<!--[metadata]>
+++
aliases = [ "/ucp/production-install/"]
title = "Install UCP for production"
description = "Learn how to install Docker Universal Control Plane on production"
keywords = ["Universal Control Plane, UCP, install"]
[menu.main]
parent="mn_ucp_installation"
identifier="ucp_install_production"
weight=20
+++
<![end-metadata]-->
# Install UCP for production
Docker Universal Control Plane (UCP) is a containerized application that can be
installed on-premises or on a cloud infrastructure.
## Step 1: Validate the system requirements
The first step in installing UCP is ensuring your
infrastructure has all the [requirements UCP needs to run](system-requirements).
## Step 2: Install CS Docker on all nodes
UCP requires you to install Docker CS Engine 1.10 or above on all nodes of
your UCP cluster.
For each node that you want to add to the UCP cluster, install the CS Docker
Engine.
## Step 3: Customize named volumes
This step is optional.
Docker UCP uses [named volumes](../architecture.md) to persist data. If you want
to customize the volume drivers and flags of these volumes, you can create the
volumes before installing UCP.
If the volumes don't exist when you install UCP, they are
created with the default volume driver and flags.
## Step 4: Customize the CA used
This step is optional.
The UCP cluster uses TLS to secure all communications. Two Certificate
Authorities (CA) are used for this:
* Cluster root CA: generates certificates for new nodes joining the cluster and
admin user bundles.
* Client root CA: generates non-admin user bundles.
You can customize UCP to use certificates signed by an external Certificate
Authority. These certificates are used instead of the ones generated by the
client root CA. That way you can use a certificate from a CA that your
browsers and client tools already trust.
If you want to use your own certificates:
1. Log into the host where you intend to install UCP.
2. Create a volume with the name `ucp-controller-server-certs`.
3. Add the following files to the volume top-level directory:
| File | Description |
|:---------|:---------------------------------------------------------------|
| ca.pem | Your Root CA Certificate chain, including any intermediaries. |
| cert.pem | Your signed UCP controller certificate. |
| key.pem | Your UCP controller private key. |
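
A pre-flight check for the three files listed above, as an added example that is not part of the UCP documentation: it confirms that `key.pem` belongs to `cert.pem` and that `cert.pem` verifies against the chain in `ca.pem` before anything is copied into the volume. The source directory argument and the `busybox` helper image used for the copy are assumptions.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for the files Step 4 puts in the
# ucp-controller-server-certs volume. The directory argument and the busybox
# helper image are assumptions, not part of the UCP documentation.

# check_ucp_certs DIR
# Returns 0 if DIR holds a usable ca.pem/cert.pem/key.pem set,
# 1 if a file is missing or empty, 2 if key.pem does not belong to cert.pem,
# 3 if cert.pem does not verify against the chain in ca.pem (or has expired).
check_ucp_certs() {
    cert_dir=$1
    for f in ca.pem cert.pem key.pem; do
        [ -s "$cert_dir/$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done

    # The certificate and the private key must carry the same public key.
    cert_pub=$(openssl x509 -in "$cert_dir/cert.pem" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$cert_dir/key.pem" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ] || { echo "key.pem does not match cert.pem" >&2; return 2; }

    # ca.pem is the trust anchor plus intermediates; the controller
    # certificate must chain to it and be inside its validity period.
    openssl verify -CAfile "$cert_dir/ca.pem" "$cert_dir/cert.pem" 2>/dev/null \
        | grep -q ': OK$' \
        || { echo "cert.pem does not verify against ca.pem" >&2; return 3; }
}

# load_ucp_certs DIR
# Runs the check, then creates the volume and copies the three files to its
# top-level directory. DIR must be an absolute path (it is bind-mounted).
load_ucp_certs() {
    check_ucp_certs "$1" || return
    docker volume create --name ucp-controller-server-certs >/dev/null || return
    docker run --rm -v "$1":/src:ro -v ucp-controller-server-certs:/certs \
        busybox cp /src/ca.pem /src/cert.pem /src/key.pem /certs/
}

# Usage: load_ucp_certs /absolute/path/to/certs
```

A non-zero return from `check_ucp_certs` stops `load_ucp_certs` before the volume is touched, so a mismatched key or an incomplete chain is caught on the host rather than after the controller starts.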
## Step 5: Install the UCP controller
To install UCP you use the `docker/ucp` image. This image has commands to
install, configure, and back up UCP. To find what commands and options are
available, check the [reference documentation](../reference/install.md).
To install UCP:
1. Log in to the machine where you want to install UCP.
2. Use the `docker/ucp install` command to install UCP.
In this example we'll be running the install command interactively, so that
the command prompts for the necessary configuration values.
You can also use flags to pass values to the install command.
```bash
$ docker run --rm -it --name ucp \
-v /var/run/docker.sock:/var/run/docker.sock \
docker/ucp install -i \
--host-address $UCP_PUBLIC_IP
```
Where:
* `-i` runs the install command interactively,
* `--host-address` is the public IP where users or a load balancer can access
UCP,
* Also, include the `--external-server-cert` flag if you're using server
certificates signed by an external CA.
When installing Docker UCP, overlay networking is automatically configured
for you. If you are running Docker CS Engine 1.10, or have custom
configurations on your Docker CS Engine, you need to restart the Docker
daemon at this point.
3. Check that the UCP web application is running.
In your browser, navigate to the address where you've installed UCP.
If you're not using an external CA, your browser warns that UCP is
an unsafe site. This happens because you're accessing UCP using HTTPS
but the certificates used by UCP are not trusted by your browser.
![](../images/login.png)
## Step 6: License your installation
Now that your UCP controller is installed, you need to license it.
[Learn how to license your installation](license.md).
## Step 7: Back up the controller CAs
This step is optional.
For a highly available installation, you can add more controller nodes to
the UCP cluster. The controller nodes are replicas of each other.
[Learn more about high-availability](../high-availability/set-up-high-availability.md).
For this, you need to make the CAs on each controller node use the same
root certificates and keys.
[Learn how to replicate the CAs for high availability](../high-availability/replicate-cas.md).
## Step 8: Add controller replicas to the UCP cluster
This step is optional.
For a highly available installation, you can add more controller nodes to
the UCP cluster. For that, use the `docker/ucp join --replica` command.
[Learn more about the join command](../reference/join.md).
For each node that you want to install as a controller replica:
1. Log into that node.
2. Use the join command with the replica option:
In this example we'll be running the join command interactively, so that
the command prompts for the necessary configuration values.
You can also use flags to pass values to the join command.
```bash
$ docker run --rm -it --name ucp \
-v /var/run/docker.sock:/var/run/docker.sock \
docker/ucp join -i \
--replica
```
3. Since UCP configures your Docker Engine for multi-host networking, it might
prompt you to restart the Docker daemon. To make the installation faster, join
all replica nodes first, and only then restart the Docker daemon on those nodes.
4. Repeat steps 1 and 2 on the other nodes you want to set up as replicas.
Make sure you set up 3, 5, or 7 controllers.
5. Check the cluster state.
The Dashboard page of UCP should list all your controller nodes.
![UCP nodes page](../images/replica-nodes.png)
## Step 9: Add more nodes to the UCP cluster
Now you can add additional nodes to your UCP cluster. These are the nodes that
will be running your containers.
For each node that you want to add to your UCP cluster:
1. Log into that node.
2. Use the join command to join the node to the cluster:
```bash
$ docker run --rm -it --name ucp \
-v /var/run/docker.sock:/var/run/docker.sock \
docker/ucp join -i
```
3. Repeat steps 1 and 2 on the other nodes you want to add to your UCP cluster.
4. Check the cluster state.
The Dashboard page of UCP should list all your controller nodes.
![UCP nodes page](../images/nodes-page.png)
## Step 10: Download a client certificate bundle
To validate that your cluster is correctly configured, you should try accessing
the cluster with the Docker CLI client. For this, you'll need to get a client
certificate bundle.
[Learn more about user bundles](../access-ucp/cli-based-access.md).
## Where to go next
* [Deploy an app from the UI](../applications/deploy-app-ui.md)
* [Monitor a UCP cluster](../monitor/monitor-ucp.md)