
UCP configuration and DTR User auth data storage locations

(Srandey) #1

Hi, after setting up Docker Datacenter, whether we create users using the UCP UI or by using the DTR user creation API, where does that user auth data get stored: in UCP nodes or in DTR nodes? In either case, please help me find the actual path of the user auth storage.

I would also like to know the path where Docker Datacenter configurations are stored, for example cluster configurations, certificates, etc.

Basically I am planning to find the place where all my Datacenter's data is stored and want to use mounted storage, including cluster confs, user auth data, etc. I think any changes to this data in one UCP node or DTR will automatically get replicated across other nodes. In this case, what will happen if I use mounted storage and point all the UCP nodes and DTR nodes to use their respective mounted storage?

(Patrick Devine) #2

Both UCP and DTR store all of their config data in various docker volumes, which you can see by using the command $ docker volume ls. Just look for the ucp-* and dtr-* volumes. UCP takes care of authentication for DTR and I believe that data is stored in the volume ucp-auth-store-data.

That said, both UCP and DTR, when in high availability mode, will take care of replicating all of the data for you. You should not back this with any kind of replicated storage as you will experience data corruption.

The only exception to this is the dtr-registry-* volume. DTR does not automatically replicate the underlying registry, for which you’ll need to use an object store or NFS. We recommend using an object store over NFS as the performance is better; however, both are fine. There are also some improvements for NFS setup and configuration coming up in the next release.
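
An inventory of the volumes described in the reply above, as an added example that is not part of the original posts or of Docker's own tooling. It sorts volume names into those UCP/DTR replicate themselves and the dtr-registry-* volume that needs an object store or NFS; the function names, the REPLICA_ID placeholder and the sample list are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify Docker Datacenter volumes by who replicates them.

# classify_volume NAME -> prints the storage class for one volume name.
classify_volume() {
    case "$1" in
        # Registry image data: DTR does not replicate it (object store or NFS).
        dtr-registry-*) echo "external-storage" ;;
        # Everything else UCP/DTR own: replicated by the product in HA mode,
        # so it should stay on node-local storage.
        ucp-*|dtr-*)    echo "self-replicated" ;;
        *)              echo "other" ;;
    esac
}

# report [live]: reads volume names on stdin, one per line, and prints
# "name<TAB>class<TAB>mountpoint" for UCP/DTR volumes only.
# With "live", the host path is looked up through the local Docker daemon.
report() {
    mode="${1:-}"
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        class=$(classify_volume "$name")
        if [ "$class" = "other" ]; then
            continue
        fi
        mp="-"
        if [ "$mode" = "live" ]; then
            mp=$(docker volume inspect --format '{{ .Mountpoint }}' "$name" 2>/dev/null) || mp="-"
        fi
        printf '%s\t%s\t%s\n' "$name" "$class" "$mp"
    done
}

# Constructed sample of `docker volume ls -q` output (REPLICA_ID is a placeholder).
SAMPLE_VOLUMES='ucp-auth-store-data
dtr-rethink-REPLICA_ID
dtr-registry-REPLICA_ID
myapp-data'

# Offline run on the sample; on a real node use:  docker volume ls -q | report live
printf '%s\n' "$SAMPLE_VOLUMES" | report
```

The mountpoint column answers the "actual path" question for each volume on the node where the script runs.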

(Srandey) #3

Thanks for clarifying and highlighting the risk of data corruption with common/mounted storage.

One more clarification.

The DTR architecture says “dtr-rethink-<replica_id>”, “The volume used by RethinkDB to persist DTR data, like users and repositories”.

Is rethinkDB of DTR used by ucp-auth-store container for persisting data?

Because only the DTR node has RethinkDB. The ucp-auth-store is listed as a container in the UCP architecture, but the volumes list of UCP does not have ucp-auth-store-data.

Or is it a choice for us to specify “create volume ucp-auth-store-data” and use it?
(I came across one page which has ucp-auth-store-data" -

Please help me understand.

(Patrick Devine) #4

There are two separate instances of Rethink, one for UCP and one for DTR. UCP in 1.1+ handles the authentication for DTR, but not the authorization. You shouldn’t need to create any volumes, as both UCP and DTR will take care of that for you.

One thing you should do, however, is keep periodic backups of each of these volumes. You can do this through the DTR and UCP bootstrappers, although the process is slightly different for each of them (hopefully we can simplify this in the future).