diff --git a/adminguide.md b/adminguide.md deleted file mode 100644 index 3f028ad1a6..0000000000 --- a/adminguide.md +++ /dev/null 
@@ -1,362 +0,0 @@ -+++ -title = "Admin tasks" -description = "Documentation describing administration of Docker Trusted Registry" -keywords = ["docker, documentation, about, technology, hub, registry, enterprise, admin tasks, dashboard, settings, logs, reporting, Notary, diagnostics, admin guide, administration"] -[menu.main] -parent="workw_dtr" -weight=5 -+++ - - - -# Docker Trusted Registry administrator tasks - -This document explains the tasks and functions a Docker Trusted Registry -administrator needs to understand such as reporting, logging, system management, -performance metrics, optimizing the Trusted Registry file size, and deleting -containers. For tasks Docker Trusted Registry users need to accomplish, -such as pushing and pulling images, go to the [User's Guide](userguide.md). For -using the Trusted Registry user interface (UI) to view, manage, or assign -permissions regarding repositories, organizations, and teams, go to the -[Account management](accounts.md) documentation. - -## Reporting Dashboard - -![Docker Trusted Registry Dashboard](images/admin-metrics.png) - -The Docker Trusted Registry Dashboard displays "hardware" resource utilization -and network traffic metrics for the Docker Trusted Registry host as well as for -each of its contained services. The CPU and RAM usage meters at the top indicate -overall resource usage for the host, while detailed time-series charts are -provided below for each container providing a Docker Trusted Registry service. - -In addition, if your registry is using a filesystem storage driver, you can view -a usage meter indicating used and available space on the storage volume. -Third-party storage back-ends are not supported. If you are using one, this -meter is not displayed. Mouse-over the charts or meters to see detailed data points. - -Clicking a service name, such as Load Balancer or Admin Server, displays the -network, CPU, and memory (RAM) utilization data for the specified service. 
See -the following for a [detailed explanation of the available services](#services). - -### Settings tab - -Use the settings tab to configure your Trusted Registry. It is further -sub-catagorized into the following sub-headings: - -* **General**, including Notary settings -* **Security**, SSL certificates and SSL private key -* **Storage**, where you can set an optional storage back-end -* **License**, where you apply your license -* **Garbage collection**, set up cron job -* **Auth**, authentication method settings: managed or LDAP -* **Updates**, where you upgrade your registry - -Refer to the [configuration documentation](configure/configuration.md) for details. - -### Repositories tab - -Use this tab to create or view repositories that are either public or private. -For details on how account management works, see the [account management documentation](accounts.md). Note that at this time, more functionality is accessed through the APIs. View the API documentation for details. - -### Organization tab - -Use this tab to create or view organizations. For details on how account -management works, see the [account management documentation](accounts.md). Note that at this time, more functionality is accessed through the APIs. View -the API documentation for details. - -### Logs tab - -![System Logs page](images/admin-logs.png) - -Use this tab to view the logs from your Docker Trusted Registry's containers. -Based on the filter, see log sections for each service. Older or newer logs can -be loaded by scrolling up or down. See the following for a detailed -[explanation of the available services](#services). - -The Trusted Registry's log files are located on the host in -`/usr/local/etc/dtr/logs/`. They are limited to a maximum size of 64mb. They are -rotated every two weeks, when the aggregator sends logs to the collection -server, or they are rotated if a logfile would exceed 64mb without rotation. 
Log -files are named `-`, where the "component -name" is the service it provides, for example `manager` or `admin-server`. - -### Usage statistics and crash reports - -During normal use, the Trusted Registry generates usage statistics and crash -reports. This information is collected by Docker, Inc. to help prioritize -features, fix bugs, and improve our products. Specifically, Docker, Inc. -collects the following information: - -* Error logs -* Crash logs - -## Emergency access to the Trusted Registry - -If your authenticated or public access to the Trusted Registry UI has stopped -working, but your Trusted Registry admin container is still running, you can add -an -[ambassador container](https://docs.docker.com/articles/ambassador_pattern_linking/) -to get temporary unsecure access to it. - -For Trusted Registry version 1.4.3, run the following command in a Trusted Registry CLI: - -``` -docker run --rm -it --net dtr -p 9999:80 svendowideit/ambassador dockertrustedregistry_admin_server_1 80 -``` -However, if you are running a version prior to it, 1.4.2 or earlier, then continue to run this command: - -``` -$ docker run --rm -it --link docker_trusted_registry_admin_server:admin -p 9999:80 svendowideit/ambassador -``` - -Either command gives you access on port `9999` on your Trusted Registry server -`http://:9999`. This guide assumes that you are a member of the `docker` group, or you have root privileges. Otherwise, you may need to add `sudo` to the previous example command. - -### SSH access to host - -As an extra measure of safety, ensure you have SSH access to the Trusted -Registry host before you start using it. - -If you are hosting Trusted Registry on an EC2 host launched from the AWS -Marketplace AMI, note that the user is `ec2-user`: -`/path/to/private_key/id_rsa ec2-user@`. - -## Services - -The Trusted Registry runs several Docker services which are essential to its reliability and usability. 
The following services are included; you can see their details by -viewing the [Trusted Registry Dashboard](#dashboard) and [Logs](#logs) pages: - -* `admin_server`: Used for displaying system health, performing upgrades, -configuring settings, and viewing logs. -* `load_balancer`: Used for maintaining high availability by distributing load -to each image storage service (`image_storage_X`). -* `log_aggregator`: A microservice used for aggregating logs from each of the -other services. Handles log persistence and rotation on disk. -* `image_storage_X`: Stores Docker images using the [Docker Registry HTTP API V2](http://docs.docker.com/registry/spec/api/). Typically, -multiple image storage services are used in order to provide greater uptime and -faster, more efficient resource utilization. -* `postgres`: A database service used to host authentication (LDAP) data and other datasets as needed by Docker Trusted Registry. - -## Trusted Registry system management - -The `docker/trusted-registry` image is used to control the Trusted Registry -system. This image uses the Docker socket to orchestrate the multiple services -that comprise the Trusted Registry. The bash script needs access to run `docker` commands, so if you are not in the `docker` group, then you will need super user (sudo) access. - - $ sudo bash -c "$(sudo docker run docker/trusted-registry [COMMAND])" - -Supported commands are: `install`, `start`, `stop`, `restart`, `pull`, `info`, -`export-settings`, `diagnostics`, `status`, `upgrade`. - -### `install` - -Install Docker Trusted Registry. - -### `start` - -Start Docker Trusted Registry containers that are not running. - -### `stop` - -Stop Docker Trusted Registry containers that are running. - -### `restart` - -Stop and then start the Docker Trusted Registry containers. - -### `status` - -Display the current running status of only the Docker Trusted Registry containers. 
- -``` -$ sudo bash -c "$(docker run docker/trusted-registry status)" -INFO [1.1.0-alpha-001472_g8a9ddb4] Attempting to connect to docker engine dockerHost="unix:///var/run/docker.sock" -INFO [1.1.0-alpha-001472_g8a9ddb4] Running status command -docker_trusted_registry_load_balancer - Daemon [default (unix:///var/run/docker.sock)] - Id: 4d6abd5c39acda25e3d3ccf7cc2acf00f32c7786a7e86fb56daf7fd67584ce9f - Created: 2015-06-16 21:52:53+00:00 - Status: Up 4 minutes - Image: docker/trusted-registry-nginx:1.1.0-alpha-001472_g8a9ddb4 - Ports: - tcp://0.0.0.0:443 -> 443 - tcp://0.0.0.0:80 -> 80 - Command: - nginxWatcher - Linked To: - None - -docker_trusted_registry_auth_server - Daemon [default (unix:///var/run/docker.sock)] - Id: 22d5c1cf988338638dd810bc8111295f71713e81338d16298028122d33eed64a - Created: 2015-06-16 21:52:46+00:00 -... -``` - -### `info` - -Display the version and info for the Docker daemon, and version and image ID's -of Docker Trusted Registry. - -``` -$ sudo bash -c "$(docker run docker/trusted-registry info)" -INFO [1.1.0-alpha-001472_g8a9ddb4] Attempting to connect to docker engine dockerHost="unix:///var/run/docker.sock" -{ - "DockerEngine": { - "Version": { - "ApiVersion": "1.20", - "Arch": "amd64", - "GitCommit": "55bdb51", - "GoVersion": "go1.4.2", - "KernelVersion": "3.16.0-4-amd64", - "Os": "linux", - "Version": "1.6.0" - }, - "Info": { - "ID": "QUMM:6SGD:6ZK4:TLJD:LTX7:64Z5:WP4Y:NE3N:TY7P:Y2RR:KVGO:IWRX", - "Containers": 15, - "Driver": "btrfs", - "DriverStatus": [], - "ExecutionDriver": "native-0.2", - "Images": 2793, - "KernelVersion": "3.16.0-4-amd64", - "OperatingSystem": "Debian GNU/Linux stretch/sid", - "NCPU": 4, - "MemTotal": 12305711104, - "Name": "t440s", - "Labels": null, - "Debug": true, - "NFd": 43, - "NGoroutines": 85, - "SystemTime": "2015-06-17T04:24:54.634746915+10:00", - "NEventsListener": 1, - "InitPath": "/usr/bin/docker", - "InitSha1": "", - "IndexServerAddress": "https://index.docker.io/v1/", - "MemoryLimit": false, - 
"SwapLimit": false, - "IPv4Forwarding": true, - "DockerRootDir": "/data/docker", - "HttpProxy": "", - "HttpsProxy": "", - "NoProxy": "" - } - }, - "DTR": { - "Version": "1.1.0-alpha-001472_g8a9ddb4", - "GitSHA": "8a9ddb4595c3", - "StorageDriver": "filesystem", - "AuthDriver": "dtr", - "ImageIDs": { - "Garant": "59bc135c362ad7e44743800b037061976210a9cc6aec323c3ea6eb93ebb513ca", - "Registry": "6aba58d8bbe71b14edd538a20ac98e1279577bbef461ca25fd2794dcb017c1dc", - "AdminServer": "af4dfb1f386e3e07b612f5f59f08166ce499ef1dfc619d499a42c53c5e424acf", - "Manager": "3abc65af8385e63d61af40a1393438d0d720e6bf2a60c1b15b7a17a2a0d8965b", - "LogAggregator": "01da5d7ef561a251c0c63b860a95d55b602cc70347192ef34acd3b1c5bcd317f", - "Nginx": "631537f98c8876050fae00106c8db424d03e408b27cc14b5eb1fc11abbaba03b" - }, - "LicenseKeyID": "2Y6QPUBxoYEms6pIysneyum6SZY_QxE9v4zLF8i1wBNZ" - } -} -``` - -### `diagnostics` - -Use the `diagnostics` command to extract configuration and run time data about -your containers for support purposes. The output includes the `docker inspect` -output for all containers, running and not, so check the resulting files for -passwords and other proprietary information before sending it. - -`$ sudo bash -c "$(docker run docker/trusted-registry diagnostics)" > diagnostics.zip` - -> **Warning:** These diagnostics files may contain secrets that you need to remove before passing on, such as raw container log files, Azure storage -credentials, or passwords that may be sent to non-Docker Trusted Registry -containers using the `docker run -e PASSWORD=asdf` environment variable options. - -Stream to STDOUT a zip file containing CSDE and Docker Trusted Registry -configuration, state, and log files to help the Docker Enterprise support team: - -- your Docker host's `ca-certificates.crt` -- `containers/`: the first 20 running, stopped and paused containers `docker inspect` - information and log files. 
-- `dockerEngine/`: the Docker daemon's `info` and `version` output -- `dockerState/`: the Docker daemon's container states, image states, daemon log file, and daemon configuration file -- `dtrlogs/`: the Docker Trusted Registry container log files -- `manager/`: the Docker Trusted Registry `/usr/local/etc/dtr` configuration directory and manager `info` output. See the [export settings section](#export-settings) for more details. -- `sysinfo/`: Host information -- `errors.txt`: errors and warnings encountered while running diagnostics - - -### `export-settings` - -Export the Trusted Registry configuration files for backup or diagnostics use. - -`$ sudo bash -c "$(docker run docker/trusted-registry export-settings)" > export-settings.tar.gz` - -> **Warning:** These diagnostics files may contain secrets that you need to remove before passing on, such as Azure storage credentials. - -Stream to STDOUT a gzipped tar file containing the Trusted Registry -configuration files from `/usr/local/etc/dtr/`: - -- `garant.yml` -- `generatedConfigs/nginx.conf` -- `generatedConfigs/stacker.yml` -- `hub.yml` -- `license.json` -- `ssl/server.pem` -- `storage.yml` - -## Client Docker Daemon diagnostics - -To debug client Docker daemon communication issues with the Trusted Registry, -Docker also provides a diagnostics tool to be run on the client Docker daemon. - -> **Warning:** These diagnostics files may contain secrets that you need to remove before passing on, such as raw container log files, Azure storage credentials, or passwords that may be sent to non-Docker Trusted Registry containers using the `docker run -e PASSWORD=asdf` environment variable options. - -If you supply an administrator username and password, then the `diagnostics` -tool also downloads additional logs and configuration data from the remote -Trusted Registry server. 
Download and run this tool using the following command: - -``` -$ wget https://dhe.mycompany.com/admin/bin/diagnostics && chmod +x diagnostics -$ sudo ./diagnostics dhe.mycompany.com > enduserDiagnostics.zip DTR -administrator password (provide empty string if there is no admin server -authentication): -WARN [1.1.0-alpha-001472_g8a9ddb4] Encountered errors running diagnostics -errors=[Failed to copy DTR Adminserver's exported settings into ZIP output: -"Failed to read next tar header: \"archive/tar: invalid tar header\"" Failed to -copy logs from DTR Adminserver into ZIP output: "Failed to read next tar header: -\"archive/tar: invalid tar header\"" error running "sestatus": "exit status 127" -error running "dmidecode": "exit status 127"] -``` - -The zip file contains the following information: - -- your local Docker host's `ca-certificates.crt` -- `containers/`: the first 20 running, stopped and paused containers `docker inspect` - information and log files. -- `dockerEngine/`: the local Docker daemon's `info` and `version` output -- `dockerState/`: the local Docker daemon's container states, image states, log file, and daemon configuration file -- `dtr/`: Remote Docker Trusted Registry services information. This directory will only be populated if the user enters a Docker Trusted Registry "admin" username and password. -- - `dtr/logs/`: the remote Docker Trusted Registry container log files. This directory will only be populated if the user enters a Docker Trusted Registry "admin" username and password. -- - `dtr/exportedSettings/`: the Docker Trusted Registry manager container's log files and a backup of the `/usr/local/etc/dtr` Docker Trusted Registry configuration directory. See the [export settings section](#export-settings) for more details. 
-- `sysinfo/`: local Host information -- `errors.txt`: errors and warnings encountered while running diagnostics - -### Starting and stopping the Trusted Registry - -If you need to stop and/or start the Trusted Registry (for example, upgrading, or troubleshooting), use the following commands: - -`sudo bash -c "$(docker run docker/trusted-registry stop)"` - - -`sudo bash -c "$(docker run docker/trusted-registry start)"` - -## See also - -* To configure for your environment, see the -[Configuration instructions](configure/configuration.md). -* To use Docker Trusted Registry, see the [User guide](userguide.md). -* To upgrade, see the [Upgrade guide](install/upgrade.md). -* To see previous changes, see the [release notes](release-notes.md). diff --git a/architecture.md b/architecture.md new file mode 100644 index 0000000000..8e82397e5d --- /dev/null +++ b/architecture.md 
@@ -0,0 +1,85 @@ + + +# DTR architecture + +Docker Trusted Registry (DTR) is a Dockerized application that runs +using the Commercially Supported Docker Engine. + + +![](images/architecture-1.png) + + +## Containers + +When you install DTR on a node, the following containers are started: + +| Name | Description | +|:--------------|:-------------------------------------------------------------------------------------------------------------------------------------------| +| dtr-api | Executes the DTR business logic. It serves the DTR web application, and API. | +| dtr-etcd | A key-value store for persisting DTR configuration settings. Don't use it in your applications, since it's for internal use only. | +| dtr-nginx | Receives http and https requests and proxies them to other DTR components. It listens on ports 80 and 443 of the host where it is running. | +| dtr-registry | Implements the functionality for pulling and pushing Docker images. It also handles how images are stored. | +| dtr-rethinkdb | A database for persisting repository metadata. Don't use it in your applications, since it's for internal use only. | + + +## Networks + +To allow containers to communicate, when installing DTR the following networks +are created: + +| Name | Type | Description | +|:-------|:--------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| dtr-br | bridge | Allows containers in the same node to communicate with each other in a secure way. | +| dtr-ol | overlay | Allows containers in different nodes to communicate. This network is used in high-availability installations, to allow etcd and RethinkDB containers to replicate their data across different nodes. 
| + + +## Volumes + +DTR uses these named volumes for persisting data: + +| Volume name | Location on host (/var/lib/docker/volumes/) | Description | +|:-------------|:--------------------------------------------|:-------------------------------------------------------------------------------------------------------------| +| dtr-ca | dtr-ca/_data | The volume where the private keys and certificates are stored so that containers can use TLS to communicate. | +| dtr-etcd | dtr-etcd/_data | The volume used by etcd to persist DTR configurations. | +| dtr-registry | dtr-registry/_data | The volume where images are stored, if DTR is configured to store images on the local filesystem. | +| dtr-rethink | dtr-rethink/_data | The volume used by RethinkDB to persist DTR data, like users and repositories. | + +If you don’t create these volumes, when installing DTR they are created with +the default volume driver and flags. + +## Image storage + +By default, Docker Trusted Registry stores images on the filesystem of the host +where it is running. +You can also configure DTR for using these cloud storage backends: + +* Amazon S3 +* OpenStack Swift +* Microsoft Azure + + +## High-availability support +For load balancing and high-availability, you can create multiple replicas of +DTR. In that case, you’ll have multiple nodes, each running the +same set of containers. + + + +![](images/architecture-2.png) + +Notice that: + +* You can load balance user requests between the controller nodes. +When you make a change to the configuration of one controller node, that +configuration is replicated to the other controllers. +* For high-availability, you should set up 3, 5, or 7 controller nodes. diff --git a/configure/config-auth.md b/configure/config-auth.md index 599285b16f..a4a1d0ca19 100644 --- a/configure/config-auth.md +++ b/configure/config-auth.md 
@@ -27,7 +27,7 @@ There are three authentication methods: ![Auth settings page](../images/admin-settings-auth.png) -> **Note**: If you have issues logging into the Docker Trusted Registry admin web interface after changing the authentication settings, you may need to use the [emergency access to the Docker Trusted Registry admin web interface](../adminguide.md#emergency-access-to-the-trusted-registry). +> **Note**: If you have issues logging into the Docker Trusted Registry admin web interface after changing the authentication settings, you may need to [troubleshoot DTR](../monitor-troubleshoot/troubleshoot.md). ## No authentication (None) @@ -134,6 +134,5 @@ configuration is working. ## See also -* To continue to configure for your environment, see the overview -[configuration instructions](configuration.md). -* To use Docker Trusted Registry, see the [User guide](../userguide.md). +* [Configure DTR](config-general.md) +* [Troubleshoot DTR](../monitor-troubleshoot/troubleshoot.md) diff --git a/configure/config-general.md b/configure/config-general.md index 46f239e8ba..a842a626c1 100644 --- a/configure/config-general.md +++ b/configure/config-general.md @@ -93,6 +93,5 @@ the Trusted Registry interface. ## See also -* To continue to configure for your environment, see the overview -[configuration instructions](configuration.md). -* To use Docker Trusted Registry, see the [User guide](../userguide.md). +* [Configure authentication](config-auth.md) +* [Configure storage settings](config-storage.md) diff --git a/configure/config-security.md b/configure/config-security.md index 4d54dfd9cc..08faf756c6 100644 --- a/configure/config-security.md +++ b/configure/config-security.md 
@@ -226,6 +226,5 @@ Then restart the Docker daemon with `sudo /etc/init.d/docker restart`. ## See also -* To continue to configure for your environment, see the overview -[configuration instructions](configuration.md). -* To use Docker Trusted Registry, see the [User guide](../userguide.md). +* [Configure authentication](config-auth.md) +* [Configure storage options](config-storage.md) diff --git a/configure/config-storage.md b/configure/config-storage.md index 0cacb19669..547e4ec3af 100644 --- a/configure/config-storage.md +++ b/configure/config-storage.md @@ -215,6 +215,5 @@ ensure your choices make sense. ## See also -* To continue to configure for your environment, see the overview -[configuration instructions](configuration.md). -* To use Docker Trusted Registry, see the [User guide](../userguide.md). +* [Configure authentication](config-auth.md) +* [Configure security settings](config-security.md) diff --git a/configure/configuration.md b/configure/configuration.md index 6b591deea6..c632e82dac 100644 --- a/configure/configuration.md +++ b/configure/configuration.md @@ -18,9 +18,9 @@ view configuration options. Configuring is grouped by the following: * [General settings](config-general.md) (ports, proxies, and Notary) * [Security settings](config-security.md) * [Storage settings](config-storage.md) -* [License](../license.md) +* [License](../install/license.md) * [Authentication settings](config-auth.md) (including LDAP) -* [Garbage collection](../soft-garbage.md) +* [Garbage collection](../repos-and-images/delete-images.md) * Updates * Docker daemon (this is set from the Trusted Registry CLI and not the UI) 
@@ -70,12 +70,8 @@ Both the Trusted Registry and the Docker daemon collect and store log messages. `docker daemon --log-opt max-size 100m max-file=1` -To learn about Trusted Registry logs, view the [Logs tab](../adminguide.md) in the admin guide documentation. ## See also -* To use Docker Trusted Registry, see the [User guide](../userguide.md). -* View [admin tasks](../adminguide.md). -* To upgrade, see the [Upgrade guide](../install/upgrade.md). -* To see previous changes and fixes, refer to the [release notes](../release-notes.md). -* For information on getting support for Docker Trusted Registry, go to [Support information](../support.md). +* [Monitor DTR](../monitor-troubleshoot/monitor.md) +* [Troubleshoot DTR](../monitor-troubleshoot/troubleshoot.md) diff --git a/configure/index.md b/configure/index.md index 7d6bf104db..f0687d7b99 100644 --- a/configure/index.md +++ b/configure/index.md @@ -1,12 +1,14 @@ + # Configure Docker Trusted Registry diff --git a/high-availability/backups-and-disaster-recovery.md b/high-availability/backups-and-disaster-recovery.md new file mode 100644 index 0000000000..eefd2f520a --- /dev/null +++ b/high-availability/backups-and-disaster-recovery.md 
@@ -0,0 +1,119 @@ + + + +# Backups and disaster recovery + +When you decide to start using Docker Trusted Registry on a production +setting, you should [configure it for high availability](high-availability.md). + +The next step is creating a backup policy and disaster recovery plan. + +## DTR data persistency + +Docker Trusted Registry persists four kinds of data: + +* Configurations: the cluster configurations are stored on a key-value store +that is replicated through all DTR nodes. +* Image and repository metadata: the information about the repositories and +images deployed. This information is replicated through all DTR nodes. +* Docker images: By default images are stored on the host of the filesystem +where DTR is installed. +* Certificates and keys: the certificates, public keys, and private keys that +are used for mutual TLS communication. + +This data is persisted on the host machine using named volumes. +[Learn more about DTR named volumes](../architecture.md). + +## Backup DTR data + +To perform a backup of a DTR node, use the `docker/dtr backup` +command. This command creates a backup of DTR: + +* Configurations, +* Repository metadata, +* Certificates and keys used by DTR. + +These files are added to a tar archive, and the result is streamed to stdout. + +The backup command does not create a backup of Docker images. You should +implement a separate backup policy for the Docker images, taking in +consideration whether your DTR installation is configured to store images on the +filesystem or using a cloud provider. + +When creating a backup, the resulting .tar file contains sensitive information +like private keys. You should ensure the backups are stored securely. 
+ +To learn about the options available on the backup command, you can +[check the reference documentation](../reference/backup.md), or run: + +```bash +$ docker run --rm -it docker/dtr backup --help +``` + +As an example, to create a backup of a DTR node, you can use: + +```bash +$ docker run -it --rm docker/dtr backup \ + --insecure-tls --pod-id 8b6174866010 \ + --username admin --password password \ + --host 192.168.10.100 > /tmp/backup.tar +``` + +Where: + +* `--insecure-tls` allows connecting to UCP without TLS, +* `--pod-id` specifies the DTR pod to backup, +* `--username, --password` are the credentials of a UCP admin user, +* `--host` is the IP address of UCP. + +## Restore DTR data + +You can restore a DTR node from a backup using the `docker/dtr restore` +command. +This command performs a fresh installation of DTR, and reconfigures it with +the configuration created during a backup. + +The command starts by installing DTR, restores the configurations stored on +etcd, and then restores the repository metadata stored on RethinkDB. You +can use the `--config-only` option, to only restore the configurations stored +on etcd. + +This command does not restore Docker images. You should implement a separate +restore procedure for the Docker images stored in your registry, taking in +consideration whether your DTR installation is configured to store images on +the filesystem or using a cloud provider. 
+ +To learn about the options available on the restore command, you can +[check the reference documentation](../reference/restore.md), or run: + +```bash +$ docker run --rm -it docker/trusted-registry restore --help +``` + +As an example, to install DTR on the host at 192.168.10.101, and restore its +state from an existing backup: + +```bash +$ docker run -i --rm -v /var/run/docker.sock:/var/run/docker.sock \ + docker/dtr restore \ + --insecure-tls \ + --username admin --password password \ + --host 192.168.10.100 --dtr-host 192.168.10.101 < /tmp/backup.tar +``` + +Where: + +* `--insecure-tls` allows connecting to UCP without TLS, +* `--username, --password` are the credentials of a UCP admin user, +* `--host` is the IP address of UCP, +* `--dtr-host` is the IP address of the host where DTR is going to be installed. diff --git a/high-availability/high-availability.md b/high-availability/high-availability.md new file mode 100644 index 0000000000..79266598a9 --- /dev/null +++ b/high-availability/high-availability.md 
@@ -0,0 +1,63 @@ + + +# Set up high availability + +Docker Trusted Registry (DTR) is designed for high availability. +When installing DTR you can add multiple nodes to form a cluster. + +Adding more nodes to your DTR cluster allows you to: + +* Load-balance user requests across the DTR nodes, +* Keep the DTR cluster working if a node fails. + +To make a DTR installation tolerant to node failures, add additional nodes to +the DTR cluster. + +| DTR nodes | Failures tolerated | +|:---------:|:------------------:| +| 1 | 0 | +| 3 | 1 | +| 5 | 2 | +| 7 | 3 | + +When sizing your DTR installation for high-availability, +follow these rules of thumb: + +* Don't create a DTR cluster with just two nodes. Your cluster +won't tolerate any failures, and it's possible that you experience performance +degradation. +* When a node fails, the number of failures tolerated by your cluster +decreases. Don't leave that node offline for long. +* Adding too many nodes to the cluster might also lead to performance +degradation, as data needs to be replicated across all nodes. + +## Size your cluster + +When installing DTR for production, you should have separate nodes for running +Docker Universal Control Plane (DTR), Docker Trusted Registry, and your +containers. + +Having dedicated nodes for UCP, DTR, and your containers, ensures they stay +performant since all applications have dedicated resources. +It also makes it easier to implement backup policies and disaster recovery +plans. + +For installing DTR for production, you'll need a minimum of: + +* 3 dedicated nodes to install UCP for high-availability, +* 3 dedicated nodes to install DTR for high-availability, +* As many nodes as you want for running your containers and applications. + + + +![](../images/architecture-3.png) diff --git a/high-availability/index.md b/high-availability/index.md new file mode 100644 index 0000000000..f9a5b4d6ff --- /dev/null +++ b/high-availability/index.md @@ -0,0 +1,11 @@ + 
diff --git a/images/architecture-1.png b/images/architecture-1.png new file mode 100644 index 0000000000..dd369cd476 Binary files /dev/null and b/images/architecture-1.png differ diff --git a/images/architecture-2.png b/images/architecture-2.png new file mode 100644 index 0000000000..955f097e33 Binary files /dev/null and b/images/architecture-2.png differ diff --git a/images/architecture-3.png b/images/architecture-3.png new file mode 100644 index 0000000000..a3a5f67c2a Binary files /dev/null and b/images/architecture-3.png differ diff --git a/images/get-license-1.png b/images/get-license-1.png new file mode 100644 index 0000000000..03d6f83b2d Binary files /dev/null and b/images/get-license-1.png differ diff --git a/images/get-license-2.png b/images/get-license-2.png new file mode 100644 index 0000000000..c06d994e85 Binary files /dev/null and b/images/get-license-2.png differ diff --git a/index.md b/index.md index bc5e443f2c..68e71d44d9 100644 --- a/index.md +++ b/index.md @@ -1,5 +1,5 @@ + # Welcome to Docker Trusted Registry The following documentation for Docker Trusted Registry is available: -* [Overview](overview.md) -* [Installation](install/index.md) -* [Quick Start: Basic User Workflow](quick-start.md) -* [User Guide](userguide.md) -* [Administrator Guide](adminguide.md) +* [Docker Trusted Registry overview](overview.md) +* [Quickstart](quick-start.md) +* [Architecture](architecture.md) +* [Installation](install/system-requirements.md) * [Configuration](configure/configuration.md) -* [Support](support.md) -* [Release Notes](release-notes.md) +* [Monitor and troubleshoot](monitor-troubleshoot/monitor.md) +* [High-availability](high-availability/high-availability.md) +* [User management](user-management/permission-levels.md) +* [Repositories and images](repos-and-images/create-repo.md) +* [Release notes](release-notes/cse-release-notes.md) 
diff --git a/install/dtr-ami-bds-launch.md b/install/dtr-ami-bds-launch.md deleted file mode 100644 index 808752c215..0000000000 --- a/install/dtr-ami-bds-launch.md +++ /dev/null 
@@ -1,162 +0,0 @@ -+++ -title = "Install Trusted Registry for AWS AMI (BDS)" -description = "Install Docker Trusted Registry for AWS (Business Day Support)" -keywords = ["docker, documentation, about, technology, understanding, enterprise, hub, registry, AWS, Amazon, AMI"] -[menu.main] -parent="workw_dtr_install" -+++ - -# Install Trusted Registry for AWS AMI (BDS) - -This article walks you through the process of launching the *Docker Trusted Registry for AWS (Business Day Support)* AMI as an EC2 instance in the Amazon Web Services (AWS) cloud. - -This AMI launches an instance of Docker Trusted Registry (Trusted Registry). The remainder of this document refers to the running instance of this AMI as a “Trusted Registry”. This AMI requires the use of Docker Engine for AWS (Business Day Support). - -If you have not already done so, make sure you have read the [installation overview](index.md) for Trusted Registry. - -## Prerequisites - -You can locate, install, and launch the AMI from the Amazon AWS Marketplace or with the AWS EC2 Console by selecting the AMI from the "Launch Instance" dialog. Both the AWS Marketplace and the AWS EC2 Console require that you have an AWS account to launch the AMI. - -If your account is supplied through your company, your company's administrator must give you permissions to launch EC2 instances. If you receive a permissions error when following these instructions, contact your AWS administrator for help. - -You will need to create a Key Pair, which is associated to your selected region. Refer to [AWS Documentation](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html) to learn how to do this. - -# Install procedure - -These instructions show you how to locate, install, and launch a Trusted Registry from Amazon's AWS Marketplace. The AWS Marketplace allows you to do a "1-Click Launch" or "Manual Launch". - -The *Manual Launch* allows you to launch using the AWS EC2 Console. 
It allows for fine control of EC2 instance settings such as: - -- Instance type -- VPC settings -- Storage -- Instance tags -- Security Group settings - -The *1-Click Launch* is quicker, provides default values for most settings, and dynamically updates the Cost Estimator. This install shows you how to do a *1-Click Launch*. The entire process should take about 15 minutes to complete. - -## Locate the Docker Trusted Registry AMI - -1. If you haven't already done so, open your browser to the Amazon AWS Marketplace. - -2. Search the Marketplace for "Docker Trusted Registry for AWS (Business Day Support)". - -3. Select the "Docker Trusted Registry for AWS (Business Day Support)" AMI from the list of results. - - The Marketplace entry provides details on the product. - -4. Press "Continue" to move to the launch step. - - If you are not logged into AWS, the system prompts you to. - -5. Enter your AWS login credentials. - - When your login succeeds, the browser displays the "Launch on EC2" page. - -6. Ensure that the "1-Click Launch" tab is selected. - -## Deploy the 1-Click Launch - -You can deploy a Trusted Registry to a private or public subnet. A private subnet provides added security but also prevents your Trusted Registry instance from being directly addressable on the internet. If you choose to deploy to a private subnet, you may need to access your Trusted Registry through a Bastion host or a management instance within your VPC. - -These instructions launch an EC2 instance into a public subnet with a public IP so that gaining access to it in the "Connecting to the Docker Trusted Registry Administration web interface" section is simplified. - -> **Note:** Deploying a Trusted Registry instance to an AWS Public Subnet will automatically assign it a Public IP and Public DNS. Remember that AWS Public IPs and Public DNS names change when an EC2 Instance is rebooted. 
If you want your Trusted Registry EC2 Instance to be directly accessible over the internet, you should assign it an Elastic IP. - - -The following steps walk you through the 1-Click Launch settings: - -1. From the "Software Pricing" box, select a "Subscription Term" and an "Applicable Instance Type." - - These two options contribute to the overall cost of running your choice of EC2 instance. The combination of these two fees make up the running costs of your EC2 instance, and are shown in the "Cost Estimator" box. Make sure you understand these costs before launching your instance. - - -2. Select the version you want to deploy from the list of available versions. - -3. Select the Region you want to deploy to from the "Region" dropdown menu. Remember you must have the appropriate permissions for the selected region. - -4. Select the VPC and Subnet you want to deploy to from the "VPC" and "Subnet" dropdown menus. - -5. From the Security Group box, select "Create new based on seller settings". - - ![](../images/aws-dtr-sg-rules.png) - - This option has security implications. It allows incoming connections to the listed ports from any host or IP address. You should lock this down in line with your existing AWS security policies. - -6. Select an existing or add a new key pair using the "Key Pair" box. - - If you choose to use an existing key pair, be sure to choose one that you have access to, as this cannot be changed after the instance is launched. If you do not have a key pair, then you need to create one which is associated to your region. - -7. Review your choices and check the values in the Cost Estimator. - - Changing your selected Region and VPC settings can cause your selected EC2 instance type to reset to the default value of "m3.2xlarge". - -8. If you are satisfied with your configuration and estimated charges, click "Launch with 1-Click". - -9. Go to the EC2 Dashboard to view your instance. 
- - If your instance has no name, it may be hard to find depending on the instance list. Use the Key Name and/or Launch Time columns to help you find your instance. Once found, you can select your instance and name it. - - -## Connect to the Docker Trusted Registry Administration web interface - -You administer your Trusted Registry server via the Administration web -interface. You can configure your own custom DNS names for your EC2 instance -using CNAME records and so forth. Or, you can use the default DNS names provided by -AWS. These instructions use the default DNS name provided by AWS. - -The DTR Administration web interface is exposed on port 443 (HTTPS) of -the EC2 instance. To connect to the DTR Administration web -interface: - -1. Log into the AWS Console. - -2. Go to the EC2 Dashboard. - -3. Choose the "Running Instances" option. - -4. Select the Trusted Registry EC2 instance. - -5. Select the "Description" tab. - -6. Locate the Public DNS or Public IP of the EC2 instance. - -7. Copy the Public DNS or Public IP into your browser's address bar and press `return`. - - > **Note:** Connecting to the DTR Administration web - interface may result in a certificate related browser warning. This is - expected behavior and you can bypass the warning. - - The interface prompts you for the username and password. - -8. Enter "admin" for the username. - -9. For the password, use the EC2 Instance ID. - - You'll find the Instance ID on the "Description" tab on the EC2 Dashboard as shown in the image below: - - ![](../images/aws-instance-id.png) - -## Configure the Docker Trusted Registry Service - -When you first login to the DTR Administration web interface you are prompted to configure the "Domain name" on the "General" tab of the "Settings" page. The Domain Name should be a fully qualified domain name that you have configured for your DTR service. Enter your desired domain name and click the "Save and restart" button at the bottom of the page. 
- -After the DTR server restarts, return to the DTR Administration web interface. The browser displays another certificate related browser warning. Changing the Domain Name property of your DTR server generates a new self-signed certificate. Again, this is expected behavior and you can bypass the warning. - -Log into the Trusted Registry and change the default password for the "admin" account from the "Auth" tab on the "Settings" page in the DTR Administration web interface. - -Your Docker Trusted Registry server is now ready for use. - -## Next steps - -For more information on using DTR, go to the -[User's Guide](https://docs.docker.com/docker-trusted-registry/userguide/). - -## See also - -* To configure for your environment, see -[configuration instructions](../configure/configuration.md). -* To use Docker Trusted Registry, see [the User guide](../userguide.md). -* To make administrative changes, see [the Admin guide](../adminguide.md). -* To see previous changes, see [the release notes](../release-notes.md). diff --git a/install/dtr-ami-byol-launch.md b/install/dtr-ami-byol-launch.md deleted file mode 100644 index 32735a3ad1..0000000000 --- a/install/dtr-ami-byol-launch.md +++ /dev/null 
@@ -1,185 +0,0 @@ -+++ -title = "Install Docker Subscription for AWS (BYOL))" -description = "Install Docker Subscription for AWS (BYOL)" -keywords = ["docker, documentation, about, technology, understanding, enterprise, hub, registry, AWS, Amazon, AMI"] -[menu.main] -parent="workw_dtr_install" -weight=-1 -+++ - -# Install Docker Subscription for AWS (BYOL) - -This article walks you through the process of launching the *Docker Subscription -for AWS (BYOL)* AMI as an EC2 instance in the Amazon Web Services (AWS) cloud. -The Trusted Registry installation includes a single instance of the commercially -supported Docker Engine. - -You can install additional instances of the commercially supported Docker Engine -either on premises or through AWS. For more information, see the [installation -overview](index.md) for Trusted Registry. - -The remainder of this document refers to the running instance of this AMI as a “Trusted Registry”. - -## Prerequisites - -You need the following to complete this guide: - -* An AWS account with permissions to launch EC2 Instances. -* A valid Docker subscription license. - -Contact your AWS administrator if your AWS account is provided by your company and you do not have permissions to launch EC2 Instances. - -If you do not have a valid Docker Subscription license the following options are available: - -- Use the *Docker Trusted Registry for AWS (Business Day Support)* AMI and the *Docker Engine for AWS (Business Day Support)* AMI, both of which include the cost of a Docker Subscription. -- Register for a [Free 30 Day Trial](https://hub.docker.com/enterprise/trial/). -- [Contact Docker](https://www.docker.com/contact) to obtain a quote for a Docker Subscription. - -# Install procedure - -These instructions show you how to locate, install, and launch a Trusted Registry using the *Docker Subscription for AWS (BYOL)* AMI from Amazon's AWS Marketplace. - -The AWS Marketplace allows you to do a "1-Click Launch" or "Manual Launch". 
- -The *Manual Launch* allows you to launch using the AWS EC2 Console. It allows for fine control of EC2 instance settings such as: - -- Instance type -- VPC settings -- Storage -- Instance tags -- Security Group settings - -The *1-Click Launch* is quicker, provides default values for most settings, and dynamically updates the Cost Estimator. This install shows you how to do a *1-Click Launch*. The entire process should take about 15 minutes to complete. - -## Locate the Docker Trusted Registry AMI - -1. If you haven't already done so, open your browser to the Amazon AWS Marketplace. - -2. Search the Marketplace for "Docker Subscription for AWS (BYOL)". - -3. Select the "Docker Subscription for AWS (BYOL)" AMI from the list of results. - - The Marketplace entry provides details on the product. - -4. Press "Continue" to move to the launch step. - - If you are not logged into AWS, the system prompts you to. - -5. Enter your AWS login credentials. - - When your login succeeds, the browser displays the "Launch on EC2" page. - -6. Make sure that the "1-Click Launch" tab is selected. - -## Deploy the 1-Click Launch - -You can deploy a Trusted Registry instance to a private or public subnet. A private subnet provides added security but also prevents your Trusted Registry instance from being directly addressable on the internet. If you choose to deploy to a private subnet, you may need to access your Trusted Registry via a Bastion host or a management instance within your VPC. - -These instructions launch a Trusted Registry on an EC2 instance in a public subnet with a public IP, so that gaining access to it in the "Connecting to the Docker Trusted Registry Administration web interface" section is simplified. - -> **Note:** Deploying a Trusted Registry instance to an AWS Public Subnet will automatically assign it a Public IP and Public DNS. Do not forget that AWS Public IPs and Public DNS names change when an EC2 Instance is rebooted. 
If you want your Trusted Registry EC2 Instance to be directly accessible over the internet you should assign it an Elastic IP. - -The following steps walk you through the 1-Click Launch settings: - -1. Select the version you want to deploy from the list of available versions. - -2. Select the Region you want to deploy to from the "Region" dropdown. - -3. Select the EC2 Instance type. - - Be sure to check the "Pricing Details" and "Cost Estimator" boxes when changing EC2 Instance types. - -3. Select the VPC and Subnet you want to deploy to from the "VPC" and "Subnet" dropdowns. - -4. From the Security Group box, select "Create new based on seller settings". - - ![](../images/aws-dtr-sg-rules.png) - - This option has security implications. It allows incoming connections to the listed ports from any host or IP address. You should lock this down in line with your existing AWS security policies.. - -5. Select an existing or add a new key pair using the "Key Pair" box. - - If you choose to use an existing key pair, be sure to choose one that you have access to, as this cannot be changed after the instance is launched. - -6. Review your choices and check the values in the Cost Estimator. - - Changing your selected Region and VPC settings can cause your selected EC2 Instance type to reset to the default value of "m3.2xlarge". - -7. If you are happy with your configuration and estimated charges, click "Launch with 1-Click". - -8. Go to the EC2 Dashboard to view your instance. - - -## Connect to the Docker Trusted Registry Administration web interface - -You administer your Trusted Registry server through the Administration web -interface (hereafter referred to as *Trusted Registry Administration web interface*). - -You can configure your own custom DNS names for your EC2 instance using CNAME -records and so forth. Or, you can use the default DNS names provided by AWS. -These instructions use the default DNS name provided by AWS. 
- -The Trusted Registry Administration web interface is exposed on port 443 (HTTPS) -of the EC2 instance. To connect to the Trusted Registry Administration web -interface: - -1. Log into the AWS Console. - -2. Go to the EC2 Dashboard. - -3. Choose the "Running Instances" option. - -4. Select the Trusted Registry EC2 instance. - -5. Select the "Description" tab. - -6. Locate the Public DNS or Public IP of the EC2 instance. - -7. Copy the Public DNS or Public IP into your browser's address bar and press `return`. - - > **Note:** Connecting to the Trusted Registry Administration web - interface may result in a certificate related browser warning. This is - expected behavior and you can bypass the warning. - - The interface prompts you for the username and password. - -8. Enter "admin" for the username. - -9. For the password, use the EC2 Instance ID. - - You'll find the Instance ID on the "Description" tab on the EC2 Dashboard as shown in the following image: - - ![](../images/aws-instance-id.png) - -## Configure the Docker Trusted Registry Service - -When you first log into the Trusted Registry Administration web interface, you are prompted to complete two configuration items: - -1. Configure the "Domain name" on the "General" tab of the "Settings" page. - - This should be a fully qualified domain name that you have configured for your Trusted Registry service. - - Enter your desired domain name and click the "Save and restart" button at the bottom of the page. - - After the Trusted Registry server restarts, return to the Trusted Registry Administration web interface. The browser displays another certificate related browser warning. Changing the Domain Name property of your Trusted Registry server generates a new self-signed certificate. Again, this is expected behavior and you can bypass the warning. - - Log back in to the Trusted Registry Administration web interface. - -2. License your copy of Docker Trusted Registry from the "License" tab of the "Settings" page. 
- - Your Docker Trusted Registry license file is available from Docker Hub. To download it, login to Docker Hub and click your username in the top right corner. Choose "Settings" and select the "Licenses" tab. Click the download button beneath your license. - - ![](../images/dtr-license-download.png) - - From the Docker Trusted Registry Administration web interface, select "Settings" and then "License". Under the "Apply a new license" heading select "Choose File". Select your downloaded license file and click "Save and restart". - -> **Note:** Restarting your Trusted Registry from the Trusted Registry Administration web interface, or as part of the above procedures, does not restart the EC2 instance. Therefore, the Public IP and Public DNS of the EC2 instance does not change. - -Log into the Trusted Registry Administration web interface and change the default password for the "admin" account. Navigate to Settings > Auth. - -Your Docker Trusted Registry server is now ready for use. - -## Next Steps - -For more information on using Trusted Registry, go to the -[User's Guide](https://docs.docker.com/docker-trusted-registry/userguide/). diff --git a/install/dtr-vhd-azure.md b/install/dtr-vhd-azure.md deleted file mode 100644 index a9efd60fa1..0000000000 --- a/install/dtr-vhd-azure.md +++ /dev/null 
@@ -1,209 +0,0 @@ -+++ -title = "Install on Microsoft Azure" -description = "Install Trusted Registry in Microsoft Azure (BYOL)" -keywords = ["docker, documentation, about, technology, understanding, enterprise, hub, registry, Azure, VHD, Microsoft"] -[menu.main] -parent="workw_dtr_install" -+++ - - -# Install Trusted Registry on Microsoft Azure (BYOL) - -This page explains how to install Docker Trusted Registry using a virtual hard -drive (VHD) in a Microsoft Azure environment. Azure is a cloud service which -means that you don't need to host the Trusted Registry your own hardware or -network. If you have not already done so, make sure you have first read the -[installation overview](index.md) for Trusted Registry. - -Before installing, you may want to read more information about running Docker with Microsoft. - - -## Prerequisites - -This installation requires that you "bring your own license" (BYOL). This means -you need to have a [free trial license or buy a license](../license.md) from -Docker to run Trusted Registry on an Azure server. A license is linked to a -Docker Hub account. The account can be a personal account or an account -associated with your organization. - -Additionally, installing requires a Microsoft Azure account with the -ability to launch new instances. These installation instructions do not -require you to modify security groups or networks in Azure. However, if you are installing for production, authority to modify such settings is recommended. - -You should be able to complete the installation in under thirty minutes. - -> **Note**: Microsoft may occasionally change the appearance of the Azure web -> interface. So, the interface may differ from what you see here but the -> overall process remains the same. - - -## Launch the Trusted Registry VHD - -1. Log into the Microsoft Azure portal. - - ![Azure portal](../images/azure_portal.png) - -2. Choose the + New option. - -3. Choose the Marketplace option. - -4. 
Search for `Docker Trusted Registry`. - - ![Azure filter](../images/azure_filter.png) - -5. Double click Docker Trusted Registry. - - The system prompts you to review information about the registry. - -6. Press Create. - - The system prompts you to enter basic configuration settings. - - ![Azure basics](../images/basic_configuration.png) - - For production, you should always choose to use an SSH public key. This - example uses a trial version of Azure, so Password authentication is - sufficient. - -7. Press OK on the the default Size, Settings, and Summary pages. - - If you were going into production, the size and storage of an instance would - depend on the load and configuration you were planning for. For this - example, the defaults are sufficient. - -8. When you reach the Buy page, press Purchase. - - The Docker Trusted Registry is a bring your own license (BYOL) purchase, so - the cost of the purchase is 0.00 USD. That is because you should get the - license through Docker. The use of the Azure instance is charged separately. - - After you press Purchase, Microsoft provisions your instance. Currently, the Azure VHD is an Ubuntu 14.04.3 LTS (GNU/Linux 3.16.0-49-generic x86_64) system. - -9. After the provisioning completes, copy the IP address of your instance. - - ![Azure basics](../images/azure_ip.png) - -10. In a terminal or through PuTTy, connect to your Trusted Registry instance. 
- - For example, to connect using SSH and a username/password, you'd do the following: - - $ ssh moxiegirl@40.117.88.185 - moxiegirl@40.117.88.185's password: - Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.16.0-49-generic x86_64) - * Documentation: https://help.ubuntu.com/ - System information as of Wed Nov 11 00:45:38 UTC 2015 - System load: 0.07 Processes: 287 - Usage of /: 12.1% of 28.80GB Users logged in: 0 - Memory usage: 4% IP address for eth0: 10.1.0.4 - Swap usage: 0% IP address for docker0: 172.17.42.1 - Graph this data and manage this system at: - https://landscape.canonical.com/ - Get cloud support with Ubuntu Advantage Cloud Guest: - http://www.ubuntu.com/business/services/cloud - - Last login: Wed Nov 11 00:45:38 2015 from docker.static.monkeybrains.net - -11. Check that the Trusted Registry containers are running on this host. - - $ sudo docker ps - sudo docker ps - CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES - 361856c46c1d docker/trusted-registry-nginx:1.3.3 "nginxWatcher" 7 weeks ago Up 24 minutes 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp docker_trusted_registry_load_balancer - 01d6c8204b8c docker/trusted-registry-admin-server:1.3.3 "server" 7 weeks ago Up 24 minutes 80/tcp docker_trusted_registry_admin_server - 5033f0a16a09 docker/trusted-registry-log-aggregator:1.3.3 "log-aggregator" 7 weeks ago Up 24 minutes docker_trusted_registry_log_aggregator - 63141333eab3 docker/trusted-registry-garant:1.3.3 "garant /config/gara 7 weeks ago Up 24 minutes docker_trusted_registry_auth_server - 47fb8f13038a postgres:9.4.1 "/docker-entrypoint. 7 weeks ago Up 24 minutes 5432/tcp docker_trusted_registry_postgres - -12. Enter the `https:///`` your browser's address bar to display the Trusted Registry Administrator interface. - - Your browser warns you that this is an unsafe site, with a self-signed, - untrusted certificate. At this point, this dialog is normal and expected; - allow this connection temporarily. 
- -# Set the Trusted Registry domain name - -At this point, the Docker Trusted Registry Administrator site should warn that -the Domain Name is not set. While you can use the public IP address that the portal created, you may find it more convenient to create a fully qualified domain name (FQDN). Refer to the Microsoft Azure documentation. - -1. Select Settings from the global nav bar at the top of the page. - -2. Set the Domain Name to the full host-name of your Docker Trusted Registry server. - -3. Click the Save and Restart Docker Trusted Registry Server button to generate a new certificate. - - The certificate is used by both the Docker Trusted Registry Administrator - web interface and the Docker Trusted Registry server. - -3. After the server restarts, allow the connection to the untrusted Docker Trusted Registry web admin site. - - You see a warning notification that this instance of Docker Trusted Registry - is unlicensed. You'll correct this in the next section. - -## Apply your license - -The Docker Trusted Registry services will not start until you apply your -license. To do that, you'll first download your license from the Docker Hub and -then upload it to your Docker Trusted Registry web admin server. Follow these -steps: - -1. If needed, log back into the [Docker Hub](https://hub.docker.com) - using the username you used when obtaining your license. - -2. Under your name, go to Settings to display the Account Settings page. - -3. Click the Licenses submenu to display the Licenses page. - - There is a list of available licenses. - -4. Click the download button to obtain the license file you want. - -5. Go to your Docker Trusted Registry instance in your browser. - -6. Click Settings in the global nav bar. - -7. Click License in the Settings nav bar. - -8. Click the Choose File button and navigate to your license file. - -9. Approve the selection to close the dialog and upload your file. - -10. Click the Save and restart button. 
- - Docker Trusted Registry quits and then restarts with the applied the license. - -11. Verify the acceptance of the license by confirming that the "Unlicensed -copy" warning is no longer present. - -## Secure the Trusted Registry - -Securing Docker Trusted Registry is **required**. You will not be able to push -or pull from Docker Trusted Registry until you secure it. - -There are several options and methods for securing Docker Trusted Registry. For -more information, see the [configuration -documentation](../configure/configuration.md#security). - -## Push and pull images - -Now that you have Docker Trusted Registry configured with a "Domain Name" and -have your client Docker daemons configured with the required security settings, -you can test your setup by following the instructions for [Using Docker Trusted -Registry to Push and pull images](../userguide.md). - -## Docker Trusted Registry web interface and registry authentication - -By default, there is no authentication set on either the Docker Trusted Registry -web admin interface or the Docker Trusted Registry. You can restrict access -using an in-Docker Trusted Registry configured set of users (and passwords), or -you can configure Docker Trusted Registry to use LDAP-based authentication. - -See [Docker Trusted Registry Authentication settings](../configure/configuration.md#authentication) for more details. - -## See also - -* [Upgrade information](upgrade.md) to upgrade either the Docker Trusted Registry or the commercially supported engine. -* [Install the CS Engine](install-csengine.md). -* To configure for your environment, see the [configuration instructions](../configure/configuration.md). -* To use Docker Trusted Registry, see the [User guide](../userguide.md). -* To make administrative changes, see the[Admin guide](../adminguide.md). -* To see previous changes, see [the release notes](../release-notes.md). 
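Review bot: Deleting install/dtr-vhd-azure.md removes two security statements that should not be lost in the reorganisation: "Securing Docker Trusted Registry is **required**" in the "Secure the Trusted Registry" section, and "By default, there is no authentication set on either the Docker Trusted Registry web admin interface or the Docker Trusted Registry" in the authentication section. Please confirm that the replacement installation pages carry both warnings, along with the pointers to configuration.md#security and configuration.md#authentication, before this page goes. The same check applies to step 6 of "Launch the Trusted Registry VHD", which says production installs should always use an SSH public key rather than password authentication, and to the instruction to accept the self-signed certificate only temporarily. If the new docs reuse any of this text, step 12 needs repair first (`https:///` has lost its host placeholder), and the numbered list under "Set the Trusted Registry domain name" has two items numbered 3.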
diff --git a/install/engine-ami-launch.md b/install/engine-ami-launch.md deleted file mode 100644 index 3dc551bdc2..0000000000 --- a/install/engine-ami-launch.md +++ /dev/null 
@@ -1,279 +0,0 @@ -+++ -title = "Install Docker Engine for AWS AMI (BDS)" -description = "Install Docker Engine for AWS AMI (BDS)" -keywords = ["docker, documentation, about, technology, understanding, enterprise, hub, registry, AWS, AMI, Amazon"] -[menu.main] -parent="workw_dtr_install" -+++ - -# Install Docker Engine for AWS AMI (BDS) - -This article walks you through the following steps to launch the *Docker Engine for AWS (Business Day Support)* AMI as an EC2 instance in the Amazon Web Services (AWS) cloud: - -1. Locate the *Docker Engine for AWS (Business Day Support)* AMI -2. Deploy with 1-Click Launch -3. Connect to the Docker Engine -4. Confirm the Docker Engine is running -5. Configure *Docker Engine for AWS* to use *Docker Trusted Registry for AWS* -6. Push a Docker image to your *Docker Trusted Registry for AWS* - -The *Docker Engine for AWS (Business Day Support)* AMI launches an instance of the commercially supported Docker Engine. Upgrading the Docker Engine to a non commercially supported version is not supported. This AMI requires the use of Docker Trusted Registry for AWS (Business Day Support) to maintain a supported configuration. - -To learn more about *Docker Engine for AWS* visit our [AWS Documentation](https://www.docker.com/aws). - -You can refer to the [overview](index.md) to see additional information on the general install process. - -## Prerequisites - -You can locate, install, and launch the AMI from the Amazon AWS Marketplace, or with the AWS EC2 Console by selecting the AMI from the "Launch Instance" dialog. Both the AWS Marketplace and the AWS EC2 Console require that you have an AWS account to launch the AMI. - -If your account is supplied through your company, your company's administrator must have given you permissions to launch EC2 instances. If you receive a permissions error when following these instructions, contact your AWS administrator for help. 
- - -# Install procedure - -These instructions show you how to locate, install, and launch the Docker Engine from Amazon's AWS Marketplace. The AWS Marketplace allows you to do a "1-Click Launch" or "Manual Launch". - -The *Manual Launch* allows you to launch using the AWS EC2 Console. It allows for fine control of EC2 instance settings such as: - -- Instance type -- VPC settings -- Storage -- Instance tags -- Security Group settings - -The *1-Click Launch* is quicker, provides default values for most settings, and dynamically updates the Cost Estimator. This install shows you how to do a *1-Click Launch*. The entire process should take about 20 minutes to complete. - - -## Locate the Docker Engine for AWS (Business Day Support) AMI - -1. If you haven't already done so, open your browser to the Amazon Marketplace. - -2. Search the Marketplace for "Docker Engine for AWS (Business Day Support)". - -3. Select the "Docker Engine for AWS (Business Day Support)" AMI from the list of results. - - The Marketplace entry provides details on the product. - -4. Press "Continue" to move to the launch step. - - If you are not logged into AWS, the system prompts you to. - -5. Enter your AWS login credentials. - - When your login succeeds, the browser displays the "Launch on EC2" page. - -6. Make sure that the "1-Click Launch" tab is selected. - - -## Deploy with 1-Click Launch - -You can deploy the Docker Engine AMI to an Instance in a private or public subnet. A private subnet provides added security but also prevents your Docker Engine instance from being directly addressable on the internet. If you choose to deploy to a private subnet, you may need to access your Docker Engine instance via a Bastion host or a management instance within your VPC. - -These instructions launch an EC2 instance into a public subnet with a public IP, so that gaining access to it in the "Connect to the Docker Engine" section is simplified. 
- -The following steps walk you through the 1-Click Launch settings: - -1. From the "Software Pricing" box, select a "Subscription Term" and an "Applicable Instance Type." - - These two options contribute to the overall cost of running your choice of EC2 instance. The combination of these two fees make up the running costs of your EC2 instance, and are shown in the "Cost Estimator" box. Make sure you understand these costs before launching your instance. - -2. Select the version you want to deploy from the list of available versions. - -3. Select the Region you want to deploy to from the "Region" dropdown. - -4. Select the VPC and Subnet you want to deploy to from the "VPC" and "Subnet" dropdowns. - -5. From the Security Group box, select "Create new based on seller settings". - - ![](../images/aws-engine-sg-rules.png) - - This option has security implications. It allows incoming connections to the listed ports from any host or IP address. You should lock this down in line with your existing AWS security policies. - -6. Select an existing or add a new key pair using the "Key Pair" box. - - If you choose to use an existing key pair, be sure to choose one that you have access to, as this cannot be changed after the instance is launched. - -7. Review your choices and check the values in the Cost Estimator. - - Changing your selected Region and VPC settings can cause your selected EC2 instance type to reset to the default value of "m3.medium". - -8. If you are happy with your configuration and estimated charges, click "Launch with 1-Click". - -9. Go to the EC2 Dashboard to view your instance. - - -## Connect to the Docker Engine - -You administer your Docker Engine using the `docker` command line tool. You can run the `docker` command line tool directly from your Docker Engine EC2 Instance, or remotely from another machine with network connectivity to your Docker Engine EC2 Instance. 
These instructions administer the Docker Engine directly from the Docker Engine EC2 Instance. - -To connect to the command line of your Docker Engine EC2 Instance: - -1. Log into the AWS Console. - -2. Go to the EC2 Dashboard. - -3. Choose the "Running Instances" option. - -4. Right-click your Docker Engine EC2 Instance and choose "Connect". - -5. Copy and paste the "Example:" command into a terminal window. - -6. Change the username from "root" to "ec2-user". - - After changing the username from "root" to "ec2-user", the command should look like the following: - - `$ ssh -i ec2-user@52.27.119.45` - - The will reflect the name of the key pair you launched the instance with and the IP address will match the IP of your Docker Engine EC2 Instance. - -7. Press `Return`. - - Connecting to the Docker Engine EC2 Instance will gnerate and authentication warning. This is expected behavior and you can continue. - - If you're connecting from a Windows machine, you'll need to have an SSH client installed and in your PATH variable. - -For more information about connecting to your Docker Engine EC2 Instance over SSH, right-click your EC2 Instance and choose "Connect". - - -## Confirm the Docker Engine is ready to use - -The Docker daemon is configured to automatically start with your Docker Engine EC2 Instance. - -Run the [`docker version`](https://docs.docker.com/reference/commandline/version) command from the command line of your Docker Engine EC2 Instance: - - $ sudo docker version - Client version: 1.6.2-cs5 - Client API version: 1.18 - Go version (client): go1.4.2 - Git commit (client): 9c454bd - OS/Arch (client): linux/amd64 - Server version: 1.6.2-cs5 - Server API version: 1.18 - Go version (server): go1.4.2 - Git commit (server): 9c454bd - OS/Arch (server): linux/amd64 - -If you get a "FATA[0000]" error for the server portion of the output, make sure you are using `sudo` at the beginning of the command. 
If you are using `sudo` and still get the error, check the status of the Docker service with the `sudo service docker status` command, and try restarting the service with the `sudo service docker restart` command. - - -## Configuring the Docker Engine to use Docker Trusted Registry - -This section of the guide walks you through the steps to configure *Docker Engine for AWS* to use *Docker Trusted Registry for AWS* as its image registry. - -This guide assumes you have a working version of *Docker Trusted Registry for AWS* running in your AWS VPC at "ec2-52-24-229-123.us-west-2.compute.amazonaws.com". You will need to substitute this value with the correct value for your environment for the remainder of this guide. - -For information on installing Docker Trusted Registry for AWS, see our [AWS Documentation](https://www.docker.com/aws). - -> **Note:** Docker Trusted Registry is only supported with the commercially supported Docker Engine. For more information see the [online compatibility matrix](https://www.docker.com/compatibility-maintenance). - - -1. Save the Domain name of your Docker Trusted Registry for AWS service to an environment variable: - - `$ export DOMAIN_NAME=ec2-52-24-229-123.us-west-2.compute.amazonaws.com` - - Don't forget to substitute the Domain name in the command above with the correct domain name in your environment. - -2. Retrieve the certificate from your Docker Trusted Registry server and store it locally on the Docker Engine for AWS EC2 Instance: - - `$ sudo openssl s_client -connect $DOMAIN_NAME:443 -showcerts /dev/null | openssl x509 -outform PEM | sudo tee /usr/local/share/ca-certificates/$DOMAIN_NAME.crt` - -3. Add the retrieved certificate as a trusted root: - - `$ sudo update-ca-certificates` - -4. Restart the Docker service: - - `$ sudo service docker restart` - -Your *Docker Engine for AWS* EC2 Instance is now configured to be able to push and pull images to your instance of *Docker Trusted Registry for AWS*. 
- -## Push a Docker image to your Docker Trusted Registry for AWS - -You push and pull images to Docker Trusted Registry using the normal [`docker push`](https://docs.docker.com/reference/commandline/push) and [`docker pull`](https://docs.docker.com/reference/commandline/pull) commands. - -The following steps walk you through the process of pulling an image from Docker Hub, pushing that same image to your Docker Trusted Registry, and then pulling it back from your Docker Trusted Registry. - -This guide assumes your Docker Trusted Registry is reachable at "ec2-52-24-229-123.us-west-2.compute.amazonaws.com". You will need to substitute this value with the DNS name of your own Docker Trusted Registry. All commands are ran from your *Docker Engine for AWS* EC2 Instance. - -1. Pull a Docker image from Docker Hub with the [`docker pull`](https://docs.docker.com/reference/commandline/pull) command: - - $ sudo docker pull busybox - latest: Pulling from busybox - cf2616975b4a: Pull complete - 79722f6accc3: Pull complete - 0f864637f229: Pull complete - busybox:latest: The image you are pulling has been verified. Important: image verification is a tech preview feature and should not be relied on to provide security. - Digest: sha256:c451012efb6e79b9cf93f48a326a195acfcdf01cadf4271d678d03e031c214d3 - Status: Downloaded newer image for busybox:latest - - -2. Verify the image is stored locally with the [`docker images`](https://docs.docker.com/reference/commandline/images) command: - - $ sudo docker images - REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE - busybox latest 0f864637f229 2 days ago 2.433 MB - - -3. 
Tag the image for storage in your Docker Trusted Registry using the [`docker tag`](https://docs.docker.com/reference/commandline/tag) command: - - `$ sudo docker tag 0f864637f229 ec2-52-24-229-123.us-west-2.compute.amazonaws.com/devops/busybox:0.1` - - This will tag the local busybox image (0f864637f229) so that it can be pushed to the "devops" repository in your Docker Trusted Registry at "ec2-52-24-229-123.us-west-2.compute.amazonaws.com". Don't forget to substitute the image ID (0f864637f229) and the domain anme of the Docker Trusted Registry with the appropriate values for your environment. - -4. Log in to the Docker Trusted Registry with the [`docker login`](https://docs.docker.com/reference/commandline/login) command: - - `$ sudo docker login ec2-52-24-229-123.us-west-2.compute.amazonaws.com` - - By default, Docker Trusted Registry requires you to login before you can push and pull images. It is recommended that you create user accounts with the appropriate permissions on the "Settings" > "Auth" tab in the Docker Trusted Registry Administration web interface. - -5. Push the local tagged BusyBox image to your Docker Trusted Registry with the [`docker push`](https://docs.docker.com/reference/commandline/push) command: - - $ sudo docker push ec2-52-24-229-123.us-west-2.compute.amazonaws.com/devops/busybox - The push refers to a repository [ec2-52-24-229-123.us-west-2.compute.amazonaws.com/devops/busybox] (len: 1) - 0f864637f229: Image already exists - 79722f6accc3: Image successfully pushed - cf2616975b4a: Image successfully pushed - Digest: sha256:06a01d4fc44fd4d3fb9fbb808e337822b2af3a97ca1ffdde7c0548eae33d3fec - -6. Delete the local copies of the "busybox" image from the Docker Engine EC2 Instance using the [`docker rmi`](https://docs.docker.com/reference/commandline/rmi) command: - - `$ sudo docker rmi -f 0f864637f229` - - You may need to run the command above command twice. 
The first time you run the command, it deletes the tagged image we created earlier with the `docker tag` command. The second time you run the command it deletes the image pulled from Docker Hub. - -7. Verify there are no local copies of the "busybox" image: - - $ sudo docker images - REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE - -8. Pull a copy of the busybox image from your Docker Trusted Registry: - - $ sudo docker pull ec2-52-24-229-123.us-west-2.compute.amazonaws.com/devops/busybox:0.1 - 0.1: Pulling from ec2-52-24-229-123.us-west-2.compute.amazonaws.com/devops/busybox - cf2616975b4a: Pull complete - 79722f6accc3: Pull complete - 0f864637f229: Already exists - Digest: sha256:06a01d4fc44fd4d3fb9fbb808e337822b2af3a97ca1ffdde7c0548eae33d3fec - Status: Downloaded newer image for ec2-52-24-229-123.us-west-2.compute.amazonaws.com/devops/busybox:0.1 - -9. Verify that the image is now stored locally: - - $ sudo docker images - REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE - ec2-52-24-229-123.us-west-2.compute.amazonaws.com/devops/busybox 0.1 0f864637f229 2 days ago 2.433 MB - - -You have now successfully deployed the *Docker Engine for AWS (Business Day Support)* AMI and configured it to work with *Docker Trusted Registry for AWS (Business Day Support)*. - -## Next step - -For more information on using Docker Engineer in AWS, go to the [AWS Documentation](https://www.docker.com/aws). - -## See also - -* To configure for your environment, see -[Configuration instructions](../configure/configuration.md). -* To use Docker Trusted Registry, see [the User guide](../userguide.md). -* To make administrative changes, see [the Admin guide](../adminguide.md). -* To see previous changes, see [the release notes](../release-notes.md). diff --git a/install/index.md b/install/index.md index fd72bf66e6..42f35af42c 100644 --- a/install/index.md +++ b/install/index.md @@ -1,3 +1,4 @@ + # Trusted Registry installation overview 
@@ -58,13 +61,3 @@ This section summarizes the process of installing Docker Trusted Registry. Remember, your support is based on your type of license. Each license has a single Trusted Registry and one or more CS engines. Your support for CS Engine installations is limited to the number of engines identified by your license. Docker Trusted Registry requires that you use the latest version of the commercially supported Docker Engine. This means that when you upgrade Trusted Registry, you must also upgrade to the latest CS Engine. - -## Where to go next - -* If you are installing on physical infrastructure or a cloud provider, first install the [commercially supported Docker Engine](install-csengine.md) and then go on to install [Trusted Registry](install-dtr.md). - -* If you are installing on AWS and would like to use a pre-built AMI and a license you purchased, see [bringing your own license (BYOL)](dtr-ami-byol-launch.md). - -* If you are installing on AWS and would like to use the subscription license, see the [pay as you go BDS installation](dtr-ami-bds-launch.md). - -* If you are installing on Microsoft Azure, see the [Install Trusted Registry on Microsoft Azure (BYOL)](dtr-vhd-azure.md). diff --git a/install/install-csengine.md b/install/install-csengine.md index 7567a79dbc..9a0ee21185 100644 --- a/install/install-csengine.md +++ b/install/install-csengine.md @@ -1,10 +1,14 @@ + # Manually Install the CS Docker Engine diff --git a/install/install-dtr-offline.md b/install/install-dtr-offline.md index 3fa8ec1261..383015a0a4 100644 --- a/install/install-dtr-offline.md +++ b/install/install-dtr-offline.md 
@@ -1,189 +1,52 @@ + -# Install the Trusted Registry offline +# Install DTR offline -This document describes the process of obtaining, installing, and securing -Docker Trusted Registry offline. Since your system is not connected to the internet, there will be no notifications regarding upgrading either the CS Engine or the Trusted Registry. You will also not be able to link from the Trusted Registry UI to our documentation except for the API documentation. Docker recommends that you contact customer support to obtain the latest information. +The procedure to install Docker Trusted Registry on a host is the same, +whether that host has access to the internet or not. -For more information about installing, read the -[installation overview](index.md) to understand your options. +The only difference when installing on an offline host, +is that instead of pulling the DTR images from Docker Hub, you use a +computer that is connected to the internet to download a single package with +all the images. Then you copy that package to the host where you’ll install DTR. -## Prerequisites +## Step 1. Get the DTR package -Docker Trusted Registry runs on the following 64-bit platforms: +Use a computer with internet access to download a single package with all DTR +images. As an example, to download UCP 2.0, run: -* Ubuntu 14.04 LTS -* RHEL 7.0 and 7.1 -* CentOS 7.1 -* SUSE Linux Enterprise 12 +```bash +$ wget https://packages.docker.com/dtr/2.0/dtr-2.0.0.tar +``` -Docker Trusted Registry requires the latest commercially supported Docker Engine (CS Engine), running on a supported host. +## Step 2. Copy the package +Now that you have the DTR package file, transfer it to the host where you want +to install Docker Trusted Registry. You can use the `scp` command for this. -The Docker daemon listens to the Unix socket (the default) so that it can be -bind-mounted into the Trusted Registry management containers. This allows -Trusted Registry to manage itself and its updates. 
For this reason, the host you -install on needs internet connectivity so it can access the updates. -Additionally, your host needs to have TCP ports `80` and `443` available for the -Docker Trusted Registry container port mapping. +```bash +$ scp ./dtr-2.0.0.tar user@dtr-host:/tmp +``` -Installing Trusted Registry requires that you have a login to Docker Hub (or the -user-name of an administrator of the Hub organization that obtained an -Enterprise license. If you already installed CS Engine, you should already have a [Hub account](https://hub.docker.com). +## Step 3. Load the DTR images -Also, you must have a license for Docker Trusted Registry. This license allows -you to run both Docker Trusted Registry and CS Engine. Before installing, -[purchase a license or sign up for a free, 30 day trial license](https://hub.docker.com/enterprise/). +Once the package is on the host where you want to install DTR, you can use +the `docker load` command, to load the images from the .tar file. +```bash +$ docker load < /tmp/dtr-2.0.0.tar +``` -## Install Docker Trusted Registry +## Step 4. Install DTR -Trusted Registry is a self-installing application built and distributed using -Docker and the [Docker Hub](https://hub.docker.com/). You install Docker Trusted -Registry by running the "docker/trusted-registry" container. Once installed, it -is able to restart and reconfigure itself using the Docker socket that is -bind-mounted to this container. - -1. Since you are retrieving a large file, use the `wget` command in your command line to get the Trusted Registry files. The following command is an example getting DTR 1.4.3. Ensure to get your correct version. - - `wget https://packages.docker.com/dtr/1.4/dtr-1.4.3.tar` - -2. After downloading, move the `tar` file to the offline machine you want to install the Trusted Registry. - -3. On that machine, verify that the CS Engine is installed. If it is not, see the [CS Engine install directions](install-csengine.md). 
- - `$ docker --version` - - > **Note:** To remain compliant with your Docker Trusted Registry support agreement, you **must** use the current version of commercially supported Docker Engine. Running the open source version of Engine is **not** supported. - -5. Open a terminal window on that machine and load the `tar` file using the following command. Again, ensure you get the correct version. - - `$ sudo docker load < dtr-1.4.3.tar` - -6. Install the Trusted Registry with the following command: - - `$ sudo bash -c "$(sudo docker run docker/trusted-registry install)"` - - - > **Note**: `sudo` is needed for `docker/trusted-registry` commands to - > ensure that the Bash script is run with full access to the Docker host. - - The command runs the registry's containers from the images you loaded in the previous step. You will know that you successfully installed by the following in part: - - Image is up to date for docker/trusted-registry:1.4.3 - - - ``` - Checking for required image: docker/trusted-registry-distribution:v2.2.1 - Checking for required image: postgres:9.4.1 - ... - INFO [1.4.3-003501_g657863b] Attempting to connect to docker engine dockerHost="unix:///var/run/docker.sock" - INFO [1.4.3-003501_g657863b] Running install command - INFO [1.4.3-003501_g657863b] Running pull command - INFO [1.4.3-003501_g657863b] Using links? false - INFO [1.4.3-003501_g657863b] DTR Network created - Bringing up docker_trusted_registry_postgres. - Creating container docker_trusted_registry_postgres with docker daemon unix:///var/run/docker.sock - Starting container docker_trusted_registry_postgres with docker daemon unix:///var/run/docker.sock - ... - Bringing up docker_trusted_registry_log_aggregator. - Creating container docker_trusted_registry_log_aggregator with docker daemon unix:///var/run/docker.sock - Starting container docker_trusted_registry_log_aggregator with docker daemon unix:///var/run/docker.sock - Bringing up docker_trusted_registry_auth_server. 
- Creating container docker_trusted_registry_auth_server with docker daemon unix:///var/run/docker.sock - Starting container docker_trusted_registry_auth_server with docker daemon unix:///var/run/docker.sock - Bringing up docker_trusted_registry_postgres. - Creating container docker_trusted_registry_postgres with docker daemon unix:///var/run/docker.sock - Container already exists for daemon at unix:///var/run/docker.sock: docker_trusted_registry_postgres - Starting container docker_trusted_registry_postgres with docker daemon unix:///var/run/docker.sock - Container docker_trusted_registry_postgres is already running for daemon at unix:///var/run/docker.sock - ``` - -5. Use `docker ps` to list all the running containers. - - The listing should show the following were started: - - * `docker_trusted_registry_load_balancer` - * `docker_trusted_registry_image_storage_0` - * `docker_trusted_registry_image_storage_1` - * `docker_trusted_registry_admin_server` - * `docker_trusted_registry_log_aggregator` - * `docker_trusted_registry_auth_server` - * `docker_trusted_registry_postgres` - -6. Enter the `https:///` your browser's address bar to run the Trusted Registry interface. - - Your browser warns you that this is an unsafe site, with a self-signed, - untrusted certificate. This is normal and expected; allow this connection - temporarily. - - -## Set the Trusted Registry domain name - -The Docker Trusted Registry Administrator site will also warn that the "Domain Name" is not set. - -1. Select "Settings" from the global nav bar at the top of the page, and then set the "Domain Name" to the full host-name of your Docker Trusted Registry server. - -2. Click the "Save and Restart Docker Trusted Registry Server" button to generate a new certificate, which will be used -by both the Docker Trusted Registry Administrator web interface and the Docker Trusted Registry server. - -3. 
After the server restarts, you will again need to allow the connection to the untrusted Docker Trusted Registry web admin site. - -4. You see a warning notification that this instance of Docker Trusted Registry is unlicensed. You'll correct this in the next section. - -## Apply your license - -The Docker Trusted Registry services will not start until you apply your license. -To do that, you'll first download your license from the Docker Hub and then -upload it to your Docker Trusted Registry web admin server. Follow these steps: - -1. If needed, log back into the [Docker Hub](https://hub.docker.com) - using the user-name you used when obtaining your license. Under your name, go to Settings to display the Account Settings page. Click the Licenses submenu to display the Licenses page. - -2. There is a list of available licenses. Click the download button to - obtain the license file you want. - -3. Go to your Docker Trusted Registry instance in your browser, click Settings in the global nav bar. Click License in the Settings nav bar. Click the Choose File button. It opens a standard file browser. Locate and select the license file you downloaded in the previous step. Approve the selection to close the dialog. - -4. Click Save and restart. Docker Trusted Registry quits and then restarts with the applied the license. - -5. Verify the acceptance of the license by confirming that the "Unlicensed copy" - warning is no longer present. - -## Secure the Trusted Registry - -Securing Docker Trusted Registry is **required**. You will not be able to push -or pull from Docker Trusted Registry until you secure it. - -There are several options and methods for securing Docker Trusted Registry. For -more information, see the [configuration documentation](../configure/config-security.md) - -## Push and pull images - -You have your Trusted Registry configured with a "Domain Name" and your -client Docker daemons configured with the required security settings. 
But -before you can test your setup by pushing an image, you need to create a repository first. Follow the instructions for [Using Docker -Trusted Registry to Push and pull images](../userguide.md) to create a repository and to push and pull images. - -## Docker Trusted Registry web interface and registry authentication - -By default, there is no authentication set on either the Docker Trusted Registry -web admin interface or the Docker Trusted Registry. You can restrict access -using an in-Docker Trusted Registry configured set of users (and passwords), or -you can configure Docker Trusted Registry to use LDAP based authentication. - -See [Docker Trusted Registry Authentication settings](../configure/config-auth.md) for more details. - -## See also - -* To configure for your environment, see the -[configuration instructions](../configure/configuration.md). -* To use Docker Trusted Registry, see [the User guide](../userguide.md). -* To make administrative changes, see [the Admin guide](../adminguide.md). -* To see previous changes, see [the release notes](../release-notes.md). +Now that the offline host has all the images needed to install UCP, +you can [install DTR that machine](install-dtr.md). diff --git a/install/install-dtr.md b/install/install-dtr.md index 9145b6e0f5..4888e88427 100644 --- a/install/install-dtr.md +++ b/install/install-dtr.md @@ -1,13 +1,19 @@ + -# Manually install Trusted Registry +# Install Docker Trusted Registry This document describes the process of obtaining, installing, and securing Docker Trusted Registry. You can use these instructions if you are installing Trusted Registry on a physical or cloud infrastructure. 
@@ -166,8 +172,10 @@ more information, see the [configuration documentation](../configure/configurati You have your Trusted Registry configured with a "Domain Name" and your client Docker daemons configured with the required security settings. But -before you can test your setup by pushing an image, you need to create a repository first. Follow the instructions for [Using Docker -Trusted Registry to Push and pull images](../userguide.md) to create a repository and to push and pull images. +before you can test your setup by pushing an image, you need to create a +repository first. Follow the instructions for +[Using Docker Trusted Registry to Push and pull images](../repos-and-images/push-and-pull-images.md) +to create a repository and to push and pull images. ## Docker Trusted Registry web interface and registry authentication @@ -180,8 +188,5 @@ See [Docker Trusted Registry Authentication settings](../configure/configuration ## See also -* To configure for your environment, see the -[configuration instructions](../configure/configuration.md). -* To use Docker Trusted Registry, see [the User guide](../userguide.md). -* To make administrative changes, see [the Admin guide](../adminguide.md). -* To see previous changes, see [the release notes](../release-notes.md). +* [Install DTR offline](install-dtr-offline.md) +* [Install CS Docker Engine](install-csengine.md) diff --git a/install/installAWS.md b/install/installAWS.md deleted file mode 100644 index 6af20041b7..0000000000 --- a/install/installAWS.md +++ /dev/null 
@@ -1,271 +0,0 @@ -+++ -draft="true" -title = "Install AWS" -description = "Install Trusted Registry in Amazon Web Services (BYOL)" -keywords = ["docker, documentation, about, technology, understanding, enterprise, hub, registry, AWS, AMI, Amazon"] -[menu.main] -parent="workw_dtr_install" -+++ - - -# Install Docker Trusted Registry in Amazon Web Services (Bring your own license) - -Use this Quick Start guide to install and use the Docker Trusted Registry AMI in an Amazon Web Services Virtual Private Cloud (AWS-VPC) environment. -The benefit to this is that you don't need to host on your servers or get and install the appropriate operating system. If you have not already done so, make sure you have first read the [installation -overview](index.md) for Trusted Registry. - -This AMI is a "bring your own license" or "BYOL" model. This means you need to -obtain the license keys from Docker to install and configure. Specifically, this -guide demonstrates the process of installing Docker Trusted Registry through an -Amazon Machine Image (AMI), performing basic configuration, and then accessing -images on the Docker Trusted Registry server from within your AWS VPC. - - -In this guide, you will perform the following: - -1. Launch the Docker Trusted Registry (BYOL) EC2 Host in AWS https://aws.amazon.com/marketplace/pp/B014VG1PEI/ref=sp_mpg_product_title?ie=UTF8&sr=0-3. -2. Configure the AWS components. -3. Connect to the Docker Trusted Registry EC2 Host. -4. Manage Docker Trusted Registry via the web administration interface. -5. Complete a Docker image workflow (push and pull images). - -This guide refers to two major components of a Docker Trusted Registry implementation in AWS: - -* The "Docker Trusted Registry EC2 Host". This is the Linux VM running in AWS that hosts the containers required to run Docker Trusted Registry Service. - -* The "Docker Trusted Registry Service". This is the private Docker Registry service that runs on the Docker Trusted Registry EC2 Host. 
- -You should be able to complete this guide in about thirty minutes. - -> **Note**: Amazon may occasionally change the appearance of the AWS web -> interface. This mean the AWS web interface may differ from this guide, but the -> overall process remains the same. - -## Prerequisites - -To perform the install, you'll need: - -* The Docker Hub user-name and password used to obtain the Docker Subscription licenses. -* A Docker Trusted Registry license key. Either a purchased license or a trial license works. -* A commercially supported Docker Engine running within AWS. -* An AWS account with the ability to launch EC2 instances. -* The ability to modify Security Groups and Network ACLs in your AWS VPC. -* Familiarity with how to manage resources in an AWS VPC. - -## Launching the Docker Trusted Registry EC2 Host in AWS - -First, retrieve a copy of the Docker Trusted Registry AMI from the AWS Marketplace. Do this by launching a new EC2 instance from your “EC2 Dashboard” by clicking the blue “Launch Instance” button. - -Choose “AWS Marketplace” from the resulting screen, and type "Docker Trusted Registry" into the “Search AWS Marketplace Products” search box. - -> **Note**: Currently, the Docker Trusted Registry AMI is only available for Ubuntu 14.04 LTS. - -Select the Docker Trusted Registry AMI you wish to retrieve, and then select the instance-type based on your requirements. Then choose the option “Next: Configure Instance Details”. - -At this point, you must configure the Docker Trusted Registry EC2 Host according to the requirements of your particular environment. When doing so, consider: - -* If you want your Docker Trusted Registry EC2 Host to be accessible from the internet, you will need to assign it an Elastic IP or a Public IP. -* You may also want to Tag the Docker Trusted Registry instance with a meaningful name. - -The Docker Trusted Registry EC2 Host is managed over SSH, whereas the Docker Trusted Registry Service is managed over HTTPS. 
When launching the AMI for the first time, the wizard will prompt you to create a new “Security Group” with rules that allow SSH, HTTP, and HTTPS already created. - -> **Note**: Make sure that you are launching your Docker Trusted Registry EC2 Host in the correct -> Region, VPC, and subnet. - -When satisfied with your Docker Trusted Registry EC2 Host's configuration details, click Launch. - -You will now be prompted to associate the Docker Trusted Registry EC2 Host with a key pair. If you already have a key pair you would like to use, select it from the drop-down list of available key pairs and check the "Acknowledge" check-box. This will enable the Launch Instances button. - -If you do not have an existing key pair, choose Create a new key pair from the first drop-down list, give the key pair a meaningful name, and click the Download Key Pair button. This enables the Launch Instances button. - -When creating a new key pair, clicking the “Download Key Pair” button initiates a one-time operation that creates the key pair. Ensure you keep the downloaded key pair in a safe place as you will not be able to download it again. - -Next, click the Launch Instances button. - -Your Docker Trusted Registry EC2 Host starts. You can view its status on the “Instances” page of your “EC2 Dashboard”. It may take a minute or two for your Docker Trusted Registry EC2 Host to reach the running state. - -## Configuring AWS Components - -Now that you have a Docker Trusted Registry EC2 Host up and running, you'll customize it to integrate with your infrastructure. - -Start by configuring your AWS VPC to allow SSH and HTTP/HTTPS traffic to your Docker Trusted Registry EC2 Host. 
- -### Allowing SSH and HTTP/HTTPS access to your Docker Trusted Registry instance - -There are two places where you need to enable SSH and HTTP/HTTPS traffic: - -* All Security Groups associated with your Docker Trusted Registry EC2 Host -* The Network ACL associated with the subnet in which your Docker Trusted Registry EC2 Host is running - -#### Security Group configuration - -> **Note**: If you configured the Security Group associated with your Docker Trusted Registry EC2 -> Host to allow SSH and HTTP/HTTPS traffic when creating the instance, you can -> skip ahead to the next section and configure the Network ACL. - -All Security Groups associated with your Docker Trusted Registry instance will need to allow SSH and HTTP/HTTPS traffic. -To ensure this, select your Docker Trusted Registry EC2 Host in your “EC2 dashboard” and click “view rules” from the “Description” tab as shown below. Three rules – allowing TCP ports 22, 80, and 443 – need to be present. - -Any rule with a Source of "0.0.0.0/0" will allow any host from any network to connect over that protocol. This works but is not secure. For improved security, you should specify the IP address, or the network, that your management hosts are on. - -#### Network ACL configuration - -The Network ACL associated with the subnet where your Docker Trusted Registry EC2 Host is running needs to allow inbound SSH and HTTP/HTTPS traffic. - -To ensure this, go to your “VPC Dashboard” and select the subnet that your Docker Trusted Registry EC2 Host is running in from the list of available subnets. Then select the “Network ACL” tab. Three rules (allowing TCP ports 22, 80, and 443) need to be present in the “Inbound” section. These rules must appear above the default “DENY” rule. - -> **Note**: An ALLOW rule allowing “All Traffic” on “ALL” protocols, on “ALL” -> ports will allow the necessary SSH and HTTP/HTTPS traffic. However, it is more -> secure to create specific rules that only allow specific traffic types. 
- -If you have not given your subnets meaningful names, you may need to obtain the “Subnet ID” in which your Docker Trusted Registry EC2 Host is running. You’ll find it on the “Instance” pane of the your “EC2 Dashboard”. From here you can select your Docker Trusted Registry EC2 Host and obtain its Subnet ID from the “Description” tab. Make a note of the Subnet ID and use it to locate the correct Subnet ID from the “VPC Dashboard”. - -You must also make sure that appropriate outbound rules exist in the Network ACL. Commonly, outbound Network ACL rules allow all traffic. However, if your network security policy does not allow this, you will need to create rules that conform to your policy. - -## Connecting to the Docker Trusted Registry EC2 Host - -Now that you have configured Security Group and Network ACL rules, you can connect to the Docker Trusted Registry EC2 Host over SSH using the key pair associated with the instance and your “ec2-user” username. Beyond this, the Docker Trusted Registry AMI does not require any manual configuration in order to work for this quick start guide, so we won't be discussing further configuration of the Docker Trusted Registry EC2 Host. - -When connecting to the Docker Trusted Registry EC2 Host, you will need its DNS name or IP address. This information can be obtained from the “Description” tab of your Docker Trusted Registry EC2 Host in your “EC2 Dashboard”. EC2 instances can have the following IP addresses: - -* Private IP (accessible only from within your AWS VPC, as well as from networks connected to your VPC) -* Public IP (accessible from the internet, but will change when the Docker Trusted Registry EC2 Host is rebooted) -* Elastic IP (accessible from the internet and will not change when the Docker Trusted Registry EC2 Host is rebooted) - -If you want to manage your Docker Trusted Registry instance from within your AWS VPC, choose the Private DNS or Private IP address. 
- -If you want to manage your Docker Trusted Registry instance over the internet, choose its Public DNS, Elastic IP, or Public IP address. - -## Managing the Docker Trusted Registry Service via the Administration web interface - -You can now manage the Docker Trusted Registry Service via its Administration web interface over HTTPS. To connect, open a web browser and connect to the DNS name or IP address of your Docker Trusted Registry EC2 Host. - -> **Note**: Connecting to the Docker Trusted Registry Service Administration web interface using the default, self-signed certificate will result in a browser warning. This is expected behavior, you can ignore the warning. - -Ensure to connect using the correct DNS name or IP address. For example, if connecting from within AWS, use the Private DNS or Private IP. If connecting from over the internet, use the Public DNS, Public IP, or Elastic IP. - -> **Note**: By default, traffic to port 80 and 443 of your Docker Trusted Registry EC2 Host is -> automatically redirected to the Docker Trusted Registry Service Administration web -> interface. - -You can perform most Docker Trusted Registry management tasks, including updating Docker Trusted Registry, from the Docker Trusted Registry Administration web interface. But first, two initial tasks must be completed: - -1. Configure the Domain Name of your Docker Trusted Registry server -2. License your Docker Trusted Registry server - -To configure the Domain Name, click “Settings” > “HTTP”, and enter the DNS name of your Docker Trusted Registry server in the text box titled “Domain Name”. In order to use the Docker Trusted Registry Service to push and pull Docker images from within AWS, you will want to use the AWS Private DNS name. - -After configuring the Domain Name, restart Docker Trusted Registry by clicking the “Save and Restart Docker Trusted Registry Server” button. 
- -> **Note**: Changing the Domain Name property of your Docker Trusted Registry server will generate a -> new self-signed certificate that is used by the Docker Trusted Registry Administration web -> interface and the Docker Trusted Registry server. Therefore, you will receive another certificate -> warning the first time you connect to the Docker Trusted Registry Administration web interface -> after changing its Domain Name. This is expected behavior, you can ignore the > warning. - -To apply the license to your Docker Trusted Registry Service, click “Settings” > “License” and then click “Upload License”. Your license will normally be available for download from your Docker Hub account under “Settings” > “Enterprise Licenses”. - -Once your license is uploaded, restart Docker Trusted Registry by clicking the “Save and Restart Docker Trusted Registry Server” button. This completes the basic configuration of Docker Trusted Registry. You can now start using it as an image Registry. - -## Docker Image Workflow - -This section will walk you through the process of pushing and pulling images to and from your Docker Trusted Registry server from another EC2 instance within your AWS VPC, from a peer VPC, or from a remote location connected via VPN. As such, this guide will use the Private DNS name of the Docker Trusted Registry EC2 Host when tagging and pushing the image. - -To complete this section you will need two EC2 instances: - -1. The Docker Trusted Registry EC2 Host you have already built and configured -2. A Docker client EC2 instance running commercially supported versions of [Docker Engine](https://www.docker.com/compatibility-maintenance) with at least one image stored locally. - -The instructions in this section of the guide will assume the Docker client has a local Docker image called "jenkins", and that the Docker Trusted Registry Service has the following DNS name "ip-10-0-0-117.us-west-2.compute.internal". 
Your image name and DNS name for your Docker Trusted Registry Service will be different, so you will need to replace these values with the appropriate values for your environment. - -> **Note**: Push and pull traffic to a Docker Trusted Registry Service is encrypted using -> SSL certificates. By default, Docker Trusted Registry installs with a self-signed certificate -> which you will need to either: (a) configure your Docker hosts to trust, or -> (b) configure your Docker hosts to ignore by using the `--insecure-registry` -> flag. Alternatively, you can generate and use your own SSL certificates. - -### Pushing an image to Docker Trusted Registry Service - -From the command line of the Docker client, run the following: - -``` -docker images - REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE - jenkins latest 4704aa632ce7 12 days ago 887.1 MB - -``` - -> **Note**: Depending on your configuration, you may need to prefix your Docker commands with `sudo`. - -You will now tag the local Jenkins image to associate it with a repo in your newly built Docker Trusted Registry server. To do this, type the following: -`docker tag jenkins ip-10-0-0-117.us-west-2.compute.internal/ci-infrastructure/jnkns-img` - -This will tag a version of the local Jenkins image so that it can be stored in the "ip-10-0-0-117.us-2.compute.internal" registry in a repository called "ci-infrastructure" with the name "jnkns-img". - -Run the `docker images` command again to verify the tag operation succeeded. If it did, you will see an additional tagged image associated with the repository used in the previous docker tag command. 
- -``` -docker images -REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE -jenkins latest 4704aa632ce7 2 days ago 887.1 MB -ip-10-0-0-117.us-west-2.compute.internal/ci-infrastructure/jnkns-img latest 4704aa632ce7 2 days ago 887.1 MB - -``` - -Now that the image is tagged, it can be pushed to Docker Trusted Registry with the following command: - -``` - -docker push ip-10-0-0-117.us-west-2.compute.internal/ci-infrastructure/jnkns-img -The push refers to a repository [ip-10-0-0-117.us-west-2.compute.internal/ci-infrastructure/jnkns-img] (len: 1) -4704aa632ce7: Image already exists -77f96086063d: Image successfully pushed -841f40a9f341: Image successfully pushed -8768f04b3a96: Image successfully pushed -fcd8dccdd336: Image successfully pushed -0087c04f8fb6: Image successfully pushed -5cb564bdbf98: Image successfully pushed - -Digest: sha256:1bf8c96ca484290178064e448ea69a55caa52f53ea7e279ff66f5c66625aff43 - -``` - -From the “System Health" page of the Docker Trusted Registry Administration web interface, you can view stats from your Docker Trusted Registry Service, including network throughput. The image below shows spikes in network throughput (related to the image_storage_1 image store) generated while the image was being pushed. - -Your tagged image is now stored in the Docker Trusted Registry. - -### Pulling an image from your Docker Trusted Registry Service - -Now that your image is stored in your Docker Trusted Registry, you can pull that image from any supported Docker host that has access to the Registry. 
- -From a Docker Host that has access to the Docker Trusted Registry server, run the following to pull the image locally: - -``` -docker pull ip-10-0-0-117.us-west-2.compute.internal/ci-infrastructure/jnkns-img -latest: Pulling from ip-10-0-0-117.us-west-2.compute.internal/ci-infrastructure/jnkns-img -64e5325c0d9d: Extracting [=======> ] 7.864 MB/51.36 MB -bf84c1d84a8f: Download complete -87de57de6955: Download complete -6a974bea7c0d: Download complete -06c293acac6e: Download complete -b8a058108e9e: Download complete -9aa09af53eee: Download complete -a0513c939a75: Download complete -f509350ab0be: Download complete -b0b7b9978dda: Download complete -6a0b67c37920: Downloading [===============> ] 63.41 MB/199.1 MB -1f80eb0f8128: Download complete -1d1aa175e120: Download complete - -Digest: sha256:1bf8c96ca484290178064e448ea69a55caa52f53ea7e279ff66f5c66625aff43 -Status: Downloaded newer image for ip-10-0-0-117.us-west-2.compute.internal/ci-infrastructure/jnkns-img:latest - -``` - -Finally, run `docker images` again to verify that the image has been successfully pulled and stored locally: - -``` -docker images -REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE -ip-10-0-0-117.us-west-2.compute.internal/ci-infrastructure/jnkns-img latest 4704aa632ce7 2 days ago 887.1 MB -``` diff --git a/install/license.md b/install/license.md new file mode 100644 index 0000000000..e371e9d510 --- /dev/null +++ b/install/license.md 
@@ -0,0 +1,38 @@ + + + +# License DTR + +After installing Docker Trusted Registry, you need to license your installation. +If you just want to try DTR, you can +[get a trial license](https://www.docker.com/pricing). + + +## Download your license + +When your license is issued, you can download it on Docker Hub. On Docker Hub, +navigate to your profile settings. Then click the +[Licenses tab](https://hub.docker.com/account/licenses/). + +![](../images/get-license-2.png) + + +## License your installation + +Once you've downloaded the license file, you can apply it to your DTR +installation. On your browser, navigate to DTR, and then go to the **settings +page**. + + + +**Upload the new license**, and click **save** for the changes to take effect. diff --git a/install/system-requirements.md b/install/system-requirements.md new file mode 100644 index 0000000000..297ea3f42a --- /dev/null +++ b/install/system-requirements.md 
@@ -0,0 +1,51 @@ + + + +# DTR system requirements + +Docker Trusted Registry can be installed on-premises or on the cloud. +Before installing, be sure your infrastructure has these requirements. + +## Software requirements + +To install DTR, all nodes must have: + + + +* One of the supported operating systems installed: + * RHEL 7.0, 7.1 + * Ubuntu 14.04 LTS + * CentOS 7.1 + * SUSE Linux Enterprise 12 +* Linux kernel version 3.10 or higher +* CS Docker Engine version 1.10 or higher +* Docker Universal Control Plane 1.1 or higher + + +## Ports used + +When installing DTR on a host, make sure the following ports are open: + +| Direction | Port | Purpose | +|:---------:|:-----|:---------------------------------------------------------------------------------| +| in | 80 | Web app and API client access to DTR. | +| in | 443 | Web app and API client access to DTR. | +| out | 443 | Check if new versions are available, and send anonymous usage reports to Docker. | + +DTR collects anonymous usage metrics, to help us improve it. These metrics +are entirely anonymous, don’t identify your company, users, applications, +or any other sensitive information. You can disable this on the DTR settings +page. diff --git a/install/uninstall.md b/install/uninstall.md new file mode 100644 index 0000000000..03d9b89827 --- /dev/null +++ b/install/uninstall.md @@ -0,0 +1,13 @@ + + +# Uninstall Docker Trusted Registry diff --git a/install/upgrade.md b/install/upgrade.md index c1b507b4e5..4346f44a71 100644 --- a/install/upgrade.md +++ b/install/upgrade.md @@ -1,10 +1,14 @@ + # Upgrade the Trusted Registry and the CS Engine 
@@ -421,9 +425,5 @@ steps depending on your type of system. ## See also -* To configure for your environment, see the -[configuration instructions](../configure/configuration.md). -* To use Docker Trusted Registry, see [the User guide](../userguide.md). -* See [installing the CS Engine](install-csengine.md). -* To make administrative changes, see [the Admin guide](../adminguide.md). -* To see previous changes, go to the [release notes](../release-notes.md). +* [Install DTR](install-dtr.md) +* [Install DTR offline](install-dtr-offline.md) diff --git a/license.md b/license.md deleted file mode 100644 index 6d8a96a870..0000000000 --- a/license.md +++ /dev/null 
@@ -1,43 +0,0 @@ - -+++ -title = "Trusted Registry License" -description = "Trusted Registry License" -keywords = ["docker, documentation, about, technology, hub, registry, license, enterprise, CS engine script"] -[menu.main] -parent="workw_dtr" -weight=90 -+++ - - -# Licensing - -To run Docker Trusted Registry, you need a Docker license, obtained either by -purchasing Docker Trusted Registry, acquiring a trial license, or through an AWS -hourly subscription. If you a purchase a license or you have a trial license, it is associated with your free Docker Hub account or Docker Hub organization. - -## Get your Trusted Registry License - -1. Go to the [Docker Subscription page](https://hub.docker.com/enterprise/) and select an edition. After completing a brief registration process, follow the steps to acquire it. - - You may need to disable any pop-up blocker installed on your browser in order to complete the download. - -2. After acquiring your license, view or download it by logging in to -Docker Hub, going to your account settings (gear icon at upper right), and -selecting ["Licenses"](https://hub.docker.com/account/licenses/) from the -top nav bar. Download the license by clicking the cloud icon. - -The Licenses page displays your currently available licenses and if you selected the trial license, it also keeps track of how many trial days are remaining. - -When installing Docker Trusted Registry, you must first obtain your license, then apply it. - -## Apply your license - -![Settings page](images/admin-settings-license2.png) - -Use the Trusted Registry dashboard (Settings > License) to enter your license ID or apply for a new license. - -## See also - -* To continue to configure for your environment, see the overview -[configuration instructions](configure/configuration.md). -* To use Docker Trusted Registry, see the [User guide](userguide.md). 
diff --git a/monitor-troubleshoot/index.md b/monitor-troubleshoot/index.md new file mode 100644 index 0000000000..fcf83d4550 --- /dev/null +++ b/monitor-troubleshoot/index.md @@ -0,0 +1,11 @@ + diff --git a/monitor-troubleshoot/monitor.md b/monitor-troubleshoot/monitor.md new file mode 100644 index 0000000000..c7f59964fb --- /dev/null +++ b/monitor-troubleshoot/monitor.md @@ -0,0 +1,34 @@ + + +# Monitor DTR + +Docker Trusted Registry is a Dockerized application. To monitor it, you can +use the same tools and techniques you're already using to monitor other +containerized applications. One way to monitor DTR is using the monitoring +capabilities of Docker Universal Control Plane. + +In your browser, log in to **Docker Universal Control Plane** (UCP), and +navigate to the **Applications** page. + + + +To make it easier to find DTR, use the search box to **search for the +DTR application**. If you have DTR set up for high-availability, then all the +DTR nodes are displayed. + + + +**Click on the DTR application** to see all of its containers, and if they're +running. **Click on a container** to see its details, like configurations, +resources, and logs. + + diff --git a/monitor-troubleshoot/troubleshoot.md b/monitor-troubleshoot/troubleshoot.md new file mode 100644 index 0000000000..b910ec0484 --- /dev/null +++ b/monitor-troubleshoot/troubleshoot.md 
@@ -0,0 +1,92 @@ + + +# Troubleshoot DTR + + +## Emergency access to the Trusted Registry + +If your authenticated or public access to the Trusted Registry UI has stopped +working, but your Trusted Registry admin container is still running, you can add +an +[ambassador container](https://docs.docker.com/articles/ambassador_pattern_linking/) +to get temporary unsecure access to it. + +For Trusted Registry version 1.4.3, run the following command in a Trusted Registry CLI: + +``` +docker run --rm -it --net dtr -p 9999:80 svendowideit/ambassador dockertrustedregistry_admin_server_1 80 +``` +However, if you are running a version prior to it, 1.4.2 or earlier, then continue to run this command: + +``` +$ docker run --rm -it --link docker_trusted_registry_admin_server:admin -p 9999:80 svendowideit/ambassador +``` + +Either command gives you access on port `9999` on your Trusted Registry server +`http://:9999`. This guide assumes that you are a member of the `docker` group, or you have root privileges. Otherwise, you may need to add `sudo` to the previous example command. + +### SSH access to host + +As an extra measure of safety, ensure you have SSH access to the Trusted +Registry host before you start using it. + +If you are hosting Trusted Registry on an EC2 host launched from the AWS +Marketplace AMI, note that the user is `ec2-user`: +`/path/to/private_key/id_rsa ec2-user@`. + + +## Client Docker Daemon diagnostics + +To debug client Docker daemon communication issues with the Trusted Registry, +Docker also provides a diagnostics tool to be run on the client Docker daemon. + +> **Warning:** These diagnostics files may contain secrets that you need to remove before passing on, such as raw container log files, Azure storage credentials, or passwords that may be sent to non-Docker Trusted Registry containers using the `docker run -e PASSWORD=asdf` environment variable options. 
+ +If you supply an administrator username and password, then the `diagnostics` +tool also downloads additional logs and configuration data from the remote +Trusted Registry server. Download and run this tool using the following command: + +``` +$ wget https://dhe.mycompany.com/admin/bin/diagnostics && chmod +x diagnostics +$ sudo ./diagnostics dhe.mycompany.com > enduserDiagnostics.zip DTR +administrator password (provide empty string if there is no admin server +authentication): +WARN [1.1.0-alpha-001472_g8a9ddb4] Encountered errors running diagnostics +errors=[Failed to copy DTR Adminserver's exported settings into ZIP output: +"Failed to read next tar header: \"archive/tar: invalid tar header\"" Failed to +copy logs from DTR Adminserver into ZIP output: "Failed to read next tar header: +\"archive/tar: invalid tar header\"" error running "sestatus": "exit status 127" +error running "dmidecode": "exit status 127"] +``` + +The zip file contains the following information: + +- your local Docker host's `ca-certificates.crt` +- `containers/`: the first 20 running, stopped and paused containers `docker inspect` + information and log files. +- `dockerEngine/`: the local Docker daemon's `info` and `version` output +- `dockerState/`: the local Docker daemon's container states, image states, log file, and daemon configuration file +- `dtr/`: Remote Docker Trusted Registry services information. This directory will only be populated if the user enters a Docker Trusted Registry "admin" username and password. +- - `dtr/logs/`: the remote Docker Trusted Registry container log files. This directory will only be populated if the user enters a Docker Trusted Registry "admin" username and password. +- - `dtr/exportedSettings/`: the Docker Trusted Registry manager container's log files and a backup of the `/usr/local/etc/dtr` Docker Trusted Registry configuration directory. See the [export settings section](#export-settings) for more details. 
+- `sysinfo/`: local Host information +- `errors.txt`: errors and warnings encountered while running diagnostics + +### Starting and stopping the Trusted Registry + +If you need to stop and/or start the Trusted Registry (for example, upgrading, or troubleshooting), use the following commands: + +`sudo bash -c "$(docker run docker/trusted-registry stop)"` + + +`sudo bash -c "$(docker run docker/trusted-registry start)"` diff --git a/overview.md b/overview.md index f3f4bd1c1c..c7352f2a05 100644 --- a/overview.md +++ b/overview.md 
@@ -1,68 +1,38 @@ - + -# Overview of Docker Trusted Registry +# Docker Trusted Registry overview -Docker Trusted Registry lets you run and manage your own Docker image -storage service, securely on your own infrastructure behind your company -firewall. This allows you to securely store, push, and pull the images used by -your enterprise to build, ship, and run applications. Docker Trusted Registry also provides -monitoring and usage information to help you understand the workloads being -placed on it. +Docker Trusted Registry (DTR) is the enterprise-grade image storage solution +from Docker. You install it behind your firewall so that you can securely store +and manage the Docker images you use in your applications. -Specifically, Docker Trusted Registry provides: + -* An image registry to store, manage, and collaborate on Docker images -* Pluggable storage drivers -* Configuration options to let you run Docker Trusted Registry in your particular enterprise -environment. -* Easy, transparent upgrades -* Logging, usage and system health metrics +## Image management -Docker Trusted Registry is perfect for: +Docker UCP can be installed on-premises, or on a virtual private cloud. +And with it, you can store your Docker images securely, behind your firewall. -* Providing a secure, on-premises development environment -* Creating a streamlined build pipeline -* Building a consistent, high-performance test/QA environment -* Managing image deployment +You can use DTR as part of your Continuous Integration (CI), and Continuous +Delivery (CD) processes, to build, run, and ship your applications. -Docker Trusted Registry is built on [version 2 of the Docker registry](https://github.com/docker/distribution). -To get your copy of Docker Trusted Registry, including a free trial, visit [the Docker Subscription page](https://hub.docker.com/enterprise/). For more information on acquiring Docker Trusted Registry, see the [install page](install/index.md). 
+## Built-in security and access control -> **Important**: Docker Trusted Registry must be used with the current version of the commercially -> supported Docker Engine. You must install this version of Docker before -> installing Docker Trusted Registry. For instructions on accessing and installing commercially -> supported Docker Engine, visit the [install page](install/index.md#download-the-commercially-supported-docker-engine-installation-script). +Docker UCP has its own built-in authentication mechanism, and supports LDAP +and Active Directory. It also supports Role Based Access Control (RBAC). -## Available Documentation +This allows you to implement fine-grain access control policies, on who has +access to your Docker images. -The following documentation for Docker Trusted Registry is available: - -* **Overview**, this page. -* [**Release Notes**](release-notes.md) See the latest additions, fixes, and known issues. -* [**Quick Start: Basic User Workflow**](quick-start.md) Go here to learn the -fundamentals of how Docker Trusted Registry works and how you can set up a simple, but useful -workflow. -* [**User Guide**](userguide.md) Go here to learn about using Docker Trusted Registry from day to -day. -* [**Administrator Guide**](adminguide.md) Go here if you are an administrator -responsible for running and maintaining Docker Trusted Registry. -* [**Installation**](install/index.md) Go here for the steps you'll need to install -Docker Trusted Registry and get it working. -* [**Configuration**](configure/configuration.md) Go here to find out details about -setting up and configuring Docker Trusted Registry for your particular environment. -* [**Support**](install/index.md) Go here for information on getting support for Docker Trusted Registry. -* [**The Docker Trusted Registry product page**](https://www.docker.com/docker-trusted-registry). 
-* [**Docker Trusted Registry Use Cases page**](https://www.docker.com/products/use-cases) showing an example CI/CD pipeline. -* [**Docker Trusted Registry and Docker tutorials and webinars**](https://www.docker.com/products/resources). - -Note: Docker Trusted Registry requires that you use the commercially supported Docker Engine. + diff --git a/quick-start.md b/quick-start.md index a1e1827c12..ffe2b9199b 100644 --- a/quick-start.md +++ b/quick-start.md @@ -1,14 +1,15 @@ - + -# Docker Trusted Registry Quick Start guide: Basic User Workflow +# Docker Trusted Registry quickstart This Quick Start Guide gives you a hands-on look at the basics of using Docker Trusted Registry, Docker's on-premises image storage application. @@ -44,9 +45,7 @@ You should be able to complete this guide in about thirty minutes. ## Pulling the official Jenkins image > **Note:** This guide assumes you are familiar with basic Docker concepts such -> as images, containers, and registries. If you need to learn more about Docker -> fundamentals, please consult the -> [Docker user guide](http://docs.docker.com/userguide/). +> as images, containers, and registries. First, you will retrieve a copy of the official Jenkins image from the Docker Hub. By default, if Docker can't find an image locally, it will attempt to pull the image from the @@ -322,8 +321,3 @@ HTTPS access, your new plugin was added and is ready for use, and HTTP access has been disabled. At this point, any member of your team can use `docker pull` to access the image from your Docker Trusted Registry instance, allowing them to access a configured, secured Jenkins instance that can run on any infrastructure. - -## Next Steps - -For more information on using Docker Trusted Registry, take a look at the -[User's Guide](userguide.md). diff --git a/reference/backup.md b/reference/backup.md new file mode 100644 index 0000000000..dad35088e4 --- /dev/null +++ b/reference/backup.md 
@@ -0,0 +1,18 @@ + + +# backup + +## Usage + +## Description + +## Options diff --git a/reference/diagnostics.md b/reference/diagnostics.md new file mode 100644 index 0000000000..7d268c5614 --- /dev/null +++ b/reference/diagnostics.md @@ -0,0 +1,18 @@ + + +# diagnostics + +## Usage + +## Description + +## Options diff --git a/reference/dumpcerts.md b/reference/dumpcerts.md new file mode 100644 index 0000000000..63185c096a --- /dev/null +++ b/reference/dumpcerts.md @@ -0,0 +1,18 @@ + + +# dumpcerts + +## Usage + +## Description + +## Options diff --git a/reference/help.md b/reference/help.md new file mode 100644 index 0000000000..2b68fac229 --- /dev/null +++ b/reference/help.md @@ -0,0 +1,18 @@ + + +# help + +## Usage + +## Description + +## Options diff --git a/reference/index.md b/reference/index.md new file mode 100644 index 0000000000..b0e075c719 --- /dev/null +++ b/reference/index.md @@ -0,0 +1,11 @@ + diff --git a/reference/install.md b/reference/install.md new file mode 100644 index 0000000000..c43b2a4cce --- /dev/null +++ b/reference/install.md @@ -0,0 +1,18 @@ + + +# install + +## Usage + +## Description + +## Options diff --git a/reference/join.md b/reference/join.md new file mode 100644 index 0000000000..b541c67251 --- /dev/null +++ b/reference/join.md @@ -0,0 +1,18 @@ + + +# join + +## Usage + +## Description + +## Options diff --git a/reference/reconfigure.md b/reference/reconfigure.md new file mode 100644 index 0000000000..914ff106e5 --- /dev/null +++ b/reference/reconfigure.md @@ -0,0 +1,18 @@ + + +# reconfigure + +## Usage + +## Description + +## Options diff --git a/reference/remove.md b/reference/remove.md new file mode 100644 index 0000000000..99cd8199cd --- /dev/null +++ b/reference/remove.md @@ -0,0 +1,18 @@ + + +# remove + +## Usage + +## Description + +## Options diff --git a/reference/restart.md b/reference/restart.md new file mode 100644 index 0000000000..28a7cd2811 --- /dev/null +++ b/reference/restart.md 
@@ -0,0 +1,18 @@ + + +# restart + +## Usage + +## Description + +## Options diff --git a/reference/restore.md b/reference/restore.md new file mode 100644 index 0000000000..ad8d1af771 --- /dev/null +++ b/reference/restore.md @@ -0,0 +1,18 @@ + + +# restore + +## Usage + +## Description + +## Options diff --git a/cse-prior-release-notes.md b/release-notes/cse-prior-release-notes.md similarity index 98% rename from cse-prior-release-notes.md rename to release-notes/cse-prior-release-notes.md index 16720a5cf6..d338e85bc8 100644 --- a/cse-prior-release-notes.md +++ b/release-notes/cse-prior-release-notes.md @@ -1,12 +1,14 @@ + # CS Engine release notes archive diff --git a/cse-release-notes.md b/release-notes/cse-release-notes.md similarity index 95% rename from cse-release-notes.md rename to release-notes/cse-release-notes.md index b88f4062ba..6d375a984d 100644 --- a/cse-release-notes.md +++ b/release-notes/cse-release-notes.md @@ -1,11 +1,12 @@ @@ -59,7 +60,7 @@ incorrectly propagated as the source address of a connection. ## CS Engine 1.9.1-cs2 (4 December 2015) -Starting with this release, upgrading minor versions, for example, from 1.9.0 to 1.9.1, is faster and easier. See the [upgrade](install/upgrade.md) documentation for details. +Starting with this release, upgrading minor versions, for example, from 1.9.0 to 1.9.1, is faster and easier. See the [upgrade](../install/upgrade.md) documentation for details. You can refer to the detailed list of all changes since the release of CS Engine 1.9.0 diff --git a/release-notes/index.md b/release-notes/index.md new file mode 100644 index 0000000000..ccb15bced5 --- /dev/null +++ b/release-notes/index.md @@ -0,0 +1,11 @@ + diff --git a/prior-release-notes.md b/release-notes/prior-release-notes.md similarity index 92% rename from prior-release-notes.md rename to release-notes/prior-release-notes.md index 92bb8ae225..bf72573b81 100644 --- a/prior-release-notes.md +++ b/release-notes/prior-release-notes.md 
@@ -1,12 +1,14 @@ + # Docker Trusted Registry release notes archive @@ -81,11 +83,11 @@ Trusted Registry. See below for specifics. ### New Features -* New, more granular, [roles for users](configure/configuration.md#authentication). Docker Trusted Registry users can now be assigned different levels of access +* New, more granular, [roles for users](../user-management/permission-levels.md). Docker Trusted Registry users can now be assigned different levels of access (admin, r/w, r/o) to the repositories. **Important:** Existing Docker Trusted Registry users should make sure to see the note [below](#dhe-1-0-upgrade-warning) regarding migrating users before upgrading. * A new storage status indicator for storage space. The dashboard now shows used and available storage space for supported storage drivers. -* A new [diagnostics tool](adminguide.md#client-docker-daemon-diagnostics) gathers and bundles Docker Trusted Registry logs, system information, container +* A new diagnostics tool gathers and bundles Docker Trusted Registry logs, system information, container information, and other configuration settings for use by Docker support or as a backup. * Performance and reliability improvements to the S3 storage backend. diff --git a/release-notes.md b/release-notes/release-notes.md similarity index 94% rename from release-notes.md rename to release-notes/release-notes.md index 8b8a388c9c..524d261077 100644 --- a/release-notes.md +++ b/release-notes/release-notes.md @@ -1,12 +1,14 @@ + # Docker Trusted Registry release notes 
@@ -62,7 +64,7 @@ Release notes contain the following sections: * Fixed or updated with this release ## Additional storage backend -This release introduces using Openstack Swift as a storage backend. Refer to the [configuration documentation](configure/configuration.md) for details on the Swift driver. +This release introduces using Openstack Swift as a storage backend. Refer to the [configuration documentation](../configure/config-storage.md) for details on the Swift driver. ## Fixed or updated with this release This release addresses the following issues in Docker Trusted Registry 1.4.1. 
@@ -127,17 +129,17 @@ documentation. * Image deletion and garbage collection - * You can now delete an image in the registry's image index. This step of marking an unwanted image is called a soft delete. Refer to the [documentation](soft-garbage.md). + * You can now delete an image in the registry's image index. This step of marking an unwanted image is called a soft delete. - * Administrators can use the dashboard or API to configure a task to regularly reclaim the disk space taken up by deleted images. Refer to the [documentation](soft-garbage.md). + * Administrators can use the dashboard or API to configure a task to regularly reclaim the disk space taken up by deleted images. * Repositories, Account Management, and interactive API UIs - * Set up, and manage user accounts, teams, organizations, and repositories from either APIs or through the Trusted Registry user interface. Refer to either the API documentation or the [documentation](accounts.md) for performing tasks in the UI. + * Set up, and manage user accounts, teams, organizations, and repositories from either APIs or through the Trusted Registry user interface. * Search, browse, and discover images created by other users through either APIs or through the Trusted Registry UI. - * Users, depending on their roles, can access account information through the Trusted Registry UI. Refer to the [documentation](accounts.md) for details. + * Users, depending on their roles, can access account information through the Trusted Registry UI. * View new API documentation through the Trusted Registry UI. You can also view this [documentation](https://docs.docker.com/docker-trusted-registry/) from Docker, Inc. docs section. 
@@ -149,7 +151,7 @@ documentation. * Different repository behavior. A repository must first exist before you can push an image to it. This means you must explicitly create (or have it performed for you if you don't have the correct permissions) a repository. This behavior is different than how you would perform this in a free and open-source software registry. -* New experimental feature. Docker Trusted Registry now integrates with Docker Content Trust using Notary. This is an experimental feature that is available with this release. See the [configuration documentation](configure/configuration.md). +* New experimental feature. Docker Trusted Registry now integrates with Docker Content Trust using Notary. This is an experimental feature that is available with this release. ### Fixed with this release This release corrects the following issues in Docker Trusted Registry 1.3.3. diff --git a/repos-and-images/create-repo.md b/repos-and-images/create-repo.md new file mode 100644 index 0000000000..87fefff1c4 --- /dev/null +++ b/repos-and-images/create-repo.md @@ -0,0 +1,39 @@ + + +## Create a repository + +Before you can push images to your Docker Trusted Registry, you need to +create a repository for them. + +To create a new repository: + +1. In your browser navigate to the **Docker Trusted Registry web application**. + +2. Navigate to the **Repositories** page. + +3. Click **New repository**. + + +4. Add a **name and description** for the repository. + + +5. Choose whether your repository is public or private: + + * Private repositories are visible to all users, but can only be changed by + users granted with permission to write them. + * Private repositories can only be seen by users that have been granted + permissions to that repository. + +6. Click **Create** to create the repository. + +Now you can push your images to this repository. 
diff --git a/soft-garbage.md b/repos-and-images/delete-images.md similarity index 80% rename from soft-garbage.md rename to repos-and-images/delete-images.md index 1d579467e0..addec57c2b 100644 --- a/soft-garbage.md +++ b/repos-and-images/delete-images.md @@ -1,14 +1,17 @@ + -# Overview +# Delete images This document describes the two-step process of removing an image from the Trusted Registry. This process is first performed by developers wanting to @@ -25,14 +28,14 @@ purposefully delete one of those manifests and the image layers referenced by that manifest become orphaned, then they can be removed during the garbage collection job. In the following diagram, _both_ manifests point to the first layer, #2543d8. -![Garbage collection illustration](images/gc1.png) +![](../images/gc1.png) Since many developers may use a base image for future images, it is possible that there will be image layers that will never be deleted. There might be other manifests that point to layers of the base image which could still be used by others as seen in the second diagram. -![Garbage collection illustration](images/gc3.png) +![](../images/gc3.png) ## Prerequisites You need an image to remove. @@ -53,13 +56,13 @@ You can perform a soft deletion, either from the UI or from the command line. From the Trusted Registry dashboard, navigate to Repositories > Tags. Click the trash can next to the images you want to remove. They are now marked for the garbage collection job. -![Soft deletion of a tag in the UIn](images/tag-removal.png) +![](../images/tag-removal.png) If you prefer to not use the UI, then you can open a Trusted Registry command line and type: -``` -curl -u : -X DELETE https:///api/v0/repositories///manifests/ +```bash +$ curl -u : -X DELETE https:///api/v0/repositories///manifests/ ``` You can only delete one image at a time and you must also be authenticated as a 
@@ -82,10 +85,10 @@ immediately, they can type in a Trusted Registry CLI: However, it is more common to set up the garbage collection cron job to be performed routinely as seen in the following example: -``` - curl -u : -H 'Content-Type: application/json' -X POST https:///api/v0/admin/settings/registry/garbageCollection/schedule -d '{"schedule": - ""}' +```bash +$ curl -u : -H 'Content-Type: application/json' -X POST https:///api/v0/admin/settings/registry/garbageCollection/schedule -d '{"schedule": +""}' ``` Trusted Registry administrators can also set the cron job through the Trusted @@ -116,18 +119,9 @@ get an error message. See your results by running the following example in a Trusted Registry CLI: -``` -curl -u : https://: https:///api/v0/admin/settings/registry/garbageCollection/lastSavings ``` The results are also displayed in the Trusted Registry UI by navigating to Settings > Garbage collection. - -### See also - -* See the [administrator guide](adminguide.md) if you are an administrator -responsible for running and maintaining Docker Trusted Registry. - -* See [configuration](configure/configuration.md) to find out details about -setting up and configuring Docker Trusted Registry for your particular -environment. diff --git a/repos-and-images/index.md b/repos-and-images/index.md new file mode 100644 index 0000000000..a34d2481f3 --- /dev/null +++ b/repos-and-images/index.md @@ -0,0 +1,11 @@ + diff --git a/userguide.md b/repos-and-images/push-and-pull-images.md similarity index 56% rename from userguide.md rename to repos-and-images/push-and-pull-images.md index 123f71a6d5..c668ec005c 100644 --- a/userguide.md +++ b/repos-and-images/push-and-pull-images.md @@ -1,47 +1,13 @@ + ## Push and pull overview 
@@ -57,7 +23,7 @@ Docker registry. You use the `docker pull` command to retrieve images and the `docker push` command to add an image. To learn more about Docker images, see [User Guide: Working with Docker Images](https://docs.docker.com/engine/userguide/dockerimages/). For a step-by-step example of the entire process, see the -[Quick Start: Basic Workflow Guide](quick-start.md). +[Quickstart guide](../quick-start.md). > **Note**: If your Docker Trusted Registry instance has authentication enabled, you will need to >use your command line to `docker login ` (for example `docker login 
@@ -122,39 +88,32 @@ To retrieve an image from the Trusted Registry and then run Docker to build the container, add the needed info to `docker run`: - $ docker run dtr.yourdomain.com/yourusername/hello-mine - latest: Pulling from dtr.yourdomain.com/yourusername/hello-mine - 511136ea3c5a: Pull complete - 31cbccb51277: Pull complete - e45a5af57b00: Already exists - Digest: sha256:45f0de377f861694517a1440c74aa32eecc3295ea803261d62f950b1b757bed1 - Status: Downloaded newer image for dtr.yourdomain.com/demouser/hello-mine:latest +```bash +$ docker run dtr.yourdomain.com/yourusername/hello-mine + +latest: Pulling from dtr.yourdomain.com/yourusername/hello-mine +511136ea3c5a: Pull complete +31cbccb51277: Pull complete +e45a5af57b00: Already exists +Digest: sha256:45f0de377f861694517a1440c74aa32eecc3295ea803261d62f950b1b757bed1 +Status: Downloaded newer image for dtr.yourdomain.com/demouser/hello-mine:latest +``` If you don't specify a version, by default the `latest` version of an image is pulled. If you run `docker images` after this, then you see a `hello-mine` image. - $ docker images - REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE - dtr.yourdomain.com/yourusername/hello-mine latest e45a5af57b00 3 months ago 910 B +```bash +$ docker images +REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE +dtr.yourdomain.com/yourusername/hello-mine latest e45a5af57b00 3 months ago 910 B +``` + To pull an image without building the container, use `docker pull` and specify your Docker Trusted Registry by adding it to the command: - $ docker pull dtr.yourdomain.com/yourusername/hello-mine - - -## Next steps - -For information on administering the Trusted Registry, see the -[administrator's tasks ](adminguide.md) documentation. - - - +```bash +$ docker pull dtr.yourdomain.com/yourusername/hello-mine +``` diff --git a/support.md b/support.md index 844baf5deb..87fdf77ec0 100644 --- a/support.md +++ b/support.md 
@@ -1,23 +1,22 @@ - + +# Get support +Your Docker Data Center, or Docker Trusted Registry subscription gives you +access to prioritized support. The service levels depend on your subscription. -# How to get Commercial Support +If you need help, you can file a ticket via: -Purchasing a Docker Trusted Registry License or Commercial Support subscription -means your questions and issues about Docker Trusted Registry will receive -prioritized support. You can file a ticket through -[email](mailto:support@docker.com) from your company email address, or visit our -[support site](https://support.docker.com). In either case, you'll need to -verify your email address, and then you can communicate with the support team -either by email or web interface. +* [Email](mailto:support@docker.com) +* [Docker support page](https://support.docker.com/) -**The availability of support depends on your [support subscription](https://www.docker.com/enterprise/support/)** +Be sure to use your company email when filing tickets. diff --git a/user-management/index.md b/user-management/index.md new file mode 100644 index 0000000000..22fa26c0bd --- /dev/null +++ b/user-management/index.md @@ -0,0 +1,11 @@ + diff --git a/accounts.md b/user-management/permission-levels.md similarity index 62% rename from accounts.md rename to user-management/permission-levels.md index f907c73873..c5d08c8613 100644 --- a/accounts.md +++ b/user-management/permission-levels.md @@ -1,13 +1,16 @@ + -# Account and repository management introduction +# DTR permission levels Administrators assign permissions to control users level of access to the Trusted Registry. To access repositories, these users are grouped into teams and 
@@ -107,95 +110,3 @@ You must first create a repository before pushing an image to it. Otherwise you The push refers to a repository [my.dtr.host/user1/myimage] (len: 1) 1d073211c498: Image push failed unauthorized: access to the requested resource is not authorized ``` - -## Manage repositories, organizations, and teams - -This section provides workflows for you to manage your users using the Trusted Registry’s repositories. - - -### Create an organization - -1. From the Trusted Registry dashboard, click the Organizations submenu. - -2. Click New organization. The Organization details screen displays. - -3. Enter a unique name for your organization and save. - - -### Add teams to your organization - -1. From the Trusted Registry dashboard, click the Organizations submenu. - -2. Find your organization and select it. The Organization details screen displays. - -3. Select the submenu Teams. - -4. By default, the `owners` team box displays where you can add members who will have full admin access to that repository. - -5. Click New team and enter the required fields. - -6. Click Add members to select members to the team. Save your work. - -At this point, you have created an organization and populated it with at least -one team. Next, you will either create or associate a repository to that -organization. - - -### Create a new repository for the team or organization - -1. From the Organization details screen, click the desired organization. - -2. If you click New repository, follow the steps to create a new repository that is associated to the organization. - -3. To associate that repo to a team, click the Teams subtab, then click the targeted team. - -4. Click Add repository and select a permission set from the drop down menu. - -5. You can either create a new repository or find an existing repository to associate to the team. - - -### Create a new repository - -1. From the Trusted Registry dashboard, click the Repositories submenu. - -2. Click New repository. 
The Repositories details screen displays. - -3. Select an account type and enter a repository name. - -4. Determine visibility. By default, the repository is public. - -5. (Optional) Enter a description. - -6. Save your work. - -From the Repository submenu, you can: - -* View, search, and filter the list of your repositories. -* Create either public or private repositories. -* Select a repository and edit it. -* Drill down to see details and teams that are associated with it. - -### View repository details - -1. From the Trusted Registry dashboard, navigate to the Repositories menu. - -2. Find a repository that contains images in it. - -3. Click the submenu to see either details, tags, or settings. - -The **Details** screen contains a brief description, a longer README, and the permissions associated with it. - -The **Tag** screen contains the list of image tags. If you wanted to delete an image for garbage collection, click the garbage can icon beside it. - -![Repositories page](images/accounts-long-tag.png) - -The **Settings** screen is where you edit the details screen. - -## See also - -* To configure for your environment, see the -[Configuration instructions](configure/configuration.md). -* To administer the Trusted Registry, see the [Admin guide ](adminguide.md). -* To use Docker Trusted Registry, see the [User guide](userguide.md). -* To upgrade, see the [Upgrade guide](install/upgrade.md). -* To see previous changes, see the [release notes](release-notes.md).
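Review bot: In the release-notes hunks at -127,17 and -149,7 the links to `soft-garbage.md`, `accounts.md` and `configure/configuration.md` are deleted rather than repointed, while the hunk at -62,7 repoints its configuration link to `../configure/config-storage.md`. This same patch renames `soft-garbage.md` to `repos-and-images/delete-images.md` and `accounts.md` to `user-management/permission-levels.md`, so the soft-delete, garbage-collection and account bullets can link to the new paths instead of losing their references. The Notary bullet loses its only pointer to configuration for a feature the text itself calls experimental; link it to whichever page now covers that setup.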
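Review bot: In `repos-and-images/create-repo.md`, step 5, both bullets begin "Private repositories", so the first one, which describes a repository visible to all users, is mislabelled and should read "Public repositories are visible to all users, but can only be changed by users granted with permission to write them." This is the one place the new page explains the visibility choice, and as written a reader cannot tell which option exposes the repository to every user. The procedure removed from `permission-levels.md` in this patch also stated "By default, the repository is public"; the new step does not say what the default is, and it should.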
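Review bot: The three image lines in `repos-and-images/delete-images.md` lose their alt text when the paths are corrected: `![Garbage collection illustration](images/gc1.png)` becomes `![](../images/gc1.png)`, and the same happens for `gc3.png` and `tag-removal.png`. Keep a description on each image and change only the path. The surrounding text relies on the diagrams ("In the following diagram, _both_ manifests point to the first layer"), so an empty alt leaves nothing for screen readers or for a build where the image fails to load. The old "UIn" typo in the third alt text can be fixed at the same time.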
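Review bot: The re-fenced `curl` examples in `repos-and-images/delete-images.md` (the `DELETE .../manifests/` call and the `garbageCollection/schedule` POST) keep the `-u` argument in user-and-password form, and the text says the caller must be authenticated, in the schedule case as an administrator. A password typed inline ends up in shell history and is visible in the process list on a shared host. Since these lines are being rewritten anyway, show `-u` with the user name only so that curl prompts for the password, and say so in the sentence before the block. The new leading `$ ` inside a `bash` fence also means the command can no longer be pasted as-is; either drop the prompt or keep it consistently and mention it.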
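Review bot: In the -122,39 hunk of `repos-and-images/push-and-pull-images.md`, the sample output carried into the new fenced block still mixes two accounts: the command and the "Pulling from" line use `dtr.yourdomain.com/yourusername/hello-mine`, but the last line reads "Status: Downloaded newer image for dtr.yourdomain.com/demouser/hello-mine:latest". Use one name throughout, since a reader comparing their own output against the docs will read the mismatch as an image pulled from a different namespace. The block is also tagged `bash` but is mostly command output, so a plain fence or separating the command from its output would render better. The hunk removes the "Next steps" pointer to the administrator documentation without adding a replacement link.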
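Review bot: The -107,95 hunk in `user-management/permission-levels.md` removes the "Create an organization" and "Add teams to your organization" procedures, including the note that members of the `owners` team "will have full admin access", and the visible part of this patch adds a replacement only for repository creation (`repos-and-images/create-repo.md`). If those procedures move to other pages under `user-management/`, link them from this page or from `user-management/index.md`; otherwise the `owners` team behaviour is no longer documented anywhere. The removed "See also" list is likewise dropped rather than repointed to the renamed files.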