Merge branch 'main' into ENGDOCS-2281

Sarah Sanders 2024-11-13 09:38:26 -08:00 committed by GitHub
commit 3709b9bab5
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
38 changed files with 291 additions and 202 deletions

@ -31,6 +31,7 @@ exceptions:
- DPI
- DSOS
- DVP
- ECI
- ELK
- FAQ
- FUSE
@ -60,6 +61,7 @@ exceptions:
- LTS
- MAC
- MDM
- MDN
- NAT
- NET
- NFS
@ -67,6 +69,7 @@ exceptions:
- NTLM
- NVDA
- OCI
- OS
- OSS
- PATH
- PDF
@ -90,6 +93,7 @@ exceptions:
- SDK
- SLES
- SLSA
- SOCKS
- SPDX
- SQL
- SSD

@ -14,7 +14,7 @@ swap:
(?:sign on|log on|log in|logon|login): sign in
above: previous
adaptor: adapter
admin: administrator
admin(?! console): administrator
administrate: administer
afterwards: afterward
allow: let
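
Review bot: In the swap entry `admin(?! console): administrator`, the lookahead exempts only a single literal space before `console`, so `admin-console`, or "admin" and "console" separated by a newline, does not hit the exemption and is still rewritten to "administrator". If the product name should be exempt in those forms as well, widen the pattern to something like `admin(?![ -]console)` or `admin(?!\s+console)`, and confirm that the rule's case handling covers "Admin Console" as it is capitalized in the docs.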

@ -1,5 +1,4 @@
(?-i)[A-Z]{2,}s
Admin Console
Amazon
Anchore
Apple
@ -108,6 +107,7 @@ Zsh
[Mm]oby
[Oo]nboarding
[Pp]aravirtualization
[Pp]roxied
[Pp]roxying
[Rr]eal-time
[Rr]untimes?
@ -156,5 +156,6 @@ tmpfs
ufw
umask
ungated
untrusted
vSphere
vpnkit

@ -57,9 +57,8 @@ In this hands-on guide, you'll unlock the power of multi-stage builds to create
1. [Download and install](https://www.docker.com/products/docker-desktop/) Docker Desktop.
2. [Download and install](https://www.oracle.com/java/technologies/downloads/) Java.
3. Open this [pre-initialized project](https://start.spring.io/#!type=maven-project&language=java&platformVersion=3.4.0-M3&packaging=jar&jvmVersion=21&groupId=com.example&artifactId=spring-boot-docker&name=spring-boot-docker&description=Demo%20project%20for%20Spring%20Boot&packageName=com.example.spring-boot-docker&dependencies=web) to generate a ZIP file. Heres how that looks:
2. Open this [pre-initialized project](https://start.spring.io/#!type=maven-project&language=java&platformVersion=3.4.0-M3&packaging=jar&jvmVersion=21&groupId=com.example&artifactId=spring-boot-docker&name=spring-boot-docker&description=Demo%20project%20for%20Spring%20Boot&packageName=com.example.spring-boot-docker&dependencies=web) to generate a ZIP file. Heres how that looks:
![A screenshot of Spring Initializr tool selected with Java 21, Spring Web and Spring Boot 3.4.0](images/multi-stage-builds-spring-initializer.webp?border=true)
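
Review bot: The renumbered step 2 still reads "Heres how that looks:" with no apostrophe; since the line is being changed anyway, correct it to "Here's". The hunk also drops the "Download and install Java" prerequisite, so check that no later step in the guide runs a local `java` or `mvn` command that relied on it.
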
@ -72,7 +71,7 @@ In this hands-on guide, you'll unlock the power of multi-stage builds to create
For this demonstration, youve paired Maven build automation with Java, a Spring Web dependency, and Java 21 for your metadata.
4. Navigate the project directory. Once you unzip the file, you'll see the following project directory structure:
3. Navigate the project directory. Once you unzip the file, you'll see the following project directory structure:
```plaintext
@ -109,7 +108,7 @@ In this hands-on guide, you'll unlock the power of multi-stage builds to create
contains most of the information needed to build a customized project. The POM is huge and can seem
daunting. Thankfully, you don't yet need to understand every intricacy to use it effectively.
5. Create a RESTful web service that displays "Hello World!".
4. Create a RESTful web service that displays "Hello World!".
Under the `src/main/java/com/example/spring_boot_docker/` directory, you can modify your

@ -14,7 +14,7 @@ aliases:
params:
featured: true
image: images/learning-paths/scout.png
time: 10 minutes
time: 20 minutes
resource_links:
- title: Docker Scout overview
url: /scout/
@ -22,8 +22,6 @@ params:
url: /scout/quickstart/
- title: Install Docker Scout
url: /scout/install/
- title: Software Bill of Materials
url: /scout/concepts/sbom/
---
When container images are insecure, significant risks can arise. Around 60% of

@ -0,0 +1,36 @@
---
title: Attestations
keywords: build, attestations, sbom, provenance, metadata
description: |
Introduction to SBOM and provenance attestations with Docker Build,
what they are, and why they exist
weight: 50
---
{{< youtube-embed qOzcycbTs4o >}}
[Build attestations](/manuals/build/metadata/attestations/_index.md) give you
detailed information about how an image was built and what it contains. These
attestations, generated by BuildKit during build-time, attach to the final
image as metadata, allowing you to inspect an image to see its origin, creator,
and contents. This information helps you make informed decisions about the
security and impact of the image on your supply chain.
Docker Scout uses these attestations to evaluate the image's security and
supply chain posture, and to provide remediation recommendations for issues. If
issues are detected, such as missing or outdated attestations, Docker Scout can
guide you on how to add or update them, ensuring compliance and improving
visibility into the image's security status.
There are two key types of attestations:
- SBOM, which lists the software artifacts within the image.
- Provenance, which details how the image was built.
You can create attestations by using `docker buildx build` with the
`--provenance` and `--sbom` flags. Attestations attach to the image index,
allowing you to inspect them without pulling the entire image. Docker Scout
leverages this metadata to give you more precise recommendations and better
control over your image's security.
<div id="scout-lp-survey-anchor"></div>
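
Review bot: The last paragraph names `docker buildx build` with the `--provenance` and `--sbom` flags but never shows a command or says how to read the attestations back, which is the first thing a reader of an introduction will try. Add a one-line example such as `docker buildx build --sbom=true --provenance=true -t <image> .` and a pointer for inspecting the result, or say explicitly that the linked Build attestations manual covers both.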

@ -1,7 +1,6 @@
---
title: Common challenges and questions
description: Explore common challenges and questions related to Docker Scout.
weight: 30
---
<!-- vale Docker.HeadingLength = NO -->

@ -1,9 +1,12 @@
---
title: Docker Scout demo
linkTitle: Demo
description: Learn about Docker Scout's powerful features for enhanced supply chain security.
weight: 20
---
{{< youtube-embed "TkLwJ0p46W8" >}}
Docker Scout has powerful features for enhancing containerized application
security and ensuring a robust software supply chain.
@ -15,6 +18,4 @@ security and ensuring a robust software supply chain.
removing unnecessary packages
- Verify and validate remediation efforts using Docker Scout
{{< youtube-embed "TkLwJ0p46W8" >}}
<div id="scout-lp-survey-anchor"></div>

@ -0,0 +1,27 @@
---
title: Remediation
description: Learn how Docker Scout can help you improve your software quality automatically, using remediation
keywords: scout, supply chain, security, remediation, automation
weight: 60
---
{{< youtube-embed jM9zLBf8M-8 >}}
Docker Scout's [remediation feature](/manuals/scout/policy/remediation.md)
helps you address supply chain and security issues by offering tailored
recommendations based on policy evaluations. These recommendations guide you in
improving policy compliance or enhancing image metadata, allowing Docker Scout
to perform more accurate evaluations in the future.
You can use this feature to ensure that your base images are up-to-date and
that your supply chain attestations are complete. When a violation occurs,
Docker Scout provides recommended fixes, such as updating your base image or
adding missing attestations. If there isnt enough information to determine
compliance, Docker Scout suggests actions to help resolve the issue.
In the Docker Scout Dashboard, you can view and act on these recommendations by
reviewing violations or compliance uncertainties. With integrations like
GitHub, you can even automate updates, directly fixing issues from the
dashboard.
<div id="scout-lp-survey-anchor"></div>
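
Review bot: This new page presents remediation as a generally available feature, while another page changed in this commit still says "Remediation with Docker Scout is currently in Beta". State the Beta status here as well, so readers who arrive through the learning path know the feature's maturity. In "If there isnt enough information", `isnt` is missing its apostrophe.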

@ -2,8 +2,13 @@
title: Software supply chain security
description: Learn about software supply chain security (S3C), what it means, and why it is important.
keywords: docker scout, secure, software, supply, chain, security, sssc, sscs, s3c
aliases:
- /scout/concepts/s3c/
weight: 30
---
{{< youtube-embed YzNK6E7APv0 >}}
The term "software supply chain" refers to the end-to-end process of developing
and delivering software, from the development to deployment and maintenance.
Software supply chain security, or "S3C" for short, is the practice for
@ -39,7 +44,7 @@ day where software is built using multiple components from different sources.
Organizations need to have a clear understanding of the software components
they use, and the security risks associated with them.
## Docker Scout
## How Docker Scout is different
Docker Scout is a platform designed to help organizations secure their software
supply chain. It provides tools and services for identifying and managing
@ -53,9 +58,11 @@ updated risk assessment is available within seconds, and earlier in the
development process.
Docker Scout works by analyzing the composition of your images to create a
[Software Bill of Materials (SBOM)](/manuals/scout/concepts/sbom.md). The SBOM is
cross-referenced against the security advisories to identify CVEs that affect
your images. Docker Scout integrates with [over 20 different security
Software Bill of Materials (SBOM). The SBOM is cross-referenced against the
security advisories to identify CVEs that affect your images. Docker Scout
integrates with [over 20 different security
advisories](/manuals/scout/deep-dive/advisory-db-sources.md), and updates its
vulnerability database in real-time. This ensures that your security posture is
represented using the latest available information.
<div id="scout-lp-survey-anchor"></div>
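
Review bot: The rewrapped sentence drops the link from "Software Bill of Materials (SBOM)", leaving the term's first mention on this page without a pointer to its definition. The old target `/manuals/scout/concepts/sbom.md` has evidently moved (this commit adds `/scout/concepts/sbom/` as an alias on the SBOM page), so relink to the new location rather than removing the link.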

@ -2,8 +2,13 @@
title: Software Bill of Materials
description: Learn about Software Bill of Materials (SBOM) and how Docker Scout uses it.
keywords: scout, sbom, software bill of materials, analysis, composition
aliases:
- /scout/concepts/sbom/
weight: 40
---
{{< youtube-embed PbS4y7C7h4A >}}
A Bill of Materials (BOM) is a list of materials, parts, and the quantities of
each needed to manufacture a product. For example, a BOM for a computer might
list the motherboard, CPU, RAM, power supply, storage devices, case, and other
@ -35,16 +40,10 @@ An SBOM typically includes the following information:
Docker Scout uses SBOMs to determine the components that are used in a Docker
image. When you analyze an image, Docker Scout will either use the SBOM that is
attached to the image (using [attestations](/manuals/build/metadata/attestations/_index.md)), or
it will generate an SBOM on the fly by analyzing the contents of the image.
attached to the image as an attestation, or it will generate an SBOM on the fly
by analyzing the contents of the image.
The SBOM is cross-referenced with the [advisory database](/manuals/scout/deep-dive/advisory-db-sources.md)
to determine if any of the components in the image have known vulnerabilities.
## Additional resources
To learn more about generating SBOMs and how SBOMs are used in Docker Scout,
see:
- [Image analysis in Docker Scout](/manuals/scout/explore/analysis.md)
- [View and create SBOMs](/manuals/scout/how-tos/view-create-sboms.md)
<div id="scout-lp-survey-anchor"></div>
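
Review bot: Removing the "Additional resources" list together with the inline attestations link leaves this page with no route to how an SBOM is actually generated or attached to an image. Keep at least the link on "attestation", pointing either at `/manuals/build/metadata/attestations/_index.md` as before or at the new Attestations page added in this commit.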

@ -4,6 +4,8 @@ description: Learn how Docker Scout can help you secure your supply chain.
weight: 10
---
{{< youtube-embed "-omsQ7Uqyc4" >}}
Organizations face significant challenges from data breaches,
including financial losses, operational disruptions, and long-term damage to
brand reputation and customer trust. Docker Scout addresses critical problems
@ -22,6 +24,4 @@ development process. It also integrates with popular development tools like
Docker Desktop and GitHub Actions, providing seamless security management and
compliance checks within existing workflows.
{{< youtube-embed "-omsQ7Uqyc4" >}}
<div id="scout-lp-survey-anchor"></div>

@ -1,6 +1,5 @@
---
title: Docker account overview
linkTitle: Docker accounts
title: Docker accounts
weight: 200
description: Learn how to create and manage your Docker account.
keywords: accounts, docker ID, account management, account settings, docker account, docker home

@ -1,6 +1,5 @@
---
title: Administration overview
linkTitle: Administration
title: Administration
weight: 200
description: Discover manuals on administration for accounts, organizations, and companies.
keywords: admin, administration, company, organization, Admin Console, user accounts, account management

@ -1,6 +1,5 @@
---
title: Overview of Docker Build
linkTitle: Docker Build
title: Docker Build
weight: 100
description: Get an overview of Docker Build to package and bundle your code and ship it anywhere
keywords: build, buildx, buildkit

@ -319,7 +319,7 @@ backslashes to make your Dockerfile more readable, understandable, and
maintainable.
For example, you can chain commands with the `&&` operator, and use
use escape characters to break long commands into multiple lines.
escape characters to break long commands into multiple lines.
```dockerfile
RUN apt-get update && apt-get install -y \

@ -8,6 +8,8 @@ aliases:
- /build/attestations/
---
{{< youtube-embed qOzcycbTs4o >}}
Build attestations describe how an image was built, and what it contains. The
attestations are created at build-time by BuildKit, and become attached to the
final image as metadata.

@ -1,6 +1,5 @@
---
title: Docker Compose overview
linkTitle: Docker Compose
title: Docker Compose
weight: 100
description: Learn how to use Docker Compose to define and run multi-container applications
with this detailed introduction to the tool.

@ -1,6 +1,5 @@
---
title: Overview of Docker Desktop
linkTitle: Docker Desktop
title: Docker Desktop
weight: 100
description: Explore Docker Desktop, what it has to offer, and its key features. Take the next step by downloading or find additional resources
keywords: how to use docker desktop, what is docker desktop used for, what does docker

@ -4,6 +4,8 @@ keywords: mac, troubleshooting, known issues, Docker Desktop
title: Known issues
tags: [ Troubleshooting ]
weight: 30
aliases:
- /desktop/troubleshoot/known-issues/
---
{{< tabs >}}

@ -6,6 +6,8 @@ linkTitle: Common topics
toc_max: 4
tags: [ Troubleshooting ]
weight: 10
aliases:
- /desktop/troubleshoot/topics/
---
> [!TIP]

@ -4,6 +4,8 @@ keywords: linux, mac, windows, troubleshooting, workarounds, Docker Desktop
title: Workarounds for common problems
tags: [ Troubleshooting ]
weight: 20
aliases:
- /desktop/troubleshoot/workarounds/
---
### Reboot

@ -1,59 +1,49 @@
---
description: Find a comprehensive overview of Docker Hub, including its features, administrative settings, how to get started quickly, and more
keywords: Docker, docker, docker hub, hub, repositories, docker account
title: Overview of Docker Hub
linkTitle: Docker Hub
description: Get an overview on Docker Hub to find and share container images
keywords: docker hub, hub, repositories
title: Docker Hub
weight: 100
grid:
- title: Quickstart
description: Step-by-step instructions on getting started on Docker Hub.
icon: explore
link: /docker-hub/quickstart
- title: Create a repository
- title: Repositories
description: Create a repository to share your images with your team, customers,
or the Docker community.
icon: inbox
link: /docker-hub/repos
- title: Manage repository access
description: Manage access to push and pull to your repository and assign permissions.
icon: key
link: /docker-hub/repos/access
- title: Automated builds
description: Learn how you can automatically build images from source code to push to your repositories.
icon: build
link: /docker-hub/builds/how-builds-work
- title: Organizations
description: Learn about organization administration.
icon: store
link: /admin/
- title: Usage
description: Explore usage limits and how to better utilize Docker Hub.
icon: leaderboard
link: /docker-hub/download-rate-limit/
- title: Release notes
description: Find out about new features, improvements, and bug fixes.
icon: note_add
link: /docker-hub/release-notes
---
Docker Hub is a service provided by Docker for finding and sharing container images.
Docker Hub simplifies development with the world's largest container registry
for storing, managing, and sharing Docker images. By integrating seamlessly with
your tools, it enhances productivity and ensures reliable deployment,
distribution, and access to containerized applications. It also provides
developers with pre-built images and assets to speed up development workflows.
It's the worlds largest repository of container images with an array of content sources including container community developers, open source projects, and independent software vendors (ISV) building and distributing their code in containers.
Key features of Docker Hub:
Docker Hub is also where you can go to [carry out administrative tasks for organizations](/admin/). If you have a Docker Team or Business subscription, you can also carry out administrative tasks in the [Docker Admin Console](https://admin.docker.com).
* Unlimited public repositories
* Private repositories
* Webhooks to automate workflows
* GitHub and Bitbucket integrations
* Concurrent and automated builds
* Trusted content featuring high-quality, secure images
{{< tabs >}}
{{< tab name="What key features are included in Docker Hub?" >}}
* [Repositories](../docker-hub/repos/_index.md): Push and pull container images.
* [Builds](builds/_index.md): Automatically build container images from
GitHub and Bitbucket and push them to Docker Hub.
* [Webhooks](webhooks.md): Trigger actions after a successful push
to a repository to integrate Docker Hub with other services.
* [Docker Hub CLI](https://github.com/docker/hub-tool#readme) tool (currently experimental) and an API that allows you to interact with Docker Hub.
* Browse through the [Docker Hub API](/reference/api/hub/latest/) documentation to explore the supported endpoints.
{{< /tab >}}
{{< tab name="What administrative tasks can I perform in Docker Hub?" >}}
* [Create and manage teams and organizations](orgs.md)
* [Create a company](../admin/company/new-company.md)
* [Enforce sign in](../security/for-admins/enforce-sign-in/_index.md)
* Set up [SSO](../security/for-admins/single-sign-on/_index.md) and [SCIM](../security/for-admins/provisioning/scim.md)
* Use [Group mapping](group-mapping.md)
* [Carry out domain audits](domain-audit.md)
* [Use Image Access Management](/manuals/security/for-admins/hardened-desktop/image-access-management.md) to control developers' access to certain types of images
* [Turn on Registry Access Management](/manuals/security/for-admins/hardened-desktop/registry-access-management.md)
{{< /tab >}}
{{< /tabs >}}
In addition to the graphical interface, you can interact with Docker Hub using
the [Docker Hub API](../../reference/api/hub/latest.md) or experimental [Docker
Hub CLI tool](https://github.com/docker/hub-tool#readme).
{{< grid >}}
{{< grid >}}
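
Review bot: The new closing paragraph links the API with a relative path, `../../reference/api/hub/latest.md`, where the text it replaces used `/reference/api/hub/latest/` and other hunks in this commit convert relative links to absolute `/manuals/...` paths. Pick one form so the link survives the next page move. In the feature list, "Trusted content featuring high-quality, secure images" states security as a property of the images themselves; "curated" or "verified" would promise less.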

@ -15,6 +15,18 @@ known issues for each Docker Hub release.
Take a look at the [Docker Public Roadmap](https://github.com/orgs/docker/projects/51/views/1?filterQuery=) to see what's coming next.
## 2024-11-11
### New
- [Personal access tokens](/security/for-developers/access-tokens/) (PATs) now support expiration dates.
## 2024-10-15
### New
- Beta: You can now create [organization access tokens](/security/for-admins/access-tokens/) (OATs) to enhance security for organizations and streamline access management for organizations.
## 2024-03-23
### New
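
Review bot: The 2024-10-15 entry says "for organizations" twice in one sentence ("to enhance security for organizations and streamline access management for organizations"); drop the second occurrence. The 2024-11-11 entry would also be more useful if it said whether expiration dates can be set on existing PATs or only on newly created ones.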

@ -1,6 +1,5 @@
---
title: Docker Engine overview
linkTitle: Docker Engine
title: Docker Engine
weight: 100
description: Find a comprehensive overview of Docker Engine, including how to install, storage details, networking, and more
keywords: Engine

@ -1,6 +1,5 @@
---
title: Overview of Docker Extensions
linkTitle: Docker Extensions
title: Docker Extensions
weight: 100
description: Extensions
keywords: Docker Extensions, Docker Desktop, Linux, Mac, Windows

@ -1,6 +0,0 @@
---
build:
render: never
title: Concepts
weight: 30
---

@ -56,7 +56,7 @@ You can use prefixes with the following commands:
This section contains a few examples showing how you can use prefixes
to specify artifacts for `docker scout` commands.
## Analyze a local project
### Analyze a local project
The `fs://` prefix lets you analyze local source code directly,
without having to build it into a container image.
@ -112,7 +112,7 @@ pkg:npm/fastify@3.29.0
CRITICAL 0
```
## Compare a local project to an image
### Compare a local project to an image
With `docker scout compare`, you can compare the analysis of source code on
your local filesystem with the analysis of a container image.

@ -8,6 +8,8 @@ keywords: scout, supply chain, security, remediation, automation
Remediation with Docker Scout is currently in [Beta](../../release-lifecycle.md#Beta).
{{% /experimental %}}
{{< youtube-embed 7PsZbAsPgsY >}}
Docker Scout helps you remediate supply chain or security issues by providing
recommendations based on policy evaluation results. Recommendations are
suggested actions you can take that improve policy compliance, or that add

@ -37,9 +37,9 @@ weight: 60
Hardened Docker Desktop is a group of security features, designed to improve the security of developer environments with minimal impact on developer experience or productivity.
It lets administrators enforce strict security settings, preventing developers and their containers from bypassing these controls, either intentionally or unintentionally. Additionally, you can enhance container isolation, to mitigate potential security threats such as malicious payloads breaching the Docker Desktop Linux VM and the underlying host.
It lets you enforce strict security settings, preventing developers and their containers from bypassing these controls, either intentionally or unintentionally. Additionally, you can enhance container isolation, to mitigate potential security threats such as malicious payloads breaching the Docker Desktop Linux VM and the underlying host.
Hardened Docker Desktop moves the ownership boundary for Docker Desktop configuration to the organization, meaning that any security controls administrators set cannot be altered by the user of Docker Desktop.
Hardened Docker Desktop moves the ownership boundary for Docker Desktop configuration to the organization, meaning that any security controls you set cannot be altered by the user of Docker Desktop.
It is for security conscious organizations who:
- Dont give their users root or administrator access on their machines
@ -50,8 +50,8 @@ It is for security conscious organizations who:
Hardened Desktop features work independently but collectively to create a defense-in-depth strategy, safeguarding developer workstations against potential attacks across various functional layers, such as configuring Docker Desktop, pulling container images, and running container images. This multi-layered defense approach ensures comprehensive security. It helps mitigate against threats such as:
- Malware and supply chain attacks: Registry Access Management and Image Access Management prevent developers from accessing certain container registries and image types, significantly lowering the risk of malicious payloads. Additionally, ECI restricts the impact of containers with malicious payloads by running them without root privileges inside a Linux user namespace.
- Lateral movement: Air-Gapped Containers lets administrators configure network access restrictions for containers, thereby preventing malicious containers from performing lateral movement within the organization's network.
- Insider threats: Settings Management configures and locks various Docker Desktop settings so administrators can enforce company policies and prevent developers from introducing insecure configurations, intentionally or unintentionally.
- Malware and supply chain attacks: Registry Access Management and Image Access Management prevent developers from accessing certain container registries and image types, significantly lowering the risk of malicious payloads. Additionally, Enhanced Container Isolation (ECI) restricts the impact of containers with malicious payloads by running them without root privileges inside a Linux user namespace.
- Lateral movement: Air-gapped containers lets you configure network access restrictions for containers, thereby preventing malicious containers from performing lateral movement within the organization's network.
- Insider threats: Settings Management configures and locks various Docker Desktop settings so you can enforce company policies and prevent developers from introducing insecure configurations, intentionally or unintentionally.
{{< grid >}}
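
Review bot: In the "Lateral movement" bullet, lowercasing the feature name to "Air-gapped containers" turns it into a plural subject, so "lets you configure" should become "let you configure"; the Air-gapped containers page changed in this same commit already uses "let you restrict". Make the two pages agree.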

@ -9,11 +9,11 @@ aliases:
{{< introduced desktop 4.29.0 "/manuals/desktop/release-notes.md#4290" >}}
Air-Gapped Containers allows administrators to restrict containers from accessing network resources, limiting where data can be uploaded to or downloaded from.
Air-gapped containers let you restrict containers from accessing network resources, limiting where data can be uploaded to or downloaded from.
Docker Desktop can apply a custom set of proxy rules to network traffic from containers. The proxy can be configured to:
- Allow network connections
- Accept network connections
- Reject network connections
- Tunnel through an HTTP or SOCKS proxy
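
Review bot: Changing "Allow network connections" to "Accept network connections" satisfies the `allow: let` swap rule, but "accept" normally describes inbound connections, and these rules apply to network traffic from containers. The value that implements this case is described further down as `DIRECT` ("go direct, without a proxy"), so wording the bullet as "Let network connections go direct" would line the list up with the return values.
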
@ -79,7 +79,7 @@ The `FindProxyForURL` can return the following values:
- `PROXY host_or_ip:port`: Tunnels this request through the HTTP proxy `host_or_ip:port`
- `SOCKS5 host_or_ip:port`: Tunnels this request through the SOCKS proxy `host_or_ip:port`
- `DIRECT`: Allows this request to go direct, without a proxy
- `DIRECT`: Lets this request go direct, without a proxy
- `PROXY reject.docker.internal:any_port`: Rejects this request
In this particular example, HTTP and HTTPS requests for `internal.corp` are sent via the HTTP proxy `10.0.0.1:3128`. Requests to connect to IPs on the subnet `192.168.0.0/24` connect directly. All other requests are blocked.

@ -14,20 +14,15 @@ weight: 40
>
> Image Access Management is available to [Docker Business](/manuals/subscription/core-subscription/details.md#docker-business) customers only.
Image Access Management gives administrators control over which types of images, such as Docker Official Images, Docker Verified Publisher Images, or community images, their developers can pull from Docker Hub.
Image Access Management gives you control over which types of images, such as Docker Official Images, Docker Verified Publisher Images, or community images, your developers can pull from Docker Hub.
For example, a developer, who is part of an organization, building a new containerized application could accidentally use an untrusted, community image as a component of their application. This image could be malicious and pose a security risk to the company. Using Image Access Management, the organization owner can ensure that the developer can only access trusted content like Docker Official Images, Docker Verified Publisher Images, or the organizations own images, preventing such a risk.
## Prerequisites
You need to [enforce sign-in](../enforce-sign-in/_index.md). For Image Access
Management to take effect, Docker Desktop users must authenticate to your
organization. Enforcing sign-in ensures that your Docker Desktop developers
always authenticate to your organization, even though they can authenticate
without it and the feature will take effect. Enforcing sign-in guarantees the
feature always takes effect.
You first need to [enforce sign-in](/manuals/security/for-admins/enforce-sign-in/_index.md) to ensure that all Docker Desktop developers authenticate with your organization. Since Image Access Management requires a Docker Business subscription, enforced sign-in guarantees that only authenticated users have access and that the feature consistently takes effect across all users, even though it may still work without enforced sign-in.
## Configure Image Access Management permissions
## Configure
{{< tabs >}}
{{< tab name="Docker Hub" >}}
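
Review bot: The rewritten prerequisite replaces "For Image Access Management to take effect, Docker Desktop users must authenticate to your organization" with a subscription rationale, then ends with "even though it may still work without enforced sign-in", which undercuts the "guarantees" earlier in the same sentence. For a control meant to keep untrusted images out, say directly that the restriction takes effect only for users signed in to the organization, and that enforcing sign-in is what makes it hold for every developer.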

@ -13,27 +13,25 @@ weight: 10
>
> Settings Management is available to Docker Business customers only.
Settings Management is a feature that helps admins to control certain Docker Desktop settings on client machines within their organization.
Settings Management helps you control key Docker Desktop settings, like proxies and network configurations, on your developers' machines within your organization.
With a few lines of JSON, admins can configure controls for Docker Desktop settings such as proxies and network settings. For an extra layer of security, admins can also use Settings Management to enable and lock in [Enhanced Container Isolation](../enhanced-container-isolation/_index.md) which ensures that any configurations set with Settings Management cannot be modified by containers.
For an extra layer of security, you can also use Settings Management to enable and lock in [Enhanced Container Isolation](../enhanced-container-isolation/_index.md), which prevents containers from modifying any Settings Management configurations.
It is available with [Docker Desktop 4.13.0 and later](/manuals/desktop/release-notes.md).
### Who is it for?
## Who is it for?
- For organizations that want to configure Docker Desktop to be within their organization's centralized control.
- For organizations that want to create a standardized Docker Desktop environment at scale.
- For Docker Business customers who want to confidently manage their use of Docker Desktop within tightly regulated environments.
### How does it work?
## How does it work?
Administrators can configure several Docker Desktop settings using an `admin-settings.json` file. This file is located on the Docker Desktop host and can only be accessed by developers with root or admin privileges.
You can configure several Docker Desktop settings using an `admin-settings.json` file. This file is located on the Docker Desktop host and can only be accessed by developers with root or administrator privileges.
Values that are set to `locked: true` within the `admin-settings.json` override any previous values set by developers and ensure that these cannot be modified. For more information, see [Configure Settings Management](configure.md#step-two-configure-the-settings-you-want-to-lock-in).
### What features can I configure with Settings Management?
## What features can I configure with Settings Management?
Using the `admin-settings.json` file, admins can:
Using the `admin-settings.json` file, you can:
- Turn on and lock in [Enhanced Container Isolation](../enhanced-container-isolation/_index.md)
- Configure HTTP proxies
@ -50,21 +48,13 @@ Using the `admin-settings.json` file, admins can:
- Control whether developers can use the Docker terminal
- Control the file sharing implementation for your developers on macOS
- Specify which paths your developers can add file shares to
- Configure Air-Gapped Containers
- Configure Air-gapped containers
For more details on the syntax and options admins can set, see [Configure Settings Management](configure.md).
For more details on the syntax and options, see [Configure Settings Management](configure.md).
### How do I set up and enforce Settings Management?
As an administrator, you first need to [enforce
sign-in](/manuals/security/for-admins/enforce-sign-in/_index.md). This is
because the Settings Management feature requires a Docker Business subscription
and therefore your Docker Desktop developers must authenticate to your
organization. Enforcing sign-in ensures that your Docker Desktop developers
always authenticate to your organization, even though they can authenticate
without it and the feature will take effect. Enforcing sign-in guarantees the
feature always takes effect.
## How do I set up and enforce Settings Management?
You first need to [enforce sign-in](/manuals/security/for-admins/enforce-sign-in/_index.md) to ensure that all Docker Desktop developers authenticate with your organization. Since the Settings Management feature requires a Docker Business subscription, enforced sign-in guarantees that only authenticated users have access and that the feature consistently takes effect across all users, even though it may still work without enforced sign-in.
Next, you must either manually [create and configure the admin-settings.json file](configure.md), or use the `--admin-settings` installer flag on [macOS](/manuals/desktop/setup/install/mac-install.md#install-from-the-command-line) or [Windows](/manuals/desktop/setup/install/windows-install.md#install-from-the-command-line) to automatically create the `admin-settings.json` and save it in the correct location.
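
Review bot: In the new sign-in paragraph, "guarantees that only authenticated users have access" does not say access to what, and the trailing "even though it may still work without enforced sign-in" reads as if enforcement were optional. Split it into two statements: the locked settings are applied when a developer is signed in to the organization, and enforcing sign-in is what makes that true for every developer.
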
@ -72,11 +62,13 @@ Once this is done, Docker Desktop developers receive the changed settings when t
- Quit, re-launch, and sign in to Docker Desktop
- Launch and sign in to Docker Desktop for the first time
Docker doesn't automatically mandate that developers re-launch and re-authenticate once a change has been made, so as not to disrupt your developers' workflow.
To avoid disrupting your developers' workflows, Docker doesn't automatically require that developers re-launch and re-authenticate once a change has been made.
### What do developers see when the settings are enforced?
## What do developers see when the settings are enforced?
Any settings that are enforced, are grayed out in Docker Desktop and the user is unable to edit them, either via the Docker Desktop UI, CLI, or the `settings-store.json` file (or `settings.json` for Docker Desktop versions 4.34 and earlier). In addition, if Enhanced Container Isolation is enforced, developers can't use privileged containers or similar techniques to modify enforced settings within the Docker Desktop Linux VM, for example, reconfigure proxy and networking of reconfigure Docker Engine.
Enforced settings appear grayed out in Docker Desktop. They can't be edited via the Docker Desktop Dashboard, CLI, or `settings-store.json` (or `settings.json` for Docker Desktop 4.34 and earlier).
In addition, if Enhanced Container Isolation is enforced, developers can't use privileged containers or similar techniques to modify enforced settings within the Docker Desktop Linux VM. For example, they can't reconfigure proxy and networking, or Docker Engine.
![Proxy settings grayed out](/assets/images/grayed-setting.png)
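Review bot: The new sentence "Docker doesn't automatically require that developers re-launch and re-authenticate" uses "re-authenticate" while the two bullets directly before it say "sign in"; use "sign in again" so the page has one term for the action. The sentence also means a changed policy is not applied until the developer next quits and re-launches, and it would help administrators to state that outright rather than only framing it as avoiding disruption. In the Enhanced Container Isolation paragraph, "they can't reconfigure proxy and networking, or Docker Engine" reads more cleanly as "they can't reconfigure proxy and networking settings or Docker Engine".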

View File

@ -3,7 +3,8 @@ description: How to configure Settings Management for Docker Desktop
keywords: admin, controls, rootless, enhanced container isolation
title: Configure Settings Management
linkTitle: Configure
aliases:
toc_min: 4
aliases:
- /desktop/hardened-desktop/settings-management/configure/
---
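Review bot: `toc_min: 4` is added to the front matter in the same commit that promotes this page's section headings from `###` to `##` and introduces `###` headings for the parameter tables. Please confirm the value produces the intended table of contents for those heading levels, and add a short note in the PR description on why it is set, since nothing in the file explains it.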
@ -11,59 +12,49 @@ aliases:
>
> Settings Management is available to Docker Business customers only.
This page contains information for admins on how to configure Settings Management to specify and lock configuration parameters to create a standardized Docker Desktop environment across the organization.
This page contains information on how to configure Settings Management to specify and lock configuration parameters to create a standardized Docker Desktop environment across the organization.
Settings Management is designed specifically for organizations who dont give developers root access to their machines.
### Prerequisites
## Prerequisites
- [Download and install Docker Desktop 4.13.0 or later](/manuals/desktop/release-notes.md).
- As an administrator, you need to [enforce
sign-in](/manuals/security/for-admins/enforce-sign-in/_index.md). This is
because this feature requires a Docker Business subscription and therefore
your Docker Desktop users must authenticate to your organization for this
configuration to take effect. Enforcing sign-in ensures that your Docker
Desktop developers always authenticate to your organization, even though they
can authenticate without it and the feature will take effect. Enforcing
sign-in guarantees the feature always takes effect.
You first need to [enforce sign-in](/manuals/security/for-admins/enforce-sign-in/_index.md) to ensure that all Docker Desktop developers authenticate with your organization. Since Settings Management requires a Docker Business subscription, enforced sign-in guarantees that only authenticated users have access and that the feature consistently takes effect across all users, even though it may still work without enforced sign-in.
### Step one: Create the `admin-settings.json` file and save it in the correct location
## Step one: Create the `admin-settings.json` file and save it in the correct location
You can either use the `--admin-settings` installer flag on [macOS](/manuals/desktop/setup/install/mac-install.md#install-from-the-command-line) or [Windows](/manuals/desktop/setup/install/windows-install.md#install-from-the-command-line) to automatically create the `admin-settings.json` and save it in the correct location, or set it up manually.
To set it up manually:
1. Create a new, empty JSON file and name it `admin-settings.json`.
2. Save the `admin-settings.json` file on your developers' machines in the following locations:
- Mac: `/Library/Application\ Support/com.docker.docker/admin-settings.json`
- Windows: `C:\ProgramData\DockerDesktop\admin-settings.json`
- Linux: `/usr/share/docker-desktop/admin-settings.json`
- Mac: `/Library/Application\ Support/com.docker.docker/admin-settings.json`
- Windows: `C:\ProgramData\DockerDesktop\admin-settings.json`
- Linux: `/usr/share/docker-desktop/admin-settings.json`
By placing this file in a protected directory, developers are unable to modify it.
By placing this file in the above protected directories, end users are unable to modify it.
> [!IMPORTANT]
>
> It is assumed that you have the ability to push the `admin-settings.json` settings file to the locations specified through a device management software such as [Jamf](https://www.jamf.com/lp/en-gb/apple-mobile-device-management-mdm-jamf-shared/?attr=google_ads-brand-search-shared&gclid=CjwKCAjw1ICZBhAzEiwAFfvFhEXjayUAi8FHHv1JJitFPb47C_q_RCySTmF86twF1qJc_6GST-YDmhoCuJsQAvD_BwE).
> [!IMPORTANT]
>
> It is assumed that you have the ability to push the `admin-settings.json` settings file to the locations specified above through a device management software such as [Jamf](https://www.jamf.com/lp/en-gb/apple-mobile-device-management-mdm-jamf-shared/?attr=google_ads-brand-search-shared&gclid=CjwKCAjw1ICZBhAzEiwAFfvFhEXjayUAi8FHHv1JJitFPb47C_q_RCySTmF86twF1qJc_6GST-YDmhoCuJsQAvD_BwE).
### Step two: Configure the settings you want to lock in
## Step two: Configure the settings you want to lock in
> [!NOTE]
>
> Some of the configuration parameters only apply to Windows. This is highlighted in the table below.
> Some of the configuration parameters only apply to Windows or to specific Docker Desktop versions. This is highlighted in the following table.
The `admin-settings.json` file requires a nested list of configuration parameters, each of which must contain the `locked` parameter. You can add or remove configuration parameters as per your requirements.
The `admin-settings.json` file requires a nested list of configuration parameters, each of which must contain the `locked` parameter. You can add or remove configuration parameters as per your requirements.
If `locked: true`, users aren't able to edit this setting from Docker Desktop or the CLI.
If `locked: false`, it's similar to setting a factory default in that:
- For new installs, `locked: false` pre-populates the relevant settings in the Docker Desktop UI, but users are able to modify it.
- For new installs, `locked: false` pre-populates the relevant settings in the Docker Desktop Dashboard, but users are able to modify it.
- If Docker Desktop is already installed and being used, `locked: false` is ignored. This is because existing users of Docker Desktop may have already updated a setting, which in turn will have been written to the relevant config file, for example the `settings-store.json` (or `settings.json` for Docker Desktop versions 4.34 and earlier) or `daemon.json`. In these instances, the user's preferences are respected and we don't alter these values. These can be controlled by the admin by setting `locked: true`.
- If Docker Desktop is already installed and being used, `locked: false` is ignored. This is because existing users of Docker Desktop may have already updated a setting, which in turn will have been written to the relevant config file, for example the `settings-store.json` (or `settings.json` for Docker Desktop versions 4.34 and earlier) or `daemon.json`. In these instances, the user's preferences are respected and the values aren't altered. These can be controlled by setting `locked: true`.
The following `admin-settings.json` code and table provides an example of the required syntax and descriptions for parameters and values:
```json
```json {collapse=true}
{
"configurationFileVersion": 2,
"exposeDockerAPIOnTCP2375": {
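Review bot: The re-indented `[!IMPORTANT]` callout keeps the Jamf link with its advertising query string (`attr=google_ads-brand-search-shared&gclid=...`); since the line is being touched anyway, link to the plain Jamf page instead. The new wording "the above protected directories" and "specified above" runs against the note edit later in this hunk, which replaces "in the table below" with "in the following table"; prefer "these protected directories" and "the locations specified". The statement that end users are unable to modify the file holds only when they lack write access to those directories, which the page implies with "organizations who don't give developers root access"; saying that next to the path list would make the dependency explicit.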
@ -192,55 +183,100 @@ The following `admin-settings.json` code and table provides an example of the re
}
```
| Parameter | | Description |
| :------------------------------- |---| :------------------------------- |
| `configurationFileVersion` | |Specifies the version of the configuration file format. |
| `exposeDockerAPIOnTCP2375` | Windows only| Exposes the Docker API on a specified port. If `value` is set to true, the Docker API is exposed on port 2375. Note: This is unauthenticated and should only be enabled if protected by suitable firewall rules.|
| `proxy` | |If `mode` is set to `system` instead of `manual`, Docker Desktop gets the proxy values from the system and ignores and values set for `http`, `https` and `exclude`. Change `mode` to `manual` to manually configure proxy servers. If the proxy port is custom, specify it in the `http` or `https` property, for example `"https": "http://myotherproxy.com:4321"`. The `exclude` property specifies a comma-separated list of hosts and domains to bypass the proxy. |
| &nbsp; &nbsp; &nbsp; &nbsp;`windowsDockerdPort` | Windows only | Exposes Docker Desktop's internal proxy locally on this port for the Windows Docker daemon to connect to. If it is set to 0, a random free port is chosen. If the value is greater than 0, use that exact value for the port. The default value is -1 which disables the option. Note: This is available for Windows containers only. |
| &nbsp; &nbsp; &nbsp; &nbsp;`enableKerberosNtlm` | |When set to `true`, Kerberos and NTLM authentication is enabled. Default is `false`. Available in Docker Desktop version 4.32 and later. For more information, see the settings documentation. |
| `containersProxy` (Beta) | | Allows you to create air-gapped containers. For more information see [Air-Gapped Containers](../air-gapped-containers.md).|
| `enhancedContainerIsolation` | | If `value` is set to true, Docker Desktop runs all containers as unprivileged, via the Linux user-namespace, prevents them from modifying sensitive configurations inside the Docker Desktop VM, and uses other advanced techniques to isolate them. For more information, see [Enhanced Container Isolation](../enhanced-container-isolation/_index.md).|
| &nbsp; &nbsp; &nbsp; &nbsp;`dockerSocketMount` | | By default, enhanced container isolation blocks bind-mounting the Docker Engine socket into containers (e.g., `docker run -v /var/run/docker.sock:/var/run/docker.sock ...`). This allows admins to relax this in a controlled way. See [ECI Configuration](../enhanced-container-isolation/config.md) for more info. |
| &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; `imageList` | | Indicates which container images are allowed to bind-mount the Docker Engine socket. |
| &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; `commandList` | | Restricts the commands that containers can issue via the bind-mounted Docker Engine socket. |
| `linuxVM` | |Parameters and settings related to Linux VM options - grouped together here for convenience. |
| &nbsp; &nbsp; &nbsp; &nbsp;`wslEngineEnabled` | Windows only | If `value` is set to true, Docker Desktop uses the WSL 2 based engine. This overrides anything that may have been set at installation using the `--backend=<backend name>` flag. |
| &nbsp;&nbsp; &nbsp; &nbsp;`dockerDaemonOptions`| |If `value` is set to true, it overrides the options in the Docker Engine config file. See the [Docker Engine reference](/reference/cli/dockerd/#daemon-configuration-file). Note that for added security, a few of the config attributes may be overridden when Enhanced Container Isolation is enabled. |
| &nbsp;&nbsp; &nbsp; &nbsp;`vpnkitCIDR` | |Overrides the network range used for vpnkit DHCP/DNS for `*.docker.internal` |
|`kubernetes`| | If `enabled` is set to true, a Kubernetes single-node cluster is started when Docker Desktop starts. If `showSystemContainers` is set to true, Kubernetes containers are displayed in the UI and when you run `docker ps`. `imagesRepository` allows you to specify which repository Docker Desktop pulls the Kubernetes images from. For example, `"imagesRepository": "registry-1.docker.io/docker"`. |
| `windowsContainers` | | Parameters and settings related to `windowsContainers` options - grouped together here for convenience. |
| &nbsp; &nbsp; &nbsp; &nbsp;`dockerDaemonOptions` | | Overrides the options in the Linux daemon config file. See the [Docker Engine reference](/reference/cli/dockerd/#daemon-configuration-file).|
|`disableUpdate`| |If `value` is set to true, checking for and notifications about Docker Desktop updates is disabled.|
|`analyticsEnabled`| |If `value` is set to false, Docker Desktop doesn't send usage statistics to Docker. |
|`extensionsEnabled`| |If `value` is set to false, Docker extensions are disabled. |
|`scout`|| Setting `useBackgroundIndexing` to `false` disables automatic indexing of images loaded to the image store. Setting `sbomIndexing` to `false` prevents users from being able to index image by inspecting them in Docker Desktop or using `docker scout` CLI commands. |
| `allowExperimentalFeatures`| | If `value` is set to `false`, experimental features are disabled.|
| `allowBetaFeatures`| | If `value` is set to `false`, beta features are disabled.|
| `blockDockerLoad` | | If `value` is set to `true`, users are no longer able to run [`docker load`](/reference/cli/docker/image/load/) and receive an error if they try to.|
| `filesharingAllowedDirectories` | | Specify which paths your developers can add file shares to. Also accepts `$HOME`, `$TMP`, or `$TEMP` as `path` variables. When a path is added, its subdirectories are allowed. If `sharedByDefault` is set to `true`, that path will be added upon factory reset or when Docker Desktop first starts. |
| `useVirtualizationFrameworkVirtioFS`| macOS only | If `value` is set to `true`, VirtioFS is set as the file sharing mechanism. Note: If both `useVirtualizationFrameworkVirtioFS` and `useGrpcfuse` have `value` set to `true`, VirtioFS takes precedence. Likewise, if both `useVirtualizationFrameworkVirtioFS` and `useGrpcfuse` have `value` set to `false`, osxfs is set as the file sharing mechanism. |
| `useVirtualizationFrameworkRosetta`| macOS only | If `value` is set to `true`, Docker Desktop turns on Rosetta to accelerate x86_64/amd64 binary emulation on Apple Silicon. Note: This also automatically enables `Use Virtualization framework`. |
| `useGrpcfuse` | macOS only | If `value` is set to `true`, gRPC Fuse is set as the file sharing mechanism. |
| `displayedOnboarding` | | If `value` is set to `true`, the onboarding survey will not be displayed to new users. Setting `value` to `false` has no effect. |
| `desktopTerminalEnabled` | | If `value` is set to `false`, developers cannot use the Docker terminal to interact with the host machine and execute commands directly from Docker Desktop. |
### General
### Step three: Re-launch Docker Desktop
|Parameter|OS|Description|Version|
|:-------------------------------|---|:-------------------------------|---|
|`configurationFileVersion`| |Specifies the version of the configuration file format.| |
|`analyticsEnabled`| |If `value` is set to false, Docker Desktop doesn't send usage statistics to Docker. | |
|`disableUpdate`| |If `value` is set to true, checking for and notifications about Docker Desktop updates is disabled.| |
|`extensionsEnabled`| |If `value` is set to false, Docker extensions are disabled. | |
| `blockDockerLoad` | | If `value` is set to `true`, users are no longer able to run [`docker load`](/reference/cli/docker/image/load/) and receive an error if they try to.| |
| `displayedOnboarding` | | If `value` is set to `true`, the onboarding survey will not be displayed to new users. Setting `value` to `false` has no effect. | Docker Desktop version 4.30 and later |
| `desktopTerminalEnabled` | | If `value` is set to `false`, developers cannot use the Docker terminal to interact with the host machine and execute commands directly from Docker Desktop. | |
|`exposeDockerAPIOnTCP2375`| Windows only| Exposes the Docker API on a specified port. If `value` is set to true, the Docker API is exposed on port 2375. Note: This is unauthenticated and should only be enabled if protected by suitable firewall rules.| |
### File sharing and emulation
|Parameter|OS|Description|Version|
|:-------------------------------|---|:-------------------------------|---|
| `filesharingAllowedDirectories` | | Specify which paths your developers can add file shares to. Also accepts `$HOME`, `$TMP`, or `$TEMP` as `path` variables. When a path is added, its subdirectories are allowed. If `sharedByDefault` is set to `true`, that path will be added upon factory reset or when Docker Desktop first starts. | |
| `useVirtualizationFrameworkVirtioFS`| macOS only | If `value` is set to `true`, VirtioFS is set as the file sharing mechanism. Note: If both `useVirtualizationFrameworkVirtioFS` and `useGrpcfuse` have `value` set to `true`, VirtioFS takes precedence. Likewise, if both `useVirtualizationFrameworkVirtioFS` and `useGrpcfuse` have `value` set to `false`, osxfs is set as the file sharing mechanism. | |
| `useGrpcfuse` | macOS only | If `value` is set to `true`, gRPC Fuse is set as the file sharing mechanism. | |
| `useVirtualizationFrameworkRosetta`| macOS only | If `value` is set to `true`, Docker Desktop turns on Rosetta to accelerate x86_64/amd64 binary emulation on Apple Silicon. Note: This also automatically enables `Use Virtualization framework`. | Docker Desktop version 4.29 and later. |
### Docker Scout
|Parameter|OS|Description|Version|
|:-------------------------------|---|:-------------------------------|---|
|`scout`| | Setting `useBackgroundIndexing` to `false` disables automatic indexing of images loaded to the image store. Setting `sbomIndexing` to `false` prevents users from being able to index image by inspecting them in Docker Desktop or using `docker scout` CLI commands. | |
### Proxy
|Parameter|OS|Description|Version|
|:-------------------------------|---|:-------------------------------|---|
|`proxy`| |If `mode` is set to `system` instead of `manual`, Docker Desktop gets the proxy values from the system and ignores and values set for `http`, `https` and `exclude`. Change `mode` to `manual` to manually configure proxy servers. If the proxy port is custom, specify it in the `http` or `https` property, for example `"https": "http://myotherproxy.com:4321"`. The `exclude` property specifies a comma-separated list of hosts and domains to bypass the proxy. | |
|&nbsp; &nbsp; &nbsp; &nbsp;`windowsDockerdPort`| Windows only | Exposes Docker Desktop's internal proxy locally on this port for the Windows Docker daemon to connect to. If it is set to 0, a random free port is chosen. If the value is greater than 0, use that exact value for the port. The default value is -1 which disables the option. | |
|&nbsp; &nbsp; &nbsp; &nbsp;`enableKerberosNtlm`| |When set to `true`, Kerberos and NTLM authentication is enabled. Default is `false`. For more information, see the settings documentation. | Docker Desktop version 4.32 and later. |
### Container proxy
|Parameter|OS|Description|Version|
|:-------------------------------|---|:-------------------------------|---|
|`containersProxy` | | Creates air-gapped containers. For more information see [Air-Gapped Containers](../air-gapped-containers.md).| Docker Desktop version 4.29 and later. |
### Linux VM
|Parameter|OS|Description|Version|
|:-------------------------------|---|:-------------------------------|---|
| `linuxVM` | |Parameters and settings related to Linux VM options - grouped together here for convenience. | |
| &nbsp; &nbsp; &nbsp; &nbsp;`wslEngineEnabled` | Windows only | If `value` is set to true, Docker Desktop uses the WSL 2 based engine. This overrides anything that may have been set at installation using the `--backend=<backend name>` flag. | |
| &nbsp; &nbsp; &nbsp; &nbsp;`dockerDaemonOptions` | |If `value` is set to true, it overrides the options in the Docker Engine config file. See the [Docker Engine reference](/reference/cli/dockerd/#daemon-configuration-file). Note that for added security, a few of the config attributes may be overridden when Enhanced Container Isolation is enabled. | |
| &nbsp; &nbsp; &nbsp; &nbsp;`vpnkitCIDR` | |Overrides the network range used for vpnkit DHCP/DNS for `*.docker.internal` | |
### Windows containers
|Parameter|OS|Description|Version|
|:-------------------------------|---|:-------------------------------|---|
| `windowsContainers` | | Parameters and settings related to `windowsContainers` options - grouped together here for convenience. | |
| &nbsp; &nbsp; &nbsp; &nbsp;`dockerDaemonOptions` | | Overrides the options in the Linux daemon config file. See the [Docker Engine reference](/reference/cli/dockerd/#daemon-configuration-file).| |
### Kubernetes
|Parameter|OS|Description|Version|
|:-------------------------------|---|:-------------------------------|---|
|`kubernetes`| | If `enabled` is set to true, a Kubernetes single-node cluster is started when Docker Desktop starts. If `showSystemContainers` is set to true, Kubernetes containers are displayed in the Docker Desktop Dashboard and when you run `docker ps`. `imagesRepository` lets you specify which repository Docker Desktop pulls the Kubernetes images from. For example, `"imagesRepository": "registry-1.docker.io/docker"`. | |
### Features in development
|Parameter|OS|Description|Version|
|:-------------------------------|---|:-------------------------------|---|
| `allowExperimentalFeatures`| | If `value` is set to `false`, experimental features are disabled.| |
| `allowBetaFeatures`| | If `value` is set to `false`, beta features are disabled.| |
### Enhanced Container Isolation
|Parameter|OS|Description|Version|
|:-------------------------------|---|:-------------------------------|---|
|`enhancedContainerIsolation`| | If `value` is set to true, Docker Desktop runs all containers as unprivileged, via the Linux user-namespace, prevents them from modifying sensitive configurations inside the Docker Desktop VM, and uses other advanced techniques to isolate them. For more information, see [Enhanced Container Isolation](../enhanced-container-isolation/_index.md).| |
| &nbsp; &nbsp; &nbsp; &nbsp;`dockerSocketMount` | | By default, enhanced container isolation blocks bind-mounting the Docker Engine socket into containers (e.g., `docker run -v /var/run/docker.sock:/var/run/docker.sock ...`). This lets you relax this in a controlled way. See [ECI Configuration](../enhanced-container-isolation/config.md) for more info. | |
| &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; `imageList` | | Indicates which container images are allowed to bind-mount the Docker Engine socket. | |
| &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; `commandList` | | Restricts the commands that containers can issue via the bind-mounted Docker Engine socket. | |
## Step three: Re-launch Docker Desktop
> [!NOTE]
>
> Administrators should test the changes made through the `admin-settings.json` file locally to see if the settings work as expected.
> Test the changes made through the `admin-settings.json` file locally to see if the settings work as expected.
For settings to take effect:
- On a new install, developers need to launch Docker Desktop and authenticate to their organization.
- On an existing install, developers need to quit Docker Desktop through the Docker menu, and then relaunch Docker Desktop. If they are already signed in, they don't need to sign in again for the changes to take effect.
- On an existing install, developers need to quit Docker Desktop through the Docker menu, and then re-launch Docker Desktop. If they are already signed in, they don't need to sign in again for the changes to take effect.
> [!IMPORTANT]
>
> Selecting **Restart** from the Docker menu isn't enough as it only restarts some components of Docker Desktop.
Docker doesn't automatically mandate that developers re-launch and sign in once a change has been made so as not to disrupt your developers' workflow.
So as not to disrupt your developers' workflow, Docker doesn't automatically mandate that developers re-launch and re-authenticate once a change has been made.
In Docker Desktop, developers see the relevant settings grayed out and the message **Locked by your administrator**.
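Review bot: Splitting the parameter table drops information from two rows: `windowsDockerdPort` no longer carries "Note: This is available for Windows containers only", and `containersProxy` loses its "(Beta)" marker and now shows only a version in the new Version column. Restore both or confirm they no longer apply. Two inherited problems could be fixed while the rows are being moved: the `proxy` row still says "ignores and values set for" (should be "any values"), and the `dockerDaemonOptions` row under `windowsContainers` still describes "the Linux daemon config file". The Version cells are inconsistent about the trailing period ("version 4.30 and later" versus "version 4.29 and later."). In the last changed sentence, "re-launch and re-authenticate" replaces "re-launch and sign in", while the bullet just before it says signed-in developers don't need to sign in again; keep "sign in" and make the two statements agree.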

View File

@ -1,6 +1,5 @@
---
title: Docker subscription overview
linkTitle: Subscription
title: Subscription
weight: 200
description: Learn about subscription features and how to manage your subscription
keywords: Docker, pricing, billing, Pro, Team, business, subscription, tier, plan

View File

@ -98,7 +98,7 @@
- /go/storage-driver/
"/docker-hub/vulnerability-scanning/":
- /go/tip-scanning/
"/desktop/windows/features/wsl/":
"/desktop/features/wsl/":
# Link used by Docker Desktop to refer users on how to activate WSL 2
- /go/wsl2/
"/reference/api/hub/latest/":
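Review bot: `/go/wsl2/` is, per the comment in this hunk, the link Docker Desktop itself uses to send users to the WSL 2 instructions, so retargeting it from `/desktop/windows/features/wsl/` to `/desktop/features/wsl/` needs a check that the page exists at the new path in this commit and that the old path still resolves through an alias. Otherwise the in-product link breaks for installed versions.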

View File

@ -75,7 +75,6 @@
"Mac",
"Mac-/-Linux",
"Mac-/-Linux-/-Git-Bash",
"Mac-/-Linux-/-Windows-Git-Bash",
"Mac-/-Linux-CLI",
"Mac-and-Linux",
"Mac-with-Apple-silicon",
@ -124,9 +123,7 @@
"WSL-2-backend-Arm-Beta",
"WSL-2-backend-x86_64",
"Web-browser",
"What-administrative-tasks-can-I-perform-in-Docker-Hub",
"What-are-the-key-features-of-Docker-Desktop",
"What-key-features-are-included-in-Docker-Hub",
"Whats-included-in-Docker-Desktop",
"Windows",
"Windows-Command-Prompt",

View File

@ -10,10 +10,10 @@
2. {{ $iam_navigation }}
3. Enable Image Access Management to set the permissions for the following categories of images you can manage:
- **Organization images**: Images from your organization are always allowed by default. These images can be public or private created by members within your organization.
- **Organization Images**: Images from your organization are always allowed by default. These images can be public or private created by members within your organization.
- **Docker Official Images**: A curated set of Docker repositories hosted on Hub. They provide OS repositories, best practices for Dockerfiles, drop-in solutions, and applies security updates on time.
- **Docker Verified Publisher Images**: Images published by Docker partners that are part of the Verified Publisher program and are qualified to be included in the developer secure supply chain.
- **Community images**: These images are disabled by default when Image Access Management is enabled because various users contribute them and they may pose security risks. This category includes Docker-Sponsored Open Source images.
- **Community Images**: These images are disabled by default when Image Access Management is enabled because various users contribute them and they may pose security risks. This category includes Docker-Sponsored Open Source images.
> [!NOTE]
>