docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #15483 from aiordache/ddl_registry 

Registry access management setup for DDL
This commit is contained in:
jerae-duffin 2022-08-31 16:15:02 -05:00 committed by GitHub
parent 7cdab60dfb fd8fa8782f
commit 0cba5cac66
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 67 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
_includes/configure-registry-json.md
View File

@ -8,8 +8,12 @@ least one organization the user is a member of, they can sign in to Docker
Desktop and access all their organizations. Desktop and access all their organizations.
Based on the user's operating system, you must create a `registry.json` file at the following location and make sure the file can't be edited by the user: Based on the user's operating system, you must create a `registry.json` file at the following location and make sure the file can't be edited by the user:
- Windows: `/ProgramData/DockerDesktop/registry.json`
- Mac: `/Library/Application Support/com.docker.docker/registry.json` | Platform | Location |
|----------|----------------------------------------------------------------|
| Windows | `/ProgramData/DockerDesktop/registry.json` |
| Mac | `/Library/Application Support/com.docker.docker/registry.json` |
| Linux | `/usr/share/docker-desktop/registry/registry.json` |
The `registry.json` file must contain the following contents, where `myorg` is replaced with your organization's name. The `registry.json` file must contain the following contents, where `myorg` is replaced with your organization's name.
@ -24,16 +28,15 @@ You can use the following methods to create a `registry.json` file based on the
<ul class="nav nav-tabs"> <ul class="nav nav-tabs">
<li class="active"><a data-toggle="tab" data-target="#windows">Windows</a></li> <li class="active"><a data-toggle="tab" data-target="#windows">Windows</a></li>
<li><a data-toggle="tab" data-target="#mac">Mac</a></li> <li><a data-toggle="tab" data-target="#mac">Mac</a></li>
<li><a data-toggle="tab" data-target="#linux">Linux</a></li>
</ul> </ul>
<div class="tab-content"> <div class="tab-content">
<div id="windows" class="tab-pane fade in active" markdown="1"> <div id="windows" class="tab-pane fade in active" markdown="1">
### Windows ### Windows
On Windows, you can use the following methods to create a `registry.json` file. On Windows, you can use the following methods to create a `registry.json` file.
#### Create registry.json when installing Docker Desktop on Windows #### Create registry.json when installing Docker Desktop on Windows
To automatically create a `registry.json` file when installing Docker Desktop, download `Docker Desktop Installer.exe` and run one of the following commands from the directory containing `Docker Desktop Installer.exe`. Replace `myorg` with your organization's name. To automatically create a `registry.json` file when installing Docker Desktop, download `Docker Desktop Installer.exe` and run one of the following commands from the directory containing `Docker Desktop Installer.exe`. Replace `myorg` with your organization's name.
@ -67,7 +70,6 @@ This creates the `registry.json` file at `C:\ProgramData\DockerDesktop\registry.
On Mac, you can use the following methods to create a `registry.json` file. On Mac, you can use the following methods to create a `registry.json` file.
#### Create registry.json when installing Docker Desktop on Mac #### Create registry.json when installing Docker Desktop on Mac
To automatically create a registry.json file when installing Docker Desktop, download `Docker.dmg` and run the following commands in a terminal from the directory containing `Docker.dmg`. Replace `myorg` with your organization's name. To automatically create a registry.json file when installing Docker Desktop, download `Docker.dmg` and run the following commands in a terminal from the directory containing `Docker.dmg`. Replace `myorg` with your organization's name.
@ -108,4 +110,42 @@ $ sudo ls -l "/Library/Application Support/com.docker.docker/registry.json"
-rw-r--r-- 1 root admin 26 Jul 27 22:01 /Library/Application Support/com.docker.docker/registry.json -rw-r--r-- 1 root admin 26 Jul 27 22:01 /Library/Application Support/com.docker.docker/registry.json
``` ```
</div>
<div id="linux" class="tab-pane fade" markdown="1">
### Linux
On Linux, you can use the following methods to create a `registry.json` file.
#### Create registry.json manually on Linux
To manually create a `registry.json` file, run the following commands in a terminal
and replace `myorg` with your organization's name.
```console
$ sudo mkdir -p /usr/share/docker-desktop/registry
$ echo '{"allowedOrgs":["myorg"]}' | sudo tee /usr/share/docker-desktop/registry/registry.json
```
This creates (or updates, if the file already exists) the `registry.json` file
at `/usr/share/docker-desktop/registry/registry.json` and includes
the organization information to which the user belongs. Make sure the file has the
expected content and can't be edited by the user, only by root.
Verify that the content of the file contains the correct information:
```console
$ sudo cat /usr/share/docker-desktop/registry/registry.json
{"allowedOrgs":["myorg"]}
```
Verify that the file has the expected permissions (`-rw-r--r--`) and ownership
(`root`):
```console
$ sudo ls -l /usr/share/docker-desktop/registry/registry.json
-rw-r--r-- 1 root root 26 Jul 27 22:01 /usr/share/docker-desktop/registry/registry.json
```
</div></div> </div></div>

20
docker-hub/registry-access-management.md
View File

@ -10,8 +10,9 @@ Registry Access Management is a feature available to organizations with a Docker
Download Docker Desktop v4.8 or a later release. Download Docker Desktop v4.8 or a later release.
- [Download and install for Windows](/desktop/install/windows-install/) - [Download and install for Windows](../desktop/install/windows-install.md)
- [Download and install for Mac](/desktop/install/mac-install/) - [Download and install for Mac](../desktop/install/mac-install.md)
- [Download and install for Linux](../desktop/install/linux-install.md)
## Configure Registry Access Management permissions ## Configure Registry Access Management permissions
@ -39,7 +40,7 @@ To configure Registry Access Management permissions, perform the following steps
To ensure that each org member uses Registry Access Management on their local machine, you can perform the steps below to enforce sign-in under your organization. To do this: To ensure that each org member uses Registry Access Management on their local machine, you can perform the steps below to enforce sign-in under your organization. To do this:
1. Download the latest version of Docker Desktop, and then 1. Download the latest version of Docker Desktop, and then
2. Create a `registry.json` file by following the instructions for [Windows and Mac](/docker-hub/configure-sign-in/). 2. Create a `registry.json` file by following the instructions for [Windows, Mac and Linux](configure-sign-in.md).
## Verify the restrictions ## Verify the restrictions
@ -49,12 +50,11 @@ To ensure that each org member uses Registry Access Management on their local ma
There are certain limitations when using Registry Access Management; they are as follows: There are certain limitations when using Registry Access Management; they are as follows:
* Windows image pulls, and image builds are not restricted - Windows image pulls, and image builds are not restricted
* Builds such as `docker buildx` using a Kubernetes driver are not restricted - Builds such as `docker buildx` using a Kubernetes driver are not restricted
* Builds such as `docker buildx` using a custom docker-container driver are not restricted - Builds such as `docker buildx` using a custom docker-container driver are not restricted
* Blocking is DNS-based; you must use a registry's access control mechanisms to distinguish between “push” and “pull” - Blocking is DNS-based; you must use a registry's access control mechanisms to distinguish between “push” and “pull”
* WSL 2 requires at least a 5.4 series Linux kernel (this does not apply to earlier Linux kernel series) - WSL 2 requires at least a 5.4 series Linux kernel (this does not apply to earlier Linux kernel series)
* Under the WSL 2 network, traffic from all Linux distributions is restricted (this will be resolved in the updated 5.15 series Linux kernel) - Under the WSL 2 network, traffic from all Linux distributions is restricted (this will be resolved in the updated 5.15 series Linux kernel)
Also, Registry Access Management operates on the level of hosts, not IP addresses. Developers can bypass this restriction within their domain resolution, for example by running Docker against a local proxy or modifying their operating system's `sts` file. Blocking these forms of manipulation is outside the remit of Docker Desktop. Also, Registry Access Management operates on the level of hosts, not IP addresses. Developers can bypass this restriction within their domain resolution, for example by running Docker against a local proxy or modifying their operating system's `sts` file. Blocking these forms of manipulation is outside the remit of Docker Desktop.