From 78cd5a3ecfc49b0b06fcdb6cd209dae3efff1a6e Mon Sep 17 00:00:00 2001
From: Joao Fernandes <joaofnfernandes@gmail.com>
Date: Fri, 8 Sep 2017 10:48:47 -0700
Subject: [PATCH] Fix issues around UCP, DTR, content trust (#4558)

* Explain behavior with UCP and DCT

* Disable DCT before upgrading DTR
---
 datacenter/dtr/2.3/guides/admin/upgrade.md           | 12 +++++-------
 .../admin/configure/run-only-the-images-you-trust.md |  4 +++-
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/datacenter/dtr/2.3/guides/admin/upgrade.md b/datacenter/dtr/2.3/guides/admin/upgrade.md
index a757f77d71..ac945bcc2f 100644
--- a/datacenter/dtr/2.3/guides/admin/upgrade.md
+++ b/datacenter/dtr/2.3/guides/admin/upgrade.md
@@ -37,13 +37,11 @@ to ensure the impact on your business is close to none.
 
 ## Minor upgrade
 
-Before starting your upgrade planning, make sure that the version of UCP you are
-using is supported by the version of DTR you are trying to upgrade to.
-
-> Backup DTR before upgrading
->
-> Before performing any upgrade it’s important to backup. See
-> [DTR backups and recovery](backups-and-disaster-recovery.md).
+Before starting your upgrade, make sure that:
+* The version of UCP you are using is supported by the version of DTR you
+are trying to upgrade to.
+* You have a recent [DTR backup](backups-and-disaster-recovery.md).
+* You [disable Docker content trust in UCP](/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust.md).
 
 ### Step 1. Upgrade DTR to 2.2 if necessary
 
diff --git a/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust.md b/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust.md
index 4d9843b5e7..14c893c7b0 100644
--- a/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust.md
+++ b/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust.md
@@ -50,7 +50,9 @@ dropdown and select those teams from the list.
 If you specify multiple teams, the image needs to be signed by a member of each
 team, or someone that is a member of all those teams.
 
-Click **Save** for UCP to start enforcing the policy.
+Click **Save** for UCP to start enforcing the policy. From now on, existing
+services will continue running and can be restarted if needed, but UCP will only
+allow deploying new services that use a trusted image.
 
 ## Where to go next