Merge branch 'master' into release-notes-eng-2019

paigehargrave 2019-02-18 14:16:18 -05:00 committed by GitHub
commit b75a86e470
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
85 changed files with 10568 additions and 400 deletions

View File

@ -66,16 +66,6 @@ COPY --from=docs/docker.github.io:nginx-onbuild /etc/nginx/conf.d/default.conf /
# archives less often than new ones.
# To add a new archive, add it here
# AND ALSO edit _data/docsarchives/archives.yaml to add it to the drop-down
COPY --from=docs/docker.github.io:v1.4 ${TARGET} ${TARGET}
COPY --from=docs/docker.github.io:v1.5 ${TARGET} ${TARGET}
COPY --from=docs/docker.github.io:v1.6 ${TARGET} ${TARGET}
COPY --from=docs/docker.github.io:v1.7 ${TARGET} ${TARGET}
COPY --from=docs/docker.github.io:v1.8 ${TARGET} ${TARGET}
COPY --from=docs/docker.github.io:v1.9 ${TARGET} ${TARGET}
COPY --from=docs/docker.github.io:v1.10 ${TARGET} ${TARGET}
COPY --from=docs/docker.github.io:v1.11 ${TARGET} ${TARGET}
COPY --from=docs/docker.github.io:v1.12 ${TARGET} ${TARGET}
COPY --from=docs/docker.github.io:v1.13 ${TARGET} ${TARGET}
COPY --from=docs/docker.github.io:v17.03 ${TARGET} ${TARGET}
COPY --from=docs/docker.github.io:v17.06 ${TARGET} ${TARGET}
COPY --from=docs/docker.github.io:v17.09 ${TARGET} ${TARGET}
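Review bot: The comment above the COPY list names only `_data/docsarchives/archives.yaml` as the other place to edit, yet this commit also has to trim the `keep_files` list, whose own comment says it must contain every archive directory. Extend the comment here to mention `keep_files` as well, so the three lists do not drift apart the next time an archive is added or retired.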

View File

@ -317,6 +317,21 @@ still optimizes the bandwidth during browsing).
> This is beta content. It is not yet complete and should be considered a work in progress. This content is subject to change without notice.
```
## Accessing unsupported archived documentation
Supported documentation includes the current version plus the previous five versions.
If you are using a version of the documentation that is no longer supported, which means that the version number is not listed in the site dropdown list, you can still access that documentation in the following ways:
- By entering your version number and selecting it from the branch selection list for this repo
- By directly accessing the Github URL for your version. For example, https://github.com/docker/docker.github.io/tree/v1.9 for `v1.9`
- By running a container of the specific [tag for your documentation version](https://cloud.docker.com/u/docs/repository/docker/docs/docker.github.io/general#read-these-docs-offline)
in Docker Hub. For example, run the following to access `v1.9`:
```bash
docker run -it -p 4000:4000 docs/docker.github.io:v1.9
```
## Building archives and the live published docs
All the images described below are automatically built using Docker Hub. To
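Review bot: In the added example `docker run -it -p 4000:4000 docs/docker.github.io:v1.9`, `-p 4000:4000` publishes the port on every host interface, which is wider than needed for reading archived docs locally. Suggest `-p 127.0.0.1:4000:4000`, plus `--rm` so the archive container is not left behind after use. In the second bullet, "Github" should be "GitHub".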

View File

@ -13,7 +13,7 @@ safe: false
lsi: false
url: https://docs.docker.com
# This needs to have all the directories you expect to be in the archives (delivered by docs-base in the Dockerfile)
keep_files: ["v1.4", "v1.5", "v1.6", "v1.7", "v1.8", "v1.9", "v1.10", "v1.11", "v1.12", "v1.13", "v17.03", "v17.06", "v17.09", "v17.12", "v18.03"]
keep_files: ["v17.03", "v17.06", "v17.09", "v17.12", "v18.03"]
exclude: ["_scripts", "apidocs/layouts", "Gemfile", "hooks", "index.html", "404.html"]
# Component versions -- address like site.docker_ce_version
@ -94,7 +94,7 @@ defaults:
- scope:
path: "install"
values:
win_latest_build: "docker-18.09.1"
win_latest_build: "docker-18.09.2"
- scope:
path: "datacenter"
values:

View File

@ -22,33 +22,3 @@
- archive:
name: v17.03
image: docs/docker.github.io:v17.03
- archive:
name: v1.13
image: docs/docker.github.io:v1.13
- archive:
name: v1.12
image: docs/docker.github.io:v1.12
- archive:
name: v1.11
image: docs/docker.github.io:v1.11
- archive:
name: v1.10
image: docs/docker.github.io:v1.10
- archive:
name: v1.9
image: docs/docker.github.io:v1.9
- archive:
name: v1.8
image: docs/docker.github.io:v1.8
- archive:
name: v1.7
image: docs/docker.github.io:v1.7
- archive:
name: v1.6
image: docs/docker.github.io:v1.6
- archive:
name: v1.5
image: docs/docker.github.io:v1.5
- archive:
name: v1.4
image: docs/docker.github.io:v1.4

View File

@ -32,7 +32,7 @@ collection: |
nodes, services, containers, volumes, networks, and secrets. [Learn how to manage collections](/datacenter/ucp/2.2/guides/access-control/manage-access-with-collections/).
Compose: |
[Compose](https://github.com/docker/compose) is a tool for defining and
running complex applications with Docker. With compose, you define a
running complex applications with Docker. With Compose, you define a
multi-container application in a single file, then spin your
application up in a single command which does everything that needs to
be done to get it running.

View File

@ -1182,6 +1182,8 @@ manuals:
title: Add SANs to cluster certificates
- path: /ee/ucp/admin/configure/collect-cluster-metrics/
title: Collect UCP cluster metrics with Prometheus
- path: /ee/ucp/admin/configure/metrics-descriptions/
title: Using UCP cluster metrics with Prometheus
- path: /ee/ucp/admin/configure/configure-rbac-kube/
title: Configure native Kubernetes role-based access control
- path: /ee/ucp/admin/configure/create-audit-logs/
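Review bot: The title of the added entry, "Using UCP cluster metrics with Prometheus", is almost the same as the entry directly above it, "Collect UCP cluster metrics with Prometheus", so the two are hard to tell apart in the navigation. A title that reflects the `metrics-descriptions` path would make the difference clear.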
@ -1204,8 +1206,6 @@ manuals:
title: UCP configuration file
- path: /ee/ucp/admin/configure/use-node-local-network-in-swarm/
title: Use a local node network in a swarm
- path: /ee/ucp/admin/configure/use-nfs-volumes/
title: Use NFS persistent storage
- path: /ee/ucp/admin/configure/use-your-own-tls-certificates/
title: Use your own TLS certificates
- path: /ee/ucp/admin/configure/manage-and-deploy-private-images/
@ -1345,6 +1345,8 @@ manuals:
section:
- title: Access Kubernetes Resources
path: /ee/ucp/kubernetes/kube-resources/
- title: Use NFS persistent storage
path: /ee/ucp/admin/configure/use-nfs-volumes/
- title: Configure AWS EBS Storage for Kubernetes
path: /ee/ucp/kubernetes/configure-aws-storage/
- title: Deploy a workload

View File

@ -137,7 +137,7 @@ You only need to set up the repository once, after which you can install Docker
{% elsif section == "install-using-yum-repo" %}
> ***NOTE:*** If you need to run Docker EE 2.0, please see the following instructions:
> **Note**: If you need to run Docker EE 2.0, please see the following instructions:
> * [18.03](https://docs.docker.com/v18.03/ee/supported-platforms/) - Older Docker EE Engine only release
> * [17.06](https://docs.docker.com/v17.06/engine/installation/) - Docker Enterprise Edition 2.0 (Docker Engine,
> UCP, and DTR).

View File

@ -205,7 +205,7 @@ the value assigned to a variable that shows up more than once_. The files in the
list are processed from the top down. For the same variable specified in file
`a.env` and assigned a different value in file `b.env`, if `b.env` is
listed below (after), then the value from `b.env` stands. For example, given the
following declaration in `docker_compose.yml`:
following declaration in `docker-compose.yml`:
```yaml
services:

View File

@ -532,7 +532,7 @@ the value assigned to a variable that shows up more than once_. The files in the
list are processed from the top down. For the same variable specified in file
`a.env` and assigned a different value in file `b.env`, if `b.env` is
listed below (after), then the value from `b.env` stands. For example, given the
following declaration in `docker_compose.yml`:
following declaration in `docker-compose.yml`:
```yaml
services:
@ -990,7 +990,7 @@ as it has the highest priority. It then connects to `app_net_3`, then
app_net_2:
app_net_3:
> **Note:** If multiple networks have the same priority, the connection order
> **Note**: If multiple networks have the same priority, the connection order
> is undefined.
### pid
@ -1235,7 +1235,7 @@ volumes:
mydata:
```
> **Note:** When creating bind mounts, using the long syntax requires the
> **Note**: When creating bind mounts, using the long syntax requires the
> referenced folder to be created beforehand. Using the short syntax
> creates the folder on the fly if it doesn't exist.
> See the [bind mounts documentation](/engine/admin/volumes/bind-mounts.md/#differences-between--v-and---mount-behavior)
@ -1248,7 +1248,7 @@ service.
volume_driver: mydriver
> **Note:** In [version 2 files](compose-versioning.md#version-2), this
> **Note**: In [version 2 files](compose-versioning.md#version-2), this
> option only applies to anonymous volumes (those specified in the image,
> or specified under `volumes` without an explicit named volume or host path).
> To configure the driver for a named volume, use the `driver` key under the
@ -1298,7 +1298,7 @@ then read-write is used.
Each of these is a single value, analogous to its
[docker run](/engine/reference/run.md) counterpart.
> **Note:** The following options were added in [version 2.2](compose-versioning.md#version-22):
> **Note**: The following options were added in [version 2.2](compose-versioning.md#version-22):
> `cpu_count`, `cpu_percent`, `cpus`.
> The following options were added in [version 2.1](compose-versioning.md#version-21):
> `oom_kill_disable`, `cpu_period`

View File

@ -279,7 +279,7 @@ at build time is the value in the environment where Compose is running.
#### cache_from
> **Note:** This option is new in v3.2
> **Note**: This option is new in v3.2
A list of images that the engine uses for cache resolution.
@ -291,7 +291,7 @@ A list of images that the engine uses for cache resolution.
#### labels
> **Note:** This option is new in v3.3
> **Note**: This option is new in v3.3
Add metadata to the resulting image using [Docker labels](/engine/userguide/labels-custom-metadata.md).
You can use either an array or a dictionary.
@ -490,7 +490,7 @@ an error.
### credential_spec
> **Note:** this option was added in v3.3.
> **Note**: this option was added in v3.3.
Configure the credential spec for managed service account. This option is only
used for services using Windows containers. The `credential_spec` must be in the
@ -1001,7 +1001,7 @@ the value assigned to a variable that shows up more than once_. The files in the
list are processed from the top down. For the same variable specified in file
`a.env` and assigned a different value in file `b.env`, if `b.env` is
listed below (after), then the value from `b.env` stands. For example, given the
following declaration in `docker_compose.yml`:
following declaration in `docker-compose.yml`:
```none
services:
@ -1431,7 +1431,7 @@ containers in the bare-metal machine's namespace and vice versa.
Expose ports.
> **Note:** Port mapping is incompatible with `network_mode: host`
> **Note**: Port mapping is incompatible with `network_mode: host`
#### Short syntax
@ -1473,7 +1473,7 @@ ports:
```
> **Note:** The long syntax is new in v3.2
> **Note**: The long syntax is new in v3.2
### restart
@ -1810,7 +1810,7 @@ volumes:
mydata:
```
> **Note:** The long syntax is new in v3.2
> **Note**: The long syntax is new in v3.2
#### Volumes for services, swarms, and stack files

View File

@ -129,7 +129,7 @@ by step instructions are also included below.
sudo chmod +x /usr/local/bin/docker-compose
```
> ***Note:*** If the command `docker-compose` fails after installation, check your path.
> **Note**: If the command `docker-compose` fails after installation, check your path.
> You can also create a symbolic link to `/usr/bin` or any other directory in your path.
For example:

View File

@ -28,8 +28,8 @@ any of the following:
|:-----------------|:------------------------------------------------------------------------------------------------|
| `no` | Do not automatically restart the container. (the default) |
| `on-failure` | Restart the container if it exits due to an error, which manifests as a non-zero exit code. |
| `unless-stopped` | Restart the container unless it is explicitly stopped or Docker itself is stopped or restarted. |
| `always` | Always restart the container if it stops. |
| `always` | Always restart the container if it stops. If it is manually stopped, it is restarted only when Docker daemon restarts or the container itself is manually restarted. (See the second bullet listed in [restart policy details](#restart-policy-details)) |
| `unless-stopped` | Similar to `always`, except that when the container is stopped (manually or otherwise), it is not restarted even after Docker daemon restarts. |
The following example starts a Redis container and configures it to always
restart unless it is explicitly stopped or Docker is restarted.
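Review bot: The sentence right after the table still describes the example as "always restart unless it is explicitly stopped or Docker is restarted", which is the old `unless-stopped` wording that this hunk replaces. Reword it to match the new row (a stopped container stays stopped even after the daemon restarts). The new `always` row also depends on a `#restart-policy-details` anchor that is not visible in this hunk, so confirm it exists, and both new rows should say "the Docker daemon".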

View File

@ -101,7 +101,7 @@ you need to add this configuration in the Docker systemd service file.
The `NO_PROXY` variable specifies a string that contains comma-separated
values for hosts that should be excluded from proxying. These are the
options you can specify to exclude hosts:
* IP address prefix (`1.2.3.4`) or in CIDR notation (`1.2.3.4/8`)
* IP address prefix (`1.2.3.4`)
* Domain name, or a special DNS label (`*`)
* A domain name matches that name and all subdomains. A domain name with
a leading "." matches subdomains only. For example, given the domains
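Review bot: Dropping the CIDR form from the first bullet leaves "IP address prefix (`1.2.3.4`)", where the example is a full address rather than a prefix, and nothing tells readers who already use CIDR entries what happens to them. A `NO_PROXY` entry that does not match sends that traffic through the proxy, so if CIDR notation is not supported the bullet should say so explicitly, and either be renamed "IP address" or show an actual prefix.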

View File

@ -24,11 +24,13 @@ command.
Example usage:
```bash
$ docker run -it --rm dtr-internal.caas.docker.io/caas/dtr:2.4.0-alpha-008434_ge02413a install \
--ucp-node <UCP_NODE_HOSTNAME> \
--ucp-insecure-tls
```
Note: Use --ucp-ca "$(cat ca.pem)" instead of --ucp-insecure-tls for a production deployment.
> **Note**: Use `--ucp-ca "$(cat ca.pem)"` instead of `--ucp-insecure-tls` for a production deployment.
## Options
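Review bot: The example in the context lines pulls `dtr-internal.caas.docker.io/caas/dtr:2.4.0-alpha-008434_ge02413a`, which looks like an internal registry host with an alpha build tag and should not be the reference in published usage docs. Since this block is being touched anyway, replace it with the public image reference for this release.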

View File

@ -24,11 +24,13 @@ command.
Example usage:
```bash
$ docker run -it --rm docker/dtr:2.4.1 install \
--ucp-node <UCP_NODE_HOSTNAME> \
--ucp-insecure-tls
```
Note: Use --ucp-ca "$(cat ca.pem)" instead of --ucp-insecure-tls for a production deployment.
> **Note**: Use `--ucp-ca "$(cat ca.pem)"` instead of `--ucp-insecure-tls` for a production deployment.
## Options
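Review bot: The copy-pasteable example still ends in `--ucp-insecure-tls`, while the verified form `--ucp-ca "$(cat ca.pem)"` appears only in the note below it. Consider making `--ucp-ca` the example and mentioning `--ucp-insecure-tls` as the test-only alternative, because readers tend to copy the command and skip the note.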

View File

@ -14,10 +14,10 @@ upgrade your installation to the latest release.
(18 Jan 2017)
Note: UCP 1.1.6 supports Docker Engine 1.12 but does not use the built-in
orchestration capabilities provided by the Docker Engine with swarm mode enabled.
When installing this UCP version on a Docker Engine 1.12 host, UCP creates a
cluster using the older Docker Swarm v1.2.
> **Note**: UCP 1.1.6 supports Docker Engine 1.12 but does not use the built-in
> orchestration capabilities provided by the Docker Engine with swarm mode enabled.
> When installing this UCP version on a Docker Engine 1.12 host, UCP creates a
> cluster using the older Docker Swarm v1.2.
**Security Update**
@ -41,10 +41,10 @@ the [permissions levels section](user-management/permission-levels.md) for more
(8 Dec 2016)
Note: UCP 1.1.5 supports Docker Engine 1.12 but does not use the built-in
orchestration capabilities provided by the Docker Engine with swarm mode enabled.
When installing this UCP version on a Docker Engine 1.12 host, UCP creates a
cluster using the older Docker Swarm v1.2.
> **Note**: UCP 1.1.5 supports Docker Engine 1.12 but does not use the built-in
> orchestration capabilities provided by the Docker Engine with swarm mode enabled.
> When installing this UCP version on a Docker Engine 1.12 host, UCP creates a
> cluster using the older Docker Swarm v1.2.
**Bug fixes**
@ -61,10 +61,10 @@ the authentication process.
(29 Sept 2016)
Note: UCP 1.1.4 supports Docker Engine 1.12 but does not use the built-in
orchestration capabilities provided by the Docker Engine with swarm mode enabled.
When installing this UCP version on a Docker Engine 1.12 host, UCP creates a
cluster using Docker Swarm v1.2.5.
> **Note**: UCP 1.1.4 supports Docker Engine 1.12 but does not use the built-in
> orchestration capabilities provided by the Docker Engine with swarm mode enabled.
> When installing this UCP version on a Docker Engine 1.12 host, UCP creates a
> cluster using Docker Swarm v1.2.5.
**Bug fixes**
@ -76,10 +76,10 @@ organization accounts
## Version 1.1.3
Note: UCP 1.1.3 supports Docker Engine 1.12 but does not use the built-in
orchestration capabilities provided by the Docker Engine with swarm mode enabled.
When installing this UCP version on a Docker Engine 1.12 host, UCP creates a
cluster using Docker Swarm v1.2.5.
> **Note**: UCP 1.1.3 supports Docker Engine 1.12 but does not use the built-in
> orchestration capabilities provided by the Docker Engine with swarm mode enabled.
> When installing this UCP version on a Docker Engine 1.12 host, UCP creates a
> cluster using Docker Swarm v1.2.5.
**Security Update**
@ -125,9 +125,9 @@ enabled, and is not compatible with swarm-mode based APIs, e.g. `docker service`
## Version 1.1.2
Note: UCP 1.1.2 supports Docker Engine 1.12 but doesn't use the new clustering
capabilities provided by the Docker swarm mode. When installing this UCP version
on a Docker Engine 1.12, UCP creates a "classic" Docker Swarm 1.2.3 cluster.
> **Note**: UCP 1.1.2 supports Docker Engine 1.12 but doesn't use the new clustering
> capabilities provided by the Docker swarm mode. When installing this UCP version
> on a Docker Engine 1.12, UCP creates a "classic" Docker Swarm 1.2.3 cluster.
**Features**

View File

@ -194,7 +194,8 @@ apply two labels to your service:
com.docker.ucp.mesh.http.1=external_route=http://example.org,redirect=https://example.org
com.docker.ucp.mesh.http.2=external_route=sni://example.org
```
Note: It is not possible to redirect HTTPS to HTTP.
> **Note**: It is not possible to redirect HTTPS to HTTP.
### X-Forwarded-For header

View File

@ -41,6 +41,17 @@ As part of your backup policy you should regularly create backups of UCP.
DTR is backed up independently.
[Learn about DTR backups and recovery](../../../../dtr/2.3/guides/admin/backups-and-disaster-recovery.md).
> Warning: On UCP versions 3.0.0 - 3.0.7, before performing a UCP backup, you must clean up multiple /dev/shm mounts in the ucp-kublet entrypoint script by running the following script on all nodes via cron job:
```
SHM_MOUNT=$(grep -m1 '^tmpfs./dev/shm' /proc/mounts)
while [ $(grep -cm2 '^tmpfs./dev/shm' /proc/mounts) -gt 1 ]; do
sudo umount /dev/shm
done
grep -q '^tmpfs./dev/shm' /proc/mounts || sudo mount "${SHM_MOUNT}"
```
For additional details, refer to [Docker KB000934](https://success.docker.com/article/more-than-one-dev-shm-mount-in-the-host-namespace){: target="_blank"}
To create a UCP backup, run the `{{ page.ucp_org }}/{{ page.ucp_repo }}:{{ page.ucp_version }} backup` command
on a single UCP manager. This command creates a tar archive with the
contents of all the [volumes used by UCP](../architecture.md) to persist data
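Review bot: On the last line of the added script, `sudo mount "${SHM_MOUNT}"` passes an entire `/proc/mounts` line (device, mount point, type, options and the two trailing fields) as one quoted argument, which `mount` does not accept as a mount specification, so the fallback cannot restore `/dev/shm` if it is ever reached. Split the saved line into its fields and pass source, target, type and options as separate arguments. Smaller points: "ucp-kublet" should read "ucp-kubelet", the callout should use the `> **Warning**:` form used for notes elsewhere in this commit, the fence has no language tag, and the sentence carrying the KB link has no final period.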

View File

@ -40,6 +40,10 @@ Docker UCP requires each node on the cluster to have a static IP address.
Before installing UCP, ensure your network and nodes are configured to support
this.
## Avoid IP range conflicts
The `service-cluster-ip-range` Kubernetes API Server flag is currently set to `10.96.0.0/16` and cannot be changed.
## Time synchronization
In distributed systems like Docker UCP, time synchronization is critical

View File

@ -22,7 +22,7 @@ impact to your users.
Don't make changes to UCP configurations while you're upgrading.
This can lead to misconfigurations that are difficult to troubleshoot.
> Note: If you are upgrading a cluster to UCP 3.0.2 or higher on Microsoft
> **Note**: If you are upgrading a cluster to UCP 3.0.2 or higher on Microsoft
> Azure then please ensure all of the Azure [prerequisities](install-on-azure.md/#azure-prerequisites)
> are met.

View File

@ -187,7 +187,8 @@ apply two labels to your service:
com.docker.ucp.mesh.http.1=external_route=http://example.org,redirect=https://example.org
com.docker.ucp.mesh.http.2=external_route=sni://example.org
```
Note: It is not possible to redirect HTTPS to HTTP.
> **Note**: It is not possible to redirect HTTPS to HTTP.
### X-Forwarded-For header

View File

@ -63,9 +63,9 @@ command.
| `--swarm-port` | Port for the Docker Swarm manager. Used for backwards compatibility |
| `--swarm-grpc-port` | Port for communication between nodes |
| `--cni-installer-url` | A URL pointing to a Kubernetes YAML file to be used as an installer for the CNI plugin of the cluster. If specified, the default CNI plugin is not installed. If the URL uses the HTTPS scheme, no certificate verification is performed. |
| `--pod-cidr` | Kubernetes cluster IP pool for the pods to allocated IPs from (Default: 192.168.0.0/16) |
| `--cloud-provider` | The cloud provider for the cluster |
| `--skip-cloud-provider` | Disables checks that rely on detecting the cloud provider (if any) on which the cluster is currently running. |
| `--dns` | Set custom DNS servers for the UCP containers |
| `--dns-opt` | Set DNS options for the UCP containers |
| `--dns-search` | Set custom DNS search domains for the UCP containers |
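Review bot: The `--cni-installer-url` row says that for HTTPS URLs "no certificate verification is performed", which means the manifest that installs the cluster's CNI plugin is fetched without authenticating the server. That deserves more than a clause in a table cell: add a note advising readers to serve the file from a trusted network location and to review its contents before installing.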
@ -80,7 +80,8 @@ command.
| `--swarm-experimental` | Enable Docker Swarm experimental features. Used for backwards compatibility |
| `--disable-tracking` | Disable anonymous tracking and analytics |
| `--disable-usage` | Disable anonymous usage reporting |
| `--external-server-cert` | Use the certificates in the `ucp-controller-server-certs` volume instead of generating self-signed certs during installation |
| `--external-server-cert` | Use the certificates in the `ucp-controller-server-certs` volume instead of generating self-signed certs during installation
|
| `--preserve-certs` | Don't generate certificates if they already exist |
| `--binpack` | Set the Docker Swarm scheduler to binpack mode. Used for backwards compatibility |
| `--random` | Set the Docker Swarm scheduler to random mode. Used for backwards compatibility |
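Review bot: The changed `--external-server-cert` row now ends without its closing `|`, which sits alone on the following line, so the Markdown table breaks at that row. Put the row back on a single line ending in `|`.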

View File

@ -29,4 +29,4 @@ most benefits from Docker.
## Advanced development with the SDK or API
After you can write Dockerfiles or Compose files and use Docker CLI, take it to the next level by using Docker Engine SDK for Go/Python or use HTTP API directly.
After you can write Dockerfiles or Compose files and use Docker CLI, take it to the next level by using Docker Engine SDK for Go/Python or use the HTTP API directly.

View File

@ -16,7 +16,14 @@ notes](release-notes) are also available. (Following the CE release model,
releases, and download stable and edge product installers at [Download Docker
for Mac](install.md#download-docker-for-mac).
## Edge Releases of 2018
## Edge Releases of 2019
### Docker Community Edition 2.0.2.1 2019-02-15
[Download](https://download.docker.com/mac/edge/31274/Docker.dmg)
* Upgrades
- [Docker 18.09.2](https://github.com/docker/docker-ce/releases/tag/v18.09.2), fixes [CVE-2019-5736](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736)
### Docker Community Edition 2.0.2.0 2019-02-06
@ -55,6 +62,8 @@ for Mac](install.md#download-docker-for-mac).
- Rename Docker for Mac to Docker Desktop
- Partially open services ports if possible. [docker/for-mac#3438](https://github.com/docker/for-mac/issues/3438)
## Edge Releases of 2018
### Docker Community Edition 2.0.0.0-mac82 2018-12-07
[Download](https://download.docker.com/mac/edge/29268/Docker.dmg)

View File

@ -412,9 +412,9 @@ $ security add-trusted-cert -d -r trustRoot -k ~/Library/Keychains/login.keychai
See also, [Directory structures for
certificates](#directory-structures-for-certificates).
> **Note:** You need to restart Docker Desktop for Mac after making any changes to the
keychain or to the `~/.docker/certs.d` directory in order for the changes to
take effect.
> **Note**: You need to restart Docker Desktop for Mac after making any changes to the
> keychain or to the `~/.docker/certs.d` directory in order for the changes to
> take effect.
For a complete explanation of how to do this, see the blog post [Adding
Self-signed Registry Certs to Docker & Docker Desktop for

View File

@ -6,29 +6,51 @@ redirect_from:
title: Leverage multi-CPU architecture support
notoc: true
---
Docker images can support multiple architectures, which means that a single
image may contain variants for different architectures, and sometimes for different
operating systems, such as Windows.
Docker Desktop for Mac provides `binfmt_misc` multi architecture support, so you can run
containers for different Linux architectures, such as `arm`, `mips`, `ppc64le`,
and even `s390x`.
When running an image with multi-architecture support, `docker` will
automatically select an image variant which matches your OS and architecture.
Most of the official images on Docker Hub provide a [variety of architectures](https://github.com/docker-library/official-images#architectures-other-than-amd64).
For example, the `busybox` image supports `amd64`, `arm32v5`, `arm32v6`,
`arm32v7`, `arm64v8`, `i386`, `ppc64le`, and `s390x`. When running this image
on an `x86_64` / `amd64` machine, the `x86_64` variant will be pulled and run,
which can be seen from the output of the `uname -a` command that's run inside
the container:
```bash
$ docker run busybox uname -a
Linux 82ef1a0c07a2 4.9.125-linuxkit #1 SMP Fri Sep 7 08:20:28 UTC 2018 x86_64 GNU/Linux
```
**Docker Desktop for Mac** provides `binfmt_misc` multi-architecture support,
which means you can run containers for different Linux architectures
such as `arm`, `mips`, `ppc64le`, and even `s390x`.
This does not require any special configuration in the container itself as it uses
<a href="http://wiki.qemu.org/" target="_blank">qemu-static</a> from the Docker for
Mac VM.
<a href="http://wiki.qemu.org/" target="_blank">qemu-static</a> from the **Docker for
Mac VM**. Because of this, you can run an ARM container, like the `arm32v7` or `ppc64le`
variants of the busybox image:
You can run an ARM container, like the <a href="https://www.balena.io/blog/how-resin-io-works/" target="_blank">
balena</a> arm builds:
```
$ docker run balenalib/armv7hf-debian uname -a
Linux 3d3ffca44f6e 4.9.125-linuxkit #1 SMP Fri Sep 7 08:20:28 UTC 2018 armv7l GNU/Linux
$ docker run justincormack/ppc64le-debian uname -a
Linux edd13885f316 4.1.12 #1 SMP Tue Jan 12 10:51:00 UTC 2016 ppc64le GNU/Linux
### arm32v7 variant
```bash
$ docker run arm32v7/busybox uname -a
Linux 9e3873123d09 4.9.125-linuxkit #1 SMP Fri Sep 7 08:20:28 UTC 2018 armv7l GNU/Linux
```
Multi architecture support makes it easy to build <a href="https://blog.docker.com/2017/11/multi-arch-all-the-things/" target="_blank">
multi architecture Docker images</a> or experiment with ARM images and binaries
from your Mac.
### ppc64le variant
```bash
$ docker run ppc64le/busybox uname -a
Linux 57a073cc4f10 4.9.125-linuxkit #1 SMP Fri Sep 7 08:20:28 UTC 2018 ppc64le GNU/Linux
```
Notice that this time, the `uname -a` output shows `armv7l` and
`ppc64le` respectively.
Multi-architecture support makes it easy to build <a href="https://blog.docker.com/2017/11/multi-arch-all-the-things/" target="_blank">multi-architecture Docker images</a> or experiment with ARM images and binaries from your Mac.
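Review bot: The added sentence "you can run an ARM container, like the `arm32v7` or `ppc64le` variants of the busybox image" calls `ppc64le` an ARM variant, which it is not. Reword it to something like "a container built for another architecture". The new text also mixes "Docker Desktop for Mac" with "Docker for Mac VM", and the qemu link is still plain `http://`.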

View File

@ -63,7 +63,7 @@ By default, you can share files in `/Users/`, `/Volumes/`, `/private/`, and
`/tmp` directly. To add or remove directory trees that are exported to Docker,
use the **File sharing** tab in Docker preferences ![whale
menu](images/whale-x.png){: .inline} -> **Preferences** ->
**File sharing**. (See [Preferences](index.md#preferences).)
**File sharing**. (See [Preferences](/docker-for-mac/index.md#preferences-menu).)
All other paths
used in `-v` bind mounts are sourced from the Moby Linux VM running the Docker

View File

@ -20,6 +20,13 @@ Desktop for Mac](install.md#download-docker-for-mac).
## Stable Releases of 2019
### Docker Community Edition 2.0.0.3 2019-02-15
[Download](https://download.docker.com/mac/stable/31259/Docker.dmg)
* Upgrades
- [Docker 18.09.2](https://github.com/docker/docker-ce/releases/tag/v18.09.2), fixes [CVE-2019-5736](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736)
### Docker Community Edition 2.0.0.2 2019-01-16
[Download](https://download.docker.com/mac/stable/30215/Docker.dmg)

View File

@ -16,7 +16,14 @@ notes](release-notes) are also available. (Following the CE release model,
releases, and download stable and edge product installers at [Download Docker
for Windows](install.md#download-docker-for-windows).
## Edge Releases of 2018
## Edge Releases of 2019
### Docker Community Edition 2.0.2.1 2019-02-15
[Download](https://download.docker.com/win/edge/31274/Docker%20Desktop%20Installer.exe)
* Upgrades
- [Docker 18.09.2](https://github.com/docker/docker-ce/releases/tag/v18.09.2), fixes [CVE-2019-5736](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736)
### Docker Community Edition 2.0.2.0 2019-02-06
@ -54,6 +61,8 @@ for Windows](install.md#download-docker-for-windows).
- Quit will not check if service is running anymore
- Fix UI lock when changing kubernetes state
## Edge Releases of 2018
### Docker Community Edition 2.0.0.0-win82 2018-12-07
[Download](https://download.docker.com/win/edge/29268/Docker%20for%20Windows%20Installer.exe)

View File

@ -54,7 +54,7 @@ Hub](https://hub.docker.com/editions/community/docker-ce-desktop-windows){:
Looking for information on using Windows containers?
* [Switch between Windows and Linux
containers](https://docs.docker.com/docker-for-windows/#switch-between-windows-and-linux-containers)
containers](/docker-for-windows/index.md#switch-between-windows-and-linux-containers)
describes the Linux / Windows containers toggle in Docker Desktop for Windows and
points you to the tutorial mentioned above.
* [Getting Started with Windows Containers
@ -99,7 +99,7 @@ accessible from any terminal window.
If the whale is hidden in the Notifications area, click the up arrow on the
taskbar to show it. To learn more, see [Docker
Settings](index.md#docker-settings-dialog).
Settings](/docker-for-windows/index.md#docker-settings-dialog).
If you just installed the app, you also get a popup success message with
suggested next steps, and a link to this documentation.

View File

@ -20,6 +20,16 @@ for Windows](install.md#download-docker-for-windows).
## Stable Releases of 2019
### Docker Community Edition 2.0.0.3 2019-02-15
[Download](https://download.docker.com/win/stable/31259/Docker%20for%20Windows%20Installer.exe)
* Upgrades
- [Docker 18.09.2](https://github.com/docker/docker-ce/releases/tag/v18.09.2), fixes [CVE-2019-5736](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736)
* Bug fix
- Fix crash in system tray menu when the Hub login fails or Air gap mode
### Docker Community Edition 2.0.0.2 2019-01-16
[Download](https://download.docker.com/win/stable/30215/Docker%20for%20Windows%20Installer.exe)
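Review bot: The bug-fix bullet "Fix crash in system tray menu when the Hub login fails or Air gap mode" does not parse; it probably means "when the Hub login fails or when in air-gap mode". Separately, the 18.09.2 upgrade is listed under a plain "Upgrades" heading although its only description is a CVE fix, so consider labelling the release as a security update so that readers scanning the list do not skip it.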

View File

@ -129,9 +129,9 @@ For each source:
* Specify the **Dockerfile location** as a path relative to the root of the source code repository. (If the Dockerfile is at the repository root, leave this path set to `/`.)
> **Note:** When Docker Hub pulls a branch from a source code repository, it performs
a shallow clone (only the tip of the specified branch). Refer to [Advanced options for Autobuild and Autotest](advanced.md)
for more information.
> **Note**: When Docker Hub pulls a branch from a source code repository, it performs
> a shallow clone (only the tip of the specified branch). Refer to [Advanced options for Autobuild and Autotest](advanced.md)
> for more information.
### Environment variables for builds

View File

@ -13,7 +13,7 @@ Docker Hub Organizations let you create teams so you can give your team access t
- **Organizations** are a collection of teams and repositories that can be managed together.
- **Teams** are groups of Docker Hub users that belong to your organization.
**Note:** in Docker Hub, users cannot be associated directly to an organization. They belong only to teams within an organization.
> **Note**: in Docker Hub, users cannot be associated directly to an organization. They belong only to teams within an organization.
### Creating an organization
@ -48,7 +48,7 @@ To create a team:
2. Click on **Add User**
3. Provide the user's Docker ID username _or_ email to add them to the team ![Add User to Team](images/orgs-team-add-user.png)
**Note:** you are not automatically added to teams created by your organization.
> **Note**: you are not automatically added to teams created by your organization.
### Removing team members

View File

@ -466,11 +466,12 @@ root:[~/] #
root:[~/] # ./inspectDockerImage --json gforghetti/apache:latest | jq
```
Note: The output was piped to the **jq** command to display it "nicely".
> **Note**: The output was piped to the `jq` command to display it "nicely".
#### Output:
```
```json
{
"Date": "Mon May 21 13:23:37 2018",
"SystemOperatingSystem": "Operating System: Ubuntu 16.04.4 LTS",
@ -580,7 +581,6 @@ Note: The output was piped to the **jq** command to display it "nicely".
}
]
}
root:[~/] #
```
<a name="linux-with-html">

View File

@ -364,12 +364,11 @@ gforghetti:~/$
gforghetti:~:$ ./inspectDockerLoggingPlugin --json gforghetti/docker-log-driver-test:latest | jq
```
> Note: The output was piped to the **jq** command to display it "nicely".
> **Note**: The output was piped to the `jq` command to display it "nicely".
#### Output:
```
```json
{
"Date": "Mon May 21 14:38:28 2018",
"SystemOperatingSystem": "Operating System: Ubuntu 16.04.4 LTS",

View File

@ -82,7 +82,7 @@ stored in the primary DTR. You can
[customize the storage parameters](/registry/configuration/#storage),
if you want the cached images to be backended by persistent storage.
> Note: Kubernetes Peristent Volumes or Persistent Volume Claims would have to be
> **Note**: Kubernetes Peristent Volumes or Persistent Volume Claims would have to be
> used to provide persistent backend storage capabilities for the cache.
```
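Review bot: The rewritten note line still carries the misspelling `Peristent` ("Kubernetes Peristent Volumes"). Since the line is being touched anyway, correct it to `Persistent`. The context line above it also says "backended by persistent storage", which would read better as "backed by persistent storage".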

View File

@ -38,7 +38,8 @@ docker run -it --rm \
--https-proxy username:password@<doman>:<port> \
--ucp-insecure-tls
```
NOTE: DTR will hide the password portion of the URL, when it is displayed in the DTR UI.
> **Note**: DTR will hide the password portion of the URL, when it is displayed in the DTR UI.
## Where to go next
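Review bot: The reformatted note only says that the password is hidden in the DTR UI, while the command directly above it passes `username:password@<doman>:<port>` as a command-line argument, where it stays in the shell history and is visible in the host's process list. Consider saying so in the note, for example by recommending that the value be read from a variable rather than typed inline. While this block is open, fix the `<doman>` placeholder to `<domain>` and drop the comma before "when".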

View File

@ -45,7 +45,7 @@ It also reconfigures DTR removing all other nodes from the cluster, leaving DTR
as a single-replica cluster with the replica you chose.
Start by finding the ID of the DTR replica that you want to repair from.
You can find the list of replicas by navigating to the UCP web UI, or by using
You can find the list of replicas by navigating to **Shared Resources > Stacks** or **Swarm > Volumes** (when using [swarm mode](/engine/swarm/)) on the UCP web interface, or by using
a UCP client bundle to run:
{% raw %}
@ -57,6 +57,15 @@ docker ps --format "{{.Names}}" | grep dtr
```
{% endraw %}
Another way to determine the replica ID is to SSH into a DTR node and run the following:
{% raw %}
```bash
REPLICA_ID=$(docker inspect -f '{{.Name}}' $(docker ps -q -f name=dtr-rethink) | cut -f 3 -d '-')
&& echo $REPLICA_ID
```
{% endraw %}
Then, use your UCP client bundle to run the emergency repair command:
```bash
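Review bot: The added snippet breaks the command across two lines with the second line starting with `&& echo $REPLICA_ID`, which is a shell syntax error when pasted as shown, because a newline ends the assignment before `&&`. Put the `&&` at the end of the first line, or place the `echo` on its own line without `&&`. It would also help to quote the inner `$(docker ps -q -f name=dtr-rethink)` and to say what to expect if the filter matches no container, since `docker inspect` then fails and `REPLICA_ID` ends up empty.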

View File

@ -54,7 +54,7 @@ To remove unhealthy replicas, you'll first have to find the replica ID
of one of the replicas you want to keep, and the replica IDs of the unhealthy
replicas you want to remove.
You can find this in the **Stacks** page of the UCP web UI, or by using the UCP
You can find the list of replicas by navigating to **Shared Resources > Stacks** or **Swarm > Volumes** (when using [swarm mode](/engine/swarm/)) on the UCP web interface, or by using the UCP
client bundle to run:
{% raw %}
@ -66,6 +66,15 @@ docker ps --format "{{.Names}}" | grep dtr
```
{% endraw %}
Another way to determine the replica ID is to SSH into a DTR node and run the following:
{% raw %}
```bash
REPLICA_ID=$(docker inspect -f '{{.Name}}' $(docker ps -q -f name=dtr-rethink) | cut -f 3 -d '-')
&& echo $REPLICA_ID
```
{% endraw %}
Then use the UCP client bundle to remove the unhealthy replicas:
```bash
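Review bot: This added block is a verbatim copy of the snippet added to the emergency repair page in the same commit, including the second line that begins with `&& echo $REPLICA_ID`, which does not parse when pasted as two lines. Fix the line break here as well, and consider moving the snippet and the "You can find the list of replicas by navigating to ..." sentence into a shared include so the two pages cannot drift apart.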

View File

@ -84,6 +84,7 @@ to upgrade your installation to the latest release.
* Users with read-only permissions to a repository can edit the repository README but their changes will not be saved. Only repository admins should have the ability to [edit the description](/ee/dtr/admin/manage-users/permission-levels/#team-permission-levels) of a repository. (docker/dhe-deploy #9677)
* Poll mirroring for Docker plugins such as `docker/imagefs` is currently broken. (docker/dhe-deploy #9490)
* When viewing the details of a scanned image tag, the header may display a different vulnerability count from the layer details. (docker/dhe-deploy #9474)
* In order to set a tag limit for pruning purposes, immutability must be turned off for a repository. This limitation is not clear in the **Repository Settings** view. (docker/dhe-deploy #9554)
* Webhooks
* When configured for "Image promoted from repository" events, a webhook notification is triggered twice during an image promotion when scanning is enabled on a repository. (docker/dhe-deploy #9685)

View File

@ -11,11 +11,14 @@ Tag pruning is the process of cleaning up unnecessary or unwanted repository tag
* specifying a tag pruning policy or alternatively,
* setting a tag limit
> Tag Pruning
>
> When run, tag pruning only deletes a tag and does not carry out any actual blob deletion. For actual blob deletions, see [Garbage Collection](../../admin/configure/garbage-collection.md).
> Known Issue
>
> While the tag limit field is disabled when you turn on immutability for a new repository, this is currently [not the case with **Repository Settings**](/ee/dtr/release-notes/#known-issues). As a workaround, turn off immutability when setting a tag limit via **Repository Settings > Pruning**.
In the following section, we will cover how to specify a tag pruning policy and set a tag limit on repositories that you manage. It will not include modifying or deleting a tag pruning policy.
## Specify a tag pruning policy
@ -65,7 +68,10 @@ In addition to pruning policies, you can also set tag limits on repositories tha
![](../images/tag-pruning-4.png){: .with-border}
To set a tag limit, select the repository that you want to update and click the **Settings** tab. Specify a number in the **Pruning** section and click **Save**. The **Pruning** tab will now display your tag limit above the prune triggers list along with a link to modify this setting.
To set a tag limit, do the following:
1. Select the repository that you want to update and click the **Settings** tab.
2. Turn off immutability for the repository.
3. Specify a number in the **Pruning** section and click **Save**. The **Pruning** tab will now display your tag limit above the prune triggers list along with a link to modify this setting.
![](../images/tag-pruning-5.png){: .with-border}

View File

@ -45,6 +45,17 @@ As part of your backup policy you should regularly create backups of UCP.
DTR is backed up independently.
[Learn about DTR backups and recovery](../../dtr/2.5/admin/disaster-recovery/index.md).
> Warning: On UCP versions 3.1.0 - 3.1.2, before performing a UCP backup, you must clean up multiple /dev/shm mounts in the ucp-kublet entrypoint script by running the following script on all nodes via cron job:
```
SHM_MOUNT=$(grep -m1 '^tmpfs./dev/shm' /proc/mounts)
while [ $(grep -cm2 '^tmpfs./dev/shm' /proc/mounts) -gt 1 ]; do
sudo umount /dev/shm
done
grep -q '^tmpfs./dev/shm' /proc/mounts || sudo mount "${SHM_MOUNT}"
```
For additional details, refer to [Docker KB000934](https://success.docker.com/article/more-than-one-dev-shm-mount-in-the-host-namespace){: target="_blank"}
To create a UCP backup, run the `{{ page.ucp_org }}/{{ page.ucp_repo }}:{{ page.ucp_version }} backup` command
on a single UCP manager. This command creates a tar archive with the
contents of all the [volumes used by UCP](../ucp-architecture.md) to persist data
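Review bot: The last line of the added script, `sudo mount "${SHM_MOUNT}"`, passes the whole `/proc/mounts` line as one quoted argument, so `mount` treats it as a single device or mount point name to look up rather than as a device, directory, type and options. That fallback is unlikely to remount anything and should be checked against the KB article. Also in this hunk: `ucp-kublet` in the warning should be `ucp-kubelet`, the code fence has no language tag (`bash` elsewhere in this commit), the fence sits outside the `>` warning that introduces it, and the unquoted `$(grep -cm2 ...)` inside `[ ... ]` is better quoted.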

View File

@ -22,16 +22,16 @@ The Docker EE platform provides a base set of metrics that gets you running and
## Business metrics ##
These are high-level aggregate metrics that typically combine technical, financial, and organizational data to create metrics for business leaders of the IT infrastructure. Some examples of business metrics might be:
- Company or division-level application downtime
- Aggregate resource utilization
- Application resource demand growth
- Company or division-level application downtime
- Aggregate resource utilization
- Application resource demand growth
## Application metrics ##
These are metrics about domain of APM tools like AppDynamics or DynaTrace and provide metrics about the state or performance of the application itself.
- Service state metrics
- Container platform metrics
- Host infrastructure metrics
- Service state metrics
- Container platform metrics
- Host infrastructure metrics
Docker EE 2.1 does not collect or expose application level metrics.
@ -40,9 +40,9 @@ The following are metrics Docker EE 2.1 collects, aggregates, and exposes:
## Service state metrics ##
These are metrics about the state of services running on the container platform. These types of metrics have very low cardinality, meaning the values are typically from a small fixed set of possibilities, commonly binary.
- Application health
- Convergence of K8s deployments and Swarm services
- Cluster load by number of services or containers or pods
- Application health
- Convergence of K8s deployments and Swarm services
- Cluster load by number of services or containers or pods
## Deploy Prometheus on worker nodes

View File

@ -195,6 +195,17 @@ events and may create a large amount of log entries.
- /kubernetesdocs
- /manage
## API endpoint information redacted
Information for the following API endpoints is redacted from the audit logs for security purposes:
- `/secrets/create` (POST)
- `/secrets/{id}/update` (POST)
- `/swarm/join` (POST)
- `/swarm/update` (POST)
-`/auth/login` (POST)
- Kube secrete create/update endpoints
## Where to go next
- [Collect UCP Cluster Metrics with Prometheus](collect-cluster-metrics.md)
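Review bot: In the added list of redacted endpoints, the item written as -`/auth/login` (POST) has no space after the dash, so it will not render as a list item and will be folded into the previous bullet. The last item, "Kube secrete create/update endpoints", has a typo ("secrete") and, unlike the other entries, names no path or method. Since readers will use this list to judge what the audit log can and cannot show, spell out the Kubernetes secret endpoints the same way as the others.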

View File

@ -27,7 +27,7 @@ workloads.
If Route Reflectors are running on a same node as other workloads, swarm ingress
and NodePorts might not work in these workloads.
## Choose dedicated notes
## Choose dedicated nodes
Start by tainting the nodes, so that no other workload runs there. Configure
your CLI with a UCP client bundle, and for each dedicated node, run:

View File

@ -141,7 +141,7 @@ Click **Yes** to enable integrating UCP users and teams with LDAP servers.
| No simple pagination | If your LDAP server doesn't support pagination. |
| Just-In-Time User Provisioning | Whether to create user accounts only when users log in for the first time. The default value of `true` is recommended. If you upgraded from UCP 2.0.x, the default is `false`. |
> **Note:** LDAP connections using certificates created with TLS v1.2 do not currently advertise support for sha512WithRSAEncryption in the TLS handshake which leads to issues establishing connections with some clients. Support for advertising sha512WithRSAEncryption will be added in UCP 3.1.0.
> **Note**: LDAP connections using certificates created with TLS v1.2 do not currently advertise support for sha512WithRSAEncryption in the TLS handshake which leads to issues establishing connections with some clients. Support for advertising sha512WithRSAEncryption will be added in UCP 3.1.0.
![](../../../images/ldap-integration-1.png){: .with-border}
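Review bot: The reformatted note still says support for advertising sha512WithRSAEncryption "will be added in UCP 3.1.0", but another hunk in this same commit already documents behaviour of UCP versions 3.1.0 - 3.1.2, so the future tense is stale. Either state which version added it or scope the note to the versions that are still affected.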

View File

@ -0,0 +1,86 @@
---
description: Using UCP cluster metrics with Prometheus
keywords: prometheus, metrics, ucp
title: Using UCP cluster metrics with Prometheus
redirect_from:
- /engine/admin/prometheus/
---
# UCP metrics
The following table lists the metrics that UCP exposes in Prometheus, along with descriptions. Note that only the metrics
labeled with `ucp_` are documented. Other metrics are exposed in Prometheus but are not documented.
| Name | Units | Description | Labels | Metric source |
|---------------------------------------------------------|----------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------|---------------|
| `ucp_controller_services` | number of services | The total number of Swarm services | | Controller |
| `ucp_engine_container_cpu_percent` | percentage | The percentage of CPU time this container is using. | container labels | Node |
| `ucp_engine_container_cpu_total_time_nanoseconds` | nanoseconds | Total CPU time used by this container in nanoseconds | container labels | Node |
| `ucp_engine_container_health` | 0.0 or 1.0 | Whether or not this container is healthy, according to its healthcheck. Note that if this value is 0, it just means that the container is not reporting healthy; it might not have a healthcheck defined at all, or its healthcheck might not have returned any results yet | container labels | Node |
| `ucp_engine_container_memory_max_usage_bytes` | bytes | Maximum memory used by this container in bytes | container labels | Node |
| `ucp_engine_container_memory_usage_bytes` | bytes | Current memory used by this container in bytes | container labels | Node |
| `ucp_engine_container_memory_usage_percent` | percentage | Percentage of total node memory currently being used by this container | container labels | Node |
| `ucp_engine_container_network_rx_bytes_total` | bytes | Number of bytes received by this container on this network in the last sample | container networking labels | Node |
| `ucp_engine_container_network_rx_dropped_packets_total` | number of packets | Number of packets bound for this container on this network that were dropped in the last sample | container networking labels | Node |
| `ucp_engine_container_network_rx_errors_total` | number of errors | Number of received network errors for this container on this network in the last sample | container networking labels | Node |
| `ucp_engine_container_network_rx_packets_total` | number of packets | Number of received packets for this container on this network in the last sample | container networking labels | Node |
| `ucp_engine_container_network_tx_bytes_total` | bytes | Number of bytes sent by this container on this network in the last sample | container networking labels | Node |
| `ucp_engine_container_network_tx_dropped_packets_total` | number of packets | Number of packets sent from this container on this network that were dropped in the last sample | container networking labels | Node |
| `ucp_engine_container_network_tx_errors_total` | number of errors | Number of sent network errors for this container on this network in the last sample | container networking labels | Node |
| `ucp_engine_container_network_tx_packets_total` | number of packets | Number of sent packets for this container on this network in the last sample | container networking labels | Node |
| `ucp_engine_container_unhealth` | 0.0 or 1.0 | Whether or not this container is unhealthy, according to its healthcheck. Note that if this value is 0, it just means that the container is not reporting unhealthy; it might not have a healthcheck defined at all, or its healthcheck might not have returned any results yet | container labels | Node |
| `ucp_engine_containers` | number of containers | Total number of containers on this node | node labels | Node |
| `ucp_engine_cpu_total_time_nanoseconds` | nanoseconds | System CPU time used by this container in nanoseconds | container labels | Node |
| `ucp_engine_disk_free_bytes` | bytes | Free disk space on the Docker root directory on this node in bytes. Note that this metric is not available for Windows nodes | node labels | Node |
| `ucp_engine_disk_total_bytes` | bytes | Total disk space on the Docker root directory on this node in bytes. Note that this metric is not available for Windows nodes | node labels | Node |
| `ucp_engine_images` | number of images | Total number of images on this node | node labels | Node |
| `ucp_engine_memory_total_bytes` | bytes | Total amount of memory on this node in bytes | node labels | Node |
| `ucp_engine_networks` | number of networks | Total number of networks on this node | node labels | Node |
| `ucp_engine_node_health` | 0.0 or 1.0 | Whether or not this node is healthy, as determined by UCP | nodeName: node name, nodeAddr: node IP address | Controller |
| `ucp_engine_num_cpu_cores` | number of cores | Number of CPU cores on this node | node labels | Node |
| `ucp_engine_pod_container_ready` | 0.0 or 1.0 | Whether or not this container in a Kubernetes pod is ready, as determined by its readiness probe. | pod labels | Controller |
| `ucp_engine_pod_ready` | 0.0 or 1.0 | Whether or not this Kubernetes pod is ready, as determined by its readiness probe. | pod labels | Controller |
| `ucp_engine_volumes` | number of volumes | Total number of volumes on this node | node labels | Node |
## Metrics labels
Metrics exposed by UCP in Prometheus have standardized labels, depending on the resource that they are measuring.
The following table lists some of the labels that are used, along with their values:
### Container labels
| Label name | Value |
|--------------------|---------------------------------------------------------------------------------------------|
| `collection` | The collection ID of the collection this container is in, if any |
| `container` | The ID of this container |
| `image` | The name of this container's image |
| `manager` | "true" if the container's node is a UCP manager, "false" otherwise |
| `name` | The name of the container |
| `podName` | If this container is part of a Kubernetes pod, this is the pod's name |
| `podNamespace` | If this container is part of a Kubernetes pod, this is the pod's namespace |
| `podContainerName` | If this container is part of a Kubernetes pod, this is the container's name in the pod spec |
| `service` | If this container is part of a Swarm service, this is the service ID |
| `stack` | If this container is part of a Docker compose stack, this is the name of the stack |
### Container networking labels
The following metrics measure network activity for a given network attached to a given
container. They have the same labels as Container labels, with one addition:
| Label name | Value |
|------------|-----------------------|
| `network` | The ID of the network |
### Node labels
| Label name | Value |
|------------|--------------------------------------------------------|
| `manager` | "true" if the node is a UCP manager, "false" otherwise |
## Metric source
UCP exports metrics on every node and also exports additional metrics from
every controller. The metrics that are exported from controllers are
cluster-scoped, for example, the total number of Swarm services. Metrics that
are exported from nodes are specific to those nodes, for example, the total memory
on that node.
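Review bot: In the metrics table, `ucp_engine_cpu_total_time_nanoseconds` is described as "System CPU time used by this container" with container labels, yet its name follows the node-level `ucp_engine_*` pattern and sits next to `ucp_engine_container_cpu_total_time_nanoseconds`, which reads like a copy-paste slip. Please confirm the scope and labels. The `*_total` network metrics are described as values "in the last sample", which conflicts with the usual Prometheus meaning of a `_total` counter as a cumulative value, so say which it is. Two smaller points: the "Container networking labels" section opens with "The following metrics measure ..." although what follows is a label table, and `redirect_from: /engine/admin/prometheus/` points an Engine docs path at this UCP page, which should be confirmed as intended.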

View File

@ -112,6 +112,8 @@ Configures audit logging options for UCP components.
Specifies scheduling options and the default orchestrator for new nodes.
> **Note**: If you run the `kubectl` command, such as `kubectl describe nodes`, to view scheduling rules on Kubernetes nodes, it does not reflect what is configured in UCP Admin settings. UCP uses taints to control container scheduling on nodes and is unrelated to kubectl's `Unschedulable` boolean flag.
| Parameter | Required | Description |
|:------------------------------|:---------|:-------------------------------------------------------------------------------------------------------------------------------------------|
| `enable_admin_ucp_scheduling` | no | Set to `true` to allow admins to schedule on containers on manager nodes. The default is `false`. |
@ -181,7 +183,7 @@ components. Assigning these values overrides the settings in a container's
| `metrics_retention_time` | no | Adjusts the metrics retention time. |
| `metrics_scrape_interval` | no | Sets the interval for how frequently managers gather metrics from nodes in the cluster. |
| `metrics_disk_usage_interval` | no | Sets the interval for how frequently storage metrics are gathered. This operation can be expensive when large volumes are present. |
| `rethinkdb_cache_size` | no | Sets the size of the cache used by UCP's RethinkDB servers. The default is 512MB, but leaving this field empty or specifying `auto` instructs RethinkDB to determine a cache size automatically. |
| `rethinkdb_cache_size` | no | Sets the size of the cache used by UCP's RethinkDB servers. The default is 1GB, but leaving this field empty or specifying `auto` instructs RethinkDB to determine a cache size automatically. |
| `cloud_provider` | no | Set the cloud provider for the kubernetes cluster. |
| `pod_cidr` | yes | Sets the subnet pool from which the IP for the Pod should be allocated from the CNI ipam plugin. Default is `192.168.0.0/16`. |
| `calico_mtu` | no | Set the MTU (maximum transmission unit) size for the Calico plugin. |

View File

@ -8,9 +8,9 @@ Docker UCP supports Network File System (NFS) persistent volumes for
Kubernetes. To enable this feature on a UCP cluster, you need to set up
an NFS storage volume provisioner.
> Kubernetes storage drivers
> ### Kubernetes storage drivers
>
> Currently, NFS is the only Kubernetes storage driver that UCP supports.
>NFS is one of the Kubernetes storage drivers that UCP supports. See [Kubernetes Volume Drivers](https://success.docker.com/article/compatibility-matrix#kubernetesvolumedrivers) in the Compatibility Matrix for the full list.
{: important}
## Enable NFS volume provisioning
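Review bot: The new body line starts with `>NFS is one of ...` with no space after `>`, unlike the other blockquote lines in this block. The title line was also changed to `> ### Kubernetes storage drivers`, which puts a level-3 heading inside a callout styled by `{: important}`. Check that this renders as a callout title and does not add an entry to the page outline ahead of the `## Enable NFS volume provisioning` section.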

View File

@ -42,12 +42,22 @@ this.
## Avoid IP range conflicts
The `service-cluster-ip-range` Kubernetes API Server flag is currently set to `10.96.0.0/16` and cannot be changed.
Swarm uses a default address pool of `10.0.0.0/16` for its overlay networks. If this conflicts with your current network implementation, please use a custom IP address pool. To specify a custom IP address pool, use the `--default-address-pool` command line option during [Swarm initialization](../../../../engine/swarm/swarm-mode.md).
**NOTE:** Currently, the UCP installation process does not support this flag. To deploy with a custom IP pool, Swarm must first be installed using this flag and UCP must be installed on top of it.
> **Note**: Currently, the UCP installation process does not support this flag. To deploy with a custom IP pool, Swarm must first be installed using this flag and UCP must be installed on top of it.
Kubernetes uses a default cluster IP pool for pods that is `192.168.0.0/16`. If it conflicts with your current networks, please use a custom IP pool by specifying `--pod-cidr` during UCP installation.
## Avoid firewall conflicts
For SUSE Linux Enterprise Server 12 SP2 (SLES12), the `FW_LO_NOTRACK` flag is turned on by default in the openSUSE firewall. This speeds up packet processing on the loopback interface, and breaks certain firewall setups that need to redirect outgoing packets via custom rules on the local machine.
To turn off the FW_LO_NOTRACK option, edit the `/etc/sysconfig/SuSEfirewall2` file and set `FW_LO_NOTRACK="no"`. Save the file and restart the firewall or reboot.
For For SUSE Linux Enterprise Server 12 SP3, the default value for `FW_LO_NOTRACK` was changed to `no`.
## Time synchronization
In distributed systems like Docker UCP, time synchronization is critical
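Review bot: The added "Avoid firewall conflicts" section has a doubled word in its last sentence ("For For SUSE Linux Enterprise Server 12 SP3") and leaves FW_LO_NOTRACK unformatted in "To turn off the FW_LO_NOTRACK option" while using backticks everywhere else. The first paragraph joins the benefit and the breakage with "and" ("speeds up packet processing ..., and breaks certain firewall setups"), where "but" is meant. It also calls the firewall "the openSUSE firewall" in a sentence about SLES, which is worth confirming.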

View File

@ -84,6 +84,14 @@ host types:
| managers | TCP 12386 | Internal | Port for the authentication worker |
| managers | TCP 12388 | Internal | Internal Port for the Kubernetes API Server |
## Avoid firewall conflicts
For SUSE Linux Enterprise Server 12 SP2 (SLES12), the `FW_LO_NOTRACK` flag is turned on by default in the openSUSE firewall. This speeds up packet processing on the loopback interface, and breaks certain firewall setups that need to redirect outgoing packets via custom rules on the local machine.
To turn off the FW_LO_NOTRACK option, edit the `/etc/sysconfig/SuSEfirewall2` file and set `FW_LO_NOTRACK="no"`. Save the file and restart the firewall or reboot.
For For SUSE Linux Enterprise Server 12 SP3, the default value for `FW_LO_NOTRACK` was changed to `no`.
## Enable ESP traffic
For overlay networks with encryption to work, you need to ensure that
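Review bot: This section is a verbatim copy of the "Avoid firewall conflicts" text added to the installation planning page in the same commit, including the "For For SUSE Linux Enterprise Server 12 SP3" typo and the unformatted FW_LO_NOTRACK. Fix the typo here too, and consider keeping the text in one place with a link from the other page so the guidance on `/etc/sysconfig/SuSEfirewall2` stays consistent.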

View File

@ -29,7 +29,7 @@ Learn about [UCP system requirements](system-requirements.md).
Ensure that your cluster nodes meet the minimum requirements for port openings.
[Ports used](system-requirements.md/#ports-used) are documented in the UCP system requirements.
> Note: If you are upgrading a cluster to UCP 3.0.2 or higher on Microsoft
> **Note**: If you are upgrading a cluster to UCP 3.0.2 or higher on Microsoft
> Azure then please ensure all of the Azure [prerequisites](install-on-azure.md/#azure-prerequisites)
> are met.
@ -56,17 +56,17 @@ to install the Docker Enterprise Edition.
Starting with the manager nodes, and then worker nodes:
1. Log into the node using ssh.
2. Upgrade the Docker Engine to version 17.06.2-ee-8 or higher. See [Upgrade Docker EE](https://docs.docker.com/ee/upgrade/).
2. Upgrade the Docker Engine to version 18.09.0 or higher. See [Upgrade Docker EE](https://docs.docker.com/ee/upgrade/).
3. Make sure the node is healthy.
In your browser, navigate to the **Nodes** page in the UCP web UI,
In your browser, navigate to **Nodes** in the UCP web interface,
and check that the node is healthy and is part of the cluster.
## Upgrade UCP
You can upgrade UCP from the web UI or the CLI.
You can upgrade UCP from the web or the command line interface.
### Use the UI to perform an upgrade
### Use the web interface to perform an upgrade
When an upgrade is available for a UCP installation, a banner appears.
@ -77,17 +77,17 @@ It can be found under the **Upgrade** tab of the **Admin Settings** section.
![](../../images/upgrade-ucp-2.png){: .with-border}
In the **Available Versions** dropdown, select **3.0.0** and click
In the **Available Versions** dropdown, select the version you want to update to and click
**Upgrade UCP**.
During the upgrade, the UI will be unavailable, and you should wait
During the upgrade, the web interface will be unavailable, and you should wait
until completion before continuing to interact with it. When the upgrade
completes, you'll see a notification that a newer version of the UI
is available and a browser refresh is required to see the latest UI.
completes, you'll see a notification that a newer version of the web interface
is available and a browser refresh is required to see it.
### Use the CLI to perform an upgrade
To upgrade from the CLI, log into a UCP manager node using ssh, and run:
To upgrade from the CLI, log into a UCP manager node using SSH, and run:
```
# Get the latest version of UCP
@ -100,10 +100,10 @@ docker container run --rm -it \
upgrade --interactive
```
This runs the upgrade command in interactive mode, so that you are prompted
for any necessary configuration values.
This runs the upgrade command in interactive mode, which will prompt you
for required configuration values.
Once the upgrade finishes, navigate to the UCP web UI and make sure that
Once the upgrade finishes, navigate to the UCP web interface and make sure that
all the nodes managed by UCP are healthy.
## Where to go next

View File

@ -53,7 +53,7 @@ built-in collection, `/Shared`.
Other collections are also being created to enable shared `db` applications.
> **Note:** For increased security with node-based isolation, use Docker
> **Note**: For increased security with node-based isolation, use Docker
> Enterprise Advanced.
- `/Shared/mobile` hosts all Mobile applications and resources.
@ -107,7 +107,7 @@ collection boundaries. By assigning multiple grants per team, the Mobile and
Payments applications teams can connect to dedicated Database resources through
a secure and controlled interface, leveraging Database networks and secrets.
> **Note:** In Docker Enterprise Standard, all resources are deployed across the
> **Note**: In Docker Enterprise Standard, all resources are deployed across the
> same group of UCP worker nodes. Node segmentation is provided in Docker
> Enterprise Advanced and discussed in the [next tutorial](ee-advanced.md).

View File

@ -40,7 +40,14 @@ can be nested inside one another, to create hierarchies.
You can nest collections inside one another. If a user is granted permissions
for one collection, they'll have permissions for its child collections,
pretty much like a directory structure..
pretty much like a directory structure. As of UCP `3.1`, the ability to create a nested
collection of more than 2 layers deep within the root `/Swarm/` collection has been deprecated.
The following image provides two examples of nested collections with the recommended maximum
of two nesting layers. The first example illustrates an environment-oriented collection, and the second
example illustrates an application-oriented collection.
![](../images/nested-collection.png){: .with-border}
For a child collection, or for a user who belongs to more than one team, the
system concatenates permissions from multiple roles into an "effective role" for

Binary file not shown.


Binary file not shown.


Binary file not shown.


View File

@ -125,7 +125,7 @@ $> curl -vs -H "Host: demo.local" http://127.0.0.1/ping
You can use `docker service scale demo=10` to add some more replicas. Once scaled, you will notice that requests are pinned
to a specific backend.
Note: due to the way the IP hashing works for extensions, you will notice a new upstream address when scaling replicas. This is
expected as internally the proxy uses the new set of replicas to decide on a backend on which to pin. Once the upstreams are
determined a new "sticky" backend will be chosen and that will be the dedicated upstream.
> **Note**: due to the way the IP hashing works for extensions, you will notice a new upstream address when scaling replicas. This is
> expected as internally the proxy uses the new set of replicas to decide on a backend on which to pin. Once the upstreams are
> determined a new "sticky" backend will be chosen and that will be the dedicated upstream.

View File

@ -143,7 +143,7 @@ using a version of `curl` that includes the SNI header with insecure requests.
If this doesn't happen, `curl` displays an error saying that the SSL handshake
was aborterd.
> ***NOTE:*** Currently there is no way to update expired certificates using this method.
> **Note**: Currently there is no way to update expired certificates using this method.
> The proper way is to create a new secret then update the corresponding service.
## Let your service handle TLS

View File

@ -27,8 +27,8 @@ $> docker service create \
ehazlett/websocket-chat
```
Note: for this to work you must have an entry for `demo.local` in your local hosts (i.e. `/etc/hosts`) file.
This uses the browser for websocket communication so you will need to have an entry or use a routable domain.
> **Note**: for this to work you must have an entry for `demo.local` in your local hosts (i.e. `/etc/hosts`) file.
> This uses the browser for websocket communication so you will need to have an entry or use a routable domain.
Interlock will detect once the service is available and publish it. Once the tasks are running
and the proxy service has been updated the application should be available via `http://demo.local`. Open

View File

@ -32,8 +32,8 @@ Instances must have the following [AWS Identity and Access Management](https://d
### Infrastructure Configuration
- Apply the roles and policies to Kubernetes masters and workers as indicated in the above chart.
- EC2 instances must be set to the private DNS hostname of the instance (will typically end in `.internal`)
- EC2 instances must also be labeled with the key `KubernetesCluster` with a matching value across all nodes.
- Set the hostname of the EC2 instances to the private DNS hostname of the instance. See [DNS Hostnames](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html#vpc-dns-hostnames) and [To change the system hostname without a public DNS name](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-hostname.html#set-hostname-system) for more details.
- Label the EC2 instances with the key `KubernetesCluster` and assign the same value across all nodes, for example, `UCPKubenertesCluster`.
### Cluster Configuration
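Review bot: The example value in the new labeling bullet is misspelled: `UCPKubenertesCluster` should be `UCPKubernetesCluster`. Readers copy example label values verbatim, and the bullet requires the same value across all nodes, so fix the spelling before this lands.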

View File

@ -11,7 +11,7 @@ UCP supports certified third-party Container Networking Interface (CNI) plugins.
built-in [Calico](https://github.com/projectcalico/cni-plugin) plugin, but you can override that and
install a Docker certified plugin.
***NOTE:*** The `--cni-installer-url` option is deprecated as of UCP 3.1. It is replaced by the `--unmanaged-cni` option.
> **Note**: The `--cni-installer-url` option is deprecated as of UCP 3.1. It is replaced by the `--unmanaged-cni` option.
# Install UCP with a custom CNI plugin
@ -27,9 +27,10 @@ docker container run --rm -it --name ucp \
--unmanaged-cni <true|false> \
--interactive
```
***NOTE:*** Setting `--unmanaged-cni` to `true` value installs UCP without a managed CNI plugin. UCP and the
Kubernetes components will be running but pod-to-pod networking will not function until a CNI plugin is manually
installed. This will impact some functionality of UCP until a CNI plugin is running.
> **Note**: Setting `--unmanaged-cni` to `true` value installs UCP without a managed CNI plugin. UCP and the
> Kubernetes components will be running but pod-to-pod networking will not function until a CNI plugin is manually
> installed. This will impact some functionality of UCP until a CNI plugin is running.
You must provide a correct YAML installation file for the CNI plugin, but most
of the default files work on Docker EE with no modification.
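Review bot: In the reformatted note, "Setting `--unmanaged-cni` to `true` value installs UCP" is ungrammatical; drop "value" so it reads "Setting `--unmanaged-cni` to `true` installs UCP without a managed CNI plugin". The closing sentence ("This will impact some functionality of UCP") would be more useful if it named what is affected, given that pod-to-pod networking does not function until a plugin is installed.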

View File

@ -38,6 +38,8 @@ upgrade your installation to the latest release.
* Non-admin users can no longer create `PersistentVolumes` that mount host directories. (docker/orca#15936)
* Added support for the limit arg in `docker ps`. (docker/orca#15812)
* Fixed an issue with ucp-proxy health check. (docker/orca#15814, docker/orca#15813, docker/orca#16021, docker/orca#15811)
* Fixed an issue with manual creation of a **ClusterRoleBinding** or **RoleBinding** for `User` or `Group` subjects requiring the ID of the user, organization, or team. (docker/orca#14935)
* Fixed an issue in which Kube Rolebindings only worked on UCP User ID and not UCP username. (docker/orca#14935)
### Known issue
* By default, Kubelet begins deleting images, starting with the oldest unused images, after exceeding 85% disk space utilization. This causes an issue in an air-gapped environment. (docker/orca#16082)
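Review bot: The two added bullets both cite docker/orca#14935 and describe the same behavior (role bindings for `User` or `Group` subjects needing the UCP ID rather than the name), so the release note lists one fix twice. Keep one bullet, and use one spelling for the object, since the first says **RoleBinding** and the second says "Kube Rolebindings".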
@ -191,7 +193,9 @@ There are several backward-incompatible changes in the Kubernetes API that may a
The following features are deprecated in UCP 3.1.
* Collections
* User-created nested collections more than 2 layers deep within the root `/Swarm/` collection are deprecated and will be removed in future versions of the product. In the future, we recommend that at most only two levels of collections be created within UCP under the shared Cluster collection designated as `/Swarm/`. For example, if a production collection is created as a collection under the cluster collection `/Swarm/` as `/Swarm/production/` then at most one level of nestedness should be created, as in `/Swarm/production/app/`.
* The ability to create a nested collection of more than 2 layers deep within the root `/Swarm/` collection is now deprecated and will not be included in future versions of the product. However, current nested collections with more than 2 layers are still retained.
* Docker recommends a maximum of two layers when creating collections within UCP under the shared cluster collection designated as `/Swarm/`. For example, if a production collection called `/Swarm/production` is created under the shared cluster collection, `/Swarm/`, then only one level of nesting should be created: `/Swarm/production/app/`. See [Nested Collections](/ee/ucp/authorization/group-resources/#nested-collections) for more details.
* Kubernetes
* **PersistentVolumeLabel** admission controller is deprecated in Kubernetes 1.11. This functionality will be migrated to [Cloud Controller Manager](https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/](https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/)
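Review bot: The Kubernetes bullet directly below the rewritten Collections text has a malformed link: the Cloud Controller Manager URL is repeated with `](` in the middle, so it will not render as a link. Reduce it to a single link target and end the sentence with a period. In the new bullets, also settle on either "2 layers" or "two layers".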

View File

@ -11,7 +11,7 @@ redirect_from:
In Docker Engine - Enterprise 18.09, significant architectural improvements were made to the network
architecture in Swarm to increase the performance and scale of the built-in load balancing functionality.
> ***NOTE:*** These changes introduce new constraints to the Docker Engine - Enterprise upgrade process that,
> **Note**: These changes introduce new constraints to the Docker Engine - Enterprise upgrade process that,
> if not correctly followed, can have impact on the availability of applications running on the Swarm. These
> constraints impact any upgrades coming from any version before 18.09 to version 18.09 or greater.

View File

@ -26,7 +26,7 @@ on your hub/store account after starting the trial or paid license. This allows
upgrade operations to work as expected and keep them current as long as your license is still
valid and has not expired.
> ***NOTE:*** You can use the `docker engine update` command. However, if you continue to use
> **Note**: You can use the `docker engine update` command. However, if you continue to use
> the CE packages, the OS package will no longer replace the active daemon binary during apt/yum
> updates, so you are responsible for performing the `docker engine update` operation periodically
> to keep your engine up to date.
@ -61,10 +61,10 @@ Server: Docker Engine - Community
2. Log into the Docker engine from the command line.
**NOTE:** When running the command `docker login`, the shell stores the credentials in the current user's home
directory. RHEL and Ubuntu-based Linux distributions have different behavior for sudo. RHEL sets $HOME to point
to `/root` while Ubuntu leaves `$HOME` pointing to the user's home directory who ran `sudo` and this can cause
permission and access problems when switching between `sudo` and non-sudo'd commands.
> **Note**: When running the command `docker login`, the shell stores the credentials in the current user's home
> directory. RHEL and Ubuntu-based Linux distributions have different behavior for sudo. RHEL sets $HOME to point
> to `/root` while Ubuntu leaves `$HOME` pointing to the user's home directory who ran `sudo` and this can cause
> permission and access problems when switching between `sudo` and non-sudo'd commands.
For Ubuntu or Debian:
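Review bot: In the rewritten `docker login` note, the first `$HOME` ("RHEL sets $HOME to point") is not in backticks while the second one is; format both as code. Because this note is about where credentials end up, it would help to state the consequence directly: on RHEL, credentials saved under `sudo` land in `/root` rather than in the invoking user's home directory.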

View File

@ -16,13 +16,13 @@ Docker EE is a superset of all the features in Docker CE. It incorporates defect
that you can use in environments where new features cannot be adopted as quickly for
consistency and compatibility reasons.
> ***NOTE:***
> **Note**:
> New in 18.09 is an aligned release model for Docker Engine - Community and Docker
> Engine - Enterprise. The new versioning scheme is YY.MM.x where x is an incrementing
> patch version. The enterprise engine is a superset of the community engine. They
> will ship concurrently with the same x patch version based on the same code base.
> ***NOTE:***
> **Note**:
> The client and container runtime are now in separate packages from the daemon in
> Docker Engine 18.09. Users should install and update all three packages at the same time
> to get the latest patch releases. For example, on Ubuntu:
@ -224,8 +224,7 @@ As of EE 2.2, Docker will deprecate support for Device Mapper as a storage drive
time, but support will be removed in a future release. Docker will continue to support Device Mapper for existing
EE 2.0 and 2.1 customers. Please contact Sales for more information.
Docker recommends that existing customers [migrate to using Overlay2 for the storage driver]
(https://success.docker.com/article/how-do-i-migrate-an-existing-ucp-cluster-to-the-overlay2-graph-driver).
Docker recommends that existing customers [migrate to using Overlay2 for the storage driver](https://success.docker.com/article/how-do-i-migrate-an-existing-ucp-cluster-to-the-overlay2-graph-driver).
The [Overlay2 storage driver](https://docs.docker.com/storage/storagedriver/overlayfs-driver/) is now the
default for Docker engine implementations.
@ -236,14 +235,16 @@ For more information on the list of deprecated flags and APIs, have a look at th
In this release, Docker has also removed support for TLS < 1.2 [moby/moby#37660](https://github.com/moby/moby/pull/37660),
Ubuntu 14.04 "Trusty Tahr" [docker-ce-packaging#255](https://github.com/docker/docker-ce-packaging/pull/255) / [docker-ce-packaging#254](https://github.com/docker/docker-ce-packaging/pull/254), and Debian 8 "Jessie" [docker-ce-packaging#255](https://github.com/docker/docker-ce-packaging/pull/255) / [docker-ce-packaging#254](https://github.com/docker/docker-ce-packaging/pull/254).
### 18.03.1-ee-6
## Older Docker Engine EE Release notes
## 18.03.1-ee-6
2019-02-11
### Security fixes for Docker Engine - Enterprise
* Update `runc` to address a critical vulnerability that allows specially-crafted containers to gain administrative privileges on the host. [CVE-2019-5736](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736)
* Ubuntu 14.04 customers using a 3.13 kernel will need to upgrade to a supported Ubuntu 4.x kernel
### 18.03.1-ee-5
## 18.03.1-ee-5
2019-01-09
### Security fixes
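Review bot: The added `## Older Docker Engine EE Release notes` heading is at the same level as `## 18.03.1-ee-6` right after it, so the version entries become siblings of the grouping heading rather than children of it. If older releases are meant to sit under that heading in the page outline, keep the version headings one level below it or raise the grouping heading a level.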
@ -256,35 +257,11 @@ Ubuntu 14.04 "Trusty Tahr" [docker-ce-packaging#255](https://github.com/docker/d
* Fix resource leak on `docker logs --follow` [moby/moby#37576](https://github.com/moby/moby/pull/37576)
* Mask proxy credentials from URL when displayed in system info (docker/escalation#879)
### 17.06.2-ee-19
2019-02-11
### Security fixes for Docker Engine - Enterprise
* Update `runc` to address a critical vulnerability that allows specially-crafted containers to gain administrative privileges on the host. [CVE-2019-5736](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736)
* Ubuntu 14.04 customers using a 3.13 kernel will need to upgrade to a supported Ubuntu 4.x kernel
### 17.06.2-ee-18
2019-01-09
### Security fixes
* Upgraded Go language to 1.10.6 to resolve CVE-2018-16873, CVE-2018-16874, and CVE-2018-16875.
* Added `/proc/asound` to masked paths
* Fixed authz plugin for 0-length content and path validation.
### Fixes for Docker Engine EE
* Disable kmem accounting in runc on RHEL/CentOS (docker/escalation#614, docker/escalation#692)
* Fix resource leak on `docker logs --follow` [moby/moby#37576](https://github.com/moby/moby/pull/37576)
* Mask proxy credentials from URL when displayed in system info (docker/escalation#879)
## Older Docker Engine EE Release notes
### 18.03.1-ee-4
## 18.03.1-ee-4
2018-10-25
> *** NOTE: *** If you're deploying UCP or DTR, use Docker EE Engine 18.09 or higher. 18.03 is an engine only release.
> **Note**: If you're deploying UCP or DTR, use Docker EE Engine 18.09 or higher. 18.03 is an engine only release.
#### Client
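Review bot: After promoting the version heading to `## 18.03.1-ee-4`, the component heading beneath it is still `#### Client`, which skips a level, whereas other entries in this file use `### Security fixes` directly under the version. Promote the `####` component headings to `###` in the same change so the outline is consistent.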
@ -307,59 +284,7 @@ Ubuntu 14.04 "Trusty Tahr" [docker-ce-packaging#255](https://github.com/docker/d
* Fixed the logic used for skipping over running tasks. [docker/swarmkit#2724](https://github.com/docker/swarmkit/pull/2724)
* Addressed unassigned task leak when a service is removed. [docker/swarmkit#2709](https://github.com/docker/swarmkit/pull/2709)
### 18.03.1-ee-3
2018-08-30
#### Builder
* Fix: no error if build args are missing during docker build. [docker/engine#25](https://github.com/docker/engine/pull/25)
* Ensure RUN instruction to run without healthcheck. [moby/moby#37413](https://github.com/moby/moby/pull/37413)
#### Client
* Fix manifest list to always use correct size. [docker/cli#1156](https://github.com/docker/cli/pull/1156)
* Various shell completion script updates. [docker/cli#1159](https://github.com/docker/cli/pull/1159) [docker/cli#1227](https://github.com/docker/cli/pull/1227)
* Improve version output alignment. [docker/cli#1204](https://github.com/docker/cli/pull/1204)
#### Runtime
* Disable CRI plugin listening on port 10010 by default. [docker/engine#29](https://github.com/docker/engine/pull/29)
* Update containerd to v1.1.2. [docker/engine#33](https://github.com/docker/engine/pull/33)
* Windows: Pass back system errors on container exit. [moby/moby#35967](https://github.com/moby/moby/pull/35967)
* Windows: Fix named pipe support for hyper-v isolated containers. [docker/engine#2](https://github.com/docker/engine/pull/2) [docker/cli#1165](https://github.com/docker/cli/pull/1165)
* Register OCI media types. [docker/engine#4](https://github.com/docker/engine/pull/4)
#### Swarm Mode
* Clean up tasks in dirty list for which the service has been deleted. [docker/swarmkit#2694](https://github.com/docker/swarmkit/pull/2694)
* Propagate the provided external CA certificate to the external CA object in swarm. [docker/cli#1178](https://github.com/docker/cli/pull/1178)
2018-10-25
> ***NOTE:*** If you're deploying UCP or DTR, use Docker EE Engine 18.09 or higher. 18.03 is an engine only release.
#### Client
* Fixed help message flags on docker stack commands and child commands. [docker/cli#1251](https://github.com/docker/cli/pull/1251)
* Fixed typo breaking zsh docker update autocomplete. [docker/cli#1232](https://github.com/docker/cli/pull/1232)
### Networking
* Added optimizations to reduce the messages in the NetworkDB queue. [docker/libnetwork#2225](https://github.com/docker/libnetwork/pull/2225)
* Fixed a very rare condition where managers are not correctly triggering the reconnection logic. [docker/libnetwork#2226](https://github.com/docker/libnetwork/pull/2226)
* Changed loglevel from error to warning for missing disable_ipv6 file. [docker/libnetwork#2224](https://github.com/docker/libnetwork/pull/2224)
#### Runtime
* Fixed denial of service with large numbers in cpuset-cpus and cpuset-mems. [moby/moby#37967](https://github.com/moby/moby/pull/37967)
* Added stability improvements for devicemapper shutdown. [moby/moby#36307](https://github.com/moby/moby/pull/36307) [moby/moby#36438](https://github.com/moby/moby/pull/36438)
#### Swarm Mode
* Fixed the logic used for skipping over running tasks. [docker/swarmkit#2724](https://github.com/docker/swarmkit/pull/2724)
* Addressed unassigned task leak when a service is removed. [docker/swarmkit#2709](https://github.com/docker/swarmkit/pull/2709)
### 18.03.1-ee-3
## 18.03.1-ee-3
2018-08-30
#### Builder
@ -386,7 +311,7 @@ Ubuntu 14.04 "Trusty Tahr" [docker-ce-packaging#255](https://github.com/docker/d
* Clean up tasks in dirty list for which the service has been deleted. [docker/swarmkit#2694](https://github.com/docker/swarmkit/pull/2694)
* Propagate the provided external CA certificate to the external CA object in swarm. [docker/cli#1178](https://github.com/docker/cli/pull/1178)
### 18.03.1-ee-2
## 18.03.1-ee-2
2018-07-10
> #### Important notes about this release
@ -399,7 +324,7 @@ Ubuntu 14.04 "Trusty Tahr" [docker-ce-packaging#255](https://github.com/docker/d
+ Add /proc/acpi to masked paths [(CVE-2018-10892)](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10892). [moby/moby#37404](https://github.com/moby/moby/pull/37404)
### 18.03.1-ee-1
## 18.03.1-ee-1
2018-06-27
> #### Important notes about this release
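Review bot: The CVE link in the context line above the renamed `18.03.1-ee-1` heading uses `cvename.cgi?name=2018-10892`, without the `CVE-` prefix that the other links in this file use (`name=CVE-2019-5736`). Worth correcting to `name=CVE-2018-10892` while these sections are being edited.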
@ -423,7 +348,29 @@ Ubuntu 14.04 "Trusty Tahr" [docker-ce-packaging#255](https://github.com/docker/d
+ Support for `--chown` with `COPY` and `ADD` in `Dockerfile`.
+ Added functionality for the `docker logs` command to include the output of multiple logging drivers.
### 17.06.2-ee-17
## 17.06.2-ee-19
2019-02-11
### Security fixes for Docker Engine - Enterprise
* Update `runc` to address a critical vulnerability that allows specially-crafted containers to gain administrative privileges on the host. [CVE-2019-5736](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736)
* Ubuntu 14.04 customers using a 3.13 kernel will need to upgrade to a supported Ubuntu 4.x kernel
## 17.06.2-ee-18
2019-01-09
### Security fixes
* Upgraded Go language to 1.10.6 to resolve CVE-2018-16873, CVE-2018-16874, and CVE-2018-16875.
* Added `/proc/asound` to masked paths
* Fixed authz plugin for 0-length content and path validation.
### Fixes for Docker Engine EE
* Disable kmem accounting in runc on RHEL/CentOS (docker/escalation#614, docker/escalation#692)
* Fix resource leak on `docker logs --follow` [moby/moby#37576](https://github.com/moby/moby/pull/37576)
* Mask proxy credentials from URL when displayed in system info (docker/escalation#879)
## 17.06.2-ee-17
2018-10-25
#### Networking
@ -442,7 +389,7 @@ Ubuntu 14.04 "Trusty Tahr" [docker-ce-packaging#255](https://github.com/docker/d
* Fixed leaking task resources. [docker/swarmkit#2755](https://github.com/docker/swarmkit/pull/2755)
* Fixed deadlock in dispatcher that could cause node to crash. [docker/swarmkit#2753](https://github.com/docker/swarmkit/pull/2753)
### 17.06.2-ee-16
## 17.06.2-ee-16
2018-07-26
#### Client
@ -468,7 +415,7 @@ Ubuntu 14.04 "Trusty Tahr" [docker-ce-packaging#255](https://github.com/docker/d
* RoleManager will remove deleted nodes from the cluster membership. [docker/swarmkit#2607](https://github.com/docker/swarmkit/pull/2607)
- Fix unassigned task leak when service is removed. [docker/swarmkit#2708](https://github.com/docker/swarmkit/pull/2708)
### 17.06.2-ee-15
## 17.06.2-ee-15
2018-07-10
#### Runtime
@ -494,21 +441,21 @@ Ubuntu 14.04 "Trusty Tahr" [docker-ce-packaging#255](https://github.com/docker/d
- Fix `docker stack deploy --prune` with empty name removes all swarm services. [moby/moby#36776](https://github.com/moby/moby/issues/36776)
### 17.06.2-ee-13
## 17.06.2-ee-13
2018-06-04
#### Networking
- Fix attachable containers that may leave DNS state when exiting. [docker/libnetwork#2175](https://github.com/docker/libnetwork/pull/2175)
### 17.06.2-ee-12
## 17.06.2-ee-12
2018-05-29
#### Networking
- Fix to allow service update with no connection loss. [docker/libnetwork#2157](https://github.com/docker/libnetwork/pull/2157)
### 17.06.2-ee-11
## 17.06.2-ee-11
2018-05-17
#### Client
@ -533,14 +480,14 @@ Ubuntu 14.04 "Trusty Tahr" [docker-ce-packaging#255](https://github.com/docker/d
* When all Swarm managers are stopped at the same time, the swarm might end up in a
split-brain scenario. [Learn more](https://success.docker.com/article/KB000759).
### 17.06.2-ee-10
## 17.06.2-ee-10
2018-04-27
#### Runtime
* Fix version output to not have `-dev`.
### 17.06.2-ee-9
## 17.06.2-ee-9
2018-04-26
#### Runtime
@ -554,7 +501,7 @@ split-brain scenario. [Learn more](https://success.docker.com/article/KB000759).
- Increase raft ElectionTick to 10xHeartbeatTick. [docker/swarmkit#2564](https://github.com/docker/swarmkit/pull/2564)
- Adding logic to restore networks in order. [docker/swarmkit#2584](https://github.com/docker/swarmkit/pull/2584)
### 17.06.2-ee-8
## 17.06.2-ee-8
2018-04-17
#### Runtime
@ -577,7 +524,7 @@ split-brain scenario. [Learn more](https://success.docker.com/article/KB000759).
workaround, wait for leader election to complete before issuing commands
to the cluster.
### 17.06.2-ee-7
## 17.06.2-ee-7
2018-03-19
#### Important notes about this release
@ -628,7 +575,7 @@ split-brain scenario. [Learn more](https://success.docker.com/article/KB000759).
- Synchronize Dispatcher.Stop() with incoming rpcs [docker/swarmkit#2524](https://github.com/docker/swarmkit/pull/2524)
- Fix IP overlap with empty EndpointSpec [docker/swarmkit#2511](https://github.com/docker/swarmkit/pull/2511)
### 17.06.2-ee-6
## 17.06.2-ee-6
2017-11-27
#### Runtime
@ -645,7 +592,7 @@ split-brain scenario. [Learn more](https://success.docker.com/article/KB000759).
* Only shut down old tasks on success [docker/swarmkit#2308](https://github.com/docker/swarmkit/pull/2308)
* Error on cluster spec name change [docker/swarmkit#2436](https://github.com/docker/swarmkit/pull/2436)
### 17.06.2-ee-5
## 17.06.2-ee-5
2017-11-02
#### Important notes about this release
@ -695,7 +642,7 @@ split-brain scenario. [Learn more](https://success.docker.com/article/KB000759).
* Docker may experience IP exhaustion if many tasks are assigned to a single overlay network, for example if many services are attached to that network or because services on the network are scaled to many replicas. The problem may also manifest when tasks are rescheduled because of node failures. In case of node failure, Docker currently waits 24h to release overlay IP addresses. The problem can be diagnosed by looking for `failed to allocate network IP for task` messages in the Docker logs.
* SELinux enablement is not supported for containers on IBM Z on RHEL because of missing Red Hat package.
### 17.06.2-ee-4
## 17.06.2-ee-4
2017-10-12
#### Client
@ -714,14 +661,14 @@ split-brain scenario. [Learn more](https://success.docker.com/article/KB000759).
* Serialize IP allocation [docker/libnetwork#1788](https://github.com/docker/libnetwork/pull/1788)
### 17.06.2-ee-3
## 17.06.2-ee-3
2017-09-22
#### Swarm mode
- Increase max message size to allow larger snapshots [docker/swarmkit#131](https://github.com/docker/swarmkit/pull/131)
### 17.06.1-ee-2
## 17.06.1-ee-2
2017-08-24
#### Client
@ -741,7 +688,7 @@ split-brain scenario. [Learn more](https://success.docker.com/article/KB000759).
- Ignore PullOptions for running tasks [#2351](https://github.com/docker/swarmkit/pull/2351)
### 17.06.1-ee-1
## 17.06.1-ee-1
2017-08-16
#### Important notes about this release
@ -1017,7 +964,7 @@ not reachable until one of these 2 conditions happens:
As a workaround, send at least a packet out from each container like
(ping, GARP, etc).
### Docker EE 17.03.2-ee-8
## Docker EE 17.03.2-ee-8
2017-12-13
* Handle cleanup DNS for attachable container to prevent leak in name resolution [docker/libnetwork#1999](https://github.com/docker/libnetwork/pull/1999)
@ -1032,7 +979,7 @@ As a workaround, send at least a packet out from each container like
* Don't abort when setting `may_detach_mounts` [moby/moby#35172](https://github.com/moby/moby/pull/35172)
* Protect health monitor channel to prevent engine panic [moby/moby#35482](https://github.com/moby/moby/pull/35482)
### Docker EE 17.03.2-ee-7
## Docker EE 17.03.2-ee-7
2017-10-04
* Fix logic in network resource reaping to prevent memory leak [docker/libnetwork#1944](https://github.com/docker/libnetwork/pull/1944) [docker/libnetwork#1960](https://github.com/docker/libnetwork/pull/1960)
@ -1096,6 +1043,14 @@ Initial Docker EE release, based on Docker CE 17.03.0
## Older Docker Engine CE Release notes
## 18.06.2
2019-02-11
### Security fixes for Docker Engine - Community
* Update `runc` to address a critical vulnerability that allows specially-crafted containers to gain administrative privileges on the host. [CVE-2019-5736](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736)
* Ubuntu 14.04 customers using a 3.13 kernel will need to upgrade to a supported Ubuntu 4.x kernel
## 18.06.1-ce
2018-08-21
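Review bot: The new heading `## 18.06.2` has no `-ce` suffix, unlike `## 18.06.1-ce` immediately below it and the other Community entries in this file. Rename it to match, or note why this release is labeled differently. It also lands under `## Older Docker Engine CE Release notes` although it is dated 2019-02-11; confirm that placement is intended.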
@ -1298,7 +1253,12 @@ Initial Docker EE release, based on Docker CE 17.03.0
- Avoid a leak when a service with unassigned tasks is deleted. [docker/engine#27](https://github.com/docker/engine/pull/27)
- Fix racy batching on the dispatcher. [docker/engine#27](https://github.com/docker/engine/pull/27)
### 18.03.1-ce
## 18.03.1-ce
2018-04-26
## Older Docker Engine CE Release notes
## 18.03.1-ce
2018-04-26
#### Client
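Review bot: This hunk leaves `## 18.03.1-ce` and its date `2018-04-26` in the file twice, with a second `## Older Docker Engine CE Release notes` heading between them; it looks like a merge leftover. Keep a single `## 18.03.1-ce` heading and drop the repeated grouping heading, which already appears earlier in the file.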
@ -1336,7 +1296,7 @@ Initial Docker EE release, based on Docker CE 17.03.0
* Allow for larger preset property values, do not override [docker/libnetwork#2124](https://github.com/docker/libnetwork/pull/2124)
* Prevent panics on concurrent reads/writes when calling `changeNodeState` [docker/libnetwork#2136](https://github.com/docker/libnetwork/pull/2136)
### 18.03.0-ce
## 18.03.0-ce
2018-03-21
#### Builder
@ -1454,7 +1414,7 @@ Initial Docker EE release, based on Docker CE 17.03.0
+ Add swarm types to bash completion event type filter [docker/cli#888](https://github.com/docker/cli/pull/888)
- Fix issue where network inspect does not show Created time for networks in swarm scope [moby/moby#36095](https://github.com/moby/moby/pull/36095)
### 17.12.1-ce
## 17.12.1-ce
2018-02-27
#### Client
@ -1495,7 +1455,7 @@ Initial Docker EE release, based on Docker CE 17.03.0
#### Swarm
* Remove watchMiss from swarm mode [docker/libnetwork#2047](https://github.com/docker/libnetwork/pull/2047)
### 17.12.0-ce
## 17.12.0-ce
2017-12-27
#### Known Issues
@ -1598,7 +1558,7 @@ Initial Docker EE release, based on Docker CE 17.03.0
* Pass Version to engine static builds [docker/docker-ce-packaging#70](https://github.com/docker/docker-ce-packaging/pull/70)
+ Added support for aarch64 on Debian (stretch/jessie) and Ubuntu Zesty or newer [docker/docker-ce-packaging#35](https://github.com/docker/docker-ce-packaging/pull/35)
### 17.09.1-ce
## 17.09.1-ce
2017-12-07
#### Builder
@ -1642,7 +1602,7 @@ Initial Docker EE release, based on Docker CE 17.03.0
- Provide custom gRPC dialer to override default proxy dialer [docker/swarmkit/#2457](https://github.com/docker/swarmkit/pull/2457)
- Avoids recursive readlock on swarm info [moby/moby#35388](https://github.com/moby/moby/pull/35388)
### 17.09.0-ce
## 17.09.0-ce
2017-09-26
#### Builder
@ -1707,7 +1667,7 @@ Initial Docker EE release, based on Docker CE 17.03.0
+ Remove deprecated `--enable-api-cors` daemon flag [moby/moby#34821](https://github.com/moby/moby/pull/34821)
### 17.06.2-ce
## 17.06.2-ce
2017-09-05
#### Client
@ -1723,7 +1683,7 @@ Initial Docker EE release, based on Docker CE 17.03.0
- Ignore PullOptions for running tasks [docker/swarmkit#2351](https://github.com/docker/swarmkit/pull/2351)
### 17.06.1-ce
## 17.06.1-ce
2017-08-15
#### Builder
@ -1779,7 +1739,7 @@ Initial Docker EE release, based on Docker CE 17.03.0
* Cluster update and memory issue fixes [#114](https://github.com/docker/docker-ce/pull/114)
* Changing get network request to return predefined network in swarm [#150](https://github.com/docker/docker-ce/pull/150)
### 17.06.0-ce
## 17.06.0-ce
2017-06-28
> **Note**: Docker 17.06.0 has an issue in the image builder causing a change in the behavior
@ -1884,7 +1844,7 @@ Initial Docker EE release, based on Docker CE 17.03.0
* Disable legacy registry (v1) by default [#33629](https://github.com/moby/moby/pull/33629)
### 17.03.2-ce
## 17.03.2-ce
2017-05-29
## 17.03.3-ce
@ -1917,7 +1877,7 @@ Initial Docker EE release, based on Docker CE 17.03.0
- Fix a case where tasks could get killed unexpectedly [#33118](https://github.com/moby/moby/pull/33118)
- Fix an issue preventing to deploy services if the registry cannot be reached despite the needed images being locally present [#33117](https://github.com/moby/moby/pull/33117)
### 17.03.1-ce
## 17.03.1-ce
2017-03-27
#### Remote API (v1.27) & Client
@ -1950,7 +1910,7 @@ Initial Docker EE release, based on Docker CE 17.03.0
* Cleanup HCS on restore [#31503](https://github.com/docker/docker/pull/31503)
### 17.03.0-ce
## 17.03.0-ce
2017-03-01
**IMPORTANT**: Starting with this release, Docker is on a monthly release cycle and uses a
@ -1999,7 +1959,7 @@ Upgrading from Docker 1.13.1 to 17.03.0 is expected to be simple and low-risk.
## Edge releases
### 18.05.0-ce
## 18.05.0-ce
2018-05-09
#### Builder
@ -2070,7 +2030,7 @@ Upgrading from Docker 1.13.1 to 17.03.0 is expected to be simple and low-risk.
* Expose swarmkit's Raft tuning parameters in engine config. [moby/moby#36726](https://github.com/moby/moby/pull/36726)
* Make internal/test/daemon.Daemon swarm aware. [moby/moby#36826](https://github.com/moby/moby/pull/36826)
### 18.04.0-ce
## 18.04.0-ce
2018-04-10
#### Builder
@ -2152,7 +2112,7 @@ Upgrading from Docker 1.13.1 to 17.03.0 is expected to be simple and low-risk.
- Fix agent logging race. [docker/swarmkit#2578](https://github.com/docker/swarmkit/pull/2578)
* Adding logic to restore networks in order. [docker/swarmkit#2571](https://github.com/docker/swarmkit/pull/2571)
### 18.02.0-ce
## 18.02.0-ce
2018-02-07
#### Builder
@ -2218,7 +2178,7 @@ Upgrading from Docker 1.13.1 to 17.03.0 is expected to be simple and low-risk.
* Update runc to fix hang during start and exec [moby/moby#36097](https://github.com/moby/moby/pull/36097)
- Fix "--node-generic-resource" singular/plural [moby/moby#36125](https://github.com/moby/moby/pull/36125)
### 18.01.0-ce
## 18.01.0-ce
2018-01-10
#### Builder
@ -2276,7 +2236,7 @@ Upgrading from Docker 1.13.1 to 17.03.0 is expected to be simple and low-risk.
- Fix published ports not being updated if a service has the same number of host-mode published ports with Published Port 0 [docker/swarmkit#2376](https://github.com/docker/swarmkit/pull/2376)
* Make the task termination order deterministic [docker/swarmkit#2265](https://github.com/docker/swarmkit/pull/2265)
### 17.11.0-ce
## 17.11.0-ce
2017-11-20
> **Important**: Docker CE 17.11 is the first Docker release based on
@ -2349,7 +2309,7 @@ running, un-managed, on the system.
+ Build packages for Debian 10 (Buster) [docker/docker-ce-packaging#50](https://github.com/docker/docker-ce-packaging/pull/50)
+ Build packages for Ubuntu 17.10 (Artful) [docker/docker-ce-packaging#55](https://github.com/docker/docker-ce-packaging/pull/55)
### 17.10.0-ce
## 17.10.0-ce
2017-10-17
> **Important**: Starting with this release, `docker service create`, `docker service update`,
@ -2399,7 +2359,7 @@ use `--detach` to keep the old behaviour.
- Do not filter nodes if logdriver is set to `none` [docker/swarmkit#2396](https://github.com/docker/swarmkit/pull/2396)
+ Adding ipam options to ipam driver requests [docker/swarmkit#2324](https://github.com/docker/swarmkit/pull/2324)
### 17.07.0-ce
## 17.07.0-ce
2017-08-29
#### API & Client
@ -2462,7 +2422,7 @@ use `--detach` to keep the old behaviour.
* Fix error during service creation if a network with the same name exists both as "local" and "swarm" scoped network [docker/cli#184](https://github.com/docker/cli/pull/184)
* (experimental) Add support for plugins on swarm [moby/moby#33575](https://github.com/moby/moby/pull/33575)
### 17.05.0-ce
## 17.05.0-ce
2017-05-04
#### Builder
@ -2549,7 +2509,7 @@ use `--detach` to keep the old behaviour.
- Deprecate `--api-enable-cors` daemon flag. This flag was marked deprecated in Docker 1.6.0 but not listed in deprecated features [#32352](https://github.com/docker/docker/pull/32352)
- Remove Ubuntu 12.04 (Precise Pangolin) as supported platform. Ubuntu 12.04 is EOL, and no longer receives updates [#32520](https://github.com/docker/docker/pull/32520)
### 17.04.0-ce
## 17.04.0-ce
2017-04-05
#### Builder

View File

@ -102,7 +102,7 @@ Docker clients.
For client authentication, create a client key and certificate signing
request:
> **Note:** for simplicity of the next couple of steps, you may perform this
> **Note**: for simplicity of the next couple of steps, you may perform this
> step on the Docker daemon's host machine as well.
$ openssl genrsa -out key.pem 4096

View File

@ -16,7 +16,7 @@ My process is as following:
lots of things to see and manually answer, as openssl wants to be interactive
**NOTE:** make sure you enter the hostname (`boot2docker` in my case) when prompted for `Computer Name`)
> **Note**: make sure you enter the hostname (`boot2docker` in my case) when prompted for `Computer Name`)
root@boot2docker:/# sudo make run
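Review bot: The converted note ends with an unmatched `)` after `Computer Name`; the old line had the same stray character and it was carried over into the new one. Remove it as part of this reformat.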

View File

@ -26,7 +26,7 @@ the `docker swarm join` command. The node only uses the token at join time. If
you subsequently rotate the token, it doesn't affect existing swarm nodes. Refer
to [Run Docker Engine in swarm mode](swarm-mode.md#view-the-join-command-or-update-a-swarm-join-token).
**NOTE:** Docker engine allows a non-FIPS node to join a FIPS-enabled swarm cluster.
> **Note**: Docker engine allows a non-FIPS node to join a FIPS-enabled swarm cluster.
While a mixed FIPS environment makes upgrading or changing status easier, Docker recommends not running a mixed FIPS environment in production.
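Review bot: Only the first sentence of the FIPS note is prefixed with `>`; the recommendation that follows ("Docker recommends not running a mixed FIPS environment in production") sits on an unprefixed line. Prefix it too if it belongs to the note, so the production guidance is rendered together with the statement it qualifies.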

View File

@ -208,7 +208,7 @@ Multiple pools can be configured if discontiguous address space is required. How
The default mask length can be configured and is the same for all networks. It is set to `/24` by default. To change the default subnet mask length, use the `--default-addr-pool-mask-length` command line option.
**NOTE:** Default address pools can only be configured on `swarm init` and cannot be altered after cluster creation.
> **Note**: Default address pools can only be configured on `swarm init` and cannot be altered after cluster creation.
##### Overlay network size limitations

View File

@ -143,18 +143,28 @@ named it the same as shown in this example, the name is
`getstartedlab_web`. The service ID is listed as well, along with the number of
replicas, image name, and exposed ports.
Alternatively, you can run `docker stack services`, followed by the name of
your stack. The following example command lets you view all services associated with the
`getstartedlab` stack:
```bash
docker stack services getstartedlab
ID NAME MODE REPLICAS IMAGE PORTS
bqpve1djnk0x getstartedlab_web replicated 5/5 username/repo:tag *:4000->80/tcp
```
A single container running in a service is called a **task**. Tasks are given unique
IDs that numerically increment, up to the number of `replicas` you defined in
`docker-compose.yml`. List the tasks for your service:
```shell
```bash
docker service ps getstartedlab_web
```
Tasks also show up if you just list all the containers on your system, though that
is not filtered by service:
```shell
```bash
docker container ls -q
```
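
Review bot: The new `docker stack services getstartedlab` fence puts the command and its sample output together under `bash` with no prompt, so copying the block pastes the table rows into the shell as well. Move the output into its own unlabelled fence, or prefix the command with `$ ` as other pages in this commit do. The `shell` to `bash` fence change itself looks fine.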
@ -168,6 +178,18 @@ load-balancing; with each request, one of the 5 tasks is chosen, in a
round-robin fashion, to respond. The container IDs match your output from
the previous command (`docker container ls -q`).
To view all tasks of a stack, you can run `docker stack ps` followed by your app name, as shown in the following example:
```bash
docker stack ps getstartedlab
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
uwiaw67sc0eh getstartedlab_web.1 username/repo:tag docker-desktop Running Running 9 minutes ago
sk50xbhmcae7 getstartedlab_web.2 username/repo:tag docker-desktop Running Running 9 minutes ago
c4uuw5i6h02j getstartedlab_web.3 username/repo:tag docker-desktop Running Running 9 minutes ago
0dyb70ixu25s getstartedlab_web.4 username/repo:tag docker-desktop Running Running 9 minutes ago
aocrb88ap8b0 getstartedlab_web.5 username/repo:tag docker-desktop Running Running 9 minutes ago
```
> Running Windows 10?
>
> Windows 10 PowerShell should already have `curl` available, but if not you can
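
Review bot: The added sentence says "followed by your app name", while the paragraph added in the previous hunk says "followed by the name of your stack" for the same `getstartedlab` argument. Use "stack name" in both places so readers do not look for a separate app identifier.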

View File

@ -56,7 +56,7 @@ networks, are preserved. The Docker CE package is now called `docker-ce`.
### Supported storage drivers
Docker CE on Ubuntu supports `overlay2`, `aufs` and `btrfs` storage drivers.
> *** Note: *** In Docker Engine - Enterprise, `btrfs` is only supported on SLES. See the documentation on
> **Note**: In Docker Engine - Enterprise, `btrfs` is only supported on SLES. See the documentation on
> [btrfs](/engine/userguide/storagedriver/btrfs-driver.md) for more details.
For new installations on version 4 and higher of the Linux kernel, `overlay2`

View File

@ -57,7 +57,7 @@ $ cat /proc/sys/crypto/fips_enabled
1
```
> ***NOTE:*** FIPS is only supported in the Docker Engine EE. UCP and DTR currently do not have support for FIPS-140-2.
> **Note**: FIPS is only supported in the Docker Engine EE. UCP and DTR currently do not have support for FIPS-140-2.
To enable FIPS 140-2 compliance on a system that is not in FIPS 140-2 mode, do the following:

View File

@ -164,7 +164,7 @@ Before you install Docker EE for the first time on a new host machine, you need
to set up the Docker repository. Afterward, you can install and update Docker EE
from the repository.
> ***NOTE:*** If you need to run Docker EE 2.0, please see the following instructions:
> **Note**: If you need to run Docker EE 2.0, please see the following instructions:
> * [18.03](https://docs.docker.com/v18.03/ee/supported-platforms/) - Older Docker EE Engine only release
> * [17.06](https://docs.docker.com/v17.06/engine/installation/) - Docker Enterprise Edition 2.0 (Docker Engine,
> UCP, and DTR).
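
Review bot: This note reads "If you need to run Docker EE 2.0", while the otherwise identical note changed in the next file reads "something other than Docker EE 2.0", and both carry the same 18.03 and 17.06 links. The restyling is a good moment to reconcile the two lead sentences so each states which versions the links are for.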

View File

@ -137,7 +137,7 @@ from the repository.
4. Temporarily add a `$DOCKER_EE_VERSION` variable into your environment.
> ***NOTE:*** If you need to run something other than Docker EE 2.0, please see the following instructions:
> **Note**: If you need to run something other than Docker EE 2.0, please see the following instructions:
> * [18.03](https://docs.docker.com/v18.03/ee/supported-platforms/) - Older Docker EE Engine only release
> * [17.06](https://docs.docker.com/v17.06/engine/installation/) - Docker Enterprise Edition 2.0 (Docker Engine,
> UCP, and DTR).

View File

@ -14,28 +14,32 @@ Docker Engine - Enterprise enables native Docker containers on Windows Server. W
> Release notes
>
> [Release notes for all versions](/release-notes/)
> [Release notes for all versions](/engine/release-notes/)
## System requirements
Windows OS requirements around specific CPU and RAM requirements also need to be met as specified
in the [Windows Server Requirements](https://docs.microsoft.com/en-us/windows-server/get-started/system-requirements).
This provides information for specific CPU and memory specs and capabilities (instruction sets like CMPXCHG16b,
LAHF/SAHF, and PrefetchW, security: DEP/NX, etc.).
Windows OS requirements around specific CPU and RAM requirements also need to be
met as specified in the [Windows Server
Requirements](https://docs.microsoft.com/en-us/windows-server/get-started/system-requirements).
This provides information for specific CPU and memory specs and capabilities
(instruction sets like CMPXCHG16b, LAHF/SAHF, and PrefetchW, security: DEP/NX,
etc.).
* OS Versions: Server 2016 (Core and GUI), 1709 and 1803
* OS Versions:
- Long Term Service Channel (LTSC) - 2016 and 2019 (Core and GUI)
- Semi-annual Channel (SAC) - 1709, 1803 and 1809
* RAM: 4GB
* Disk space: [32 GB minimum recommendation for Windows](https://docs.microsoft.com/en-us/windows-server/get-started/system
requirements). An additional 32 GB of Space is recommended for base images for ServerCore and NanoServer along with buffer
space for workload containers running IIS, SQL Server and .Net apps.
* Disk space: [32 GB minimum recommendation for Windows](https://docs.microsoft.com/en-us/windows-server/get-started/system-requirements).
Docker recommends an additional 32 GB of space for base images for ServerCore
and NanoServer along with buffer space for workload containers running IIS, SQL Server and .Net apps.
## Install Docker Engine - Enterprise
Docker Engine - Enterprise requires Windows Server 2016, 1703, or 1803. See
[What to know before you install](#what-to-know-before-you-install) for a
full list of prerequisites.
To install the Docker Engine - Enterprise on your hosts, Docker provides a
[OneGet](https://github.com/oneget/oneget) PowerShell Module.
1. Open a PowerShell command prompt, and type the following commands.
1. Open an elevated PowerShell command prompt, and type the following commands.
```powershell
Install-Module DockerMsftProvider -Force
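
Review bot: The sentence under `## Install Docker Engine - Enterprise`, "requires Windows Server 2016, 1703, or 1803", disagrees with the OS list this hunk introduces (LTSC 2016 and 2019; SAC 1709, 1803 and 1809). If that sentence stays, update it or replace it with a pointer to System requirements so the supported versions are stated in one place. The switch to "elevated PowerShell command prompt" in step 1 is a good addition.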
@ -87,19 +91,28 @@ Select option `6) Download and Install Updates`.
### FIPS 140-2 cryptographic module support
[Federal Information Processing Standards (FIPS) Publication 140-2](https://csrc.nist.gov/csrc/media/publications/fips/140/2/final/documents/fips1402.pdf) is a United States Federal security requirement for cryptographic modules.
[Federal Information Processing Standards (FIPS) Publication
140-2](https://csrc.nist.gov/csrc/media/publications/fips/140/2/final/documents/fips1402.pdf)
is a United States Federal security requirement for cryptographic modules.
With Docker EE Basic license for versions 18.09 and later, Docker provides FIPS 140-2 support in Windows Server 2016. This includes a FIPS supported cryptographic module. If the Windows implementation already has FIPS support enabled, FIPS is automatically enabled in the Docker engine.
With Docker EE Basic license for versions 18.09 and later, Docker provides FIPS
140-2 support in Windows Server. This includes a FIPS supported cryptographic
module. If the Windows implementation already has FIPS support enabled, FIPS is
automatically enabled in the Docker engine.
**NOTE:** FIPS 140-2 is only supported in the Docker EE engine. UCP and DTR currently do not have support for FIPS 140-2.
To enable FIPS 140-2 compliance on a system that is not in FIPS 140-2 mode, execute the following command in PowerShell:
> **Note**: FIPS 140-2 is only supported in the Docker EE engine. UCP and DTR currently do not have support for FIPS 140-2.
To enable FIPS 140-2 compliance on a system that is not in FIPS 140-2 mode,
execute the following command in PowerShell:
```powershell
[System.Environment]::SetEnvironmentVariable("DOCKER_FIPS", "1", "Machine")
```
FIPS 140-2 mode may also be enabled via the Windows Registry. To update the pertinent registry key, execute the following PowerShell command as an Administrator:
FIPS 140-2 mode may also be enabled via the Windows Registry. To update the
pertinent registry key, execute the following PowerShell command as an
Administrator:
```powershell
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\" -Name "Enabled" -Value "1"
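
Review bot: The `SetEnvironmentVariable("DOCKER_FIPS", "1", "Machine")` step is introduced with "execute the following command in PowerShell", while only the registry step says "as an Administrator". Writing a Machine-scope variable also needs an elevated session, so say so for both steps. The reworded paragraph also drops "2016" from "FIPS 140-2 support in Windows Server"; if that is meant to cover every OS version listed under System requirements, state it explicitly, otherwise keep the version.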
@ -119,12 +132,12 @@ Labels:
com.docker.security.fips=enabled
```
**NOTE:** If the system has the FIPS-140-2 cryptographic module installed on the operating system, it is possible to disable FIPS-140-2 compliance. To disable FIPS-140-2 in Docker but not the operating system, set the value `"DOCKER_FIPS","0"` in the `[System.Environment]`.`
> **Note**: If the system has the FIPS-140-2 cryptographic module installed on the operating system, it is possible to disable FIPS-140-2 compliance. To disable FIPS-140-2 in Docker but not the operating system, set the value `"DOCKER_FIPS","0"` in the `[System.Environment]`.`
## Use a script to install Docker EE
Use the following steps when you want to install manually, script automated
installs, or install on air-gapped systems.
Use the following guide if you wanted to install the Docker Engine - Enterprise
manually, via a script, or on air-gapped systems.
1. In a PowerShell command prompt, download the installer archive on a machine
that has a connection.
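
Review bot: The rewritten note still ends with "in the `[System.Environment]`.`", which leaves a stray backtick after the period and an instruction that does not say what to run. Spell it out in the same form as the enable step, i.e. the `SetEnvironmentVariable` call with `"DOCKER_FIPS", "0"`. In the new intro sentence, "if you wanted to install" should be "if you want to install".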
@ -192,7 +205,8 @@ Docker {{ site.docker_ee_version }} Docker
### Updating the DockerMsftProvider
Installing specific Docker EE versions may require an update to previously installed DockerMsftProvider modules. To update:
Installing specific Docker EE versions may require an update to previously
installed DockerMsftProvider modules. To update:
```powershell
Update-Module DockerMsftProvider
@ -202,16 +216,19 @@ Then open a new PowerShell session for the update to take effect.
## Update Docker Engine - Enterprise
To update Docker Engine - Enterprise to the most recent release, specify the `-RequiredVersion` and `-Update` flags:
To update Docker Engine - Enterprise to the most recent release, specify the
`-RequiredVersion` and `-Update` flags:
```powershell
Install-Package -Name docker -ProviderName DockerMsftProvider -RequiredVersion {{ site.docker_ee_version }} -Update -Force
```
The required version must match any of the versions available in this json file: https://dockermsft.blob.core.windows.net/dockercontainer/DockerMsftIndex.json
The required version number must match a versions available on the [JSON
index](https://dockermsft.blob.core.windows.net/dockercontainer/DockerMsftIndex.json)
## Uninstall Docker EE
Use the following commands to completely remove the Docker Engine - Enterprise from a Windows Server:
Use the following commands to completely remove the Docker Engine - Enterprise
from a Windows Server:
1. Leave any active Docker Swarm
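
Review bot: In the reworded sentence after the `Install-Package` example, "must match a versions available on the [JSON index]" has a number disagreement and no closing period. Suggest "must match one of the versions available in the JSON index."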
@ -245,20 +262,11 @@ The required version must match any of the versions available in this json file:
Remove-Item -Path "C:\ProgramData\Docker" -Recurse -Force
```
## Preparing a Docker EE Engine for use with UCP
## Preparing a Windows Host for use with UCP
Run the
[UCP installation script for Windows](/ee/ucp/admin/configure/join-nodes/join-windows-nodes-to-cluster/#run-the-windows-node-setup-script).
Start the Docker service:
```powershell
Start-Service Docker
```
* **What the Docker Engine - Enterprise install includes**: The installation
provides [Docker Engine](/engine/userguide/intro.md) and the
[Docker CLI client](/engine/reference/commandline/cli.md).
To add a Windows Server host to an existing Universal Control Plane cluster
please follow the list of [prerequisites and joining
instructions](/ee/ucp/admin/configure/join-nodes/join-windows-nodes-to-cluster/#run-the-windows-node-setup-script).
## About Docker Engine - Enterprise containers and Windows Server
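
Review bot: The new link text promises "prerequisites and joining instructions", but the target keeps the `#run-the-windows-node-setup-script` fragment, which points at the script section rather than the start of the page. Drop the fragment or narrow the link text. The hunk also removes the `Start-Service Docker` step; confirm the install section above still tells readers to start the service. A comma is missing after "cluster".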
@ -269,9 +277,6 @@ provides a tutorial on how to set up and run Windows containers on Windows 10
or Windows Server 2016. It shows you how to use a MusicStore application with
Windows containers.
* [Setup - Windows Server 2016 (Lab)](https://github.com/docker/labs/blob/master/windows/windows-containers/Setup-Server2016.md)
describes environment setup in detail.
* Docker Container Platform for Windows Server [articles and blog
posts](https://www.docker.com/microsoft/) on the Docker website.

View File

@ -7,7 +7,7 @@ title: Microsoft Azure
You need an Azure Subscription to use this Docker Machine driver.
[Sign up for a free trial.][trial]
> **NOTE:** This documentation is for the new version of the Azure driver, which started
> **Note**: This documentation is for the new version of the Azure driver, which started
> shipping with v0.7.0. This driver is not backwards-compatible with the old
> Azure driver. If you want to continue managing your existing Azure machines, please
> download and use machine versions prior to v0.7.0.

View File

@ -230,7 +230,7 @@ preferred because it is somewhat self-documenting.
</tr>
<tr>
<td><tt>-p 8080:80/tcp -p 8080:80/udp</tt> or <br /><tt>-p published=8080,target=80,protocol=tcp -p published=8080,target=80,protocol=udp</tt></td>
<td>Map TCP port 80 on the service to TCP port 8080 on the routing mesh, and map UDP port 80 on the service to UDP port 8080 on the routine mesh.</td>
<td>Map TCP port 80 on the service to TCP port 8080 on the routing mesh, and map UDP port 80 on the service to UDP port 8080 on the routing mesh.</td>
</tr>
</table>

File diff suppressed because it is too large

View File

@ -23,11 +23,13 @@ After installing DTR, you can join additional DTR replicas using `docker/dtr joi
## Example Usage
```bash
$ docker run -it --rm docker/dtr:{{ site.dtr_version }}.0 install \
--ucp-node <UCP_NODE_HOSTNAME> \
--ucp-insecure-tls
```
> Note: Use `--ucp-ca "$(cat ca.pem)"` instead of `--ucp-insecure-tls` for a production deployment.
> **Note**: Use `--ucp-ca "$(cat ca.pem)"` instead of `--ucp-insecure-tls` for a production deployment.
## Options
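
Review bot: The only fenced example in this section still installs with `--ucp-insecure-tls`, and the verified form appears only in the note beneath it. Consider making `--ucp-ca "$(cat ca.pem)"` the fenced example and describing `--ucp-insecure-tls` as the test-only shortcut, so that copy-paste yields an install that verifies the UCP certificate. The `$ ` prompt inside the new `bash` fence will also be copied along with the command.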

View File

@ -42,41 +42,42 @@ command.
| Option | Description |
|:-------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `--debug, D` | Enable debug mode |
| `--jsonlog` | Produce json formatted output for easier parsing |
| `--interactive, i` | Run in interactive mode and prompt for configuration values |
| `--admin-username` | The UCP administrator username |
| `--admin-password` | The UCP administrator password |
| `--san` | Add subject alternative names to certificates (e.g. --san www1.acme.com --san www2.acme.com) | | `--unmanaged-cni` | This determines who manages the CNI plugin, using `true` or `false`. The default is `false`. The `true` value installs UCP without a managed CNI plugin. UCP and the Kubernetes components will be running but pod to pod networking will not function until a CNI plugin is manually installed. This will impact some functionality of UCP until a CNI plugin is running. |
| `--host-address` | The network address to advertise to other nodes. Format: IP address or network interface name |
| `--data-path-addr` | Address or interface to use for data path traffic. Format: IP address or network interface name |
| `--controller-port` | Port for the web UI and API |
| `--kube-apiserver-port` | Port for the Kubernetes API server (default: 6443) |
| `--swarm-port` | Port for the Docker Swarm manager. Used for backwards compatibility |
| `--swarm-grpc-port` | Port for communication between nodes |
| `--admin-username` | The UCP administrator username |
| `--binpack` | Set the Docker Swarm scheduler to binpack mode. Used for backwards compatibility |
| `--cloud-provider` | The cloud provider for the cluster
| `--cni-installer-url` | Deprecated feature. A URL pointing to a Kubernetes YAML file to be used as an installer for the CNI plugin of the cluster. If specified, the default CNI plugin is not installed. If the URL uses the HTTPS scheme, no certificate verification is performed. |
| `--unmanaged-cni` | flag to indicate if cni provider is calico and managed by UCP (calico is the default CNI provider). The default value is "true" when using the default Calico CNI. |
| `--pod-cidr` | Kubernetes cluster IP pool for the pods to allocated IPs from (Default: `192.168.0.0/16`) |
| `--cloud-provider` | The cloud provider for the cluster |
| `--dns` | Set custom DNS servers for the UCP containers |
| `--dns-opt` | Set DNS options for the UCP containers |
| `--dns-search` | Set custom DNS search domains for the UCP containers |
| `--unlock-key` | The unlock key for this swarm-mode cluster, if one exists. |
| `--existing-config` | Use the latest existing UCP config during this installation. The install fails if a config is not found. |
| `--force-minimums` | Force the install/upgrade even if the system doesn't meet the minimum requirements. |
| `--pull` | Pull UCP images: `always`, when `missing`, or `never` |
| `--registry-username` | Username to use when pulling images |
| `--registry-password` | Password to use when pulling images |
| `--kv-timeout` | Timeout in milliseconds for the key-value store |
| `--kv-snapshot-count` | Number of changes between key-value store snapshots |
| `--swarm-experimental` | Enable Docker Swarm experimental features. Used for backwards compatibility |
| `--controller-port` | Port for the web UI and API
| `--data-path-addr` | Address or interface to use for data path traffic. Format: IP address or network interface name
| `--debug, D` | Enable debug mode |
| `--disable-tracking` | Disable anonymous tracking and analytics |
| `--disable-usage` | Disable anonymous usage reporting |
| `--external-server-cert` | Use the certificates in the `ucp-controller-server-certs` volume instead of generating self-signed certs during installation |
| `--preserve-certs` | Don't generate certificates if they already exist |
| `--binpack` | Set the Docker Swarm scheduler to binpack mode. Used for backwards compatibility |
| `--random` | Set the Docker Swarm scheduler to random mode. Used for backwards compatibility |
| `--external-service-lb` | Set the external service load balancer reported in the UI |
| `--dns` | Set custom DNS servers for the UCP containers |
| `--dns-opt` | Set DNS options for the UCP containers |
| `--dns-search` | Set custom DNS search domains for the UCP containers |
| `--enable-profiling` | Enable performance profiling |
| `--license` | Add a license: e.g.` --license "$(cat license.lic)" ` |
| `--existing-config` | Use the latest existing UCP config during this installation. The install fails if a config is not found. |
| `--external-server-cert` | Use the certificates in the `ucp-controller-server-certs` volume instead of generating self-signed certs during installation |
| `--external-service-lb` | Set the external service load balancer reported in the UI |
| `--force-insecure-tcp` | Force install to continue even with unauthenticated Docker Engine ports |
| `--force-minimums` | Force the install/upgrade even if the system doesn't meet the minimum requirements. |
| `--host-address` | The network address to advertise to other nodes. Format: IP address or network interface name |
| `--interactive, i` | Run in interactive mode and prompt for configuration values |
| `--jsonlog` | Produce json formatted output for easier parsing |
| `--kube-apiserver-port` | Port for the Kubernetes API server (default: 6443) |
| `--kv-snapshot-count` | Number of changes between key-value store snapshots |
| `--kv-timeout` | Timeout in milliseconds for the key-value store |
| `--license` | Add a license: e.g.` --license "$(cat license.lic)" ` |
| `--pod-cidr` | Kubernetes cluster IP pool for the pods to allocated IPs from (Default: `192.168.0.0/16`) |
| `--preserve-certs` | Don't generate certificates if they already exist |
| `--pull` | Pull UCP images: `always`, when `missing`, or `never` |
| `--random` | Set the Docker Swarm scheduler to random mode. Used for backwards compatibility |
| `--registry-username` | Username to use when pulling images |
| `--registry-password` | Password to use when pulling images |
| `--san` | Add subject alternative names to certificates (e.g. --san www1.acme.com --san www2.acme.com) |
| `--skip-cloud-provider` | Disables checks that rely on detecting the cloud provider (if any) on which the cluster is currently running. |
| `--swarm-experimental` | Enable Docker Swarm experimental features. Used for backwards compatibility |
| `--swarm-port` | Port for the Docker Swarm manager. Used for backwards compatibility |
| `--swarm-grpc-port` | Port for communication between nodes |
| `--unlock-key` | The unlock key for this swarm-mode cluster, if one exists. |
| `--unmanaged-cni` |The default value of `false` indicates that Kubernetes networking is managed by UCP with its default managed CNI plugin, Calico. When set to `true`, UCP does not deploy or manage the lifecycle of the default CNI plugin - the CNI plugin is deployed and managed independently of UCP. Note that when `unmanaged-cni=true`, networking in the cluster will not function for Kubernetes until a CNI plugin is deployed. |
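
Review bot: Three of the re-sorted rows, the first `--cloud-provider`, `--controller-port` and `--data-path-addr`, have no closing `|`, unlike every other row, and the final `--unmanaged-cni` row has no space after its second `|` and writes the flag as `unmanaged-cni=true` without the leading dashes. Please also check that the sort leaves exactly one `--cloud-provider` and one `--unmanaged-cni` row, since both names appear more than once in this hunk. While the descriptions are being edited, `--cni-installer-url` ("no certificate verification is performed") and `--force-insecure-tcp` would benefit from a pointer to the safer alternative.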

View File

@ -7,7 +7,7 @@ title: Get help
If you need help, or just want to chat, you can reach us:
- on the [Docker forums](https://forums.docker.com/c/open-source-projects/opensrcreg).
- on the [Docker community Slack](https://dockercommunity.slack.com/messages/C31GQCJN7/).
- on the [Docker community Slack](https://blog.docker.com/2016/11/introducing-docker-community-directory-docker-community-slack/).
- on the [mailing list](https://groups.google.com/a/dockerproject.org/forum/#!forum/distribution) (mail at <distribution@dockerproject.org>).
If you want to report a bug:

View File

@ -38,7 +38,7 @@ you want through the secondary authentication mechanism implemented inside your
proxy, it also requires that you move TLS termination from the Registry to the
proxy itself.
> ***NOTE:*** Docker does not recommend binding your registry to `localhost:5000` without
> **Note**: Docker does not recommend binding your registry to `localhost:5000` without
> authentication. This creates a potential loophole in your Docker Registry security.
> As a result, anyone who can log on to the server where your Docker Registry is running
> can push images without authentication.

View File

@ -954,7 +954,7 @@ naming scheme accordingly before upgrading.
- Containers dependencies can now be set up to wait on positive healthchecks
when declared using `depends_on`. See the documentation for the updated
syntax.
**Note:** This feature will not be ported to version 3 Compose files.
**Note**: This feature will not be ported to version 3 Compose files.
- Added support for the `sysctls` parameter in service definitions

View File

@ -44,7 +44,7 @@ use unless you have substantial experience with ZFS on Linux.
and push existing images to Docker Hub or a private repository, so that you
do not need to re-create them later.
> ***NOTE:*** There is no need to use `MountFlags=slave` with Docker Engine 18.09 or
> **Note**: There is no need to use `MountFlags=slave` with Docker Engine 18.09 or
> later because `dockerd` and `containerd` are in different mount namespaces.
## Configure Docker with the `zfs` storage driver