Merge branch 'master' into usha-aug-patch

Olly P 2019-09-03 15:04:57 +01:00 committed by GitHub
commit 8aa892fd94
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 71 additions and 25 deletions

@ -1,4 +1,4 @@
amd64: |
amd64: |
AMD64 is AMD's 64-bit extension of Intel's x86 architecture, and is also
referred to as x86_64 (or x86-64).
aufs: |
@ -26,6 +26,8 @@ cgroups: |
of processes. Docker relies on cgroups to control and isolate resource limits.
*Also known as : control groups*
cluster: |
A cluster is a group of machines that work together to run workloads and provide high availability.
collection: |
A collection is a group of swarm resources that Docker Engine - Enterprise uses for role-based
access control. Collections enable organizing permissions for resources like
@ -219,6 +221,8 @@ parent image: |
in the image's Dockerfile. All subsequent commands are applied to this parent
image. A Dockerfile with no `FROM` directive has no parent image, and is called
a **base image**.
persistent storage: |
Persistent storage or volume storage provides a way for a user to add a persistent layer to the running container's file system. This persistent layer could live on the container host or an external device. The lifecycle of this persistent layer is not connected to the life cycle of the container, allowing a user to retain state.
registry: |
A Registry is a hosted service containing [repositories](#repository) of [images](#image)
which responds to the Registry API.
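Review bot: the new `persistent storage` entry is one unwrapped line and spells the same term two ways ("lifecycle" and "life cycle"). Wrap it like the neighbouring entries and pick one spelling. "volume storage" would also read better as a link or pointer to the glossary's volume entry, if there is one, so the two definitions do not drift apart.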

@ -222,7 +222,7 @@ docker build [OPTIONS] -f- PATH
```
This syntax can be useful in situations where you want to build an image from a
repository does not contain a `Dockerfile`, or if you want to build with a custom
repository that does not contain a `Dockerfile`, or if you want to build with a custom
`Dockerfile`, without maintaining your own fork of the repository.
The example below builds an image using a `Dockerfile` from `stdin`, and adds
@ -898,7 +898,7 @@ image. For example, you would use `ONBUILD` for a language stack image that
builds arbitrary user software written in that language within the
`Dockerfile`, as you can see in [Rubys `ONBUILD` variants](https://github.com/docker-library/ruby/blob/c43fef8a60cea31eb9e7d960a076d633cb62ba8d/2.4/jessie/onbuild/Dockerfile).
Images built from `ONBUILD` should get a separate tag, for example:
Images built with `ONBUILD` should get a separate tag, for example:
`ruby:1.9-onbuild` or `ruby:2.0-onbuild`.
Be careful when putting `ADD` or `COPY` in `ONBUILD`. The "onbuild" image

@ -84,7 +84,7 @@ When you install Docker Desktop Enterprise, the command line tool is installed a
Run the following command to install or upgrade a version pack to the version contained in the specified `.ddvp` archive:
dockerdesktop-admin version-pack install [path-to-archive]
sudo /Applications/Docker.app/Contents/Resources/bin/dockerdesktop-admin version-pack install [path-to-archive]
>**Note:** You must stop Docker Desktop before installing a version pack.
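Review bot: the install command now runs under `sudo` from a full path inside `/Applications/Docker.app/`, but the sentence above it and the note below it say nothing about needing administrator rights. Add a line stating that the command must be run with elevated privileges. Because it now runs as root against a `.ddvp` archive supplied by the user, it is also worth saying where that archive is expected to come from. The same wording would apply to the uninstall command in the next hunk.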
@ -92,7 +92,7 @@ Run the following command to install or upgrade a version pack to the version co
Run the following command to uninstall the specified version pack:
dockerdesktop-admin version-pack uninstall [version-pack-name]
sudo /Applications/Docker.app/Contents/Resources/bin/dockerdesktop-admin version-pack uninstall [version-pack-name]
>**Note:** You must stop Docker Desktop before uninstalling a version pack.

@ -17,13 +17,13 @@ all manually created users whose usernames don't match any LDAP search results
are still available.
When you enable LDAP authentication, you can choose whether UCP creates user
accounts only when users log in for the first time. Select the
accounts only when users log in for the first time. Select the
**Just-In-Time User Provisioning** option to ensure that the only LDAP
accounts that exist in UCP are those that have had a user log in to UCP.
## How UCP integrates with LDAP
You control how UCP integrates with LDAP by creating searches for users.
You control how UCP integrates with LDAP by creating searches for users.
You can specify multiple search configurations, and you can specify multiple
LDAP servers to integrate with. Searches start with the `Base DN`, which is
the *distinguished name* of the node in the LDAP directory tree where the
@ -44,7 +44,7 @@ and servers.
server is considered the default domain server. Any others are associated
with the domain that you specify in the page.
Here's what happens when UCP synchronizes with LDAP:
Here's what happens when UCP synchronizes with LDAP:
1. UCP creates a set of search results by iterating over each of the user
search configs, in the order that you specify.
@ -82,7 +82,7 @@ Here are three user search configs with the following `Base DNs`:
For this search config, two of the domain servers have a domain which is a
suffix of this base DN, but `dc=subsidiary2,dc=subsidiary1,dc=com` is the
longer of the two, so UCP uses the server `ldaps://ldap.subsidiary2.com`
longer of the two, so UCP uses the server `ldaps://ldap.subsidiary2.com`
for the search request.
- baseDN=`ou=eng,dc=example,dc=com`
@ -127,7 +127,7 @@ remain unchanged for all existing users.
## LDAP enabled
Click **Yes** to enable integrating UCP users and teams with LDAP servers.
Click **Yes** to enable integrating UCP users and teams with LDAP servers.
## LDAP server
@ -198,7 +198,7 @@ You can also manually synchronize users by clicking **Sync Now**.
## Revoke user access
When a user is removed from LDAP, the effect on the user's UCP account depends
on the **Just-In-Time User Provisioning** setting:
on the **Just-In-Time User Provisioning** setting:
- **Just-In-Time User Provisioning** is `false`: Users deleted from LDAP become
inactive in UCP after the next LDAP synchronization runs.
@ -225,9 +225,9 @@ LDAP directory.
As of UCP 3.1.5, LDAP-specific `GET` and `PUT` API endpoints have been added to the Config resource. Note that swarm mode has to be enabled before you can hit the following endpoints:
- `GET /api/ucp/config/auth/ldap` - Returns information on your current system LDAP configuration.
- `PUT /api/ucp/config/auth/ldap` - Lets you update your LDAP configuration.
- `PUT /api/ucp/config/auth/ldap` - Lets you update your LDAP configuration.
See [UCP API Documentation](/reference/ucp/3.1/api/) for additonal information.
See [UCP API Documentation](/reference/ucp/3.2/api/) for additonal information.
## Where to go next
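Review bot: the changed link line still carries the typo "additonal"; fix it to "additional" while the line is being touched. The link now points at the 3.2 API reference while the paragraph opens with "As of UCP 3.1.5", so confirm that this file belongs to the 3.2 docs tree and the version bump is intended. Since `PUT /api/ucp/config/auth/ldap` rewrites the authentication configuration, a short statement of which role may call it would help readers.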

@ -78,10 +78,11 @@ To install UCP:
--interactive
```
This runs the install command in interactive mode, so that you're
prompted for any necessary configuration values.
To find what other options are available in the install command, check the
[reference documentation](/reference/ucp/3.2/cli/install.md).
This runs the install command in interactive mode, so that you're prompted
for any necessary configuration values. To find what other options are
available in the install command, including how to install UCP on a system
with SELinux enabled, check the [reference
documentation](/reference/ucp/3.2/cli/install.md).
> Custom Container Networking Interface (CNI) plugins
>
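Review bot: the rewritten paragraph sends readers who have SELinux enabled to the top of the install reference and leaves them to find the relevant part. Link to the new `### SELinux` section of that page directly, and consider naming the `--security-opt label=disable` flag here, so the requirement is visible before the install fails with the permission denied error.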

@ -291,7 +291,7 @@ In order to optimize user experience and security, support for Internet Explorer
$ sudo yum downgrade container-selinux-2.74-1.el7
```
- Attempts to deploy local PV fail with regular UCP configuration unless PV binder SA is bound to cluster admin role.
- Workaround: Create a `ClusterRoleBinding` that binds the `persistent-volume-binder` serviceaccount
- Workaround: Create a `ClusterRoleBinding` that binds the `persistent-volume-binder` ServiceAccount
to a `cluster-admin` `ClusterRole`, as shown in the following example:
```
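Review bot: the capitalisation fix is fine, but the workaround line it touches tells readers to bind the `persistent-volume-binder` ServiceAccount to `cluster-admin` without saying what that grants. Add a sentence noting that this gives the ServiceAccount full cluster privileges, and that the binding should be removed once the issue is fixed. The bullet above also writes "cluster admin role" where the workaround writes `cluster-admin`; use the literal role name in both places.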

@ -34,7 +34,8 @@ on GitHub.
```console
$ base=https://github.com/docker/machine/releases/download/v{{site.machine_version}} &&
curl -L $base/docker-machine-$(uname -s)-$(uname -m) >/tmp/docker-machine &&
sudo mv /tmp/docker-machine /usr/local/bin/docker-machine
sudo mv /tmp/docker-machine /usr/local/bin/docker-machine &&
chmod +x /usr/local/bin/docker-machine
```
If you are running **Windows** with [Git BASH](https://git-for-windows.github.io/){: target="_blank" class="_"}:
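Review bot: the added `chmod +x /usr/local/bin/docker-machine` runs without `sudo` on a file that was just placed in `/usr/local/bin` with `sudo mv`, so whether it succeeds depends on who owns the file after the move. Setting the mode before the move (`chmod +x /tmp/docker-machine && sudo mv ...`) or using `sudo install` avoids that, and `sudo install` also leaves the binary owned by root. The snippet still installs whatever `curl` returned with no integrity check; if the release publishes checksums, add a verification step before the move.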

@ -9,9 +9,12 @@ Install UCP on a node
## Usage
```bash
docker container run --rm -it \
docker container run \
--rm \
--interactive \
--tty \
--name ucp \
-v /var/run/docker.sock:/var/run/docker.sock \
--volume /var/run/docker.sock:/var/run/docker.sock \
docker/ucp \
install [command options]
```
@ -34,11 +37,48 @@ firewall:
* 12376, 12379, 12380, 12381, 12382, 12383, 12384, 12385, 12386, 12387
* 4789 (udp) and 7946 (tcp/udp) for overlay networking
If you have SELinux policies enabled for your Docker install, you will need to
use `docker container run --rm -it --security-opt label=disable ...` when running this
command.
### SELinux
If you are installing on Azure, see [Install UCP on Azure](/ee/ucp/admin/install/install-on-azure/).
If you are installing UCP on a manager node with SELinunx enabled at the daemon
and operating system level, you will need to pass `--security-opt
label=disable` in to your install command. This flag will disable SELinux
policies on the installation container. The UCP installation container mounts
and configures the Docker Socket as part of the UCP installation container,
therefore the UCP installation will fail with a permission denied error if you
fail to pass in this flag.
```
FATA[0000] unable to get valid Docker client: unable to ping Docker daemon: Got
permission denied while trying to connect to the Docker daemon socket at
unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/_ping: dial
unix /var/run/docker.sock: connect: permission denied - If SELinux is enabled
on the Docker daemon, make sure you run UCP with "docker run --security-opt
label=disable -v /var/run/docker.sock:/var/run/docker.sock ..."
```
An installation command for a system with SELinux enabled at the daemon level
would be:
```bash
docker container run \
--rm \
--interactive \
--tty \
--name ucp \
--security-opt label=disable \
--volume /var/run/docker.sock:/var/run/docker.sock \
docker/ucp \
install [command options]
```
### Cloud Providers
If you are installing on a public cloud platform there is cloud specific UCP
installation documentation:
- For [Microsoft Azure](./cloudproviders/install-on-azure/) this is
**mandatory**
- For [AWS](./cloudproviders/install-on-aws/) this is optional.
## Options
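Review bot: the new SELinux section has a typo in its first sentence ("SELinunx"), and it describes the precondition two ways: "enabled at the daemon and operating system level" in the opening and "enabled at the daemon level" before the example. State one condition and use it in both places. The sentence "mounts and configures the Docker Socket as part of the UCP installation container" is circular; say that the installation container mounts `/var/run/docker.sock` and talks to the daemon through it. It would also help to state that `--security-opt label=disable` turns off SELinux labelling for the installation container only and leaves the host policy unchanged. The error-output fence has no language tag while the command fence uses `bash`. In the Cloud Providers list, the Azure item lacks the closing period that the AWS item has.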