- Welcome to the Docs
- Get Docker
- Get Started
- Docker ID
- Docker Engine
- User Guide
- Introduction
- Work with images
- Docker storage drivers
- Network configuration
- Apply custom metadata
- Admin Guide
- Configuring and running Docker
- Automatically start containers
- Limit a container's resources
- Keep containers alive during daemon downtime
- Control and configure Docker with systemd
- Format command and log output
- Run a local registry mirror
- Logging
- PowerShell DSC Usage
- Using Ansible
- Using Chef
- Using Puppet
- Using Supervisor with Docker
- Runtime metrics
- Link via an ambassador container
- Troubleshoot Docker Engine
- Manage a swarm
- Swarm mode overview
- Swarm mode key concepts
- Get started with swarm mode
- How swarm mode works
- Run Docker Engine in swarm mode
- Join nodes to a swarm
- Manage nodes in a swarm
- Deploy services to a swarm
- Manage sensitive data with Docker secrets
- Lock your swarm
- Attach services to an overlay network
- Swarm administration guide
- Raft consensus in swarm mode
- Secure Engine
- Extend Engine
- Dockerize an application
- Dockerfile reference
- Docker run reference
- Use the Docker command line
- Daemon CLI reference (dockerd)
- Engine CLI reference
- docker (base command)
- docker attach
- docker build
- docker checkpoint *
- docker commit
- docker container *
- docker container
- docker container attach
- docker container commit
- docker container cp
- docker container create
- docker container diff
- docker container exec
- docker container export
- docker container inspect
- docker container kill
- docker container logs
- docker container ls
- docker container pause
- docker container port
- docker container prune
- docker container rename
- docker container restart
- docker container rm
- docker container run
- docker container start
- docker container stats
- docker container stop
- docker container top
- docker container unpause
- docker container update
- docker container wait
- docker cp
- docker create
- docker deploy
- docker diff
- docker events
- docker exec
- docker export
- docker history
- docker image *
- docker images
- docker import
- docker info
- docker inspect
- docker kill
- docker load
- docker login
- docker logout
- docker logs
- docker network *
- docker node *
- docker pause
- docker plugin *
- docker port
- docker ps
- docker pull
- docker push
- docker rename
- docker restart
- docker rm
- docker rmi
- docker run
- docker save
- docker search
- docker secret *
- docker service *
- docker stack *
- docker start
- docker stats
- docker stop
- docker swarm *
- docker system *
- docker tag
- docker top
- docker unpause
- docker update
- docker version
- docker volume *
- docker wait
- Engine API
- User Guide
- Docker Compose
- Overview of Docker Compose
- Install Compose
- Getting Started
- Docker Stacks and Distributed Application Bundles
- Using Compose with Swarm
- Quickstart: Compose and Django
- Quickstart: Compose and Rails
- Quickstart: Compose and WordPress
- Environment file
- Environment variables in Compose
- Extending Services in Compose
- Networking in Compose
- Using Compose in Production
- Compose File Reference
- Command-line Reference
- Command-line Completion
- Link Environment Variables
- Controlling startup order
- Frequently Asked Questions
- CS Docker Engine
- Docker Datacenter
- Deploy Datacenter on AWS
- Deploy Datacenter on Linux
- Universal Control Plane 2.0
- Docker Trusted Registry 2.1
- Previous versions
- Universal Control Plane 1.0
- Docker Trusted Registry 2.0
- Docker Cloud
- About Docker Cloud
- Docker Cloud Settings and Docker ID
- Organizations and Teams
- Getting Started
- Introducing Docker Cloud
- Link to your Infrastructure
- Deploy your first node
- Deploy your first service
- Deploy an application
- Introduction to Deploying an app in Docker Cloud
- Set up your environment
- Prepare the application
- Push the image to Docker Cloud's Registry
- Deploy the app as a Docker Cloud service
- Define environment variables
- Scale the service
- View service logs
- Load-balance the service
- Provision a data backend for the service
- Stackfiles for your service
- Data management with Volumes
- Manage Applications
- Add a Deploy to Docker Cloud button
- Automatic container destroy
- Automatic container restart
- Automatic service redeploy
- Create a proxy or load balancer
- Deployment tags
- Manage service stacks
- Publish and expose service or container ports
- Redeploy running services
- Scale your service
- Service API Roles
- Service discovery and links
- Stack YAML reference
- Use triggers
- Work with data volumes
- Manage Builds and Images
- Manage Infrastructure
- Infrastructure Overview
- Container distribution strategies
- Link to Amazon Web Services hosts
- Link to DigitalOcean hosts
- Link to Microsoft Azure hosts
- Link to Packet hosts
- Link to SoftLayer hosts
- SSH into a Docker Cloud-managed node
- Upgrade Docker Engine on a node
- Use the Docker Cloud Agent
- Using Docker Cloud and Packet.net
- Using Docker Cloud on AWS
- Docker Cloud notifications in Slack
- The Docker Cloud CLI
- Known Issues in Docker Cloud
- API reference
- Release Notes
- Docker Hub
- Docker Machine
- Docker Store
- Component Projects
- Docker Swarm
- Swarm Overview
- How to get Swarm
- Evaluate Swarm in a sandbox
- Plan for Swarm in production
- Build a Swarm cluster for production
- Try Swarm at scale
- High availability in Swarm
- Swarm and container networks
- Discovery
- Provision with Machine
- Scheduling
- Overview Docker Swarm with TLS
- Configure Docker Swarm for TLS
- Command line reference
- API response codes
- Docker Swarm API
- Docker Registry
- Registry Overview
- Understanding the Registry
- Deploying a registry server
- Configuring a registry
- Working with notifications
- Recipes
- Reference
- Reference Overview
- HTTP API V2
- Image Manifest V 2, Schema 1
- Image Manifest V 2, Schema 2
- Garbage Collection
- Testing an insecure registry
- Deprecated Features
- Compatibility
- Docker Registry Token Authentication
- Token Authentication Implementation
- Oauth2 Token Authentication
- Token Scope Documentation
- Token Authentication Specification
- Storage Drivers
- Getting help
- Docker Notary
- Docker Swarm
- Open Source at Docker
- Quickstart contribution
- Set up for Engine Development
- FAQ for contributors
- Where to chat or get help
- Style guide for Docker documentation
- About
- Docs archive
CLI-based access
Estimated reading time: 2 minutesDocker UCP secures your cluster with role-based access control, so that only authorized users can perform changes to the cluster.
For this reason, when running docker commands on a UCP node, you need to authenticate your request using client certificates. When trying to run docker commands without a valid certificate, you get an authentication error:
$ docker ps
x509: certificate signed by unknown authority
There are two different types of client certificates:
- Admin user certificate bundles: allow running docker commands on the Docker Engine of any node,
- User certificate bundles: only allow running docker commands through a UCP controller node.
Download client certificates
To download a client certificate bundle, log into the UCP web UI, and navigate to your user profile page.
Click the Create a Client Bundle button, to download the certificate bundle.
Use client certificates
Once you’ve downloaded a client certificate bundle to your local computer, you can use it to authenticate your requests.
Navigate to the directory where you downloaded the user bundle, and unzip it.
Then source the env.sh script.
$ unzip ucp-bundle-dave.lauper.zip
$ cd ucp-bundle-dave.lauper
$ eval $(<env.sh)
The env.sh script updates the DOCKER_HOST environment variable to make your
local Docker CLI communicate with UCP. It also updates the DOCKER_CERT_PATH
environment variables to use the client certificates that are included in the
client bundle you downloaded.
From now on, when you use the Docker CLI client, it includes your client certificates as part of the request to the Docker Engine. You can now use the Docker CLI to create services, networks, volumes and other resources on a swarm managed by UCP.
Download client certificates using the REST API
You can also download client bundles using the UCP REST API. In
this example we’ll be using curl for making the web requests to the API, and
jq to parse the responses.
To install these tools on a Ubuntu distribution, you can run:
$ sudo apt-get update && apt-get install curl jq
Then you get an authentication token from UCP, and use it to download the client certificates.
# Create an environment variable with the user security token
$ AUTHTOKEN=$(curl -sk -d '{"username":"<username>","password":"<password>"}' https://<ucp-ip>/auth/login | jq -r .auth_token)
# Download the client certificate bundle
$ curl -k -H "Authorization: Bearer $AUTHTOKEN" https://<ucp-ip>/api/clientbundle -o bundle.zip
Where to go next
Feedback? Suggestions? Can't find something in the docs?Edit this page ● Request docs changes ● Get support
Rate this page: