Pre OSS commit

nginx · nginx · commit 980e32e143f4 · 2024-11-21T15:36:00.000Z
diff --git a/content/includes/licensing-and-reporting/download-jwt-crt-from-myf5.md b/content/includes/licensing-and-reporting/download-jwt-crt-from-myf5.md
@@ -0,0 +1,9 @@
+---
+docs:
+---
+
+* Log in to [MyF5](https://my.f5.com/manage/s/).
+* Go to **My Products & Plans > Subscriptions** to see your active subscriptions.
+* Find your NGINX products or services subscription, and select the **Subscription ID** for details.
+* Download the **nginx-repo.crt** and **nginx-repo.key** from the subscription page.
+* Download the **JSON Web Token** (JWT) from the subscription page.
diff --git a/content/nginx/admin-guide/installing-nginx/installing-nginx-docker.md b/content/nginx/admin-guide/installing-nginx/installing-nginx-docker.md
@@ -13,8 +13,13 @@ weight: 600
 <span id="prereq"></span>
 ## Prerequisites
 
-- Docker installation
-- for NGINX Plus: JWT license file, *nginx-repo.crt* and *nginx-repo.key* files 
+- The [Docker Engine](https://docs.docker.com/engine/install/) command-line tool
+- for NGINX Plus:
+
+  * the JSON Web Token (JWT) from [MyF5](https://my.f5.com) customer portal
+  * the *nginx-repo.crt* and *nginx-repo.key* files from [MyF5](https://my.f5.com) customer portal
+  * your private Docker registry is configured and running
+
 - for NGINX Open Source: [Docker Hub](https://hub.docker.com/) account
 
 
@@ -23,18 +28,20 @@ weight: 600
 
 Since NGINX Plus <a href="../../../releases/#r31">Release 31</a> you can get an NGINX Plus image from the official NGINX Plus Docker registry and upload it to your private registry.
 
-The NGINX Plus Docker registry is available at `https://private-registry.nginx.com/v2/`. It contains the following image types:
+The NGINX Plus Docker registry is available at `https://private-registry.nginx.com/v2/`. 
 
-- [NGINX Plus]({{< ref "/nginx/releases.md" >}}):
+The registry contains the following image types:
+
+- [NGINX Plus]({{< ref "/nginx/releases.md" >}}):</br>
   `https://private-registry.nginx.com/v2/nginx-plus/base`
 
-- [Unprivileged]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md#nginx-plus-unprivileged-installation" >}}) installation of NGINX Plus:
+- [Unprivileged]({{< ref "/nginx/admin-guide/installing-nginx/installing-nginx-plus.md#nginx-plus-unprivileged-installation" >}}) installation of NGINX Plus:</br>
   `https://private-registry.nginx.com/v2/nginx-plus/rootless-base`
 
-- NGINX Plus bundled with [NGINX Agent](https://docs.nginx.com/nginx-agent/overview/):
+- NGINX Plus bundled with [NGINX Agent](https://docs.nginx.com/nginx-agent/overview/):</br>
   `https://private-registry.nginx.com/v2/nginx-plus/agent`
 
-- Unprivileged installation of NGINX Plus and NGINX Agent:
+- Unprivileged installation of NGINX Plus and NGINX Agent:</br>
   `https://private-registry.nginx.com/v2/nginx-plus/rootless-agent`
 
 The images can be targeted for a particular operating system and NGINX Plus release using tags.
@@ -69,11 +76,11 @@ curl https://private-registry.nginx.com/v2/nginx-plus/<nginxplus-image-type>/tag
 
 where:
 - the `<nginxplus-image-type>` is the location of images in NGINX Plus private registry:
-  - `base` — NGINX Plus only 
-  - `rootless-base` — NGINX Plus run from `nginx` user
-` - `agent` — NGINX Plus along with NGINX Agent in a single image
-  - `rootless-agent` — NGINX Plus with NGINX Agent both run from `nginx` user
-  - `modules` — NGINX Plus dynamic modules <!-- As described in internal issue SE-3 -->
+  - `base` is NGINX Plus only
+  - `rootless-base` is NGINX Plus run from `nginx` user
+  - `agent` is NGINX Plus along with NGINX Agent in a single image
+  - `rootless-agent` is NGINX Plus with NGINX Agent both run from `nginx` user
+  - `modules` is NGINX Plus dynamic modules <!-- As described in internal issue SE-3 -->
 
 - the `<nginx-repo.key>` is a local path to your client key from MyF5, for example, `/etc/ssl/nginx/nginx-repo-x12345.key`
 
@@ -90,10 +97,7 @@ Before you get a container image, you should provide the JSON Web Token file or
 {{<tabs name="product_keys">}}
 
 {{%tab name="JSON Web Token"%}}
-1. Log in to the [MyF5](https://my.f5.com) customer portal.
-2. Go to **My Products and Plans** > **Subscriptions**.
-3. Select the product subscription.
-4. Download the **JSON Web Token** file.
+{{< include "licensing-and-reporting/download-jwt-from-myf5.md" >}}
 {{% /tab %}}
 
 {{%tab name="SSL"%}}
@@ -183,6 +187,8 @@ docker pull private-registry.nginx.com/nginx-plus/modules:<version-tag>
 
 After pulling the image, tag it and upload it to your private registry.
 
+> **Note:** Never upload your NGINX Plus images to a public repository such as Docker Hub. Doing so violates your license agreement.
+
 Log in to your private registry:
 
 ```shell
@@ -193,53 +199,63 @@ Tag and push the image. Replace `<my-docker-registry>` with your registry’s pa
 
 ```shell
 docker tag private-registry.nginx.com/nginx-plus/base:<version-tag> <my-docker-registry>/nginx-plus/base:<version-tag>
+```
+
+```shell
 docker push <my-docker-registry>/nginx-plus/base:<version-tag>
 ```
 
 ### Running the NGINX Plus container
 
-To start the Docker container, replace `YOUR_DATA_PLANE_KEY` with your data plane key and `YOUR_JWT_HERE` with your JWT, `VERSION_TAG` with the version tag you pulled.
-
-**For NGINX Plus R33**:
+{{< note >}} Starting from [NGINX Plus Release 33]({{< ref "nginx/releases.md#r33" >}}), the JWT file is required for each NGINX Plus instance. For more information, see [About Subscription Licenses]({{< ref "/solutions/about-subscription-licenses.md">}}). {{< /note >}}
 
-- Use the `NGINX_LICENSE_JWT` variable to pass your JWT license
-- Alternatively, specify the license file path with `NGINX_LICENSE_PATH` (default: `/etc/nginx/license.jwt`).
-s
-For more information about NGINX Plus license and usage reporting see [About Subscription Licenses]({{< ref "/solutions/about-subscription-licenses.md">}}).
+To start the Docker container with NGINX Plus, you will need to pass your JWT license file named `license.jwt` as the `NGINX_LICENSE_JWT` environment variable. If the license file needs to be located in a non-default directory, specify its full path using the `NGINX_LICENSE_PATH` variable (default path: `/etc/nginx/license.jwt`).
 
 To start the Docker container with NGINX Plus only:
 ```sh
 sudo docker run \
---env=NGINX_LICENSE_JWT="YOUR_JWT_HERE" \
+--env=NGINX_LICENSE_JWT=license.jwt \
 --restart=always \
 --runtime=runc \
--d private-registry.nginx.com/nginx-plus/base:<VERSION_TAG>
+-d <YOUR_REGISTRY>/nginx-plus/base:<VERSION_TAG>
 ```
 
-To start the Docker container with NGINX Plus and NGINX Agent:
+To start the Docker container with NGINX Plus and NGINX Agent,
+you will need to additionally pass the NGINX One data plane key as the `NGINX_AGENT_SERVER_TOKEN` environment variable. For more information, see [Create and manage data plane keys](https://docs.nginx.com/nginx-one/how-to/data-plane-keys/create-manage-data-plane-keys/):
+
 ```sh
 sudo docker run \
---env=NGINX_LICENSE_JWT="YOUR_JWT_HERE" \
+--env=NGINX_LICENSE_JWT=license.jwt \
 --env=NGINX_AGENT_SERVER_GRPCPORT=443 \
 --env=NGINX_AGENT_SERVER_HOST=agent.connect.nginx.com \
---env=NGINX_AGENT_SERVER_TOKEN="YOUR_NGINX_ONE_DATA_PLANE_KEY_HERE" \
+--env=NGINX_AGENT_SERVER_TOKEN="YOUR_NGINX_ONE_DATA_PLANE_KEY" \
 --env=NGINX_AGENT_TLS_ENABLE=true \
 --restart=always \
 --runtime=runc \
--d private-registry.nginx.com/nginx-plus/agent:<VERSION_TAG>
+-d <YOUR_REGISTRY>/nginx-plus/agent:<VERSION_TAG>
 ```
 
+where:
+ - `NGINX_LICENSE_JWT` is your JWT license file from MyF5. The file name should be `license.jwt`.
+ - `NGINX_AGENT_SERVER_GRPCPORT` sets a GRPC port used by NGINX Agent to communicate with NGINX Instance Manager.
+ - `NGINX_AGENT_SERVER_HOST` sets the domain name or IP address of NGINX Instance Manager. Note that for production environments it is not recommended to expose NGINX Instance Manager to public networks.
+ - `NGINX_AGENT_SERVER_TOKEN` sets NGINX One data plane key. See [Create and manage data plane keys](https://docs.nginx.com/nginx-one/how-to/data-plane-keys/create-manage-data-plane-keys/) for details.
+ - `NGINX_AGENT_TLS_ENABLE` enables mutual TLS, server-side TLS, or insecure mode (not recommended for production environments). See [Encrypt communication](https://docs.nginx.com/nginx-agent/configuration/encrypt-communication/) for details.
+ - `YOUR_REGISTRY` is the path to your private registry.
+ - `VERSION_TAG` is the tag assigned when pushing to your registry.
+
+
 <br>
 
 {{<call-out "" "Example:" "" >}}
-To start the container with the `debian` or `ubuntu` image:
+To start the Docker Container with NGINX Plus and NGINX Agent on Debian or Ubuntu:
 
 ```sh
 sudo docker run \
---env=NGINX_LICENSE_JWT="YOUR_JWT_HERE" \
+--env=NGINX_LICENSE_JWT="license.jwt" \
 --env=NGINX_AGENT_SERVER_GRPCPORT=443 \
 --env=NGINX_AGENT_SERVER_HOST=agent.connect.nginx.com \
---env=NGINX_AGENT_SERVER_TOKEN="YOUR_NGINX_ONE_DATA_PLANE_KEY_HERE" \
+--env=NGINX_AGENT_SERVER_TOKEN="YOUR_NGINX_ONE_DATA_PLANE_KEY" \
 --env=NGINX_AGENT_TLS_ENABLE=true \
 --restart=always \
 --runtime=runc \
diff --git a/content/nginx/admin-guide/installing-nginx/installing-nginx-plus.md b/content/nginx/admin-guide/installing-nginx/installing-nginx-plus.md
