From 77f8c6e856033636986382f51ee202426df5c727 Mon Sep 17 00:00:00 2001 From: Traci Morrison Date: Mon, 26 Aug 2019 11:44:46 -0400 Subject: [PATCH 1/7] Change API URL to 3.2 --- ee/ucp/admin/configure/external-auth/index.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/ee/ucp/admin/configure/external-auth/index.md b/ee/ucp/admin/configure/external-auth/index.md index 821640870b..1b359da723 100644 --- a/ee/ucp/admin/configure/external-auth/index.md +++ b/ee/ucp/admin/configure/external-auth/index.md @@ -17,13 +17,13 @@ all manually created users whose usernames don't match any LDAP search results are still available. When you enable LDAP authentication, you can choose whether UCP creates user -accounts only when users log in for the first time. Select the +accounts only when users log in for the first time. Select the **Just-In-Time User Provisioning** option to ensure that the only LDAP accounts that exist in UCP are those that have had a user log in to UCP. ## How UCP integrates with LDAP -You control how UCP integrates with LDAP by creating searches for users. +You control how UCP integrates with LDAP by creating searches for users. You can specify multiple search configurations, and you can specify multiple LDAP servers to integrate with. Searches start with the `Base DN`, which is the *distinguished name* of the node in the LDAP directory tree where the @@ -44,7 +44,7 @@ and servers. server is considered the default domain server. Any others are associated with the domain that you specify in the page. -Here's what happens when UCP synchronizes with LDAP: +Here's what happens when UCP synchronizes with LDAP: 1. UCP creates a set of search results by iterating over each of the user search configs, in the order that you specify. 
@@ -82,7 +82,7 @@ Here are three user search configs with the following `Base DNs`: For this search config, two of the domain servers have a domain which is a suffix of this base DN, but `dc=subsidiary2,dc=subsidiary1,dc=com` is the - longer of the two, so UCP uses the server `ldaps://ldap.subsidiary2.com` + longer of the two, so UCP uses the server `ldaps://ldap.subsidiary2.com` for the search request. - baseDN=`ou=eng,dc=example,dc=com` @@ -127,7 +127,7 @@ remain unchanged for all existing users. ## LDAP enabled -Click **Yes** to enable integrating UCP users and teams with LDAP servers. +Click **Yes** to enable integrating UCP users and teams with LDAP servers. ## LDAP server @@ -198,7 +198,7 @@ You can also manually synchronize users by clicking **Sync Now**. ## Revoke user access When a user is removed from LDAP, the effect on the user's UCP account depends -on the **Just-In-Time User Provisioning** setting: +on the **Just-In-Time User Provisioning** setting: - **Just-In-Time User Provisioning** is `false`: Users deleted from LDAP become inactive in UCP after the next LDAP synchronization runs. @@ -225,9 +225,9 @@ LDAP directory. As of UCP 3.1.5, LDAP-specific `GET` and `PUT` API endpoints have been added to the Config resource. Note that swarm mode has to be enabled before you can hit the following endpoints: - `GET /api/ucp/config/auth/ldap` - Returns information on your current system LDAP configuration. -- `PUT /api/ucp/config/auth/ldap` - Lets you update your LDAP configuration. +- `PUT /api/ucp/config/auth/ldap` - Lets you update your LDAP configuration. -See [UCP API Documentation](/reference/ucp/3.1/api/) for additonal information. +See [UCP API Documentation](/reference/ucp/3.2/api/) for additonal information. ## Where to go next From fbe93c9da66d01b7691253018cacc3b6a97b8f70 Mon Sep 17 00:00:00 2001 
From: Mathieu Champlon Date: Thu, 29 Aug 2019 11:11:45 +0200 Subject: [PATCH 2/7] Fix invocation of `dockerdesktop-admin` --- ee/desktop/admin/install/mac.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ee/desktop/admin/install/mac.md b/ee/desktop/admin/install/mac.md index ea1d5dbc4f..adaa62e7e7 100644 --- a/ee/desktop/admin/install/mac.md +++ b/ee/desktop/admin/install/mac.md @@ -84,7 +84,7 @@ When you install Docker Desktop Enterprise, the command line tool is installed a Run the following command to install or upgrade a version pack to the version contained in the specified `.ddvp` archive: - dockerdesktop-admin version-pack install [path-to-archive] + sudo /Applications/Docker.app/Contents/Resources/bin/dockerdesktop-admin version-pack install [path-to-archive] >**Note:** You must stop Docker Desktop before installing a version pack. @@ -92,7 +92,7 @@ Run the following command to install or upgrade a version pack to the version co Run the following command to uninstall the specified version pack: - dockerdesktop-admin version-pack uninstall [version-pack-name] + sudo /Applications/Docker.app/Contents/Resources/bin/dockerdesktop-admin version-pack uninstall [version-pack-name] >**Note:** You must stop Docker Desktop before uninstalling a version pack. From 6a19d309b0d6e7eee0396459e8e43f44b5e101ed Mon Sep 17 00:00:00 2001 From: Traci Morrison Date: Thu, 29 Aug 2019 14:03:19 -0400 Subject: [PATCH 3/7] Add cluster and persistent storage --- _data/glossary.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/_data/glossary.yaml b/_data/glossary.yaml index 659648bd26..1b05505b1f 100644 --- a/_data/glossary.yaml +++ b/_data/glossary.yaml @@ -1,4 +1,4 @@ -amd64: | +amd64: | AMD64 is AMD's 64-bit extension of Intel's x86 architecture, and is also referred to as x86_64 (or x86-64). aufs: | 
@@ -26,6 +26,8 @@ cgroups: | of processes. Docker relies on cgroups to control and isolate resource limits. *Also known as : control groups* +cluster: | + A cluster is a group of machines that work together to run workloads and provide high availability. collection: | A collection is a group of swarm resources that Docker Engine - Enterprise uses for role-based access control. Collections enable organizing permissions for resources like @@ -219,6 +221,8 @@ parent image: | in the image's Dockerfile. All subsequent commands are applied to this parent image. A Dockerfile with no `FROM` directive has no parent image, and is called a **base image**. +persistent storage: | + Persistent storage or volume storage provides a way for a user to add a persistent layer to the running container's file system. This persistent layer could live on the container host or an external device. The lifecycle of this persistent layer is not connected to the life cycle of the container, allowing a user to retain state. registry: | A Registry is a hosted service containing [repositories](#repository) of [images](#image) which responds to the Registry API. From a1c16611160754dd2c72d0a19465dd84f1b19030 Mon Sep 17 00:00:00 2001 From: ada mancini Date: Mon, 2 Sep 2019 06:36:56 -0400 Subject: [PATCH 4/7] fix formatting around persistent-volume-binder (#9334) * fix formatting around persistent-volume-binder * Update release-notes.md --- ee/ucp/release-notes.md | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/ee/ucp/release-notes.md b/ee/ucp/release-notes.md index 69d539b602..d240f11e13 100644 --- a/ee/ucp/release-notes.md +++ b/ee/ucp/release-notes.md 
@@ -256,24 +256,24 @@ In order to optimize user experience and security, support for Internet Explorer $ sudo yum downgrade container-selinux-2.74-1.el7 ``` - Attempts to deploy local PV fail with regular UCP configuration unless PV binder SA is bound to cluster admin role. - - Workaround: Create a `ClusterRoleBinding` that binds the `persistent-volume-binder` serviceaccount - to a `cluster-admin` `ClusterRole`, as shown in the following example: - ``` - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - labels: - subjectName: kube-system-persistent-volume-binder - name: kube-system-persistent-volume-binder:cluster-admin - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin - subjects: - - kind: ServiceAccount - name: persistent-volume-binder - namespace: kube-system - ``` + - Workaround: Create a `ClusterRoleBinding` that binds the `persistent-volume-binder` serviceaccount to a `cluster-admin` `ClusterRole`, as shown in the following example: + + ``` + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + labels: + subjectName: kube-system-persistent-volume-binder + name: kube-system-persistent-volume-binder:cluster-admin + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin + subjects: + - kind: ServiceAccount + name: persistent-volume-binder + namespace: kube-system + ``` - Using iSCSI on a SLES 12 or SLES 15 Kubernetes cluster results in failures - Using Kubernetes iSCSI on SLES 12 or SLES 15 hosts results in failures. Kubelet logs might have errors similar to the following, when there's an attempt to attach the iSCSI based persistent volume: From 56722dd4a0fcbcc8f03d7df60743bf3537345862 Mon Sep 17 00:00:00 2001 From: Affinito Alessandro Date: Mon, 2 Sep 2019 12:40:18 +0200 Subject: [PATCH 5/7] Added chmod +x for the binary (#9330) --- machine/install-machine.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/machine/install-machine.md b/machine/install-machine.md index 7882eae3e5..2330dc7da7 100644 --- a/machine/install-machine.md +++ b/machine/install-machine.md @@ -34,7 +34,8 @@ on GitHub. ```console $ base=https://github.com/docker/machine/releases/download/v{{site.machine_version}} && curl -L $base/docker-machine-$(uname -s)-$(uname -m) >/tmp/docker-machine && - sudo mv /tmp/docker-machine /usr/local/bin/docker-machine + sudo mv /tmp/docker-machine /usr/local/bin/docker-machine && + chmod +x /usr/local/bin/docker-machine ``` If you are running **Windows** with [Git BASH](https://git-for-windows.github.io/){: target="_blank" class="_"}: From 38400b7884d84ea79e22d2407691cc56e4aab6f9 Mon Sep 17 00:00:00 2001 From: Olly P Date: Mon, 2 Sep 2019 18:49:07 +0100 Subject: [PATCH 6/7] Expanded SELinux UCP install documentation (#9299) * Expanded SELinux install documentation Added a bit more context on installing UCP on a system with SELinux enabled at the daemon. * Added a list for cloud providers --- ee/ucp/admin/install/index.md | 9 +++--- reference/ucp/3.2/cli/install.md | 52 ++++++++++++++++++++++++++++---- 2 files changed, 51 insertions(+), 10 deletions(-) diff --git a/ee/ucp/admin/install/index.md b/ee/ucp/admin/install/index.md index 76a0d94540..dc2b9ff1fc 100644 --- a/ee/ucp/admin/install/index.md +++ b/ee/ucp/admin/install/index.md
@@ -78,10 +78,11 @@ To install UCP: --interactive ``` - This runs the install command in interactive mode, so that you're - prompted for any necessary configuration values. - To find what other options are available in the install command, check the - [reference documentation](/reference/ucp/3.2/cli/install.md). + This runs the install command in interactive mode, so that you're prompted + for any necessary configuration values. To find what other options are + available in the install command, including how to install UCP on a system + with SELinux enabled, check the [reference + documentation](/reference/ucp/3.2/cli/install.md). > Custom Container Networking Interface (CNI) plugins > diff --git a/reference/ucp/3.2/cli/install.md b/reference/ucp/3.2/cli/install.md index a5022020b1..5f8d8a2078 100644 --- a/reference/ucp/3.2/cli/install.md +++ b/reference/ucp/3.2/cli/install.md @@ -9,9 +9,12 @@ Install UCP on a node ## Usage ```bash -docker container run --rm -it \ +docker container run \ + --rm \ + --interactive \ + --tty \ --name ucp \ - -v /var/run/docker.sock:/var/run/docker.sock \ + --volume /var/run/docker.sock:/var/run/docker.sock \ docker/ucp \ install [command options] ``` 
@@ -34,11 +37,48 @@ firewall: * 12376, 12379, 12380, 12381, 12382, 12383, 12384, 12385, 12386, 12387 * 4789 (udp) and 7946 (tcp/udp) for overlay networking -If you have SELinux policies enabled for your Docker install, you will need to -use `docker container run --rm -it --security-opt label=disable ...` when running this -command. +### SELinux -If you are installing on Azure, see [Install UCP on Azure](/ee/ucp/admin/install/install-on-azure/). +If you are installing UCP on a manager node with SELinunx enabled at the daemon +and operating system level, you will need to pass `--security-opt +label=disable` in to your install command. This flag will disable SELinux +policies on the installation container. The UCP installation container mounts +and configures the Docker Socket as part of the UCP installation container, +therefore the UCP installation will fail with a permission denied error if you +fail to pass in this flag. + +``` +FATA[0000] unable to get valid Docker client: unable to ping Docker daemon: Got +permission denied while trying to connect to the Docker daemon socket at +unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/_ping: dial +unix /var/run/docker.sock: connect: permission denied - If SELinux is enabled +on the Docker daemon, make sure you run UCP with "docker run --security-opt +label=disable -v /var/run/docker.sock:/var/run/docker.sock ..." 
+``` + +An installation command for a system with SELinux enabled at the daemon level +would be: + +```bash +docker container run \ + --rm \ + --interactive \ + --tty \ + --name ucp \ + --security-opt label=disable \ + --volume /var/run/docker.sock:/var/run/docker.sock \ + docker/ucp \ + install [command options] +``` + +### Cloud Providers + +If you are installing on a public cloud platform there is cloud specific UCP +installation documentation: + +- For [Microsoft Azure](./cloudproviders/install-on-azure/) this is + **mandatory** +- For [AWS](./cloudproviders/install-on-aws/) this is optional. ## Options From 3279c447b6dc424b176c8dff5f30b9ca0b1afb26 Mon Sep 17 00:00:00 2001 From: "Jose J. Escobar" <53836904+jescobar-docker@users.noreply.github.com> Date: Mon, 2 Sep 2019 13:50:06 -0400 Subject: [PATCH 7/7] Update dockerfile_best-practices.md (#9335) Just two typos --- develop/develop-images/dockerfile_best-practices.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/develop/develop-images/dockerfile_best-practices.md b/develop/develop-images/dockerfile_best-practices.md index 33ca9a15eb..567bcff101 100644 --- a/develop/develop-images/dockerfile_best-practices.md +++ b/develop/develop-images/dockerfile_best-practices.md @@ -222,7 +222,7 @@ docker build [OPTIONS] -f- PATH ``` This syntax can be useful in situations where you want to build an image from a -repository does not contain a `Dockerfile`, or if you want to build with a custom +repository that does not contain a `Dockerfile`, or if you want to build with a custom `Dockerfile`, without maintaining your own fork of the repository. The example below builds an image using a `Dockerfile` from `stdin`, and adds 
@@ -898,7 +898,7 @@ image. For example, you would use `ONBUILD` for a language stack image that builds arbitrary user software written in that language within the `Dockerfile`, as you can see in [Ruby’s `ONBUILD` variants](https://github.com/docker-library/ruby/blob/c43fef8a60cea31eb9e7d960a076d633cb62ba8d/2.4/jessie/onbuild/Dockerfile). -Images built from `ONBUILD` should get a separate tag, for example: +Images built with `ONBUILD` should get a separate tag, for example: `ruby:1.9-onbuild` or `ruby:2.0-onbuild`. Be careful when putting `ADD` or `COPY` in `ONBUILD`. The "onbuild" image
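Review bot: the typo `additonal` is carried into the rewritten line `+See [UCP API Documentation](/reference/ucp/3.2/api/) for additonal information.` in the last hunk of PATCH 1/7 (ee/ucp/admin/configure/external-auth/index.md); since the line is being rewritten anyway, correct it to `additional`. In the same hunk the sentence just above still reads "As of UCP 3.1.5, LDAP-specific `GET` and `PUT` API endpoints have been added" while the link now targets the 3.2 reference; that is consistent only if 3.2 is the release this page documents, so "UCP 3.1.5 and later" would make the version statement and the link agree. The other hunks in this patch only strip trailing whitespace and need no change.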
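Review bot: the version-pack install hunk in PATCH 2/7 (ee/desktop/admin/install/mac.md) replaces a bare `dockerdesktop-admin` with `sudo /Applications/Docker.app/Contents/Resources/bin/dockerdesktop-admin`, which tells the reader two things the prose does not: the tool is not on PATH, and it needs root. The introductory sentence above the hunk ("the command line tool is installed a...") should say where the binary lives and that both version-pack subcommands must be run with `sudo`, otherwise the long path reads like a mistake. The uninstall hunk makes the identical change and the same comment applies to it.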
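Review bot: the new `cluster` entry in the `@@ -26,6 +26,8 @@ cgroups:` hunk of PATCH 3/7 (_data/glossary.yaml) says only "a group of machines that work together"; since the adjacent `collection` entry is defined in terms of swarm resources, say which cluster (swarm or Kubernetes) the term refers to in Docker Enterprise so the glossary does not leave the reader to guess. The `amd64: |` hunk above it only strips trailing whitespace.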
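Review bot: style: in the `@@ -219,6 +221,8 @@ parent image:` hunk of PATCH 3/7 (_data/glossary.yaml) the new `persistent storage` definition is a single very long line, while the neighbouring entries (`parent image`, `registry`) are hard-wrapped inside their YAML block scalars; wrap it the same way so the file stays consistent. Within the same entry both "lifecycle" and "life cycle" appear in one sentence; pick one spelling.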
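Review bot: missing documentation in the PATCH 4/7 hunk (ee/ucp/release-notes.md): the workaround's `ClusterRoleBinding` gives the `persistent-volume-binder` service account in `kube-system` the `cluster-admin` ClusterRole, that is, unrestricted access to every API resource in the cluster, which is far more than binding local persistent volumes requires. Because this patch re-indents the YAML so that it actually renders, readers are more likely to copy it, so the bullet should state that trade-off explicitly and tell readers to delete the binding (`kubectl delete clusterrolebinding kube-system-persistent-volume-binder:cluster-admin`) once the underlying local-PV issue is fixed, or replace it with a narrower ClusterRole if one is identified. Minor: tag the fence as `yaml` so the block is highlighted.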
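Review bot: in the PATCH 5/7 hunk (machine/install-machine.md) the added `chmod +x /usr/local/bin/docker-machine` runs unprivileged after `sudo mv` has already placed the file under `/usr/local/bin`. It works only because `mv` preserves the invoking user's ownership, which also means the binary now sitting in a root-owned directory stays owned and writable by that user. An alternative that avoids both the odd ordering and the ownership issue is `sudo install -m 0755 /tmp/docker-machine /usr/local/bin/docker-machine`, which copies and sets the mode in one privileged step (or, keeping the current shape, run `chmod +x /tmp/docker-machine` before the `sudo mv`). Also check whether the Git BASH variant referenced immediately after the hunk needs the same `chmod`; it is not in this diff. While the install chain is being touched, it would be worth adding a step that verifies the downloaded binary against the checksum published for the release, if one is available, before it is moved into `/usr/local/bin`, since the snippet currently trusts whatever `curl -L` returns.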
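Review bot: in the large hunk of PATCH 6/7 that adds the SELinux and Cloud Providers sections (reference/ucp/3.2/cli/install.md, `@@ -34,11 +37,48 @@`), the two new links are relative (`./cloudproviders/install-on-azure/`, `./cloudproviders/install-on-aws/`) and will resolve under `reference/ucp/3.2/cli/`, whereas the line this hunk removes linked the absolute path `/ee/ucp/admin/install/install-on-azure/`; unless a `cloudproviders` directory exists beside `install.md`, both links are broken, and the Azure one is labelled **mandatory**, so they should use absolute paths like the removed line. In the same hunk: `SELinunx` is a typo for `SELinux`; "This flag will disable SELinux policies on the installation container" overstates what happens, since `--security-opt label=disable` only turns off SELinux label confinement for that one container (the host policy stays enforcing and other containers keep their labels), and the text should say so precisely because it is asking the reader to weaken a control on a container that is handed the Docker socket; and the `FATA[0000]` example sits in an untagged fence and is hard-wrapped in the middle of the URL, so a reader searching their logs for the message will not match it, so keep it on one line or tag the fence `text` and wrap only at spaces.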