diff --git a/_vale/Docker/Acronyms.yml b/_vale/Docker/Acronyms.yml index b71ca8873d..6760a8f6fa 100644 --- a/_vale/Docker/Acronyms.yml +++ b/_vale/Docker/Acronyms.yml @@ -31,6 +31,7 @@ exceptions: - DPI - DSOS - DVP + - ECI - ELK - FAQ - FUSE @@ -60,6 +61,7 @@ exceptions: - LTS - MAC - MDM + - MDN - NAT - NET - NFS @@ -67,6 +69,7 @@ exceptions: - NTLM - NVDA - OCI + - OS - OSS - PATH - PDF @@ -90,6 +93,7 @@ exceptions: - SDK - SLES - SLSA + - SOCKS - SPDX - SQL - SSD diff --git a/_vale/Docker/RecommendedWords.yml b/_vale/Docker/RecommendedWords.yml index baa8d0e6d9..ed308ac9b5 100644 --- a/_vale/Docker/RecommendedWords.yml +++ b/_vale/Docker/RecommendedWords.yml @@ -14,7 +14,7 @@ swap: (?:sign on|log on|log in|logon|login): sign in above: previous adaptor: adapter - admin: administrator + admin(?! console): administrator administrate: administer afterwards: afterward allow: let diff --git a/_vale/config/vocabularies/Docker/accept.txt b/_vale/config/vocabularies/Docker/accept.txt index b7d98e3d3d..f47ba57e3b 100644 --- a/_vale/config/vocabularies/Docker/accept.txt +++ b/_vale/config/vocabularies/Docker/accept.txt @@ -1,5 +1,4 @@ (?-i)[A-Z]{2,}s -Admin Console Amazon Anchore Apple @@ -108,6 +107,7 @@ Zsh [Mm]oby [Oo]nboarding [Pp]aravirtualization +[Pp]roxied [Pp]roxying [Rr]eal-time [Rr]untimes? @@ -156,5 +156,6 @@ tmpfs ufw umask ungated +untrusted vSphere vpnkit diff --git a/content/get-started/docker-concepts/building-images/multi-stage-builds.md b/content/get-started/docker-concepts/building-images/multi-stage-builds.md index e018690ff9..7e45aa8f81 100644 --- a/content/get-started/docker-concepts/building-images/multi-stage-builds.md +++ b/content/get-started/docker-concepts/building-images/multi-stage-builds.md @@ -57,9 +57,8 @@ In this hands-on guide, you'll unlock the power of multi-stage builds to create 1. [Download and install](https://www.docker.com/products/docker-desktop/) Docker Desktop. -2. [Download and install](https://www.oracle.com/java/technologies/downloads/) Java. -3. Open this [pre-initialized project](https://start.spring.io/#!type=maven-project&language=java&platformVersion=3.4.0-M3&packaging=jar&jvmVersion=21&groupId=com.example&artifactId=spring-boot-docker&name=spring-boot-docker&description=Demo%20project%20for%20Spring%20Boot&packageName=com.example.spring-boot-docker&dependencies=web) to generate a ZIP file. Here’s how that looks: +2. Open this [pre-initialized project](https://start.spring.io/#!type=maven-project&language=java&platformVersion=3.4.0-M3&packaging=jar&jvmVersion=21&groupId=com.example&artifactId=spring-boot-docker&name=spring-boot-docker&description=Demo%20project%20for%20Spring%20Boot&packageName=com.example.spring-boot-docker&dependencies=web) to generate a ZIP file. Here’s how that looks: ![A screenshot of Spring Initializr tool selected with Java 21, Spring Web and Spring Boot 3.4.0](images/multi-stage-builds-spring-initializer.webp?border=true) @@ -72,7 +71,7 @@ In this hands-on guide, you'll unlock the power of multi-stage builds to create For this demonstration, you’ve paired Maven build automation with Java, a Spring Web dependency, and Java 21 for your metadata. -4. Navigate the project directory. Once you unzip the file, you'll see the following project directory structure: +3. Navigate the project directory. Once you unzip the file, you'll see the following project directory structure: ```plaintext @@ -109,7 +108,7 @@ In this hands-on guide, you'll unlock the power of multi-stage builds to create contains most of the information needed to build a customized project. The POM is huge and can seem daunting. Thankfully, you don't yet need to understand every intricacy to use it effectively. -5. Create a RESTful web service that displays "Hello World!". +4. Create a RESTful web service that displays "Hello World!". Under the `src/main/java/com/example/spring_boot_docker/` directory, you can modify your diff --git a/content/guides/docker-scout/_index.md b/content/guides/docker-scout/_index.md index 3134c8e85a..eaa39f527a 100644 --- a/content/guides/docker-scout/_index.md +++ b/content/guides/docker-scout/_index.md @@ -14,7 +14,7 @@ aliases: params: featured: true image: images/learning-paths/scout.png - time: 10 minutes + time: 20 minutes resource_links: - title: Docker Scout overview url: /scout/ @@ -22,8 +22,6 @@ params: url: /scout/quickstart/ - title: Install Docker Scout url: /scout/install/ - - title: Software Bill of Materials - url: /scout/concepts/sbom/ --- When container images are insecure, significant risks can arise. Around 60% of diff --git a/content/guides/docker-scout/attestations.md b/content/guides/docker-scout/attestations.md new file mode 100644 index 0000000000..fb060e7033 --- /dev/null +++ b/content/guides/docker-scout/attestations.md @@ -0,0 +1,36 @@ +--- +title: Attestations +keywords: build, attestations, sbom, provenance, metadata +description: | + Introduction to SBOM and provenance attestations with Docker Build, + what they are, and why they exist +weight: 50 +--- + +{{< youtube-embed qOzcycbTs4o >}} + +[Build attestations](/manuals/build/metadata/attestations/_index.md) give you +detailed information about how an image was built and what it contains. These +attestations, generated by BuildKit during build-time, attach to the final +image as metadata, allowing you to inspect an image to see its origin, creator, +and contents. This information helps you make informed decisions about the +security and impact of the image on your supply chain. + +Docker Scout uses these attestations to evaluate the image's security and +supply chain posture, and to provide remediation recommendations for issues. If +issues are detected, such as missing or outdated attestations, Docker Scout can +guide you on how to add or update them, ensuring compliance and improving +visibility into the image's security status. + +There are two key types of attestations: + +- SBOM, which lists the software artifacts within the image. +- Provenance, which details how the image was built. + +You can create attestations by using `docker buildx build` with the +`--provenance` and `--sbom` flags. Attestations attach to the image index, +allowing you to inspect them without pulling the entire image. Docker Scout +leverages this metadata to give you more precise recommendations and better +control over your image's security. + +
diff --git a/content/guides/docker-scout/common-questions.md b/content/guides/docker-scout/common-questions.md index 65a98d737a..21537ed80e 100644 --- a/content/guides/docker-scout/common-questions.md +++ b/content/guides/docker-scout/common-questions.md @@ -1,7 +1,6 @@ --- title: Common challenges and questions description: Explore common challenges and questions related to Docker Scout. -weight: 30 --- diff --git a/content/guides/docker-scout/demo.md b/content/guides/docker-scout/demo.md index 2304b82d8f..e1d0740669 100644 --- a/content/guides/docker-scout/demo.md +++ b/content/guides/docker-scout/demo.md @@ -1,9 +1,12 @@ --- title: Docker Scout demo +linkTitle: Demo description: Learn about Docker Scout's powerful features for enhanced supply chain security. weight: 20 --- +{{< youtube-embed "TkLwJ0p46W8" >}} + Docker Scout has powerful features for enhancing containerized application security and ensuring a robust software supply chain. @@ -15,6 +18,4 @@ security and ensuring a robust software supply chain. removing unnecessary packages - Verify and validate remediation efforts using Docker Scout -{{< youtube-embed "TkLwJ0p46W8" >}} -
diff --git a/content/guides/docker-scout/remediation.md b/content/guides/docker-scout/remediation.md new file mode 100644 index 0000000000..e485c9cd3c --- /dev/null +++ b/content/guides/docker-scout/remediation.md @@ -0,0 +1,27 @@ +--- +title: Remediation +description: Learn how Docker Scout can help you improve your software quality automatically, using remediation +keywords: scout, supply chain, security, remediation, automation +weight: 60 +--- + +{{< youtube-embed jM9zLBf8M-8 >}} + +Docker Scout's [remediation feature](/manuals/scout/policy/remediation.md) +helps you address supply chain and security issues by offering tailored +recommendations based on policy evaluations. These recommendations guide you in +improving policy compliance or enhancing image metadata, allowing Docker Scout +to perform more accurate evaluations in the future. + +You can use this feature to ensure that your base images are up-to-date and +that your supply chain attestations are complete. When a violation occurs, +Docker Scout provides recommended fixes, such as updating your base image or +adding missing attestations. If there isn’t enough information to determine +compliance, Docker Scout suggests actions to help resolve the issue. + +In the Docker Scout Dashboard, you can view and act on these recommendations by +reviewing violations or compliance uncertainties. With integrations like +GitHub, you can even automate updates, directly fixing issues from the +dashboard. + +
diff --git a/content/manuals/scout/concepts/s3c.md b/content/guides/docker-scout/s3c.md similarity index 89% rename from content/manuals/scout/concepts/s3c.md rename to content/guides/docker-scout/s3c.md index 6c13291e2e..df6eac67a7 100644 --- a/content/manuals/scout/concepts/s3c.md +++ b/content/guides/docker-scout/s3c.md @@ -2,8 +2,13 @@ title: Software supply chain security description: Learn about software supply chain security (S3C), what it means, and why it is important. keywords: docker scout, secure, software, supply, chain, security, sssc, sscs, s3c +aliases: + - /scout/concepts/s3c/ +weight: 30 --- +{{< youtube-embed YzNK6E7APv0 >}} + The term "software supply chain" refers to the end-to-end process of developing and delivering software, from the development to deployment and maintenance. Software supply chain security, or "S3C" for short, is the practice for @@ -39,7 +44,7 @@ day where software is built using multiple components from different sources. Organizations need to have a clear understanding of the software components they use, and the security risks associated with them. -## Docker Scout +## How Docker Scout is different Docker Scout is a platform designed to help organizations secure their software supply chain. It provides tools and services for identifying and managing @@ -53,9 +58,11 @@ updated risk assessment is available within seconds, and earlier in the development process. Docker Scout works by analyzing the composition of your images to create a -[Software Bill of Materials (SBOM)](/manuals/scout/concepts/sbom.md). The SBOM is -cross-referenced against the security advisories to identify CVEs that affect -your images. Docker Scout integrates with [over 20 different security +Software Bill of Materials (SBOM). The SBOM is cross-referenced against the +security advisories to identify CVEs that affect your images. Docker Scout +integrates with [over 20 different security advisories](/manuals/scout/deep-dive/advisory-db-sources.md), and updates its vulnerability database in real-time. This ensures that your security posture is represented using the latest available information. + +
diff --git a/content/manuals/scout/concepts/sbom.md b/content/guides/docker-scout/sbom.md similarity index 81% rename from content/manuals/scout/concepts/sbom.md rename to content/guides/docker-scout/sbom.md index 69c80d5d04..c7c6e2fa8a 100644 --- a/content/manuals/scout/concepts/sbom.md +++ b/content/guides/docker-scout/sbom.md @@ -2,8 +2,13 @@ title: Software Bill of Materials description: Learn about Software Bill of Materials (SBOM) and how Docker Scout uses it. keywords: scout, sbom, software bill of materials, analysis, composition +aliases: + - /scout/concepts/sbom/ +weight: 40 --- +{{< youtube-embed PbS4y7C7h4A >}} + A Bill of Materials (BOM) is a list of materials, parts, and the quantities of each needed to manufacture a product. For example, a BOM for a computer might list the motherboard, CPU, RAM, power supply, storage devices, case, and other @@ -35,16 +40,10 @@ An SBOM typically includes the following information: Docker Scout uses SBOMs to determine the components that are used in a Docker image. When you analyze an image, Docker Scout will either use the SBOM that is -attached to the image (using [attestations](/manuals/build/metadata/attestations/_index.md)), or -it will generate an SBOM on the fly by analyzing the contents of the image. +attached to the image as an attestation, or it will generate an SBOM on the fly +by analyzing the contents of the image. The SBOM is cross-referenced with the [advisory database](/manuals/scout/deep-dive/advisory-db-sources.md) to determine if any of the components in the image have known vulnerabilities. -## Additional resources - -To learn more about generating SBOMs and how SBOMs are used in Docker Scout, -see: - -- [Image analysis in Docker Scout](/manuals/scout/explore/analysis.md) -- [View and create SBOMs](/manuals/scout/how-tos/view-create-sboms.md) +
diff --git a/content/guides/docker-scout/why.md b/content/guides/docker-scout/why.md index bf84d26f68..3c63052fcb 100644 --- a/content/guides/docker-scout/why.md +++ b/content/guides/docker-scout/why.md @@ -4,6 +4,8 @@ description: Learn how Docker Scout can help you secure your supply chain. weight: 10 --- +{{< youtube-embed "-omsQ7Uqyc4" >}} + Organizations face significant challenges from data breaches, including financial losses, operational disruptions, and long-term damage to brand reputation and customer trust. Docker Scout addresses critical problems @@ -22,6 +24,4 @@ development process. It also integrates with popular development tools like Docker Desktop and GitHub Actions, providing seamless security management and compliance checks within existing workflows. -{{< youtube-embed "-omsQ7Uqyc4" >}} -
diff --git a/content/manuals/accounts/_index.md b/content/manuals/accounts/_index.md index ae9594d7ba..b4b2b0a307 100644 --- a/content/manuals/accounts/_index.md +++ b/content/manuals/accounts/_index.md @@ -1,6 +1,5 @@ --- -title: Docker account overview -linkTitle: Docker accounts +title: Docker accounts weight: 200 description: Learn how to create and manage your Docker account. keywords: accounts, docker ID, account management, account settings, docker account, docker home diff --git a/content/manuals/admin/_index.md b/content/manuals/admin/_index.md index 591be8b4ba..f32ba7a787 100644 --- a/content/manuals/admin/_index.md +++ b/content/manuals/admin/_index.md @@ -1,6 +1,5 @@ --- -title: Administration overview -linkTitle: Administration +title: Administration weight: 200 description: Discover manuals on administration for accounts, organizations, and companies. keywords: admin, administration, company, organization, Admin Console, user accounts, account management diff --git a/content/manuals/build/_index.md b/content/manuals/build/_index.md index 5fbdec6cfe..88bf305324 100644 --- a/content/manuals/build/_index.md +++ b/content/manuals/build/_index.md @@ -1,6 +1,5 @@ --- -title: Overview of Docker Build -linkTitle: Docker Build +title: Docker Build weight: 100 description: Get an overview of Docker Build to package and bundle your code and ship it anywhere keywords: build, buildx, buildkit diff --git a/content/manuals/build/building/best-practices.md b/content/manuals/build/building/best-practices.md index c3d7e783a5..c3d42b9a96 100644 --- a/content/manuals/build/building/best-practices.md +++ b/content/manuals/build/building/best-practices.md @@ -319,7 +319,7 @@ backslashes to make your Dockerfile more readable, understandable, and maintainable. For example, you can chain commands with the `&&` operator, and use -use escape characters to break long commands into multiple lines. +escape characters to break long commands into multiple lines. ```dockerfile RUN apt-get update && apt-get install -y \ diff --git a/content/manuals/build/metadata/attestations/_index.md b/content/manuals/build/metadata/attestations/_index.md index 73cd8a3e2e..fc9530a05b 100644 --- a/content/manuals/build/metadata/attestations/_index.md +++ b/content/manuals/build/metadata/attestations/_index.md @@ -8,6 +8,8 @@ aliases: - /build/attestations/ --- +{{< youtube-embed qOzcycbTs4o >}} + Build attestations describe how an image was built, and what it contains. The attestations are created at build-time by BuildKit, and become attached to the final image as metadata. diff --git a/content/manuals/compose/_index.md b/content/manuals/compose/_index.md index 33d034320b..88d396af20 100644 --- a/content/manuals/compose/_index.md +++ b/content/manuals/compose/_index.md @@ -1,6 +1,5 @@ --- -title: Docker Compose overview -linkTitle: Docker Compose +title: Docker Compose weight: 100 description: Learn how to use Docker Compose to define and run multi-container applications with this detailed introduction to the tool. diff --git a/content/manuals/desktop/_index.md b/content/manuals/desktop/_index.md index 3c1a08355b..29c89bda30 100644 --- a/content/manuals/desktop/_index.md +++ b/content/manuals/desktop/_index.md @@ -1,6 +1,5 @@ --- -title: Overview of Docker Desktop -linkTitle: Docker Desktop +title: Docker Desktop weight: 100 description: Explore Docker Desktop, what it has to offer, and its key features. Take the next step by downloading or find additional resources keywords: how to use docker desktop, what is docker desktop used for, what does docker diff --git a/content/manuals/desktop/troubleshoot-and-support/troubleshoot/known-issues.md b/content/manuals/desktop/troubleshoot-and-support/troubleshoot/known-issues.md index 72e91f77b0..6cef692924 100644 --- a/content/manuals/desktop/troubleshoot-and-support/troubleshoot/known-issues.md +++ b/content/manuals/desktop/troubleshoot-and-support/troubleshoot/known-issues.md @@ -4,6 +4,8 @@ keywords: mac, troubleshooting, known issues, Docker Desktop title: Known issues tags: [ Troubleshooting ] weight: 30 +aliases: + - /desktop/troubleshoot/known-issues/ --- {{< tabs >}} diff --git a/content/manuals/desktop/troubleshoot-and-support/troubleshoot/topics.md b/content/manuals/desktop/troubleshoot-and-support/troubleshoot/topics.md index 6dd0e0e8e0..532a60e4fc 100644 --- a/content/manuals/desktop/troubleshoot-and-support/troubleshoot/topics.md +++ b/content/manuals/desktop/troubleshoot-and-support/troubleshoot/topics.md @@ -6,6 +6,8 @@ linkTitle: Common topics toc_max: 4 tags: [ Troubleshooting ] weight: 10 +aliases: + - /desktop/troubleshoot/topics/ --- > [!TIP] diff --git a/content/manuals/desktop/troubleshoot-and-support/troubleshoot/workarounds.md b/content/manuals/desktop/troubleshoot-and-support/troubleshoot/workarounds.md index ac4f55f013..8720454e17 100644 --- a/content/manuals/desktop/troubleshoot-and-support/troubleshoot/workarounds.md +++ b/content/manuals/desktop/troubleshoot-and-support/troubleshoot/workarounds.md @@ -4,6 +4,8 @@ keywords: linux, mac, windows, troubleshooting, workarounds, Docker Desktop title: Workarounds for common problems tags: [ Troubleshooting ] weight: 20 +aliases: + - /desktop/troubleshoot/workarounds/ --- ### Reboot diff --git a/content/manuals/docker-hub/_index.md b/content/manuals/docker-hub/_index.md index 43e867a23b..d793487640 100644 --- a/content/manuals/docker-hub/_index.md +++ b/content/manuals/docker-hub/_index.md @@ -1,59 +1,49 @@ --- -description: Find a comprehensive overview of Docker Hub, including its features, administrative settings, how to get started quickly, and more -keywords: Docker, docker, docker hub, hub, repositories, docker account -title: Overview of Docker Hub -linkTitle: Docker Hub +description: Get an overview on Docker Hub to find and share container images +keywords: docker hub, hub, repositories +title: Docker Hub weight: 100 grid: - title: Quickstart description: Step-by-step instructions on getting started on Docker Hub. icon: explore link: /docker-hub/quickstart -- title: Create a repository +- title: Repositories description: Create a repository to share your images with your team, customers, or the Docker community. icon: inbox link: /docker-hub/repos -- title: Manage repository access - description: Manage access to push and pull to your repository and assign permissions. - icon: key - link: /docker-hub/repos/access -- title: Automated builds - description: Learn how you can automatically build images from source code to push to your repositories. - icon: build - link: /docker-hub/builds/how-builds-work +- title: Organizations + description: Learn about organization administration. + icon: store + link: /admin/ +- title: Usage + description: Explore usage limits and how to better utilize Docker Hub. + icon: leaderboard + link: /docker-hub/download-rate-limit/ - title: Release notes description: Find out about new features, improvements, and bug fixes. icon: note_add link: /docker-hub/release-notes --- -Docker Hub is a service provided by Docker for finding and sharing container images. +Docker Hub simplifies development with the world's largest container registry +for storing, managing, and sharing Docker images. By integrating seamlessly with +your tools, it enhances productivity and ensures reliable deployment, +distribution, and access to containerized applications. It also provides +developers with pre-built images and assets to speed up development workflows. -It's the world’s largest repository of container images with an array of content sources including container community developers, open source projects, and independent software vendors (ISV) building and distributing their code in containers. +Key features of Docker Hub: -Docker Hub is also where you can go to [carry out administrative tasks for organizations](/admin/). If you have a Docker Team or Business subscription, you can also carry out administrative tasks in the [Docker Admin Console](https://admin.docker.com). +* Unlimited public repositories +* Private repositories +* Webhooks to automate workflows +* GitHub and Bitbucket integrations +* Concurrent and automated builds +* Trusted content featuring high-quality, secure images -{{< tabs >}} -{{< tab name="What key features are included in Docker Hub?" >}} -* [Repositories](../docker-hub/repos/_index.md): Push and pull container images. -* [Builds](builds/_index.md): Automatically build container images from -GitHub and Bitbucket and push them to Docker Hub. -* [Webhooks](webhooks.md): Trigger actions after a successful push - to a repository to integrate Docker Hub with other services. -* [Docker Hub CLI](https://github.com/docker/hub-tool#readme) tool (currently experimental) and an API that allows you to interact with Docker Hub. - * Browse through the [Docker Hub API](/reference/api/hub/latest/) documentation to explore the supported endpoints. -{{< /tab >}} -{{< tab name="What administrative tasks can I perform in Docker Hub?" >}} -* [Create and manage teams and organizations](orgs.md) -* [Create a company](../admin/company/new-company.md) -* [Enforce sign in](../security/for-admins/enforce-sign-in/_index.md) -* Set up [SSO](../security/for-admins/single-sign-on/_index.md) and [SCIM](../security/for-admins/provisioning/scim.md) -* Use [Group mapping](group-mapping.md) -* [Carry out domain audits](domain-audit.md) -* [Use Image Access Management](/manuals/security/for-admins/hardened-desktop/image-access-management.md) to control developers' access to certain types of images -* [Turn on Registry Access Management](/manuals/security/for-admins/hardened-desktop/registry-access-management.md) -{{< /tab >}} -{{< /tabs >}} +In addition to the graphical interface, you can interact with Docker Hub using +the [Docker Hub API](../../reference/api/hub/latest.md) or experimental [Docker +Hub CLI tool](https://github.com/docker/hub-tool#readme). -{{< grid >}} +{{< grid >}} \ No newline at end of file diff --git a/content/manuals/docker-hub/release-notes.md b/content/manuals/docker-hub/release-notes.md index 39d11fef69..4b307927e5 100644 --- a/content/manuals/docker-hub/release-notes.md +++ b/content/manuals/docker-hub/release-notes.md @@ -15,6 +15,18 @@ known issues for each Docker Hub release. Take a look at the [Docker Public Roadmap](https://github.com/orgs/docker/projects/51/views/1?filterQuery=) to see what's coming next. +## 2024-11-11 + +### New + +- [Personal access tokens](/security/for-developers/access-tokens/) (PATs) now support expiration dates. + +## 2024-10-15 + +### New + +- Beta: You can now create [organization access tokens](/security/for-admins/access-tokens/) (OATs) to enhance security for organizations and streamline access management for organizations. + ## 2024-03-23 ### New diff --git a/content/manuals/engine/_index.md b/content/manuals/engine/_index.md index 6a2e265d7f..68846eb6a3 100644 --- a/content/manuals/engine/_index.md +++ b/content/manuals/engine/_index.md @@ -1,6 +1,5 @@ --- -title: Docker Engine overview -linkTitle: Docker Engine +title: Docker Engine weight: 100 description: Find a comprehensive overview of Docker Engine, including how to install, storage details, networking, and more keywords: Engine diff --git a/content/manuals/extensions/_index.md b/content/manuals/extensions/_index.md index c3fbb6fc11..a538211d29 100644 --- a/content/manuals/extensions/_index.md +++ b/content/manuals/extensions/_index.md @@ -1,6 +1,5 @@ --- -title: Overview of Docker Extensions -linkTitle: Docker Extensions +title: Docker Extensions weight: 100 description: Extensions keywords: Docker Extensions, Docker Desktop, Linux, Mac, Windows diff --git a/content/manuals/scout/concepts/_index.md b/content/manuals/scout/concepts/_index.md deleted file mode 100644 index 60fd656fe6..0000000000 --- a/content/manuals/scout/concepts/_index.md +++ /dev/null @@ -1,6 +0,0 @@ ---- -build: - render: never -title: Concepts -weight: 30 ---- diff --git a/content/manuals/scout/how-tos/artifact-types.md b/content/manuals/scout/how-tos/artifact-types.md index 524219fc8c..e62a1452df 100644 --- a/content/manuals/scout/how-tos/artifact-types.md +++ b/content/manuals/scout/how-tos/artifact-types.md @@ -56,7 +56,7 @@ You can use prefixes with the following commands: This section contains a few examples showing how you can use prefixes to specify artifacts for `docker scout` commands. -## Analyze a local project +### Analyze a local project The `fs://` prefix lets you analyze local source code directly, without having to build it into a container image. @@ -112,7 +112,7 @@ pkg:npm/fastify@3.29.0 CRITICAL 0 ``` -## Compare a local project to an image +### Compare a local project to an image With `docker scout compare`, you can compare the analysis of source code on your local filesystem with the analysis of a container image. diff --git a/content/manuals/scout/policy/remediation.md b/content/manuals/scout/policy/remediation.md index f2d645d337..78e1d8d04c 100644 --- a/content/manuals/scout/policy/remediation.md +++ b/content/manuals/scout/policy/remediation.md @@ -8,6 +8,8 @@ keywords: scout, supply chain, security, remediation, automation Remediation with Docker Scout is currently in [Beta](../../release-lifecycle.md#Beta). {{% /experimental %}} +{{< youtube-embed 7PsZbAsPgsY >}} + Docker Scout helps you remediate supply chain or security issues by providing recommendations based on policy evaluation results. Recommendations are suggested actions you can take that improve policy compliance, or that add diff --git a/content/manuals/security/for-admins/hardened-desktop/_index.md b/content/manuals/security/for-admins/hardened-desktop/_index.md index 0ef103c2ce..067476c2d1 100644 --- a/content/manuals/security/for-admins/hardened-desktop/_index.md +++ b/content/manuals/security/for-admins/hardened-desktop/_index.md @@ -37,9 +37,9 @@ weight: 60 Hardened Docker Desktop is a group of security features, designed to improve the security of developer environments with minimal impact on developer experience or productivity. -It lets administrators enforce strict security settings, preventing developers and their containers from bypassing these controls, either intentionally or unintentionally. Additionally, you can enhance container isolation, to mitigate potential security threats such as malicious payloads breaching the Docker Desktop Linux VM and the underlying host. +It lets you enforce strict security settings, preventing developers and their containers from bypassing these controls, either intentionally or unintentionally. Additionally, you can enhance container isolation, to mitigate potential security threats such as malicious payloads breaching the Docker Desktop Linux VM and the underlying host. -Hardened Docker Desktop moves the ownership boundary for Docker Desktop configuration to the organization, meaning that any security controls administrators set cannot be altered by the user of Docker Desktop. +Hardened Docker Desktop moves the ownership boundary for Docker Desktop configuration to the organization, meaning that any security controls you set cannot be altered by the user of Docker Desktop. It is for security conscious organizations who: - Don’t give their users root or administrator access on their machines @@ -50,8 +50,8 @@ It is for security conscious organizations who: Hardened Desktop features work independently but collectively to create a defense-in-depth strategy, safeguarding developer workstations against potential attacks across various functional layers, such as configuring Docker Desktop, pulling container images, and running container images. This multi-layered defense approach ensures comprehensive security. It helps mitigate against threats such as: - - Malware and supply chain attacks: Registry Access Management and Image Access Management prevent developers from accessing certain container registries and image types, significantly lowering the risk of malicious payloads. Additionally, ECI restricts the impact of containers with malicious payloads by running them without root privileges inside a Linux user namespace. - - Lateral movement: Air-Gapped Containers lets administrators configure network access restrictions for containers, thereby preventing malicious containers from performing lateral movement within the organization's network. - - Insider threats: Settings Management configures and locks various Docker Desktop settings so administrators can enforce company policies and prevent developers from introducing insecure configurations, intentionally or unintentionally. + - Malware and supply chain attacks: Registry Access Management and Image Access Management prevent developers from accessing certain container registries and image types, significantly lowering the risk of malicious payloads. Additionally, Enhanced Container Isolation (ECI) restricts the impact of containers with malicious payloads by running them without root privileges inside a Linux user namespace. + - Lateral movement: Air-gapped containers lets you configure network access restrictions for containers, thereby preventing malicious containers from performing lateral movement within the organization's network. + - Insider threats: Settings Management configures and locks various Docker Desktop settings so you can enforce company policies and prevent developers from introducing insecure configurations, intentionally or unintentionally. {{< grid >}} diff --git a/content/manuals/security/for-admins/hardened-desktop/air-gapped-containers.md b/content/manuals/security/for-admins/hardened-desktop/air-gapped-containers.md index e08b9d22a8..107de36432 100644 --- a/content/manuals/security/for-admins/hardened-desktop/air-gapped-containers.md +++ b/content/manuals/security/for-admins/hardened-desktop/air-gapped-containers.md @@ -9,11 +9,11 @@ aliases: {{< introduced desktop 4.29.0 "/manuals/desktop/release-notes.md#4290" >}} -Air-Gapped Containers allows administrators to restrict containers from accessing network resources, limiting where data can be uploaded to or downloaded from. +Air-gapped containers let you restrict containers from accessing network resources, limiting where data can be uploaded to or downloaded from. Docker Desktop can apply a custom set of proxy rules to network traffic from containers. The proxy can be configured to: -- Allow network connections +- Accept network connections - Reject network connections - Tunnel through an HTTP or SOCKS proxy @@ -79,7 +79,7 @@ The `FindProxyForURL` can return the following values: - `PROXY host_or_ip:port`: Tunnels this request through the HTTP proxy `host_or_ip:port` - `SOCKS5 host_or_ip:port`: Tunnels this request through the SOCKS proxy `host_or_ip:port` -- `DIRECT`: Allows this request to go direct, without a proxy +- `DIRECT`: Lets this request go direct, without a proxy - `PROXY reject.docker.internal:any_port`: Rejects this request In this particular example, HTTP and HTTPS requests for `internal.corp` are sent via the HTTP proxy `10.0.0.1:3128`. Requests to connect to IPs on the subnet `192.168.0.0/24` connect directly. All other requests are blocked. diff --git a/content/manuals/security/for-admins/hardened-desktop/image-access-management.md b/content/manuals/security/for-admins/hardened-desktop/image-access-management.md index 2314c8d983..4a22ca9680 100644 --- a/content/manuals/security/for-admins/hardened-desktop/image-access-management.md +++ b/content/manuals/security/for-admins/hardened-desktop/image-access-management.md @@ -14,20 +14,15 @@ weight: 40 > > Image Access Management is available to [Docker Business](/manuals/subscription/core-subscription/details.md#docker-business) customers only. -Image Access Management gives administrators control over which types of images, such as Docker Official Images, Docker Verified Publisher Images, or community images, their developers can pull from Docker Hub. +Image Access Management gives you control over which types of images, such as Docker Official Images, Docker Verified Publisher Images, or community images, your developers can pull from Docker Hub. For example, a developer, who is part of an organization, building a new containerized application could accidentally use an untrusted, community image as a component of their application. This image could be malicious and pose a security risk to the company. Using Image Access Management, the organization owner can ensure that the developer can only access trusted content like Docker Official Images, Docker Verified Publisher Images, or the organization’s own images, preventing such a risk. ## Prerequisites -You need to [enforce sign-in](../enforce-sign-in/_index.md). For Image Access -Management to take effect, Docker Desktop users must authenticate to your -organization. Enforcing sign-in ensures that your Docker Desktop developers -always authenticate to your organization, even though they can authenticate -without it and the feature will take effect. Enforcing sign-in guarantees the -feature always takes effect. +You first need to [enforce sign-in](/manuals/security/for-admins/enforce-sign-in/_index.md) to ensure that all Docker Desktop developers authenticate with your organization. Since Image Access Management requires a Docker Business subscription, enforced sign-in guarantees that only authenticated users have access and that the feature consistently takes effect across all users, even though it may still work without enforced sign-in. -## Configure Image Access Management permissions +## Configure {{< tabs >}} {{< tab name="Docker Hub" >}} diff --git a/content/manuals/security/for-admins/hardened-desktop/settings-management/_index.md b/content/manuals/security/for-admins/hardened-desktop/settings-management/_index.md index b7b971472e..7df4022e8d 100644 --- a/content/manuals/security/for-admins/hardened-desktop/settings-management/_index.md +++ b/content/manuals/security/for-admins/hardened-desktop/settings-management/_index.md @@ -13,27 +13,25 @@ weight: 10 > > Settings Management is available to Docker Business customers only. -Settings Management is a feature that helps admins to control certain Docker Desktop settings on client machines within their organization. +Settings Management helps you control key Docker Desktop settings, like proxies and network configurations, on your developers' machines within your organization. -With a few lines of JSON, admins can configure controls for Docker Desktop settings such as proxies and network settings. For an extra layer of security, admins can also use Settings Management to enable and lock in [Enhanced Container Isolation](../enhanced-container-isolation/_index.md) which ensures that any configurations set with Settings Management cannot be modified by containers. +For an extra layer of security, you can also use Settings Management to enable and lock in [Enhanced Container Isolation](../enhanced-container-isolation/_index.md), which prevents containers from modifying any Settings Management configurations. -It is available with [Docker Desktop 4.13.0 and later](/manuals/desktop/release-notes.md). - -### Who is it for? +## Who is it for? - For organizations that want to configure Docker Desktop to be within their organization's centralized control. - For organizations that want to create a standardized Docker Desktop environment at scale. - For Docker Business customers who want to confidently manage their use of Docker Desktop within tightly regulated environments. -### How does it work? +## How does it work? -Administrators can configure several Docker Desktop settings using an `admin-settings.json` file. This file is located on the Docker Desktop host and can only be accessed by developers with root or admin privileges. +You can configure several Docker Desktop settings using an `admin-settings.json` file. This file is located on the Docker Desktop host and can only be accessed by developers with root or administrator privileges. Values that are set to `locked: true` within the `admin-settings.json` override any previous values set by developers and ensure that these cannot be modified. For more information, see [Configure Settings Management](configure.md#step-two-configure-the-settings-you-want-to-lock-in). -### What features can I configure with Settings Management? +## What features can I configure with Settings Management? -Using the `admin-settings.json` file, admins can: +Using the `admin-settings.json` file, you can: - Turn on and lock in [Enhanced Container Isolation](../enhanced-container-isolation/_index.md) - Configure HTTP proxies @@ -50,21 +48,13 @@ Using the `admin-settings.json` file, admins can: - Control whether developers can use the Docker terminal - Control the file sharing implementation for your developers on macOS - Specify which paths your developers can add file shares to -- Configure Air-Gapped Containers +- Configure Air-gapped containers -For more details on the syntax and options admins can set, see [Configure Settings Management](configure.md). +For more details on the syntax and options, see [Configure Settings Management](configure.md). -### How do I set up and enforce Settings Management? - -As an administrator, you first need to [enforce -sign-in](/manuals/security/for-admins/enforce-sign-in/_index.md). This is -because the Settings Management feature requires a Docker Business subscription -and therefore your Docker Desktop developers must authenticate to your -organization. Enforcing sign-in ensures that your Docker Desktop developers -always authenticate to your organization, even though they can authenticate -without it and the feature will take effect. Enforcing sign-in guarantees the -feature always takes effect. +## How do I set up and enforce Settings Management? +You first need to [enforce sign-in](/manuals/security/for-admins/enforce-sign-in/_index.md) to ensure that all Docker Desktop developers authenticate with your organization. Since the Settings Management feature requires a Docker Business subscription, enforced sign-in guarantees that only authenticated users have access and that the feature consistently takes effect across all users, even though it may still work without enforced sign-in. Next, you must either manually [create and configure the admin-settings.json file](configure.md), or use the `--admin-settings` installer flag on [macOS](/manuals/desktop/setup/install/mac-install.md#install-from-the-command-line) or [Windows](/manuals/desktop/setup/install/windows-install.md#install-from-the-command-line) to automatically create the `admin-settings.json` and save it in the correct location. @@ -72,11 +62,13 @@ Once this is done, Docker Desktop developers receive the changed settings when t - Quit, re-launch, and sign in to Docker Desktop - Launch and sign in to Docker Desktop for the first time -Docker doesn't automatically mandate that developers re-launch and re-authenticate once a change has been made, so as not to disrupt your developers' workflow. +To avoid disrupting your developers' workflows, Docker doesn't automatically require that developers re-launch and re-authenticate once a change has been made. -### What do developers see when the settings are enforced? +## What do developers see when the settings are enforced? -Any settings that are enforced, are grayed out in Docker Desktop and the user is unable to edit them, either via the Docker Desktop UI, CLI, or the `settings-store.json` file (or `settings.json` for Docker Desktop versions 4.34 and earlier). In addition, if Enhanced Container Isolation is enforced, developers can't use privileged containers or similar techniques to modify enforced settings within the Docker Desktop Linux VM, for example, reconfigure proxy and networking of reconfigure Docker Engine. +Enforced settings appear grayed out in Docker Desktop. They can't be edited via the Docker Desktop Dashboard, CLI, or `settings-store.json` (or `settings.json` for Docker Desktop 4.34 and earlier). + +In addition, if Enhanced Container Isolation is enforced, developers can't use privileged containers or similar techniques to modify enforced settings within the Docker Desktop Linux VM. For example, they can't reconfigure proxy and networking, or Docker Engine. ![Proxy settings grayed out](/assets/images/grayed-setting.png) diff --git a/content/manuals/security/for-admins/hardened-desktop/settings-management/configure.md b/content/manuals/security/for-admins/hardened-desktop/settings-management/configure.md index e1ad90212f..cde1009502 100644 --- a/content/manuals/security/for-admins/hardened-desktop/settings-management/configure.md +++ b/content/manuals/security/for-admins/hardened-desktop/settings-management/configure.md @@ -3,7 +3,8 @@ description: How to configure Settings Management for Docker Desktop keywords: admin, controls, rootless, enhanced container isolation title: Configure Settings Management linkTitle: Configure -aliases: +toc_min: 4 +aliases: - /desktop/hardened-desktop/settings-management/configure/ --- @@ -11,59 +12,49 @@ aliases: > > Settings Management is available to Docker Business customers only. -This page contains information for admins on how to configure Settings Management to specify and lock configuration parameters to create a standardized Docker Desktop environment across the organization. +This page contains information on how to configure Settings Management to specify and lock configuration parameters to create a standardized Docker Desktop environment across the organization. Settings Management is designed specifically for organizations who don’t give developers root access to their machines. -### Prerequisites +## Prerequisites -- [Download and install Docker Desktop 4.13.0 or later](/manuals/desktop/release-notes.md). -- As an administrator, you need to [enforce - sign-in](/manuals/security/for-admins/enforce-sign-in/_index.md). This is - because this feature requires a Docker Business subscription and therefore - your Docker Desktop users must authenticate to your organization for this - configuration to take effect. Enforcing sign-in ensures that your Docker - Desktop developers always authenticate to your organization, even though they - can authenticate without it and the feature will take effect. Enforcing - sign-in guarantees the feature always takes effect. +You first need to [enforce sign-in](/manuals/security/for-admins/enforce-sign-in/_index.md) to ensure that all Docker Desktop developers authenticate with your organization. Since Settings Management requires a Docker Business subscription, enforced sign-in guarantees that only authenticated users have access and that the feature consistently takes effect across all users, even though it may still work without enforced sign-in. - -### Step one: Create the `admin-settings.json` file and save it in the correct location +## Step one: Create the `admin-settings.json` file and save it in the correct location You can either use the `--admin-settings` installer flag on [macOS](/manuals/desktop/setup/install/mac-install.md#install-from-the-command-line) or [Windows](/manuals/desktop/setup/install/windows-install.md#install-from-the-command-line) to automatically create the `admin-settings.json` and save it in the correct location, or set it up manually. To set it up manually: 1. Create a new, empty JSON file and name it `admin-settings.json`. 2. Save the `admin-settings.json` file on your developers' machines in the following locations: + - Mac: `/Library/Application\ Support/com.docker.docker/admin-settings.json` + - Windows: `C:\ProgramData\DockerDesktop\admin-settings.json` + - Linux: `/usr/share/docker-desktop/admin-settings.json` - - Mac: `/Library/Application\ Support/com.docker.docker/admin-settings.json` - - Windows: `C:\ProgramData\DockerDesktop\admin-settings.json` - - Linux: `/usr/share/docker-desktop/admin-settings.json` + By placing this file in a protected directory, developers are unable to modify it. - By placing this file in the above protected directories, end users are unable to modify it. + > [!IMPORTANT] + > + > It is assumed that you have the ability to push the `admin-settings.json` settings file to the locations specified through a device management software such as [Jamf](https://www.jamf.com/lp/en-gb/apple-mobile-device-management-mdm-jamf-shared/?attr=google_ads-brand-search-shared&gclid=CjwKCAjw1ICZBhAzEiwAFfvFhEXjayUAi8FHHv1JJitFPb47C_q_RCySTmF86twF1qJc_6GST-YDmhoCuJsQAvD_BwE). - > [!IMPORTANT] - > - > It is assumed that you have the ability to push the `admin-settings.json` settings file to the locations specified above through a device management software such as [Jamf](https://www.jamf.com/lp/en-gb/apple-mobile-device-management-mdm-jamf-shared/?attr=google_ads-brand-search-shared&gclid=CjwKCAjw1ICZBhAzEiwAFfvFhEXjayUAi8FHHv1JJitFPb47C_q_RCySTmF86twF1qJc_6GST-YDmhoCuJsQAvD_BwE). - -### Step two: Configure the settings you want to lock in +## Step two: Configure the settings you want to lock in > [!NOTE] > -> Some of the configuration parameters only apply to Windows. This is highlighted in the table below. +> Some of the configuration parameters only apply to Windows or to specific Docker Desktop versions. This is highlighted in the following table. -The `admin-settings.json` file requires a nested list of configuration parameters, each of which must contain the `locked` parameter. You can add or remove configuration parameters as per your requirements. +The `admin-settings.json` file requires a nested list of configuration parameters, each of which must contain the `locked` parameter. You can add or remove configuration parameters as per your requirements. If `locked: true`, users aren't able to edit this setting from Docker Desktop or the CLI. If `locked: false`, it's similar to setting a factory default in that: -- For new installs, `locked: false` pre-populates the relevant settings in the Docker Desktop UI, but users are able to modify it. + - For new installs, `locked: false` pre-populates the relevant settings in the Docker Desktop Dashboard, but users are able to modify it. -- If Docker Desktop is already installed and being used, `locked: false` is ignored. This is because existing users of Docker Desktop may have already updated a setting, which in turn will have been written to the relevant config file, for example the `settings-store.json` (or `settings.json` for Docker Desktop versions 4.34 and earlier) or `daemon.json`. In these instances, the user's preferences are respected and we don't alter these values. These can be controlled by the admin by setting `locked: true`. + - If Docker Desktop is already installed and being used, `locked: false` is ignored. This is because existing users of Docker Desktop may have already updated a setting, which in turn will have been written to the relevant config file, for example the `settings-store.json` (or `settings.json` for Docker Desktop versions 4.34 and earlier) or `daemon.json`. In these instances, the user's preferences are respected and the values aren't altered. These can be controlled by setting `locked: true`. The following `admin-settings.json` code and table provides an example of the required syntax and descriptions for parameters and values: -```json +```json {collapse=true} { "configurationFileVersion": 2, "exposeDockerAPIOnTCP2375": { @@ -192,55 +183,100 @@ The following `admin-settings.json` code and table provides an example of the re } ``` -| Parameter | | Description | -| :------------------------------- |---| :------------------------------- | -| `configurationFileVersion` | |Specifies the version of the configuration file format. | -| `exposeDockerAPIOnTCP2375` | Windows only| Exposes the Docker API on a specified port. If `value` is set to true, the Docker API is exposed on port 2375. Note: This is unauthenticated and should only be enabled if protected by suitable firewall rules.| -| `proxy` | |If `mode` is set to `system` instead of `manual`, Docker Desktop gets the proxy values from the system and ignores and values set for `http`, `https` and `exclude`. Change `mode` to `manual` to manually configure proxy servers. If the proxy port is custom, specify it in the `http` or `https` property, for example `"https": "http://myotherproxy.com:4321"`. The `exclude` property specifies a comma-separated list of hosts and domains to bypass the proxy. | -|        `windowsDockerdPort` | Windows only | Exposes Docker Desktop's internal proxy locally on this port for the Windows Docker daemon to connect to. If it is set to 0, a random free port is chosen. If the value is greater than 0, use that exact value for the port. The default value is -1 which disables the option. Note: This is available for Windows containers only. | -|        `enableKerberosNtlm` | |When set to `true`, Kerberos and NTLM authentication is enabled. Default is `false`. Available in Docker Desktop version 4.32 and later. For more information, see the settings documentation. | -| `containersProxy` (Beta) | | Allows you to create air-gapped containers. For more information see [Air-Gapped Containers](../air-gapped-containers.md).| -| `enhancedContainerIsolation` | | If `value` is set to true, Docker Desktop runs all containers as unprivileged, via the Linux user-namespace, prevents them from modifying sensitive configurations inside the Docker Desktop VM, and uses other advanced techniques to isolate them. For more information, see [Enhanced Container Isolation](../enhanced-container-isolation/_index.md).| -|        `dockerSocketMount` | | By default, enhanced container isolation blocks bind-mounting the Docker Engine socket into containers (e.g., `docker run -v /var/run/docker.sock:/var/run/docker.sock ...`). This allows admins to relax this in a controlled way. See [ECI Configuration](../enhanced-container-isolation/config.md) for more info. | -|               `imageList` | | Indicates which container images are allowed to bind-mount the Docker Engine socket. | -|               `commandList` | | Restricts the commands that containers can issue via the bind-mounted Docker Engine socket. | -| `linuxVM` | |Parameters and settings related to Linux VM options - grouped together here for convenience. | -|        `wslEngineEnabled` | Windows only | If `value` is set to true, Docker Desktop uses the WSL 2 based engine. This overrides anything that may have been set at installation using the `--backend=` flag. | -|       `dockerDaemonOptions`| |If `value` is set to true, it overrides the options in the Docker Engine config file. See the [Docker Engine reference](/reference/cli/dockerd/#daemon-configuration-file). Note that for added security, a few of the config attributes may be overridden when Enhanced Container Isolation is enabled. | -|       `vpnkitCIDR` | |Overrides the network range used for vpnkit DHCP/DNS for `*.docker.internal` | -|`kubernetes`| | If `enabled` is set to true, a Kubernetes single-node cluster is started when Docker Desktop starts. If `showSystemContainers` is set to true, Kubernetes containers are displayed in the UI and when you run `docker ps`. `imagesRepository` allows you to specify which repository Docker Desktop pulls the Kubernetes images from. For example, `"imagesRepository": "registry-1.docker.io/docker"`. | -| `windowsContainers` | | Parameters and settings related to `windowsContainers` options - grouped together here for convenience. | -|        `dockerDaemonOptions` | | Overrides the options in the Linux daemon config file. See the [Docker Engine reference](/reference/cli/dockerd/#daemon-configuration-file).| -|`disableUpdate`| |If `value` is set to true, checking for and notifications about Docker Desktop updates is disabled.| -|`analyticsEnabled`| |If `value` is set to false, Docker Desktop doesn't send usage statistics to Docker. | -|`extensionsEnabled`| |If `value` is set to false, Docker extensions are disabled. | -|`scout`|| Setting `useBackgroundIndexing` to `false` disables automatic indexing of images loaded to the image store. Setting `sbomIndexing` to `false` prevents users from being able to index image by inspecting them in Docker Desktop or using `docker scout` CLI commands. | -| `allowExperimentalFeatures`| | If `value` is set to `false`, experimental features are disabled.| -| `allowBetaFeatures`| | If `value` is set to `false`, beta features are disabled.| -| `blockDockerLoad` | | If `value` is set to `true`, users are no longer able to run [`docker load`](/reference/cli/docker/image/load/) and receive an error if they try to.| -| `filesharingAllowedDirectories` | | Specify which paths your developers can add file shares to. Also accepts `$HOME`, `$TMP`, or `$TEMP` as `path` variables. When a path is added, its subdirectories are allowed. If `sharedByDefault` is set to `true`, that path will be added upon factory reset or when Docker Desktop first starts. | -| `useVirtualizationFrameworkVirtioFS`| macOS only | If `value` is set to `true`, VirtioFS is set as the file sharing mechanism. Note: If both `useVirtualizationFrameworkVirtioFS` and `useGrpcfuse` have `value` set to `true`, VirtioFS takes precedence. Likewise, if both `useVirtualizationFrameworkVirtioFS` and `useGrpcfuse` have `value` set to `false`, osxfs is set as the file sharing mechanism. | -| `useVirtualizationFrameworkRosetta`| macOS only | If `value` is set to `true`, Docker Desktop turns on Rosetta to accelerate x86_64/amd64 binary emulation on Apple Silicon. Note: This also automatically enables `Use Virtualization framework`. | -| `useGrpcfuse` | macOS only | If `value` is set to `true`, gRPC Fuse is set as the file sharing mechanism. | -| `displayedOnboarding` | | If `value` is set to `true`, the onboarding survey will not be displayed to new users. Setting `value` to `false` has no effect. | -| `desktopTerminalEnabled` | | If `value` is set to `false`, developers cannot use the Docker terminal to interact with the host machine and execute commands directly from Docker Desktop. | +### General -### Step three: Re-launch Docker Desktop +|Parameter|OS|Description|Version| +|:-------------------------------|---|:-------------------------------|---| +|`configurationFileVersion`| |Specifies the version of the configuration file format.| | +|`analyticsEnabled`| |If `value` is set to false, Docker Desktop doesn't send usage statistics to Docker. | | +|`disableUpdate`| |If `value` is set to true, checking for and notifications about Docker Desktop updates is disabled.| | +|`extensionsEnabled`| |If `value` is set to false, Docker extensions are disabled. | | +| `blockDockerLoad` | | If `value` is set to `true`, users are no longer able to run [`docker load`](/reference/cli/docker/image/load/) and receive an error if they try to.| | +| `displayedOnboarding` | | If `value` is set to `true`, the onboarding survey will not be displayed to new users. Setting `value` to `false` has no effect. | Docker Desktop version 4.30 and later | +| `desktopTerminalEnabled` | | If `value` is set to `false`, developers cannot use the Docker terminal to interact with the host machine and execute commands directly from Docker Desktop. | | +|`exposeDockerAPIOnTCP2375`| Windows only| Exposes the Docker API on a specified port. If `value` is set to true, the Docker API is exposed on port 2375. Note: This is unauthenticated and should only be enabled if protected by suitable firewall rules.| | + +### File sharing and emulation + +|Parameter|OS|Description|Version| +|:-------------------------------|---|:-------------------------------|---| +| `filesharingAllowedDirectories` | | Specify which paths your developers can add file shares to. Also accepts `$HOME`, `$TMP`, or `$TEMP` as `path` variables. When a path is added, its subdirectories are allowed. If `sharedByDefault` is set to `true`, that path will be added upon factory reset or when Docker Desktop first starts. | | +| `useVirtualizationFrameworkVirtioFS`| macOS only | If `value` is set to `true`, VirtioFS is set as the file sharing mechanism. Note: If both `useVirtualizationFrameworkVirtioFS` and `useGrpcfuse` have `value` set to `true`, VirtioFS takes precedence. Likewise, if both `useVirtualizationFrameworkVirtioFS` and `useGrpcfuse` have `value` set to `false`, osxfs is set as the file sharing mechanism. | | +| `useGrpcfuse` | macOS only | If `value` is set to `true`, gRPC Fuse is set as the file sharing mechanism. | | +| `useVirtualizationFrameworkRosetta`| macOS only | If `value` is set to `true`, Docker Desktop turns on Rosetta to accelerate x86_64/amd64 binary emulation on Apple Silicon. Note: This also automatically enables `Use Virtualization framework`. | Docker Desktop version 4.29 and later. | + +### Docker Scout + +|Parameter|OS|Description|Version| +|:-------------------------------|---|:-------------------------------|---| +|`scout`| | Setting `useBackgroundIndexing` to `false` disables automatic indexing of images loaded to the image store. Setting `sbomIndexing` to `false` prevents users from being able to index image by inspecting them in Docker Desktop or using `docker scout` CLI commands. | | + +### Proxy + +|Parameter|OS|Description|Version| +|:-------------------------------|---|:-------------------------------|---| +|`proxy`| |If `mode` is set to `system` instead of `manual`, Docker Desktop gets the proxy values from the system and ignores and values set for `http`, `https` and `exclude`. Change `mode` to `manual` to manually configure proxy servers. If the proxy port is custom, specify it in the `http` or `https` property, for example `"https": "http://myotherproxy.com:4321"`. The `exclude` property specifies a comma-separated list of hosts and domains to bypass the proxy. | | +|       `windowsDockerdPort`| Windows only | Exposes Docker Desktop's internal proxy locally on this port for the Windows Docker daemon to connect to. If it is set to 0, a random free port is chosen. If the value is greater than 0, use that exact value for the port. The default value is -1 which disables the option. | | +|       `enableKerberosNtlm`| |When set to `true`, Kerberos and NTLM authentication is enabled. Default is `false`. For more information, see the settings documentation. | Docker Desktop version 4.32 and later. | + +### Container proxy + +|Parameter|OS|Description|Version| +|:-------------------------------|---|:-------------------------------|---| +|`containersProxy` | | Creates air-gapped containers. For more information see [Air-Gapped Containers](../air-gapped-containers.md).| Docker Desktop version 4.29 and later. | + +### Linux VM + +|Parameter|OS|Description|Version| +|:-------------------------------|---|:-------------------------------|---| +| `linuxVM` | |Parameters and settings related to Linux VM options - grouped together here for convenience. | | +|        `wslEngineEnabled` | Windows only | If `value` is set to true, Docker Desktop uses the WSL 2 based engine. This overrides anything that may have been set at installation using the `--backend=` flag. | | +|        `dockerDaemonOptions` | |If `value` is set to true, it overrides the options in the Docker Engine config file. See the [Docker Engine reference](/reference/cli/dockerd/#daemon-configuration-file). Note that for added security, a few of the config attributes may be overridden when Enhanced Container Isolation is enabled. | | +|        `vpnkitCIDR` | |Overrides the network range used for vpnkit DHCP/DNS for `*.docker.internal` | | + +### Windows containers + +|Parameter|OS|Description|Version| +|:-------------------------------|---|:-------------------------------|---| +| `windowsContainers` | | Parameters and settings related to `windowsContainers` options - grouped together here for convenience. | | +|        `dockerDaemonOptions` | | Overrides the options in the Linux daemon config file. See the [Docker Engine reference](/reference/cli/dockerd/#daemon-configuration-file).| | + +### Kubernetes + +|Parameter|OS|Description|Version| +|:-------------------------------|---|:-------------------------------|---| +|`kubernetes`| | If `enabled` is set to true, a Kubernetes single-node cluster is started when Docker Desktop starts. If `showSystemContainers` is set to true, Kubernetes containers are displayed in the Docker Desktop Dashboard and when you run `docker ps`. `imagesRepository` lets you specify which repository Docker Desktop pulls the Kubernetes images from. For example, `"imagesRepository": "registry-1.docker.io/docker"`. | | + +### Features in development + +|Parameter|OS|Description|Version| +|:-------------------------------|---|:-------------------------------|---| +| `allowExperimentalFeatures`| | If `value` is set to `false`, experimental features are disabled.| | +| `allowBetaFeatures`| | If `value` is set to `false`, beta features are disabled.| | + +### Enhanced Container Isolation + +|Parameter|OS|Description|Version| +|:-------------------------------|---|:-------------------------------|---| +|`enhancedContainerIsolation`| | If `value` is set to true, Docker Desktop runs all containers as unprivileged, via the Linux user-namespace, prevents them from modifying sensitive configurations inside the Docker Desktop VM, and uses other advanced techniques to isolate them. For more information, see [Enhanced Container Isolation](../enhanced-container-isolation/_index.md).| | +|        `dockerSocketMount` | | By default, enhanced container isolation blocks bind-mounting the Docker Engine socket into containers (e.g., `docker run -v /var/run/docker.sock:/var/run/docker.sock ...`). This lets you relax this in a controlled way. See [ECI Configuration](../enhanced-container-isolation/config.md) for more info. | | +|               `imageList` | | Indicates which container images are allowed to bind-mount the Docker Engine socket. | | +|               `commandList` | | Restricts the commands that containers can issue via the bind-mounted Docker Engine socket. | | + +## Step three: Re-launch Docker Desktop > [!NOTE] > -> Administrators should test the changes made through the `admin-settings.json` file locally to see if the settings work as expected. +> Test the changes made through the `admin-settings.json` file locally to see if the settings work as expected. For settings to take effect: - On a new install, developers need to launch Docker Desktop and authenticate to their organization. -- On an existing install, developers need to quit Docker Desktop through the Docker menu, and then relaunch Docker Desktop. If they are already signed in, they don't need to sign in again for the changes to take effect. - +- On an existing install, developers need to quit Docker Desktop through the Docker menu, and then re-launch Docker Desktop. If they are already signed in, they don't need to sign in again for the changes to take effect. > [!IMPORTANT] > > Selecting **Restart** from the Docker menu isn't enough as it only restarts some components of Docker Desktop. -Docker doesn't automatically mandate that developers re-launch and sign in once a change has been made so as not to disrupt your developers' workflow. - +So as not to disrupt your developers' workflow, Docker doesn't automatically mandate that developers re-launch and re-authenticate once a change has been made. In Docker Desktop, developers see the relevant settings grayed out and the message **Locked by your administrator**. diff --git a/content/manuals/subscription/_index.md b/content/manuals/subscription/_index.md index 6a6d05718c..5dd8112151 100644 --- a/content/manuals/subscription/_index.md +++ b/content/manuals/subscription/_index.md @@ -1,6 +1,5 @@ --- -title: Docker subscription overview -linkTitle: Subscription +title: Subscription weight: 200 description: Learn about subscription features and how to manage your subscription keywords: Docker, pricing, billing, Pro, Team, business, subscription, tier, plan diff --git a/data/redirects.yml b/data/redirects.yml index b6da290635..59970580d1 100644 --- a/data/redirects.yml +++ b/data/redirects.yml @@ -98,7 +98,7 @@ - /go/storage-driver/ "/docker-hub/vulnerability-scanning/": - /go/tip-scanning/ -"/desktop/windows/features/wsl/": +"/desktop/features/wsl/": # Link used by Docker Desktop to refer users on how to activate WSL 2 - /go/wsl2/ "/reference/api/hub/latest/": diff --git a/hugo_stats.json b/hugo_stats.json index 9e492820c9..dde209194f 100644 --- a/hugo_stats.json +++ b/hugo_stats.json @@ -75,7 +75,6 @@ "Mac", "Mac-/-Linux", "Mac-/-Linux-/-Git-Bash", - "Mac-/-Linux-/-Windows-Git-Bash", "Mac-/-Linux-CLI", "Mac-and-Linux", "Mac-with-Apple-silicon", @@ -124,9 +123,7 @@ "WSL-2-backend-Arm-Beta", "WSL-2-backend-x86_64", "Web-browser", - "What-administrative-tasks-can-I-perform-in-Docker-Hub", "What-are-the-key-features-of-Docker-Desktop", - "What-key-features-are-included-in-Docker-Hub", "Whats-included-in-Docker-Desktop", "Windows", "Windows-Command-Prompt", diff --git a/layouts/shortcodes/admin-image-access.html b/layouts/shortcodes/admin-image-access.html index 4220c151a6..0db9b8f400 100644 --- a/layouts/shortcodes/admin-image-access.html +++ b/layouts/shortcodes/admin-image-access.html @@ -10,10 +10,10 @@ 2. {{ $iam_navigation }} 3. Enable Image Access Management to set the permissions for the following categories of images you can manage: - - **Organization images**: Images from your organization are always allowed by default. These images can be public or private created by members within your organization. + - **Organization Images**: Images from your organization are always allowed by default. These images can be public or private created by members within your organization. - **Docker Official Images**: A curated set of Docker repositories hosted on Hub. They provide OS repositories, best practices for Dockerfiles, drop-in solutions, and applies security updates on time. - **Docker Verified Publisher Images**: Images published by Docker partners that are part of the Verified Publisher program and are qualified to be included in the developer secure supply chain. - - **Community images**: These images are disabled by default when Image Access Management is enabled because various users contribute them and they may pose security risks. This category includes Docker-Sponsored Open Source images. + - **Community Images**: These images are disabled by default when Image Access Management is enabled because various users contribute them and they may pose security risks. This category includes Docker-Sponsored Open Source images. > [!NOTE] >