Updating with metadata for website

Closes docker#371: Added metadata for web build
Updating with Dan's comments

Signed-off-by: Mary Anthony <mary@docker.com>

Author: Mary Anthony

certs.md

@@ -1,10 +1,12 @@
+
 +++
 title = "Manually setting up a CA"
 description = "Docker Universal Control Plane"
 [menu.main]
 parent="mn_ucp"
 +++
 
+
 # Manually setting up a CA
 
 A few features of UCP require an external CA (cfssl or equivalent) to sign

index.md

@@ -1,10 +1,12 @@
+
 +++
 title = "Overview"
 description = "Docker Universal Control Plane"
 [menu.main]
 identifier="mn_ucp"
 +++
 
+
 # Welcome to Docker Universal Control Plane BETA docs
 
 The following are available:

installation.md

@@ -1,10 +1,12 @@
+
 +++
 title = "Docker UCP Quickstart Guide"
 description = "Docker Universal Control Plane"
 [menu.main]
 parent="mn_ucp"
 +++
 
+
 # Docker UCP Quickstart Guide
 
 These instructions explain how to install UCP. A UCP installation consists of an UCP controller and one or more nodes. The same machine can serve as both the controller and the node. These instructions show you how to install both a host and a node. It contains the following sections:

kv_store.md

@@ -1,10 +1,12 @@
+
 +++
 title = "Key/Value Store Backends"
 description = "Docker Universal Control Plane"
 [menu.main]
 parent="mn_ucp"
 +++
 
+
 # Key/Value Store Backends
 
 In this release, UCP leverages the [etcd](https://github.com/coreos/etcd/) KV

networking.md

@@ -1,10 +1,12 @@
+
 +++
 title = "Set up container networking with UCP"
 description = "Docker Universal Control Plane"
 [menu.main]
 parent="mn_ucp"
 +++
 
+
 # Set up container networking with UCP
 
 Beginning in release 1.9, the Docker Engine updated and expanded its networking
@@ -59,10 +61,10 @@ nodes.
 
 ### Prerequisites
 
-You must install UCP on your entire cluster (sever and nodes), before following
-these instructions.  Make sure you have run on the `install` and `join` on each
-node as appropriate. Then, enable mult-host networking on every node in your
-cluster using these instructions.
+You must install UCP on your entire cluster (controller and nodes), before
+following these instructions.  Make sure you have run on the `install` and
+`join` on each node as appropriate. Then, enable mult-host networking on every
+node in your cluster using the instructions in this page.
 
 UCP requires that all clients, including Docker Engine, use a Swarm TLS
 certificate chain signed by the UCP Swarm Root CA. You configured these
@@ -73,25 +75,36 @@ To continue with this procedure, you need to know the SAN values you used on
 each controller or node. Because you can pass a SAN either as an IP address or
 fully-qualified hostname, make sure you know how to find these.
 
-If you used a public IP address, log into the controller host and run these two
-commands on the controller:
+If you used public IP addresses, do the following:
 
-```bash
-$ IP_ADDRESS=$(ip -o -4 route get 8.8.8.8 | cut -f8 -d' ')
-$ echo ${IP_ADDRESS}
-```
+1. Log into a host in your UCP cluster (controller or one of your nodes).
+
+2. Run these two commands to get the public IP:
+
+        $ IP_ADDRESS=$(ip -o -4 route get 8.8.8.8 | cut -f8 -d' ')
+        $ echo ${IP_ADDRESS}
 
-If your cluster is installed on a cloud provider, the public IP may not be the
-same as the IP address returned by this command. Confirm through your cloud
-provider's console or command line that this value is indeed the public IP. For
-example, the AWS console shows these values to you:
+  If your cluster is installed on a cloud provider, the public IP may not be
+  the same as the IP address returned by this command. Confirm through your
+  cloud provider's console or command line that this value is indeed the
+  public IP. For example, the AWS console shows these values to you:
 
-![Open certs](images/ip_cloud_provider.png)
+  ![Open certs](images/ip_cloud_provider.png)
 
-You can get also the SAN values of the controller by examining the certificate
-through your browser. This would include a fully qualified hostname you used for
-the controller. Each browser has a different way to view a website's certificate. To
-do this on Chrome:
+3. Note the host's IP address.
+
+4. Repeat steps 1-3 on the remaining hosts in your cluster.
+
+If you used a fully-qualified domain service names for SANs, you use them again
+configure multi-host networking. If you don't recall the name you used for each
+node, then:
+
+* If your hosts are on a private network, ask your system administrator for their fully-qualified domain service names.
+* If your hosts are from a cloud provider, use the provider's console or other facility to get the name.
+
+An easy way to get the controller's SAN values is to examine its certificate
+through your browser. Each browser has a different way to view a website's
+certificate. To do this on Chrome:
 
 1. Open the browser to the UCP console.
 
@@ -107,8 +120,6 @@ do this on Chrome:
 
     ![SAN](images/browser_cert_san.png)
 
-If you are using a private network, and don't know the fully-qualified DNS for a node, you can ask your network administrator.
-
 
 ### Configure and restart the daemon
 
@@ -121,35 +132,35 @@ If you followed the prerequisites, you should have a list of the SAN values you
 3. Determine the Docker daemon's startup configuration file.
 
     Each Linux distribution have different approaches for configuring daemon
-    startup (init) options. On Centos/RedHat systems that rely systemd,
-    the Docker daemon startup options are stored in the
-    `/lib/systemd/system/docker.service` file. Ubuntu 14.04 stores these in the `/etc/init/docker.conf` file.
+    startup (init) options. On Centos/RedHat systems that rely on systemd, the
+    Docker daemon startup options are stored in the
+    `/lib/systemd/system/docker.service` file. Ubuntu 14.04 stores these in the
+    `/etc/default/docker` file.
 
 4. Open the configuration file with your favorite editor.
 
   **Ubuntu**:
-        $ sudo vi /etc/init/docker.conf
+        $ sudo vi /etc/default/docker
 
   **Centos/Rehat**:
         $ sudo vi /lib/systemd/system/docker.service
 
 5. Uncomment the `DOCKER_OPTS` line and add the following options.
 
-        --cluster-advertise eth0:12376
-        --cluster-store etcd://CONTROLLER_PUBLIC_IP_OR_DOMAIN:12379
+        --cluster-advertise CURRENT_HOST_PUBLIC_IP_OR_DNS:12376
+        --cluster-store etcd://CONTROLLER_PUBLIC_IP_OR_DNS:12379
         --cluster-store-opt kv.cacertfile=/var/lib/docker/discovery_certs/ca.pem
         --cluster-store-opt kv.certfile=/var/lib/docker/discovery_certs/cert.pem
         --cluster-store-opt kv.keyfile=/var/lib/docker/discovery_certs/key.pem
 
-  Replace `CONTROLLER_PUBLIC_IP_OR_DOMAIN` with the IP address of the UCP
-  controller. Use `ifconfig` to ensure the host you are installing on is
-  accessible over `eth0`, on your host the systems with multiple ether
-  interfaces this value might differ. When you are done, the line should look
-  similar to the following:
+  Replace `CURRENT_HOST_PUBLIC_IP` with the IP of the host whose file you are
+  configuration. Replace `CONTROLLER_PUBLIC_IP_OR_DOMAIN` with the IP address of
+  the UCP controller. When you are done, the line should look similar to the
+  following:
 
-        DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4 --cluster-advertise eth0:12376 --cluster-store etcd://52.70.188.239:12379 --cluster-store-opt kv.cacertfile=/var/lib/docker/discovery_certs/ca.pem --cluster-store-opt kv.certfile=/var/lib/docker/discovery_certs/cert.pem --cluster-store-opt kv.keyfile=/var/lib/docker/discovery_certs/key.pem"
+        DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4 --cluster-advertise 52.70.180.235:12376 --cluster-store etcd://52.70.188.239:12379 --cluster-store-opt kv.cacertfile=/var/lib/docker/discovery_certs/ca.pem --cluster-store-opt kv.certfile=/var/lib/docker/discovery_certs/cert.pem --cluster-store-opt kv.keyfile=/var/lib/docker/discovery_certs/key.pem"
 
-6. Save and close the `/etc/init/docker.conf` file.
+6. Save and close the Docker configuration file file.
 
 6. Restart the Docker daemon.
 

profiling.md

@@ -1,10 +1,12 @@
+
 +++
 title = "Profiling UCP"
 description = "Docker Universal Control Plane"
 [menu.main]
 parent="mn_ucp"
 +++
 
+
 # Profiling UCP
 
 If you run the UCP server with the debug flag set, not only will you get more logging output, but we enable

release_notes.md

@@ -1,3 +1,12 @@
+
++++
+title = "Overview"
+description = "Docker Universal Control Plane"
+[menu.main]
+identifier="mn_ucp"
++++
+
+
 # Release Notes
 
 The latest release is 0.5.  Consult with your Docker sales engineer for the release notes of earlier versions.

specs/high_availability.md

@@ -0,0 +1,66 @@
++++
+draft = "true"
++++
+
+# UCP High Availability
+
+This document outlines how UCP high availability works, and general
+guidelines for deploying a highly available UCP in production.
+When adding nodes to your cluster, you decide which nodes you want to
+be replicas, and which nodes are simply additional engines for extra
+capacity.  If you are planning an HA deployment, you should have a
+minimum of 3 nodes (primary + two replicas)
+
+It is **highly** recommended that you deploy your initial 3 controller
+nodes (primary + at least 2 replicas) **before** you start adding
+non-replica nodes or start running workloads on your cluster.  When adding
+the first replica, if an error occurrs, the cluster will be come unusable.
+
+## Architecture
+
+* **Primary Controller** This is the first node you run the `install` against.  It runs the following containers/services:
+    * **ucp-kv** This etcd container runs the replicated KV store
+    * **ucp-swarm-manger** This Swarm Manager uses the replicated KV store for leader election and cluster membership tracking
+    * **ucp-controller** This container runs the UCP server, using the replicated KV store for configuration state
+    * **ucp-swarm-join** Runs the swarm join command to periodically publish this nodes existence to the KV store.  If the node goes down, this publishing stops, and the registration times out, and the node is automatically dropped from the cluster
+    * **ucp-proxy** Runs a local TLS proxy for the docker socket to enable secure access of the local docker daemon
+    * **ucp-swarm-ca[-proxy]** These **unreplicated** containers run the Swarm CA used for admin certificate bundles, and adding new nodes
+    * **ucp-ca[-proxy]** These **unreplicated** containers run the (optional) UCP CA used for signing user bundles.
+* **Replica Node**  This is a node you `join` to the primary using the `--replica` flag and it contributes to the availability of the cluster
+    * **ucp-kv** This etcd container runs the replicated KV store
+    * **ucp-swarm-manger** This Swarm Manager uses the replicated KV store for leader election and cluster membership tracking
+    * **ucp-controller** This container runs the UCP server, using the replicated KV store for configuration state
+    * **ucp-swarm-join** Runs the swarm join command to periodically publish this nodes existence to the KV store.  If the node goes down, this publishing stops, and the registration times out, and the node is automatically dropped from the cluster
+    * **ucp-proxy** Runs a local TLS proxy for the docker socket to enable secure access of the local docker daemon
+* **Non-Replica Node**  These nodes provide additional capacity, but do not enhance the availability of the UCP/Swarm infrastructure
+    * **ucp-swarm-join** Runs the swarm join command to periodically publish this nodes existence to the KV store.  If the node goes down, this publishing stops, and the registration times out, and the node is automatically dropped from the cluster
+    * **ucp-proxy** Runs a local TLS proxy for the docker socket to enable secure access of the local docker daemon
+
+Notes:
+* At present, UCP does not include a load-balancer.  Users may provide one exernally and load balance between the primary and replica nodes on port 443 for web access to the system via a single IP/hostname if desired.  If no external load balancer is used, admins should note the IP/hostname of the primary and all replicas so they can access them when needed.
+* Backups:
+    * Users should always back up their volumes (see the other guides for a complete list of named volumes)
+* The CAs (swarm and UCP) are not currently replicated.
+    * Swarm CA:
+        * Used for admin cert bundle generation
+        * Used for adding hosts to the cluster
+        * During an outage, no new admin cert bundles can be downloaded, but existing ones will still work.
+        * During an outage, no new nodes can be added to the cluster, but existing nodes will continue to operate
+    * UCP CA:
+        * Used for user bundle generation
+        * Used to sign certs for new replica nodes
+        * During an outage, no new user cert bundles can be downloaded, but existing ones will still work
+        * During an outage, no new replica nodes can be joined to the cluster
+
+**WARNING** You should never run a cluster with only the primary
+controller and a single replica.  This will result in an HA configuration
+of "2-nodes" where quorum is also "2-nodes" (to prevent split-brain.)
+If either the primary or single replica were to fail, the cluster will be
+unusable until they are repaired.  (So you actually have a higher failure
+probability than if you just ran a non-HA setup with no replica.)  You
+should have a minimum of 2 replicas (aka, "3-nodes") so that you can
+tolerate at least a single failure.
+
+**TODO** In the future this document should describe best practices for layout,
+target number of nodes, etc.  For now, that's an exercise for the reader
+based on etcd/raft documentation.