create images
* When importing users from LDAP, the change password fields are no longer
displayed in the user profile
* When integrating with LDAP, the LDAP reader password is no longer displayed
on the UI or HTML
* Clarified that service resource constraints use absolute instead of nano CPU
shares. This is consistent with the Docker CLI
* UI now prompts for confirmation when switching from LDAP to built-in
authentication
* Improved DTR integration screen, to provide more guidance on how to install
DTR
**Known issues**
* When deploying applications from the UI or CLI with the compose file format
2.1, overlay networks will not be created in attachable mode, so containers
will fail to attach to that network. As a workaround you can create the networks
upfront and make them attachable, and change your compose file to use those
networks.
## Version 2.0.0
(10 Nov 2016)
**Features**
* Native support for Docker Engine 1.12 running in swarm mode
* Support for declaring the application desired state with `docker service`
* Backwards compatibility for using `docker run`, `docker-compose`,
`docker logs`, and `docker exec` commands on UCP
* Pause and drain nodes for putting nodes in maintenance
* Specify container health checks in a Dockerfile and view container status
in the web UI
* Granular label-based access control for services and networks
* Use Docker content trust to enforce only running images signed by members
of specific teams
* Built-in TCP load balancing and service discovery for services
* Added an HTTP routing mesh for enabling hostname routing for services
(experimental)
* The UCP web UI now lets you know when a new version is available, and upgrades
to the new version with a single click
**Installer**
* You can now install UCP on an existing Docker Engine 1.12 swarm, by running
the UCP install command on manager node. Requires CS Engine 1.12 or higher.
* It's now possible to install a new UCP cluster using a backup using the
`restore` command. This preserves the UCP cluster configurations but not any
application services or networks from the old cluster.
**Web UI**
* Web UI has been significantly redesigned for this release
* Add, remove, pause, and drain nodes from the web UI and see their status
in real-time
* One-click promotion of worker nodes to managers for high availability
* You can now reconfigure certificates, SANs, and key-value store parameters
from the UI
* Added getting started guides and tooltips for guiding new users on the
platform
* Added instructions to the web UI on how to install and integrate with DTR
* Added a wizard to make it simpler to deploy Docker services from the UI
**General improvements**
* UCP and DTR system resources are now hidden and protected from non-admin users
* Improved support dump with more system information, readable file formats,
and container names/IDs
* LDAP/AD now lists up to 1 million users
**Known issues**
* When deploying applications from the UI or CLI with the compose file format
2.1, overlay networks will not be created in attachable mode, so containers
will fail to attach to that network. As a workaround you can create the networks
upfront and make them attachable, and change your compose file to use those
networks.

24
datacenter/ucp/2.1/guides/support.md Normal file
View File

@ -0,0 +1,24 @@
---
description: Your Docker subscription gives you access to prioritized support. You
can file tickets via email, your the support portal.
keywords: Docker, support, help
title: Get support
---
Your Docker Data Center, or Universal Control Plane subscription gives you
access to prioritized support. The service levels depend on your subscription.
If you need help, you can file a ticket via:
* [Email](mailto:support@docker.com)
* [Docker support page](https://support.docker.com/)
Be sure to use your company email when filing tickets.
## Download a support dump
Docker Support engineers may ask you to provide a UCP support dump. For this:
1. Log into UCP with an administrator account.
2. On the top-right menu, **click your username**, and choose **Support Dump**.

55
datacenter/ucp/2.1/guides/user-management/create-and-manage-teams.md Normal file
View File

@ -0,0 +1,55 @@
---
description: Learn how to create and manage user permissions, using teams in your
Docker Universal Control Plane cluster.
keywords: authorize, authentication, users, teams, UCP, Docker
title: Create and manage teams
---
You can extend the user's default permissions by granting them fine-grain
permissions over resources. You do this by adding the user to a team.
A team defines the permissions users have for resources that have the label
`com.docker.ucp.access.label` applied to them.
To create a new team, go to the **UCP web UI**, and navigate to the
**Users & Teams** page.
![](../images/create-and-manage-teams-1.png){: .with-border}
Click the **Create** button to create a new team, and assign it a name.
![](../images/create-and-manage-teams-2.png){: .with-border}
## Add users to a team
You can now add and remove users from the team.
Navigate to the **Members** tab, and click the **Add User to Team** button.
Then choose the list of users that you want to add to the team.
![](../images/create-and-manage-teams-3.png){: .with-border}
## Manage team permissions
To manage the permissions of the team, click the **Permissions** tab.
Here you can specify a list of labels and the permission level users will have
for resources with those labels.
![](../images/create-and-manage-teams-4.png){: .with-border}
In the example above, members of the 'Operations' team have permissions to
create and edit resources that have the labels
`com.docker.ucp.access.label=operations` applied, but can only view resources
that have the `com.docker.ucp.access.label=blog` label.
There are four permission levels available:
| Team permission level | Description |
|:----------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------|
| `No Access` | The user can't view resources with this label. |
| `View Only` | The user can view but can't create resources with this label. |
| `Restricted Control` | The user can view and create resources with this label. The user can't run `docker exec`, or services that require privileged access to the host. |
| `Full Control` | The user can view and create resources with this label, without any restriction. |
## Where to go next
* [UCP permission levels](permission-levels.md)

42
datacenter/ucp/2.1/guides/user-management/create-and-manage-users.md Normal file
View File

@ -0,0 +1,42 @@
---
description: Learn how to create and manage users in your Docker Universal Control
Plane cluster.
keywords: authorize, authentication, users, teams, UCP, Docker
title: Create and manage users
---
When using the UCP built-in authentication, you need to create users and
assign them with a default permission level so that they can access the
cluster.
To create a new user, go to the **UCP web UI**, and navigate to the
**Users & Teams** page.
![](../images/create-users-1.png){: .with-border}
Click the **Create User** button, and fill-in the user information.
![](../images/create-users-2.png){: .with-border}
Check the 'Is a UCP admin' option, if you want to grant permissions for the
user to change cluster configurations. Also, assign the user with a default
permission level.
Default permissions specify the permission a user has for resources that don't
have the `com.docker.access.label` label applied to them. There are four
permission levels:
| Default permission level | Description |
|:-------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `No Access` | The user can't view resource, like services, images, networks, and volumes. |
| `View Only` | The user can view images and volumes, but can't create services. |
| `Restricted Control` | The user can view and edit volumes and networks. They can create services, but can't see other users services, run `docker exec`, or run containers that require privileged access to the host. |
| `Full Control` | The user can view and edit volumes and networks. They can create containers without any restriction, but can't see other users containers. |
[Learn more about the UCP permission levels](permission-levels.md). Finally,
click the **Create User** button, to create the user.
## Where to go next
* [Create and manage teams](create-and-manage-teams.md)
* [UCP permission levels](permission-levels.md)

55
datacenter/ucp/2.1/guides/user-management/index.md Normal file
View File

@ -0,0 +1,55 @@
---
description: Learn how to manage permissions in Docker Universal Control Plane.
keywords: authorization, authentication, users, teams, UCP
title: Authentication and authorization
---
With Docker Universal Control Plane you get to control who can create and edit
resources like services, images, networks, and volumes in your cluster.
By default no one can make changes to your cluster. You can then grant and
manage permissions to enforce fine-grained access control. For that:
* Start by creating a user and assigning them with a default permission.
Default permissions specify the permission a user has to create and edit
resources. You can choose from four permission levels that range from
no access to full control over the resources.
* Extend the user permissions by adding users to a team.
You can extend the user's default permissions by adding the user to a team.
A team defines the permissions users have for a collection of labels, and
thus the resources that have those labels applied to them.
## Users and teams
When users create services or networks with no label, those resources are only
visible to them and administrator users.
For a team of users to be able to see and edit the same resources, the
resources needs to have the `com.docker.ucp.access.label` label applied.
![](../images/secure-your-infrastructure-1.svg)
In the example above, we have two sets of containers. One set has all containers
labeled with `com.docker.ucp.access.label=crm`, the other has all containers
labeled with `com.docker.ucp.access.label=billing`.
You can now create different teams, and tune the permission level each
team has for those containers.
![](../images/secure-your-infrastructure-2.svg)
As an example you can create three different teams:
* The team that's developing the CRM app has access to create and edit
containers with the label `com.docker.ucp.access.label=crm`.
* The team that's developing the Billing app, has access to create and edit
containers with the label `com.docker.ucp.access.label=billing`.
* And of course, the operations team has access to create and edit containers
with any of the two labels.
## Where to go next
* [Create and manage users](create-and-manage-users.md)
* [Create and manage teams](create-and-manage-teams.md)

57
datacenter/ucp/2.1/guides/user-management/permission-levels.md Normal file
View File

@ -0,0 +1,57 @@
---
description: Learn about the permission levels available in Docker Universal Control
Plane.
keywords: authorization, authentication, users, teams, UCP
title: Permission levels
---
Docker Universal Control Plane has two types of users: administrators and
regular users. Administrators can make changes to the UCP cluster, while
regular users have permissions that range from no access to full control over
volumes, networks, images, and containers.
## Administrator users
In Docker UCP, only users with administrator privileges can make changes to
cluster settings. This includes:
* Managing user and team permissions,
* Managing cluster configurations like adding and removing nodes to the cluster.
## Default permission levels
Regular users can't change cluster settings, and they are assigned with a
default permission level.
The default permission level specify the permission a user has to access or
edit resources. You can choose from four permission levels that range from no
access to full control over the resources.
| Default permission level | Description |
|:-------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `No Access` | The user can't view any resource, like volumes, networks, images, or containers. |
| `View Only` | The user can view volumes, networks and images, but can't create any containers. |
| `Restricted Control` | The user can view and edit volumes, networks, and images. They can create containers, but can't see other users containers, run `docker exec`, or run containers that require privileged access to the host. |
| `Full Control` | The user can view and edit volumes, networks, and images, They can create containers without any restriction, but can't see other users containers. |
When a user only has a default permission assigned, only them and admin
users can see the containers they deploy in the cluster.
## Team permission levels
Teams allow you to define fine-grain permissions to services, containers, and
networks that have the label `com.docker.ucp.access.label` applied to them.
There are four permission levels:
| Team permission level | Description |
|:----------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------|
| `No Access` | The user can't view containers with this label. |
| `View Only` | The user can view but can't create containers with this label. |
| `Restricted Control` | The user can view and create containers with this label. The user can't run `docker exec`, or containers that require privileged access to the host. |
| `Full Control` | The user can view and create containers with this label, without any restriction. |
## Where to go next
* [Create and manage users](create-and-manage-users.md)
* [Create and manage teams](create-and-manage-teams.md)

49
datacenter/ucp/2.1/reference/cli/backup.md Normal file
View File

@ -0,0 +1,49 @@
---
description: Create a backup of a UCP manager node
keywords: docker, dtr, cli, backup
title: docker/ucp backup
---
Create a backup of a UCP manager node
## Usage
```bash
docker run -i --rm \
--name ucp \
-v /var/run/docker.sock:/var/run/docker.sock \
docker/ucp \
backup [command options] > backup.tar
```
## Description
This command creates a tar file with the contents of the volumes used by
this UCP manager node, and prints it. You can then use the 'restore' command to
restore the data from an existing backup.
To create backups of a multi-node swarm, you should create backups for all manager
nodes, one at a time in a quick succession, and keep track of the exact time and
sequence when you performed each backup. You will need this sequence information
if you restore more than one manager node at a time.
Note:
* During the backup, UCP is temporarily stopped. This does not affect your
applications.
* The backup contains private keys and other sensitive information. Use the
'--passphrase' flag to encrypt the backup with PGP-compatible encryption.
## Options
| Option | Description |
|:--------------------------|:---------------------------|
|`--debug, D`|Enable debug mode|
|`--jsonlog`|Produce json formatted output for easier parsing|
|`--interactive, i`|Run in interactive mode and prompt for configuration values|
|`--id`|The ID of the UCP instance to backup|
|`--passphrase`|Encrypt the tar file with a passphrase|

37
datacenter/ucp/2.1/reference/cli/dump-certs.md Normal file
View File

@ -0,0 +1,37 @@
---
description: Print the public certificates used by this UCP web server
keywords: docker, dtr, cli, dump-certs
title: docker/ucp dump-certs
---
Print the public certificates used by this UCP web server
## Usage
```bash
docker run --rm \
--name ucp \
-v /var/run/docker.sock:/var/run/docker.sock \
docker/ucp \
dump-certs [command options]
```
## Description
This command outputs the public certificates for the UCP web server running on
this node. By default it prints the contents of the ca.pem and cert.pem files.
When integrating UCP and DTR, use this command with the '--cluster --ca' flags
to configure DTR.
## Options
| Option | Description |
|:--------------------------|:---------------------------|
|`--debug, D`|Enable debug mode|
|`--jsonlog`|Produce json formatted output for easier parsing|
|`--ca`|Only print the contents of the ca.pem file|
|`--cluster`|Print the internal UCP swarm root CA and cert instead of the public server cert|

24
datacenter/ucp/2.1/reference/cli/fingerprint.md Normal file
View File

@ -0,0 +1,24 @@
---
description: Print the TLS fingerprint for this UCP web server
keywords: docker, dtr, cli, fingerprint
title: docker/ucp fingerprint
---
Print the TLS fingerprint for this UCP web server
## Usage
```bash
docker run --rm \
--name ucp \
-v /var/run/docker.sock:/var/run/docker.sock \
docker/ucp \
fingerprint [command options]
```
## Description
This command displays the fingerprint of the certificate used in the UCP web
server running on this node.

27
datacenter/ucp/2.1/reference/cli/id.md Normal file
View File

@ -0,0 +1,27 @@
---
description: Print the ID of UCP running on this node
keywords: docker, dtr, cli, id
title: docker/ucp id
---
Print the ID of UCP running on this node
## Usage
```bash
docker run -it --rm \
--name ucp \
-v /var/run/docker.sock:/var/run/docker.sock \
docker/ucp \
id [command options]
```
## Description
This command prints the ID of the UCP components running on this node. This ID
matches what you see when running the 'docker info' command while using
a client bundle.
This ID is used by other commands as confirmation.

36
datacenter/ucp/2.1/reference/cli/images.md Normal file
View File

@ -0,0 +1,36 @@
---
description: Verify the UCP images on this node
keywords: docker, dtr, cli, images
title: docker/ucp images
---
Verify the UCP images on this node
## Usage
```bash
docker run -it --rm \
--name ucp \
-v /var/run/docker.sock:/var/run/docker.sock \
docker/ucp \
images [command options]
```
## Description
This command checks the UCP images that are available in this node, and pulls
the ones that are missing.
## Options
| Option | Description |
|:--------------------------|:---------------------------|
|`--debug, D`|Enable debug mode|
|`--jsonlog`|Produce json formatted output for easier parsing|
|`--pull`|Pull UCP images: 'always', when 'missing', or 'never'|
|`--registry-username`|Username to use when pulling images|
|`--registry-password`|Password to use when pulling images|
|`--list`|List all images used by UCP but don't pull them|

44
datacenter/ucp/2.1/reference/cli/index.md Normal file
View File

@ -0,0 +1,44 @@
---
description: Learn about the commands available in the docker/ucp image.
keywords: docker, ucp, cli, ucp
title: docker/ucp overview
---
This image has commands to install and manage
Docker Universal Control Plane (UCP) on a Docker Engine.
You can configure the commands using flags or environment variables. When using
environment variables use the 'docker run -e VARIABLE_NAME' syntax to pass the
value from your shell, or 'docker run -e VARIABLE_NAME=value' to specify the
value explicitly on the command line.
The container running this image needs to be named 'ucp' and bind-mount the
Docker daemon socket. Below you can find an example of how to run this image.
Additional help is available for each command with the '--help' flag.
## Usage
```bash
docker run -it --rm \
--name ucp \
-v /var/run/docker.sock:/var/run/docker.sock \
docker/ucp \
command [command arguments]
```
## Commands
| Option | Description |
|:-----------------------------|:---------------------------|
|`install`| Install UCP on this node|
|`restart`| Start or restart UCP components running on this node|
|`stop`| Stop UCP components running on this node|
|`upgrade`| Upgrade the UCP components on this node|
|`images`| Verify the UCP images on this node|
|`uninstall-ucp`| Uninstall UCP from this swarm|
|`dump-certs`| Print the public certificates used by this UCP web server|
|`fingerprint`| Print the TLS fingerprint for this UCP web server|
|`support`| Create a support dump for this UCP node|
|`id`| Print the ID of UCP running on this node|
|`backup`| Create a backup of a UCP manager node|
|`restore`| Restore a UCP manager node from a backup|

84
datacenter/ucp/2.1/reference/cli/install.md Normal file
View File

@ -0,0 +1,84 @@
---
description: Install UCP on this node
keywords: docker, dtr, cli, install
title: docker/ucp install
---
Install UCP on this node
## Usage
```bash
docker run -it --rm \
--name ucp \
-v /var/run/docker.sock:/var/run/docker.sock \
docker/ucp \
install [command options]
```
## Description
This command initializes a new swarm, turns this node into a manager, and installs
Docker Universal Control Plane (UCP).
When installing UCP you can customize:
* The certificates used by the UCP web server. Create a volume
named 'ucp-controller-server-certs' and copy the ca.pem, cert.pem, and key.pem
files to the root directory. Then run the install command with the
'--external-server-cert' flag.
* The license used by UCP, by bind-mounting the file at
'/config/docker_subscription.lic' in the tool.
E.g. -v /path/to/my/config/docker_subscription.lic:/config/docker_subscription.lic
* The initial users, permissions and settings of the system, using a backup of
an existing UCP cluster. Bind-mount the backup file under
'/config/backup.tar' in the tool and use the '--from-backup' flag. When
using the '--from-backup' flag, all other configuration flags are
respected, except for the '--admin-username' and '--admin-password' flags.
If you're joining more nodes to this swarm, open the following ports in your
firewall:
* 443 or the '--controller-port'
* 2376 or the '--swarm-port'
* 12376, 4789, 12379, 12380, 12381, 12382, 12383, 12384, 12385, 12386
* 4789(udp) and 7946(tcp/udp) for overlay networking
## Options
| Option | Description |
|:--------------------------|:---------------------------|
|`--debug, D`|Enable debug mode|
|`--jsonlog`|Produce json formatted output for easier parsing|
|`--interactive, i`|Run in interactive mode and prompt for configuration values|
|`--admin-username`|The UCP administrator username|
|`--admin-password`|The UCP administrator password|
|`--san`|Add subject alternative names to certificates (e.g. --san www1.acme.com --san www2.acme.com)|
|`--host-address`|The network address to advertise to other nodes. Format: IP address or network interface name|
|`--swarm-port`|Port for the Docker Swarm manager. Used for backwards compatibility|
|`--controller-port`|Port for the web UI and API|
|`--swarm-grpc-port`|Port for communication between nodes|
|`--dns`|Set custom DNS servers for the UCP containers|
|`--dns-opt`|Set DNS options for the UCP containers|
|`--dns-search`|Set custom DNS search domains for the UCP containers|
|`--pull`|Pull UCP images: 'always', when 'missing', or 'never'|
|`--registry-username`|Username to use when pulling images|
|`--registry-password`|Password to use when pulling images|
|`--kv-timeout`|Timeout in milliseconds for the key-value store|
|`--kv-snapshot-count`|Number of changes between key-value store snapshots|
|`--from-backup`|Initialize a system from a backup of a UCP cluster|
|`--passphrase`|The passphrase needed to decrypt the backup file. To be used together with --from-backup if the backup is encrypted.|
|`--swarm-experimental`|Enable Docker Swarm experimental features. Used for backwards compatibility|
|`--disable-tracking`|Disable anonymous tracking and analytics|
|`--disable-usage`|Disable anonymous usage reporting|
|`--external-server-cert`|Customize the certificates used by the UCP web server|
|`--preserve-certs`|Don't generate certificates if they already exist|
|`--binpack`|Set the Docker Swarm scheduler to binpack mode. Used for backwards compatibility|
|`--random`|Set the Docker Swarm scheduler to random mode. Used for backwards compatibility|
|`--external-service-lb`|Set the external service load balancer reported in the UI|
|`--enable-profiling`|Enable performance profiling|

26
datacenter/ucp/2.1/reference/cli/restart.md Normal file
View File

@ -0,0 +1,26 @@
---
description: Start or restart UCP components running on this node
keywords: docker, dtr, cli, restart
title: docker/ucp restart
---
Start or restart UCP components running on this node
## Usage
```bash
docker run -it --rm \
--name ucp \
-v /var/run/docker.sock:/var/run/docker.sock \
docker/ucp \
restart [command options]
```
## Options
| Option | Description |
|:--------------------------|:---------------------------|
|`--debug, D`|Enable debug mode|
|`--jsonlog`|Produce json formatted output for easier parsing|

51
datacenter/ucp/2.1/reference/cli/restore.md Normal file
View File

@ -0,0 +1,51 @@
---
description: Restore a UCP manager node from a backup
keywords: docker, dtr, cli, restore
title: docker/ucp restore
---
Restore a UCP manager node from a backup
## Usage
```bash
docker run -i --rm \
--name ucp \
-v /var/run/docker.sock:/var/run/docker.sock \
docker/ucp \
restore [command options] < restore.tar
```
## Description
This command restores the state of this UCP manager node using a tar file
generated by the 'backup' command.
The restore command stops the UCP components running on this node and restores
the data from a backup, overwriting all existing data.
By default the backup tar file is read from stdin. You can also bind-mount the
backup file under /config/backup.tar, and run the restore command with the
'--interactive' flag.
Note:
* Before restoring a manager node, you need to stop all other managers.
* During the restore, UCP is temporarily stopped on this node. This does not
affect your applications.
* You need to restore using a backup you created for that specific node.
## Options
| Option | Description |
|:--------------------------|:---------------------------|
|`--debug, D`|Enable debug mode|
|`--jsonlog`|Produce json formatted output for easier parsing|
|`--interactive, i`|Run in interactive mode and prompt for configuration values|
|`--id`|The ID of the UCP instance to backup|
|`--passphrase`|Decrypt the tar file with the provided passphrase|

25
datacenter/ucp/2.1/reference/cli/stop.md Normal file
View File

@ -0,0 +1,25 @@
---
description: Stop UCP components running on this node
keywords: docker, dtr, cli, stop
title: docker/ucp stop
---
Stop UCP components running on this node
## Usage
```bash
docker run -it --rm \
--name ucp \
-v /var/run/docker.sock:/var/run/docker.sock \
docker/ucp \
stop [command options]
```
## Options
| Option | Description |
|:--------------------------|:---------------------------|
|`--debug, D`|Enable debug mode|
|`--jsonlog`|Produce json formatted output for easier parsing|

23
datacenter/ucp/2.1/reference/cli/support.md Normal file
View File

@ -0,0 +1,23 @@
---
description: Create a support dump for this UCP node
keywords: docker, dtr, cli, support
title: docker/ucp support
---
Create a support dump for this UCP node
## Usage
```bash
docker run --rm \
--name ucp \
-v /var/run/docker.sock:/var/run/docker.sock \
docker/ucp \
support [command options] > docker-support.tgz
```
## Description
This command creates a support dump file for this node, and prints it to stdout.

42
datacenter/ucp/2.1/reference/cli/uninstall-ucp.md Normal file
View File

@ -0,0 +1,42 @@
---
description: Uninstall UCP from this swarm
keywords: docker, dtr, cli, uninstall-ucp
title: docker/ucp uninstall-ucp
---
Uninstall UCP from this swarm
## Usage
```bash
docker run -it --rm \
--name ucp \
-v /var/run/docker.sock:/var/run/docker.sock \
docker/ucp \
uninstall-ucp [command options]
```
## Description
This command uninstalls UCP from the swarm, but preserves the swarm so that
your applications can continue running.
After UCP is uninstalled you can use the 'docker swarm leave' and
'docker node rm' commands to remove nodes from the swarm.
Once UCP is uninstalled, you won't be able to join nodes to the swarm unless
UCP is installed again.
## Options
| Option | Description |
|:--------------------------|:---------------------------|
|`--debug, D`|Enable debug mode|
|`--jsonlog`|Produce json formatted output for easier parsing|
|`--interactive, i`|Run in interactive mode and prompt for configuration values|
|`--pull`|Pull UCP images: 'always', when 'missing', or 'never'|
|`--registry-username`|Username to use when pulling images|
|`--registry-password`|Password to use when pulling images|
|`--id`|The ID of the UCP instance to uninstall|

43
datacenter/ucp/2.1/reference/cli/upgrade.md Normal file
View File

@ -0,0 +1,43 @@
---
description: Upgrade the UCP components on this node
keywords: docker, dtr, cli, upgrade
title: docker/ucp upgrade
---
Upgrade the UCP components on this node
## Usage
```bash
docker run -it --rm docker/ucp \
upgrade [command options]
```
## Description
This commands upgrades the UCP running on this node.
To upgrade UCP:
* Upgrade the Docker Engine in all nodes (optional)
* Run the upgrade command in all manager nodes
* Run the upgrade command in all worker nodes
After upgrading UCP in a node, go to the UCP web UI and confirm the node is
healthy, before upgrading other nodes.
## Options
| Option | Description |
|:--------------------------|:---------------------------|
|`--debug, D`|Enable debug mode|
|`--jsonlog`|Produce json formatted output for easier parsing|
|`--interactive, i`|Run in interactive mode and prompt for configuration values|
|`--admin-username`|The UCP administrator username|
|`--admin-password`|The UCP administrator password|
|`--pull`|Pull UCP images: 'always', when 'missing', or 'never'|
|`--registry-username`|Username to use when pulling images|
|`--registry-password`|Password to use when pulling images|
|`--id`|The ID of the UCP instance to upgrade|
|`--host-address`|Override the previously configured host address with this IP or network interface|