Just need to know how to add label(s) to engine nodes when using UCP if at all possible. Goal is to limit my jobs to only run on engines, and not on the controllers.
Answered my own question by doing something like:
docker run -e constraint:node==/name-of-server-to-run-on/ image
If you know the name of your controller node, you could probably make a constraint like this:
docker run -e constraint:node!=/name-of-controller-server/ image
What is the best practice for applying labels to nodes? I am running Ubuntu nodes and have modified /etc/default/docker to include my label in the docker opts:
--label com.mydomain.key="value"
but that doesn’t seem to work. Also, this is a clunky way of adding labels; it would be better if the UCP UI & API allowed for adding labels to nodes.
There’s no specific best practice around this right now, although here are some examples from the documentation: https://docs.docker.com/engine/userguide/labels-custom-metadata/#daemon-labels
We will definitely keep in mind the request for adding labels via UCP UI/API.
Do you have to edit the labels on the nodes themselves? I’m running 2 boot2docker nodes and I would like to add some labels, but I don’t know where to do that. Or should I edit something on the machine that connects to the cluster (CentOS system that runs docker-machine)?
On the boot2docker, inside /var/lib/boot2docker/profile, there was a --label provider=vmwarevsphere.
I changed it to vmwarevsphereS and rebooted, and nothing changed.
It worked; I think you have to reboot the master node after the change.
I was able to get this to work. It required rebooting the docker service and waiting a bit for it to be reflected in the UCP UI.
In several of the examples/guides about RBAC in UCP I’ve seen permission names such as ‘prod’, ‘staging’, etc.
Will we be able to add a label such as com.docker.ucp.access.label=prod-nodes to a node to restrict who can run containers in production?
At the moment RBAC labels apply to containers, not specific nodes. This is to ensure that access control to a particular container type is done independently of the nodes they are scheduled on. (container label maps to a team, not to a node).
Separately, however, you can use affinity and anti-affinity rules to affect node scheduling (https://docs.docker.com/swarm/scheduler/filter/). You could use this to ensure that certain containers are only scheduled on certain types of nodes.
I came by this post several months ago.
I finally came by the answer a couple of weeks ago. Hope this helps: https://github.com/IcaliaLabs/guides/wiki/Docker-UCP-Pro-Tips#with-docker-cs-over-a-debian-host
But when we inspect node object, the label com.docker.ucp.access.label is present.
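
The approach the thread converges on (a daemon label in /etc/default/docker, then a scheduling constraint on that label), shown as an added example that is not part of the original thread. The label com.mydomain.role=engine and the function names are assumptions; the constraint form is the classic Swarm filter syntax from the scheduler documentation linked above.

```shell
# Added example (not from the thread). Assumes a Debian/Ubuntu-style defaults
# file with one double-quoted DOCKER_OPTS="..." line; function names are made up.

# True if an active (uncommented) DOCKER_OPTS line already carries flag $2.
has_label() {
    grep '^DOCKER_OPTS="' "$1" | grep -qF -e "$2 " -e "$2\""
}

# add_daemon_label FILE KEY VALUE: idempotently add --label KEY=VALUE.
add_daemon_label() {
    local file="$1" key="$2" value="$3" flag tmp
    # The defaults file is sourced as shell by the init script, so refuse
    # anything that is not a plain token (no quotes, spaces, ';' or '$').
    case "$key" in ''|*[!A-Za-z0-9._-]*) return 2 ;; esac
    case "$value" in ''|*[!A-Za-z0-9._-]*) return 2 ;; esac
    flag="--label ${key}=${value}"   # two plain ASCII hyphens, straight quotes
    touch "$file"
    if has_label "$file" "$flag"; then
        return 0
    fi
    if grep -q '^DOCKER_OPTS="' "$file"; then
        # Append inside the closing quote of the first active DOCKER_OPTS line.
        tmp=$(mktemp)
        awk -v flag="$flag" '
            /^DOCKER_OPTS="/ && !done { sub(/"[ \t]*$/, " " flag "\""); done = 1 }
            { print }
        ' "$file" > "$tmp"
        cat "$tmp" > "$file"   # rewrite in place, keeping owner and mode
        rm -f "$tmp"
    else
        printf 'DOCKER_OPTS="%s"\n' "$flag" >> "$file"
    fi
}

# Classic Swarm constraint argument matching that label, for: docker run -e ...
swarm_constraint() {
    printf 'constraint:%s==%s\n' "$1" "$2"
}

# Usage on an engine node (then restart the Docker service, as the thread notes):
#   add_daemon_label /etc/default/docker com.mydomain.role engine
#   docker run -e "$(swarm_constraint com.mydomain.role engine)" image
```

Labelling only the engine nodes and constraining on that label keeps jobs off the controllers without hard-coding controller hostnames into every run command.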