First step with Docker EE

TL;DR

Before the introduction of Docker-CE and Docker-EE, Docker’s offering for the enterprises was based on Docker Datacenter which consists of the following components:

  • Docker CS Engine: Commercially Supported Engine
  • UCP (Universal Control Plane): container applications management
  • DTR (Docker Trusted Registry): image management

With the introduction of Docker-EE, the Docker CS Engine is not in the picture anymore and Datacenter is now available starting from the Standard tiers of the enterprise offering.

Docker-EE editions

Docker Store is the place where the different Docker products can be downloaded.

Get Docker from the Docker Store

If we focus on Docker-EE, there are several editions:

  • some are dedicated to cloud platforms, such as Amazon AWS or Microsoft Azure. Those editions are tightly integrated with the components of the underlying infrastructure and can be installed easily through templates.
  • some are dedicated to servers and need to be installed manually (as we will see, automation of the installation procedure can easily be done)
Docker EE flavours

In this article, we will focus on Docker EE for Ubuntu.

Creation of the nodes

We create 3 nodes on DigitalOcean, we will not setup a HA configuration. The minimal requirements for each node is 4GB of RAM but 2 will be enough for our tests.

Creation of 3 DigitalOcean Droplets

Activate Docker-EE 30 days trial

From the Docker Store, we select the Docker Entreprise Edition for Ubuntu and activate the 1 month trial.

Activating the 1 month trial of Docker Entreprise

Once activated, there are a couple of steps we need to follow in order to setup our enterprise cluster:

  • Download the license key: this one will be needed to activate UCP
  • Copy our personalized Docker EE url: needed download the Entreprise Edition linked to our trial
  • Follow the instruction to install Docker EE on each node of our cluster
  • Follow the instruction to setup UCP and DTR

Installation of Docker-EE on each node

On each node, we need to perform the following steps

  • Making sure the needed libraries are installed
$ sudo apt-get install \
apt-transport-https \
ca-certificates \
curl \
software-properties-common
  • Add the Docker repository
$ export DOCKER_EE_URL=https://storebits.docker.com/ee/ubuntu/sub-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

$ curl -fsSL $DOCKER_EE_URL/gpg | sudo apt-key add -
$ apt-key fingerprint 0EBFCD88
$ sudo add-apt-repository "deb [arch=amd64] $DOCKER_EE_URL $(lsb_release -cs) stable-17.03"
$ sudo apt-get update

Note: in this step, the DOCKER_EE_URL used is linked to the trial we activated

  • Install Docker-EE
$ sudo apt-get install docker-ee
  • Verify the version

The last stable version at the date of this writing is the 17.03.1, the next stable will be 17.06 (Docker-EE is released quarterly).

$ docker version
Client:
Version: 17.03.1-ee-3
API version: 1.27
Go version: go1.7.5
Git commit: 3fcee33
Built: Thu Mar 30 20:06:11 2017
OS/Arch: linux/amd64
Server:
Version: 17.03.1-ee-3
API version: 1.27 (minimum version 1.12)
Go version: go1.7.5
Git commit: 3fcee33
Built: Thu Mar 30 20:06:11 2017
OS/Arch: linux/amd64
Experimental: false

Note: the installation process is very simple and can easily be scripted (using an Ansible playbook for instance).

Setup of UCP

“Universal Control Plane (UCP) allows managing from a centralized place your images, applications, networks, and other computing resources.” ( https://docs.docker.com)

We install UCP on node1 running the following command

$ docker run --rm -it --name ucp \
-v /var/run/docker.sock:/var/run/docker.sock \
docker/ucp:2.1.3 install \
--host-address $NODE_IP \
--interactive

A couple of information are requested during the interactive installation: the username and password of the admin account, and some additional aliases that we may use to connect to UCP (we left this last one blank as we will only use the IP address).

The UCP interface is then available through https://NODE1_IP. Once logged in, we need to upload the license key we downloaded previously.

Login onto UCP

We can then manage our applications, images, volumes, networks, … directly from a really user friendly interface.

The dashboard tells a lot of interesting things:

  • only one is running active node (node-01 on which UCP is installed)
  • only one service is running: this one is the system ucp-agent service
  • several containers (system containers) are running
  • CPU / RAM / Disk usage of our 1 node UCP cluster

On top of that, several other information are provided from the DDC Highlights at the bottom:

  • to install DTR (more on this in a bit)
  • to add additional nodes: this part is especially interesting as it indicates how to add worker and manager nodes to our Swarm cluster
  • to connect to the Swarm from a client CLI
  • to manage users and organisations

Adding nodes

We have created 3 nodes and installed Docker-EE on them. We will now add them to our UCP cluster.

From the Nodes section of the UCP interface, we can see that only one node is listed. Using the Add Node button provides the command to run from any node that needs to be added to the cluster.

Note: this command also shows that behind the hood our UCP cluster is based on Swarm, Docker’s native clustering / orchestration solution.

We run this command from node-02 and node-03 in order to add both nodes to our cluster.

$ docker swarm join --token SWMTKN-1–3i42pvndyqe9lnnndv94bh0by1xuck90rb1k2ljssowjcgz3mo-760ibk6yj4cxbtzvz160ww4ij $NODE1_IP:2377
This node joined a swarm as a worker.

Three nodes are now listed in the UCP interface.

Node-01 is the Manager of the Swarm, node-02 and node-03 are worker nodes. The manager is the one which manages the state of the Swarm. In a production environment, we would setup 3 or 5 managers for HA capabilities and to ensure a quorum is present to elect a new leader in case the current leader fails.

Setup of DTR

“Docker Trusted Registry (DTR) is a private image registry so that you can manage who has access to your Docker images. DTR needs to be installed on a node that is being managed by UCP.” (https://docs.docker.com)

We install DTR on node-02 with the following command:

$ docker run -it --rm \
docker/dtr:2.2.4 install \
--ucp-node node-02 \
--ucp-insecure-tls

Note: additional information are requested during the installation step: UCP’s admin credentials, the URL of the node UCP is installed and the URL of the node DTR will be installed on.

After a couple of seconds, the web interface is available from https://node-02

DTR login page

From the Settings menu on the left, the the type of storage can be selected, by default the images registered in DTR are saved on the local filesystem.

Create a repository

Once logged in we create a new repository associated to the admin user and call it www.

Creation of the admin/www public repository

The repository is empty as no image have already been pushed.

Push an image

From the third node of your UCP cluster (node-03), we can use the admin credential and log into DTR (running on node-02).

Note: we could have used any node of the cluster.

$ docker login $NODE2_IP
Username: admin
Password:
Login Succeeded

We first pull an nginx image, tag it to match the URL of the admin/www repository hosted in DTR and push it.

# Pulling nginx
$ docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
36a46ebd5019: Pull complete
57168433389f: Pull complete
332ec8285c50: Pull complete
Digest: sha256:c15f1fb8fd55c60c72f940a76da76a5fccce2fefa0dd9b17967b9e40b0355316
Status: Downloaded newer image for nginx:latest
# Create a new tag for the nginx image
$ docker tag nginx $NODE2_IP/admin/www
# Push the new taged image to DTR
$ docker push $NODE2_IP/admin/www
The push refers to a repository [46.101.7.50/admin/www]
48be3b91dcb8: Pushed
a4fc47c1db15: Pushed
f85d5ff897c4: Pushed
latest: digest: sha256:c15f1fb8fd55c60c72f940a76da76a5fccce2fefa0dd9b17967b9e40b0355316 size: 948

The image is now available in the repository.

Create a service

Let’s now see how to create a service using the image previously pushed.

We start by creating a service based on the $NODE2_IP/admin/www image and expose the port 80 onto the port 8080 of the Ingress network (more on that in a bit).

Once the service is ran, we can see from the tasks tab that the instance is running on node-03.

Note: as the UCP cluster has been created from node-01, this node is the Swarm Manager of our cluster. The manager is responsible of the scheduling of each task on a node of the cluster.

Service www based on admin/www running on node-03

The ingress network available in a Swarm cluster allows each service which publishes a port to be accessible from the outside through any node of the Swarm. In our example, the www service is running a single task on node-03, the ingress network allows to access it from any node, let’s try from node-02:

www service is accessible from each node of the cluster through port 8080

Summary

I hope this post gave you some information about Docker EE and its components. The installation of a UCP cluster and DTR is relatively easy. We have only touched the tip of the iceberg and have not considered a production setup which would involved several UCP manager and additional DTR replicas.