Under the Hood: Demystifying Docker Enterprise Edition 2.0 Architecture

Estimated Reading Time: 8 minutes

The Only Kubernetes Solution for Multi-Linux, Multi-OS and Multi-Cloud Deployments is right here…

Docker Enterprise Edition(EE) 2.0 Final GA release is available. One of the most promising feature announced with this release includes Kubernetes integration as an optional orchestration solution, running side-by-side with Docker Swarm. Not only this, this release includes Swarm Layer 7 routing improvements, Registry image mirroring, Kubernetes integration to Docker Trusted Registry & Kubernetes integration to Docker EE access controls. With this new release, organizations will be able to deploy applications with either Swarm or fully-conformant Kubernetes while maintaining the consistent developer-to-IT workflow.

Docker EE is more than just a container orchestration solution; it is a full lifecycle management solution for the modernization of traditional applications and microservices across a broad set of infrastructure platforms. It is a Containers-as-a-Service(CaaS) platform for IT that manages and secures diverse applications across disparate infrastructure, both on-premises and in the cloud. Docker EE provides an integrated, tested and certified platform for apps running on enterprise Linux or Windows operating systems and Cloud providers. It is tightly integrated to the underlying infrastructure to provide a native, easy to install experience and an optimized Docker environment.

Docker EE 2.0 GA consists of 3 major components which together enable a full software supply chain, from image creation, to secure image storage, to secure image deployment.

  • Universal Control Plane 3.0.0 (application and cluster management) – Deploys applications from images, by managing orchestrators, like Kubernetes and Swarm. UCP is designed for high availability (HA). You can join multiple UCP manager nodes to the cluster, and if one manager node fails, another takes its place automatically without impact to the cluster.
  • Docker Trusted Registry 2.5.0 – The production-grade image storage solution from Docker &
  • EE Engine 17.06.2- The commercially supported Docker engine for creating images and running them in Docker containers.

Tell me more about Kubernetes Support..

Kubernetes in Docker EE fully supports all Docker EE features, including role-based access control, LDAP/AD integration, scanning, signing enforcement, and security policies.

Kubernetes features on Docker EE include:

  • Kubernetes orchestration full feature set
  • CNCF Certified Kubernetes conformance
  • Kubernetes app deployment by using web UI or CLI
  • Compose stack deployment for Swarm and Kubernetes apps
  • Role-based access control for Kubernetes workloads
  • Pod-based autoscaling, to increase and decrease pod count based on CPU usage
  • Blue-Green deployments, for load balancing to different app versions
  • Ingress Controllers with Kubernetes L7 routing
  • Interoperability between Swarm and Kubernetes workloads for networking and storage.

But wait.. What type of workload shall I run on K8s and what on Swarm?

One of the question raised multiple times in last couple of Docker Meetup was – Good that now we have K8s and Swarm as multi-orchestrator under the single Enterprise Engine. But what type of workload shall I run on Kubernetes and what on Docker Swarm?


As shown above, even though there is a bigger overlap in terms of Microservices, Docker Inc. recommends specific types of workloads for both Swarm and Kubernetes.
Kubernetes works really great for large-scale workloads. It is designed to address some of the difficulties that are inherent in managing large-scale containerized environments. Example: blue-green deployments on Cloud Platform, highly resilient infrastructure with zero downtime deployment capabilities, automatic rollback, scaling, and self-healing of containers (which consists of auto-placement, auto-restart, auto-replication , and scaling of containers on the basis of CPU usage). Hence, it can be used in a variety of scenarios, from simple ones like running WordPress instances on Kubernetes, to scaling Jenkins machines, to secure deployments with thousands of nodes.

Docker Swarm, on the other hand, do provide most of the functionality which Kubernetes provides today. With notable features like easy & fast to install & configure, quick container deployment and scaling even in very large clusters, high availability through container replication and service redundancy, automated internal load balancing, process scheduling, Automatically configured TLS authentication and container networking, service discovery, routing mesh etc. Docker Swarm is best suited for MTA program – modernizing your traditional legacy application(.Net app running on Windows Server 2016)  by containerization on Docker Enterprise Edition. By doing this, you reduce the total resource requirements to run your application. This increases operational efficiency and allows you to consolidate your infrastructure.

Under this blog post, I will deep dive into Docker EE Architecture covering its individual components, how they work together and how the platform manages containers.

Let us begin with its architectural diagram –


At the base of the architecture, we have Docker Enterprise Engine. All the nodes in the cluster runs Docker Enterprise Edition as the base engine. Currently the stable release is 17.06 EE. It is a lightweight and powerful containerization technology combined with a work flow for building and containerizing your applications.

Sitting on top of the Docker Engine is what we call “Enterprise Edition Stack” where all of these components run as containers(shown below in the picture), except Swarm Mode. Swarm Mode is integrated into Docker Engine and you can turn it on/off based on your choice.Swarm Mode is enabled when Universal Control Plane (UCP) is up & running.


UCP depicting ucp-etcd, ucp-hyperkube & ucp-agent containers

In case you’re new to UCP, Docker Universal Control Plane is a solution designed to deploy, manage and scale Dockerized applications and infrastructure. As a Docker native solution, full support for the Docker API ensures seamless transition of your app from development to test to production – no code changes required, support for the Docker tool-set and compatibility with the Docker ecosystem.



From infrastructure clustering and container scheduling with the embedded Docker Swarm Mode, Kubernetes to multi-container application definition with Docker Compose and image management with Trusted Registry, Universal Control Plane simplifies the process of managing infrastructure, deploying, managing applications and monitoring their activity, with a mix of graphical dashboards and Docker command line driven user interface

There are 3 orchestrators sitting on top of Docker Enterprise Engine – Docker Swarm Mode, Classic Swarm & Kubernetes. For both Classic Swarm and Kubernetes, there is the same underlying etcd instance which is highly available based on setup you have in your cluster.

Docker EE provides access to the full API sets of three popular orchestrators:

  • Kubernetes: Full YAML object support
  • SwarmKit: Service-centric, Compose file version 3
  • “Classic” Swarm: Container-centric, Compose file version 2

Docker EE proxies the underlying API of each orchestrator, giving you access to all of the capabilities of each orchestrator, along with the benefits of Docker EE, like role-based access control and Docker Content Trust.

To manage lifecycle of orchestrator, we have a component called Agents and reconciler which manages both the promotion and demotion flows as well as certification renewal rotation and deal with patching and upgrading.

Agent is the core component of UCP and is a globally-scheduled service. When you install UCP on a node, or join a node to a swarm that’s being managed by UCP, the agent service starts running on that node. Once this service is running, it deploys containers with other UCP components, and it ensures they keep running. The UCP components that are deployed on a node depend on whether the node is a manager or a worker. In nutshell, it monitors the node and ensures the right UCP services are running.

Another important component is Reconciler. When UCP agent detects that the node is not running the right UCP components, it starts the reconciler container to converge the node to its desired state. It is expected for the UCP reconciler container to remain in an exited state when the node is healthy.

In order to integrate with K8s and support authentication, Docker Team built open ID connect provider. In case you’re completely new to OIDC, OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an inter-operable and REST-like manner.

As Swarm Mode is designed, we have central certificate authority that manages all the certificates and cryptographic node identity of the cluster. All component uses mutual TLS communication and they are using nodes which are issue by certificate authority. We are using unmodified version of Kubernetes.

Sitting on the top of the stack, there is GUI which uses Swarm APIs and Kubernetes APIs. Right next to GUI, we have Docker Trusted Registry which is an enterprise-ready on-premises service for storing, distributing and securing images. It gives enterprises the ability to ensure secure collaboration between developers and sysadmins to build, ship and run applications. Finally we have Docker & Kubernetes CLI capability integrated. Please note that this uses un-modified version of Kubernetes API.

Try Free Hosted Trial

If you’re interested in a fully conformant Kubernetes environment that is ready for the enterprise,    https://trial.docker.com/

Did you find this blog helpful? Feel free to share your experience. Get in touch with me on Twitter –  @ajeetsraina

Top 10 Cool New Features in Docker Datacenter for Dev & IT Operations Team

Estimated Reading Time: 6 minutes
Docker Datacenter(DDC) provides an integrated platform for developers and IT operations teams to collaborate securely on the application life cycle. It is an integrated, end-to-end platform for agile application development and management from the datacenter to the cloud. Basically, DDC brings container management and deployment services to enterprises with a production-ready Containers-as-a-Service (CaaS) platform supported by Docker and hosted locally behind an organization’s firewall. The Docker native tools are integrated to create an on-premises CaaS platform, allowing organizations to save time and seamlessly take applications built-in dev to production.


Under this blog, I will focus on the top 10 new cool features which comes with DDC:


Let us get started with setting up a fresh Docker Datacenter setup. I am going to leverage 6-node instances of Google Cloud Platform to share my experience with DDC UI.


Built-in Docker 1.12 Swarm Mode Capabilities:

Run the below command on the first node where we are going to install Docker CS Engine.

$ sudo curl -SLf https://packages.docker.com/1.12/install.sh | sh


Next, its time to install UCP:

$sudo docker run --rm -it \
--name ucp \
-v /var/run/docker.sock:/var/run/docker.sock \
docker/ucp install \
--host-address \


This brings up UCP UI as shown below. Kudos to Docker UCP Team for “a very lightweight UI” with the latest release.


Docker Inc. provides you with 30-days trial license once you register for Docker Datacenter. Upload the license accordingly.


Once you login, you will see that you have Swarm Mode cluster already initialized.

I was interested to see how easy it is to add nodes to the cluster. Click on Add Nodes > Select nodes as either Manager or Worker based on your requirement. Docker UCP Team has done great job in providing features like “-advertise-addr` to build up the cluster in few seconds.



It just took 5 minutes to bring up 6 nodes cluster.

Please ensure that the following ports are not under firewall.




HTTP Routing Mesh & Load Balancing

Let us try out another interesting new feature – Routing Mesh. It makes use of LB concepts.It provides global publish port for a given service. The routing mesh uses port based service discovery and load balancing. So to reach any service from outside the cluster you need to expose ports and reach them via the Published Port.

Docker 1.12 Engine creates “ingress” overlay network to achieve the routing mesh. Usually the frontend web service and sandbox are part of “ingress” network and take care in routing mesh.All nodes become part of “ingress” overlay network by default using the sandbox network namespace created inside each node.

Let us try to setup a simple wordpress application and see how Routing Mesh works.

i. Create a network called “collabnet”. UCP Team has done a great job in covering almost all the features which we use under CLI option.


As shown below, a network “collabnet” with the scope “swarm” gets created:



ii. Creating a wordpress application

Typically, while creating a frontend service with name “wordpressapp” we usually run the below command. If you want to pass the same parameter through UCP UI, its matter of just few seconds:

$sudo docker service create –env WORDPRESS_DB_HOST=wordpressdb1 –env WORDPRESS_DB_PASSWORD=collab123 –network collabnet –replicas 4 –name wordpressapp –publish 80:80/tcp wordpress:latest







ddc-24You can easily browse through the master node and get the wordpress page working.


Let us enable Routing Mesh as shown below:


Once Routing Mesh is enabled, you can access it from any node even if the particular node is not running any container which serves the wordpress application. Let us try accessing it from worker-5 as shown below:


Cool.. Routing Mesh just works flawlessly.


Integrating Notary Installation and HA as part of DTR:

Installing DTR is a matter of single on-liner command as shown below:


Setting up Centralized Logging through UCP

Under admin settings > Logs section, one can supply the rsyslog server details to push all the cluster logs to a centralized location.



TLS Mutual Authentication and Encryption:

UCP Team has done another great job in including TLS mutual authentication and encryption feature to secure communications between itself and all other nodes. There is also cert rotation, which is awesome especially from a compliance point of view. The TLS encryption also ensures that the nodes are connecting to the correct managers in the swarm.

Rotation Join tokens are secrets that allow a node to join the swarm. There are two different join tokens available, one for the worker role and one for the manager role. One usually pass the token using the --token flag when you run swarm join. Nodes use the join token only when they join the swarm. One can view or rotate the join tokens using swarm join-token. We have now these features rightly available under Docker Datacenter as shown below:


Raft Consensus, Orchestrator  & Dispatcher specific Changes:

One of the compelling feature which has been introduced under the latest Docker datacenter is capability to alter and control Raft consensus parameter, orchestration and Dispatcher specific changes. These features were enabled in the recent 1.12.2 release and have been put under docker swarm update command as shown below:


--snapshot-interval is an important parameter useful for performance tuning while –dispatcher-heartbeat duration controls heartbeat period which is default 5 seconds.

In the future post, I am going to talk about DTR, Docker-compose V2 specific examples and cluster configuration under the latest Docker datacenter.

Building Microservice applications on Docker-Datacenter (DDC) using Docker Compose

Estimated Reading Time: 3 minutes

Docker-Datacenter (DDC) is targeted for both developers and IT operations team. DDC provides both developers and IT operations a common option for managing containers. Developers create containers using the toolset they’re comfortable with and deliver the resulting containers to the Docker Registry Service. Operations Team then creates rules that describe how resources can be managed to run those containers, so that developers can perform self-service provisioning for their work.

DDC is an end-to-end Docker platform for enterprises. It is built as a tightly integrated enterprise product – the inclusion of Docker Swarm as the default orchestration engine and Universal Control Plane (UCP) – which sits above the Docker Swarm and provides an on-premises container management solution for Docker apps and infrastructure regardless of where your applications are running.

One of the most amazing feature which DDC provides is building Microservices using Docker compose.

If Docker compose is completely new to you, I request you to refer  https://docs.docker.com/compose/overview/ to get started with Docker compose.  In this post, we will look at how DDC provides an easy way to build wordpress applications using Docker compose.

I assume Docker-Datacenter is already up and running. If not, please refer http://collabnix.com/archives/1149 for step by step guide to setup DDC.

Let’s open up the DDC Web UI as shown below:



Click on Applications tab shown in the left. Click on Compose Application tab.


DDC provides a capability to upload docker-compose.yml right from your Desktop. Also, you can manually copy-paste it from your notepad or Linux machine. Click on Create Application and that’s all you need to get your app up and running. Please refer https://github.com/ajeetraina/collabnix-wordpress/blob/master/docker-compose.yml for the complete docker-compose.yml content:


Under Docker compose file, we didn’t specified “network” type and hence it chose the default “collabwebapp_default”. There are various ways to specify the network. In case you created an overlay network for multi-host networking, you can add this application or containers under  the pre-existing network through the following entry in docker-compose.yml:

      name: CollabNet

In case you want to specify the custom network driver, the entry should look like as shown below:

     driver: custom-driver-1
     driver: custom-driver-2
      collabNet1: “1”
      collabNet2: “2”


While your application is being built, you have a close look at the images and containers pulled up and created respectively as shown below:





Let’s check the logs of application creation:




Yippee !! Your first application is up and running using Docker Compose. In the future post, we will look at how can we restrict containers to run on the particular UCP client nodes using the affinity feature of Docker Swarm.

Implementing Multi-Host Docker Networking with Docker-Datacenter (DDC)

Estimated Reading Time: 5 minutes

In our previous post, we looked at detailed implementation of Docker-Datacenter-In-A-Box (Container-as-a-Service) on VMware ESXi platform. DDC pluggable architecture and open APIs allows flexibility in compute, networking and storage providers used in your CaaS infrastructure without disrupting the application code. Under this blog post, we will talk about Multi-host Docker networking. We will see  how overlay networking brings the capability of multi-host networking where the hundreds and thousands of containers can reach each other, even when they are running across different hosts machines and resolve each others DNS names, making service discovery a breeze to name a few.

A Quick brief about Overlay:

Docker’s overlay network driver supports multi-host networking natively out-of-the-box. This support is accomplished with the help of libnetwork, a built-in VXLAN-based overlay network driver, and Docker’s libkv library. Libnetwork provides a network overlay that can be used by your containers so that they appear on the same subnet. The huge bonus is that they can reach each other and resolve each other’s DNS names, making service discovery a breeze.

The overlay network requires a valid key-value store service. Currently, Docker’s libkv supports Consul, Etcd, and ZooKeeper (Distributed store). Before creating a network you must install and configure your chosen key-value store service. The Docker hosts that you intend to network and the service must be able to communicate.

If you have Docker Datacenter installed, it means you already have environment to play around the overlay networking.

Setting up Overlay Networking:

Machine #1:

Machine #2:

I assume that Docker-datacenter is properly configured and running in your setup. I have DDC Web UI running under Machine #1. Browse to Networks section and click on “Create Network” as shown below:



Suppose you have multiple teams in your floor like DB-team, OS-team, VMware-team and HPC-team and all you want is to create respective network for them. You have multiple Dockerhost running as your VM environment on VMware ESXi 6. Let’s go ahead and create a network “DB-network” for DB-team first:


This is equivalent to the below command if you run on your UCP host:

#docker network create –driver overlay DB-network


Ensure that Driver option chosen as “Overlay” and NOT bridge, none or null.Once you click on “Create Network”, it should succeed with the acknowledgment as shown below:


We have overlay network setup for DB-team. Interestingly, due to Docker swarm and UCP integration, one can easily see this network from any of UCP client nodes. All you need is run the “docker network ls” utility to see the list of the networks.

Creating container in Overlay Network:

Click on Containers > Deploy Container section to create a container under DB-team overlay network.


We choose “mysql” as image name which will be fetch automatically from the Dockerhub. I have named this new container as “db-mysql-new” for keeping it simple.

P5As we are going to put this newly create container under DB-network(overlay), I have specified hostname and required port(3306) and bind it to the Dockerhost accordingly.



Though the above looks a minimal parameters to be considered to bring up the MySQL container but still it might throw warning if you miss out choosing the below parameters:


It will take sometime to get this container running based on your network speed. Once done, it just shows up as shown below:


You can login to any one of Dockerhost machine in the cluster to see the details about this newly created container through docker network inspect utility. From Machine #2, the overlay network and containers running inside this container can be viewed very clearly as shown below:


Let’s create mediawiki container under the same network as shown:

P22Once you deploy mediwiki container, it will show up under Container section as shown below:



You can check under what UCP client node is this mediawiki running:



As shown above, this container is running under Machine #2. Fire up the IP to see the mediawiki default page:


It’s just cool..the mediawiki page comes up magically.


You can go ahead and configure Mediawiki to work with MySQL. If you want to use Docker compose, its more simple by clicking over “Compose the application” and it just work flawlessly.

In the forthcoming post, we will look at “Docker Volumes” from Docker-Datacenter (DDC) perspective.




Implementing Docker-Datacenter-In-A-Box (Container-as-a-Service) on VMware ESXi platform

Estimated Reading Time: 7 minutes

The critical component for any enterprise IT, either having multiple data centers or a hybrid cloud or multiple cloud providers, is the ability to migrate workloads from one environment to another, without causing application issues. With Docker Datacenter (CaaS in-a-box), you can abstract the infrastructure away from the application, allowing the application containers to be run anywhere and portable across any infrastructure, from on-premises datacenters to public clouds, across a vast array of network and storage providers.

As per Docker Inc. “Docker Datacenter is an integrated solution including open source and commercial software, the integrations between them, full Docker API support, validated configurations and commercial support for your Docker Datacenter environment. A pluggable architecture allows flexibility in compute, networking and storage providers used in your CaaS infrastructure without disrupting the application code. Enterprises can leverage existing technology investments with Docker Datacenter. The open APIs allow Docker Datacenter CaaS to easily integrate into your existing systems like LDAP/AD, monitoring, logging and more.”


Basically, Docker CaaS is an IT Ops managed and secured application environment of infrastructure and content that allows developers to build and deploy applications in a self service manner.
With Docker Datacenter, IT ops teams can store their IP and maintain their management plane on premises (datacenter or VPC). Its an equal treat for developers too – Developers are able to leverage trusted base content, build and ship applications freely as needed without worrying about altering the code to deploy in production.

Docker Datacenter comes with the following integrated components and newer capabilities shown below:





To get started with the implementation, I leveraged 3-node VMs (running on my ESXi 6.0) running Docker 1.11.1 version.


The whole idea is to install Universal Control Plane(UCP) on the master node  and start joining Docker Engines(Client Nodes) to the Swarm cluster with just a few commands in the CLI. Once up and running, use the intuitive web admin UI to configure your system settings, integrate to LDAP/AD, add users or connect your Trusted Registry. End users can also use the web UI to interact with applications, containers, networks, volumes and images as part of their development process.  At the end of this blog post, you will realize its just a matter of few commands which can help you setup DDC-In-A-Box.



Setting up UCP Controller Node:

I picked up Ubuntu 14.04 system for setting up UCP controller node. First install Docker 1.11.1 on this system using the below command:

#curl -fsSL https://get.docker.com/ | sh

My machine showed the below docker information:

Version: 1.11.1
API version: 1.23
Go version: go1.5.4
Git commit: 5604cbe
Built: Tue Apr 26 23:30:23 2016
OS/Arch: linux/amd64

Version: 1.11.1
API version: 1.23
Go version: go1.5.4
Git commit: 5604cbe
Built: Tue Apr 26 23:30:23 2016
OS/Arch: linux/amd64

You install UCP by using the Engine CLI to run the ucp tool. The ucp tool is an image with subcommands to install a UCP controller or join a node to a UCP controller. Let’s setup a UCP controller node first as shown below:

root@ucp-client1:~# docker run –rm -it –name ucp   -v /var/run/docker.sock:/var/run/docker.sock   docker/ucp install -i   –host-address

Once this command is successful, you will need to add your user to “docker” group as shown below:

$sudo usermod -aG docker  <user>

I had a user “dell” added to this group, hence it will show up:

dell@dell-virtual-machine:~$ id
uid=1000(dell) gid=1000(dell) groups=1000(dell),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare),999(docker)




Attaching UCP Nodes to the Controller Node

Browse to UCP Controller WebUI  > Nodes > Add Node as shown below:


I assume Docker 1.11 is already installed on the UCP Client node to be attached to controller node.

Let’s run the below command to join it to the cluster:

root@ucp-client1:~# docker run –rm -it –name ucp -v /var/run/docker.sock:/var/run/docker.sock docker/ucp join   –admin-username admin   –interactive   –url   –fingerprint 11:43:43:18:F2:82:D7:80:E7:8E:2C:2C:4A:F5:27:A0:C9:A2:FC:DC:E8:3E:62:56:15:BC:7F:FA:CE:0B:8D:C2


This will end up with the following SUCCESS message:

INFO[0011] Starting local swarm containers

INFO[0013] New configuration established.  Signalling the daemon to load it…

INFO[0014] Successfully delivered signal to daemon


You can check that this is part of UCP cluster as show below:

root@ucp-client1:~# docker info | tail -3

WARNING: No swap limit support

Registry: https://index.docker.io/v1/

Cluster store: etcd://

Cluster advertise:

Similarly, add the 3rd Node to the controller node and hence you will see it displayed under UCP Web UI:



If you try to see what containers are running on your client nodes:

[root@ucp-client2 ~]# docker ps
d862f8d89841 docker/ucp-swarm:1.1.0 “/swarm join –discov” 38 minutes ago Up 38 minutes 2375/tcp ucp-swarm-join
a519b9a913d4 docker/ucp-proxy:1.1.0 “/bin/run” 38 minutes ago Up 38 minutes>2376/tcp ucp-proxy

How UCP handles the newly created container might be one curious question for anyone who deploy DDC for the first time. Let’s try creating a nagios container and see how DDC actually handles that.

Browse to Dashboard > Containers > Deploy and let’s create a new container called nagios_ajeetraina as shown below:


Ensure that the port 80 has been listed under the exposed ports as shown below:





As shown below, the nagios container is built from ajeetraina/nagios image from Dockerhub.


You can see the complete status details of Nagios container under Container section :


As you scroll down, the ports information is rightly shown:


Now lets check what does it shows under box:

If you go to machine and check the running container, you will find:


[root@ucp-client1 ~]# docker ps

CONTAINER ID        IMAGE                      COMMAND                  CREATED             STATUS              PORTS                        NAMES

0f4fd5a286d2        ajeetraina/nagios:latest   “/usr/bin/supervisord”   12 hours ago        Up 12 hours         25/tcp,>80/tcp   ajeetraina-nagios

d862f8d89841        docker/ucp-swarm:1.1.0     “/swarm join –discov”   21 hours ago        Up 21 hours         2375/tcp                     ucp-swarm-join

a519b9a913d4        docker/ucp-proxy:1.1.0     “/bin/run”               21 hours ago        Up 21 hours>2376/tcp      ucp-proxy


Yipee !!! The UCP and swarm got the Nagios up and running on the available resource i.e.,

What if I start another instance of Nagios? Shall we try that?  

I will create another container again under DDC Web UI. Here I have the snapshot of the container:


Let’s check what port it has been running on:



Well, I supplied port number: 80 while I created the new container. Let me see if Nagios is coming up fine or not.



This is just awesome !!! The UCP and Swarm together pushed the new Nagios container to the other client node which is now hosting the Nagios under the port:81 as expected.

Hence we saw that Docker Datacenter brings interesting features like UCP, Docker API and embeds Swarm integration which  allows the application portability based on resource availability and  makes “scale-out” architecture possible through an easy setup.




Adding new Host to Docker Swarm & Universal Control Plane through Docker Machine

Estimated Reading Time: 2 minutes

In our previous post, we spent considerable time in understanding what is Universal Control Plane(UCP) and how to add hosts to UCP.  For UCP to work, swarm cluster is a per-requisite, hence let’s understand how to quickly setup Swarm agent node through Docker Machine.


By this time, you will be able to see a new Docker-8 instance gets created.


Let’s open up Docker-8 instance which we created by clicking on SSH at the right end. Though you can also use Docker-Machine to login to run commands.


Finally, I am going to add this new machine to existing swarm cluster as shown below:


Ensure that the right token is added as shown above.

You will be able to see the new node added to the swarm cluster as shown below:


Finally, add this new node to UCP as shown below:


Let’s verify that UCP has detected the 3rd Node in the swarm cluster.


Hurray !! We have added a new node to the swarm cluster and then got it reflected under Universal Control Plane.

Docker Container Management using Universal Control Plane

Estimated Reading Time: 6 minutes

Docker recently announced Universal Control Plane (UCP) beta availability to the public. This tool delivers Enterprise-ready capabilities and is meant to be run in companies’ on-premises data centers and public cloud environments too.  The Beta access is a Christmas gift for both developers and operation engineers.

UCP looks promising in managing the entire lifecycle of Docker-based applications — automating the workflow between development and production — regardless of whether the containers run on hosted or in-house platforms.Developers can deploy applications in containers with the new tool, while operations people can use it to determine which data center infrastructure gets used.

The UCP is meant as one central system to cut across any cloud, any infrastructure and easily provision anything one need from a compute, network, storage and policy standpoint.

As Docker Inc. clearly states its capabilities in terms of:

  • Enterprise-ready capabilities such as LDAP/AD integration, on-premises deployment and high availability, scale, and load balancing.
  • For developers and IT ops, a quick and easy way to build, ship, and run distributed apps from a single Docker framework.Docker native solution using core Docker tools, API and vast ecosystem.
  • Fastest time to value with an easy to deploy and use solution for Docker management.

The control plane integrates the native Docker tools – Engine, Compose and Swarm – and integrates them on a graphical front end. I enrolled for beta access few days back and tried my hands in setting up UCP on my Google Cloud Engine. I had already 4 nodes swarm cluster running on recently purchased Google Cloud Engine. Here is the available Docker Swarm setup which I used to explore Universal Control Plane  and demonstrate how easily it manages and configures containers, hosts, and network flawlessly.


Remember:- UCP requires a minimum of 1.50 GB, ensure that you don’t choose micro instances for setting up UCP.

1.Ensure that Docker 1.9.1 is installed on the nodes:

#wget -qO- https://get.docker.com/ | sh

Processing triggers for systemd (225-1ubuntu9) …
Processing triggers for man-db (2.7.4-1) …
Setting up docker-engine (1.9.1-0~wily) …
Installing new version of config file /etc/bash_completion.d/docker …
Installing new version of config file /etc/init.d/docker …
Installing new version of config file /etc/init/docker.conf …
Processing triggers for ureadahead (0.100.0-19) …
Processing triggers for systemd (225-1ubuntu9) …
+ sh -c docker version
Version:      1.9.1
API version:  1.21
Go version:   go1.4.2
Git commit:   a34a1d5
Built:        Fri Nov 20 13:20:08 UTC 2015
OS/Arch:      linux/amd64
Version:      1.9.1
API version:  1.21
Go version:   go1.4.2
Git commit:   a34a1d5
Built:        Fri Nov 20 13:20:08 UTC 2015
OS/Arch:      linux/amd64
If you would like to use Docker as a non-root user, you should now consider
adding your user to the “docker” group with something like:
sudo usermod -aG docker your-user
Remember that you will have to log out and back in for this to take effect!

The above single command is enough to install the latest 1.9.1 version on the nodes. Repeat the command on all the nodes to get UCP working.

2.Run the below command on one of the available node to setup UCP.


root@docker-3:~# docker run –rm -it -v /var/run/docker.sock:/var/run/docker.sock –name ucp dockerorca/ucp install  -i
INFO[0000] Verifying your system is compatible with UCP
Please choose your initial Orca admin password:
Confirm your initial password:
INFO[0009] Pulling required images
Please enter your Docker Hub username: ajeetraina
Please enter your Docker Hub password:
Please enter your Docker Hub e-mail address: ajeetraina@gmail.com
INFO[0045] Pulling required images
WARN[0147] None of the hostnames we’ll be using in the UCP certificates [docker-3]
contain a domain component.  Your generated certs may fail TLS validation unless you only use one of these shortna
mes or IPs to connect.  You can use the –san flag to add more aliases
You may enter additional aliases (SANs) now or press enter to proceed with the above list.
Additional aliases:
INFO[0221] Installing UCP with host address – If this is incorrect, please use the ‘–host-address’ flag
to specify a different address
WARN[0000] None of the hostnames we’ll be using in the UCP certificates [docker-3] contain a domain component.  Your generated certs may fail TLS validation unless you only use one of th
ese shortnames or IPs to connect.  You can use the –san flag to add more aliases
INFO[0005] Generating Swarm Root CA
INFO[0024] Generating UCP Root CA
INFO[0032] Deploying UCP Containers
INFO[0074] UCP Server SSL: SHA1 Fingerprint=85:07:66:3B:D3:46:9D:3F:FE:4D:4A:22:59:D1:80:41:2A:57:DE:70
INFO[0074] Login as “admin”/(your admin password) to UCP at

That’s it. You can now browse to the web browser to see the UCP working.


Once login, you will see the single host machine (as we haven’t still added any further nodes) as shown:


Adding Nodes to Docker UCP:


Run the below command to add more nodes:

root@docker-1:~# docker run –rm -it  –name ucp  -v /var/run/docker.sock:/var/run/docker.sock  dockerorca/ucp join  –url  –san
–host-address –interactive
Please enter the URL to your Orca Server:
Orca server
Subject: ucp
Issuer: UCP Root CA
SHA1 Fingerprint=85:07:66:3B:D3:46:9D:3F:FE:4D:4A:22:59:D1:80:41:2A:57:DE:70
Do you want to trust this server and proceed with the join? (y/n): y
Please enter your UCP Admin username: admin
Please enter your UCP Admin password:
INFO[0024] Pulling required images
Please enter your Docker Hub username: ajeetraina
Please enter your Docker Hub password:
Please enter your Docker Hub e-mail address: ajeetraina@gmail.com
INFO[0047] Pulling required images
WARN[0121] None of the hostnames we’ll be using in the UCP certificates [docker-1] contain a domain component.  Your gen
erated certs may fail TLS validation unless you only use one of these shortnames or IPs to connect.  You can use the –san flag to add more aliases
You may enter additional aliases (SANs) now or press enter to proceed with the above list.
Additional aliases:
WARN[0000] None of the hostnames we’ll be using in the UCP certificates [docker-1] contain a domain component
.  Your generated certs may fail TLS validation unless you only use one of these shortnames or IPs to connect.  You can use the –san flag to add more aliases
INFO[0000] This engine will join UCP and advertise itself with host address
INFO[0000] Verifying your system is compatible with UCP
^[[CINFO[0017] Starting local swarm containers

Wow !! You have now node added and displayed under UCP as shown:


Universal Control Plane is feature-rich and holds a set of GUI-based workflows, this control plane can reach into an enterprise registry and pull out specific containers and then allow the administrator to choose which infrastructure to run them on,that could be AWS, Azure, Google Cloud or on-premises OpenStack clouds.

In future, I am going to explore UCP further in terms of its integration with Docker Compose, Docker Engine and Docker Machine. Till then, keep Reading !!