From a494c4ad961c0b05eb828907db5ca5e60cf5fec7 Mon Sep 17 00:00:00 2001 From: aiordache Date: Wed, 24 Aug 2022 17:48:00 +0100 Subject: [PATCH 1/5] update registry access management docs for DD4L Signed-off-by: aiordache --- _includes/configure-registry-json.md | 52 ++++++++++++++++++++---- docker-hub/registry-access-management.md | 36 ++++++++-------- 2 files changed, 63 insertions(+), 25 deletions(-) diff --git a/_includes/configure-registry-json.md b/_includes/configure-registry-json.md index fb8ca75bc2..a284e69708 100644 --- a/_includes/configure-registry-json.md +++ b/_includes/configure-registry-json.md @@ -8,14 +8,16 @@ least one organization the user is a member of, they can sign in to Docker Desktop and access all their organizations. Based on the user's operating system, you must create a `registry.json` file at the following location and make sure the file can't be edited by the user: - - Windows: `/ProgramData/DockerDesktop/registry.json` - - Mac: `/Library/Application Support/com.docker.docker/registry.json` + +- Windows: `/ProgramData/DockerDesktop/registry.json` +- Mac: `/Library/Application Support/com.docker.docker/registry.json` +- Linux: `/usr/share/docker-desktop/registry/registry.json` The `registry.json` file must contain the following contents, where `myorg` is replaced with your organization's name. ```json { - "allowedOrgs":["myorg"] + "allowedOrgs": ["myorg"] } ``` @@ -24,16 +26,15 @@ You can use the following methods to create a `registry.json` file based on the
- ### Windows On Windows, you can use the following methods to create a `registry.json` file. - #### Create registry.json when installing Docker Desktop on Windows To automatically create a `registry.json` file when installing Docker Desktop, download `Docker Desktop Installer.exe` and run one of the following commands from the directory containing `Docker Desktop Installer.exe`. Replace `myorg` with your organization's name. @@ -67,13 +68,12 @@ This creates the `registry.json` file at `C:\ProgramData\DockerDesktop\registry. On Mac, you can use the following methods to create a `registry.json` file. - #### Create registry.json when installing Docker Desktop on Mac To automatically create a registry.json file when installing Docker Desktop, download `Docker.dmg` and run the following commands in a terminal from the directory containing `Docker.dmg`. Replace `myorg` with your organization's name. ```console -$ sudo hdiutil attach Docker.dmg +$ sudo hdiutil attach Docker.dmg $ sudo /Volumes/Docker/Docker.app/Contents/MacOS/install --allowed-org=myorg $ sudo hdiutil detach /Volumes/Docker ``` @@ -108,4 +108,42 @@ $ sudo ls -l "/Library/Application Support/com.docker.docker/registry.json" -rw-r--r-- 1 root admin 26 Jul 27 22:01 /Library/Application Support/com.docker.docker/registry.json ``` +
+ +
+ +### Linux + +On Linux, you can use the following methods to create a `registry.json` file. + +#### Create registry.json manually on Linux + +To manually create a `registry.json` file, run the following commands in a terminal +and replace `myorg` with your organization's name. + +```console +$ sudo mkdir -p /usr/share/docker-desktop/registry +$ echo '{"allowedOrgs":["myorg"]}' | sudo tee /usr/share/docker-desktop/registry/registry.json +``` + +This creates (or updates, if the file already exists) the `registry.json` file +at `/usr/share/docker-desktop/registry/registry.json` and includes +the organization information to which the user belongs. Make sure the file has the +expected content and can't be edited by the user, only by root. + +Verify that the content of the file contains the correct information; + +```console +$ sudo cat /usr/share/docker-desktop/registry/registry.json +{"allowedOrgs":["myorg"]} +``` + +Verify that the file has the expected permissions (`-rw-r--r--`) and ownership +(`root`): + +```console +$ sudo ls -l /usr/share/docker-desktop/registry/registry.json +-rw-r--r-- 1 root root 26 Jul 27 22:01 /usr/share/docker-desktop/registry/registry.json +``` +
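Review bot: the Linux section tells the reader the file must be editable "only by root", but `sudo mkdir -p` and `sudo tee` create the directory and file with whatever mode the caller's umask yields, and the verification step only inspects the file, not `/usr/share/docker-desktop/registry`. A user who can write to that directory can delete or replace `registry.json` even when the file itself shows `-rw-r--r-- 1 root root`. Suggest setting ownership and mode explicitly after the `tee` and checking the parent directory as well, e.g. `$ sudo chown root:root /usr/share/docker-desktop/registry/registry.json`, `$ sudo chmod 644 /usr/share/docker-desktop/registry/registry.json` and `$ sudo ls -ld /usr/share/docker-desktop/registry`. Minor wording point in the same hunk: "creates (or updates, if the file already exists)" is inaccurate for `tee`, which overwrites the file; "replaces" says what actually happens.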
diff --git a/docker-hub/registry-access-management.md b/docker-hub/registry-access-management.md index 28edff749c..4f8755ff22 100644 --- a/docker-hub/registry-access-management.md +++ b/docker-hub/registry-access-management.md @@ -12,6 +12,7 @@ Download Docker Desktop v4.8 or a later release. - [Download and install for Windows](/desktop/install/windows-install/) - [Download and install for Mac](/desktop/install/mac-install/) +- [Download and install for Linux](/desktop/install/linux-install/) ## Configure Registry Access Management permissions 
@@ -21,16 +22,16 @@ To configure Registry Access Management permissions, perform the following steps 2. Select an organization, navigate to the **Settings** tab on the **Organizations** page and click **Registry Access**. 3. Enable Registry Access Management to set the permissions for your registry. - > **Note** - > - > When enabled, the Docker Hub registry is set by default, however you can also restrict this registry for your developers. + > **Note** + > + > When enabled, the Docker Hub registry is set by default, however you can also restrict this registry for your developers. 4. Click **Add** and enter your registry details in the applicable fields, and click **Create** to add the registry to your list. -5. Verify that the registry appears in your list and click **Save & Apply**. You can verify that your changes are saved in the Activity tab. +5. Verify that the registry appears in your list and click **Save & Apply**. You can verify that your changes are saved in the Activity tab. - > **Note** - > - > Once you add a registry, it can take up to 24 hours for the changes to be enforced on your developers’ machines. If you want to apply the changes sooner, you must force a Docker logout on your developers’ machine and have the developers re-authenticate for Docker Desktop. Also, there is no limit on the number of registries you can add. See the [Caveats](#caveats) section to learn more about limitations when using this feature. + > **Note** + > + > Once you add a registry, it can take up to 24 hours for the changes to be enforced on your developers’ machines. If you want to apply the changes sooner, you must force a Docker logout on your developers’ machine and have the developers re-authenticate for Docker Desktop. Also, there is no limit on the number of registries you can add. See the [Caveats](#caveats) section to learn more about limitations when using this feature. ![Registry Access Management](images/registry-access-management.png){:width="700px"} 
@@ -39,22 +40,21 @@ To configure Registry Access Management permissions, perform the following steps To ensure that each org member uses Registry Access Management on their local machine, you can perform the steps below to enforce sign-in under your organization. To do this: 1. Download the latest version of Docker Desktop, and then -2. Create a `registry.json` file by following the instructions for [Windows and Mac](/docker-hub/configure-sign-in/). +2. Create a `registry.json` file by following the instructions for [Windows, Mac and Linux](/docker-hub/configure-sign-in/). ## Verify the restrictions - The new Registry Access Management policy should be in place after the developer successfully authenticates to Docker Desktop using their organization credentials. The developer can attempt to pull an image from a disallowed registry via the Docker CLI. They will then receive an error message that your organization has disallowed this registry. +The new Registry Access Management policy should be in place after the developer successfully authenticates to Docker Desktop using their organization credentials. The developer can attempt to pull an image from a disallowed registry via the Docker CLI. They will then receive an error message that your organization has disallowed this registry. 
### Caveats - There are certain limitations when using Registry Access Management; they are as follows: +There are certain limitations when using Registry Access Management; they are as follows: - * Windows image pulls, and image builds are not restricted - * Builds such as `docker buildx` using a Kubernetes driver are not restricted - * Builds such as `docker buildx` using a custom docker-container driver are not restricted - * Blocking is DNS-based; you must use a registry's access control mechanisms to distinguish between “push” and “pull” - * WSL 2 requires at least a 5.4 series Linux kernel (this does not apply to earlier Linux kernel series) - * Under the WSL 2 network, traffic from all Linux distributions is restricted (this will be resolved in the updated 5.15 series Linux kernel) - - Also, Registry Access Management operates on the level of hosts, not IP addresses. Developers can bypass this restriction within their domain resolution, for example by running Docker against a local proxy or modifying their operating system's `sts` file. Blocking these forms of manipulation is outside the remit of Docker Desktop. +- Windows image pulls, and image builds are not restricted +- Builds such as `docker buildx` using a Kubernetes driver are not restricted +- Builds such as `docker buildx` using a custom docker-container driver are not restricted +- Blocking is DNS-based; you must use a registry's access control mechanisms to distinguish between “push” and “pull” +- WSL 2 requires at least a 5.4 series Linux kernel (this does not apply to earlier Linux kernel series) +- Under the WSL 2 network, traffic from all Linux distributions is restricted (this will be resolved in the updated 5.15 series Linux kernel) +Also, Registry Access Management operates on the level of hosts, not IP addresses. Developers can bypass this restriction within their domain resolution, for example by running Docker against a local proxy or modifying their operating system's `sts` file. 
Blocking these forms of manipulation is outside the remit of Docker Desktop. From d8ad873ea261d03bf06ca767f175ec2a25987b32 Mon Sep 17 00:00:00 2001 From: jerae-duffin <83294991+jerae-duffin@users.noreply.github.com> Date: Mon, 29 Aug 2022 14:04:20 -0500 Subject: [PATCH 2/5] Update docker-hub/registry-access-management.md Co-authored-by: Sebastiaan van Stijn --- docker-hub/registry-access-management.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docker-hub/registry-access-management.md b/docker-hub/registry-access-management.md index 4f8755ff22..2c1760e094 100644 --- a/docker-hub/registry-access-management.md +++ b/docker-hub/registry-access-management.md @@ -10,9 +10,9 @@ Registry Access Management is a feature available to organizations with a Docker Download Docker Desktop v4.8 or a later release. -- [Download and install for Windows](/desktop/install/windows-install/) -- [Download and install for Mac](/desktop/install/mac-install/) -- [Download and install for Linux](/desktop/install/linux-install/) +- [Download and install for Windows](../desktop/install/windows-install.md) +- [Download and install for Mac](../desktop/install/mac-install.md) +- [Download and install for Linux](../desktop/install/linux-install.md) ## Configure Registry Access Management permissions From cc3dd2dd7c3a246dfb506980c83b277004c1bb34 Mon Sep 17 00:00:00 2001 From: jerae-duffin <83294991+jerae-duffin@users.noreply.github.com> Date: Mon, 29 Aug 2022 14:04:28 -0500 Subject: [PATCH 3/5] Update docker-hub/registry-access-management.md Co-authored-by: Sebastiaan van Stijn --- docker-hub/registry-access-management.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-hub/registry-access-management.md b/docker-hub/registry-access-management.md index 2c1760e094..bce4eb1f5d 100644 --- a/docker-hub/registry-access-management.md +++ b/docker-hub/registry-access-management.md 
@@ -40,7 +40,7 @@ To configure Registry Access Management permissions, perform the following steps To ensure that each org member uses Registry Access Management on their local machine, you can perform the steps below to enforce sign-in under your organization. To do this: 1. Download the latest version of Docker Desktop, and then -2. Create a `registry.json` file by following the instructions for [Windows, Mac and Linux](/docker-hub/configure-sign-in/). +2. Create a `registry.json` file by following the instructions for [Windows, Mac and Linux](configure-sign-in.md). ## Verify the restrictions From 49d08397718c679cc205ac62cf2c5583ff882c6f Mon Sep 17 00:00:00 2001 From: jerae-duffin <83294991+jerae-duffin@users.noreply.github.com> Date: Mon, 29 Aug 2022 14:06:02 -0500 Subject: [PATCH 4/5] Update _includes/configure-registry-json.md Co-authored-by: Sebastiaan van Stijn --- _includes/configure-registry-json.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/_includes/configure-registry-json.md b/_includes/configure-registry-json.md index a284e69708..c914455538 100644 --- a/_includes/configure-registry-json.md +++ b/_includes/configure-registry-json.md 
@@ -9,9 +9,11 @@ Desktop and access all their organizations. Based on the user's operating system, you must create a `registry.json` file at the following location and make sure the file can't be edited by the user: -- Windows: `/ProgramData/DockerDesktop/registry.json` -- Mac: `/Library/Application Support/com.docker.docker/registry.json` -- Linux: `/usr/share/docker-desktop/registry/registry.json` +| Platform | Location | +|----------|----------------------------------------------------------------| +| Windows | `/ProgramData/DockerDesktop/registry.json` | +| Mac | `/Library/Application Support/com.docker.docker/registry.json` | +| Linux | `/usr/share/docker-desktop/registry/registry.json` | The `registry.json` file must contain the following contents, where `myorg` is replaced with your organization's name. From fd8fa8782f64c9b74c9aa0abfe4aa02e3c23b2d0 Mon Sep 17 00:00:00 2001 From: jerae-duffin <83294991+jerae-duffin@users.noreply.github.com> Date: Wed, 31 Aug 2022 16:05:56 -0500 Subject: [PATCH 5/5] Update _includes/configure-registry-json.md --- _includes/configure-registry-json.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_includes/configure-registry-json.md b/_includes/configure-registry-json.md index c914455538..ed71ac2b93 100644 --- a/_includes/configure-registry-json.md +++ b/_includes/configure-registry-json.md @@ -133,7 +133,7 @@ at `/usr/share/docker-desktop/registry/registry.json` and includes the organization information to which the user belongs. Make sure the file has the expected content and can't be edited by the user, only by root. -Verify that the content of the file contains the correct information; +Verify that the content of the file contains the correct information: ```console $ sudo cat /usr/share/docker-desktop/registry/registry.json
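Review bot: in the Caveats hunk of patch 1/5 the re-indent drops the blank line between the last bullet (`- Under the WSL 2 network, ...`) and the paragraph starting `Also, Registry Access Management operates on the level of hosts, ...`, so in Markdown that paragraph becomes a lazy continuation of the WSL 2 list item instead of a separate paragraph; keep a blank line before it. While these lines are being rewritten, `modifying their operating system's `sts` file` should read `hosts` file: the sentence is the one place the page explains that DNS-based blocking can be sidestepped by a local proxy or a hosts-file override, so the typo hides the caveat that matters most to a security reviewer.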
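Review bot: the location table in patch 4/5 still lists the Windows path as `/ProgramData/DockerDesktop/registry.json` (forward slashes, no drive letter), while the Windows section of the same include reports the result as `C:\ProgramData\DockerDesktop\registry.json`; use one form in both places so an administrator checking ACLs on the file is not left guessing which path is meant. The Linux row is the only one with a `registry/` subdirectory, which matches the Linux section below it, so that one is consistent.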