
The platform layer – Docker Enterprise engine, UCP, and DTR

At the platform layer, the Docker software is installed and configured on top of the infrastructure layer, which we discussed in the previous section. We prepare each of the Docker nodes in the cluster by installing the Docker Enterprise Engine. Before you start this process, you need to purchase your Docker license or get a free 30-day trial license. In either case, the license key storebits link will appear in your Docker store account under My Contents.

We will walk through an actual install later in the book using a sample AWS installation with Ubuntu. But generally speaking, we install the Docker Enterprise engine using an encrypted link to configure a Linux package manager repository on each node, then use the package manager to install the appropriate version of the engine.

After the Docker Engine is installed and started, there are a few things you want to do:

  1. Update the storage driver and the logging driver in the /etc/docker/daemon.json file. A service restart is required for these changes to become active.
  2. Add your Linux user to the docker group so you don't have to run Docker commands with root privileges. Membership of this group is effectively root-equivalent on the node, so add only trusted accounts.
  3. Install and configure any Docker plugins.
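
A sketch of step 1, as an added example that is not from the book: it merges storage and logging driver settings into an existing daemon.json without discarding other keys, and reports whether a restart is needed. The driver values (overlay2, json-file with log rotation) and the sample file contents are assumptions, since the page does not name them.

```python
import json, os, tempfile

# Assumed target settings; the page does not say which drivers to choose.
DESIRED = {
    "storage-driver": "overlay2",
    "log-driver": "json-file",
    "log-opts": {"max-size": "10m", "max-file": "3"},
}
# Constructed sample of an existing daemon.json that has unrelated settings.
SAMPLE = '{"live-restore": true, "log-opts": {"labels": "env"}}'

def merge_daemon_config(existing_text, desired=DESIRED):
    """Return (new_json_text, changed_keys); existing keys are preserved."""
    text = existing_text.strip()
    try:
        current = json.loads(text) if text else {}
    except json.JSONDecodeError as exc:
        raise ValueError(f"daemon.json is not valid JSON: {exc}") from exc
    if not isinstance(current, dict):
        raise ValueError("daemon.json must hold a JSON object")
    merged, changed = dict(current), []
    for key, value in desired.items():
        if isinstance(value, dict) and isinstance(current.get(key), dict):
            value = {**current[key], **value}  # keep unrelated sub-options
        if merged.get(key) != value:
            merged[key] = value
            changed.append(key)
    return json.dumps(merged, indent=2, sort_keys=True) + "\n", changed

def apply(path, desired=DESIRED):
    """Update the file at path; return True when a restart is required."""
    try:
        with open(path) as fh:
            existing = fh.read()
    except FileNotFoundError:
        existing = ""
    new_text, changed = merge_daemon_config(existing, desired)
    if not changed:
        return False
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write(new_text)
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)  # atomic swap: never leave a half-written file
    return True

if __name__ == "__main__":
    print(merge_daemon_config(SAMPLE)[0])
```

When `apply()` returns True, restart the Docker service so the changes become active, as step 1 requires; a False result means the file already matched and no restart is needed.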

Once the engines are all installed, it's time for us to move on to setting up the cluster. We install UCP on the first manager node, and then join the other nodes into the cluster. After UCP is up and all of the manager and worker nodes are joined, the Docker Trusted Registry (DTR) is installed. Again, there will be a lot more detail as we walk through a real setup in the installation chapter.

Now, you have a new cluster with a DTR up and running. The administrator adds users to the cluster RBAC system, usually by connecting to an LDAP system and using a special query to define a sync point for UCP users with the corporation-wide LDAP directory. Docker Enterprise 2.1 also has a SAML-based single sign-on option, which we will discuss later. You can also set up new UCP users with the GUI or by running a script against the UCP API.

Once you have users created, you can give them the appropriate access to UCP and DTR resources. This is done by a grant system where you can assign fine-grained rights to clusters (Swarm collections and Kubernetes namespace resources) based on organizational membership, team membership, or by individual account. Once accounts are set up, developers can access cluster resources based on the privileges granted by the administrator. Now that UCP and DTR are installed and initially configured, we can focus our attention on the application layer.
