mirror of https://github.com/docker/docs.git
Improve security documentation with warning around windows containers (#21929)
## Description Some background dialog between security, desktop, moby teams and some security researchers. At the present time, this is an accepted risk in Docker Desktop installations for Windows and should be clarified in better detail. ## Related issues or tickets PSEC-1839 ## Reviews <!-- Notes for reviewers here --> <!-- List applicable reviews (optionally @tag reviewers) --> - [ ] Technical review @gabriellavengeo - [ ] Editorial review - [ ] Product review --------- Co-authored-by: Allie Sadler <102604716+aevesdocker@users.noreply.github.com>
This commit is contained in:
parent
1fe65be5b5
commit
04d0957128
|
@ -210,7 +210,7 @@ By default, Docker Desktop is installed at `C:\Program Files\Docker\Docker`.
|
|||
The `install` command accepts the following flags:
|
||||
- `--quiet`: Suppresses information output when running the installer
|
||||
- `--accept-license`: Accepts the [Docker Subscription Service Agreement](https://www.docker.com/legal/docker-subscription-service-agreement) now, rather than requiring it to be accepted when the application is first run
|
||||
- `--no-windows-containers`: Disables the Windows containers integration
|
||||
- `--no-windows-containers`: Disables the Windows containers integration. This can improve security. For more information, see [Windows containers](/manuals/desktop/setup/install/windows-permission-requirements.md#windows-containers).
|
||||
- `--allowed-org=<org name>`: Requires the user to sign in and be part of the specified Docker Hub organization when running the application
|
||||
- `--backend=<backend name>`: Selects the default backend to use for Docker Desktop, `hyper-v`, `windows` or `wsl-2` (default)
|
||||
- `--installation-dir=<path>`: Changes the default installation location (`C:\Program Files\Docker\Docker`)
|
||||
|
|
|
@ -67,7 +67,11 @@ isolated from the Docker daemon and other services running inside the VM.
|
|||
|
||||
## Windows Containers
|
||||
|
||||
Unlike the Linux Docker engine and containers which run in a VM, Windows containers are an operating system feature, and run directly on the Windows host with `Administrator` privileges. For organizations who don't want their developers to run Windows containers, a `–no-windows-containers` installer flag is available from version 4.11 to disable their use.
|
||||
> [!WARNING]
|
||||
>
|
||||
> Enabling Windows containers has important security implications.
|
||||
|
||||
Unlike the Linux Docker Engine and containers which run in a VM, Windows containers are implemented using operating system features, and run directly on the Windows host. If you enable Windows containers during installation, the `ContainerAdministrator` user used for administration inside the container is a local administrator on the host machine. Enabling Windows containers during installation makes it so that members of the `docker-users` group are able to elevate to administrators on the host. For organizations who don't want their developers to run Windows containers, a `-–no-windows-containers` installer flag is available to disable their use.
|
||||
|
||||
## Networking
|
||||
|
||||
|
|
Loading…
Reference in New Issue