ddeyo 2018-10-15 13:54:09 -07:00
parent 9df2f34b75
commit c63d0e786e
7 changed files with 1 additions and 1077 deletions


@ -1,68 +0,0 @@
<p>Docker UCP integrates with LDAP directory services, so that you can manage
users and groups from your organizations directory and automatically
propagate this information to UCP and DTR. You can set up your clusters LDAP
configuration by using the UCP web UI, or you can use a
<a href="../ucp-configuration-file.md">UCP configuration file</a>.</p>
<p>To see an example TOML config file that shows how to configure UCP settings,
run UCP with the <code class="highlighter-rouge">example-config</code> option.
<a href="../ucp-configuration-file.md">Learn about UCP configuration files</a>.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>docker container run <span class="nt">--rm</span> /: example-config
</code></pre></div></div>
<h2 id="set-up-ldap-by-using-a-configuration-file">Set up LDAP by using a configuration file</h2>
<ol>
<li>
<p>Use the following command to extract the name of the currently active
configuration from the <code class="highlighter-rouge">ucp-agent</code> service.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>
<span class="nv">$ CURRENT_CONFIG_NAME</span><span class="o">=</span><span class="k">$(</span>docker service inspect <span class="nt">--format</span> <span class="s1">'{{ range $config := .Spec.TaskTemplate.ContainerSpec.Configs }}{{ $config.ConfigName }}{{ "\n" }}{{ end }}'</span> ucp-agent | <span class="nb">grep</span> <span class="s1">'com.docker.ucp.config-'</span><span class="k">)</span>
</code></pre></div> </div>
</li>
<li>
<p>Get the current configuration and save it to a TOML file.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>
docker config inspect <span class="nt">--format</span> <span class="s1">'{{ printf "%s" .Spec.Data }}'</span> <span class="nv">$CURRENT_CONFIG_NAME</span> <span class="o">&gt;</span> config.toml
</code></pre></div> </div>
</li>
<li>
<p>Use the output of the <code class="highlighter-rouge">example-config</code> command as a guide to edit your
<code class="highlighter-rouge">config.toml</code> file. Under the <code class="highlighter-rouge">[auth]</code> sections, set <code class="highlighter-rouge">backend = "ldap"</code>
and <code class="highlighter-rouge">[auth.ldap]</code> to configure LDAP integration the way you want.</p>
</li>
<li>
<p>Once youve finished editing your <code class="highlighter-rouge">config.toml</code> file, create a new Docker
Config object by using the following command.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">NEW_CONFIG_NAME</span><span class="o">=</span><span class="s2">"com.docker.ucp.config-</span><span class="k">$((</span> <span class="k">$(</span>cut <span class="nt">-d</span> <span class="s1">'-'</span> <span class="nt">-f</span> 2 <span class="o">&lt;&lt;&lt;</span> <span class="s2">"</span><span class="nv">$CURRENT_CONFIG_NAME</span><span class="s2">"</span><span class="k">)</span> <span class="o">+</span> <span class="m">1</span> <span class="k">))</span><span class="s2">"</span>
docker config create <span class="nv">$NEW_CONFIG_NAME</span> config.toml
</code></pre></div> </div>
</li>
<li>
<p>Update the <code class="highlighter-rouge">ucp-agent</code> service to remove the reference to the old config
and add a reference to the new config.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>docker service update <span class="nt">--config-rm</span> <span class="s2">"</span><span class="nv">$CURRENT_CONFIG_NAME</span><span class="s2">"</span> <span class="nt">--config-add</span> <span class="s2">"source=</span><span class="k">${</span><span class="nv">NEW_CONFIG_NAME</span><span class="k">}</span><span class="s2">,target=/etc/ucp/ucp.toml"</span> ucp-agent
</code></pre></div> </div>
</li>
<li>
<p>Wait a few moments for the <code class="highlighter-rouge">ucp-agent</code> service tasks to update across
your cluster. If you set <code class="highlighter-rouge">jit_user_provisioning = true</code> in the LDAP
configuration, users matching any of your specified search queries will
have their accounts created when they log in with their username and LDAP
password.</p>
</li>
</ol>
<h2 id="where-to-go-next">Where to go next</h2>
<ul>
<li><a href="../../../authorization/create-users-and-teams-manually.md">Create users and teams manually</a></li>
<li><a href="../../../authorization/create-teams-with-ldap.md">Create teams with LDAP</a></li>
</ul>
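Review bot: the rendered command near the top of this hunk, `docker container run --rm /: example-config`, shows an empty image reference (`/:`), which means the page's image and version variables were not substituted in this rendering; if the page is being moved rather than dropped, confirm those variables resolve at the new location. The six-step config-swap procedure (extracting `CURRENT_CONFIG_NAME` from `ucp-agent`, `docker config create`, then `docker service update --config-rm ... --config-add ...`) and the `jit_user_provisioning = true` caveat are the only place this workflow is documented in the deleted set, and the next hunk's "Where to go next" list still links to `enable-ldap-config-file.md`, so this deletion needs a redirect or an updated link target to go with it.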


@ -1,351 +0,0 @@
<p>Docker UCP integrates with LDAP directory services, so that you can manage
users and groups from your organizations directory and it will automatically
propagate that information to UCP and DTR.</p>
<p>If you enable LDAP, UCP uses a remote directory server to create users
automatically, and all logins are forwarded to the directory server.</p>
<p>When you switch from built-in authentication to LDAP authentication,
all manually created users whose usernames dont match any LDAP search results
are still available.</p>
<p>When you enable LDAP authentication, you can choose whether UCP creates user
accounts only when users log in for the first time. Select the
<strong>Just-In-Time User Provisioning</strong> option to ensure that the only LDAP
accounts that exist in UCP are those that have had a user log in to UCP.</p>
<h2 id="how-ucp-integrates-with-ldap">How UCP integrates with LDAP</h2>
<p>You control how UCP integrates with LDAP by creating searches for users.
You can specify multiple search configurations, and you can specify multiple
LDAP servers to integrate with. Searches start with the <code class="highlighter-rouge">Base DN</code>, which is
the <em>distinguished name</em> of the node in the LDAP directory tree where the
search starts looking for users.</p>
<p>Access LDAP settings by navigating to the <strong>Authentication &amp; Authorization</strong>
page in the UCP web UI. There are two sections for controlling LDAP searches
and servers.</p>
<ul>
<li><strong>LDAP user search configurations:</strong> This is the section of the
<strong>Authentication &amp; Authorization</strong> page where you specify search
parameters, like <code class="highlighter-rouge">Base DN</code>, <code class="highlighter-rouge">scope</code>, <code class="highlighter-rouge">filter</code>, the <code class="highlighter-rouge">username</code> attribute,
and the <code class="highlighter-rouge">full name</code> attribute. These searches are stored in a list, and
the ordering may be important, depending on your search configuration.</li>
<li><strong>LDAP server:</strong> This is the section where you specify the URL of an LDAP
server, TLS configuration, and credentials for doing the search requests.
Also, you provide a domain for all servers but the first one. The first
server is considered the default domain server. Any others are associated
with the domain that you specify in the page.</li>
</ul>
<p>Heres what happens when UCP synchronizes with LDAP:</p>
<ol>
<li>UCP creates a set of search results by iterating over each of the user
search configs, in the order that you specify.</li>
<li>UCP choses an LDAP server from the list of domain servers by considering the
<code class="highlighter-rouge">Base DN</code> from the user search config and selecting the domain server that
has the longest domain suffix match.</li>
<li>If no domain server has a domain suffix that matches the <code class="highlighter-rouge">Base DN</code> from the
search config, UCP uses the default domain server.</li>
<li>UCP combines the search results into a list of users and creates UCP
accounts for them. If the <strong>Just-In-Time User Provisioning</strong> option is set,
user accounts are created only when users first log in.</li>
</ol>
<p>The domain server to use is determined by the <code class="highlighter-rouge">Base DN</code> in each search config.
UCP doesnt perform search requests against each of the domain servers, only
the one which has the longest matching domain suffix, or the default if theres
no match.</p>
<p>Heres an example. Lets say we have three LDAP domain servers:</p>
<table>
<thead>
<tr>
<th>Domain</th>
<th>Server URL</th>
</tr>
</thead>
<tbody>
<tr>
<td><em>default</em></td>
<td>ldaps://ldap.example.com</td>
</tr>
<tr>
<td><code class="highlighter-rouge">dc=subsidiary1,dc=com</code></td>
<td>ldaps://ldap.subsidiary1.com</td>
</tr>
<tr>
<td><code class="highlighter-rouge">dc=subsidiary2,dc=subsidiary1,dc=com</code></td>
<td>ldaps://ldap.subsidiary2.com</td>
</tr>
</tbody>
</table>
<p>Here are three user search configs with the following <code class="highlighter-rouge">Base DNs</code>:</p>
<ul>
<li>
<p>baseDN=<code class="highlighter-rouge">ou=people,dc=subsidiary1,dc=com</code></p>
<p>For this search config, <code class="highlighter-rouge">dc=subsidiary1,dc=com</code> is the only server with a
domain which is a suffix, so UCP uses the server <code class="highlighter-rouge">ldaps://ldap.subsidiary1.com</code>
for the search request.</p>
</li>
<li>
<p>baseDN=<code class="highlighter-rouge">ou=product,dc=subsidiary2,dc=subsidiary1,dc=com</code></p>
<p>For this search config, two of the domain servers have a domain which is a
suffix of this base DN, but <code class="highlighter-rouge">dc=subsidiary2,dc=subsidiary1,dc=com</code> is the
longer of the two, so UCP uses the server <code class="highlighter-rouge">ldaps://ldap.subsidiary2.com</code>
for the search request.</p>
</li>
<li>
<p>baseDN=<code class="highlighter-rouge">ou=eng,dc=example,dc=com</code></p>
<p>For this search config, there is no server with a domain specified which is
a suffix of this base DN, so UCP uses the default server, <code class="highlighter-rouge">ldaps://ldap.example.com</code>,
for the search request.</p>
</li>
</ul>
<p>If there are <code class="highlighter-rouge">username</code> collisions for the search results between domains, UCP
uses only the first search result, so the ordering of the user search configs
may be important. For example, if both the first and third user search configs
result in a record with the username <code class="highlighter-rouge">jane.doe</code>, the first has higher
precedence and the second is ignored. For this reason, its important to choose
a <code class="highlighter-rouge">username</code> attribute thats unique for your users across all domains.</p>
<p>Because names may collide, its a good idea to use something unique to the
subsidiary, like the email address for each person. Users can log in with the
email address, for example, <code class="highlighter-rouge">jane.doe@subsidiary1.com</code>.</p>
<h2 id="configure-the-ldap-integration">Configure the LDAP integration</h2>
<p>To configure UCP to create and authenticate users by using an LDAP directory,
go to the UCP web UI, navigate to the <strong>Admin Settings</strong> page and click
<strong>Authentication &amp; Authorization</strong> to select the method used to create and
authenticate users.</p>
<p><img src="../../../images/authentication-authorization.png" alt="" /></p>
<p>In the <strong>LDAP Enabled</strong> section, click <strong>Yes</strong> to The LDAP settings appear.
Now configure your LDAP directory integration.</p>
<h2 id="default-role-for-all-private-collections">Default role for all private collections</h2>
<p>Use this setting to change the default permissions of new users.</p>
<p>Click the dropdown to select the permission level that UCP assigns by default
to the private collections of new users. For example, if you change the value
to <code class="highlighter-rouge">View Only</code>, all users who log in for the first time after the setting is
changed have <code class="highlighter-rouge">View Only</code> access to their private collections, but permissions
remain unchanged for all existing users.
<a href="../../../authorization/define-roles.md">Learn more about permission levels</a>.</p>
<h2 id="ldap-enabled">LDAP enabled</h2>
<p>Click <strong>Yes</strong> to enable integrating UCP users and teams with LDAP servers.</p>
<h2 id="ldap-server">LDAP server</h2>
<table>
<thead>
<tr>
<th style="text-align: left">Field</th>
<th style="text-align: left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left">LDAP server URL</td>
<td style="text-align: left">The URL where the LDAP server can be reached.</td>
</tr>
<tr>
<td style="text-align: left">Reader DN</td>
<td style="text-align: left">The distinguished name of the LDAP account used for searching entries in the LDAP server. As a best practice, this should be an LDAP read-only user.</td>
</tr>
<tr>
<td style="text-align: left">Reader password</td>
<td style="text-align: left">The password of the account used for searching entries in the LDAP server.</td>
</tr>
<tr>
<td style="text-align: left">Use Start TLS</td>
<td style="text-align: left">Whether to authenticate/encrypt the connection after connecting to the LDAP server over TCP. If you set the LDAP Server URL field with <code class="highlighter-rouge">ldaps://</code>, this field is ignored.</td>
</tr>
<tr>
<td style="text-align: left">Skip TLS verification</td>
<td style="text-align: left">Whether to verify the LDAP server certificate when using TLS. The connection is still encrypted but vulnerable to man-in-the-middle attacks.</td>
</tr>
<tr>
<td style="text-align: left">No simple pagination</td>
<td style="text-align: left">If your LDAP server doesnt support pagination.</td>
</tr>
<tr>
<td style="text-align: left">Just-In-Time User Provisioning</td>
<td style="text-align: left">Whether to create user accounts only when users log in for the first time. The default value of <code class="highlighter-rouge">true</code> is recommended. If you upgraded from UCP 2.0.x, the default is <code class="highlighter-rouge">false</code>.</td>
</tr>
</tbody>
</table>
<p><img src="../../../images/ldap-integration-1.png" alt="" class="with-border" /></p>
<p>Click <strong>Confirm</strong> to add your LDAP domain.</p>
<p>To integrate with more LDAP servers, click <strong>Add LDAP Domain</strong>.</p>
<h2 id="ldap-user-search-configurations">LDAP user search configurations</h2>
<table>
<thead>
<tr>
<th style="text-align: left">Field</th>
<th style="text-align: left">Description</th>
<th> </th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left">Base DN</td>
<td style="text-align: left">The distinguished name of the node in the directory tree where the search should start looking for users.</td>
<td> </td>
</tr>
<tr>
<td style="text-align: left">Username attribute</td>
<td style="text-align: left">The LDAP attribute to use as username on UCP. Only user entries with a valid username will be created. A valid username is no longer than 100 characters and does not contain any unprintable characters, whitespace characters, or any of the following characters: <code class="highlighter-rouge">/</code> <code class="highlighter-rouge">\</code> <code class="highlighter-rouge">[</code> <code class="highlighter-rouge">]</code> <code class="highlighter-rouge">:</code> <code class="highlighter-rouge">;</code> <code class="highlighter-rouge">|</code> <code class="highlighter-rouge">=</code> <code class="highlighter-rouge">,</code> <code class="highlighter-rouge">+</code> <code class="highlighter-rouge">*</code> <code class="highlighter-rouge">?</code> <code class="highlighter-rouge">&lt;</code> <code class="highlighter-rouge">&gt;</code> <code class="highlighter-rouge">'</code> <code class="highlighter-rouge">"</code>.</td>
<td> </td>
</tr>
<tr>
<td style="text-align: left">Full name attribute</td>
<td style="text-align: left">The LDAP attribute to use as the users full name for display purposes. If left empty, UCP will not create new users with a full name value.</td>
<td> </td>
</tr>
<tr>
<td style="text-align: left">Filter</td>
<td style="text-align: left">The LDAP search filter used to find users. If you leave this field empty, all directory entries in the search scope with valid username attributes are created as users.</td>
<td> </td>
</tr>
<tr>
<td style="text-align: left">Search subtree instead of just one level</td>
<td style="text-align: left">Whether to perform the LDAP search on a single level of the LDAP tree, or search through the full LDAP tree starting at the Base DN.</td>
<td> </td>
</tr>
<tr>
<td style="text-align: left">Match Group Members</td>
<td style="text-align: left">Whether to further filter users by selecting those who are also members of a specific group on the directory server. This feature is helpful if the LDAP server does not support <code class="highlighter-rouge">memberOf</code> search filters.</td>
<td> </td>
</tr>
<tr>
<td style="text-align: left">Iterate through group members</td>
<td style="text-align: left">If <code class="highlighter-rouge">Select Group Members</code> is selected, this option searches for users by first iterating over the target groups membership, making a separate LDAP query for each member, as opposed to first querying for all users which match the above search query and intersecting those with the set of group members. This option can be more efficient in situations where the number of members of the target group is significantly smaller than the number of users which would match the above search filter, or if your directory server does not support simple pagination of search results.</td>
<td> </td>
</tr>
<tr>
<td style="text-align: left">Group DN</td>
<td style="text-align: left">If <code class="highlighter-rouge">Select Group Members</code> is selected, this specifies the distinguished name of the group from which to select users.</td>
<td> </td>
</tr>
<tr>
<td style="text-align: left">Group Member Attribute</td>
<td style="text-align: left">If <code class="highlighter-rouge">Select Group Members</code> is selected, the value of this group attribute corresponds to the distinguished names of the members of the group.</td>
<td> </td>
</tr>
</tbody>
</table>
<p><img src="../../../images/ldap-integration-2.png" alt="" class="with-border" /></p>
<p>To configure more user search queries, click <strong>Add LDAP User Search Configuration</strong>
again. This is useful in cases where users may be found in multiple distinct
subtrees of your organizations directory. Any user entry which matches at
least one of the search configurations will be synced as a user.</p>
<h2 id="ldap-test-login">LDAP test login</h2>
<table>
<thead>
<tr>
<th style="text-align: left">Field</th>
<th style="text-align: left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left">Username</td>
<td style="text-align: left">An LDAP username for testing authentication to this application. This value corresponds with the <strong>Username Attribute</strong> specified in the <strong>LDAP user search configurations</strong> section.</td>
</tr>
<tr>
<td style="text-align: left">Password</td>
<td style="text-align: left">The users password used to authenticate (BIND) to the directory server.</td>
</tr>
</tbody>
</table>
<p>Before you save the configuration changes, you should test that the integration
is correctly configured. You can do this by providing the credentials of an
LDAP user, and clicking the <strong>Test</strong> button.</p>
<h2 id="ldap-sync-configuration">LDAP sync configuration</h2>
<table>
<thead>
<tr>
<th style="text-align: left">Field</th>
<th style="text-align: left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left">Sync interval</td>
<td style="text-align: left">The interval, in hours, to synchronize users between UCP and the LDAP server. When the synchronization job runs, new users found in the LDAP server are created in UCP with the default permission level. UCP users that dont exist in the LDAP server become inactive.</td>
</tr>
<tr>
<td style="text-align: left">Enable sync of admin users</td>
<td style="text-align: left">This option specifies that system admins should be synced directly with members of a group in your organizations LDAP directory. The admins will be synced to match the membership of the group. The configured recovery admin user will also remain a system admin.</td>
</tr>
</tbody>
</table>
<p>Once youve configured the LDAP integration, UCP synchronizes users based on
the interval youve defined starting at the top of the hour. When the
synchronization runs, UCP stores logs that can help you troubleshoot when
something goes wrong.</p>
<p>You can also manually synchronize users by clicking <strong>Sync Now</strong>.</p>
<h2 id="revoke-user-access">Revoke user access</h2>
<p>When a user is removed from LDAP, the effect on the users UCP account depends
on the <strong>Just-In-Time User Provisioning</strong> setting:</p>
<ul>
<li><strong>Just-In-Time User Provisioning</strong> is <code class="highlighter-rouge">false</code>: Users deleted from LDAP become
inactive in UCP after the next LDAP synchronization runs.</li>
<li><strong>Just-In-Time User Provisioning</strong> is <code class="highlighter-rouge">true</code>: Users deleted from LDAP cant
authenticate, but their UCP accounts remain active. This means that they can
use their client bundles to run commands. To prevent this, deactivate their
UCP user accounts.</li>
</ul>
<h2 id="data-synced-from-your-organizations-ldap-directory">Data synced from your organizations LDAP directory</h2>
<p>UCP saves a minimum amount of user data required to operate. This includes
the value of the username and full name attributes that you have specified in
the configuration as well as the distinguished name of each synced user.
UCP does not store any additional data from the directory server.</p>
<h2 id="sync-teams">Sync teams</h2>
<p>UCP enables syncing teams with a search query or group in your organizations
LDAP directory.
<a href="../../../authorization/create-teams-with-ldap.md">Sync team members with your organizations LDAP directory</a>.</p>
<h2 id="where-to-go-next">Where to go next</h2>
<ul>
<li><a href="../../../authorization/create-users-and-teams-manually.md">Create users and teams manually</a></li>
<li><a href="../../../authorization/create-teams-with-ldap.md">Create teams with LDAP</a></li>
<li><a href="enable-ldap-config-file.md">Enable LDAP integration by using a configuration file</a></li>
</ul>
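Review bot: this hunk removes several security-relevant warnings that should be confirmed present in the replacement content before this lands: the "Skip TLS verification" row (the connection stays encrypted but is open to man-in-the-middle attacks), the guidance that the Reader DN be a read-only account, and the "Revoke user access" section, which states that with Just-In-Time User Provisioning set to `true` a user deleted from LDAP can no longer authenticate but keeps an active UCP account and can still run commands with a client bundle until the account is deactivated. The "Where to go next" list at the end links to `enable-ldap-config-file.md`, which is deleted in the previous hunk of this commit; with only 1 addition across 7 files, the diff does not show where either page is relocated, so the link targets and the `#revoke-user-access` anchor should be verified.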


@ -1,59 +0,0 @@
<p>Docker Universal Control Plane is designed for high availability (HA). You can
join multiple manager nodes to the cluster, so that if one manager node fails,
another can automatically take its place without impact to the cluster.</p>
<p>Having multiple manager nodes in your cluster allows you to:</p>
<ul>
<li>Handle manager node failures,</li>
<li>Load-balance user requests across all manager nodes.</li>
</ul>
<h2 id="size-your-deployment">Size your deployment</h2>
<p>To make the cluster tolerant to more failures, add additional replica nodes to
your cluster.</p>
<table>
<thead>
<tr>
<th style="text-align: center">Manager nodes</th>
<th style="text-align: center">Failures tolerated</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: center">1</td>
<td style="text-align: center">0</td>
</tr>
<tr>
<td style="text-align: center">3</td>
<td style="text-align: center">1</td>
</tr>
<tr>
<td style="text-align: center">5</td>
<td style="text-align: center">2</td>
</tr>
</tbody>
</table>
<p>For production-grade deployments, follow these rules of thumb:</p>
<ul>
<li>When a manager node fails, the number of failures tolerated by your cluster
decreases. Dont leave that node offline for too long.</li>
<li>You should distribute your manager nodes across different availability
zones. This way your cluster can continue working even if an entire
availability zone goes down.</li>
<li>Adding many manager nodes to the cluster might lead to performance
degradation, as changes to configurations need to be replicated across all
manager nodes. The maximum advisable is seven manager nodes.</li>
</ul>
<h2 id="where-to-go-next">Where to go next</h2>
<ul>
<li><a href="join-linux-nodes-to-cluster.md">Join nodes to your cluster</a></li>
<li><a href="join-windows-nodes-to-cluster.md">Join Windows worker nodes to your cluster</a></li>
<li><a href="use-a-load-balancer.md">Use a load balancer</a></li>
</ul>
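Review bot: the deleted failure-tolerance table (1 manager tolerates 0 failures, 3 tolerates 1, 5 tolerates 2) and the "maximum advisable is seven manager nodes" rule are capacity-planning facts readers depend on; confirm they appear in whichever page replaces this one. The "Where to go next" links point at `join-linux-nodes-to-cluster.md`, `join-windows-nodes-to-cluster.md` and `use-a-load-balancer.md`, and the later hunks in this commit delete pages whose content matches the first two, so check for dangling cross-references.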


@ -1,143 +0,0 @@
<p>Docker EE is designed for scaling horizontally as your applications grow in
size and usage. You can add or remove nodes from the cluster to scale it
to your needs. You can join Windows Server 2016, IBM z System, and Linux nodes
to the cluster.</p>
<p>Because Docker EE leverages the clustering functionality provided by Docker
Engine, you use the <a href="/engine/swarm/swarm-tutorial/add-nodes.md">docker swarm join</a>
command to add more nodes to your cluster. When you join a new node, Docker EE
services start running on the node automatically.</p>
<h2 id="node-roles">Node roles</h2>
<p>When you join a node to a cluster, you specify its role: manager or worker.</p>
<ul>
<li>
<p><strong>Manager</strong>: Manager nodes are responsible for cluster management
functionality and dispatching tasks to worker nodes. Having multiple
manager nodes allows your swarm to be highly available and tolerant of
node failures.</p>
<p>Manager nodes also run all Docker EE components in a replicated way, so
by adding additional manager nodes, youre also making the cluster highly
available.
<a href="/enterprise/docker-ee-architecture.md">Learn more about the Docker EE architecture.</a></p>
</li>
<li>
<p><strong>Worker</strong>: Worker nodes receive and execute your services and applications.
Having multiple worker nodes allows you to scale the computing capacity of
your cluster.</p>
<p>When deploying Docker Trusted Registry in your cluster, you deploy it to a
worker node.</p>
</li>
</ul>
<h2 id="join-a-node-to-the-cluster">Join a node to the cluster</h2>
<p>You can join Windows Server 2016, IBM z System, and Linux nodes to the cluster,
but only Linux nodes can be managers.</p>
<p>To join nodes to the cluster, go to the Docker EE web UI and navigate to the
<strong>Nodes</strong> page.</p>
<ol>
<li>Click <strong>Add Node</strong> to add a new node.</li>
<li>Select the type of node to add, <strong>Windows</strong> or <strong>Linux</strong>.</li>
<li>Click <strong>Manager</strong> if you want to add the node as a manager.</li>
<li>Check the <strong>Use a custom listen address</strong> option to specify the address
and port where new node listens for inbound cluster management traffic.</li>
<li>Check the <strong>Use a custom listen address</strong> option to specify the
IP address thats advertised to all members of the cluster for API access.</li>
</ol>
<p><img src="../../../images/join-nodes-to-cluster-2.png" alt="" class="with-border" /></p>
<p>Copy the displayed command, use SSH to log in to the host that you want to
join to the cluster, and run the <code class="highlighter-rouge">docker swarm join</code> command on the host.</p>
<p>To add a Windows node, click <strong>Windows</strong> and follow the instructions in
<a href="join-windows-nodes-to-cluster.md">Join Windows worker nodes to a cluster</a>.</p>
<p>After you run the join command in the node, the node is displayed on the
<strong>Nodes</strong> page in the Docker EE web UI. From there, you can change the nodes
cluster configuration, including its assigned orchestrator type.
<a href="../set-orchestrator-type.md">Learn how to change the orchestrator for a node</a>.</p>
<h2 id="pause-or-drain-a-node">Pause or drain a node</h2>
<p>Once a node is part of the cluster, you can configure the nodes availability
so that it is:</p>
<ul>
<li><strong>Active</strong>: the node can receive and execute tasks.</li>
<li><strong>Paused</strong>: the node continues running existing tasks, but doesnt receive
new tasks.</li>
<li><strong>Drained</strong>: the node wont receive new tasks. Existing tasks are stopped and
replica tasks are launched in active nodes.</li>
</ul>
<p>Pause or drain a node from the <strong>Edit Node</strong> page:</p>
<ol>
<li>In the Docker EE web UI, browse to the <strong>Nodes</strong> page and select the node.</li>
<li>In the details pane, click <strong>Configure</strong> and select <strong>Details</strong> to open
the <strong>Edit Node</strong> page.</li>
<li>In the <strong>Availability</strong> section, click <strong>Active</strong>, <strong>Pause</strong>, or <strong>Drain</strong>.</li>
<li>Click <strong>Save</strong> to change the availability of the node.</li>
</ol>
<p><img src="../../../images/join-nodes-to-cluster-3.png" alt="" class="with-border" /></p>
<h2 id="promote-or-demote-a-node">Promote or demote a node</h2>
<p>You can promote worker nodes to managers to make UCP fault tolerant. You can
also demote a manager node into a worker.</p>
<p>To promote or demote a manager node:</p>
<ol>
<li>Navigate to the <strong>Nodes</strong> page, and click the node that you want to demote.</li>
<li>In the details pane, click <strong>Configure</strong> and select <strong>Details</strong> to open
the <strong>Edit Node</strong> page.</li>
<li>In the <strong>Role</strong> section, click <strong>Manager</strong> or <strong>Worker</strong>.</li>
<li>Click <strong>Save</strong> and wait until the operation completes.</li>
<li>Navigate to the <strong>Nodes</strong> page, and confirm that the node role has changed.</li>
</ol>
<p>If youre load-balancing user requests to Docker EE across multiple manager
nodes, dont forget to remove these nodes from your load-balancing pool when
you demote them to workers.</p>
<h2 id="remove-a-node-from-the-cluster">Remove a node from the cluster</h2>
<p>You can remove worker nodes from the cluster at any time:</p>
<ol>
<li>Navigate to the <strong>Nodes</strong> page and select the node.</li>
<li>In the details pane, click <strong>Actions</strong> and select <strong>Remove</strong>.</li>
<li>Click <strong>Confirm</strong> when youre prompted.</li>
</ol>
<p>Since manager nodes are important to the cluster overall health, you need to
be careful when removing one from the cluster.</p>
<p>To remove a manager node:</p>
<ol>
<li>Make sure all nodes in the cluster are healthy. Dont remove manager nodes
if thats not the case.</li>
<li>Demote the manager node into a worker.</li>
<li>Now you can remove that node from the cluster.</li>
</ol>
<h2 id="use-the-cli-to-manage-your-nodes">Use the CLI to manage your nodes</h2>
<p>You can use the Docker CLI client to manage your nodes from the CLI. To do
this, configure your Docker CLI client with a <a href="../../../user-access/cli.md">UCP client bundle</a>.</p>
<p>Once you do that, you can start managing your UCP nodes:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>docker node <span class="nb">ls</span>
</code></pre></div></div>
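Review bot: steps 4 and 5 of the "Join a node to the cluster" list both read "Check the Use a custom listen address option", while step 5 describes the address advertised to the cluster for API access rather than the listen address; if this text is carried over to a new page, the second label should be corrected there. Also worth preserving from this hunk: the statement that only Linux nodes can be managers, the instruction to demote a manager to a worker before removing it and not to remove managers while any node is unhealthy, and the reminder to drop demoted managers from the load-balancing pool.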


@ -1,235 +0,0 @@
<p>Docker Enterprise Edition supports worker nodes that run on Windows Server 2016 or 1709.
Only worker nodes are supported on Windows, and all manager nodes in the cluster
must run on Linux.</p>
<p>Follow these steps to enable a worker node on Windows.</p>
<ol>
<li>Install Docker EE Engine on Windows Server 2016.</li>
<li>Configure the Windows node.</li>
<li>Join the Windows node to the cluster.</li>
</ol>
<h2 id="install-docker-ee-engine-on-windows-server-2016-or-1709">Install Docker EE Engine on Windows Server 2016 or 1709</h2>
<p><a href="/engine/installation/windows/docker-ee/#use-a-script-to-install-docker-ee">Install Docker EE Engine</a>
on a Windows Server 2016 or 1709 instance to enable joining a cluster thats managed by
Docker Enterprise Edition.</p>
<h2 id="configure-the-windows-node">Configure the Windows node</h2>
<p>Follow these steps to configure the docker daemon and the Windows environment.</p>
<ol>
<li>Add a label to the node.</li>
<li>Pull the Windows-specific image of <code class="highlighter-rouge">ucp-agent</code>, which is named <code class="highlighter-rouge">ucp-agent-win</code>.</li>
<li>Run the Windows worker setup script provided with <code class="highlighter-rouge">ucp-agent-win</code>.</li>
<li>Join the cluster with the token provided by the Docker EE web UI or CLI.</li>
</ol>
<h3 id="add-a-label-to-the-node">Add a label to the node</h3>
<p>Configure the Docker Engine running on the node to have a label. This makes
it easier to deploy applications on nodes with this label.</p>
<p>Create the file <code class="highlighter-rouge">C:\ProgramData\docker\config\daemon.json</code> with the following
content:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>{
"labels": ["os=windows"]
}
</code></pre></div></div>
<p>Restart Docker for the changes to take effect:</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Restart-Service docker
</code></pre></div></div>
<h3 id="pull-the-windows-specific-images">Pull the Windows-specific images</h3>
<p>On a manager node, run the following command to list the images that are required
on Windows nodes.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>docker container run <span class="nt">--rm</span> /: images <span class="nt">--list</span> <span class="nt">--enable-windows</span>
/ucp-agent-win:
/ucp-dsinfo-win:
</code></pre></div></div>
<p>On Windows Server 2016, in a PowerShell terminal running as Administrator,
log in to Docker Hub with the <code class="highlighter-rouge">docker login</code> command and pull the listed images.</p>
<div class="language-powershell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>docker image pull /ucp-agent-win:
docker image pull /ucp-dsinfo-win:
</code></pre></div></div>
<h3 id="run-the-windows-node-setup-script">Run the Windows node setup script</h3>
<p>You need to open ports 2376 and 12376, and create certificates
for the Docker daemon to communicate securely. Use this command to run
the Windows node setup script:</p>
<div class="language-powershell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$script</span> <span class="o">=</span> <span class="o">[</span>ScriptBlock]::Create<span class="o">((</span>docker run --rm /ucp-agent-win: windows-script | <span class="nb">Out-String</span><span class="o">))</span>
Invoke-Command <span class="nv">$script</span>
</code></pre></div></div>
<blockquote>
<p>Docker daemon restart</p>
<p>When you run <code class="highlighter-rouge">windows-script</code>, the Docker service is unavailable temporarily.</p>
</blockquote>
<p>The Windows node is ready to join the cluster. Run the setup script on each
instance of Windows Server that will be a worker node.</p>
<h3 id="compatibility-with-daemonjson">Compatibility with daemon.json</h3>
<p>The script may be incompatible with installations that use a config file at
<code class="highlighter-rouge">C:\ProgramData\docker\config\daemon.json</code>. If you use such a file, make sure
that the daemon runs on port 2376 and that it uses certificates located in
<code class="highlighter-rouge">C:\ProgramData\docker\daemoncerts</code>. If certificates dont exist in this
directory, run <code class="highlighter-rouge">ucp-agent-win generate-certs</code>, as shown in Step 2 of the
procedure in <a href="#set-up-certs-for-the-dockerd-service">Set up certs for the dockerd service</a>.</p>
<p>In the daemon.json file, set the <code class="highlighter-rouge">tlscacert</code>, <code class="highlighter-rouge">tlscert</code>, and <code class="highlighter-rouge">tlskey</code> options
to the corresponding files in <code class="highlighter-rouge">C:\ProgramData\docker\daemoncerts</code>:</p>
<div class="language-json highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">{</span><span class="w">
</span><span class="err">...</span><span class="w">
</span><span class="s2">"debug"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w">
</span><span class="s2">"tls"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w">
</span><span class="s2">"tlscacert"</span><span class="p">:</span><span class="w"> </span><span class="s2">"C:</span><span class="se">\P</span><span class="s2">rogramData</span><span class="se">\d</span><span class="s2">ocker</span><span class="se">\d</span><span class="s2">aemoncerts</span><span class="se">\c</span><span class="s2">a.pem"</span><span class="p">,</span><span class="w">
</span><span class="s2">"tlscert"</span><span class="p">:</span><span class="w"> </span><span class="s2">"C:</span><span class="se">\P</span><span class="s2">rogramData</span><span class="se">\d</span><span class="s2">ocker</span><span class="se">\d</span><span class="s2">aemoncerts</span><span class="se">\c</span><span class="s2">ert.pem"</span><span class="p">,</span><span class="w">
</span><span class="s2">"tlskey"</span><span class="p">:</span><span class="w"> </span><span class="s2">"C:</span><span class="se">\P</span><span class="s2">rogramData</span><span class="se">\d</span><span class="s2">ocker</span><span class="se">\d</span><span class="s2">aemoncerts</span><span class="se">\k</span><span class="s2">ey.pem"</span><span class="p">,</span><span class="w">
</span><span class="s2">"tlsverify"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w">
</span><span class="err">...</span><span class="w">
</span><span class="p">}</span><span class="w">
</span></code></pre></div></div>
<h2 id="join-the-windows-node-to-the-cluster">Join the Windows node to the cluster</h2>
<p>Now you can join the cluster by using the <code class="highlighter-rouge">docker swarm join</code> command thats
provided by the Docker EE web UI and CLI.</p>
<ol>
<li>Log in to the Docker EE web UI with an administrator account.</li>
<li>Navigate to the <strong>Nodes</strong> page.</li>
<li>Click <strong>Add Node</strong> to add a new node.</li>
<li>In the <strong>Node Type</strong> section, click <strong>Windows</strong>.</li>
<li>In the <strong>Step 2</strong> section, click the checkbox for
“Im ready to join my windows node.”</li>
<li>Check the <strong>Use a custom listen address</strong> option to specify the address
and port where new node listens for inbound cluster management traffic.</li>
<li>
<p>Check the <strong>Use a custom listen address</strong> option to specify the
IP address thats advertised to all members of the cluster for API access.</p>
<p><img src="../../../images/join-windows-nodes-to-cluster-1.png" alt="" class="with-border" /></p>
</li>
</ol>
<p>Copy the displayed command. It looks similar to the following:</p>
<div class="language-powershell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>docker swarm join --token &lt;token&gt; &lt;ucp-manager-ip&gt;
</code></pre></div></div>
<p>You can also use the command line to get the join token. Using your
<a href="../../../user-access/cli.md">UCP client bundle</a>, run:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>docker swarm join-token worker
</code></pre></div></div>
<p>Run the <code class="highlighter-rouge">docker swarm join</code> command on each instance of Windows Server that
will be a worker node.</p>
<h2 id="configure-a-windows-worker-node-manually">Configure a Windows worker node manually</h2>
<p>The following sections describe how to run the commands in the setup script
manually to configure the <code class="highlighter-rouge">dockerd</code> service and the Windows environment.
The script opens ports in the firewall and sets up certificates for <code class="highlighter-rouge">dockerd</code>.</p>
<p>To see the script, you can run the <code class="highlighter-rouge">windows-script</code> command without piping
to the <code class="highlighter-rouge">Invoke-Expression</code> cmdlet.</p>
<div class="language-powershell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>docker container run --rm /ucp-agent-win: windows-script
</code></pre></div></div>
<h3 id="open-ports-in-the-windows-firewall">Open ports in the Windows firewall</h3>
<p>Docker EE requires that ports 2376 and 12376 are open for inbound TCP traffic.</p>
<p>In a PowerShell terminal running as Administrator, run these commands
to add rules to the Windows firewall.</p>
<div class="language-powershell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>netsh advfirewall firewall add rule <span class="nv">name</span><span class="o">=</span><span class="s2">"docker_local"</span> <span class="nb">dir</span><span class="o">=</span><span class="k">in </span><span class="nv">action</span><span class="o">=</span>allow <span class="nv">protocol</span><span class="o">=</span>TCP <span class="nv">localport</span><span class="o">=</span>2376
netsh advfirewall firewall add rule <span class="nv">name</span><span class="o">=</span><span class="s2">"docker_proxy"</span> <span class="nb">dir</span><span class="o">=</span><span class="k">in </span><span class="nv">action</span><span class="o">=</span>allow <span class="nv">protocol</span><span class="o">=</span>TCP <span class="nv">localport</span><span class="o">=</span>12376
</code></pre></div></div>
<h3 id="set-up-certs-for-the-dockerd-service">Set up certs for the dockerd service</h3>
<ol>
<li>Create the directory <code class="highlighter-rouge">C:\ProgramData\docker\daemoncerts</code>.</li>
<li>
<p>In a PowerShell terminal running as Administrator, run the following command
to generate certificates.</p>
<div class="language-powershell highlighter-rouge"><div class="highlight"><pre class="highlight"><code>docker container run --rm -v C:\ProgramData\docker\daemoncerts:C:\certs /ucp-agent-win: generate-certs
</code></pre></div> </div>
</li>
<li>
<p>To set up certificates, run the following commands to stop and unregister the
<code class="highlighter-rouge">dockerd</code> service, register the service with the certificates, and restart the service.</p>
<div class="language-powershell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">Stop-Service </span>docker
dockerd --unregister-service
dockerd -H npipe:// -H 0.0.0.0:2376 --tlsverify --tlscacert<span class="o">=</span>C:\ProgramData\docker\daemoncerts\ca.pem --tlscert<span class="o">=</span>C:\ProgramData\docker\daemoncerts\cert.pem --tlskey<span class="o">=</span>C:\ProgramData\docker\daemoncerts\key.pem --register-service
<span class="nb">Start-Service </span>docker
</code></pre></div> </div>
</li>
</ol>
<p>The <code class="highlighter-rouge">dockerd</code> service and the Windows environment are now configured to join a Docker EE cluster.</p>
<blockquote>
<p>TLS certificate setup</p>
<p>If the TLS certificates arent set up correctly, the Docker EE web UI shows the
following warning.</p>
<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Node WIN-NOOQV2PJGTE is a Windows node that cannot connect to its local Docker daemon.
</code></pre></div> </div>
</blockquote>
<h2 id="windows-nodes-limitations">Windows nodes limitations</h2>
<p>Some features are not yet supported on Windows nodes:</p>
<ul>
<li>Networking
<ul>
<li>The cluster mode routing mesh cant be used on Windows nodes. You can expose
a port for your service in the host where it is running, and use the HTTP
routing mesh to make your service accessible using a domain name.</li>
<li>Encrypted networks are not supported. If youve upgraded from a previous
version, youll also need to recreate the <code class="highlighter-rouge">ucp-hrm</code> network to make it
unencrypted.</li>
</ul>
</li>
<li>Secrets
<ul>
<li>When using secrets with Windows services, Windows stores temporary secret
files on disk. You can use BitLocker on the volume containing the Docker
root directory to encrypt the secret data at rest.</li>
<li>When creating a service which uses Windows containers, the options to
specify UID, GID, and mode are not supported for secrets. Secrets are
currently only accessible by administrators and users with system access
within the container.</li>
</ul>
</li>
<li>Mounts
<ul>
<li>On Windows, Docker cant listen on a Unix socket. Use TCP or a named pipe
instead.</li>
</ul>
</li>
</ul>
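Review bot: if this Windows worker page is being relocated, the replacement should preserve the manual TLS setup, since it is the only place the daemon.json compatibility caveat is documented: ports 2376 and 12376 opened for inbound TCP, certificates in `C:\ProgramData\docker\daemoncerts`, and `--tlsverify` with `--tlscacert`, `--tlscert` and `--tlskey` on the registered `dockerd` service. Two defects in the removed copy should not be carried over: the image references render as `/ucp-agent-win:` and `/ucp-dsinfo-win:` with no registry or tag, so a templating variable was never expanded, and the manual-configuration section says to run `windows-script` "without piping to the `Invoke-Expression` cmdlet" while the setup snippet actually uses `[ScriptBlock]::Create(...)` with `Invoke-Command`. The daemon.json sample also sets `"debug": true`, which is unrelated to the TLS settings it illustrates and should be dropped from a production example.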

View File

@ -1,220 +0,0 @@
<p>Once youve joined multiple manager nodes for high-availability, you can
configure your own load balancer to balance user requests across all
manager nodes.</p>
<p><img src="../../../images/use-a-load-balancer-1.svg" alt="" /></p>
<p>This allows users to access UCP using a centralized domain name. If
a manager node goes down, the load balancer can detect that and stop forwarding
requests to that node, so that the failure goes unnoticed by users.</p>
<h2 id="load-balancing-on-ucp">Load-balancing on UCP</h2>
<p>Since Docker UCP uses mutual TLS, make sure you configure your load balancer to:</p>
<ul>
<li>Load-balance TCP traffic on ports <code class="highlighter-rouge">443</code> and <code class="highlighter-rouge">6443</code>.</li>
<li>Not terminate HTTPS connections.</li>
<li>Use the <code class="highlighter-rouge">/_ping</code> endpoint on each manager node, to check if the node
is healthy and if it should remain on the load balancing pool or not.</li>
</ul>
<h2 id="load-balancing-ucp-and-dtr">Load balancing UCP and DTR</h2>
<p>By default, both UCP and DTR use port 443. If you plan on deploying UCP and DTR,
your load balancer needs to distinguish traffic between the two by IP address
or port number.</p>
<ul>
<li>If you want to configure your load balancer to listen on port 443:
<ul>
<li>Use one load balancer for UCP, and another for DTR,</li>
<li>Use the same load balancer with multiple virtual IPs.</li>
</ul>
</li>
<li>Configure your load balancer to expose UCP or DTR on a port other than 443.</li>
</ul>
<blockquote class="important">
<p>Additional requirements</p>
<p>In addition to configuring your load balancer to distinguish between UCP and DTR, configuring a load balancer for DTR has <a href="https://docs.docker.com/ee/dtr/admin/configure/use-a-load-balancer/#load-balance-dtr">additional requirements</a>.</p>
</blockquote>
<h2 id="configuration-examples">Configuration examples</h2>
<p>Use the following examples to configure your load balancer for UCP.</p>
<ul class="nav nav-tabs">
<li class="active"><a data-toggle="tab" data-target="#nginx" data-group="nginx">NGINX</a></li>
<li><a data-toggle="tab" data-target="#haproxy" data-group="haproxy">HAProxy</a></li>
<li><a data-toggle="tab" data-target="#aws">AWS LB</a></li>
</ul>
<div class="tab-content">
<div id="nginx" class="tab-pane fade in active">
<div class="language-conf highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">user</span> <span class="n">nginx</span>;
<span class="n">worker_processes</span> <span class="m">1</span>;
<span class="n">error_log</span> /<span class="n">var</span>/<span class="n">log</span>/<span class="n">nginx</span>/<span class="n">error</span>.<span class="n">log</span> <span class="n">warn</span>;
<span class="n">pid</span> /<span class="n">var</span>/<span class="n">run</span>/<span class="n">nginx</span>.<span class="n">pid</span>;
<span class="n">events</span> {
<span class="n">worker_connections</span> <span class="m">1024</span>;
}
<span class="n">stream</span> {
<span class="n">upstream</span> <span class="n">ucp_443</span> {
<span class="n">server</span> &lt;<span class="n">UCP_MANAGER_1_IP</span>&gt;:<span class="m">443</span> <span class="n">max_fails</span>=<span class="m">2</span> <span class="n">fail_timeout</span>=<span class="m">30</span><span class="n">s</span>;
<span class="n">server</span> &lt;<span class="n">UCP_MANAGER_2_IP</span>&gt;:<span class="m">443</span> <span class="n">max_fails</span>=<span class="m">2</span> <span class="n">fail_timeout</span>=<span class="m">30</span><span class="n">s</span>;
<span class="n">server</span> &lt;<span class="n">UCP_MANAGER_N_IP</span>&gt;:<span class="m">443</span> <span class="n">max_fails</span>=<span class="m">2</span> <span class="n">fail_timeout</span>=<span class="m">30</span><span class="n">s</span>;
}
<span class="n">server</span> {
<span class="n">listen</span> <span class="m">443</span>;
<span class="n">proxy_pass</span> <span class="n">ucp_443</span>;
}
}
</code></pre></div> </div>
</div>
<div id="haproxy" class="tab-pane fade">
<div class="language-conf highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">global</span>
<span class="n">log</span> /<span class="n">dev</span>/<span class="n">log</span> <span class="n">local0</span>
<span class="n">log</span> /<span class="n">dev</span>/<span class="n">log</span> <span class="n">local1</span> <span class="n">notice</span>
<span class="n">defaults</span>
<span class="n">mode</span> <span class="n">tcp</span>
<span class="n">option</span> <span class="n">dontlognull</span>
<span class="n">timeout</span> <span class="n">connect</span> <span class="m">5</span><span class="n">s</span>
<span class="n">timeout</span> <span class="n">client</span> <span class="m">50</span><span class="n">s</span>
<span class="n">timeout</span> <span class="n">server</span> <span class="m">50</span><span class="n">s</span>
<span class="n">timeout</span> <span class="n">tunnel</span> <span class="m">1</span><span class="n">h</span>
<span class="n">timeout</span> <span class="n">client</span>-<span class="n">fin</span> <span class="m">50</span><span class="n">s</span>
<span class="c">### frontends
# Optional HAProxy Stats Page accessible at http://&lt;host-ip&gt;:8181/haproxy?stats
</span><span class="n">frontend</span> <span class="n">ucp_stats</span>
<span class="n">mode</span> <span class="n">http</span>
<span class="n">bind</span> <span class="m">0</span>.<span class="m">0</span>.<span class="m">0</span>.<span class="m">0</span>:<span class="m">8181</span>
<span class="n">default_backend</span> <span class="n">ucp_stats</span>
<span class="n">frontend</span> <span class="n">ucp_443</span>
<span class="n">mode</span> <span class="n">tcp</span>
<span class="n">bind</span> <span class="m">0</span>.<span class="m">0</span>.<span class="m">0</span>.<span class="m">0</span>:<span class="m">443</span>
<span class="n">default_backend</span> <span class="n">ucp_upstream_servers_443</span>
<span class="c">### backends
</span><span class="n">backend</span> <span class="n">ucp_stats</span>
<span class="n">mode</span> <span class="n">http</span>
<span class="n">option</span> <span class="n">httplog</span>
<span class="n">stats</span> <span class="n">enable</span>
<span class="n">stats</span> <span class="n">admin</span> <span class="n">if</span> <span class="n">TRUE</span>
<span class="n">stats</span> <span class="n">refresh</span> <span class="m">5</span><span class="n">m</span>
<span class="n">backend</span> <span class="n">ucp_upstream_servers_443</span>
<span class="n">mode</span> <span class="n">tcp</span>
<span class="n">option</span> <span class="n">httpchk</span> <span class="n">GET</span> /<span class="err">_</span><span class="n">ping</span> <span class="n">HTTP</span>/<span class="m">1</span>.<span class="m">1</span>\<span class="n">r</span>\<span class="n">nHost</span>:\ &lt;<span class="n">UCP_FQDN</span>&gt;
<span class="n">server</span> <span class="n">node01</span> &lt;<span class="n">UCP_MANAGER_1_IP</span>&gt;:<span class="m">443</span> <span class="n">weight</span> <span class="m">100</span> <span class="n">check</span> <span class="n">check</span>-<span class="n">ssl</span> <span class="n">verify</span> <span class="n">none</span>
<span class="n">server</span> <span class="n">node02</span> &lt;<span class="n">UCP_MANAGER_2_IP</span>&gt;:<span class="m">443</span> <span class="n">weight</span> <span class="m">100</span> <span class="n">check</span> <span class="n">check</span>-<span class="n">ssl</span> <span class="n">verify</span> <span class="n">none</span>
<span class="n">server</span> <span class="n">node03</span> &lt;<span class="n">UCP_MANAGER_N_IP</span>&gt;:<span class="m">443</span> <span class="n">weight</span> <span class="m">100</span> <span class="n">check</span> <span class="n">check</span>-<span class="n">ssl</span> <span class="n">verify</span> <span class="n">none</span>
</code></pre></div> </div>
</div>
<div id="aws" class="tab-pane fade">
<div class="language-json highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">{</span><span class="w">
</span><span class="s2">"Subnets"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w">
</span><span class="s2">"subnet-XXXXXXXX"</span><span class="p">,</span><span class="w">
</span><span class="s2">"subnet-YYYYYYYY"</span><span class="p">,</span><span class="w">
</span><span class="s2">"subnet-ZZZZZZZZ"</span><span class="w">
</span><span class="p">],</span><span class="w">
</span><span class="s2">"CanonicalHostedZoneNameID"</span><span class="p">:</span><span class="w"> </span><span class="s2">"XXXXXXXXXXX"</span><span class="p">,</span><span class="w">
</span><span class="s2">"CanonicalHostedZoneName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"XXXXXXXXX.us-west-XXX.elb.amazonaws.com"</span><span class="p">,</span><span class="w">
</span><span class="s2">"ListenerDescriptions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w">
</span><span class="p">{</span><span class="w">
</span><span class="s2">"Listener"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w">
</span><span class="s2">"InstancePort"</span><span class="p">:</span><span class="w"> </span><span class="mi">443</span><span class="p">,</span><span class="w">
</span><span class="s2">"LoadBalancerPort"</span><span class="p">:</span><span class="w"> </span><span class="mi">443</span><span class="p">,</span><span class="w">
</span><span class="s2">"Protocol"</span><span class="p">:</span><span class="w"> </span><span class="s2">"TCP"</span><span class="p">,</span><span class="w">
</span><span class="s2">"InstanceProtocol"</span><span class="p">:</span><span class="w"> </span><span class="s2">"TCP"</span><span class="w">
</span><span class="p">},</span><span class="w">
</span><span class="s2">"PolicyNames"</span><span class="p">:</span><span class="w"> </span><span class="p">[]</span><span class="w">
</span><span class="p">}</span><span class="w">
</span><span class="p">],</span><span class="w">
</span><span class="s2">"HealthCheck"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w">
</span><span class="s2">"HealthyThreshold"</span><span class="p">:</span><span class="w"> </span><span class="mi">2</span><span class="p">,</span><span class="w">
</span><span class="s2">"Interval"</span><span class="p">:</span><span class="w"> </span><span class="mi">10</span><span class="p">,</span><span class="w">
</span><span class="s2">"Target"</span><span class="p">:</span><span class="w"> </span><span class="s2">"HTTPS:443/_ping"</span><span class="p">,</span><span class="w">
</span><span class="s2">"Timeout"</span><span class="p">:</span><span class="w"> </span><span class="mi">2</span><span class="p">,</span><span class="w">
</span><span class="s2">"UnhealthyThreshold"</span><span class="p">:</span><span class="w"> </span><span class="mi">4</span><span class="w">
</span><span class="p">},</span><span class="w">
</span><span class="s2">"VPCId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"vpc-XXXXXX"</span><span class="p">,</span><span class="w">
</span><span class="s2">"BackendServerDescriptions"</span><span class="p">:</span><span class="w"> </span><span class="p">[],</span><span class="w">
</span><span class="s2">"Instances"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w">
</span><span class="p">{</span><span class="w">
</span><span class="s2">"InstanceId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"i-XXXXXXXXX"</span><span class="w">
</span><span class="p">},</span><span class="w">
</span><span class="p">{</span><span class="w">
</span><span class="s2">"InstanceId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"i-XXXXXXXXX"</span><span class="w">
</span><span class="p">},</span><span class="w">
</span><span class="p">{</span><span class="w">
</span><span class="s2">"InstanceId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"i-XXXXXXXXX"</span><span class="w">
</span><span class="p">}</span><span class="w">
</span><span class="p">],</span><span class="w">
</span><span class="s2">"DNSName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"XXXXXXXXXXXX.us-west-2.elb.amazonaws.com"</span><span class="p">,</span><span class="w">
</span><span class="s2">"SecurityGroups"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w">
</span><span class="s2">"sg-XXXXXXXXX"</span><span class="w">
</span><span class="p">],</span><span class="w">
</span><span class="s2">"Policies"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w">
</span><span class="s2">"LBCookieStickinessPolicies"</span><span class="p">:</span><span class="w"> </span><span class="p">[],</span><span class="w">
</span><span class="s2">"AppCookieStickinessPolicies"</span><span class="p">:</span><span class="w"> </span><span class="p">[],</span><span class="w">
</span><span class="s2">"OtherPolicies"</span><span class="p">:</span><span class="w"> </span><span class="p">[]</span><span class="w">
</span><span class="p">},</span><span class="w">
</span><span class="s2">"LoadBalancerName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ELB-UCP"</span><span class="p">,</span><span class="w">
</span><span class="s2">"CreatedTime"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2017-02-13T21:40:15.400Z"</span><span class="p">,</span><span class="w">
</span><span class="s2">"AvailabilityZones"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w">
</span><span class="s2">"us-west-2c"</span><span class="p">,</span><span class="w">
</span><span class="s2">"us-west-2a"</span><span class="p">,</span><span class="w">
</span><span class="s2">"us-west-2b"</span><span class="w">
</span><span class="p">],</span><span class="w">
</span><span class="s2">"Scheme"</span><span class="p">:</span><span class="w"> </span><span class="s2">"internet-facing"</span><span class="p">,</span><span class="w">
</span><span class="s2">"SourceSecurityGroup"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w">
</span><span class="s2">"OwnerAlias"</span><span class="p">:</span><span class="w"> </span><span class="s2">"XXXXXXXXXXXX"</span><span class="p">,</span><span class="w">
</span><span class="s2">"GroupName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"XXXXXXXXXXXX"</span><span class="w">
</span><span class="p">}</span><span class="w">
</span><span class="p">}</span><span class="w">
</span></code></pre></div> </div>
</div>
</div>
<p>You can deploy your load balancer using:</p>
<ul class="nav nav-tabs">
<li class="active"><a data-toggle="tab" data-target="#nginx-2" data-group="nginx">NGINX</a></li>
<li><a data-toggle="tab" data-target="#haproxy-2" data-group="haproxy">HAProxy</a></li>
</ul>
<div class="tab-content">
<div id="nginx-2" class="tab-pane fade in active">
<div class="language-conf highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># Create the nginx.conf file, then
# deploy the load balancer
</span>
<span class="n">docker</span> <span class="n">run</span> --<span class="n">detach</span> \
--<span class="n">name</span> <span class="n">ucp</span>-<span class="n">lb</span> \
--<span class="n">restart</span>=<span class="n">unless</span>-<span class="n">stopped</span> \
--<span class="n">publish</span> <span class="m">443</span>:<span class="m">443</span> \
--<span class="n">volume</span> ${<span class="n">PWD</span>}/<span class="n">nginx</span>.<span class="n">conf</span>:/<span class="n">etc</span>/<span class="n">nginx</span>/<span class="n">nginx</span>.<span class="n">conf</span>:<span class="n">ro</span> \
<span class="n">nginx</span>:<span class="n">stable</span>-<span class="n">alpine</span>
</code></pre></div> </div>
</div>
<div id="haproxy-2" class="tab-pane fade">
<div class="language-conf highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># Create the haproxy.cfg file, then
# deploy the load balancer
</span>
<span class="n">docker</span> <span class="n">run</span> --<span class="n">detach</span> \
--<span class="n">name</span> <span class="n">ucp</span>-<span class="n">lb</span> \
--<span class="n">publish</span> <span class="m">443</span>:<span class="m">443</span> \
--<span class="n">publish</span> <span class="m">8181</span>:<span class="m">8181</span> \
--<span class="n">restart</span>=<span class="n">unless</span>-<span class="n">stopped</span> \
--<span class="n">volume</span> ${<span class="n">PWD</span>}/<span class="n">haproxy</span>.<span class="n">cfg</span>:/<span class="n">usr</span>/<span class="n">local</span>/<span class="n">etc</span>/<span class="n">haproxy</span>/<span class="n">haproxy</span>.<span class="n">cfg</span>:<span class="n">ro</span> \
<span class="n">haproxy</span>:<span class="m">1</span>.<span class="m">7</span>-<span class="n">alpine</span> <span class="n">haproxy</span> -<span class="n">d</span> -<span class="n">f</span> /<span class="n">usr</span>/<span class="n">local</span>/<span class="n">etc</span>/<span class="n">haproxy</span>/<span class="n">haproxy</span>.<span class="n">cfg</span>
</code></pre></div> </div>
</div>
</div>
<h2 id="where-to-go-next">Where to go next</h2>
<ul>
<li><a href="../add-labels-to-cluster-nodes.md">Add labels to cluster nodes</a></li>
</ul>
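Review bot: the requirements list says to load-balance TCP traffic on ports 443 and 6443, but all three configuration examples (NGINX stream, HAProxy, AWS ELB listener) forward only 443; a replacement page should either add the 6443 upstream and listener or drop 6443 from the requirements. The third requirement, an active `/_ping` health check per manager, is only met by the HAProxy and AWS examples: the NGINX example relies on passive `max_fails=2 fail_timeout=30s` and never probes `/_ping`. The HAProxy backend uses `check check-ssl verify none`, which skips certificate verification of the managers for the probe; since the page states UCP uses mutual TLS, that choice should be called out explicitly rather than left implicit in the config.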

View File

@ -16,6 +16,6 @@ To configure UCP login sessions, go to the UCP web UI, navigate to the
| Field | Description |
| :---------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Lifetime Minutes | The initial lifetime of a login session, starting from the time UCP generates the session. When this time expires, UCP invalidates the session. To establish a new session,the u ser must authenticate again. The default is 60 minutes. The minimum is 10 minutes. |
| Lifetime Minutes | The initial lifetime of a login session, starting from the time UCP generates the session. When this time expires, UCP invalidates the session. To establish a new session, the user must authenticate again. The default is 60 minutes with a minimum of 10 minutes. |
| Renewal Threshold Minutes | The time by which UCP extends an active session before session expiration. UCP extends the session by the number of minutes specified in **Lifetime Minutes**. The threshold value can't be greater than **Lifetime Minutes**. The default is 20 minutes. To specify that sessions are never extended, set the threshold value to zero. This may cause users to be logged out unexpectedly while using the UCP web interface. The maximum threshold is 5 minutes less than **Lifetime Minutes**. |
| Per User Limit | The maximum number of simultaneous logins for a user. If creating a new session exceeds this limit, UCP deletes the least recently used session. To disable this limit, set the value to zero. The default limit is 10 sessions. |