docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Introduce UCP 2.2

This commit is contained in:
Joao Fernandes 2017-04-25 13:30:08 -07:00 committed by Jim Galasyn
parent aef65e40de
commit 5dc157d05d
149 changed files with 6383 additions and 55 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

244
_data/toc.yaml
View File

@ -1584,137 +1584,137 @@ manuals:
title: Deploy Datacenter on Azure
- sectiontitle: Universal Control Plane
section:
- path: /datacenter/ucp/2.1/guides/
- path: /datacenter/ucp/2.2/guides/
title: Universal Control Plane overview
- path: /datacenter/ucp/2.1/guides/architecture/
- path: /datacenter/ucp/2.2/guides/architecture/
title: Architecture
- sectiontitle: Administration
section:
- sectiontitle: Install
section:
- path: /datacenter/ucp/2.1/guides/admin/install/system-requirements/
- path: /datacenter/ucp/2.2/guides/admin/install/system-requirements/
title: System requirements
- path: /datacenter/ucp/2.1/guides/admin/install/plan-installation/
- path: /datacenter/ucp/2.2/guides/admin/install/plan-installation/
title: Plan your installation
- path: /datacenter/ucp/2.1/guides/admin/install/
- path: /datacenter/ucp/2.2/guides/admin/install/
title: Install
- path: /datacenter/ucp/2.1/guides/admin/install/install-offline/
- path: /datacenter/ucp/2.2/guides/admin/install/install-offline/
title: Install offline
- path: /datacenter/ucp/2.1/guides/admin/upgrade/
- path: /datacenter/ucp/2.2/guides/admin/upgrade/
title: Upgrade
- path: /datacenter/ucp/2.1/guides/admin/upgrade-offline/
- path: /datacenter/ucp/2.2/guides/admin/upgrade-offline/
title: Upgrade offline
- path: /datacenter/ucp/2.1/guides/admin/install/uninstall/
- path: /datacenter/ucp/2.2/guides/admin/install/uninstall/
title: Uninstall
- sectiontitle: Configure
section:
- path: /datacenter/ucp/2.1/guides/admin/configure/license-your-installation/
- path: /datacenter/ucp/2.2/guides/admin/configure/license-your-installation/
title: License your installation
- path: /datacenter/ucp/2.1/guides/admin/configure/use-your-own-tls-certificates/
- path: /datacenter/ucp/2.2/guides/admin/configure/use-your-own-tls-certificates/
title: Use your own TLS certificates
- path: /datacenter/ucp/2.1/guides/admin/configure/scale-your-cluster/
- path: /datacenter/ucp/2.2/guides/admin/configure/scale-your-cluster/
title: Scale your cluster
- path: /datacenter/ucp/2.1/guides/admin/configure/set-up-high-availability/
- path: /datacenter/ucp/2.2/guides/admin/configure/set-up-high-availability/
title: Set up high availability
- path: /datacenter/ucp/2.1/guides/admin/configure/use-a-load-balancer/
- path: /datacenter/ucp/2.2/guides/admin/configure/use-a-load-balancer/
title: Use a load balancer
- path: /datacenter/ucp/2.1/guides/admin/configure/add-labels-to-cluster-nodes/
- path: /datacenter/ucp/2.2/guides/admin/configure/add-labels-to-cluster-nodes/
title: Add labels to cluster nodes
- path: /datacenter/ucp/2.1/guides/admin/configure/add-sans-to-cluster/
- path: /datacenter/ucp/2.2/guides/admin/configure/add-sans-to-cluster/
title: Add SANs to cluster certificates
- path: /datacenter/ucp/2.1/guides/admin/configure/store-logs-in-an-external-system/
- path: /datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system/
title: Store logs in an external system
- path: /datacenter/ucp/2.1/guides/admin/configure/restrict-services-to-worker-nodes/
- path: /datacenter/ucp/2.2/guides/admin/configure/restrict-services-to-worker-nodes/
title: Restrict services to worker nodes
- path: /datacenter/ucp/2.1/guides/admin/configure/use-domain-names-to-access-services/
- path: /datacenter/ucp/2.2/guides/admin/configure/use-domain-names-to-access-services/
title: Use domain names to access services
- path: /datacenter/ucp/2.1/guides/admin/configure/run-only-the-images-you-trust/
- path: /datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust/
title: Run only the images you trust
- path: /datacenter/ucp/2.1/guides/admin/configure/external-auth/
- path: /datacenter/ucp/2.2/guides/admin/configure/external-auth/
title: Integrate with LDAP
- sectiontitle: Manage users
section:
- path: /datacenter/ucp/2.1/guides/admin/manage-users/
- path: /datacenter/ucp/2.2/guides/admin/manage-users/
title: Authentication and authorization
- path: /datacenter/ucp/2.1/guides/admin/manage-users/create-and-manage-users/
- path: /datacenter/ucp/2.2/guides/admin/manage-users/create-and-manage-users/
title: Create and manage users
- path: /datacenter/ucp/2.1/guides/admin/manage-users/create-and-manage-teams/
- path: /datacenter/ucp/2.2/guides/admin/manage-users/create-and-manage-teams/
title: Create and manage teams
- path: /datacenter/ucp/2.1/guides/admin/manage-users/permission-levels/
- path: /datacenter/ucp/2.2/guides/admin/manage-users/permission-levels/
title: Permission levels
- path: /datacenter/ucp/2.1/guides/admin/manage-users/recover-a-user-password/
- path: /datacenter/ucp/2.2/guides/admin/manage-users/recover-a-user-password/
title: Recover a user password
- sectiontitle: Monitor and troubleshoot
section:
- path: /datacenter/ucp/2.1/guides/admin/monitor-and-troubleshoot/
- path: /datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/
title: Monitor the cluster status
- path: /datacenter/ucp/2.1/guides/admin/monitor-and-troubleshoot/troubleshoot-node-messages/
- path: /datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-node-messages/
title: Troubleshoot node messages
- path: /datacenter/ucp/2.1/guides/admin/monitor-and-troubleshoot/troubleshoot-with-logs/
- path: /datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-with-logs/
title: Troubleshoot with logs
- path: /datacenter/ucp/2.1/guides/admin/monitor-and-troubleshoot/troubleshoot-configurations/
- path: /datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-configurations/
title: Troubleshoot configurations
- path: /datacenter/ucp/2.1/guides/admin/backups-and-disaster-recovery/
- path: /datacenter/ucp/2.2/guides/admin/backups-and-disaster-recovery/
title: Backups and disaster recovery
- sectiontitle: CLI reference
section:
- path: /datacenter/ucp/2.1/reference/cli/
- path: /datacenter/ucp/2.2/reference/cli/
title: docker/ucp overview
- path: /datacenter/ucp/2.1/reference/cli/backup/
- path: /datacenter/ucp/2.2/reference/cli/backup/
title: backup
- path: /datacenter/ucp/2.1/reference/cli/dump-certs/
- path: /datacenter/ucp/2.2/reference/cli/dump-certs/
title: dump-certs
- path: /datacenter/ucp/2.1/reference/cli/fingerprint/
- path: /datacenter/ucp/2.2/reference/cli/fingerprint/
title: fingerprint
- path: /datacenter/ucp/2.1/reference/cli/id/
- path: /datacenter/ucp/2.2/reference/cli/id/
title: id
- path: /datacenter/ucp/2.1/reference/cli/images/
- path: /datacenter/ucp/2.2/reference/cli/images/
title: images
- path: /datacenter/ucp/2.1/reference/cli/install/
- path: /datacenter/ucp/2.2/reference/cli/install/
title: install
- path: /datacenter/ucp/2.1/reference/cli/restart/
- path: /datacenter/ucp/2.2/reference/cli/restart/
title: restart
- path: /datacenter/ucp/2.1/reference/cli/restore/
- path: /datacenter/ucp/2.2/reference/cli/restore/
title: restore
- path: /datacenter/ucp/2.1/reference/cli/stop/
- path: /datacenter/ucp/2.2/reference/cli/stop/
title: stop
- path: /datacenter/ucp/2.1/reference/cli/support/
- path: /datacenter/ucp/2.2/reference/cli/support/
title: support
- path: /datacenter/ucp/2.1/reference/cli/uninstall-ucp/
- path: /datacenter/ucp/2.2/reference/cli/uninstall-ucp/
title: uninstall-ucp
- path: /datacenter/ucp/2.1/reference/cli/upgrade/
- path: /datacenter/ucp/2.2/reference/cli/upgrade/
title: upgrade
- sectiontitle: User guides
section:
- sectiontitle: Access UCP
section:
- path: /datacenter/ucp/2.1/guides/user/access-ucp/
- path: /datacenter/ucp/2.2/guides/user/access-ucp/
title: Web-based access
- path: /datacenter/ucp/2.1/guides/user/access-ucp/cli-based-access/
- path: /datacenter/ucp/2.2/guides/user/access-ucp/cli-based-access/
title: CLI-based access
- sectiontitle: Deploy an application
section:
- path: /datacenter/ucp/2.1/guides/user/services/deploy-a-service/
- path: /datacenter/ucp/2.2/guides/user/services/deploy-a-service/
title: Deploy a service
- path: /datacenter/ucp/2.1/guides/user/services/use-domain-names-to-access-services/
- path: /datacenter/ucp/2.2/guides/user/services/use-domain-names-to-access-services/
title: Use domain names to access services
- path: /datacenter/ucp/2.1/guides/user/services/
- path: /datacenter/ucp/2.2/guides/user/services/
title: Deploy an app from the UI
- path: /datacenter/ucp/2.1/guides/user/services/deploy-app-cli/
- path: /datacenter/ucp/2.2/guides/user/services/deploy-app-cli/
title: Deploy an app from the CLI
- sectiontitle: Secrets
section:
- path: /datacenter/ucp/2.1/guides/user/secrets/
- path: /datacenter/ucp/2.2/guides/user/secrets/
title: Manage secrets
- path: /datacenter/ucp/2.1/guides/user/secrets/grant-revoke-access/
- path: /datacenter/ucp/2.2/guides/user/secrets/grant-revoke-access/
title: Grant access to secrets
- sectiontitle: Release notes
section:
- path: /datacenter/ucp/2.1/guides/release-notes/
- path: /datacenter/ucp/2.2/guides/release-notes/
title: Release notes
- path: /datacenter/ucp/2.1/guides/release-notes/incompatibilities-and-breaking-changes/
- path: /datacenter/ucp/2.2/guides/release-notes/incompatibilities-and-breaking-changes/
title: Incompatibilities and breaking changes
- path: /datacenter/ucp/2.1/guides/get-support/
- path: /datacenter/ucp/2.2/guides/get-support/
title: Get support
- sectiontitle: Docker Trusted Registry
section:
@ -1850,6 +1850,140 @@ manuals:
title: Get support
- sectiontitle: Previous versions
section:
- sectiontitle: Universal Control Plane 2.2
section:
- path: /datacenter/ucp/2.1/guides/
title: Universal Control Plane overview
- path: /datacenter/ucp/2.1/guides/architecture/
title: Architecture
- sectiontitle: Administration
section:
- sectiontitle: Install
section:
- path: /datacenter/ucp/2.1/guides/admin/install/system-requirements/
title: System requirements
- path: /datacenter/ucp/2.1/guides/admin/install/plan-installation/
title: Plan your installation
- path: /datacenter/ucp/2.1/guides/admin/install/
title: Install
- path: /datacenter/ucp/2.1/guides/admin/install/install-offline/
title: Install offline
- path: /datacenter/ucp/2.1/guides/admin/upgrade/
title: Upgrade
- path: /datacenter/ucp/2.1/guides/admin/upgrade-offline/
title: Upgrade offline
- path: /datacenter/ucp/2.1/guides/admin/install/uninstall/
title: Uninstall
- sectiontitle: Configure
section:
- path: /datacenter/ucp/2.1/guides/admin/configure/license-your-installation/
title: License your installation
- path: /datacenter/ucp/2.1/guides/admin/configure/use-your-own-tls-certificates/
title: Use your own TLS certificates
- path: /datacenter/ucp/2.1/guides/admin/configure/scale-your-cluster/
title: Scale your cluster
- path: /datacenter/ucp/2.1/guides/admin/configure/set-up-high-availability/
title: Set up high availability
- path: /datacenter/ucp/2.1/guides/admin/configure/use-a-load-balancer/
title: Use a load balancer
- path: /datacenter/ucp/2.1/guides/admin/configure/add-labels-to-cluster-nodes/
title: Add labels to cluster nodes
- path: /datacenter/ucp/2.1/guides/admin/configure/add-sans-to-cluster/
title: Add SANs to cluster certificates
- path: /datacenter/ucp/2.1/guides/admin/configure/store-logs-in-an-external-system/
title: Store logs in an external system
- path: /datacenter/ucp/2.1/guides/admin/configure/restrict-services-to-worker-nodes/
title: Restrict services to worker nodes
- path: /datacenter/ucp/2.1/guides/admin/configure/use-domain-names-to-access-services/
title: Use domain names to access services
- path: /datacenter/ucp/2.1/guides/admin/configure/run-only-the-images-you-trust/
title: Run only the images you trust
- path: /datacenter/ucp/2.1/guides/admin/configure/external-auth/
title: Integrate with LDAP
- sectiontitle: Manage users
section:
- path: /datacenter/ucp/2.1/guides/admin/manage-users/
title: Authentication and authorization
- path: /datacenter/ucp/2.1/guides/admin/manage-users/create-and-manage-users/
title: Create and manage users
- path: /datacenter/ucp/2.1/guides/admin/manage-users/create-and-manage-teams/
title: Create and manage teams
- path: /datacenter/ucp/2.1/guides/admin/manage-users/permission-levels/
title: Permission levels
- path: /datacenter/ucp/2.1/guides/admin/manage-users/recover-a-user-password/
title: Recover a user password
- sectiontitle: Monitor and troubleshoot
section:
- path: /datacenter/ucp/2.1/guides/admin/monitor-and-troubleshoot/
title: Monitor the cluster status
- path: /datacenter/ucp/2.1/guides/admin/monitor-and-troubleshoot/troubleshoot-node-messages/
title: Troubleshoot node messages
- path: /datacenter/ucp/2.1/guides/admin/monitor-and-troubleshoot/troubleshoot-with-logs/
title: Troubleshoot with logs
- path: /datacenter/ucp/2.1/guides/admin/monitor-and-troubleshoot/troubleshoot-configurations/
title: Troubleshoot configurations
- path: /datacenter/ucp/2.1/guides/admin/backups-and-disaster-recovery/
title: Backups and disaster recovery
- sectiontitle: CLI reference
section:
- path: /datacenter/ucp/2.1/reference/cli/
title: docker/ucp overview
- path: /datacenter/ucp/2.1/reference/cli/backup/
title: backup
- path: /datacenter/ucp/2.1/reference/cli/dump-certs/
title: dump-certs
- path: /datacenter/ucp/2.1/reference/cli/fingerprint/
title: fingerprint
- path: /datacenter/ucp/2.1/reference/cli/id/
title: id
- path: /datacenter/ucp/2.1/reference/cli/images/
title: images
- path: /datacenter/ucp/2.1/reference/cli/install/
title: install
- path: /datacenter/ucp/2.1/reference/cli/restart/
title: restart
- path: /datacenter/ucp/2.1/reference/cli/restore/
title: restore
- path: /datacenter/ucp/2.1/reference/cli/stop/
title: stop
- path: /datacenter/ucp/2.1/reference/cli/support/
title: support
- path: /datacenter/ucp/2.1/reference/cli/uninstall-ucp/
title: uninstall-ucp
- path: /datacenter/ucp/2.1/reference/cli/upgrade/
title: upgrade
- sectiontitle: User guides
section:
- sectiontitle: Access UCP
section:
- path: /datacenter/ucp/2.1/guides/user/access-ucp/
title: Web-based access
- path: /datacenter/ucp/2.1/guides/user/access-ucp/cli-based-access/
title: CLI-based access
- sectiontitle: Deploy an application
section:
- path: /datacenter/ucp/2.1/guides/user/services/deploy-a-service/
title: Deploy a service
- path: /datacenter/ucp/2.1/guides/user/services/use-domain-names-to-access-services/
title: Use domain names to access services
- path: /datacenter/ucp/2.1/guides/user/services/
title: Deploy an app from the UI
- path: /datacenter/ucp/2.1/guides/user/services/deploy-app-cli/
title: Deploy an app from the CLI
- sectiontitle: Secrets
section:
- path: /datacenter/ucp/2.1/guides/user/secrets/
title: Manage secrets
- path: /datacenter/ucp/2.1/guides/user/secrets/grant-revoke-access/
title: Grant access to secrets
- sectiontitle: Release notes
section:
- path: /datacenter/ucp/2.1/guides/release-notes/
title: Release notes
- path: /datacenter/ucp/2.1/guides/release-notes/incompatibilities-and-breaking-changes/
title: Incompatibilities and breaking changes
- path: /datacenter/ucp/2.1/guides/get-support/
title: Get support
- sectiontitle: Universal Control Plane 2.0
section:
- path: /datacenter/ucp/2.0/guides/

159
datacenter/ucp/2.2/guides/admin/backups-and-disaster-recovery.md Normal file
View File

@ -0,0 +1,159 @@
---
description: Learn how to backup your Docker Universal Control Plane cluster, and
to recover your cluster from an existing backup.
keywords: docker, ucp, backup, restore, recovery
title: Backups and disaster recovery
---
When you decide to start using Docker Universal Control Plane on a production
setting, you should
[configure it for high availability](configure/set-up-high-availability.md).
The next step is creating a backup policy and disaster recovery plan.
## Backup policy
As part of your backup policy you should regularly create backups of UCP.
To create a UCP backup, you can run the `{{ page.docker_image }} backup` command
on a single UCP manager. This command creates a tar archive with the
contents of all the [volumes used by UCP](../architecture.md) to persist data
and streams it to stdout.
You only need to run the backup command on a single UCP manager node. Since UCP
stores the same data on all manager nodes, you only need to take periodic
backups of a single manager node.
To create a consistent backup, the backup command temporarily stops the UCP
containers running on the node where the backup is being performed. User
resources, such as services, containers, and stacks are not affected by this
operation and will continue operating as expected. Any long-lasting `exec`,
`logs`, `events` or `attach` operations on the affected manager node will
be disconnected.
Additionally, if UCP is not configured for high availability, you will be
temporarily unable to:
* Log in to the UCP Web UI
* Perform CLI operations using existing client bundles
To minimize the impact of the backup policy on your business, you should:
* Configure UCP for high availability. This allows load-balancing user requests
across multiple UCP manager nodes.
* Schedule the backup to take place outside business hours.
## Backup command
The example below shows how to create a backup of a UCP manager node and
verify its contents:
```none
# Create a backup, encrypt it, and store it on /tmp/backup.tar
$ docker run --rm -i --name ucp \
-v /var/run/docker.sock:/var/run/docker.sock \
{{ page.docker_image }} backup --interactive > /tmp/backup.tar
# Ensure the backup is a valid tar and list its contents
# In a valid backup file, over 100 files should appear in the list
# and the `./ucp-node-certs/key.pem` file should be present
$ tar --list -f /tmp/backup.tar
```
A backup file may optionally be encrypted using a passphrase, as in the
following example:
```none
# Create a backup, encrypt it, and store it on /tmp/backup.tar
$ docker run --rm -i --name ucp \
-v /var/run/docker.sock:/var/run/docker.sock \
{{ page.docker_image }} backup --interactive \
--passphrase "secret" > /tmp/backup.tar
# Decrypt the backup and list its contents
$ gpg --decrypt /tmp/backup.tar | tar --list
```
## Restore your cluster
The restore command can be used to create a new UCP cluster from a backup file.
When restoring, make sure you use the same version of the `docker/dtr` image that you've used to create the backup.
After the restore operation is complete, the following data will be recovered
from the backup file:
* Users, teams, and permissions.
* All UCP configuration options available under `Admin Settings`, such as the
DDC subscription license, scheduling options, Content Trust and authentication
backends.
There are two ways to restore a UCP cluster:
* On a manager node of an existing swarm, which is not part of a UCP
installation. In this case, a UCP cluster will be restored from the backup.
* On a docker engine that is not participating in a swarm. In this case, a new
swarm will be created and UCP will be restored on top.
In order to restore an existing UCP installation from a backup, you will need to
first uninstall UCP from the cluster by using the `uninstall-ucp` command.
The example below shows how to restore a UCP cluster from an existing backup
file, presumed to be located at `/tmp/backup.tar`:
```none
$ docker run --rm -i --name ucp \
-v /var/run/docker.sock:/var/run/docker.sock \
{{ page.docker_image }} restore < /tmp/backup.tar
```
If the backup file is encrypted with a passphrase, you will need to provide the
passphrase to the restore operation:
```none
$ docker run --rm -i --name ucp \
-v /var/run/docker.sock:/var/run/docker.sock \
{{ page.docker_image }} restore --passphrase "secret" < /tmp/backup.tar
```
The restore command may also be invoked in interactive mode, in which case the
backup file should be mounted to the container rather than streamed through
stdin:
```none
$ docker run --rm -i --name ucp \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /tmp/backup.tar:/config/backup.tar \
{{ page.docker_image }} restore -i
```
## Disaster recovery
In the event where half or more manager nodes are lost and cannot be recovered
to a healthy state, the system is considered to have lost quorum and can only be
restored through the following disaster recovery procedure.
It is important to note that this procedure is not guaranteed to succeed with
no loss of running services or configuration data. To properly protect against
manager failures, the system should be configured for [high availability](configure/set-up-high-availability.md).
1. On one of the remaining manager nodes, perform `docker swarm init
--force-new-cluster`. You may also need to specify an
`--advertise-addr` parameter which is equivalent to the `--host-address`
parameter of the `docker/ucp install` operation. This will instantiate a new
single-manager swarm by recovering as much state as possible from the
existing manager. This is a disruptive operation and existing tasks may be
either terminated or suspended.
2. Obtain a backup of one of the remaining manager nodes if one is not already
available.
3. If UCP is still installed on the cluster, uninstall UCP using the
`uninstall-ucp` command.
4. Perform a restore operation on the recovered swarm manager node.
5. Log in to UCP and browse to the nodes page, or use the CLI `docker node ls`
command.
6. If any nodes are listed as `down`, you'll have to manually [remove these
nodes](../configure/scale-your-cluster.md) from the cluster and then re-join
them using a `docker swarm join` operation with the cluster's new join-token.
## Where to go next
* [Set up high availability](configure/set-up-high-availability.md)
* [UCP architecture](../architecture.md)

63
datacenter/ucp/2.2/guides/admin/configure/add-labels-to-cluster-nodes.md Normal file
View File

@ -0,0 +1,63 @@
---
title: Add labels to cluster nodes
description: Learn how to add metadata to cluster nodes, that can be used to specify constraints when deploying services.
keywords: Docker, cluster, nodes, labels
---
After deploying UCP you can add labels to your nodes. Labels are metadata that
you can use to organize nodes.
You can also use these labels as deployment constraints for your services.
When deploying a service, you can specify constraints, so that the service only
gets scheduled on a node that has a label that fulfills all the constraints
you specify.
As an example, you can apply labels based on their role in the development
lifecycle, or the hardware resources they have.
![](../../images/add-labels-to-cluster-nodes-1.svg)
## Apply labels to a node
Log in with administrator credentials in the **UCP web UI**, navigate to the
**Nodes** page, and choose the node you want to apply labels to.
Click the **Add label** button, and add one or more labels to the node.
![](../../images/add-labels-to-cluster-nodes-2.png){: .with-border}
Once you're done, click **Save Changes**.
You can also do this from the CLI by running:
```none
docker node update --label-add <key>=<value> <node-id>
```
## Add constraint to a service
When deploying a service, you can specify constraints, so that the service only
gets scheduled on a node that has a label that fulfills all the constraints
you specify.
In this example, when users deploy a service they can add constraints for the
service to be scheduled on nodes that have an SSD storage.
You can add deployment constraints to your docker-stack.yml file or when you are creating a stack:
![](../../images/use-contraints-in-stack-deployement.png)
Or you can apply them when you are creating a service.
![](../../images/add-constraint-to-service.png)
You can check if a service have deployment constraints, navigate to the **Services** page,
and choose the service your want to check.
Once you're done, click **Scheduling**.
![](../../images/check-contraints.png)
From here, you can add or remove deployment constraint too.
## Where to go next
* [Store logs in an external system](store-logs-in-an-external-system.md)

56
datacenter/ucp/2.2/guides/admin/configure/add-sans-to-cluster.md Normal file
View File

@ -0,0 +1,56 @@
---
title: Add SANs to cluster certificates
description: Learn how to add new SANs to cluster nodes, allowing you to connect to UCP with a different hostname
keywords: Docker, cluster, nodes, labels, certificates, SANs
---
UCP always runs with HTTPS enabled. When you connect to UCP, you need to make
sure that the hostname that you use to connect is recognized by UCP's
certificates. If, for instance, you put UCP behind a load balancer that
forwards its traffic to your UCP instance, your requests will be for the load
balancer's hostname or IP address, not UCP's. UCP will reject these requests
unless you include the load balancer's address as a Subject Alternative Name
(or SAN) in UCP's certificates.
If you [use your own TLS certificates](use-your-own-tls-certificates.md), you
need to make sure that they have the correct SAN values. You can learn more
at the above link.
If you want to use the self-signed certificate that UCP has out of the box, you
can set up the SANs when you install UCP with the `--san` argument. You can
also add them after installation.
## Add new SANs to UCP after installation
Log in with administrator credentials in the **UCP web UI**, navigate to the
**Nodes** page, and choose a node.
Click the **Add SAN** button, and add one or more SANs to the node.
![](../../images/add-sans-to-cluster-1.png){: .with-border}
Once you're done, click **Save Changes**.
You will have to do this on every manager node in the cluster, but once you
have done so, the SANs will be automatically applied to any new manager nodes
that join the cluster.
You can also do this from the CLI by first running:
```bash
{% raw %}
$ docker node inspect --format '{{ index .Spec.Labels "com.docker.ucp.SANs" }}' <node-id>
default-cs,127.0.0.1,172.17.0.1
{% endraw %}
```
This will get the current set of SANs for the given manager node. Append your
desired SAN to this list (e.g. `default-cs,127.0.0.1,172.17.0.1,example.com`)
and then run:
```bash
$ docker node update --label-add com.docker.ucp.SANs=<SANs-list> <node-id>
```
`<SANs-list>` is the list of SANs with your new SAN appended at the end. As in
the web UI, you must do this for every manager node.

154
datacenter/ucp/2.2/guides/admin/configure/external-auth/index.md Normal file
View File

@ -0,0 +1,154 @@
---
description: Learn how to integrate UCP with an LDAP service, so that you can
manage users from a single place.
keywords: LDAP, directory, authentication, user management
title: Integrate with an LDAP Directory
---
Docker UCP integrates with LDAP directory services, so that you can manage
users and groups from your organization's directory and it will automatically
propagate that information to UCP and DTR.
When you switch from built-in authentication to LDAP authentication,
all manually created users whose usernames do not match any LDAP search results
become inactive with the exception of the recovery admin user which can still
log in with the recovery admin password.
## Configure the LDAP integration
To configure UCP to create and authenticate users using an LDAP directory,
go to the **UCP web UI**, navigate to the **Admin Settings** page, and click the
**Auth** tab.
![](../../../images/ldap-integration-1.png){: .with-border}
Then configure your LDAP directory integration.
**Authentication**
| Field | Description |
|:-------------------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Method | The method used to create and authenticate users. The *LDAP* method uses a remote directory server to automatically create users and all logins will be forwarded to the directory server. |
| Default permission for newly discovered accounts | The permission level assigned by default to a new user. [Learn more about default permission levels](../../manage-users/permission-levels.md). |
**LDAP server configuration**
| Field | Description |
|:------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| LDAP server URL | The URL where the LDAP server can be reached. |
| Recovery admin username | The username for a recovery user that can access UCP even when the integration with LDAP is misconfigured or the LDAP server is offline. |
| Recovery admin password | The password for the recovery user which is securely salted and hashed and stored in UCP. The recovery admin user can use this password to login if the LDAP server is misconfigured or offline. |
| Reader DN | The distinguished name of the LDAP account used for searching entries in the LDAP server. As a best practice this should be an LDAP read-only user. |
| Reader password | The password of the account used for searching entries in the LDAP server. |
**LDAP security options**
| Field | Description |
|:----------------------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Skip verification of server certificate | Whether to verify the LDAP server certificate when using TLS. The connection is still encrypted, but vulnerable to man-in-the-middle attacks. |
| Use StartTLS | Whether to authenticate/encrypt the connection after connecting to the LDAP server over TCP. If you set the LDAP Server URL field with `ldaps://`, this field is ignored. |
**User search configurations**
| Field | Description |
|:------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Base DN | The distinguished name of the node in the directory tree where the search should start looking for users. |
| Username attribute | The LDAP attribute to use as username on UCP. Only user entries with a valid username will be created. A valid username is no longer than 100 characters and does not contain any unprintable characters, whitespace characters, or any of the following characters: `/` `\` `[` `]` `:` `;` `|` `=` `,` `+` `*` `?` `<` `>` `'` `"`. |
| Full name attribute | The LDAP attribute to use as the user's full name for display purposes. If left empty, UCP will not create new users with a full name value. |
| Filter | The LDAP search filter used to find users. If you leave this field empty, all directory entries in the search scope with valid username attributes are created as users. |
| Search scope | Whether to perform the LDAP search on a single level of the LDAP tree, or search through the full LDAP tree starting at the Base DN. |
| Match group members | Whether to further filter users by selecting those who are also members of a specific group on the directory server. This feature is helpful if the LDAP server does not support `memberOf` search filters. |
| Iterate through group members | If `Match Group Members` is selected, this option searches for users by first iterating over the target group's membership and makes a separate LDAP query for each member, as opposed to first querying for all users which match the above search query and intersecting those with the set of group members. This option can be more efficient in situations where the number of members of the target group is significantly smaller than the number of users which would match the above search filter or if your directory server does not support simple pagination of search results. |
| Group DN | If `Match Group Members` is selected, this specifies the distinguished name of the group from which to select users. |
| Group member attribute | If `Match Group Members` is selected, the value of this group attribute corresponds to the distinguished names of the members of the group. |
![](../../../images/ldap-integration-2.png){: .with-border}
Clicking **+ Add another user search configuration** will expand additional
sections for configuring more user search queries. This is useful in cases
where users may be found in multiple distinct subtrees of your organization's
directory. Any user entry which matches at least one of the search
configurations will be synced as a user.
**Advanced LDAP configuration**
| Field | Description |
|:---------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| No simple pagination | If your LDAP server doesn't support pagination. |
| Enable sync of admin users | Whether to import LDAP users as UCP administrators. |
| LDAP Match Method | If admin user sync is enabled, this option specifies whether to match admin user entries using a search query or by selecting them as members from a group. For the expanded options, refer to the options described below. |
**Match LDAP Group Members**
This option specifies that system admins should be synced directly with members
of a group in your organization's LDAP directory. The admins will be synced to
match the membership of the group. The configured recovery admin user will also
remain a system admin.
| Field | Description |
|:-----------------------|:------------------------------------------------------------------------------------------------------|
| Group DN | This specifies the distinguished name of the group from which to select users. |
| Group member attribute | The value of this group attribute corresponds to the distinguished names of the members of the group. |
**Match LDAP Search Results**
This option specifies that system admin should be synced using a search query
against your organization's LDAP directory. The admins will by synced to match
the users in the search results. The configured recovery admin user will also
remain a system admin.
| Field | Description |
|:--------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------|
| Base DN | The distinguished name of the node in the directory tree where the search should start looking for users. |
| Search scope | Whether to perform the LDAP search on a single level of the LDAP tree, or search through the full LDAP tree starting at the Base DN. |
| Search Filter | The LDAP search filter used to find users. If you leave this field empty, all existing users in the search scope will be added as members of the team. |
**Sync configuration**
| Field | Description |
|:--------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Sync interval | The interval in hours to synchronize users between UCP and the LDAP server. When the synchronization job runs, new users found in the LDAP server are created in UCP with the default permission level. UCP users that don't exist in the LDAP server become inactive. |
**Test LDAP connection**
| Field | Description |
|:---------|:-----------------------------------------------------------------------------------------------------------------------------------------------------|
| Username | The username with which the user will login to this application. This value should correspond to the Username Attribute specified in the form above. |
| Password | The user's password used to authenticate (BIND) to the directory server. |
Before you save the configuration changes, you should test that the integration
is correctly configured. You can do this by providing the credentials of an
LDAP user, and clicking the **Test** button.
## Synchronize users
Once you've configured the LDAP integration, UCP synchronizes users based on the
interval you've defined starting at the top of the hour. When the
synchronization runs, UCP stores logs that can help you troubleshoot when
something goes wrong.
You can also manually synchronize users by clicking the **Sync Now** button.
## Revoke user access
When a user is removed from LDAP, that user becomes inactive after the LDAP
synchronization runs.
Also, when you switch from the built-in authentication to using LDAP
authentication, all manually created users whose usernames do not match any
LDAP search results become inactive with the exception of the recovery admin
user which can still login with the recovery admin password.
## Data synced from your organization's LDAP directory
UCP saves a minimum amount of user data required to operate. This includes
the value of the username and full name attributes that you have specified in
the configuration as well as the distinguished name of each synced user.
UCP does not query, or store any additional data from the directory server.
## Syncing Teams
For syncing teams in UCP with a search query or group in your organization's
LDAP directory, refer to [the documentation on creating and managing teams](../../manage-users/create-and-manage-teams.md).

142
datacenter/ucp/2.2/guides/admin/configure/integrate-with-dtr.md Normal file
View File

@ -0,0 +1,142 @@
---
description: Integrate UCP with Docker Trusted Registry
keywords: trusted, registry, integrate, UCP, DTR
title: Integrate with Docker Trusted Registry
---
Once you deploy Docker Trusted Registry (DTR), you can use it to store your Docker
images and deploy services to UCP using those images.
[Learn how deploy DTR](/datacenter/dtr/2.1/guides/install/index.md).
Docker UCP integrates out of the box with Docker Trusted Registry (DTR).
This means that you can deploy services from the UCP web UI, using Docker
images that are stored in DTR. You can also use a
[UCP client bundle](../access-ucp/cli-based-access.md) to do the same from the
CLI.
If you've configured DTR to use TLS certificates issued by a globally-trusted
certificate authority you can skip this since all clients will automatically
trust the TLS certificates used by DTR.
If you're using the DTR default configurations or configured DTR to use
self-signed certificates, you need to configure all hosts that want to push
or pull Docker images from DTR. This includes:
* All UCP nodes
* Your local computer or any other that wants to push or pull Docker images from DTR
If your host is not configured to trust the DTR TLS certificates, you'll get an
error like:
```none
docker login dtr.example.org
x509: certificate signed by unknown authority
```
## 1. Configure your local computer
If you want to use your local computer to interact with DTR, you need to
configure it to trust the DTR TLS certificates. This depends on the operating
system:
* For macOS:
In your browser navigate to `https://<dtr-url>/ca` to download the TLS
certificate used by DTR. Then
[add that certificate to the macOS trust store](https://support.apple.com/kb/PH18677?locale=en_US).
* For Windows:
In your browser navigate to `https://<dtr-url>/ca` to download the TLS
certificate used by DTR. Then
[add that certificate to the Windows trust store](https://technet.microsoft.com/en-us/library/cc754841(v=ws.11).aspx).
* For Ubuntu:
```bash
# Download the DTR CA certificate
$ sudo curl -k https://<dtr-url>/ca -o /usr/local/share/ca-certificates/<dtr-domain-name>.crt
# Refresh the list of certificates to trust
$ sudo update-ca-certificates
# Restart the Docker daemon
$ sudo service docker restart
```
* For CentOS or RHEL:
```bash
# Download the DTR CA certificate
$ sudo curl -k https://<dtr-url>/ca -o /etc/pki/ca-trust/source/anchors/<dtr-domain-name>.crt
# Refresh the list of certificates to trust
$ sudo update-ca-trust
# Restart the Docker daemon
$ sudo /bin/systemctl restart docker.service
```
## 2. Test your local setup
The best way to confirm that your computer is correctly configured, is by
trying to pull and push images from your local Docker installation to DTR.
1. Create a test repository on DTR.
Navigate to the **DTR web UI**, and create a new **hello-world** repository
so that you can push and pull images. Set it as **private**, and save
the changes.
![](../images/dtr-integration-1.png)
2. Pull the `hello-world` image from Docker Store, re-tag it, and push it to the
DTR repository you created.
```none
# Pull hello-world from Docker Store
docker pull hello-world:latest
# Re-tag it
docker tag hello-world:latest <dtr-domain>/<user>/hello-world:latest
# Log into DTR
docker login <dtr-domain>
# Push your image to DTR
docker push <dtr-domain>/<user>/hello-world:latest
```
3. Validate that your image is now stored in DTR.
When successfully pushing the image you should see a result like:
```none
The push refers to a repository [dtr/username/hello-world]
5f70bf18a086: Pushed
33e7801ac047: Pushed
1: digest: sha256:7d9e482c0cc9e68c7f07bf76e0aafcb1869d32446547909200db990e7bc5461a size: 1930
```
You can also check that the tag exists on the DTR web UI.
![](../images/dtr-integration-2.png)
## 3. Configure UCP Docker Engines
You also need to configure the Docker Engine on every UCP node to trust the
DTR TLS certificates. This allows you do deploy services to UCP using images
that are stored in DTR.
For each UCP node:
1. Log into the node as an administrator, using ssh
2. Configure the system to trust the DTR TLS certificates, following the same
steps as you used to configure your local computer.
## Where to go next
* [Use externally-signed certificates](index.md)

33
datacenter/ucp/2.2/guides/admin/configure/license-your-installation.md Normal file
View File

@ -0,0 +1,33 @@
---
description: Learn how to license your Docker Universal Control Plane installation.
keywords: Universal Control Plane, UCP, install, license
title: License your installation
---
After installing Docker Universal Control Plane, you need to license your
installation. Here's how to do it.
## Download your license
Go to [Docker Store](https://store.docker.com/bundles/docker-datacenter) and
download your UCP license or get a free trial license.
![](../../images/license-ucp-1.png){: .with-border}
## License your installation
Once you've downloaded the license file, you can apply it to your UCP
installation. Navigate to the **UCP web UI**, and then go to the **Settings**
page.
On the **License** page you can upload the new license.
![](../../images/license-ucp-2.png){: .with-border}
Click **Upload License** for the changes to take effect.
## Where to go next
* [Install UCP](../install/index.md)
* [Install UCP offline](../install/install-offline.md)

26
datacenter/ucp/2.2/guides/admin/configure/restrict-services-to-worker-nodes.md Normal file
View File

@ -0,0 +1,26 @@
---
title: Restrict services to worker nodes
description: Learn how to configure Universal Control Plane to only allow running services in worker nodes.
keywords: docker, ucp, configuration, worker
---
You can configure UCP to only allow users to deploy and run services in
worker nodes. This ensures all cluster management functionality stays
performant, and makes the cluster more secure.
If a user deploys a malicious service that can affect the node where it
is running, it won't be able to affect other nodes in the cluster, or
any cluster management functionality.
To restrict users from deploying to manager nodes, log in with administrator
credentials to the **UCP web UI**, navigate to the **Admin Settings**
page, and choose **Scheduler**.
![](../../images/restrict-services-to-worker-nodes-1.png){: .with-border}
You can then choose if user services should be allowed to run on manager nodes
or not.
## Where to go next
* [Use domain names to access your services](use-domain-names-to-access-services.md)

60
datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust.md Normal file
View File

@ -0,0 +1,60 @@
---
title: Run only the images you trust
description: Configure a Docker UCP cluster to only allow running applications that use images you trust.
keywords: docker, ucp, security, trust
redirect_from:
- /datacenter/ucp/2.1/guides/admin/configure/only-allow-running-signed-images/
- /datacenter/ucp/2.1/guides/admin/configure/use-trusted-images-for-ci/
---
With Docker Universal Control Plane you can enforce applications to only use
Docker images signed by UCP users you trust. When a user tries to deploy an
application to the cluster, UCP checks if the application uses a Docker image
that is not trusted, and wont continue with the deployment if thats the case.
![Enforce image signing](../../images/run-only-the-images-you-trust-1.svg)
By signing and verifying the Docker images, you ensure that the images being
used in your cluster are the ones you trust and havent been altered either in
the image registry or on their way from the image registry to your UCP cluster.
## Example workflow
Here's an example of a typical workflow:
1. A developer makes changes to a service and pushes their changes to a version
control system
2. A CI system creates a build, runs tests, and pushes an image to DTR with the
new changes
3. The quality engineering team pulls the image and runs more tests. If
everything looks good they sign and push the image
4. The IT operations team deploys a service. If the image used for the service
was signed by the QA team, UCP deploys it. Otherwise UCP refuses to deploy.
## Configure UCP
To configure UCP to only allow running services that use Docker images you
trust, go to the **UCP web UI**, navigate to the **Settings** page, and click
the **Content Trust** tab.
Select the **Run only signed images** option to only allow deploying
applications if they use images you trust.
![UCP settings](../../images/run-only-the-images-you-trust-2.png){: .with-border}
With this setting, UCP allows deploying any image as long as the image has
been signed. It doesn't matter who signed the image.
To enforce that the image needs to be signed by specific teams, include those
teams in the **Require signature from** field.
![UCP settings](../../images/run-only-the-images-you-trust-3.png){: .with-border}
If you specify multiple teams, the image needs to be signed by a member of each
team, or someone that is a member of all those teams.
Click **Update** for UCP to start enforcing the policy.
## Where to go next
* [Sign and push images to DTR](/datacenter/dtr/2.2/guides/user/manage-images/sign-images/index.md)

152
datacenter/ucp/2.2/guides/admin/configure/scale-your-cluster.md Normal file
View File

@ -0,0 +1,152 @@
---
description: Learn how to scale Docker Universal Control Plane cluster, by adding
and removing nodes.
keywords: UCP, cluster, scale
title: Scale your cluster
---
Docker UCP is designed for scaling horizontally as your applications grow in
size and usage. You can add or remove nodes from the UCP cluster to make it
scale to your needs.
![](../../images/scale-your-cluster-0.svg)
Since UCP leverages the clustering functionality provided by Docker Engine,
you use the [docker swarm join](/engine/swarm/swarm-tutorial/add-nodes.md)
command to add more nodes to your cluster. When joining new nodes, the UCP
services automatically start running in that node.
When joining a node to a cluster you can specify its role: manager or worker.
* **Manager nodes**
Manager nodes are responsible for cluster management functionality and
dispatching tasks to worker nodes. Having multiple manager nodes allows
your cluster to be highly-available and tolerate node failures.
Manager nodes also run all UCP components in a replicated way, so by adding
additional manager nodes you're also making UCP highly available.
[Learn more about the UCP architecture.](../../architecture.md)
* **Worker nodes**
Worker nodes receive and execute your services and applications. Having
multiple worker nodes allows you to scale the computing capacity of your
cluster.
When deploying Docker Trusted Registry in your cluster, you deploy it to a
worker node.
## Join nodes to the cluster
To join nodes to the cluster, go to the **UCP web UI**, navigate to
the **Resources** page, and go to the **Nodes** section.
![](../../images/scale-your-cluster-1.png){: .with-border}
Click the **Add Node** button to add a new node.
![](../../../../../images/try-ddc-3.png){: .with-border}
Check the 'Add node as a manager' option if you want to add the node as manager.
Also, set the 'Use a custom listen address' option to specify the IP of the
host that you'll be joining to the cluster.
Then you can copy the command displayed, use ssh to **log into the host** that
you want to join to the cluster, and **run the command** on that host.
![](../../images/scale-your-cluster-2.png){: .with-border}
After you run the join command in the node, the node starts being displayed
in UCP.
## Remove nodes from the cluster
1. If the target node is a manager, you will need to first demote the node into
a worker before proceeding with the removal:
* From the UCP web UI, navigate to the **Resources** section and then go to
the **Nodes** page. Select the node you wish to remove and switch its role
to **Worker**, wait until the operation is completed and confirm that the
node is no longer a manager.
* From the CLI, perform `docker node ls` and identify the nodeID or hostname
of the target node. Then, run `docker node demote <nodeID or hostname>`.
2. If the status of the worker node is `Ready`, you'll need to manually force
the node to leave the swarm. To do this, connect to the target node through
SSH and run `docker swarm leave --force` directly against the local docker
engine.
>**Warning**:
>Do not perform this step if the node is still a manager, as
>that may cause loss of quorum.
{:.warning}
3. Now that the status of the node is reported as `Down`, you may remove the
node:
* From the UCP web UI, browse to the **Nodes** page, select the node and
click on the **Remove Node** button. You will need to click on the button
again within 5 seconds to confirm the operation.
* From the CLI, perform `docker node rm <nodeID or hostname>`
## Pause and drain nodes
Once a node is part of the cluster you can change its role making a manager
node into a worker and vice versa. You can also configure the node availability
so that it is:
* Active: the node can receive and execute tasks.
* Paused: the node continues running existing tasks, but doesn't receive new ones.
* Drained: the node won't receive new tasks. Existing tasks are stopped and
replica tasks are launched in active nodes.
![](../../images/scale-your-cluster-3.png){: .with-border}
If you're load-balancing user requests to UCP across multiple manager nodes,
when demoting those nodes into workers, don't forget to remove them from your
load-balancing pool.
## Scale your cluster from the CLI
You can also use the command line to do all of the above operations. To get the
join token, run the following command on a manager node:
```none
$ docker swarm join-token worker
```
If you want to add a new manager node instead of a worker node, use
`docker swarm join-token manager` instead. If you want to use a custom listen
address, add the `--listen-addr` arg:
```none
docker swarm join \
--token SWMTKN-1-2o5ra9t7022neymg4u15f3jjfh0qh3yof817nunoioxa9i7lsp-dkmt01ebwp2m0wce1u31h6lmj \
--listen-addr 234.234.234.234 \
192.168.99.100:2377
```
Once your node is added, you can see it by running `docker node ls` on a manager:
```none
$ docker node ls
```
To change the node's availability, use:
```
$ docker node update --availability drain node2
```
You can set the availability to `active`, `pause`, or `drain`.
To remove the node, use:
```
$ docker node rm <node-hostname>
```
## Where to go next
* [Use your own TLS certificates](use-your-own-tls-certificates.md)
* [Set up high availability](set-up-high-availability.md)

45
datacenter/ucp/2.2/guides/admin/configure/set-up-high-availability.md Normal file
View File

@ -0,0 +1,45 @@
---
description: Docker Universal Control plane has support for high availability. Learn
how to set up your installation to ensure it tolerates failures.
keywords: docker, ucp, high-availability, replica
title: Set up high availability
---
Docker Universal Control Plane is designed for high availability (HA). You can
join multiple manager nodes to the cluster, so that if one manager node fails,
another can automatically take its place without impact to the cluster.
Having multiple manager nodes in your cluster, allows you to:
* Handle manager node failures,
* Load-balance user requests across all manager nodes.
## Size your deployment
To make the cluster tolerant to more failures, add additional replica nodes to
your cluster.
| Manager nodes | Failures tolerated |
|:-------------:|:------------------:|
| 1 | 0 |
| 3 | 1 |
| 5 | 2 |
| 7 | 3 |
For production-grade deployments, follow these rules of thumb:
* When a manager node fails, the number of failures tolerated by your cluster
decreases. Don't leave that node offline for too long.
* You should distribute your manager nodes across different availability zones.
This way your cluster can continue working even if an entire availability zone
goes down.
* Adding many manager nodes to the cluster might lead to performance
degradation, as changes to configurations need to be replicated across all
manager nodes. The maximum advisable is having 7 manager nodes.
## Where to go next
* [Scale your cluster](scale-your-cluster.md)
* [Use a load balancer](use-a-load-balancer.md)

58
datacenter/ucp/2.2/guides/admin/configure/store-logs-in-an-external-system.md Normal file
View File

@ -0,0 +1,58 @@
---
description: Learn how to configure Docker Universal Control Plane to store your logs
on an external log system.
keywords: docker, ucp, integrate, logs
title: Configure UCP logging
---
## Configure UCP logging
You can configure UCP for sending logs to a remote logging service:
1. Log in to UCP with an administrator account
2. Navigate to the **Settings** page
3. Set the information about your logging server, and click
**Enable Remote Logging**
![](../../images/configure-logs-1.png){: .with-border}
## Example: Setting up an ELK stack
One popular logging stack is composed of Elasticsearch, Logstash, and
Kibana. The following example demonstrates how to set up an example
deployment which can be used for logging.
```none
docker volume create --name orca-elasticsearch-data
docker run -d \
--name elasticsearch \
-v orca-elasticsearch-data:/usr/share/elasticsearch/data \
elasticsearch elasticsearch -Des.network.host=0.0.0.0
docker run -d \
-p 514:514 \
--name logstash \
--link elasticsearch:es \
logstash \
sh -c "logstash -e 'input { syslog { } } output { stdout { } elasticsearch { hosts => [ \"es\" ] } } filter { json { source => \"message\" } }'"
docker run -d \
--name kibana \
--link elasticsearch:elasticsearch \
-p 5601:5601 \
kibana
```
Once you have these containers running, configure UCP to send logs to
the IP of the Logstash container. You can then browse to port 5601 on the system
running Kibana and browse log/event entries. You should specify the "time"
field for indexing.
When deployed in a production environment, you should secure your ELK
stack. UCP does not do this itself, but there are a number of 3rd party
options that can accomplish this (e.g. Shield plug-in for Kibana)
## Where to go next
* [Require all images to be signed](restrict-services-to-worker-nodes.md)

39
datacenter/ucp/2.2/guides/admin/configure/use-a-load-balancer.md Normal file
View File

@ -0,0 +1,39 @@
---
title: Use a load balancer
description: Learn how to set up a load balancer to access the UCP web UI using an hostname.
keywords: Docker, UCP, high-availability, load balancer
---
Once you've joined multiple manager nodes for high-availability, you can
configure your own load balancer to balance user requests across all
manager nodes.
![](../../images/use-a-load-balancer-1.svg)
This allows users to access UCP using a centralized domain name. If
a manager node goes down, the load balancer can detect that and stop forwarding
requests to that node, so that the failure goes unnoticed by users.
## Load-balancing on UCP
Since Docker UCP uses mutual TLS, make sure you configure your load balancer to:
* Load-balance TCP traffic on port 443,
* Not terminate HTTPS connections,
* Use the `/_ping` endpoint on each manager node, to check if the node
is healthy and if it should remain on the load balancing pool or not.
## Load balancing UCP and DTR
By default, both UCP and DTR use port 443. If you plan on deploying UCP and DTR,
your load balancer needs to distinguish traffic between the two by IP address
or port number.
* If you want to configure your load balancer to listen on port 443:
* Use one load balancer for UCP, and another for DTR,
* Use the same load balancer with multiple virtual IPs.
* Configure your load balancer to expose UCP or DTR on a port other than 443.
## Where to go next
* [Add labels to cluster nodes](add-labels-to-cluster-nodes.md)

82
datacenter/ucp/2.2/guides/admin/configure/use-domain-names-to-access-services.md Normal file
View File

@ -0,0 +1,82 @@
---
title: Use domain names to access services
description: Docker Universal Control Plane has an HTTP routing mesh that
allows you to make your services accessible through a domain name. Learn more.
keywords: ucp, services, http, dns
---
Docker has a transport-layer load balancer, also known as an L4 load balancer.
This allows you to access your services independently of the node where they are
running.
![swarm routing mesh](../../images/use-domain-names-1.svg)
In this example, the wordpress service is being served on port 8080.
Users can access wordpress using the IP address of any node
in the cluster and port 8080. If wordpress is not running in that node, the
request is redirected to a node that is.
UCP extends this and provides an HTTP routing mesh for application-layer
load balancing. This allows you to access services with HTTP and HTTPS endpoints
using a domain name instead of an IP.
![http routing mesh](../../images/use-domain-names-2.svg)
In this example, the Wordpress service listens on port 8080 and is attached to
the `ucp-hrm` network. There's also a DNS entry mapping `wordpress.example.org`
to the IP addresses of the UCP nodes.
When users access `wordpress.example.org:80`, the HTTP routing mesh routes
the request to the service running Wordpress in a way that is transparent to
the user.
## Enable the HTTP routing mesh
To enable the HTTP routing mesh, go to the **UCP web UI**, navigate to the
**Settings** page, and click the **Routing Mesh** option.
Check the **Enable HTTP routing mesh** option.
![http routing mesh](../../images/use-domain-names-3.png){: .with-border}
By default the HTTP routing mesh service listens on port 80 for HTTP and port
8443 for HTTPS. Change the ports if you already have services that are using
them.
## Under the hood
Once you enable the HTTP routing mesh, UCP deploys:
| Name | What | Description |
|:----------|:--------|:------------------------------------------------------------------------------|
| `ucp-hrm` | Service | Receive HTTP and HTTPS requests and send them to the right service |
| `ucp-hrm` | Network | The network used to communicate with the services using the HTTP routing mesh |
You then deploy a service that exposes a port, attach that service to the
`ucp-hrm` network, and create a DNS entry to map a domain name to the IP
address of the UCP nodes.
When a user tries to access an HTTP service from that domain name:
1. The DNS resolution will point them to the IP of one of the UCP nodes
2. The HTTP routing mesh looks at the Hostname header in the HTTP request
3. If there's a service that maps to that hostname, the request is routed to the
port where the service is listening
4. If not, the user receives an HTTP 503, bad gateway error
For services exposing HTTPS things are similar. The HTTP routing mesh doesn't
terminate the TLS connection, and instead leverages an extension to TLS called
Server Name Indication, that allows a client to announce in clear the domain
name it is trying to reach.
When receiving a connection in the HTTPS port, the routing mesh looks at the
Server Name Indication header and routes the request to the right service.
The service is responsible for terminating the HTTPS connection. Note that
the routing mesh uses the SSL session ID to make sure that a single SSL
session always goes to the same task for the service. This is done for
performance reasons so that the same SSL session can be maintained across
requests.
## Where to go next
* [Run only the images you trust](run-only-the-images-you-trust.md)

149
datacenter/ucp/2.2/guides/admin/configure/use-trusted-images-for-ci.md Normal file
View File

@ -0,0 +1,149 @@
---
description: Set up and configure content trust and signing policy for use with a continuous integration system
keywords: cup, trust, notary, security, continuous integration
title: Use trusted images for continuous integration
---
The document provides a minimal example on setting up Docker Content Trust (DCT) in
Universal Control Plane (UCP) for use with a Continuous Integration (CI) system. It
covers setting up the necessary accounts and trust delegations to restrict only those
images built by your CI system to be deployed to your UCP managed cluster.
## Set up UCP accounts and teams
The first step is to create a user account for your CI system. For the purposes of
this document we will assume you are using Jenkins as your CI system and will therefore
name the account "jenkins". As an admin user logged in to UCP, navigate to "User Management"
and select "Add User". Create a user with the name "jenkins" and set a strong password.
Next, create a team called "CI" and add the "jenkins" user to this team. All signing
policy is team based, so if we want only a single user to be able to sign images
destined to be deployed on the cluster, we must create a team for this one user.
## Set up the signing policy
While still logged in as an admin, navigate to "Admin Settings" and select the "Content Trust"
subsection. Select the checkbox to enable content trust and in the select box that appears,
select the "CI" team we have just created. Save the settings.
This policy will require that every image that referenced in a `docker pull`, `docker run`,
or `docker service create` must be signed by a key corresponding to a member of the "CI" team.
In this case, the only member is the "jenkins" user.
## Create keys for the Jenkins user
The signing policy implementation uses the certificates issued in user client bundles
to connect a signature to a user. Using an incognito browser window (or otherwise),
log in to the "jenkins" user account you created earlier. Download a client bundle for
this user. It is also recommended to change the description associated with the public
key stored in UCP such that you can identify in the future which key is being used for
signing.
N.B. each time a user retrieves a new client bundle, a new keypair is generated. It is therefore
necessary to keep track of a specific bundle that a user chooses to designate as their signing bundle.
Once you have decompressed the client bundle, the only two files you need for the purposes
of signing are `cert.pem` and `key.pem`. These represent the public and private parts of
the user's signing identity respectively. We will load the `key.pem` file onto the Jenkins
servers, and user `cert.pem` to create delegations for the "jenkins" user in our
Trusted Collection.
## Prepare the Jenkins server
### Load `key.pem` on Jenkins
You will need to use the notary client to load keys onto your Jenkins server. Simply run
`notary -d /path/to/.docker/trust key import /path/to/key.pem`. You will be asked to set
a password to encrypt the key on disk. For automated signing, this password can be configured
into the environment under the variable name `DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE`. The `-d`
flag to the command specifies the path to the `trust` subdirectory within the server's `docker`
configuration directory. Typically this is found at `~/.docker/trust`.
### Enable content trust
There are two ways to enable content trust: globally, and per operation. To enabled content
trust globally, set the environment variable `DOCKER_CONTENT_TRUST=1`. To enable on a per
operation basis, wherever you run `docker push` in your Jenkins scripts, add the flag
`--disable-content-trust=false`. You may wish to use this second option if you only want
to sign some images.
The Jenkins server is now prepared to sign images, but we need to create delegations referencing
the key to give it the necessary permissions.
## Initialize a repository
Any commands displayed in this section should _not_ be run from the Jenkins server. You
will most likely want to run them from your local system.
If this is a new repository, create it in Docker Trusted Registry (DTR) or Docker Hub,
depending on which you use to store your images, before proceeding further.
We will now initialize the trust data and create the delegation that provides the Jenkins
key with permissions to sign content. The following commands initialize the trust data and
rotate snapshotting responsibilities to the server. This is necessary to ensure human involvement
it not required to publish new content.
```
notary -s https://my_notary_server.com -d ~/.docker/trust init my_repository
notary -s https://my_notary_server.com -d ~/.docker/trust key rotate my_repository snapshot -r
notary -s https://my_notary_server.com -d ~/.docker/trust publish my_repository
```
N.B. the `-s` flag provides the server hosting a notary service. If you are operating against
Docker Hub, this will be `https://notary.docker.io`. If you are operating against your own DTR
instance, this will be the same hostname you use in image names when running docker commands preceded
by the `https://` scheme. For example, if you would run `docker push my_dtr:4443/me/an_image` the value
of the `-s` flag would be expected to be `https://my_dtr:4443`.
N.B. if you are using DTR, the name of the repository should be identical to the full name you use
in a `docker push` command. If however you use Docker Hub, the name you use in a `docker push`
must be preceded by `docker.io/`. i.e. if you ran `docker push me/alpine`, you would
`notary init docker.io/me/alpine`.
For brevity, we will exclude the `-s` and `-d` flags from subsequent command, but be aware you
will still need to provide them for the commands to work correctly.
Now that the repository is initialized, we need to create the delegations for Jenkins. Docker
Content Trust treats a delegation role called `targets/releases` specially. It considers this
delegation to contain the canonical list of published images for the repository. It is therefore
generally desirable to add all users to this delegation with the following command:
```
notary delegation add my_repository targets/releases --all-paths /path/to/cert.pem
```
This solves a number of prioritization problems that would result from needing to determine
which delegation should ultimately be trusted for a specific image. However, because it
is anticipated that any user will be able to sign the `targets/releases` role it is not trusted
in determining if a signing policy has been met. Therefore it is also necessary to create a
delegation specifically for Jenkins:
```
notary delegation add my_repository targets/jenkins --all-paths /path/to/cert.pem
```
We will then publish both these updates (remember to add the correct `-s` and `-d` flags):
```
notary publish my_repository
```
Informational (Advanced): If we included the `targets/releases` role in determining if a signing policy
had been met, we would run into the situation of images being opportunistically deployed when
an appropriate user signs. In the scenario we have described so far, only images signed by
the "CI" team (containing only the "jenkins" user) should be deployable. If a user "Moby" could
also sign images but was not part of the "CI" team, they might sign and publish a new `targets/releases`
that contained their image. UCP would refuse to deploy this image because it was not signed
by the "CI" team. However, the next time Jenkins published an image, it would update and sign
the `targets/releases` role as whole, enabling "Moby" to deploy their image.
## Conclusion
With the Trusted Collection initialized, and delegations created, the Jenkins server will
now use the key we imported to sign any images we push to this repository.
Through either the Docker CLI, or the UCP browser interface, we will find that any images
that do not meet our signing policy cannot be used. The signing policy we set up requires
that the "CI" team must have signed any image we attempt to `docker pull`, `docker run`,
or `docker service create`, and the only member of that team is the "jenkins" user. This
restricts us to only running images that were published by our Jenkins CI system.

60
datacenter/ucp/2.2/guides/admin/configure/use-your-own-tls-certificates.md Normal file
View File

@ -0,0 +1,60 @@
---
description: Learn how to configure Docker Universal Control Plane to use your own
certificates.
keywords: Universal Control Plane, UCP, certificate, authentication, tls
title: Use your own TLS certificates
---
All UCP services are exposed using HTTPS, to ensure all communications between
clients and UCP are encrypted. By default this is done using self-signed TLS
certificates that are not trusted by client tools like web browsers. So when
you try to access UCP, your browser will warn that it doesn't trust UCP or that
UCP has an invalid certificate.
![invalid certificate](../../images/use-externally-signed-certs-1.png)
The same happens with other client tools.
```none
$ curl https://ucp.example.org
SSL certificate problem: Invalid certificate chain
```
You can configure UCP to use your own TLS certificates, so that it is
automatically trusted by your browser and client tools.
To ensure minimal impact to your business, you should plan for this change to
happen outside business peak hours. Your applications will continue running
normally, but existing UCP client certificates will become invalid, so users
will have to download new ones to [access UCP from the CLI](../../user/access-ucp/cli-based-access.md).
## Customize the UCP TLS certificates
To configure UCP to use your own TLS certificates and keys, go to the
**UCP web UI**, navigate to the **Admin Settings** page,
and click **Certificates**.
![](../../images/use-externally-signed-certs-2.png)
Upload your certificates and keys:
* A `ca.pem` file with the root CA public certificate.
* A `cert.pem` file with the TLS certificate for your domain and any intermediate public
certificates, in this order.
* A `key.pem` file with TLS private key. Make sure it is not encrypted with a password.
Encrypted keys should have `ENCRYPTED` in the first line.
Finally, click **Update** for the changes to take effect.
After replacing the TLS certificates your users won't be able to authenticate
with their old client certificate bundles. Ask your users to go to the UCP
web UI and [get new client certificate bundles](../../user/access-ucp/cli-based-access.md).
If you deployed Docker Trusted Registry, you'll also need to reconfigure it
to trust the new UCP TLS certificates.
[Learn how to configure DTR](/datacenter/dtr/2.2/reference/cli/reconfigure.md).
## Where to go next
* [Access UCP from the CLI](../../user/access-ucp/cli-based-access.md)

139
datacenter/ucp/2.2/guides/admin/install/index.md Normal file
View File

@ -0,0 +1,139 @@
---
description: Learn how to install Docker Universal Control Plane on production
keywords: Universal Control Plane, UCP, install
title: Install UCP for production
---
Docker Universal Control Plane (UCP) is a containerized application that can be
installed on-premise or on a cloud infrastructure.
## Step 1: Validate the system requirements
The first step to installing UCP, is ensuring your
infrastructure has all the [requirements UCP needs to run](system-requirements.md). You also need to ensure that all nodes (physical or virtual) are running the same version of CS Docker Engine.
## Step 2: Install CS Docker on all nodes
UCP is a containerized application that requires the commercially supported
Docker Engine to run.
For each host that you plan to manage with UCP:
1. Log in to that host using ssh.
2. Install Docker Engine 1.13:
```bash
curl -SLf https://packages.docker.com/1.13/install.sh | sh
```
[You can also install Docker Engine using a package manager](/cs-engine/1.13/index.md).
Make sure you install the same Docker Engine version on all the nodes. Also,
if you're creating virtual machine templates with Docker Engine already
installed, make sure the `/etc/docker/key.json` file is not included in the
virtual machine image. When provisioning the virtual machine, restart the Docker
daemon to generate a new `/etc/docker/key.json` file.
## Step 3: Customize named volumes
Skip this step if you want to use the defaults provided by UCP.
Docker UCP uses named volumes to persist data. If you want
to customize the drivers used to manage these volumes, you can create the
volumes before installing UCP. When you install UCP, the installer
will notice that the volumes already exist, and will start using them.
[Learn about the named volumes used by UCP](../../architecture.md).
If these volumes don't exist, they'll be automatically created when installing
UCP.
## Step 4: Install UCP
To install UCP you use the `docker/ucp` image, which has commands to install and
manage UCP.
To install UCP:
1. Use ssh to log in to the host where you want to install UCP.
2. Run the following command:
```none
# Pull the latest version of UCP
$ docker pull {{ page.ucp_latest_image }}
# Install UCP
$ docker run --rm -it --name ucp \
-v /var/run/docker.sock:/var/run/docker.sock \
{{ page.ucp_latest_image }} install \
--host-address <node-ip-address> \
--interactive
```
This runs the install command in interactive mode, so that you're
prompted for any necessary configuration values.
To find what other options are available in the install command, check the
[reference documentation](../../../reference/cli/install.md).
## Step 5: License your installation
Now that UCP is installed, you need to license it. In your browser, navigate
to the UCP web UI, log in with your administrator credentials and upload your
license.
![](../../../../../images/try-ddc-1.png){: .with-border}
If you're registered in the beta program and don't have a license yet, you
can get it from your [Docker Store subscriptions](https://store.docker.com/?overlay=subscriptions).
<!-- If you don't have a license yet, [learn how to get a free trial license](license.md). -->
## Step 6: Join manager nodes
Skip this step if you don't want UCP to be highly available.
To make your Docker swarm and UCP fault-tolerant and highly available, you can
join more manager nodes to it. Manager nodes are the nodes in the swarm
that perform the orchestration and swarm management tasks, and dispatch tasks
for worker nodes to execute.
To join manager nodes to the swarm, go to the **UCP web UI**, navigate to
the **Resources** page, and go to the **Nodes** section.
![](../../images/step-6-one-node.png){: .with-border}
Click the **Add Node** button to add a new node.
![](../../../../../images/try-ddc-3.png){: .with-border}
Check the 'Add node as a manager' to turn this node into a manager and replicate
UCP for high-availability.
Set the 'Use a custom listen address' option if you want to customize the
network and port where this node will listen for swarm management traffic. By
default the node listens on port 2377.
Set the 'Use a custom advertise address' option if you want to customize the
network and port this node will advertise to other swarm members so that they
can reach it.
For each manager node that you want to join to UCP, log in to that
node using ssh, and run the join command that is displayed on UCP.
![](../../images/step-6-two-nodes.png){: .with-border}
After you run the join command in the node, the node starts being displayed
in UCP.
## Step 7: Join worker nodes
Skip this step if you don't want to add more nodes to run and scale your apps.
To add more computational resources to your swarm, you can join worker nodes.
These nodes execute tasks assigned to them by the manager nodes. For this,
use the same steps as before, but don't check the 'Add node as a manager'
option.
## Where to go next
* [Use your own TLS certificates](../configure/use-your-own-tls-certificates.md)
* [Scale your cluster](../configure/scale-your-cluster.md)

65
datacenter/ucp/2.2/guides/admin/install/install-offline.md Normal file
View File

@ -0,0 +1,65 @@
---
description: Learn how to install Docker Universal Control Plane. on a machine with
no internet access.
keywords: docker, ucp, install, offline
title: Install UCP offline
---
The procedure to install Docker Universal Control Plane on a host is the same,
whether that host has access to the internet or not.
The only difference when installing on an offline host,
is that instead of pulling the UCP images from Docker Hub, you use a
computer that is connected to the internet to download a single package with
all the images. Then you copy that package to the host where youll install UCP. The offline installation process only works if one of the following is true:
* All of the cluster nodes (managers and workers alike) have internet access to Docker Hub
* None of the cluster (managers and workers alike) have internet access to Docker Hub
If the managers have access to Docker Hub while the workers do not, installation will fail.
## Versions available
{% include components/ddc_url_list.html %}
## Download the offline package
Use a computer with internet access to download a single package with all
Docker Datacenter components:
```bash
$ wget <package-url> -O docker-datacenter.tar.gz
```
Now that you have the package in your local machine, you can transfer it to
the machines where you want to install UCP.
For each machine that you want to manage with UCP:
1. Copy the Docker Datacenter package to that machine.
```bash
$ scp docker-datacenter.tar.gz <user>@<host>:/tmp
```
2. Use ssh to login into the hosts where you transferred the package.
3. Load the Docker Datacenter images.
Once the package is transferred to the hosts, you can use the
`docker load` command, to load the Docker images from the tar archive:
```bash
$ docker load < docker-datacenter.tar.gz
```
## Install UCP
Now that the offline hosts have all the images needed to install UCP,
you can [install Docker UCP on that host](index.md).
## Where to go next
* [Install UCP](index.md).
* [System requirements](system-requirements.md)

104
datacenter/ucp/2.2/guides/admin/install/plan-installation.md Normal file
View File

@ -0,0 +1,104 @@
---
description: Learn about the Docker Universal Control Plane architecture, and the
requirements to install it on production.
keywords: docker, ucp, install, checklist
title: Plan a production installation
---
Docker Universal Control Plane helps you manage your container cluster from a
centralized place. This article explains what you need to consider before
deploying Docker Universal Control Plane for production.
## System requirements
Before installing UCP you should make sure that all nodes (physical or virtual
machines) that you'll manage with UCP:
* [Comply with the system requirements](system-requirements.md)
* Are running the same version of Docker Engine
## Hostname strategy
Docker UCP requires Docker Engine to run. Before installing the commercially
supported Docker Engine on your cluster nodes, you should plan for a common
hostname strategy.
Decide if you want to use short hostnames like `engine01` or Fully Qualified
Domain Names (FQDN) likes `engine01.docker.vm`. Independently of your choice,
ensure your naming strategy is consistent across the cluster, since Docker
Engine and UCP use hostnames.
As an example, if your cluster has 3 hosts you can name them:
```none
node1.company.example.org
node2.company.example.org
node3.company.example.org
```
## Static IP addresses
Docker UCP requires each node on the cluster to have a static IP address.
Before installing UCP, ensure your network and nodes are configured to support
this.
## Time Synchronization
In distributed systems such as Docker UCP, time synchronization is critical
to ensure proper operation. As a best practice to ensure consistency between
the engines in a UCP cluster, all engines should regularly synchronize time
with a NTP server. If a server's clock is skewed, unexpected behavior may
cause poor performance or even failures.
## Load balancing strategy
Docker UCP does not include a load balancer. You can configure your own
load balancer to balance user requests across all manager nodes.
If you plan on using a load balancer, you need to decide whether you are going
to add the nodes to the load balancer using their IP address, or their FQDN.
Independently of what you choose, it should be consistent across nodes.
After that, you should take note of all IPs or FQDNs before starting the
installation.
## Load balancing UCP and DTR
By default, both UCP and DTR use port 443. If you plan on deploying UCP and DTR,
your load balancer needs to distinguish traffic between the two by IP address
or port number.
* If you want to configure your load balancer to listen on port 443:
* Use one load balancer for UCP, and another for DTR,
* Use the same load balancer with multiple virtual IPs.
* Configure your load balancer to expose UCP or DTR on a port other than 443.
## Using external CAs
You can customize UCP to use certificates signed by an external Certificate
Authority. When using your own certificates, take in consideration that you
need to have a certificate bundle that has:
* A ca.pem file with the root CA public certificate,
* A cert.pem file with the server certificate and any intermediate CA public
certificates. This certificate should also have SANs for all addresses used to
reach the UCP manager,
* A key.pem file with server private key.
You can have a certificate for each manager, with a common SAN. As an
example, on a three node cluster you can have:
* node1.company.example.org with SAN ucp.company.org
* node2.company.example.org with SAN ucp.company.org
* node3.company.example.org with SAN ucp.company.org
Alternatively, you can also install UCP with a single externally-signed
certificate for all managers rather than one for each manager node.
In that case, the certificate files will automatically be copied to any new
manager nodes joining the cluster or being promoted into managers.
## Where to go next
* [UCP system requirements](system-requirements.md)
* [Install UCP](index.md)

68
datacenter/ucp/2.2/guides/admin/install/system-requirements.md Normal file
View File

@ -0,0 +1,68 @@
---
description: Learn about the system requirements for installing Docker Universal Control
Plane.
keywords: docker, ucp, architecture, requirements
title: UCP System requirements
---
Docker Universal Control Plane can be installed on-premises or on the cloud.
Before installing, be sure your infrastructure has these requirements.
## Hardware and software requirements
You can install UCP on-premises or on a cloud provider. To install UCP,
all nodes must have:
* Linux kernel version 3.10 or higher
* CS Docker Engine version 1.13.0 or higher
* 4.00 GB of RAM
* 3.00 GB of available disk space
* A static IP address
For highly-available installations, you also need a way to transfer files
between hosts.
## Ports used
When installing UCP on a host, make sure the following ports are open:
| Hosts | Direction | Port | Purpose |
|:------------------|:---------:|:------------------------|:----------------------------------------------------------------------------------|
| managers, workers | in | TCP 443 (configurable) | Port for the UCP web UI and API |
| managers | in | TCP 2376 (configurable) | Port for the Docker Swarm manager. Used for backwards compatibility |
| managers, workers | in | TCP 2377 (configurable) | Port for communication between swarm nodes |
| managers, workers | in, out | UDP 4789 | Port for overlay networking |
| managers, workers | in, out | TCP, UDP 7946 | Port for gossip-based clustering |
| managers, workers | in | TCP 12376 | Port for a TLS proxy that provides access to UCP, Docker Engine, and Docker Swarm |
| managers | in | TCP 12379 | Port for internal node configuration, cluster configuration, and HA |
| managers | in | TCP 12380 | Port for internal node configuration, cluster configuration, and HA |
| managers | in | TCP 12381 | Port for the certificate authority |
| managers | in | TCP 12382 | Port for the UCP certificate authority |
| managers | in | TCP 12383 | Port for the authentication storage backend |
| managers | in | TCP 12384 | Port for the authentication storage backend for replication across managers |
| managers | in | TCP 12385 | Port for the authentication service API |
| managers | in | TCP 12386 | Port for the authentication worker |
| managers | in | TCP 12387 | Port for the metrics service |
## Compatibility and maintenance lifecycle
Docker Datacenter is a software subscription that includes 3 products:
* CS Docker Engine,
* Docker Trusted Registry,
* Docker Universal Control Plane.
[Learn more about the maintenance lifecycle for these products](http://success.docker.com/Get_Help/Compatibility_Matrix_and_Maintenance_Lifecycle).
## Version compatibility
UCP 2.1 requires minimum versions of the following Docker components:
- Docker Engine 1.13.0
- Docker Remote API 1.25
- Compose 1.9
## Where to go next
* [UCP architecture](../../architecture.md)
* [Plan your installation](plan-installation.md)

53
datacenter/ucp/2.2/guides/admin/install/uninstall.md Normal file
View File

@ -0,0 +1,53 @@
---
description: Learn how to uninstall a Docker Universal Control Plane cluster.
keywords: docker, ucp, uninstall
title: Uninstall UCP
---
Docker UCP is designed to scale as your applications grow in size and usage.
You can [add and remove nodes](../configure/scale-your-cluster.md) from the
cluster, to make it scale to your needs.
You can also uninstall Docker Universal Control Plane from your cluster. In this
case the UCP services are stopped and removed, but your Docker Engines will
continue running in swarm mode. You applications will continue running normally.
If you wish to remove a single node from the UCP cluster, you should instead
[Remove that node from the cluster](../configure/scale-your-cluster.md).
After you uninstall UCP from the cluster, you'll no longer be able to enforce
role-based access control to the cluster, or have a centralized way to monitor
and manage the cluster.
After uninstalling UCP from the cluster, you will no longer be able to join new
nodes using `docker swarm join` unless you reinstall UCP.
To uninstall UCP, log in to a manager node using ssh, and run the following
command:
```bash
$ docker run --rm -it \
-v /var/run/docker.sock:/var/run/docker.sock \
--name ucp \
{{ page.docker_image }} uninstall-ucp --interactive
```
This runs the uninstall command in interactive mode, so that you are prompted
for any necessary configuration values. Running this command on a single manager
node will uninstall UCP from the entire cluster. [Check the reference
documentation](../../../reference/cli/index.md) to learn the options available
in the `uninstall-ucp` command.
## Swarm mode CA
After uninstalling UCP, the nodes in your cluster will still be in swarm mode, but you cannot
join new nodes until you reinstall UCP, because swarm mode was relying on UCP to provide the
CA certificates that allow nodes in the cluster to identify each other. Additionally, since
swarm mode is no longer controlling its own certificates, if the certificates expire after
you uninstall UCP the nodes in the cluster will not be able to communicate at all. To fix this,
either reinstall UCP before the certificates expire or disable swarm mode by running
`docker swarm leave --force` on every node.
## Where to go next
* [Scale your cluster](../configure/scale-your-cluster.md)

97
datacenter/ucp/2.2/guides/admin/manage-users/create-and-manage-teams.md Normal file
View File

@ -0,0 +1,97 @@
---
description: Learn how to create and manage user permissions, using teams in
your Docker Universal Control Plane cluster.
keywords: authorize, authentication, users, teams, groups, sync, UCP, Docker
title: Create and manage teams
---
You can extend the user's default permissions by granting them fine-grain
permissions over resources. You do this by adding the user to a team.
A team defines the permissions users have for resources that have the label
`com.docker.ucp.access.label` applied to them. Keep in mind that a label can
be applied to multiple teams with different permission levels.
To create a new team, go to the **UCP web UI**, and navigate to the
**Users & Teams** page.
![](../../images/create-and-manage-teams-1.png){: .with-border}
Click the **Create** button to create a new team, and assign it a name.
![](../../images/create-and-manage-teams-2.png){: .with-border}
## Add users to a team
You can now add and remove users from the team.
Navigate to the **Members** tab, and click the **Add User to Team** button.
Then choose the list of users that you want to add to the team.
![](../../images/create-and-manage-teams-3.png){: .with-border}
## Sync team members with your organization's LDAP directory.
If UCP is configured to sync users with your organization's LDAP directory
server, you will have the option to enable syncing the new team's members when
creating a new team or when modifying settings of an existing team.
[Learn how to configure integration with an LDAP directory](../configure/external-auth/index.md).
Enabling this option will expand the form with additional field for configuring
the sync of team members.
![](../../images/create-and-manage-teams-5.png){: .with-border}
There are two methods for matching group members from an LDAP directory:
**Match LDAP Group Members**
This option specifies that team members should be synced directly with members
of a group in your organization's LDAP directory. The team's membership will by
synced to match the membership of the group.
| Field | Description |
|:-----------------------|:------------------------------------------------------------------------------------------------------|
| Group DN | This specifies the distinguished name of the group from which to select users. |
| Group member attribute | The value of this group attribute corresponds to the distinguished names of the members of the group. |
**Match LDAP Search Results**
This option specifies that team members should be synced using a search query
against your organization's LDAP directory. The team's membership will be
synced to match the users in the search results.
| Field | Description |
|:--------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------|
| Base DN | The distinguished name of the node in the directory tree where the search should start looking for users. |
| Search scope | Whether to perform the LDAP search on a single level of the LDAP tree, or search through the full LDAP tree starting at the Base DN. |
| Search Filter | The LDAP search filter used to find users. If you leave this field empty, all existing users in the search scope will be added as members of the team. |
**Immediately Sync Team Members**
Select this option to immediately run an LDAP sync operation after saving the
configuration for the team. It may take a moment before the members of the team
are fully synced.
## Manage team permissions
To manage the permissions of the team, click the **Permissions** tab.
Here you can specify a list of labels and the permission level users will have
for resources with those labels.
![](../../images/create-and-manage-teams-4.png){: .with-border}
In the example above, members of the 'Operations' team have permissions to
create and edit resources that have the labels
`com.docker.ucp.access.label=operations` applied, but can only view resources
that have the `com.docker.ucp.access.label=blog` label.
There are four permission levels available:
| Team permission level | Description |
|:----------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------|
| `No Access` | The user can't view resources with this label. |
| `View Only` | The user can view but can't create resources with this label. |
| `Restricted Control` | The user can view and create resources with this label. The user can't run `docker exec`, or services that require privileged access to the host. |
| `Full Control` | The user can view and create resources with this label, without any restriction. |
## Where to go next
* [UCP permission levels](permission-levels.md)

42
datacenter/ucp/2.2/guides/admin/manage-users/create-and-manage-users.md Normal file
View File

@ -0,0 +1,42 @@
---
description: Learn how to create and manage users in your Docker Universal Control
Plane cluster.
keywords: authorize, authentication, users, teams, UCP, Docker
title: Create and manage users
---
When using the UCP built-in authentication, you need to create users and
assign them a default permission level so that they can access the
cluster.
To create a new user, go to the **UCP web UI**, and navigate to the
**Users & Teams** page.
![](../../images/create-users-1.png){: .with-border}
Click the **Create User** button, and fill-in the user information.
![](../../images/create-users-2.png){: .with-border}
Check the `Is a UCP admin` option, if you want to grant permissions for the
user to change cluster configurations. Also, assign the user a default
permission level.
Default permissions specify the permission a user has for resources that don't
have the `com.docker.access.label` label applied to them. There are four
permission levels:
| Default permission level | Description |
|:-------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `No Access` | The user can't view resource, like services, images, networks, and volumes. |
| `View Only` | The user can view images and volumes, but can't create services. |
| `Restricted Control` | The user can view and edit volumes and networks. They can create services, but can't see other users' services, run `docker exec`, or run containers that require privileged access to the host. |
| `Full Control` | The user can view and edit volumes and networks. They can create containers without any restriction, but can't see other users' containers. |
[Learn more about the UCP permission levels](permission-levels.md). Finally,
click the **Create User** button, to create the user.
## Where to go next
* [Create and manage teams](create-and-manage-teams.md)
* [UCP permission levels](permission-levels.md)

55
datacenter/ucp/2.2/guides/admin/manage-users/index.md Normal file
View File

@ -0,0 +1,55 @@
---
description: Learn how to manage permissions in Docker Universal Control Plane.
keywords: authorization, authentication, users, teams, UCP
title: Authentication and authorization
---
With Docker Universal Control Plane you get to control who can create and edit
resources like services, images, networks, and volumes in your cluster.
By default no one can make changes to your cluster. You can then grant and
manage permissions to enforce fine-grained access control. For that:
* Start by creating a user and assigning them a default permission.
Default permissions specify the permission a user has to create and edit
resources. You can choose from four permission levels that range from
no access to full control over the resources.
* Extend the user permissions by adding users to a team.
You can extend the user's default permissions by adding the user to a team.
A team defines the permissions users have for a collection of labels, and
thus the resources that have those labels applied to them.
## Users and teams
When users create services or networks with no label, those resources are only
visible to them and administrative users.
For a team of users to be able to see and edit the same resources, the
resources needs to have the `com.docker.ucp.access.label` label applied.
![](../../images/secure-your-infrastructure-1.svg)
In the example above, we have two sets of containers. One set has all containers
labeled with `com.docker.ucp.access.label=crm`, the other has all containers
labeled with `com.docker.ucp.access.label=billing`.
You can now create different teams, and tune the permission level each
team has for those containers.
![](../../images/secure-your-infrastructure-2.svg)
As an example you can create three different teams:
* The team that's developing the CRM app has access to create and edit
containers with the label `com.docker.ucp.access.label=crm`.
* The team that's developing the Billing app, has access to create and edit
containers with the label `com.docker.ucp.access.label=billing`.
* And of course, the operations team has access to create and edit containers
with any of the two labels.
## Where to go next
* [Create and manage users](create-and-manage-users.md)
* [Create and manage teams](create-and-manage-teams.md)

56
datacenter/ucp/2.2/guides/admin/manage-users/permission-levels.md Normal file
View File

@ -0,0 +1,56 @@
---
description: Learn about the permission levels available in Docker Universal
Control Plane.
keywords: authorization, authentication, users, teams, UCP
title: Permission levels
---
Docker Universal Control Plane has two types of users: administrators and
regular users. Administrators can make changes to the UCP cluster, while
regular users have permissions that range from no access to full control over
volumes, networks, images, and containers.
## Administrator users
In Docker UCP, only users with administrator privileges can make changes to
cluster settings. This includes:
* Managing user and team permissions,
* Managing cluster configurations like adding and removing nodes to the cluster.
## Default permission levels
Regular users can't change cluster settings, and they are assigned with a
default permission level.
The default permission level specify the permission a user has to access or
edit resources. You can choose from four permission levels that range from no
access to full control over the resources.
| Default permission level | Description |
|:-------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `No Access` | The user can't view any resource, like volumes, networks, images, or containers. |
| `View Only` | The user can view volumes, networks, and images, but can't create any containers. |
| `Restricted Control` | The user can view and edit volumes, networks, and images. They can create containers, but can't see other users' containers, run `docker exec`, or run containers that require privileged access to the host. |
| `Full Control` | The user can view and edit volumes, networks, and images, They can create containers without any restriction, but can't see other users' containers. |
If a user has Restricted Control or Full Control default permissions, they can create resources without labels, and only the user and Admins can see and access the resources. Default permissions also affect ability for a user to access things that can't have labels, images and nodes.
## Team permission levels
Teams and labels give the administrator fine-grained control over permissions. Each team can have multiple labels. Each label has a key of `com.docker.ucp.access.label`. The label is then applied to the containers, services, networks, secrets, and volumes. Labels are not currently available for nodes and images. DTR has its own permissions.
There are four permission levels:
| Team permission level | Description |
|:----------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------|
| `No Access` | The user can't view containers with this label. |
| `View Only` | The user can view but can't create containers with this label. |
| `Restricted Control` | The user can view and create containers with this label. The user can't run `docker exec`, or containers that require privileged access to the host. |
| `Full Control` | The user can view and create containers with this label, without any restriction. |
## Where to go next
* [Create and manage users](create-and-manage-users.md)
* [Create and manage teams](create-and-manage-teams.md)
* [Docker Reference Architecture: Securing Docker Datacenter and Security Best Practices](https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices)

28
datacenter/ucp/2.2/guides/admin/manage-users/recover-a-user-password.md Normal file
View File

@ -0,0 +1,28 @@
---
title: Recover a user password
description: Learn how to recover your Docker Datacenter credentials
keywords: docker, ucp, authentication
---
If you have administrator credentials to UCP, you can reset the password of
other users.
If that user is being managed using an LDAP service, you need to change the
user password on that system. If the user account is managed using UCP,
log in with administrator credentials to the **UCP web UI**, navigate to
the **User Management** tab, and choose the user whose password you want to change.
![](../../images/recover-a-user-password-1.png){: .with-border}
If you're an administrator and forgot your password, you can ask other users
with administrator credentials to change your password.
If you're the only administrator, use **ssh** to log in to a manager
node managed by UCP, and run:
```none
{% raw %}
docker exec -it ucp-auth-api enzi \
"$(docker inspect --format '{{ index .Args 0 }}' ucp-auth-api)" \
passwd -i
{% endraw %}
```

65
datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/index.md Normal file
View File

@ -0,0 +1,65 @@
---
title: Monitor the cluster status
description: Monitor your Docker Universal Control Plane installation, and learn how
to troubleshoot it.
keywords: Docker, UCP, troubleshoot
---
You can monitor the status of UCP by using the web UI or the CLI.
You can also use the `_ping` endpoint to build monitoring automation.
## Check status from the UI
The first place to check the status of UCP is the **UCP web UI**, since it
shows warnings for situations that require your immediate attention.
Administrators might see more warnings than regular users.
![UCP dashboard](../../images/monitor-ucp-0.png){: .with-border}
You can also navigate to the **Nodes** page, to see if all the nodes
managed by UCP are healthy or not.
![UCP dashboard](../../images/monitor-ucp-1.png){: .with-border}
Each node has a status message explaining any problems with the node.
[Learn more about node status](troubleshoot-node-messages.md).
## Check status from the CLI
You can also monitor the status of a UCP cluster using the Docker CLI client.
Download [a UCP client certificate bundle](../../user/access-ucp/cli-based-access.md)
and then run:
```none
$ docker node ls
```
As a rule of thumb, if the status message starts with `[Pending]`, then the
current state is transient and the node is expected to correct itself back
into a healthy state. [Learn more about node status](troubleshoot-node-messages.md).
## Monitoring automation
You can use the `https://<ucp-manager-url>/_ping` endpoint to check the health
of a single UCP manager node. When you access this endpoint, the UCP manager
validates that all its internal components are working, and returns one of the
following HTTP error codes:
* 200, if all components are healthy
* 500, if one or more components are not healthy
If an administrator client certificate is used as a TLS client certificate for
the `_ping` endpoint, a detailed error message is returned if any component is
unhealthy.
If you're accessing the `_ping` endpoint through a load balancer, you'll have no
way of knowing which UCP manager node is not healthy, since any manager node
might be serving your request. Make sure you're connecting directly to the
URL of a manager node, and not a load balancer.
## Where to go next
* [Troubleshoot with logs](troubleshoot-with-logs.md)
* [Troubleshoot node states](./troubleshoot-node-messages.md)

121
datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-configurations.md Normal file
View File

@ -0,0 +1,121 @@
---
title: Troubleshoot cluster configurations
description: Learn how to troubleshoot your Docker Universal Control Plane cluster.
keywords: ectd, rethinkdb, key, value, store, database, ucp
---
UCP automatically tries to heal itself by monitoring it's internal
components and trying to bring them to a healthy state.
In most cases, if a single UCP component is persistently in a
failed state, you should be able to restore the cluster to a healthy state by
removing the unhealthy node from the cluster and joining it again.
[Lean how to remove and join modes](../configure/scale-your-cluster.md).
## Troubleshoot the etcd key-value store
UCP persists configuration data on an [etcd](https://coreos.com/etcd/)
key-value store and [RethinkDB](https://rethinkdb.com/) database that are
replicated on all manager nodes of the UCP cluster. These data stores are for
internal use only, and should not be used by other applications.
### With the HTTP API
In this example we'll use `curl` for making requests to the key-value
store REST API, and `jq` to process the responses.
You can install these tools on a Ubuntu distribution by running:
```bash
$ sudo apt-get update && apt-get install curl jq
```
1. Use a client bundle to authenticate your requests.
[Learn more](../../user/access-ucp/cli-based-access.md).
2. Use the REST API to access the cluster configurations.
```bash
# $DOCKER_HOST and $DOCKER_CERT_PATH are set when using the client bundle
$ export KV_URL="https://$(echo $DOCKER_HOST | cut -f3 -d/ | cut -f1 -d:):12379"
$ curl -s \
--cert ${DOCKER_CERT_PATH}/cert.pem \
--key ${DOCKER_CERT_PATH}/key.pem \
--cacert ${DOCKER_CERT_PATH}/ca.pem \
${KV_URL}/v2/keys | jq "."
```
To learn more about the key-value store REST API check the
[etcd official documentation](https://coreos.com/etcd/docs/latest/).
### With the CLI client
The containers running the key-value store, include `etcdctl`, a command line
client for etcd. You can run it using the `docker exec` command.
The examples below assume you are logged in with ssh into a UCP manager node.
```bash
$ docker exec -it ucp-kv etcdctl \
--endpoint https://127.0.0.1:2379 \
--ca-file /etc/docker/ssl/ca.pem \
--cert-file /etc/docker/ssl/cert.pem \
--key-file /etc/docker/ssl/key.pem \
cluster-health
member 16c9ae1872e8b1f0 is healthy: got healthy result from https://192.168.122.64:12379
member c5a24cfdb4263e72 is healthy: got healthy result from https://192.168.122.196:12379
member ca3c1bb18f1b30bf is healthy: got healthy result from https://192.168.122.223:12379
cluster is healthy
```
On failure the command exits with an error code, and no output.
To learn more about the `etcdctl` utility, check the
[etcd official documentation](https://coreos.com/etcd/docs/latest/).
## RethinkDB Database
User and organization data for Docker Datacenter is stored in a RethinkDB
database which is replicated across all manager nodes in the UCP cluster.
Replication and failover of this database is typically handled automatically by
UCP's own configuration management processes, but detailed database status and
manual reconfiguration of database replication is available through a command
line tool available as part of UCP.
The examples below assume you are logged in with ssh into a UCP manager node.
### Check the status of the database
```bash
{% raw %}
# NODE_ADDRESS will be the IP address of this Docker Swarm manager node
NODE_ADDRESS=$(docker info --format '{{.Swarm.NodeAddr}}')
# VERSION will be your most recent version of the docker/ucp-auth image
VERSION=$(docker image ls --format '{{.Tag}}' docker/ucp-auth | head -n 1)
# This command will output detailed status of all servers and database tables
# in the RethinkDB cluster.
docker run --rm -v ucp-auth-store-certs:/tls docker/ucp-auth:${VERSION} --db-addr=${NODE_ADDRESS}:12383 db-status
{% endraw %}
```
### Manually reconfigure database replication
```bash
{% raw %}
# NODE_ADDRESS will be the IP address of this Docker Swarm manager node
NODE_ADDRESS=$(docker info --format '{{.Swarm.NodeAddr}}')
# NUM_MANAGERS will be the current number of manager nodes in the cluster
NUM_MANAGERS=$(docker node ls --filter role=manager -q | wc -l)
# VERSION will be your most recent version of the docker/ucp-auth image
VERSION=$(docker image ls --format '{{.Tag}}' docker/ucp-auth | head -n 1)
# This reconfigure-db command will repair the RethinkDB cluster to have a
# number of replicas equal to the number of manager nodes in the cluster.
docker run --rm -v ucp-auth-store-certs:/tls docker/ucp-auth:${VERSION} --db-addr=${NODE_ADDRESS}:12383 --debug reconfigure-db --num-replicas ${NUM_MANAGERS} --emergency-repair
{% endraw %}
```
## Where to go next
* [Get support](../../get-support.md)

29
datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-node-messages.md Normal file
View File

@ -0,0 +1,29 @@
---
title: Troubleshoot UCP Node States
description: Learn how to troubleshoot individual UCP nodes.
keywords: Docker, UCP, troubleshoot, health, swarm
---
There are several cases in the lifecycle of UCP when a node is actively
transitioning from one state to another, such as when a new node is joining the
cluster or during node promotion and demotion. In these cases, the current step
of the transition will be reported by UCP as a node message. You can view the
state of each individual node by following the same steps required to [monitor
cluster status](index.md).
## UCP node states
The following table lists all possible node states that may be reported for a
UCP node, their explanation, and the expected duration of a given step.
| Message | Description | Typical step duration |
|:-----------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------------|
| Completing node registration | Waiting for the node to appear in KV node inventory. This is expected to occur when a node first joins the UCP cluster. | 5 - 30 seconds |
| The ucp-agent task is <state> | The `ucp-agent` task on the target node is not in a running state yet. This is an expected message when configuration has been updated, or when a new node was first joined to the UCP cluster. This step may take a longer time duration than expected if the UCP images need to be pulled from Docker Hub on the affected node. | 1-10 seconds |
| Unable to determine node state | The `ucp-reconcile` container on the target node just started running and we are not able to determine its state. | 1-10 seconds |
| Node is being reconfigured | The `ucp-reconcile` container is currently converging the current state of the node to the desired state. This process may involve issuing certificates, pulling missing images, and starting containers, depending on the current node state. | 1 - 60 seconds |
| Reconfiguration pending | The target node is expected to be a manager but the `ucp-reconcile` container has not been started yet. | 1 - 10 seconds |
| Unhealthy UCP Controller: node is unreachable | Other manager nodes of the cluster have not received a heartbeat message from the affected node within a predetermined timeout. This usually indicates that there's either a temporary or permanent interruption in the network link to that manager node. Please ensure the underlying networking infrastructure is operational and contact support if the symptom persists. | Until resolved |
| Unhealthy UCP Controller: unable to reach controller | The controller that we are currently communicating with is not reachable within a predetermined timeout. Please refresh the node listing to see if the symptom persists. If the symptom appears intermittently, this could indicate latency spikes between manager nodes, which can lead to temporary loss in the availability of UCP itself. Please ensure the underlying networking infrastructure is operational and contact support if the symptom persists. | Until resolved |
| Unhealthy UCP Controller: Docker Swarm Cluster: Local node `<ip>` has status Pending | The Engine ID of an engine is not unique in the swarm. When a node first joins the cluster, it's added to the node inventory and discovered as `Pending` by Docker Swarm. The engine is "validated" if a `ucp-swarm-manager` container can connect to it via TLS, and if its Engine ID is unique in the swarm. If you see this issue repeatedly, make sure that your engines don't have duplicate IDs. Use `docker info` to see the Engine ID. Refresh the ID by removing the `/etc/docker/key.json` file and restarting the daemon. | Until resolved |

95
datacenter/ucp/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-with-logs.md Normal file
View File

@ -0,0 +1,95 @@
---
description: Learn how to troubleshoot your Docker Universal Control Plane cluster.
keywords: docker, ucp, troubleshoot
title: Troubleshoot your cluster
---
If you detect problems in your UCP cluster, you can start your troubleshooting
session by checking the logs of the
[individual UCP components](../../architecture.md). Only administrator users can
see information about UCP system containers.
## Check the logs from the UI
To see the logs of the UCP system containers, navigate to the **Containers**
page of UCP. By default the UCP system containers are hidden. Click the
**Show all containers** option for the UCP system containers to be listed as
well.
![](../../images/troubleshoot-with-logs-1.png){: .with-border}
You can click on a container to see more details like its configurations and
logs.
## Check the logs from the CLI
You can also check the logs of UCP system containers from the CLI. This is
specially useful if the UCP web application is not working.
1. Get a client certificate bundle.
When using the Docker CLI client you need to authenticate using client
certificates.
[Learn how to use client certificates](../../user/access-ucp/cli-based-access.md).
If your client certificate bundle is for a non-admin user, you won't have
permissions to see the UCP system containers.
2. Check the logs of UCP system containers.
```bash
# By default system containers are not displayed. Use the -a flag to display them
$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
922503c2102a docker/ucp-controller:1.1.0-rc2 "/bin/controller serv" 4 hours ago Up 30 minutes 192.168.10.100:444->8080/tcp ucp/ucp-controller
1b6d429f1bd5 docker/ucp-swarm:1.1.0-rc2 "/swarm join --discov" 4 hours ago Up 4 hours 2375/tcp ucp/ucp-swarm-join
# See the logs of the ucp/ucp-controller container
$ docker logs ucp/ucp-controller
{"level":"info","license_key":"PUagrRqOXhMH02UgxWYiKtg0kErLY8oLZf1GO4Pw8M6B","msg":"/v1.22/containers/ucp/ucp-controller/json","remote_addr":"192.168.10.1:59546","tags":["api","v1.22","get"],"time":"2016-04-25T23:49:27Z","type":"api","username":"dave.lauper"}
{"level":"info","license_key":"PUagrRqOXhMH02UgxWYiKtg0kErLY8oLZf1GO4Pw8M6B","msg":"/v1.22/containers/ucp/ucp-controller/logs","remote_addr":"192.168.10.1:59546","tags":["api","v1.22","get"],"time":"2016-04-25T23:49:27Z","type":"api","username":"dave.lauper"}
```
## Get a support dump
Before making any changes to UCP, download a [support dump](../../get-support.md).
This allows you to troubleshoot problems which were already happening before
changing UCP configurations.
Then you can increase the UCP log level to debug, making it easier to understand
the status of the UCP cluster. Changing the UCP log level restarts all UCP
system components and introduces a small downtime window to UCP. Your
applications won't be affected by this.
To increase the UCP log level, navigate to the **UCP web UI**, go to the
**Admin Settings** tab, and choose **Logs**.
![](../../images/troubleshoot-with-logs-2.png){: .with-border}
Once you change the log level to **Debug** the UCP containers are restarted.
Now that the UCP components are creating more descriptive logs, you can download
again a support dump and use it to troubleshoot the component causing the
problem.
Depending on the problem you are experiencing, it's more likely that you'll
find related messages in the logs of specific components on manager nodes:
* If the problem occurs after a node was added or removed, check the logs
of the `ucp-reconcile` container.
* If the problem occurs in the normal state of the system, check the logs
of the `ucp-controller` container.
* If you are able to visit the UCP web UI but unable to log in, check the
logs of the `ucp-auth-api` and `ucp-auth-store` containers.
It's normal for the `ucp-reconcile` container to be in a stopped state. This
container is only started when the `ucp-agent` detects that a node needs to
transition to a different state, and it is responsible for creating and removing
containers, issuing certificates, and pulling missing images.
## Where to go next
* [Troubleshoot configurations](troubleshoot-configurations.md)

60
datacenter/ucp/2.2/guides/admin/upgrade-offline.md Normal file
View File

@ -0,0 +1,60 @@
---
description: Learn how to upgrade Docker Universal Control Plane. on a machine with
no internet access.
keywords: docker, ucp, upgrade, offline
title: Upgrade UCP offline
---
Upgrading Universal Control Plane is the same, whether your hosts have access to
the internet or not.
The only difference when upgrading on an offline host,
is that instead of pulling the UCP images from Docker Store, you use a
computer that is connected to the internet to download a single package with
all the images. Then you copy that package to the host where youll upgrade UCP.
## Versions available
{% include components/ddc_url_list.html %}
## Download the offline package
Use a computer with internet access to download a single package with all
UCP components:
```bash
$ wget <package-url> -O docker-datacenter.tar.gz
```
Now that you have the package in your local machine, you can transfer it to
the machines where you want to upgrade UCP.
For each machine that you want to manage with UCP:
1. Copy the offline package to that machine.
```bash
$ scp docker-datacenter.tar.gz <user>@<host>:/tmp
```
2. Use ssh to log in to the hosts where you transferred the package.
3. Load the UCP images.
Once the package is transferred to the hosts, you can use the
`docker load` command, to load the Docker images from the tar archive:
```bash
$ docker load < docker-datacenter.tar.gz
```
## Upgrade UCP
Now that the offline hosts have all the images needed to upgrade UCP,
you can [upgrade Docker UCP](index.md).
## Where to go next
* [Upgrade UCP](index.md)
* [Release Notes](release-notes.md)

103
datacenter/ucp/2.2/guides/admin/upgrade.md Normal file
View File

@ -0,0 +1,103 @@
---
title: Upgrade to UCP 2.1
description: Learn how to upgrade Docker Universal Control Plane with minimal impact
to your users.
keywords: Docker, UCP, upgrade, update
---
This page guides you in upgrading Docker Universal Control Plane (UCP) to
version 2.1.
Before upgrading to a new version of UCP, check the
[release notes](../release-notes/index.md) for this version.
There you'll find information about the new features, breaking changes, and
other relevant information for upgrading to a particular version.
## Plan the upgrade
As part of the upgrade process, you'll be upgrading the Docker Engine
installed in each node of the cluster to version 1.13.
You should plan for the upgrade to take place outside business hours, to ensure
there's minimal impact to your users.
Also, don't make changes to UCP configurations while you're upgrading it. That
can lead to misconfigurations that are difficult to troubleshoot.
## Backup your cluster
Before starting an upgrade, make sure your cluster is healthy. If a problem
occurs that will make it easier to find and troubleshoot any problems.
Then, [create a backup](backups-and-disaster-recovery.md)
of your cluster. This will allow you to recover from an existing backup if
something goes wrong during the upgrade process.
## Upgrade Docker Engine
For each node that is part of your cluster, upgrade the Docker Engine
installed on that node to Docker Engine version 1.13 or higher.
Starting with the manager nodes, and then worker nodes:
1. Log into the node using ssh.
2. Upgrade the Docker Engine to version 1.13 or higher.
3. Make sure the node is healthy.
In your browser, navigate to the **UCP web UI**, and validate that the
node is healthy and is part of the cluster.
## Upgrade UCP
You can upgrade UCP from the web UI or the CLI.
### Using the UI to perform an upgrade
When an upgrade is available for a UCP installation, a banner will be shown.
![](../images/upgrade-ucp-1.png){: .with-border}
Clicking this message takes an admin user directly to the upgrade process.
It can be found under the **Cluster Configuration** tab of the **Admin
Settings** section.
![](../images/upgrade-ucp-2.png){: .with-border}
Select a version to upgrade to using the **Available UCP Versions** dropdown,
then click to upgrade.
Before the upgrade happens, a confirmation dialog along with important
information regarding cluster and UI availability will be displayed.
![](../images/upgrade-ucp-3.png){: .with-border}
During the upgrade the UI will be unavailable and it is recommended to wait
until completion before continuing to interact with it. Upon upgrade
completion, the user will see a notification that a newer version of the UI
is available and a browser refresh is required to see the latest UI.
### Using the CLI to perform an upgrade
To upgrade from the CLI, log into a UCP manager node using ssh, and run:
```
# Get the latest version of UCP
$ docker pull {{ page.docker_image }}
$ docker run --rm -it \
--name ucp \
-v /var/run/docker.sock:/var/run/docker.sock \
{{ page.docker_image }} \
upgrade --interactive
```
This runs the upgrade command in interactive mode, so that you are prompted
for any necessary configuration values.
Once the upgrade finishes, navigate to the **UCP web UI** and make sure that
all the nodes managed by UCP are healthy.
![](../images/upgrade-ucp-4.png)
## Where to go next
* [UCP release notes](../release-notes/index.md)

139
datacenter/ucp/2.2/guides/architecture.md Normal file
View File

@ -0,0 +1,139 @@
---
description: Learn about the architecture of Docker Universal Control Plane.
keywords: docker, ucp, architecture
title: UCP architecture
---
Universal Control Plane is a containerized application that runs on [Docker Enterprise Edition](/enterprise/index.md) and extends its functionality to
make it easier to deploy, configure, and monitor your applications at scale.
It also secures Docker with role-based access control so that only authorized
users can make changes and deploy applications to your Docker cluster.
![](images/architecture-1.svg)
Once Universal Control Plane (UCP) is deployed, developers and IT operations
no longer interact with Docker Engine directly, but interact with UCP instead.
Since UCP exposes the standard Docker API this is all done transparently, so
that you can use the tools you already know and love like the Docker CLI client
and Docker Compose.
## Under the hood
Docker UCP leverages the clustering and orchestration functionality provided
by Docker.
![](images/architecture-2.svg)
A swarm is a collection of nodes that are in the same Docker swarm. [Nodes](/engine/swarm/key-concepts.md) in a Docker swarm operate in one of two modes: Manager or Worker. If nodes are not already running in a swarm when installing UCP, nodes will be configured to run in swarm mode.
When you deploy UCP, it starts running a globally scheduled service called
`ucp-agent`. This service monitors the node where it is running and starts
and stops UCP services, based on whether that node is a
[manager or a worker node](/engine/swarm/key-concepts.md).
If the node is a:
* **Manager**: the `ucp-agent` service automatically starts serving all UCP
components including the UCP web UI and data stores used by UCP. The `ucp-agent` accomplishes this by [deploying several containers](#ucp-components-in-manager-nodes) on the node. By promoting a node to manager, UCP automatically becomes highly available and fault tolerant.
* **Worker**: on worker nodes the `ucp-agent` service starts serving a proxy
service that ensures only authorized users and other UCP services can run Docker
commands in that node. The `ucp-agent` only deploys a [subset of containers](#ucp-components-in-worker-nodes) on worker nodes.
## UCP internal components
The core component of UCP is a globally-scheduled service called `ucp-agent`.
When you install UCP on a node, or join a node to a swarm that is being managed
by UCP, the `ucp-agent` service starts running on that node.
Once this service is running, it deploys containers with other UCP components,
and ensures they keep running. The UCP components that are deployed
on a node depend on whether that node is a manager or a worker.
### UCP components in manager nodes
Manager nodes run all UCP services, including the web UI and data stores that
persist the state of UCP. These are the UCP services running on manager nodes:
| UCP component | Description |
|:--------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| ucp-agent | Monitors the node and ensures the right UCP services are running |
| ucp-reconcile | When ucp-agent detects that the node is not running the right UCP components, it starts the ucp-reconcile container to converge the node to its desired state. It is expected for the ucp-reconcile container to remain in an exited state when the node is healthy. |
| ucp-auth-api | The centralized service for identity and authentication used by UCP and DTR |
| ucp-auth-store | Stores authentication configurations, and data for users, organizations and teams |
| ucp-auth-worker | Performs scheduled LDAP synchronizations and cleans authentication and authorization data |
| ucp-client-root-ca | A certificate authority to sign client bundles |
| ucp-cluster-root-ca | A certificate authority used for TLS communication between UCP components |
| ucp-controller | The UCP web server |
| ucp-kv | Used to store the UCP configurations. Don't use it in your applications, since it's for internal use only |
| ucp-metrics | Used to collect and process metrics for a node, like the disk space available |
| ucp-proxy | A TLS proxy. It allows secure access to the local Docker Engine to UCP components |
| ucp-swarm-manager | Used to provide backwards-compatibility with Docker Swarm |
### UCP components in worker nodes
Worker nodes are the ones where you run your applications. These are the UCP
services running on worker nodes:
| UCP component | Description |
|:--------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| ucp-agent | Monitors the node and ensures the right UCP services are running |
| ucp-reconcile | When ucp-agent detects that the node is not running the right UCP components, it starts the ucp-reconcile container to converge the node to its desired state. It is expected for the ucp-reconcile container to remain in an exited state when the node is healthy. |
| ucp-proxy | A TLS proxy. It allows secure access to the local Docker Engine to UCP components |
## Volumes used by UCP
Docker UCP uses these named volumes to persist data in all nodes where it runs:
| Volume name | Description |
|:----------------------------|:-----------------------------------------------------------------------------------------|
| ucp-auth-api-certs | Certificate and keys for the authentication and authorization service |
| ucp-auth-store-certs | Certificate and keys for the authentication and authorization store |
| ucp-auth-store-data | Data of the authentication and authorization store, replicated across managers |
| ucp-auth-worker-certs | Certificate and keys for authentication worker |
| ucp-auth-worker-data | Data of the authentication worker |
| ucp-client-root-ca | Root key material for the UCP root CA that issues client certificates |
| ucp-cluster-root-ca | Root key material for the UCP root CA that issues certificates for swarm members |
| ucp-controller-client-certs | Certificate and keys used by the UCP web server to communicate with other UCP components |
| ucp-controller-server-certs | Certificate and keys for the UCP web server running in the node |
| ucp-kv | UCP configuration data, replicated across managers. |
| ucp-kv-certs | Certificates and keys for the key-value store |
| ucp-metrics-data | Monitoring data gathered by UCP |
| ucp-metrics-inventory | Configuration file used by the ucp-metrics service |
| ucp-node-certs | Certificate and keys for node communication |
You can customize the volume driver used for these volumes, by creating
the volumes before installing UCP. During the installation, UCP checks which
volumes don't exist in the node, and creates them using the default volume
driver.
By default, the data for these volumes can be found at
`/var/lib/docker/volumes/<volume-name>/_data`.
## How you interact with UCP
There are two ways to interact with UCP: the web UI or the CLI.
You can use the UCP web UI to manage your cluster, grant and revoke user
permissions, deploy, configure, manage, and monitor your applications.
![](images/architecture-3.svg)
UCP also exposes the standard Docker API, so you can continue using existing
tools like the Docker CLI client. Since UCP secures your cluster with role-based
access control, you need to configure your Docker CLI client and other client
tools to authenticate your requests using
[client certificates](user/access-ucp/index.md) that you can download
from your UCP profile page.
## Where to go next
* [System requirements](admin/install/system-requirements.md)
* [Plan your installation](admin/install/system-requirements.md)

44
datacenter/ucp/2.2/guides/get-support.md Normal file
View File

@ -0,0 +1,44 @@
---
description: Your Docker subscription gives you access to prioritized support. You
can file tickets via email, your the support portal.
keywords: Docker, support, help
title: Get support
---
Your Docker Data Center, or Universal Control Plane subscription gives you
access to prioritized support. The service levels depend on your subscription.
If you need help, you can file a ticket via:
* [Email](mailto:support@docker.com)
* [Docker support page](https://support.docker.com/)
Be sure to use your company email when filing tickets.
Docker Support engineers may ask you to provide a UCP support dump, which is an
archive that contains UCP system logs and diagnostic information. To obtain a
support dump:
## From the UI
1. Log into the UCP UI with an administrator account.
2. On the top-right menu, **click your username**, and choose **Support Dump**.
![](images/get-support-1.png){: .with-border}
## From the CLI
To get the support dump from the CLI, use SSH to log into a UCP manager node
and run:
```none
docker run --rm \
--name ucp \
-v /var/run/docker.sock:/var/run/docker.sock \
{{ page.docker_image }} \
support > docker-support.tgz
```
This support dump only contains logs for the node where you're running the
command. If your UCP is highly available, you should collect support dumps
from all the manager nodes.

BIN
datacenter/ucp/2.2/guides/images/add-constraint-to-service.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 393 KiB

139
datacenter/ucp/2.2/guides/images/add-labels-to-cluster-nodes-1.svg Normal file
View File

@ -0,0 +1,139 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg width="740px" height="250px" viewBox="0 0 740 250" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<!-- Generator: Sketch 40.1 (33804) - http://www.bohemiancoding.com/sketch -->
<title>add-labels-1</title>
<desc>Created with Sketch.</desc>
<defs></defs>
<g id="ucp-diagrams" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
<g id="add-labels-1">
<text id="Docker-swarm" font-family="OpenSans-Semibold, Open Sans" font-size="10" font-weight="500" fill="#82949E">
<tspan x="18.025" y="239.009524">Docker swarm</tspan>
</text>
<g id="nodes" transform="translate(107.000000, 15.000000)">
<g id="workers" transform="translate(0.000000, 118.000000)">
<g id="node-1-copy-3" transform="translate(428.000000, 0.000000)">
<g id="node">
<g id="node-label">
<rect id="Rectangle-127" fill="#445D6E" x="0" y="0" width="71" height="21.2904762" rx="2"></rect>
<text id="worker-node" font-family="OpenSans, Open Sans" font-size="8" font-weight="normal" fill="#FFFFFF">
<tspan x="6" y="14">worker node</tspan>
</text>
</g>
<text id="storage=ssd" font-family="OpenSans-Semibold, Open Sans" font-size="10" font-weight="500" fill="#82949E">
<tspan x="3" y="93">storage=ssd</tspan>
</text>
<text id="environment=prod" font-family="OpenSans-Semibold, Open Sans" font-size="10" font-weight="500" fill="#82949E">
<tspan x="3" y="79">environment=prod</tspan>
</text>
</g>
<rect id="node-border" stroke="#445D6E" stroke-width="2" x="0" y="0" width="97" height="102" rx="2"></rect>
</g>
<g id="node-1-copy-4" transform="translate(321.000000, 0.000000)">
<g id="node">
<g id="node-label">
<rect id="Rectangle-127" fill="#445D6E" x="0" y="0" width="71" height="21.2904762" rx="2"></rect>
<text id="worker-node" font-family="OpenSans, Open Sans" font-size="8" font-weight="normal" fill="#FFFFFF">
<tspan x="6" y="14">worker node</tspan>
</text>
</g>
<text id="storage=ssd" font-family="OpenSans-Semibold, Open Sans" font-size="10" font-weight="500" fill="#82949E">
<tspan x="3" y="93">storage=ssd</tspan>
</text>
<text id="environment=prod" font-family="OpenSans-Semibold, Open Sans" font-size="10" font-weight="500" fill="#82949E">
<tspan x="3" y="79">environment=prod</tspan>
</text>
</g>
<rect id="node-border" stroke="#445D6E" stroke-width="2" x="0" y="0" width="97" height="102" rx="2"></rect>
</g>
<g id="node-1-copy-5" transform="translate(214.000000, 0.000000)">
<g id="node">
<g id="node-label">
<rect id="Rectangle-127" fill="#445D6E" x="0" y="0" width="71" height="21.2904762" rx="2"></rect>
<text id="worker-node" font-family="OpenSans, Open Sans" font-size="8" font-weight="normal" fill="#FFFFFF">
<tspan x="6" y="14">worker node</tspan>
</text>
</g>
<text id="storage=ssd" font-family="OpenSans-Semibold, Open Sans" font-size="10" font-weight="500" fill="#82949E">
<tspan x="3" y="93">storage=ssd</tspan>
</text>
<text id="environment=test" font-family="OpenSans-Semibold, Open Sans" font-size="10" font-weight="500" fill="#82949E">
<tspan x="3" y="79">environment=test</tspan>
</text>
</g>
<rect id="node-border" stroke="#445D6E" stroke-width="2" x="0" y="0" width="97" height="102" rx="2"></rect>
</g>
<g id="node-1-copy-6" transform="translate(107.000000, 0.000000)">
<g id="node">
<g id="node-label">
<rect id="Rectangle-127" fill="#445D6E" x="0" y="0" width="71" height="21.2904762" rx="2"></rect>
<text id="worker-node" font-family="OpenSans, Open Sans" font-size="8" font-weight="normal" fill="#FFFFFF">
<tspan x="6" y="14">worker node</tspan>
</text>
</g>
<text id="storage=disk" font-family="OpenSans-Semibold, Open Sans" font-size="10" font-weight="500" fill="#82949E">
<tspan x="3" y="93">storage=disk</tspan>
</text>
<text id="environment=dev" font-family="OpenSans-Semibold, Open Sans" font-size="10" font-weight="500" fill="#82949E">
<tspan x="3" y="79">environment=dev</tspan>
</text>
</g>
<rect id="node-border" stroke="#445D6E" stroke-width="2" x="0" y="0" width="97" height="102" rx="2"></rect>
</g>
<g id="node-1-copy-7">
<g id="node">
<g id="node-label">
<rect id="Rectangle-127" fill="#445D6E" x="0" y="0" width="71" height="21.2904762" rx="2"></rect>
<text id="worker-node" font-family="OpenSans, Open Sans" font-size="8" font-weight="normal" fill="#FFFFFF">
<tspan x="6" y="14">worker node</tspan>
</text>
</g>
<text id="storage=disk" font-family="OpenSans-Semibold, Open Sans" font-size="10" font-weight="500" fill="#82949E">
<tspan x="3" y="93">storage=disk</tspan>
</text>
<text id="environment=dev" font-family="OpenSans-Semibold, Open Sans" font-size="10" font-weight="500" fill="#82949E">
<tspan x="3" y="79">environment=dev</tspan>
</text>
</g>
<rect id="node-border" stroke="#445D6E" stroke-width="2" x="0" y="0" width="97" height="102" rx="2"></rect>
</g>
</g>
<g id="managers" transform="translate(108.000000, 0.000000)">
<g id="node-1-copy-2" transform="translate(214.000000, 0.000000)">
<g id="node">
<g id="node-label">
<rect id="Rectangle-127" fill="#445D6E" x="0" y="0" width="71" height="21.2904762" rx="2"></rect>
<text id="manager-node" font-family="OpenSans, Open Sans" font-size="8" font-weight="normal" fill="#FFFFFF">
<tspan x="6" y="14">manager node</tspan>
</text>
</g>
</g>
<rect id="node-border" stroke="#445D6E" stroke-width="2" x="0" y="0" width="97" height="102" rx="2"></rect>
</g>
<g id="node-1-copy" transform="translate(107.000000, 0.000000)">
<g id="node">
<g id="node-label">
<rect id="Rectangle-127" fill="#445D6E" x="0" y="0" width="71" height="21.2904762" rx="2"></rect>
<text id="manager-node" font-family="OpenSans, Open Sans" font-size="8" font-weight="normal" fill="#FFFFFF">
<tspan x="6" y="14">manager node</tspan>
</text>
</g>
</g>
<rect id="node-border" stroke="#445D6E" stroke-width="2" x="0" y="0" width="97" height="102" rx="2"></rect>
</g>
<g id="node-1">
<g id="node">
<g id="node-label">
<rect id="Rectangle-127" fill="#445D6E" x="0" y="0" width="71" height="21.2904762" rx="2"></rect>
<text id="manager-node" font-family="OpenSans, Open Sans" font-size="8" font-weight="normal" fill="#FFFFFF">
<tspan x="6" y="14">manager node</tspan>
</text>
</g>
</g>
<rect id="node-border" stroke="#445D6E" stroke-width="2" x="0" y="0" width="97" height="102" rx="2"></rect>
</g>
</g>
</g>
<rect id="group" stroke="#82949E" stroke-width="2" stroke-dasharray="5,5,5,5" x="11" y="3" width="718" height="245" rx="2"></rect>
</g>
</g>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 9.6 KiB

BIN
datacenter/ucp/2.2/guides/images/add-labels-to-cluster-nodes-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 253 KiB

BIN
datacenter/ucp/2.2/guides/images/add-sans-to-cluster-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 116 KiB

71
datacenter/ucp/2.2/guides/images/architecture-1.svg Normal file
View File

@ -0,0 +1,71 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg width="740px" height="250px" viewBox="0 0 740 250" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<!-- Generator: Sketch 40.1 (33804) - http://www.bohemiancoding.com/sketch -->
<title>architecture-1</title>
<desc>Created with Sketch.</desc>
<defs></defs>
<g id="architecture-diagrams" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
<g id="architecture-1">
<g id="Group" transform="translate(28.000000, 51.000000)">
<g id="stack">
<g id="servers" transform="translate(0.000000, 114.000000)">
<g id="cloud">
<rect id="Rectangle-138" fill="#82949E" x="0" y="0" width="172" height="34" rx="2"></rect>
<text id="cloud-servers" font-family="OpenSans, Open Sans" font-size="14" font-weight="normal" fill="#FFFFFF">
<tspan x="42.5097656" y="23">cloud servers</tspan>
</text>
</g>
<g id="virtual" transform="translate(176.000000, 0.000000)">
<rect id="Rectangle-138" fill="#82949E" x="0" y="0" width="172" height="34" rx="2"></rect>
<text id="virtual-servers" font-family="OpenSans, Open Sans" font-size="14" font-weight="normal" fill="#FFFFFF">
<tspan x="39.8608398" y="23">virtual servers</tspan>
</text>
</g>
<g id="physical" transform="translate(352.000000, 0.000000)">
<rect id="Rectangle-138" fill="#82949E" x="0" y="0" width="172" height="34" rx="2"></rect>
<text id="physical-servers" font-family="OpenSans, Open Sans" font-size="14" font-weight="normal" fill="#FFFFFF">
<tspan x="34.2075195" y="23">physical servers</tspan>
</text>
</g>
</g>
<g id="docker" transform="translate(0.000000, 76.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="524" height="34" rx="2"></rect>
<text id="Docker-Enterprise-Edition" font-family="OpenSans, Open Sans" font-size="14" font-weight="normal" fill="#FFFFFF">
<tspan x="225.464355" y="23">Docker EE</tspan>
</text>
</g>
<g id="ucp" transform="translate(0.000000, 38.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="524" height="34" rx="2"></rect>
<text id="Universal-Control-Pl" font-family="OpenSans, Open Sans" font-size="14" font-weight="normal" fill="#FFFFFF">
<tspan x="185.536621" y="23">Universal Control Plane</tspan>
</text>
</g>
<g id="dtr">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="172" height="34" rx="2"></rect>
<text id="Docker-Trusted-Regis" font-family="OpenSans, Open Sans" font-size="14" font-weight="normal" fill="#FFFFFF">
<tspan x="8.13183594" y="23">Docker Trusted Registry</tspan>
</text>
</g>
<g id="your-apps" transform="translate(176.000000, 0.000000)">
<rect id="Rectangle-138" fill="#00B6B5" x="0" y="0" width="348" height="34" rx="2"></rect>
<text id="your-applications" font-family="OpenSans, Open Sans" font-size="14" font-weight="normal" fill="#FFFFFF">
<tspan x="118.428223" y="23">your applications</tspan>
</text>
</g>
</g>
<g id="user" transform="translate(528.000000, 44.000000)">
<g transform="translate(44.000000, 0.000000)" fill="#82949E">
<text id="deploy-and-manage" font-family="OpenSans, Open Sans" font-size="12" font-weight="normal">
<tspan x="0" y="39">deploy and manage</tspan>
</text>
<path d="M56,13 C59.59125,13 62.5,10.083125 62.5,6.5 C62.5,2.90875 59.59125,0 56,0 C52.40875,0 49.5,2.90875 49.5,6.5 C49.5,10.083125 52.40875,13 56,13 L56,13 Z M56,16.25 C51.669375,16.25 43,18.419375 43,22.75 L43,26 L69,26 L69,22.75 C69,18.419375 60.330625,16.25 56,16.25 L56,16.25 Z" id="Shape"></path>
</g>
<g id="arrow" transform="translate(0.000000, 8.000000)">
<path d="M1.5,5 L60,5" id="Line" stroke="#82949E" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"></path>
<circle id="Oval" fill="#8F9EA8" cx="5" cy="5" r="5"></circle>
</g>
</g>
</g>
</g>
</g>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 5.0 KiB

BIN
datacenter/ucp/2.2/guides/images/architecture-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 38 KiB

166
datacenter/ucp/2.2/guides/images/architecture-2.svg Normal file
View File

@ -0,0 +1,166 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg width="740px" height="250px" viewBox="0 0 740 250" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<!-- Generator: Sketch 40.1 (33804) - http://www.bohemiancoding.com/sketch -->
<title>architecture-2</title>
<desc>Created with Sketch.</desc>
<defs></defs>
<g id="architecture-diagrams" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
<g id="architecture-2">
<text id="Docker-swarm" font-family="OpenSans-Semibold, Open Sans" font-size="10" font-weight="500" fill="#82949E">
<tspan x="178.025" y="239.009524">Docker swarm</tspan>
</text>
<g id="nodes" transform="translate(215.000000, 15.000000)">
<g id="workers" transform="translate(53.000000, 118.000000)">
<g id="node-1">
<g id="node">
<g id="node-label">
<rect id="Rectangle-127" fill="#445D6E" x="0" y="0" width="71" height="21.2904762" rx="2"></rect>
<text id="worker-node" font-family="OpenSans, Open Sans" font-size="8" font-weight="normal" fill="#FFFFFF">
<tspan x="6" y="14">worker node</tspan>
</text>
</g>
</g>
<g id="engine" transform="translate(1.000000, 79.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="Docker-Enterprise-Engine" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="24" y="15">Docker EE</tspan>
</text>
</g>
<g id="ucp" transform="translate(1.000000, 56.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-agent" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="23.7373047" y="15">UCP agent</tspan>
</text>
</g>
<g id="app" transform="translate(1.000000, 33.000000)">
<rect id="Rectangle-138" fill="#FFB463" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-worker" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="20.4755859" y="15">UCP worker</tspan>
</text>
</g>
<rect id="node-border" stroke="#445D6E" stroke-width="2" x="0" y="0" width="97" height="102" rx="2"></rect>
</g>
<g id="node-1-copy-3" transform="translate(107.000000, 0.000000)">
<g id="node">
<g id="node-label">
<rect id="Rectangle-127" fill="#445D6E" x="0" y="0" width="71" height="21.2904762" rx="2"></rect>
<text id="worker-node" font-family="OpenSans, Open Sans" font-size="8" font-weight="normal" fill="#FFFFFF">
<tspan x="6" y="14">worker node</tspan>
</text>
</g>
</g>
<g id="engine" transform="translate(1.000000, 79.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="Docker-Enterprise-Engine" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="24" y="15">Docker EE</tspan>
</text>
</g>
<g id="ucp" transform="translate(1.000000, 56.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-agent" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="23.7373047" y="15">UCP agent</tspan>
</text>
</g>
<g id="app" transform="translate(1.000000, 33.000000)">
<rect id="Rectangle-138" fill="#FFB463" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-worker" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="20.4755859" y="15">UCP worker</tspan>
</text>
</g>
<rect id="node-border" stroke="#445D6E" stroke-width="2" x="0" y="0" width="97" height="102" rx="2"></rect>
</g>
</g>
<g id="managers">
<g id="node-1">
<g id="node">
<g id="node-label">
<rect id="Rectangle-127" fill="#445D6E" x="0" y="0" width="71" height="21.2904762" rx="2"></rect>
<text id="manager-node" font-family="OpenSans, Open Sans" font-size="8" font-weight="normal" fill="#FFFFFF">
<tspan x="6" y="14">manager node</tspan>
</text>
</g>
</g>
<g id="engine" transform="translate(1.000000, 79.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="Docker-Enterprise-Engine" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="24" y="15">Docker EE</tspan>
</text>
</g>
<g id="ucp" transform="translate(1.000000, 56.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-agent" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="23.7373047" y="15">UCP agent</tspan>
</text>
</g>
<g id="app" transform="translate(1.000000, 33.000000)">
<rect id="Rectangle-138" fill="#00B6B5" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-manager" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="16.0297852" y="15">UCP manager</tspan>
</text>
</g>
<rect id="node-border" stroke="#445D6E" stroke-width="2" x="0" y="0" width="97" height="102" rx="2"></rect>
</g>
<g id="node-1-copy" transform="translate(107.000000, 0.000000)">
<g id="node">
<g id="node-label">
<rect id="Rectangle-127" fill="#445D6E" x="0" y="0" width="71" height="21.2904762" rx="2"></rect>
<text id="manager-node" font-family="OpenSans, Open Sans" font-size="8" font-weight="normal" fill="#FFFFFF">
<tspan x="6" y="14">manager node</tspan>
</text>
</g>
</g>
<g id="engine" transform="translate(1.000000, 79.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="Docker-Enterprise-Engine" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="24" y="15">Docker EE</tspan>
</text>
</g>
<g id="ucp" transform="translate(1.000000, 56.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-agent" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="23.7373047" y="15">UCP agent</tspan>
</text>
</g>
<g id="app" transform="translate(1.000000, 33.000000)">
<rect id="Rectangle-138" fill="#00B6B5" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-manager" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="16.0297852" y="15">UCP manager</tspan>
</text>
</g>
<rect id="node-border" stroke="#445D6E" stroke-width="2" x="0" y="0" width="97" height="102" rx="2"></rect>
</g>
<g id="node-1-copy-2" transform="translate(214.000000, 0.000000)">
<g id="node">
<g id="node-label">
<rect id="Rectangle-127" fill="#445D6E" x="0" y="0" width="71" height="21.2904762" rx="2"></rect>
<text id="manager-node" font-family="OpenSans, Open Sans" font-size="8" font-weight="normal" fill="#FFFFFF">
<tspan x="6" y="14">manager node</tspan>
</text>
</g>
</g>
<g id="engine" transform="translate(1.000000, 79.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="Docker-Enterprise-Engine" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="24" y="15">Docker EE</tspan>
</text>
</g>
<g id="ucp" transform="translate(1.000000, 56.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-agent" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="23.7373047" y="15">UCP agent</tspan>
</text>
</g>
<g id="app" transform="translate(1.000000, 33.000000)">
<rect id="Rectangle-138" fill="#00B6B5" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-manager" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="16.0297852" y="15">UCP manager</tspan>
</text>
</g>
<rect id="node-border" stroke="#445D6E" stroke-width="2" x="0" y="0" width="97" height="102" rx="2"></rect>
</g>
</g>
</g>
<rect id="group" stroke="#82949E" stroke-width="2" stroke-dasharray="5,5,5,5" x="169" y="3" width="401" height="245" rx="2"></rect>
</g>
</g>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 12 KiB

233
datacenter/ucp/2.2/guides/images/architecture-3.svg Normal file
View File

@ -0,0 +1,233 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg width="740px" height="350px" viewBox="0 0 740 350" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<!-- Generator: Sketch 40.1 (33804) - http://www.bohemiancoding.com/sketch -->
<title>architecture-3</title>
<desc>Created with Sketch.</desc>
<defs>
<circle id="path-1" cx="4" cy="4" r="4"></circle>
<mask id="mask-2" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="-2" y="-2" width="12" height="12">
<rect x="-2" y="-2" width="12" height="12" fill="white"></rect>
<use xlink:href="#path-1" fill="black"></use>
</mask>
<circle id="path-3" cx="4" cy="4" r="4"></circle>
<mask id="mask-4" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="-2" y="-2" width="12" height="12">
<rect x="-2" y="-2" width="12" height="12" fill="white"></rect>
<use xlink:href="#path-3" fill="black"></use>
</mask>
<circle id="path-5" cx="4" cy="4" r="4"></circle>
<mask id="mask-6" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="-2" y="-2" width="12" height="12">
<rect x="-2" y="-2" width="12" height="12" fill="white"></rect>
<use xlink:href="#path-5" fill="black"></use>
</mask>
</defs>
<g id="architecture-diagrams" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
<g id="architecture-3">
<g id="ddc" transform="translate(169.000000, 56.000000)">
<g id="swarm-group" transform="translate(0.000000, 42.000000)">
<text id="Docker-swarm" font-family="OpenSans-Semibold, Open Sans" font-size="10" font-weight="500" fill="#E0E4E7">
<tspan x="9.025" y="236.009524">Docker swarm</tspan>
</text>
<rect id="group" stroke="#E0E4E7" stroke-width="2" stroke-dasharray="5,5,5,5" x="0" y="0" width="401" height="245" rx="2"></rect>
</g>
<g id="load-balancer" transform="translate(47.000000, 0.000000)">
<g id="main">
<rect id="Rectangle-138" fill="#445D6E" x="0" y="0" width="309" height="22" rx="2"></rect>
<text id="your-load-balancer" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="111.437988" y="15">your load balancer</tspan>
</text>
</g>
<g id="arrows" transform="translate(43.000000, 21.000000)">
<g id="arrow-copy-3" transform="translate(218.500000, 17.000000) scale(1, -1) rotate(-90.000000) translate(-218.500000, -17.000000) translate(202.000000, 13.000000)">
<path d="M2,4 L33,4" id="Line" stroke="#445D6E" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"></path>
<g id="Oval">
<use fill="#445D6E" fill-rule="evenodd" xlink:href="#path-1"></use>
<use stroke="#F7F8F9" mask="url(#mask-2)" stroke-width="4" xlink:href="#path-1"></use>
</g>
</g>
<g id="arrow-copy" transform="translate(111.500000, 17.000000) scale(1, -1) rotate(-90.000000) translate(-111.500000, -17.000000) translate(95.000000, 13.000000)">
<path d="M2,4 L33,4" id="Line" stroke="#445D6E" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"></path>
<g id="Oval">
<use fill="#445D6E" fill-rule="evenodd" xlink:href="#path-3"></use>
<use stroke="#F7F8F9" mask="url(#mask-4)" stroke-width="4" xlink:href="#path-3"></use>
</g>
</g>
<g id="arrow-copy-2" transform="translate(4.500000, 17.000000) scale(1, -1) rotate(-90.000000) translate(-4.500000, -17.000000) translate(-12.000000, 13.000000)">
<path d="M2,4 L33,4" id="Line" stroke="#445D6E" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"></path>
<g id="Oval">
<use fill="#445D6E" fill-rule="evenodd" xlink:href="#path-5"></use>
<use stroke="#F7F8F9" mask="url(#mask-6)" stroke-width="4" xlink:href="#path-5"></use>
</g>
</g>
</g>
</g>
<g id="swam" transform="translate(46.000000, 54.000000)">
<g id="nodes">
<g id="workers" transform="translate(53.000000, 118.000000)">
<g id="node-1">
<g id="node">
<g id="node-label">
<rect id="Rectangle-127" fill="#E0E4E7" x="0" y="0" width="71" height="21.2904762" rx="2"></rect>
<text id="worker-node" font-family="OpenSans, Open Sans" font-size="8" font-weight="normal" fill="#FFFFFF">
<tspan x="6" y="14">worker node</tspan>
</text>
</g>
</g>
<g id="engine" transform="translate(1.000000, 79.000000)">
<rect id="Rectangle-138" fill="#A1CFE8" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="Docker-Enterprise-Edition" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="24" y="15">Docker EE</tspan>
</text>
</g>
<g id="ucp" transform="translate(1.000000, 56.000000)">
<rect id="Rectangle-138" fill="#A1CFE8" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-agent" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="23.7373047" y="15">UCP agent</tspan>
</text>
</g>
<g id="app" transform="translate(1.000000, 33.000000)">
<rect id="Rectangle-138" fill="#FFE1C0" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-worker" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="20.4755859" y="15">UCP worker</tspan>
</text>
</g>
<rect id="node-border" stroke="#E0E4E7" stroke-width="2" x="0" y="0" width="97" height="102" rx="2"></rect>
</g>
<g id="node-1-copy-3" transform="translate(107.000000, 0.000000)">
<g id="node">
<g id="node-label">
<rect id="Rectangle-127" fill="#E0E4E7" x="0" y="0" width="71" height="21.2904762" rx="2"></rect>
<text id="worker-node" font-family="OpenSans, Open Sans" font-size="8" font-weight="normal" fill="#FFFFFF">
<tspan x="6" y="14">worker node</tspan>
</text>
</g>
</g>
<g id="engine" transform="translate(1.000000, 79.000000)">
<rect id="Rectangle-138" fill="#A1CFE8" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="Docker-Enterprise-Edition" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="24" y="15">Docker EE</tspan>
</text>
</g>
<g id="ucp" transform="translate(1.000000, 56.000000)">
<rect id="Rectangle-138" fill="#A1CFE8" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-agent" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="23.7373047" y="15">UCP agent</tspan>
</text>
</g>
<g id="app" transform="translate(1.000000, 33.000000)">
<rect id="Rectangle-138" fill="#FFE1C0" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-worker" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="20.4755859" y="15">UCP worker</tspan>
</text>
</g>
<rect id="node-border" stroke="#E0E4E7" stroke-width="2" x="0" y="0" width="97" height="102" rx="2"></rect>
</g>
</g>
<g id="managers">
<g id="node-1-copy-2" transform="translate(214.000000, 0.000000)">
<g id="node">
<g id="node-label">
<rect id="Rectangle-127" fill="#445D6E" x="0" y="0" width="71" height="21.2904762" rx="2"></rect>
<text id="manager-node" font-family="OpenSans, Open Sans" font-size="8" font-weight="normal" fill="#FFFFFF">
<tspan x="6" y="14">manager node</tspan>
</text>
</g>
</g>
<g id="engine" transform="translate(1.000000, 79.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="Docker-Enterprise-Edition" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="24" y="15">Docker EE</tspan>
</text>
</g>
<g id="ucp" transform="translate(1.000000, 56.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-agent" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="23.7373047" y="15">UCP agent</tspan>
</text>
</g>
<g id="app" transform="translate(1.000000, 33.000000)">
<rect id="Rectangle-138" fill="#00B6B5" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-manager" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="16.0297852" y="15">UCP manager</tspan>
</text>
</g>
<rect id="node-border" stroke="#445D6E" stroke-width="2" x="0" y="0" width="97" height="102" rx="2"></rect>
</g>
<g id="node-1-copy" transform="translate(107.000000, 0.000000)">
<g id="node">
<g id="node-label">
<rect id="Rectangle-127" fill="#445D6E" x="0" y="0" width="71" height="21.2904762" rx="2"></rect>
<text id="manager-node" font-family="OpenSans, Open Sans" font-size="8" font-weight="normal" fill="#FFFFFF">
<tspan x="6" y="14">manager node</tspan>
</text>
</g>
</g>
<g id="engine" transform="translate(1.000000, 79.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="Docker-Enterprise-Edition" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="24" y="15">Docker EE</tspan>
</text>
</g>
<g id="ucp" transform="translate(1.000000, 56.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-agent" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="23.7373047" y="15">UCP agent</tspan>
</text>
</g>
<g id="app" transform="translate(1.000000, 33.000000)">
<rect id="Rectangle-138" fill="#00B6B5" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-manager" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="16.0297852" y="15">UCP manager</tspan>
</text>
</g>
<rect id="node-border" stroke="#445D6E" stroke-width="2" x="0" y="0" width="97" height="102" rx="2"></rect>
</g>
<g id="node-1">
<g id="node">
<g id="node-label">
<rect id="Rectangle-127" fill="#445D6E" x="0" y="0" width="71" height="21.2904762" rx="2"></rect>
<text id="manager-node" font-family="OpenSans, Open Sans" font-size="8" font-weight="normal" fill="#FFFFFF">
<tspan x="6" y="14">manager node</tspan>
</text>
</g>
</g>
<g id="engine" transform="translate(1.000000, 79.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="Docker-Enterprise-Edition" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="24" y="15">Docker EE</tspan>
</text>
</g>
<g id="ucp" transform="translate(1.000000, 56.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-agent" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="23.7373047" y="15">UCP agent</tspan>
</text>
</g>
<g id="app" transform="translate(1.000000, 33.000000)">
<rect id="Rectangle-138" fill="#00B6B5" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-manager" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="16.0297852" y="15">UCP manager</tspan>
</text>
</g>
<rect id="node-border" stroke="#445D6E" stroke-width="2" x="0" y="0" width="97" height="102" rx="2"></rect>
</g>
</g>
</g>
</g>
</g>
<g id="user" transform="translate(337.000000, 5.000000)" fill="#82949E">
<g>
<text id="UI" font-family="OpenSans, Open Sans" font-size="12" font-weight="normal">
<tspan x="7" y="41">UI</tspan>
</text>
<path d="M13,13 C16.59125,13 19.5,10.083125 19.5,6.5 C19.5,2.90875 16.59125,0 13,0 C9.40875,0 6.5,2.90875 6.5,6.5 C6.5,10.083125 9.40875,13 13,13 L13,13 Z M13,16.25 C8.669375,16.25 0,18.419375 0,22.75 L0,26 L26,26 L26,22.75 C26,18.419375 17.330625,16.25 13,16.25 L13,16.25 Z" id="Shape"></path>
</g>
<g id="user-copy" transform="translate(42.000000, 0.000000)">
<text id="CLI" font-family="OpenSans, Open Sans" font-size="12" font-weight="normal">
<tspan x="4" y="41">CLI</tspan>
</text>
<path d="M13,13 C16.59125,13 19.5,10.083125 19.5,6.5 C19.5,2.90875 16.59125,0 13,0 C9.40875,0 6.5,2.90875 6.5,6.5 C6.5,10.083125 9.40875,13 13,13 L13,13 Z M13,16.25 C8.669375,16.25 0,18.419375 0,22.75 L0,26 L26,26 L26,22.75 C26,18.419375 17.330625,16.25 13,16.25 L13,16.25 Z" id="Shape"></path>
</g>
</g>
</g>
</g>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 18 KiB

BIN
datacenter/ucp/2.2/guides/images/check-contraints.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 368 KiB

BIN
datacenter/ucp/2.2/guides/images/cli-based-access-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 206 KiB

BIN
datacenter/ucp/2.2/guides/images/configure-logs-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 223 KiB

BIN
datacenter/ucp/2.2/guides/images/container-detail-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 54 KiB

BIN
datacenter/ucp/2.2/guides/images/container_detail.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 68 KiB

BIN
datacenter/ucp/2.2/guides/images/create-and-manage-teams-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 251 KiB

BIN
datacenter/ucp/2.2/guides/images/create-and-manage-teams-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 253 KiB

BIN
datacenter/ucp/2.2/guides/images/create-and-manage-teams-3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 261 KiB

BIN
datacenter/ucp/2.2/guides/images/create-and-manage-teams-4.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 221 KiB

BIN
datacenter/ucp/2.2/guides/images/create-and-manage-teams-5.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 36 KiB

BIN
datacenter/ucp/2.2/guides/images/create-users-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 241 KiB

BIN
datacenter/ucp/2.2/guides/images/create-users-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 205 KiB

BIN
datacenter/ucp/2.2/guides/images/deploy-a-service-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 216 KiB

BIN
datacenter/ucp/2.2/guides/images/deploy-a-service-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 88 KiB

BIN
datacenter/ucp/2.2/guides/images/deploy-a-service-3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 75 KiB

BIN
datacenter/ucp/2.2/guides/images/deploy-a-service-4.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 187 KiB

BIN
datacenter/ucp/2.2/guides/images/deploy-app-cli-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 226 KiB

BIN
datacenter/ucp/2.2/guides/images/deploy-app-ui-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 145 KiB

BIN
datacenter/ucp/2.2/guides/images/deploy-app-ui-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 82 KiB

BIN
datacenter/ucp/2.2/guides/images/deploy-app-ui-3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 283 KiB

BIN
datacenter/ucp/2.2/guides/images/deploy-app-ui-4.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 266 KiB

BIN
datacenter/ucp/2.2/guides/images/deploy-app-ui-5.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 226 KiB

BIN
datacenter/ucp/2.2/guides/images/deploy-app-ui-6.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 262 KiB

BIN
datacenter/ucp/2.2/guides/images/deployed_visualizer.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 180 KiB

BIN
datacenter/ucp/2.2/guides/images/deployed_visualizer_detail.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 251 KiB

BIN
datacenter/ucp/2.2/guides/images/docker-hub-license.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 141 KiB

BIN
datacenter/ucp/2.2/guides/images/docker-hub-settings.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 71 KiB

BIN
datacenter/ucp/2.2/guides/images/dtr-integration-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 107 KiB

BIN
datacenter/ucp/2.2/guides/images/dtr-integration-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 95 KiB

BIN
datacenter/ucp/2.2/guides/images/get-support-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 88 KiB

BIN
datacenter/ucp/2.2/guides/images/grant-access-secrets-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 245 KiB

71
datacenter/ucp/2.2/guides/images/grant-access-secrets-2.svg Normal file
View File

@ -0,0 +1,71 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg width="740px" height="217px" viewBox="0 0 740 217" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<!-- Generator: Sketch 40.1 (33804) - http://www.bohemiancoding.com/sketch -->
<title>grant-access-secrets-2</title>
<desc>Created with Sketch.</desc>
<defs></defs>
<g id="dtr-diagrams" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
<g id="grant-access-secrets-2">
<g id="group" transform="translate(148.000000, 30.000000)">
<g id="permissions" transform="translate(250.000000, 0.000000)">
<g transform="translate(0.000000, 116.000000)">
<g id="permissions-3" transform="translate(144.000000, 0.000000)" fill="#E0E4E7">
<path d="M12.09,0 C4.5,0 0,9 0,9 C0,9 4.5,18 12.09,18 C19.5,18 24,9 24,9 C24,9 19.5,0 12.09,0 L12.09,0 Z M12,15 C8.7,15 6,12.33 6,9 C6,5.7 8.7,3 12,3 C15.33,3 18,5.7 18,9 C18,12.33 15.33,15 12,15 L12,15 Z M15,9 C15,10.665 13.665,12 12,12 C10.335,12 9,10.665 9,9 C9,7.335 10.335,6 12,6 C13.665,6 15,7.335 15,9 L15,9 Z" id="Shape"></path>
<path d="M32,14.0272045 L32,18 L35.9727791,18 L46.5668567,7.40587876 L42.5940776,3.4330833 L32,14.0272045 L32,14.0272045 Z M35.9727791,16.6757348 L33.3242597,16.6757348 L33.3242597,14.0272045 L34.6485194,14.0272045 L34.6485194,15.3514697 L35.9727791,15.3514697 L35.9727791,16.6757348 L35.9727791,16.6757348 Z M49.612654,4.36006891 L47.8911164,6.08161361 L43.9183373,2.10881814 L45.6398749,0.387273441 C45.8873057,0.139333807 46.2231988,8.8817842e-15 46.573478,8.8817842e-15 C46.9237573,8.8817842e-15 47.2596503,0.139333807 47.5070811,0.387273441 L49.612654,2.49285504 C50.1291153,3.00931845 50.1291153,3.8436055 49.612654,4.36006891 L49.612654,4.36006891 Z" id="Shape"></path>
</g>
<g id="permissions-2" transform="translate(72.000000, 0.000000)">
<path d="M12.09,0 C4.5,0 0,9 0,9 C0,9 4.5,18 12.09,18 C19.5,18 24,9 24,9 C24,9 19.5,0 12.09,0 L12.09,0 Z M12,15 C8.7,15 6,12.33 6,9 C6,5.7 8.7,3 12,3 C15.33,3 18,5.7 18,9 C18,12.33 15.33,15 12,15 L12,15 Z M15,9 C15,10.665 13.665,12 12,12 C10.335,12 9,10.665 9,9 C9,7.335 10.335,6 12,6 C13.665,6 15,7.335 15,9 L15,9 Z" id="Shape" fill="#637986"></path>
<path d="M32,14.0272045 L32,18 L35.9727791,18 L46.5668567,7.40587876 L42.5940776,3.4330833 L32,14.0272045 L32,14.0272045 Z M35.9727791,16.6757348 L33.3242597,16.6757348 L33.3242597,14.0272045 L34.6485194,14.0272045 L34.6485194,15.3514697 L35.9727791,15.3514697 L35.9727791,16.6757348 L35.9727791,16.6757348 Z M49.612654,4.36006891 L47.8911164,6.08161361 L43.9183373,2.10881814 L45.6398749,0.387273441 C45.8873057,0.139333807 46.2231988,8.8817842e-15 46.573478,8.8817842e-15 C46.9237573,8.8817842e-15 47.2596503,0.139333807 47.5070811,0.387273441 L49.612654,2.49285504 C50.1291153,3.00931845 50.1291153,3.8436055 49.612654,4.36006891 L49.612654,4.36006891 Z" id="Shape" fill="#E0E4E7"></path>
</g>
<g id="permissions-1" fill="#637986">
<path d="M12.09,0 C4.5,0 0,9 0,9 C0,9 4.5,18 12.09,18 C19.5,18 24,9 24,9 C24,9 19.5,0 12.09,0 L12.09,0 Z M12,15 C8.7,15 6,12.33 6,9 C6,5.7 8.7,3 12,3 C15.33,3 18,5.7 18,9 C18,12.33 15.33,15 12,15 L12,15 Z M15,9 C15,10.665 13.665,12 12,12 C10.335,12 9,10.665 9,9 C9,7.335 10.335,6 12,6 C13.665,6 15,7.335 15,9 L15,9 Z" id="Shape"></path>
<path d="M32,14.0272045 L32,18 L35.9727791,18 L46.5668567,7.40587876 L42.5940776,3.4330833 L32,14.0272045 L32,14.0272045 Z M35.9727791,16.6757348 L33.3242597,16.6757348 L33.3242597,14.0272045 L34.6485194,14.0272045 L34.6485194,15.3514697 L35.9727791,15.3514697 L35.9727791,16.6757348 L35.9727791,16.6757348 Z M49.612654,4.36006891 L47.8911164,6.08161361 L43.9183373,2.10881814 L45.6398749,0.387273441 C45.8873057,0.139333807 46.2231988,8.8817842e-15 46.573478,8.8817842e-15 C46.9237573,8.8817842e-15 47.2596503,0.139333807 47.5070811,0.387273441 L49.612654,2.49285504 C50.1291153,3.00931845 50.1291153,3.8436055 49.612654,4.36006891 L49.612654,4.36006891 Z" id="Shape"></path>
</g>
</g>
<g id="teams" transform="translate(1.000000, 0.000000)">
<g id="team-3" transform="translate(150.000000, 0.000000)">
<text id="others" font-family="OpenSans-Semibold, Open Sans" font-size="10" font-weight="500" fill="#82949E">
<tspan x="1.8359375" y="50">others</tspan>
</text>
<path d="M18,18 C22.9725,18 27,13.96125 27,9 C27,4.0275 22.9725,0 18,0 C13.0275,0 9,4.0275 9,9 C9,13.96125 13.0275,18 18,18 L18,18 Z M18,22.5 C12.00375,22.5 0,25.50375 0,31.5 L0,36 L36,36 L36,31.5 C36,25.50375 23.99625,22.5 18,22.5 L18,22.5 Z" id="Shape" fill="#FFB463"></path>
</g>
<g id="team-2" transform="translate(72.000000, 0.000000)">
<text id="crm-team" font-family="OpenSans-Semibold, Open Sans" font-size="10" font-weight="500" fill="#82949E">
<tspan x="0.262695312" y="50">crm team</tspan>
</text>
<path d="M24,18 C28.9725,18 33,13.96125 33,9 C33,4.0275 28.9725,0 24,0 C19.0275,0 15,4.0275 15,9 C15,13.96125 19.0275,18 24,18 L24,18 Z M24,22.5 C18.00375,22.5 6,25.50375 6,31.5 L6,36 L42,36 L42,31.5 C42,25.50375 29.99625,22.5 24,22.5 L24,22.5 Z" id="Shape" fill="#00CBCA"></path>
</g>
<g id="team-1">
<text id="blog-team" font-family="OpenSans-Semibold, Open Sans" font-size="10" font-weight="500" fill="#82949E">
<tspan x="0.330078125" y="50">blog team</tspan>
</text>
<path d="M25,18 C29.9725,18 34,13.96125 34,9 C34,4.0275 29.9725,0 25,0 C20.0275,0 16,4.0275 16,9 C16,13.96125 20.0275,18 25,18 L25,18 Z M25,22.5 C19.00375,22.5 7,25.50375 7,31.5 L7,36 L43,36 L43,31.5 C43,25.50375 30.99625,22.5 25,22.5 L25,22.5 Z" id="Shape" fill="#1488C6"></path>
</g>
</g>
</g>
<g id="resources" transform="translate(-30.000000, 67.000000)">
<g id="services-secrets" transform="translate(17.000000, 34.000000)" fill="#1488C6">
<g id="secret" transform="translate(71.000000, 0.000000)">
<text id="wordpress-password-v" font-family="OpenSans-Semibold, Open Sans" font-size="10" font-weight="500">
<tspan x="0.029296875" y="45">wordpress-password-v0</tspan>
</text>
<path d="M66.5714286,11.2380813 L64.8571429,11.2380813 L64.8571429,6.42176072 C64.8571429,2.87373792 61.7885714,0 58,0 C54.2114286,0 51.1428571,2.87373792 51.1428571,6.42176072 L51.1428571,11.2380813 L49.4285714,11.2380813 C47.536,11.2380813 46,12.6765557 46,14.4489616 L46,27.2924831 C46,29.064889 47.536,30.5033634 49.4285714,30.5033634 L66.5714286,30.5033634 C68.464,30.5033634 70,29.064889 70,27.2924831 L70,14.4489616 C70,12.6765557 68.464,11.2380813 66.5714286,11.2380813 L66.5714286,11.2380813 Z M58,24.0816027 C56.1142857,24.0816027 54.5714286,22.6367065 54.5714286,20.8707223 C54.5714286,19.1047381 56.1142857,17.659842 58,17.659842 C59.8857143,17.659842 61.4285714,19.1047381 61.4285714,20.8707223 C61.4285714,22.6367065 59.8857143,24.0816027 58,24.0816027 L58,24.0816027 Z M61.4285714,11.2380813 L54.5714286,11.2380813 L54.5714286,6.42176072 C54.5714286,4.64935476 56.1074286,3.21088036 58,3.21088036 C59.8925714,3.21088036 61.4285714,4.64935476 61.4285714,6.42176072 L61.4285714,11.2380813 L61.4285714,11.2380813 Z" id="lock"></path>
</g>
<g id="services" transform="translate(0.000000, 1.000000)">
<text id="wordpress" font-family="OpenSans-Semibold, Open Sans" font-size="10" font-weight="500">
<tspan x="0.0703125" y="44">wordpress</tspan>
</text>
<path d="M39.34,12.486757 L34.3333333,12.486757 L34.3333333,1.55460124 C34.3333333,0.711745147 33.5916667,0 32.6733333,0 L19.3266667,0 C18.4266667,0 17.6666667,0.6961367 17.6666667,1.55460124 L17.6666667,12.486757 L12.66,12.486757 C11.76,12.486757 11,13.1828937 11,14.0413582 L11,26.5406019 C11,27.383458 11.7433333,28.0952032 12.66,28.0952032 L39.3433333,28.0952032 C40.2433333,28.0952032 41,27.4006273 41,26.5406019 L41,14.0413582 C41,13.1985021 40.2583333,12.486757 39.34,12.486757 L39.34,12.486757 Z M21,3.12168924 L31,3.12168924 L31,12.486757 L21,12.486757 L21,3.12168924 L21,3.12168924 Z M24.3333333,24.9735139 L14.3333333,24.9735139 L14.3333333,15.6084462 L24.3333333,15.6084462 L24.3333333,24.9735139 L24.3333333,24.9735139 Z M37.6666667,24.9735139 L27.6666667,24.9735139 L27.6666667,15.6084462 L37.6666667,15.6084462 L37.6666667,24.9735139 L37.6666667,24.9735139 Z M21,18.7301354 L17.6666667,18.7301354 L17.6666667,21.8518247 L21,21.8518247 L21,18.7301354 L21,18.7301354 Z M24.3333333,9.36506772 L27.6666667,9.36506772 L27.6666667,6.24337848 L24.3333333,6.24337848 L24.3333333,9.36506772 L24.3333333,9.36506772 Z M34.3333333,18.7301354 L31,18.7301354 L31,21.8518247 L34.3333333,21.8518247 L34.3333333,18.7301354 L34.3333333,18.7301354 Z"></path>
</g>
</g>
<g id="group">
<text id="com.docker.ucp.acces" font-family="OpenSans-Semibold, Open Sans" font-size="10" font-weight="500" fill="#82949E">
<tspan x="28.4033203" y="11">com.docker.ucp.access.label=blog</tspan>
</text>
<rect stroke="#82949E" stroke-width="2" stroke-dasharray="5,5,5,5" x="0" y="23" width="220" height="68" rx="2"></rect>
</g>
</g>
</g>
</g>
</g>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 10 KiB

BIN
datacenter/ucp/2.2/guides/images/ldap-integration-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 272 KiB

BIN
datacenter/ucp/2.2/guides/images/ldap-integration-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 37 KiB

BIN
datacenter/ucp/2.2/guides/images/license-ucp-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 99 KiB

BIN
datacenter/ucp/2.2/guides/images/license-ucp-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 237 KiB

BIN
datacenter/ucp/2.2/guides/images/manage-secrets-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 159 KiB

BIN
datacenter/ucp/2.2/guides/images/manage-secrets-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 153 KiB

BIN
datacenter/ucp/2.2/guides/images/manage-secrets-3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 251 KiB

BIN
datacenter/ucp/2.2/guides/images/manage-secrets-4.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 114 KiB

BIN
datacenter/ucp/2.2/guides/images/manage-secrets-5.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 159 KiB

BIN
datacenter/ucp/2.2/guides/images/manage-secrets-6.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 233 KiB

BIN
datacenter/ucp/2.2/guides/images/manage-secrets-7.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 135 KiB

BIN
datacenter/ucp/2.2/guides/images/manage-secrets-8.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 148 KiB

BIN
datacenter/ucp/2.2/guides/images/manage-secrets-9.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 197 KiB

BIN
datacenter/ucp/2.2/guides/images/monitor-ucp-0.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 242 KiB

BIN
datacenter/ucp/2.2/guides/images/monitor-ucp-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 257 KiB

BIN
datacenter/ucp/2.2/guides/images/monitor-ucp-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 172 KiB

BIN
datacenter/ucp/2.2/guides/images/monitor-ucp-3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 113 KiB

BIN
datacenter/ucp/2.2/guides/images/multiple-replicas.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 130 KiB

BIN
datacenter/ucp/2.2/guides/images/overview-3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 228 KiB

BIN
datacenter/ucp/2.2/guides/images/recover-a-user-password-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 264 KiB

BIN
datacenter/ucp/2.2/guides/images/restrict-services-to-worker-nodes-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 226 KiB

109
datacenter/ucp/2.2/guides/images/run-only-the-images-you-trust-1.svg Normal file
View File

@ -0,0 +1,109 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg width="740px" height="178px" viewBox="0 0 740 178" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<!-- Generator: Sketch 42 (36781) - http://www.bohemiancoding.com/sketch -->
<title>content-trust-3</title>
<desc>Created with Sketch.</desc>
<defs>
<circle id="path-1" cx="4" cy="4" r="4"></circle>
<mask id="mask-2" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="-2" y="-2" width="12" height="12">
<rect x="-2" y="-2" width="12" height="12" fill="white"></rect>
<use xlink:href="#path-1" fill="black"></use>
</mask>
<circle id="path-3" cx="4" cy="4" r="4"></circle>
<mask id="mask-4" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="-2" y="-2" width="12" height="12">
<rect x="-2" y="-2" width="12" height="12" fill="white"></rect>
<use xlink:href="#path-3" fill="black"></use>
</mask>
<rect id="path-5" x="0" y="0" width="228" height="144"></rect>
<mask id="mask-6" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="0" y="0" width="228" height="144" fill="white">
<use xlink:href="#path-5"></use>
</mask>
</defs>
<g id="dtr-diagrams" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
<g id="content-trust-3">
<g id="Group" transform="translate(14.000000, 17.000000)">
<g id="user" transform="translate(0.000000, 47.000000)">
<text id="&gt;-docker-service-cre" font-family="CourierNewPS-BoldMT, Courier New" font-size="12" font-weight="bold" line-spacing="16" fill="#637986">
<tspan x="0" y="46">&gt; docker service create \</tspan>
<tspan x="0" y="62"> dtr.example.org/dev/nginx:1</tspan>
</text>
<path d="M90,13 C93.59125,13 96.5,10.083125 96.5,6.5 C96.5,2.90875 93.59125,-1.77635684e-15 90,-1.77635684e-15 C86.40875,-1.77635684e-15 83.5,2.90875 83.5,6.5 C83.5,10.083125 86.40875,13 90,13 L90,13 Z M90,16.25 C85.669375,16.25 77,18.419375 77,22.75 L77,26 L103,26 L103,22.75 C103,18.419375 94.330625,16.25 90,16.25 L90,16.25 Z" id="Shape" fill="#82949E"></path>
</g>
<g id="arrow" transform="translate(238.500000, 72.000000) scale(1, -1) translate(-238.500000, -72.000000) translate(216.000000, 68.000000)">
<path d="M2,4 L45,4" id="Line" stroke="#1488C6" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"></path>
<g id="Oval">
<use fill="#1488C6" fill-rule="evenodd" xlink:href="#path-1"></use>
<use stroke="#FFFFFF" mask="url(#mask-2)" stroke-width="4" xlink:href="#path-1"></use>
</g>
</g>
<g id="ucp" transform="translate(262.000000, 0.000000)">
<g transform="translate(1.000000, 116.000000)">
<rect id="ucp-box" fill="#1488C6" x="0" y="0" width="180" height="27"></rect>
<text id="UCP" font-family="OpenSans, Open Sans" font-size="14" font-weight="normal" fill="#FFFFFF">
<tspan x="75.3596444" y="19">UCP</tspan>
</text>
</g>
<rect id="Rectangle-138" stroke="#82949E" stroke-width="2" x="0" y="0" width="181.124057" height="144" rx="2"></rect>
<g id="service" transform="translate(3.000000, 85.000000)">
<rect fill="#1488C6" x="0" y="2" width="30" height="27" rx="2"></rect>
<g id="signed" transform="translate(21.000000, 0.000000)">
<circle id="sign" fill="#00B6B5" cx="5.5" cy="5.5" r="5.5"></circle>
<polyline id="Path-2" stroke="#FFFFFF" stroke-linecap="round" points="2.33138415 5.0401346 4.66576739 7.30973903 8.53446401 3.34959331"></polyline>
</g>
</g>
</g>
<g id="arrow" transform="translate(466.500000, 72.000000) scale(1, -1) translate(-466.500000, -72.000000) translate(440.000000, 68.000000)">
<path d="M2,4 L52.5,4" id="Line" stroke="#1488C6" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"></path>
<g id="Oval">
<use fill="#1488C6" fill-rule="evenodd" xlink:href="#path-3"></use>
<use stroke="#FFFFFF" mask="url(#mask-4)" stroke-width="4" xlink:href="#path-3"></use>
</g>
</g>
<g id="dtr" transform="translate(485.000000, 0.000000)">
<use id="chrome" stroke="#82949E" mask="url(#mask-6)" stroke-width="2" fill="#FFFFFF" xlink:href="#path-5"></use>
<g id="table" transform="translate(9.000000, 60.000000)">
<g id="data" transform="translate(0.000000, 25.000000)" font-size="12" font-family="OpenSans, Open Sans" fill="#82949E" font-weight="normal">
<text id="dave">
<tspan x="145" y="13">dave.lauper</tspan>
</text>
<text id="9baa">
<tspan x="61" y="13">9baa16</tspan>
</text>
<text id="1">
<tspan x="0" y="13">1</tspan>
</text>
</g>
<g id="signed" transform="translate(9.000000, 28.000000)">
<circle id="sign" fill="#00B6B5" cx="5.5" cy="5.5" r="5.5"></circle>
<polyline id="Path-2" stroke="#FFFFFF" stroke-linecap="round" points="2.33138415 5.0401346 4.66576739 7.30973903 8.53446401 3.34959331"></polyline>
</g>
<g id="header" font-size="12" font-family="OpenSans, Open Sans" fill="#82949E" font-weight="normal">
<text id="last">
<tspan x="145" y="13">last pushed</tspan>
</text>
<text id="id">
<tspan x="61" y="13">id</tspan>
</text>
<text id="tag">
<tspan x="0" y="13">tag</tspan>
</text>
</g>
</g>
<g id="repo" transform="translate(0.000000, 26.000000)">
<rect id="header" fill="#82949E" x="0" y="0" width="228" height="27"></rect>
<text id="dev/nginx" font-family="OpenSans, Open Sans" font-size="12" font-weight="normal" fill="#FFFFFF">
<tspan x="9" y="18">dev/nginx</tspan>
</text>
</g>
<g id="header">
<path d="M9.5,79.5 L217.5,79.5" id="Line" stroke="#E0E4E7" stroke-linecap="square"></path>
<rect fill="#1488C6" x="0" y="0" width="228" height="27"></rect>
<text id="docker-trusted-regis" font-family="OpenSans, Open Sans" font-size="12" font-weight="normal" fill="#FFFFFF">
<tspan x="9" y="18">docker trusted registry</tspan>
</text>
</g>
</g>
</g>
</g>
</g>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 7.5 KiB

BIN
datacenter/ucp/2.2/guides/images/run-only-the-images-you-trust-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 202 KiB

BIN
datacenter/ucp/2.2/guides/images/run-only-the-images-you-trust-3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 212 KiB

156
datacenter/ucp/2.2/guides/images/scale-your-cluster-0.svg Normal file
View File

@ -0,0 +1,156 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg width="740px" height="307px" viewBox="0 0 740 307" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<!-- Generator: Sketch 40.1 (33804) - http://www.bohemiancoding.com/sketch -->
<title>scale-your-cluster-1</title>
<desc>Created with Sketch.</desc>
<defs>
<circle id="path-1" cx="4" cy="4" r="4"></circle>
<mask id="mask-2" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="-2" y="-2" width="12" height="12">
<rect x="-2" y="-2" width="12" height="12" fill="white"></rect>
<use xlink:href="#path-1" fill="black"></use>
</mask>
<circle id="path-3" cx="4" cy="4" r="4"></circle>
<mask id="mask-4" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="-2" y="-2" width="12" height="12">
<rect x="-2" y="-2" width="12" height="12" fill="white"></rect>
<use xlink:href="#path-3" fill="black"></use>
</mask>
<circle id="path-5" cx="4" cy="4" r="4"></circle>
<mask id="mask-6" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="-2" y="-2" width="12" height="12">
<rect x="-2" y="-2" width="12" height="12" fill="white"></rect>
<use xlink:href="#path-5" fill="black"></use>
</mask>
</defs>
<g id="architecture-diagrams" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
<g id="scale-your-cluster-1">
<g id="ddc" transform="translate(170.000000, 8.000000)">
<g id="swarm-group" transform="translate(0.000000, 42.000000)">
<text id="Docker-swarm" font-family="OpenSans-Semibold, Open Sans" font-size="10" font-weight="500" fill="#E0E4E7">
<tspan x="9.025" y="236.009524">Docker swarm</tspan>
</text>
<rect id="group" stroke="#E0E4E7" stroke-width="2" stroke-dasharray="5,5,5,5" x="0" y="0" width="401" height="245" rx="2"></rect>
</g>
<g id="load-balancer" transform="translate(47.000000, 0.000000)">
<g id="main">
<rect id="Rectangle-138" fill="#445D6E" x="0" y="0" width="309" height="22" rx="2"></rect>
<text id="your-load-balancer" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="111.437988" y="15">your load balancer</tspan>
</text>
</g>
<g id="arrows" transform="translate(43.000000, 21.000000)">
<g id="arrow-copy" transform="translate(111.500000, 17.000000) scale(1, -1) rotate(-90.000000) translate(-111.500000, -17.000000) translate(95.000000, 13.000000)">
<path d="M2,4 L33,4" id="Line" stroke="#E0E4E7" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"></path>
<g id="Oval">
<use fill="#E0E4E7" fill-rule="evenodd" xlink:href="#path-1"></use>
<use stroke="#F7F8F9" mask="url(#mask-2)" stroke-width="4" xlink:href="#path-1"></use>
</g>
</g>
<g id="arrow-copy-4" transform="translate(218.500000, 17.000000) scale(1, -1) rotate(-90.000000) translate(-218.500000, -17.000000) translate(202.000000, 13.000000)">
<path d="M2,4 L33,4" id="Line" stroke="#E0E4E7" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"></path>
<g id="Oval">
<use fill="#E0E4E7" fill-rule="evenodd" xlink:href="#path-3"></use>
<use stroke="#F7F8F9" mask="url(#mask-4)" stroke-width="4" xlink:href="#path-3"></use>
</g>
</g>
<g id="arrow-copy-2" transform="translate(4.500000, 17.000000) scale(1, -1) rotate(-90.000000) translate(-4.500000, -17.000000) translate(-12.000000, 13.000000)">
<path d="M2,4 L33,4" id="Line" stroke="#445D6E" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"></path>
<g id="Oval">
<use fill="#445D6E" fill-rule="evenodd" xlink:href="#path-5"></use>
<use stroke="#F7F8F9" mask="url(#mask-6)" stroke-width="4" xlink:href="#path-5"></use>
</g>
</g>
</g>
</g>
<g id="swam" transform="translate(46.000000, 34.000000)">
<g id="nodes">
<g id="workers" transform="translate(53.000000, 121.000000)">
<g id="node-1" transform="translate(0.000000, 17.000000)">
<g id="node">
<g id="node-label">
<rect id="Rectangle-127" fill="#445D6E" x="0" y="0" width="71" height="21.2904762" rx="2"></rect>
<text id="worker-node" font-family="OpenSans, Open Sans" font-size="8" font-weight="normal" fill="#FFFFFF">
<tspan x="6" y="14">worker node</tspan>
</text>
</g>
</g>
<g id="engine" transform="translate(1.000000, 79.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="CS-Docker-Engine" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="7.26025391" y="15">CS Docker Engine</tspan>
</text>
</g>
<g id="ucp" transform="translate(1.000000, 56.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-agent" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="23.7373047" y="15">UCP agent</tspan>
</text>
</g>
<g id="app" transform="translate(1.000000, 33.000000)">
<rect id="Rectangle-138" fill="#FFB463" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-worker" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="20.4755859" y="15">UCP worker</tspan>
</text>
</g>
<rect id="node-border" stroke="#445D6E" stroke-width="2" x="0" y="0" width="97" height="102" rx="2"></rect>
</g>
<g id="node-1-copy" transform="translate(107.000000, 0.000000)">
<rect id="node-border" stroke="#E0E4E7" stroke-width="2" fill="#E0E4E7" x="0" y="17" width="97" height="102" rx="2"></rect>
<g id="node" transform="translate(0.000000, 17.000000)">
<g id="node-label"></g>
</g>
<text id="+" font-family="OpenSans, Open Sans" font-size="100" font-weight="normal" fill="#FFFFFF">
<tspan x="20.4111328" y="104">+</tspan>
</text>
</g>
</g>
<g id="managers">
<g id="node-1-copy" transform="translate(107.000000, 0.000000)">
<rect id="node-border" stroke="#E0E4E7" stroke-width="2" fill="#E0E4E7" x="0" y="20" width="97" height="102" rx="2"></rect>
<text id="+" font-family="OpenSans, Open Sans" font-size="100" font-weight="normal" fill="#F7F8F9">
<tspan x="20.4111328" y="107">+</tspan>
</text>
</g>
<g id="node-1-copy-4" transform="translate(214.000000, 0.000000)">
<rect id="node-border" stroke="#E0E4E7" stroke-width="2" fill="#E0E4E7" x="0" y="20" width="97" height="102" rx="2"></rect>
<g id="node" transform="translate(0.000000, 20.000000)">
<g id="node-label"></g>
</g>
<text id="+" font-family="OpenSans, Open Sans" font-size="100" font-weight="normal" fill="#FFFFFF">
<tspan x="20.4111328" y="107">+</tspan>
</text>
</g>
<g id="node-1" transform="translate(0.000000, 20.000000)">
<g id="node">
<g id="node-label">
<rect id="Rectangle-127" fill="#445D6E" x="0" y="0" width="71" height="21.2904762" rx="2"></rect>
<text id="manager-node" font-family="OpenSans, Open Sans" font-size="8" font-weight="normal" fill="#FFFFFF">
<tspan x="6" y="14">manager node</tspan>
</text>
</g>
</g>
<g id="engine" transform="translate(1.000000, 79.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="CS-Docker-Engine" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="7.26025391" y="15">CS Docker Engine</tspan>
</text>
</g>
<g id="ucp" transform="translate(1.000000, 56.000000)">
<rect id="Rectangle-138" fill="#1488C6" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-agent" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="23.7373047" y="15">UCP agent</tspan>
</text>
</g>
<g id="app" transform="translate(1.000000, 33.000000)">
<rect id="Rectangle-138" fill="#00B6B5" x="0" y="0" width="95" height="22" rx="2"></rect>
<text id="UCP-manager" font-family="OpenSans, Open Sans" font-size="10" font-weight="normal" fill="#FFFFFF">
<tspan x="16.0297852" y="15">UCP manager</tspan>
</text>
</g>
<rect id="node-border" stroke="#445D6E" stroke-width="2" x="0" y="0" width="97" height="102" rx="2"></rect>
</g>
</g>
</g>
</g>
</g>
</g>
</g>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 12 KiB

BIN
datacenter/ucp/2.2/guides/images/scale-your-cluster-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 220 KiB

Some files were not shown because too many files have changed in this diff Show More