mirantis/ucp install

Use this command to install MKE on a node. Running this command will initialize a new swarm, turn a node into a manager, and install MKE.

When installing MKE, you can customize:

  • The MKE web server certificates. Create a volume named ucp-controller-server-certs and copy the ca.pem, cert.pem, and key.pem files to the root directory. Next, run the install command with the --external-server-cert flag.

  • The license used by MKE, which you can accomplish by bind-mounting the file at /config/docker_subscription.lic in the tool or by specifying the --license $(cat license.lic) option.

    For example, to bind-mount the file:

    -v /path/to/my/config/docker_subscription.lic:/config/docker_subscription.lic

If you’re joining more nodes to this swarm, open the following ports in your firewall:

  • 443 or the --controller-port

  • 2376 or the --swarm-port

  • 12376, 12379, 12380, 12381, 12382, 12383, 12384, 12385, 12386, 12387

  • 4789 (UDP) and 7946 (TCP/UDP) for overlay networking


If you are installing MKE on a manager node with SELinunx enabled at the daemon and OS level, you will need to pass --security-opt label=disable in to your install command. This flag will disable SELinux policies on the installation container. The MKE installation container mounts and configures the Docker Socket as part of the MKE installation container, therefore the MKE installation will fail with the following permission denied error if you fail to pass in this flag.

FATA[0000] unable to get valid Docker client: unable to ping Docker daemon: Got
permission denied while trying to connect to the Docker daemon socket at
unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/_ping: dial
unix /var/run/docker.sock: connect: permission denied - If SELinux is enabled
on the Docker daemon, make sure you run MKE with "docker run --security-opt
label=disable -v /var/run/docker.sock:/var/run/docker.sock ..."

An installation command for a system with SELinux enabled at the daemon level would be:

docker container run \
    --rm \
    --interactive \
    --tty \
    --name ucp \
    --security-opt label=disable \
    --volume /var/run/docker.sock:/var/run/docker.sock \
    mirantis/ucp \
    install [command options]

Cloud Providers

If you are installing on a public cloud platform, there is cloud specific MKE installation documentation:

  • For Microsoft Azure, this is mandatory.

  • For AWS, this is optional.




--debug, -D

Enable debug mode


Produce json formatted output for easier parsing.

--interactive, -i

Run in interactive mode and prompt for configuration values.

--admin-password value

The MKE administrator password [$UCP_ADMIN_PASSWORD].

--admin-username value

The MKE administrator username [$UCP_ADMIN_USER].

--azure-ip-count value

Configure the Number of IP Address to be provisioned for each Azure Virtual Machine (default: “128”).


Set the Docker Swarm scheduler to binpack mode. Used for backwards compatibility.

--cloud-provider value

The cloud provider for the cluster.

--cni-installer-url value

A URL pointing to a Kubernetes YAML file to be used as an installer for the CNI plugin of the cluster. If specified, the default CNI plugin will not be installed. If the URL is using the HTTPS scheme, no certificate verification will be performed

--controller-port value

Port for the web UI and API (default: 443).

--data-path-addr value

Address or interface to use for data path traffic. Format: IP address or network interface name [$UCP_DATA_PATH_ADDR].


Disable anonymous tracking and analytics.


Disable anonymous usage reporting.

--dns-opt value

Set DNS options for the MKE containers [$DNS_OPT].

--dns-search value

Set custom DNS search domains for the MKE containers [$DNS_SEARCH].

--dns value

Set custom DNS servers for the MKE containers [$DNS].


Enable performance profiling.


Use the latest existing MKE config during this installation. The install will fail if a config is not found.


Customize the certificates used by the MKE web server.

--external-service-lb value

Set the IP address of the load balancer that published services are expected to be reachable on.


Force install to continue even with unauthenticated Mirantis Container Runtime ports.


Force the install/upgrade even if the system does not meet the minimum requirements.

--host-address value

The network address to advertise to other nodes. Format: IP address or network interface name [$UCP_HOST_ADDRESS].

--iscsiadm-pathvalue value

Path to the host iscsiadm binary. This option is applicable only when –storage-iscsi is specified.

--kube-apiserver-port value

Port for the Kubernetes API server (default: 6443).

--kv-snapshot-count value

Number of changes between key-value store snapshots (default: 20000) [$KV_SNAPSHOT_COUNT].

--kv-timeout value

Timeout in milliseconds for the key-value store (default: 5000) [$KV_TIMEOUT].

--license value

Add a license: e.g. –license “$(cat license.lic)” [$UCP_LICENSE].

--nodeport-range value

Allowed port range for Kubernetes services of type NodePort (Default: 32768-35535) (default: “32768-35535”).

--pod-cidr value

Kubernetes cluster IP pool for the pods to allocated IP from (Default: (default: “”).


Don’t generate certificates if they already exist.

--pull value

Pull MKE images: ‘always’, when ‘missing’, or ‘never’ (default: “missing”).


Set the Docker Swarm scheduler to random mode. Used for backwards compatibility.

--registry-password value

Password to use when pulling images [$REGISTRY_PASSWORD].

--registry-username value

Username to use when pulling images [$REGISTRY_USERNAME].

--san value

Add subject alternative names to certificates (e.g. –san www1.acme.com –san www2.acme.com) [$UCP_HOSTNAMES].

--service-cluster-ip-range value

Kubernetes Cluster IP Range for Services (default: “”).


Disables checks which rely on detecting which (if any) cloud provider the cluster is currently running on.


Flag to enable experimental features in Kubernetes storage.


Enable ISCSI based Persistent Volumes in Kubernetes.


Enable Docker Swarm experimental features. Used for backwards compatibility.

--swarm-grpc-port value

Port for communication between nodes (default: 2377).

--swarm-port value

Port for the Docker Swarm manager. Used for backwards compatibility (default: 2376).

--unlock-key value

The unlock key for this swarm-mode cluster, if one exists. [$UNLOCK_KEY].


Flag to indicate that Calico is the CNI provider, managed by MKE. (Calico is the default CNI provider.)


Configure the kubelet data root directory on Linux when performing new MKE installations.


Configure the containerd root directory on Linux when performing new MKE installations. Any non-root directory containerd customizations must be made along with the root directory customizations prior to installation and with the --containerd-root flag omitted.

--ingress-controller Available since MKE 3.5.0

Configure the HTTP ingress controller for the management of traffic that originates outside the cluster.

--calico-ebpf-enabled Available since MKE 3.5.0

Sets whether Calico eBPF mode is enabled.

When specifying --calico-ebpf-enabled, do not use --kube-default-drop-masq-bits or --kube-proxy-mode.

--kube-default-drop-masq-bits Available since MKE 3.5.0

Sets whether MKE uses Kubernetes default values for iptables drop and masquerade bits.


Sets the operational mode for kube-proxy.

Valid values: iptables``(default), ``ipvs, disabled