0 0 Share PDF

Service constraint warnings

Article ID: KB000580

Issue

If UCP 3.0 is displaying a warning banner saying:

some services are missing their Swarm placement constraints

This means that the cluster has a node that is marked for the Kubernetes orchestrator, but there are Swarm services that do not have the right placement constraints to keep them from being scheduled on this node.

NOTE: If you are seeing this banner in relation to the Docker EE IP Allocator Service while running a cluster on Microsoft Azure, then please ignore this banner and KB. Adding this constraint to your Service will affect future Kubernetes Workers joining your cluster.

Prerequisites

  • UCP 3.0.0 and higher

Resolution

UCP doesn't add these placement constraints automatically to services created in previous versions of UCP because doing so will restart your services' tasks. All new services created through UCP or old services that are updated in UCP will automatically adopt the necessary placement constraints, but to prevent your old services from being scheduled on your Kubernetes nodes, first find the services missing these constraints by sourcing an admin client bundle through UCP and running:

services=$(docker service ls -q)
for service in $services; do
    if docker service inspect $service --format '{{.Spec.TaskTemplate.Placement.Constraints}}' | grep -q -v 'node.labels.com.docker.ucp.orchestrator.swarm==true'; then
        name=$(docker service inspect $service --format '{{.Spec.Name}}')
        if [ $name = "ucp-agent" ] || [ $name = "ucp-agent-win" ] ||  [ $name = "ucp-agent-s390x" ]; then
            continue
        fi
        echo "Service $name (ID: $service) is missing the node.labels.com.docker.ucp.orchestrator.swarm==true placement constraint"
    fi
done

To add the constraint to these services, run the following script:

NOTE: This will cause your services' tasks to restart and will cause downtime for all of the services returned by the above script.

services=$(docker service ls -q)
for service in $services; do
    if docker service inspect $service --format '{{.Spec.TaskTemplate.Placement.Constraints}}' | grep -q -v 'node.labels.com.docker.ucp.orchestrator.swarm==true'; then
        name=$(docker service inspect $service --format '{{.Spec.Name}}')
        if [ $name = "ucp-agent" ] || [ $name = "ucp-agent-win" ] ||  [ $name = "ucp-agent-s390x" ]; then
            continue
        fi
        echo "Updating service $name (ID: $service)"
        docker service update --constraint-add node.labels.com.docker.ucp.orchestrator.swarm==true $service
    fi
done

Known issues

UCP 3.0.4

In UCP 3.0.4, this banner may show up for the ucp-auth-api and ucp-auth-worker services. These services will always run on UCP manager nodes, which always allow mixed workloads, so this does not actually cause any problems. If you'd like the banner to go away, you can update the sevices by running the following commands from a shell session on a manager node.

Warning: The following should only be performed from a shell session on a manager node to avoid possible conflicts with the enableadminucp_scheduling UCP scheduler setting. This procedure is an explicit exception to the best practice of using a UCP certificate bundle to update services.

docker service update --detach --constraint-add node.labels.com.docker.ucp.orchestrator.swarm==true ucp-auth-api
docker service update --detach --constraint-add node.labels.com.docker.ucp.orchestrator.swarm==true ucp-auth-worker
docker service update --detach --constraint-add node.labels.com.docker.ucp.orchestrator.swarm==true ucp-auth-api-s390x
docker service update --detach --constraint-add node.labels.com.docker.ucp.orchestrator.swarm==true ucp-auth-worker-s390x

UCP 3.1.5

Since ucp 3.1.5, internal services ucp-*-s390x were removed, so these services are seen as user services.

To disable this warning message, you will need to remove these services (used normally for s390x server arch):

docker service rm ucp-agent-s390x
docker service rm ucp-auth-api-s390x
docker service rm ucp-auth-worker-s390x