Merge pull request #15483 from aiordache/ddl_registry

Registry access management setup for DDL

_includes/configure-registry-json.md

@@ -8,14 +8,18 @@ least one organization the user is a member of, they can sign in to Docker
 Desktop and access all their organizations.
 
 Based on the user's operating system, you must create a `registry.json` file at the following location and make sure the file can't be edited by the user:
-   - Windows: `/ProgramData/DockerDesktop/registry.json`
-   - Mac: `/Library/Application Support/com.docker.docker/registry.json`
+
+| Platform | Location                                                       |
+|----------|----------------------------------------------------------------|
+| Windows  | `/ProgramData/DockerDesktop/registry.json`                     |
+| Mac      | `/Library/Application Support/com.docker.docker/registry.json` |
+| Linux    | `/usr/share/docker-desktop/registry/registry.json`             |
 
 The `registry.json` file must contain the following contents, where `myorg` is replaced with your organization's name.
 
 ```json
 {
-   "allowedOrgs":["myorg"]
+  "allowedOrgs": ["myorg"]
 }
 ```
 
@@ -24,16 +28,15 @@ You can use the following methods to create a `registry.json` file based on the
 <ul class="nav nav-tabs">
 <li class="active"><a data-toggle="tab" data-target="#windows">Windows</a></li>
 <li><a data-toggle="tab" data-target="#mac">Mac</a></li>
+<li><a data-toggle="tab" data-target="#linux">Linux</a></li>
 </ul>
 <div class="tab-content">
 <div id="windows" class="tab-pane fade in active" markdown="1">
 
-
 ### Windows
 
 On Windows, you can use the following methods to create a `registry.json` file.
 
-
 #### Create registry.json when installing Docker Desktop on Windows
 
 To automatically create a `registry.json` file when installing Docker Desktop, download `Docker Desktop Installer.exe` and run one of the following commands from the directory containing `Docker Desktop Installer.exe`. Replace `myorg` with your organization's name.
@@ -67,13 +70,12 @@ This creates the `registry.json` file at `C:\ProgramData\DockerDesktop\registry.
 
 On Mac, you can use the following methods to create a `registry.json` file.
 
-
 #### Create registry.json when installing Docker Desktop on Mac
 
 To automatically create a registry.json file when installing Docker Desktop, download `Docker.dmg` and run the following commands in a terminal from the directory containing `Docker.dmg`. Replace `myorg` with your organization's name.
 
 ```console
-$ sudo hdiutil attach Docker.dmg 
+$ sudo hdiutil attach Docker.dmg
 $ sudo /Volumes/Docker/Docker.app/Contents/MacOS/install --allowed-org=myorg
 $ sudo hdiutil detach /Volumes/Docker
 ```
@@ -108,4 +110,42 @@ $ sudo ls -l "/Library/Application Support/com.docker.docker/registry.json"
 -rw-r--r--  1 root  admin  26 Jul 27 22:01 /Library/Application Support/com.docker.docker/registry.json
 ```
 
+</div>
+
+<div id="linux" class="tab-pane fade" markdown="1">
+
+### Linux
+
+On Linux, you can use the following methods to create a `registry.json` file.
+
+#### Create registry.json manually on Linux
+
+To manually create a `registry.json` file, run the following commands in a terminal
+and replace `myorg` with your organization's name.
+
+```console
+$ sudo mkdir -p /usr/share/docker-desktop/registry
+$ echo '{"allowedOrgs":["myorg"]}' | sudo tee /usr/share/docker-desktop/registry/registry.json
+```
+
+This creates (or updates, if the file already exists) the `registry.json` file
+at `/usr/share/docker-desktop/registry/registry.json` and includes
+the organization information to which the user belongs. Make sure the file has the
+expected content and can't be edited by the user, only by root.
+
+Verify that the content of the file contains the correct information:
+
+```console
+$ sudo cat /usr/share/docker-desktop/registry/registry.json
+{"allowedOrgs":["myorg"]}
+```
+
+Verify that the file has the expected permissions (`-rw-r--r--`) and ownership
+(`root`):
+
+```console
+$ sudo ls -l /usr/share/docker-desktop/registry/registry.json
+-rw-r--r--  1 root  root  26 Jul 27 22:01 /usr/share/docker-desktop/registry/registry.json
+```
+
 </div></div>

docker-hub/registry-access-management.md

@@ -10,8 +10,9 @@ Registry Access Management is a feature available to organizations with a Docker
 
 Download Docker Desktop v4.8 or a later release.
 
-- [Download and install for Windows](/desktop/install/windows-install/)
-- [Download and install for Mac](/desktop/install/mac-install/)
+- [Download and install for Windows](../desktop/install/windows-install.md)
+- [Download and install for Mac](../desktop/install/mac-install.md)
+- [Download and install for Linux](../desktop/install/linux-install.md)
 
 ## Configure Registry Access Management permissions
 
@@ -21,16 +22,16 @@ To configure Registry Access Management permissions, perform the following steps
 2. Select an organization, navigate to the **Settings** tab on the **Organizations** page and click **Registry Access**.
 3. Enable Registry Access Management to set the permissions for your registry.
 
-     > **Note**
-     >
-     > When enabled, the Docker Hub registry is set by default, however you can also restrict this registry for your developers.
+   > **Note**
+   >
+   > When enabled, the Docker Hub registry is set by default, however you can also restrict this registry for your developers.
 
 4. Click **Add** and enter your registry details in the applicable fields, and click **Create** to add the registry to your list.
-5. Verify that the registry appears in your list and click **Save & Apply**.  You can verify that your changes are saved in the Activity tab.
+5. Verify that the registry appears in your list and click **Save & Apply**. You can verify that your changes are saved in the Activity tab.
 
-      > **Note**
-      >
-      > Once you add a registry, it can take up to 24 hours for the changes to be enforced on your developers’ machines. If you want to apply the changes sooner, you must force a Docker logout on your developers’ machine and have the developers re-authenticate for Docker Desktop.  Also, there is no limit on the number of registries you can add. See the [Caveats](#caveats) section to learn more about limitations when using this feature.
+   > **Note**
+   >
+   > Once you add a registry, it can take up to 24 hours for the changes to be enforced on your developers’ machines. If you want to apply the changes sooner, you must force a Docker logout on your developers’ machine and have the developers re-authenticate for Docker Desktop. Also, there is no limit on the number of registries you can add. See the [Caveats](#caveats) section to learn more about limitations when using this feature.
 
 ![Registry Access Management](images/registry-access-management.png){:width="700px"}
 
@@ -39,22 +40,21 @@ To configure Registry Access Management permissions, perform the following steps
 To ensure that each org member uses Registry Access Management on their local machine, you can perform the steps below to enforce sign-in under your organization. To do this:
 
 1. Download the latest version of Docker Desktop, and then
-2. Create a `registry.json` file by following the instructions for [Windows and Mac](/docker-hub/configure-sign-in/).
+2. Create a `registry.json` file by following the instructions for [Windows, Mac and Linux](configure-sign-in.md).
 
 ## Verify the restrictions
 
-   The new Registry Access Management policy should be in place after the developer successfully authenticates to Docker Desktop using their organization credentials. The developer can attempt to pull an image from a disallowed registry via the Docker CLI. They will then receive an error message that your organization has disallowed this registry.
+The new Registry Access Management policy should be in place after the developer successfully authenticates to Docker Desktop using their organization credentials. The developer can attempt to pull an image from a disallowed registry via the Docker CLI. They will then receive an error message that your organization has disallowed this registry.
 
 ### Caveats
 
-  There are certain limitations when using Registry Access Management; they are as follows:
+There are certain limitations when using Registry Access Management; they are as follows:
 
-  * Windows image pulls, and image builds are not restricted
-  * Builds such as `docker buildx` using a Kubernetes driver are not restricted
-  * Builds such as `docker buildx` using a custom docker-container driver are not restricted
-  * Blocking is DNS-based; you must use a registry's access control mechanisms to distinguish between “push” and “pull”
-  * WSL 2 requires at least a 5.4 series Linux kernel  (this does not apply to earlier Linux kernel series)
- * Under the WSL 2 network, traffic from all Linux distributions is restricted (this will be resolved in the updated 5.15 series Linux kernel)
-
-  Also, Registry Access Management operates on the level of hosts, not IP addresses. Developers can bypass this restriction within their domain resolution, for example by running Docker against a local proxy or modifying their operating system's `sts` file. Blocking these forms of manipulation is outside the remit of Docker Desktop.
+- Windows image pulls, and image builds are not restricted
+- Builds such as `docker buildx` using a Kubernetes driver are not restricted
+- Builds such as `docker buildx` using a custom docker-container driver are not restricted
+- Blocking is DNS-based; you must use a registry's access control mechanisms to distinguish between “push” and “pull”
+- WSL 2 requires at least a 5.4 series Linux kernel (this does not apply to earlier Linux kernel series)
+- Under the WSL 2 network, traffic from all Linux distributions is restricted (this will be resolved in the updated 5.15 series Linux kernel)
 
+Also, Registry Access Management operates on the level of hosts, not IP addresses. Developers can bypass this restriction within their domain resolution, for example by running Docker against a local proxy or modifying their operating system's `sts` file. Blocking these forms of manipulation is outside the remit of Docker Desktop.