ENGDOCS-2180 (#20594)

* ENGDOCS-2180

* link fix

* final link fix

* remove old page

* remove old page links
Allie Sadler 2024-08-15 08:59:37 +01:00 committed by GitHub
parent d444610c66
commit 3b64bebf9f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
38 changed files with 136 additions and 347 deletions


@ -28,7 +28,7 @@ No. Organization owners can invite users with their email address, and also assi
Yes. You can [enforce sign-in](../../security/for-admins/enforce-sign-in/_index.md) and some benefits are:
- Administrators can enforce features like [Image Access Management](../../security/for-admins/image-access-management.md) and [Registry Access Management](../../security/for-admins/registry-access-management.md).
- Administrators can enforce features like [Image Access Management](/security/for-admins/hardened-desktop/image-access-management.md) and [Registry Access Management](../../security/for-admins/hardened-desktop/registry-access-management.md).
- Administrators can ensure compliance by blocking Docker Desktop usage for users who don't sign in as members of the organization.
### If a user has their personal email associated with a user account in Docker Hub, do they have to convert to using the organization's domain before they can be invited to join an organization?
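Review bot: the two links on the changed line now use different forms: Image Access Management becomes absolute (`/security/for-admins/hardened-desktop/image-access-management.md`) while Registry Access Management stays relative (`../../security/for-admins/hardened-desktop/registry-access-management.md`). Use the absolute form for both so the pair does not break if this FAQ page is moved later.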


@ -99,7 +99,7 @@ configure your organization.
- **Settings**: Displays information about your
organization, and allows you to view and change your repository privacy
settings, configure org permissions such as
[Image Access Management](../../security/for-admins/image-access-management.md), configure notification settings, and [deactivate](../deactivate-account.md#deactivate-an-organization) You can also update your organization name and company name that appear on your organization landing page. You must be an owner to access the
[Image Access Management](/security/for-admins/hardened-desktop/image-access-management.md), configure notification settings, and [deactivate](../deactivate-account.md#deactivate-an-organization) You can also update your organization name and company name that appear on your organization landing page. You must be an owner to access the
organization's **Settings** page.
- **Billing**: Displays information about your existing
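Review bot: the changed line still lacks a sentence end after the deactivate link: `[deactivate](../deactivate-account.md#deactivate-an-organization) You can also update`. Since the line is being rewritten anyway, add the missing period (for example `deactivate your organization.`) so the two sentences do not run together.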


@ -41,7 +41,7 @@ In large enterprises where admin access is restricted, administrators can [enfor
- Authenticated users also get a higher pull rate limit compared to anonymous users. For example, if you are authenticated, you get 200 pulls per 6 hour period, compared to 100 pulls per 6 hour period per IP address for anonymous users. For more information, see [Download rate limit](../docker-hub/download-rate-limit.md).
- Improve your organizations security posture for containerized development by taking advantage of [Hardened Desktop](hardened-desktop/index.md).
- Improve your organizations security posture for containerized development by taking advantage of [Hardened Desktop](/security/for-admins/hardened-desktop/index.md).
> **Note**
>
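Review bot: the changed line keeps the typo `organizations security posture`; while it is being edited, change it to `organization's security posture`.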


@ -106,7 +106,7 @@ The `install` command accepts the following flags:
- `--accept-license`: Accepts the [Docker Subscription Service Agreement](https://www.docker.com/legal/docker-subscription-service-agreement) now, rather than requiring it to be accepted when the application is first run.
- `--allowed-org=<org name>`: Requires the user to sign in and be part of the specified Docker Hub organization when running the application
- `--user=<username>`: Performs the privileged configurations once during installation. This removes the need for the user to grant root privileges on first run. For more information, see [Privileged helper permission requirements](../mac/permission-requirements.md#permission-requirements). To find the username, enter `ls /Users` in the CLI.
- `--admin-settings`: Automatically creates an `admin-settings.json` file which is used by administrators to control certain Docker Desktop settings on client machines within their organization. For more information, see [Settings Management](../hardened-desktop/settings-management/index.md).
- `--admin-settings`: Automatically creates an `admin-settings.json` file which is used by administrators to control certain Docker Desktop settings on client machines within their organization. For more information, see [Settings Management](/security/for-admins/hardened-desktop/settings-management/index.md).
- It must be used together with the `--allowed-org=<org name>` flag.
- For example:
`--allowed-org=<org name> --admin-settings='{"configurationFileVersion": 2, "enhancedContainerIsolation": {"value": true, "locked": false}}'`
@ -117,7 +117,7 @@ The `install` command accepts the following flags:
> **Tip**
>
> As an IT administrator, you can use endpoint management (MDM) software to identify the number of Docker Desktop instances and their versions within your environment. This can provide accurate license reporting, help ensure your machines use the latest version of Docker Desktop, and enable you to [enforce sign-in](../../security/for-admins/configure-sign-in.md).
> As an IT administrator, you can use endpoint management (MDM) software to identify the number of Docker Desktop instances and their versions within your environment. This can provide accurate license reporting, help ensure your machines use the latest version of Docker Desktop, and enable you to [enforce sign-in](../../security/for-admins/enforce-sign-in/_index.md).
> - [Intune](https://learn.microsoft.com/en-us/mem/intune/apps/app-discovered-apps)
> - [Jamf](https://docs.jamf.com/10.25.0/jamf-pro/administrator-guide/Application_Usage.html)
> - [Kandji](https://support.kandji.io/support/solutions/articles/72000559793-view-a-device-application-list)


@ -183,7 +183,7 @@ msiexec /x "DockerDesktop.msi" /quiet
| :--- | :--- | :--- |
| `ENABLEDESKTOPSHORTCUT` | Creates a desktop shortcut. | 1 |
| `INSTALLFOLDER` | Specifies a custom location where Docker Desktop will be installed. | C:\Program Files\Docker |
| `ADMINSETTINGS` | Automatically creates an `admin-settings.json` file which is used to [control certain Docker Desktop settings](../../hardened-desktop/settings-management/_index.md) on client machines within organizations. It must be used together with the `ALLOWEDORG` property. | None |
| `ADMINSETTINGS` | Automatically creates an `admin-settings.json` file which is used to [control certain Docker Desktop settings](/security/for-admins/hardened-desktop/settings-management/_index.md) on client machines within organizations. It must be used together with the `ALLOWEDORG` property. | None |
| `ALLOWEDORG` | Requires the user to sign in and be part of the specified Docker Hub organization when running the application. This creates a registry key called `allowedOrgs` in `HKLM\Software\Policies\Docker\Docker Desktop`. | None |
| `ALWAYSRUNSERVICE` | Lets users switch to Windows containers without needing admin rights | 0 |
| `DISABLEWINDOWSCONTAINERS` | Disables the Windows containers integration | 0 |


@ -217,7 +217,7 @@ The `install` command accepts the following flags:
- `--allowed-org=<org name>`: Requires the user to sign in and be part of the specified Docker Hub organization when running the application
- `--backend=<backend name>`: Selects the default backend to use for Docker Desktop, `hyper-v`, `windows` or `wsl-2` (default)
- `--installation-dir=<path>`: Changes the default installation location (`C:\Program Files\Docker\Docker`)
- `--admin-settings`: Automatically creates an `admin-settings.json` file which is used by admins to control certain Docker Desktop settings on client machines within their organization. For more information, see [Settings Management](../hardened-desktop/settings-management/index.md).
- `--admin-settings`: Automatically creates an `admin-settings.json` file which is used by admins to control certain Docker Desktop settings on client machines within their organization. For more information, see [Settings Management](/security/for-admins/hardened-desktop/settings-management/index.md).
- It must be used together with the `--allowed-org=<org name>` flag.
- For example:
@ -267,7 +267,7 @@ Docker Desktop does not start automatically after installation. To start Docker
> **Tip**
>
> As an IT administrator, you can use endpoint management (MDM) software to identify the number of Docker Desktop instances and their versions within your environment. This can provide accurate license reporting, help ensure your machines use the latest version of Docker Desktop, and enable you to [enforce sign-in](../../security/for-admins/configure-sign-in.md).
> As an IT administrator, you can use endpoint management (MDM) software to identify the number of Docker Desktop instances and their versions within your environment. This can provide accurate license reporting, help ensure your machines use the latest version of Docker Desktop, and enable you to [enforce sign-in](../../security/for-admins/enforce-sign-in/_index.md).
> - [Intune](https://learn.microsoft.com/en-us/mem/intune/apps/app-discovered-apps)
> - [Jamf](https://docs.jamf.com/10.25.0/jamf-pro/administrator-guide/Application_Usage.html)
> - [Kandji](https://support.kandji.io/support/solutions/articles/72000559793-view-a-device-application-list)


@ -176,7 +176,7 @@ retain their original permissions.
## Enhanced Container Isolation
In addition, Docker Desktop supports [Enhanced Container Isolation
mode](../hardened-desktop/enhanced-container-isolation/_index.md) (ECI),
mode](/security/for-admins/hardened-desktop/enhanced-container-isolation/_index.md) (ECI),
available to Business customers only, which further secures containers without
impacting developer workflows.


@ -133,7 +133,7 @@ For more information, see [microsoft/WSL#11794](https://github.com/microsoft/WSL
- Improved instructions for `watch` in the Compose File Viewer
- Added support for Golang projects that don't have dependencies in Docker Init. Addresses [docker/roadmap#611](https://github.com/docker/roadmap/issues/611)
- [Settings Management](hardened-desktop/settings-management/index.md) now lets admins set the default value to `ProxyEnableKerberosNTLM`.
- [Settings Management](/security/for-admins/hardened-desktop/settings-management/index.md) now lets admins set the default value to `ProxyEnableKerberosNTLM`.
- Removed a temporary compatibility fix for older versions of Visual Studio Code.
- Builds view:
- Changed icon for imported build record to a "files" icon.
@ -196,7 +196,7 @@ For more information, see [microsoft/WSL#11794](https://github.com/microsoft/WSL
### New
- [Air-Gapped Containers](desktop/hardened-desktop/air-gapped-containers.md) is now generally available.
- [Air-Gapped Containers](/security/for-admins/hardened-desktop/air-gapped-containers.md) is now generally available.
- Docker Compose File Viewer shows your Compose YAML with syntax highlighting and contextual links to relevant docs (Beta, progressive rollout).
- New Sidebar user experience.
@ -220,7 +220,7 @@ For more information, see [microsoft/WSL#11794](https://github.com/microsoft/WSL
- Added `proxyEnableKerberosNTLM` config to `settings.json` to enable fallback to basic proxy authentication if Kerberos/NTLM environment is not properly set up.
- Fixed a bug where Docker Debug was not working properly with Enhanced Container Isolation enabled.
- Fixed a bug where UDP responses were not truncated properly.
- Fixed a bug where the **Update** screen was hidden when using [Settings Management](hardened-desktop/settings-management/_index.md).
- Fixed a bug where the **Update** screen was hidden when using [Settings Management](/security/for-admins/hardened-desktop/settings-management/_index.md).
- Fixed a bug where proxy settings defined in `admin-settings.json` were not applied correctly on startup.
- Fixed a bug where the **Manage Synchronized file shares with Compose** toggle did not correctly reflect the value with the feature.
- Fixed a bug where a bind mounted file modified on host is not updated after the container restarts, when gRPC FUSE file sharing is used on macOS and on Windows with Hyper-V. Fixes [docker/for-mac#7274](https://github.com/docker/for-mac/issues/7274), [docker/for-win#14060](https://github.com/docker/for-win/issues/14060).
@ -285,7 +285,7 @@ For more information, see [microsoft/WSL#11794](https://github.com/microsoft/WSL
#### For all platforms
- Docker Desktop now supports [SOCKS5 proxies](networking.md#socks5-proxy-support). Requires a Business subscription.
- Added a new setting to manage the onboarding survey in [Settings Management](hardened-desktop/settings-management/_index.md).
- Added a new setting to manage the onboarding survey in [Settings Management](/security/for-admins/hardened-desktop/settings-management/_index.md).
#### For Windows
@ -364,14 +364,14 @@ This can be resolved by adding the user to the **docker-users** group. Before st
### New
- You can now enforce Rosetta usage via [Settings Management](hardened-desktop/settings-management/configure.md).
- [Docker socket mount restrictions](hardened-desktop/enhanced-container-isolation/config.md) with ECI is now generally available.
- You can now enforce Rosetta usage via [Settings Management](/security/for-admins/hardened-desktop/settings-management/configure.md).
- [Docker socket mount restrictions](/security/for-admins/hardened-desktop/enhanced-container-isolation/config.md) with ECI is now generally available.
- Docker Engine and CLI updated to [Moby 26.0](https://github.com/moby/moby/releases/tag/v26.0.0). This includes Buildkit 0.13, sub volumes mounts, networking updates, and improvements to the containerd multi-platform image store UX.
- New and improved Docker Desktop error screens: swift troubleshooting, easy diagnostics uploads, and actionable remediation.
- Compose supports [Synchronized file shares (experimental)](synchronized-file-sharing.md).
- New [interactive Compose CLI (experimental)](../compose/environment-variables/envvars.md#compose_menu).
- Beta release of:
- Air-Gapped Containers with [Settings Management](hardened-desktop/air-gapped-containers/_index.md).
- Air-Gapped Containers with [Settings Management](/security/for-admins/hardened-desktop/air-gapped-containers/_index.md).
- [Host networking](/engine/network/drivers/host.md#docker-desktop) in Docker Desktop.
- [Docker Debug](use-desktop/container.md#integrated-terminal) for running containers.
- [Volumes Backup & Share extension](use-desktop/volumes.md) functionality available in the **Volumes** tab.
@ -444,7 +444,7 @@ This can be resolved by adding the user to the **docker-users** group. Before st
### New
- [Settings Management](hardened-desktop/settings-management/index.md) now allows admins to set the default file-sharing implementation and specify which paths developer can add file shares to.
- [Settings Management](/security/for-admins/hardened-desktop/settings-management/index.md) now allows admins to set the default file-sharing implementation and specify which paths developer can add file shares to.
- Added support for `socks5://` HTTP and HTTPS proxy URLs when the [`SOCKS` proxy support beta feature](networking.md) is enabled.
- Users can now filter volumes to see which ones are in use in the **Volumes** tab.
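Review bot: the changed line keeps `specify which paths developer can add file shares to`; while touching it, change `developer` to `developers`.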
@ -569,7 +569,7 @@ This can be resolved by adding the user to the **docker-users** group. Before st
- Docker init now supports Java and is generally available to all users.
- [Synchronized File Shares](synchronized-file-sharing.md) provides fast and flexible host-to-VM file sharing within Docker Desktop. Utilizing the technology behind [Dockers acquisition of Mutagen](https://www.docker.com/blog/mutagen-acquisition/), this feature provides an alternative to virtual bind mounts that uses synchronized filesystem caches, improving performance for developers working with large codebases.
- Organization admins can now [configure Docker socket mount permissions](hardened-desktop/enhanced-container-isolation/config.md) when ECI is enabled.
- Organization admins can now [configure Docker socket mount permissions](/security/for-admins/hardened-desktop/enhanced-container-isolation/config.md) when ECI is enabled.
- [Containerd Image Store](containerd.md) support is now generally available to all users.
- Get a debug shell into any container or image with the new [`docker debug` command](../reference/cli/docker/debug.md) (Beta).
- Organization admins, with a Docker Business subscription, can now configure a custom list of extensions with [Private Extensions Marketplace](extensions/private-marketplace.md) enabled (Beta)
@ -674,7 +674,7 @@ This can be resolved by adding the user to the **docker-users** group. Before st
### New
- Administrators can now control access to beta and experimental features in the **Features in development** tab with [Settings Management](hardened-desktop/settings-management/configure.md).
- Administrators can now control access to beta and experimental features in the **Features in development** tab with [Settings Management](/security/for-admins/hardened-desktop/settings-management/configure.md).
- Introduced four new version update states in the footer.
- `docker init` (Beta) now supports PHP with Apache + Composer.
- The [**Builds** view](use-desktop/builds.md) is now GA. You can now inspect builds, troubleshoot errors, and optimize build speed.
@ -790,7 +790,7 @@ This can be resolved by adding the user to the **docker-users** group. Before st
- Rosetta is now Generally Available for all users on macOS 13 or later. It provides faster emulation of Intel-based images on Apple Silicon. To use Rosetta, see [Settings](settings/mac.md). Rosetta is enabled by default on macOS 14.1 and later.
- Docker Desktop now detects if a WSL version is out of date. If an out dated version of WSL is detected, you can allow Docker Desktop to automatically update the installation or you can manually update WSL outside of Docker Desktop.
- New installations of Docker Desktop for Windows now require a Windows version of 19044 or later.
- Administrators now have the ability to control Docker Scout image analysis in [Settings Management](hardened-desktop/settings-management/configure.md).
- Administrators now have the ability to control Docker Scout image analysis in [Settings Management](/security/for-admins/hardened-desktop/settings-management/configure.md).
### Upgrades
@ -1057,7 +1057,7 @@ This can be resolved by adding the user to the **docker-users** group. Before st
#### For all platforms
- [Settings Management](hardened-desktop/settings-management/index.md) now lets you turn off Docker Extensions for your organisation.
- [Settings Management](/security/for-admins/hardened-desktop/settings-management/index.md) now lets you turn off Docker Extensions for your organisation.
- Fixed a bug where turning on Kubernetes from the UI failed when the system was paused.
- Fixed a bug where turning on Wasm from the UI failed when the system was paused.
- Bind mounts are now shown when you [inspect a container](use-desktop/container.md).
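Review bot: `organisation` on the changed line is the only British spelling in this diff; every other line here uses `organization`. Normalize it while the line is being edited.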
@ -1689,7 +1689,7 @@ This can be resolved by adding the user to the **docker-users** group. Before st
### New
- Two new security features have been introduced for Docker Business users, Settings Management and Enhanced Container Isolation. Read more about Docker Desktops new [Hardened Docker Desktop security model](hardened-desktop/index.md).
- Two new security features have been introduced for Docker Business users, Settings Management and Enhanced Container Isolation. Read more about Docker Desktops new [Hardened Docker Desktop security model](/security/for-admins/hardened-desktop/index.md).
- Added the new Dev Environments CLI `docker dev`, so you can create, list, and run Dev Envs via command line. Now it's easier to integrate Dev Envs into custom scripts.
- Docker Desktop can now be installed to any drive and folder using the `--installation-dir`. Partially addresses [docker/roadmap#94](https://github.com/docker/roadmap/issues/94).


@ -42,7 +42,7 @@ If you choose the integrated terminal, you can run commands in a running contain
troubleshoot the application. Clear the check box to opt out. Docker may
periodically prompt you for more information.
- **Use Enhanced Container Isolation**. Select to enhance security by preventing containers from breaching the Linux VM. For more information, see [Enhanced Container Isolation](../hardened-desktop/enhanced-container-isolation/index.md)
- **Use Enhanced Container Isolation**. Select to enhance security by preventing containers from breaching the Linux VM. For more information, see [Enhanced Container Isolation](/security/for-admins/hardened-desktop/enhanced-container-isolation/index.md)
>**Note**
>
> This setting is only available if you are signed in to Docker Desktop and have a Docker Business subscription.
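Review bot: the changed line ends without a period after the `[Enhanced Container Isolation](...)` link, whereas the same bullet in the other settings page touched by this diff ends with `.`; add the period here for consistency.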
@ -166,7 +166,7 @@ To set a different proxy for Docker Desktop, turn on **Manual proxy configuratio
upstream proxy URL of the form `http://proxy:port` or `https://proxy:port`.
To prevent developers from accidentally changing the proxy settings, see
[Settings Management](../hardened-desktop/settings-management/index.md#what-features-can-i-configure-with-settings-management).
[Settings Management](/security/for-admins/hardened-desktop/settings-management/index.md#what-features-can-i-configure-with-settings-management).
The HTTPS proxy settings used for scanning images are set using the `HTTPS_PROXY` environment variable.
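Review bot: the changed link carries the fragment `#what-features-can-i-configure-with-settings-management`; since the target moved to `/security/for-admins/hardened-desktop/settings-management/index.md`, confirm that heading still exists there with the same slug, because a link checker that only resolves paths will not flag a missing fragment.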


@ -64,7 +64,7 @@ If you choose the integrated terminal, you can run commands in a running contain
troubleshoot the application. Clear the checkbox to opt out. Docker may
periodically prompt you for more information.
- **Use Enhanced Container Isolation**. Select to enhance security by preventing containers from breaching the Linux VM. For more information, see [Enhanced Container Isolation](../hardened-desktop/enhanced-container-isolation/index.md).
- **Use Enhanced Container Isolation**. Select to enhance security by preventing containers from breaching the Linux VM. For more information, see [Enhanced Container Isolation](/security/for-admins/hardened-desktop/enhanced-container-isolation/index.md).
>**Note**
>
> This setting is only available if you are signed in to Docker Desktop and have a Docker Business subscription.
@ -214,7 +214,7 @@ To set a different proxy for Docker Desktop, turn on **Manual proxy configuratio
upstream proxy URL of the form `http://proxy:port` or `https://proxy:port`.
To prevent developers from accidentally changing the proxy settings, see
[Settings Management](../hardened-desktop/settings-management/index.md#what-features-can-i-configure-with-settings-management).
[Settings Management](/security/for-admins/hardened-desktop/settings-management/index.md#what-features-can-i-configure-with-settings-management).
The HTTPS proxy settings used for scanning images are set using the `HTTPS_PROXY` environment variable.


@ -52,7 +52,7 @@ If you choose the integrated terminal, you can run commands in a running contain
troubleshoot the application. Clear the check box to opt out. Docker may
periodically prompt you for more information.
- **Use Enhanced Container Isolation**. Select to enhance security by preventing containers from breaching the Linux VM. For more information, see [Enhanced Container Isolation](../hardened-desktop/enhanced-container-isolation/index.md)
- **Use Enhanced Container Isolation**. Select to enhance security by preventing containers from breaching the Linux VM. For more information, see [Enhanced Container Isolation](/security/for-admins/hardened-desktop/enhanced-container-isolation/index.md)
>**Note**
>
> This setting is only available if you are signed in to Docker Desktop and have a Docker Business subscription.
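Review bot: the changed ECI bullet ends without a period after the link, unlike the same bullet in the other settings page in this diff; add `.` after `index.md)`.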
@ -215,12 +215,12 @@ To set a different proxy for Docker Desktop, turn on **Manual proxy configuratio
upstream proxy URL of the form `http://proxy:port` or `https://proxy:port`.
To prevent developers from accidentally changing the proxy settings, see
[Settings Management](../hardened-desktop/settings-management/index.md#what-features-can-i-configure-with-settings-management).
[Settings Management](/security/for-admins/hardened-desktop/settings-management/index.md#what-features-can-i-configure-with-settings-management).
The HTTPS proxy settings used for scanning images are set using the `HTTPS_PROXY` environment variable.
If you are running Windows containers in Docker, you can allow the Windows Docker daemon to use Docker Desktop's internal proxy, with the **Use proxy for Windows Docker daemon** setting.
This is useful when a corporate proxy that requires authentication is manually configured or set at the system level. If you are an admin for your organization and have a Docker Business subscription, you can control this setting with [Settings management](../hardened-desktop/settings-management/configure.md) using the `windowsDockerdPort` parameter.
This is useful when a corporate proxy that requires authentication is manually configured or set at the system level. If you are an admin for your organization and have a Docker Business subscription, you can control this setting with [Settings management](/security/for-admins/hardened-desktop/settings-management/configure.md) using the `windowsDockerdPort` parameter.
> **Note**
>


@ -52,7 +52,7 @@ you access to any files that it doesnt already have access to.
## Enhanced Container Isolation
In addition, Docker Desktop supports [Enhanced Container Isolation
mode](../hardened-desktop/enhanced-container-isolation/_index.md) (ECI),
mode](/security/for-admins/hardened-desktop/enhanced-container-isolation/_index.md) (ECI),
available to Business customers only, which further secures containers without
impacting developer workflows.


@ -49,8 +49,8 @@ GitHub and Bitbucket and push them to Docker Hub.
* Set up [SSO](../security/for-admins/single-sign-on/index.md) and [SCIM](../security/for-admins/provisioning/scim.md)
* Use [Group mapping](group-mapping.md)
* [Carry out domain audits](domain-audit.md)
* [Use Image Access Management](image-access-management.md) to control developers' access to certain types of images
* [Turn on Registry Access Management](../security/for-admins/registry-access-management.md)
* [Use Image Access Management](/security/for-admins/hardened-desktop/image-access-management.md) to control developers' access to certain types of images
* [Turn on Registry Access Management](/security/for-admins/hardened-desktop/registry-access-management.md)
{{< /tab >}}
{{< /tabs >}}
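Review bot: the changed lines move the Image Access Management and Registry Access Management links to absolute paths, but the SSO and SCIM links two lines above stay relative (`../security/for-admins/single-sign-on/index.md`, `../security/for-admins/provisioning/scim.md`). Either convert all four in this list or leave them relative; mixing both forms in one list makes the next move harder to audit.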


@ -102,7 +102,7 @@ Take a look at the [Docker Public Roadmap](https://github.com/docker/roadmap/pro
### New
- [Registry Access Management](registry-access-management.md) is now available for all Docker Business subscriptions. When enabled, your users can access specific registries in Docker Hub.
- [Registry Access Management](/security/for-admins/hardened-desktop/registry-access-management.md) is now available for all Docker Business subscriptions. When enabled, your users can access specific registries in Docker Hub.
## 2022-05-03


@ -16,7 +16,7 @@ Learn how to configure and set up a private marketplace with a curated list of e
It is designed specifically
Docker Extensions' private marketplace is designed specifically for organizations who dont give developers root access to their machines. It makes use of [Settings Management](/desktop/hardened-desktop/settings-management/_index.md) so administrators have complete control over the private marketplace.
Docker Extensions' private marketplace is designed specifically for organizations who dont give developers root access to their machines. It makes use of [Settings Management](/security/for-admins/hardened-desktop/settings-management/_index.md) so administrators have complete control over the private marketplace.
## Prerequisites
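Review bot: the context line `It is designed specifically` immediately above the changed line is an orphaned fragment; the complete sentence follows on the next line. This commit already rewrites that paragraph, so drop the stray line here.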
@ -82,7 +82,7 @@ Each setting has a `value` that you can set, including a `locked` field that let
}
```
To find out more information about the `admin-settings.json` file, see [Settings Management](/desktop/hardened-desktop/settings-management/_index.md).
To find out more information about the `admin-settings.json` file, see [Settings Management](/security/for-admins/hardened-desktop/settings-management/_index.md).
## Step three: List allowed extensions
@ -196,7 +196,7 @@ These files must be placed on developer's machines. Depending on your operating
- Windows: `C:\ProgramData\DockerDesktop`
- Linux: `/usr/share/docker-desktop`
Make sure your developers are signed in to Docker Desktop in order for the private marketplace configuration to take effect. As an administrator, you should [configure a registry.json to enforce Docker Desktop sign-in](/security/for-admins/configure-sign-in.md).
Make sure your developers are signed in to Docker Desktop in order for the private marketplace configuration to take effect. As an administrator, you should [enforce sign-in](/security/for-admins/enforce-sign-in/_index.md).
## Feedback


@ -24,7 +24,7 @@ Docker Extensions is switched on by default. To change your settings:
> - `~/Library/Group Containers/group.com.docker/settings.json` on Mac
> - `C:\Users\[USERNAME]\AppData\Roaming\Docker\settings.json` on Windows
>
> This can also be done with [Hardened Docker Desktop](/desktop/hardened-desktop/index.md)
> This can also be done with [Hardened Docker Desktop](/security/for-admins/hardened-desktop/index.md)
### Turn on or turn off extensions not available in the Marketplace


@ -372,7 +372,7 @@ Discarded in favor of [1.9.1](#191).
instance by Docker Desktop there's no need anymore to re-index it on WSL2
side.
- Indexing is now blocked in the CLI if it has been disabled using
[Settings Management](../../desktop/hardened-desktop/settings-management/configure.md) feature.
[Settings Management](/security/for-admins/hardened-desktop/settings-management/configure.md) feature.
- Fix a panic that would occur when analyzing a single-image `oci-dir` input
- Improve local attestation support with the containerd image store


@ -6,23 +6,23 @@ grid_admins:
- title: Settings Management
description: Learn how Settings Management can secure your developers' workflows.
icon: shield_locked
link: /desktop/hardened-desktop/settings-management/
link: /security/for-admins/hardened-desktop/settings-management/
- title: Enhanced Container Isolation
description: Understand how Enhanced Container Isolation can prevent container attacks.
icon: security
link: /desktop/hardened-desktop/enhanced-container-isolation/
link: /security/for-admins/hardened-desktop/enhanced-container-isolation/
- title: Registry Access Management
description: Control the registries developers can access while using Docker Desktop.
icon: home_storage
link: /security/for-admins/registry-access-management/
link: /security/for-admins/hardened-desktop/registry-access-management/
- title: Image Access Management
description: Control the images developers can pull from Docker Hub.
icon: photo_library
link: /security/for-admins/image-access-management/
link: /security/for-admins/hardened-desktop/image-access-management/
- title: "Air-Gapped Containers"
description: Restrict containers from accessing unwanted network resources.
icon: "vpn_lock"
link: /desktop/hardened-desktop/air-gapped-containers/
link: /security/for-admins/hardened-desktop/air-gapped-containers/
- title: Enforce sign-in
description: Configure sign-in for members of your teams and organizations.
link: /security/for-admins/enforce-sign-in/
@ -47,7 +47,7 @@ grid_admins:
description: Assign roles to individuals giving them different permissions within an organization.
icon: badge
link: /security/for-admins/roles-and-permissions/
- title: Private marketplace for Extensions (Early Access)
- title: Private marketplace for Extensions (Beta)
description: Learn how to configure and set up a private marketplace with a curated list of extensions for your Docker Desktop users.
icon: storefront
link: /desktop/extensions/private-marketplace/
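Review bot: the title change on the last pair of lines, from "Private marketplace for Extensions (Early Access)" to "(Beta)", is a release-status relabel rather than a link move and is not mentioned in the commit message ("link fix", "remove old page"); either call it out in the description or split it into its own commit so the status change is visible in history.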

View File

@ -27,7 +27,7 @@ However note the following:
which containers they run with such privileges to avoid security breaches by
malicious container images.
* If [Enhanced Container Isolation (ECI)](../../desktop/hardened-desktop/enhanced-container-isolation/_index.md)
* If [Enhanced Container Isolation (ECI)](/security/for-admins/hardened-desktop/enhanced-container-isolation/_index.md)
mode is enabled, then each container runs within a dedicated Linux User
Namespace inside the Docker Desktop VM, which means the container has no
privileges within the Docker Desktop VM. Even when using the `--privileged`

View File

@ -81,4 +81,4 @@ Extensions are not covered as part of Dockers Third-Party Risk Management Pro
### Can I disable private repos in my organization via a setting to make sure nobody is pushing images into Docker Hub?
No. With [Registry Access Management](../../security/for-admins/registry-access-management.md) (RAM), administrators can ensure that their developers using Docker Desktop only access allowed registries. This is done through the Registry Access Management dashboard on Docker Hub.
No. With [Registry Access Management](/security/for-admins/hardened-desktop/registry-access-management.md) (RAM), administrators can ensure that their developers using Docker Desktop only access allowed registries. This is done through the Registry Access Management dashboard on Docker Hub.

View File

@ -1,231 +0,0 @@
---
description: Configure registry.json to enforce users to sign into Docker Desktop
toc_max: 2
keywords: authentication, registry.json, configure, enforce sign-in
title: Enforce sign-in for Desktop
aliases:
- /docker-hub/configure-sign-in/
---
By default, members of your organization can use Docker Desktop without signing
in. When users dont sign in as a member of your organization, they dont
receive the [benefits of your organizations
subscription](../../subscription/core-subscription/details.md) and they can circumvent [Dockers
security features](../../desktop/hardened-desktop/_index.md) for your organization.
To ensure members of your organization always sign in, you can deploy a
`registry.json` configuration file to the machines of your users.
## How is sign-in enforced?
When Docker Desktop starts and it detects a `registry.json` file, the
following occurs:
- The following **Sign in required!** prompt appears requiring the user to sign
in as a member of your organization to use Docker Desktop. ![Enforce Sign-in
Prompt](../images/enforce-sign-in.png?w=400)
- When a user signs in to an account that isnt a member of your organization,
they will be automatically signed out and cant use Docker Desktop. The user
can select **Sign in** and try again.
- When a user signs in to an account that is a member of your organization, they
can use Docker Desktop.
- When a user signs out, the **Sign in required!** prompt appears and they can
no longer use Docker Desktop.
> **Enforce sign-in vs enforce SSO**
>
> Enforcing sign-in ensures that users are required to sign in to use Docker Desktop.
> If your organization is also using single sign-on (SSO), you can optionally enforce SSO.
> This means that your users must use SSO to sign in, instead of a username and password.
> When you enforce sign-in and enforce SSO, your users must sign in and must use SSO to do so.
> See [Enforce SSO](/security/for-admins/single-sign-on/connect#optional-enforce-sso) for details on how to enable this for your SSO connection.
{ .tip }
## Create a registry.json file to enforce sign-in
1. Ensure that the user is a member of your organization in Docker. For more
details, see [Manage members](/admin/organization/members/).
2. Create the `registry.json` file.
Based on the user's operating system, create a file named `registry.json` at the following location and make sure the file can't be edited by the user.
| Platform | Location |
| --- | --- |
| Windows | /ProgramData/DockerDesktop/registry.json |
| Mac | /Library/Application Support/com.docker.docker/registry.json |
| Linux | /usr/share/docker-desktop/registry/registry.json |
3. Specify your organization in the `registry.json` file.
Open the `registry.json` file in a text editor and add the following contents, where `myorg` is replaced with your organizations name. The file contents are case-sensitive and you must use lowercase letters for your organization's name.
```json
{
"allowedOrgs": ["myorg"]
}
```
4. Verify that sign-in is enforced.
To activate the `registry.json` file, restart Docker Desktop on the users machine. When Docker Desktop starts, verify that the **Sign in
required!** prompt appears.
In some cases, a system reboot may be necessary for the enforcement to take effect.
> **Tip**
>
> If your users have issues starting Docker Desktop after you enforce sign-in, they may need to update to the latest version.
{ .tip }
## Alternative methods to create a registry.json file
You can also use the following alternative methods to create a `registry.json` file.
### Create a registry.json file when installing Docker Desktop
To create a `registry.json` file when installing Docker Desktop, use the following instructions based on your user's operating system.
{{< tabs >}}
{{< tab name="Windows" >}}
To automatically create a `registry.json` file when installing Docker Desktop,
download `Docker Desktop Installer.exe` and run one of the following commands
from the directory containing `Docker Desktop Installer.exe`. Replace `myorg`
with your organization's name. You must use lowercase letters for your
organization's name.
If you're using PowerShell:
```powershell
PS> Start-Process '.\Docker Desktop Installer.exe' -Wait 'install --allowed-org=myorg'
```
If you're using the Windows Command Prompt:
```console
C:\Users\Admin> "Docker Desktop Installer.exe" install --allowed-org=myorg
```
{{< /tab >}}
{{< tab name="Mac" >}}
To automatically create a `registry.json` file when installing Docker Desktop,
download `Docker.dmg` and run the following commands in a terminal from the
directory containing `Docker.dmg`. Replace `myorg` with your organization's name. You must use lowercase letters for your organization's name.
```console
$ sudo hdiutil attach Docker.dmg
$ sudo /Volumes/Docker/Docker.app/Contents/MacOS/install --allowed-org=myorg
$ sudo hdiutil detach /Volumes/Docker
```
{{< /tab >}}
{{< /tabs >}}
### Create a registry.json file using the command line
To create a `registry.json` using the command line, use the following instructions based on your user's operating system.
{{< tabs >}}
{{< tab name="Windows" >}}
To use the CLI to create a `registry.json` file, run the following PowerShell
command as an Admin and replace `myorg` with your organization's name. The file
contents are case-sensitive and you must use lowercase letters for your
organization's name.
```powershell
PS> Set-Content /ProgramData/DockerDesktop/registry.json '{"allowedOrgs":["myorg"]}'
```
This creates the `registry.json` file at
`C:\ProgramData\DockerDesktop\registry.json` and includes the organization
information the user belongs to. Make sure that the user can't edit this file, but only the administrator can:
```console
PS C:\ProgramData\DockerDesktop> Get-Acl .\registry.json
Directory: C:\ProgramData\DockerDesktop
Path Owner Access
---- ----- ------
registry.json BUILTIN\Administrators NT AUTHORITY\SYSTEM Allow FullControl...
```
{{< /tab >}}
{{< tab name="Mac" >}}
To use the CLI to create a `registry.json` file, run the following commands in a
terminal and replace `myorg` with your organization's name. The file contents
are case-sensitive and you must use lowercase letters for your organization's
name.
```console
$ sudo mkdir -p "/Library/Application Support/com.docker.docker"
$ echo '{"allowedOrgs":["myorg"]}' | sudo tee "/Library/Application Support/com.docker.docker/registry.json"
```
This creates (or updates, if the file already exists) the `registry.json` file
at `/Library/Application Support/com.docker.docker/registry.json` and includes
the organization information the user belongs to. Make sure that the file has the
expected content, and that the user can't edit this file, but only the administrator can.
Verify that the content of the file contains the correct information:
```console
$ sudo cat "/Library/Application Support/com.docker.docker/registry.json"
{"allowedOrgs":["myorg"]}
```
Verify that the file has the expected permissions (`-rw-r--r--`) and ownership
(`root` and `admin`):
```console
$ sudo ls -l "/Library/Application Support/com.docker.docker/registry.json"
-rw-r--r-- 1 root admin 26 Jul 27 22:01 /Library/Application Support/com.docker.docker/registry.json
```
{{< /tab >}}
{{< tab name="Linux" >}}
To use the CLI to create a `registry.json` file, run the following commands in a
terminal and replace `myorg` with your organization's name. The file contents
are case-sensitive and you must use lowercase letters for your organization's
name.
```console
$ sudo mkdir -p /usr/share/docker-desktop/registry
$ echo '{"allowedOrgs":["myorg"]}' | sudo tee /usr/share/docker-desktop/registry/registry.json
```
This creates (or updates, if the file already exists) the `registry.json` file
at `/usr/share/docker-desktop/registry/registry.json` and includes the
organization information to which the user belongs. Make sure the file has the
expected content and that the user can't edit this file, only the root can.
Verify that the content of the file contains the correct information:
```console
$ sudo cat /usr/share/docker-desktop/registry/registry.json
{"allowedOrgs":["myorg"]}
```
Verify that the file has the expected permissions (`-rw-r--r--`) and ownership
(`root`):
```console
$ sudo ls -l /usr/share/docker-desktop/registry/registry.json
-rw-r--r-- 1 root root 26 Jul 27 22:01 /usr/share/docker-desktop/registry/registry.json
```
{{< /tab >}}
{{< /tabs >}}
## Deploy registry.json to multiple devices
The previous instructions explain how to create and deploy a `registry.json` file to a single device. To automatically deploy the `registry.json` to multiple devices, you must use a third-party solution, such as a mobile device management solution. You can use the previous instructions along with your third-party solution to remotely deploy the `registry.json` file, or remotely install Docker Desktop with the `registry.json` file. For more details, see the documentation of your third-party solution.
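Review bot: deleting this page drops its front-matter alias `/docker-hub/configure-sign-in/` together with the page's own URL, and the hunk for `enforce-sign-in/_index.md` in this commit starts at line 11 so its front matter is not visible; please confirm both URLs are carried over as aliases on the replacement page, otherwise external bookmarks and any stale links to `configure-sign-in` will 404. This page is also the only place in the commit that documents verifying the ownership and permissions of `registry.json` (`Get-Acl`, `ls -l` showing `root` ownership and `-rw-r--r--`), which is the control that stops a user from editing the file out of enforcement; check that the replacement methods page keeps those verification steps.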

View File

@ -21,7 +21,7 @@ Although domain audit can't identify all Docker users in your environment, you c
> **Tip**
>
> You can use endpoint management (MDM) software to identify the number of Docker Desktop instances and their versions within your environment. This can provide accurate license reporting, help ensure your machines use the latest version of Docker Desktop, and enable you to [enforce sign-in](configure-sign-in.md).
> You can use endpoint management (MDM) software to identify the number of Docker Desktop instances and their versions within your environment. This can provide accurate license reporting, help ensure your machines use the latest version of Docker Desktop, and enable you to [enforce sign-in](enforce-sign-in/_index.md).
> - [Intune](https://learn.microsoft.com/en-us/mem/intune/apps/app-discovered-apps)
> - [Jamf](https://docs.jamf.com/10.25.0/jamf-pro/administrator-guide/Application_Usage.html)
> - [Kandji](https://support.kandji.io/support/solutions/articles/72000559793-view-a-device-application-list)

View File

@ -11,7 +11,7 @@ By default, members of your organization can use Docker Desktop without signing
in. When users dont sign in as a member of your organization, they dont
receive the [benefits of your organizations
subscription](../../../subscription/core-subscription/details.md) and they can circumvent [Dockers
security features](../../../desktop/hardened-desktop/_index.md) for your organization.
security features](/security/for-admins/hardened-desktop/_index.md) for your organization.
There are multiple ways you can enforce sign-in, depending on your companies' set up and preferences:
- [Registry key method (Windows only)](methods.md#registry-key-method-windows-only){{< badge color=violet text="Early Access" >}}
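Review bot: the unchanged context line "depending on your companies' set up and preferences" should read "company's setup and preferences"; since this paragraph is already being edited in this hunk, it is worth fixing here.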

View File

@ -4,27 +4,29 @@ description: Overview of what Hardened Docker Desktop is and its key features
keywords: security, hardened desktop, enhanced container isolation, registry access
management, settings management root access, admins, docker desktop, image access
management
aliases:
- /desktop/hardened-desktop/
grid:
- title: "Settings Management"
description: Learn how Settings Management can secure your developers' workflows.
icon: shield_locked
link: /desktop/hardened-desktop/settings-management/
link: /security/for-admins/hardened-desktop/settings-management/
- title: "Enhanced Container Isolation"
description: Understand how Enhanced Container Isolation can prevent container attacks.
icon: "security"
link: /desktop/hardened-desktop/enhanced-container-isolation/
link: /security/for-admins/hardened-desktop/enhanced-container-isolation/
- title: "Registry Access Management"
description: Control the registries developers can access while using Docker Desktop.
icon: "home_storage"
link: /security/for-admins/registry-access-management/
link: /security/for-admins/hardened-desktop/registry-access-management/
- title: "Image Access Management"
description: Control the images developers can pull from Docker Hub.
icon: "photo_library"
link: /security/for-admins/image-access-management/
link: /security/for-admins/hardened-desktop/image-access-management/
- title: "Air-Gapped Containers"
description: Restrict containers from accessing unwanted network resources.
icon: "vpn_lock"
link: /desktop/hardened-desktop/air-gapped-containers/
link: /security/for-admins/hardened-desktop/air-gapped-containers/
---
> **Note**

View File

@ -3,10 +3,11 @@ title: Air-gapped containers
description: Air-gapped containers - What it is, benefits, and how to configure it.
keywords: air gapped, security, Docker Desktop, configuration, proxy, network
aliases:
- /desktop/hardened-desktop/settings-management/air-gapped-containers/
- /desktop/hardened-desktop/settings-management/air-gapped-containers/
- /desktop/hardened-desktop/air-gapped-containers/
---
{{< introduced desktop 4.29.0 "../release-notes.md#4290" >}}
{{< introduced desktop 4.29.0 "/desktop/release-notes.md#4290" >}}
Air-Gapped Containers allows administrators to restrict containers from accessing network resources, limiting where data can be uploaded to or downloaded from.
@ -23,7 +24,7 @@ You can choose:
## Configuration
Assuming [enforced sign-in](../../../security/for-admins/enforce-sign-in/_index.md) and [Settings Management](settings-management/_index.md) are enabled, add the new proxy configuration to the `admin-settings.json` file. For example:
Assuming [enforced sign-in](/security/for-admins/enforce-sign-in/_index.md) and [Settings Management](settings-management/_index.md) are enabled, add the new proxy configuration to the `admin-settings.json` file. For example:
```json
{
@ -84,4 +85,4 @@ The `FindProxyForURL` can return the following values:
In this particular example, HTTP and HTTPS requests for `internal.corp` are sent via the HTTP proxy `10.0.0.1:3128`. Requests to connect to IPs on the subnet `192.168.0.0/24` connect directly. All other requests are blocked.
To restrict traffic connecting to ports on the developers local machine, [match the special hostname `host.docker.internal`](../networking.md#i-want-to-connect-from-a-container-to-a-service-on-the-host).
To restrict traffic connecting to ports on the developers local machine, [match the special hostname `host.docker.internal`](/desktop/networking.md#i-want-to-connect-from-a-container-to-a-service-on-the-host).

View File

@ -3,6 +3,8 @@ description: Enhanced Container Isolation - benefits, why use it, how it differs
Docker rootless, who it is for
keywords: containers, rootless, security, sysbox, runtime
title: What is Enhanced Container Isolation?
aliases:
- /desktop/hardened-desktop/enhanced-container-isolation/
---
> **Note**
@ -11,7 +13,7 @@ title: What is Enhanced Container Isolation?
Enhanced Container Isolation provides an additional layer of security to prevent malicious workloads running in containers from compromising Docker Desktop or the host.
It uses a variety of advanced techniques to harden container isolation, but without impacting developer productivity. It is available with [Docker Desktop 4.13.0 and later](../../release-notes.md).
It uses a variety of advanced techniques to harden container isolation, but without impacting developer productivity. It is available with [Docker Desktop 4.13.0 and later](/desktop/release-notes.md).
These techniques include:
- Running all containers unprivileged through the Linux user-namespace, even those launched with the `--privileged` flag. This makes it harder for malicious container workloads to escape the container and infect the Docker Desktop VM and host.
@ -21,7 +23,7 @@ These techniques include:
When Enhanced Container Isolation is enabled, these mechanisms are applied automatically and with minimal functional or performance impact to developers. Developers continue to use Docker Desktop as usual, but the containers they launch are more strongly isolated.
Enhanced Container Isolation ensures stronger container isolation and also locks in any security configurations that have been created by IT admins, for instance through [Registry Access Management policies](../../../security/for-admins/registry-access-management.md) or with [Settings Management](../settings-management/index.md).
Enhanced Container Isolation ensures stronger container isolation and also locks in any security configurations that have been created by IT admins, for instance through [Registry Access Management policies](/security/for-admins/hardened-desktop/registry-access-management.md) or with [Settings Management](../settings-management/index.md).
> **Note**
>
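Review bot: on the changed line the Settings Management link is left as the relative `../settings-management/index.md` while the Registry Access Management link beside it was converted to an absolute `/security/for-admins/hardened-desktop/...` path; for consistency with the rest of this commit, and because the other hunks here reference section indexes as `_index.md`, consider `/security/for-admins/hardened-desktop/settings-management/_index.md`.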
@ -95,7 +97,7 @@ To enable Enhanced Container Isolation as a developer:
##### Prerequisite
To enable Enhanced Container Isolation as an admin, you first need to [enforce
sign-in](../../../security/for-admins/enforce-sign-in/_index.md). This is
sign-in](/security/for-admins/enforce-sign-in/_index.md). This is
because the Enhanced Container Isolation feature requires a Docker Business
subscription and therefore your Docker Desktop users must authenticate to your
organization for this configuration to take effect.

View File

@ -2,6 +2,8 @@
description: Advanced Configuration for Enhanced Container Isolation
title: Advanced configuration options
keywords: enhanced container isolation, Docker Desktop, Docker socket, bind mount, configuration
aliases:
- /desktop/hardened-desktop/enhanced-container-isolation/config/
---
> **Note**

View File

@ -3,6 +3,8 @@ title: Enhanced Container Isolation (ECI) FAQs
description: Frequently asked questions for Enhanced Container Isolation
keywords: enhanced container isolation, security, faq, sysbox, Docker Desktop
toc_max: 2
aliases:
- /desktop/hardened-desktop/enhanced-container-isolation/faq/
---
### Do I need to change the way I use Docker when ECI is switched on?
@ -71,12 +73,12 @@ with Docker Desktop 4.30, it protects such containers, except for Docker Desktop
on WSL 2 (Windows hosts).
Note that ECI always protects containers used by `docker build`, when using the
[docker-container build driver](../../../build/drivers/_index.md), since Docker
[docker-container build driver](/build/drivers/_index.md), since Docker
Desktop 4.19 and on all supported platforms (Windows with WSL 2 or Hyper-V, Mac,
and Linux).
ECI does not yet protect Docker Desktop Kubernetes pods, Extension containers,
and [Dev Environments containers](../../../desktop/dev-environments/_index.md).
and [Dev Environments containers](/desktop/dev-environments/_index.md).
### Does ECI protect containers launched prior to enabling ECI?

View File

@ -2,6 +2,8 @@
description: The benefits of enhanced container isolation
title: Key features and benefits
keywords: set up, enhanced container isolation, rootless, security, features, Docker Desktop
aliases:
- /desktop/hardened-desktop/enhanced-container-isolation/features-benefits/
---
### Linux User Namespace on all containers

View File

@ -2,6 +2,8 @@
description: How Enhanced Container Isolation works
title: How does it work?
keywords: set up, enhanced container isolation, rootless, security
aliases:
- /desktop/hardened-desktop/enhanced-container-isolation/how-eci-works/
---
Docker implements Enhanced Container Isolation by using the [Sysbox

View File

@ -3,14 +3,15 @@ description: Image Access Management
keywords: image, access, management, trusted content, permissions, Docker Business feature
title: Image Access Management
aliases:
- /docker-hub/image-access-management/
- /desktop/hardened-desktop/image-access-management/
- /admin/organization/image-access/
- /docker-hub/image-access-management/
- /desktop/hardened-desktop/image-access-management/
- /admin/organization/image-access/
- /security/for-admins/image-access-management/
---
> **Note**
>
> Image Access Management is available to [Docker Business](../../subscription/core-subscription/details.md#docker-business) customers only.
> Image Access Management is available to [Docker Business](/subscription/core-subscription/details.md#docker-business) customers only.
Image Access Management gives administrators control over which types of images, such as Docker Official Images, Docker Verified Publisher Images, or community images, their developers can pull from Docker Hub.
@ -18,7 +19,7 @@ For example, a developer, who is part of an organization, building a new contain
## Prerequisites
You need to [enforce sign-in](enforce-sign-in/_index.md). For Image Access
You need to [enforce sign-in](../enforce-sign-in/_index.md). For Image Access
Management to take effect, Docker Desktop users must authenticate to your
organization. Enforcing sign-in ensures that your Docker Desktop developers
always authenticate to your organization, even though they can authenticate

View File

@ -3,14 +3,15 @@ description: Registry Access Management
keywords: registry, access, management, permissions, Docker Business feature
title: Registry Access Management
aliases:
- /desktop/hardened-desktop/registry-access-management/
- /admin/organization/registry-access/
- /docker-hub/registry-access-management/
- /desktop/hardened-desktop/registry-access-management/
- /admin/organization/registry-access/
- /docker-hub/registry-access-management/
- /security/for-admins/registry-access-management/
---
> **Note**
>
> Registry Access Management is available to [Docker Business](../../subscription/core-subscription/details.md) customers only.
> Registry Access Management is available to [Docker Business](/subscription/core-subscription/details.md) customers only.
With Registry Access Management (RAM), administrators can ensure that their developers using Docker Desktop only access allowed registries. This is done through the Registry Access Management dashboard in Docker Hub or the Docker Admin Console.
@ -28,7 +29,7 @@ Example registries administrators can allow include:
## Prerequisites
You need to [enforce sign-in](enforce-sign-in/_index.md). For Registry Access
You need to [enforce sign-in](../enforce-sign-in/_index.md). For Registry Access
Management to take effect, Docker Desktop users must authenticate to your
organization. Enforcing sign-in ensures that your Docker Desktop developers
always authenticate to your organization, even though they can authenticate
@ -60,7 +61,7 @@ The new Registry Access Management policy takes effect after the developer succe
There are certain limitations when using Registry Access Management:
- Windows image pulls and image builds are not restricted by default. For Registry Access Management to take effect on Windows Container mode, you must allow the Windows Docker daemon to use Docker Desktop's internal proxy by selecting the [Use proxy for Windows Docker daemon](../../desktop/settings/windows.md/#proxies) setting.
- Windows image pulls and image builds are not restricted by default. For Registry Access Management to take effect on Windows Container mode, you must allow the Windows Docker daemon to use Docker Desktop's internal proxy by selecting the [Use proxy for Windows Docker daemon](/desktop/settings/windows.md#proxies) setting.
- Builds such as `docker buildx` using a Kubernetes driver are not restricted
- Builds such as `docker buildx` using a custom docker-container driver are not restricted
- Blocking is DNS-based; you must use a registry's access control mechanisms to distinguish between “push” and “pull”

View File

@ -3,6 +3,8 @@ description: Understand how Settings Management works, who it is for, and what t
benefits are
keywords: Settings Management, rootless, docker desktop, hardened desktop
title: What is Settings Management?
aliases:
- /desktop/hardened-desktop/settings-management/
---
>**Note**
@ -13,7 +15,7 @@ Settings Management is a feature that helps admins to control certain Docker Des
With a few lines of JSON, admins can configure controls for Docker Desktop settings such as proxies and network settings. For an extra layer of security, admins can also use Settings Management to enable and lock in [Enhanced Container Isolation](../enhanced-container-isolation/index.md) which ensures that any configurations set with Settings Management cannot be modified by containers.
It is available with [Docker Desktop 4.13.0 and later](../../release-notes.md).
It is available with [Docker Desktop 4.13.0 and later](/desktop/release-notes.md).
### Who is it for?
@ -25,7 +27,7 @@ It is available with [Docker Desktop 4.13.0 and later](../../release-notes.md).
Administrators can configure several Docker Desktop settings using an `admin-settings.json` file. This file is located on the Docker Desktop host and can only be accessed by developers with root or admin privileges.
Values that are set to `locked: true` within the `admin-settings.json` override any previous values set by developers and ensure that these cannot be modified. For more information, see [Configure Settings Management](../settings-management/configure.md#step-two-configure-the-settings-you-want-to-lock-in).
Values that are set to `locked: true` within the `admin-settings.json` override any previous values set by developers and ensure that these cannot be modified. For more information, see [Configure Settings Management](configure.md#step-two-configure-the-settings-you-want-to-lock-in).
### What features can I configure with Settings Management?
@ -52,7 +54,7 @@ For more details on the syntax and options admins can set, see [Configure Settin
### How do I set up and enforce Settings Management?
As an administrator, you first need to [enforce
sign-in](../../../security/for-admins/enforce-sign-in/_index.md). This is
sign-in](/security/for-admins/enforce-sign-in/_index.md). This is
because the Settings Management feature requires a Docker Business subscription
and therefore your Docker Desktop developers must authenticate to your
organization. Enforcing sign-in ensures that your Docker Desktop developers
@ -61,7 +63,7 @@ without it and the feature will take effect. Enforcing sign-in guarantees the
feature always takes effect.
Next, you must either manually [create and configure the admin-settings.json file](configure.md), or use the `--admin-settings` installer flag on [macOS](../../install/mac-install.md#install-from-the-command-line) or [Windows](../../install/windows-install.md#install-from-the-command-line) to automatically create the `admin-settings.json` and save it in the correct location.
Next, you must either manually [create and configure the admin-settings.json file](configure.md), or use the `--admin-settings` installer flag on [macOS](/desktop/install/mac-install.md#install-from-the-command-line) or [Windows](/desktop/install/windows-install.md#install-from-the-command-line) to automatically create the `admin-settings.json` and save it in the correct location.
Once this is done, Docker Desktop developers receive the changed settings when they either:
- Quit, re-launch, and sign in to Docker Desktop

View File

@ -2,6 +2,8 @@
description: How to configure Settings Management for Docker Desktop
keywords: admin, controls, rootless, enhanced container isolation
title: Configure Settings Management
aliases:
- /desktop/hardened-desktop/settings-management/configure/
---
>**Note**
@ -14,9 +16,9 @@ Settings Management is designed specifically for organizations who dont give
### Prerequisites
- [Download and install Docker Desktop 4.13.0 or later](../../release-notes.md).
- [Download and install Docker Desktop 4.13.0 or later](/desktop/release-notes.md).
- As an administrator, you need to [enforce
sign-in](../../../security/for-admins/enforce-sign-in/_index.md). This is
sign-in](/security/for-admins/enforce-sign-in/_index.md). This is
because this feature requires a Docker Business subscription and therefore
your Docker Desktop users must authenticate to your organization for this
configuration to take effect. Enforcing sign-in ensures that your Docker
@ -27,7 +29,7 @@ Settings Management is designed specifically for organizations who dont give
### Step one: Create the `admin-settings.json` file and save it in the correct location
You can either use the `--admin-settings` installer flag on [macOS](../../install/mac-install.md#install-from-the-command-line) or [Windows](../../install/windows-install.md#install-from-the-command-line) to automatically create the `admin-settings.json` and save it in the correct location, or set it up manually.
You can either use the `--admin-settings` installer flag on [macOS](/desktop/install/mac-install.md#install-from-the-command-line) or [Windows](/desktop/install/windows-install.md#install-from-the-command-line) to automatically create the `admin-settings.json` and save it in the correct location, or set it up manually.
To set it up manually:
1. Create a new, empty JSON file and name it `admin-settings.json`.

View File

@ -47,9 +47,9 @@ If you are unable to update to an unaffected version promptly, follow these best
* Only use trusted Docker images (such as [Docker Official Images](../trusted-content/official-images/_index.md)).
* Dont build Docker images from untrusted sources or untrusted Dockerfiles.
* If you are a Docker Business customer using Docker Desktop and unable to update to v4.27.1, make sure to enable [Hardened Docker Desktop](../desktop/hardened-desktop/_index.md) features such as:
* [Enhanced Container Isolation](../desktop/hardened-desktop/enhanced-container-isolation/_index.md), which mitigates the impact of CVE-2024-21626 in the case of running containers from malicious images.
* [Image Access Management](./for-admins/image-access-management.md), and [Registry Access Management](./for-admins/registry-access-management.md), which give organizations control over which images and repositories their users can access.
* If you are a Docker Business customer using Docker Desktop and unable to update to v4.27.1, make sure to enable [Hardened Docker Desktop](/security/for-admins/hardened-desktop/_index.md) features such as:
* [Enhanced Container Isolation](/security/for-admins/hardened-desktop/enhanced-container-isolation/_index.md), which mitigates the impact of CVE-2024-21626 in the case of running containers from malicious images.
* [Image Access Management](for-admins/hardened-desktop/image-access-management.md), and [Registry Access Management](/security/for-admins/hardened-desktop/registry-access-management.md), which give organizations control over which images and repositories their users can access.
* For CVE-2024-23650, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653, avoid using BuildKit frontend from an untrusted source. A frontend image is usually specified as the #syntax line on your Dockerfile, or with `--frontend` flag when using the `buildctl build` command.
* To mitigate CVE-2024-24557, make sure to either use BuildKit or disable caching when building images. From the CLI this can be done via the `DOCKER_BUILDKIT=1` environment variable (default for Moby >= v23.0 if the buildx plugin is installed) or the `--no-cache flag`. If you are using the HTTP API directly or through a client, the same can be done by setting `nocache` to `true` or `version` to `2` for the [/build API endpoint](https://docs.docker.com/engine/api/v1.44/#tag/Image/operation/ImageBuild).
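Review bot: the Image Access Management link in the rewritten bullet is the only one in this hunk still written as a relative path (`for-admins/hardened-desktop/image-access-management.md`), while the Hardened Docker Desktop, Enhanced Container Isolation and Registry Access Management links beside it were switched to root-relative `/security/...` paths; change it to `/security/for-admins/hardened-desktop/image-access-management.md` so it resolves regardless of where the page is rendered and matches the rest of the commit.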

View File

@ -66,9 +66,9 @@ For a list of features available in each tier, see [Docker Pricing](https://www.
Docker Business includes:
- Everything included in Docker Team
- [Hardened Docker Desktop](../../desktop/hardened-desktop/index.md)
- [Image Access Management](../../security/for-admins/image-access-management.md) which lets admins control what content developers can access
- [Registry Access Management](../../security/for-admins/registry-access-management.md) which lets admins control what registries developers can access
- [Hardened Docker Desktop](/security/for-admins/hardened-desktop/index.md)
- [Image Access Management](/security/for-admins/hardened-desktop/image-access-management.md) which lets admins control what content developers can access
- [Registry Access Management](/security/for-admins/hardened-desktop/registry-access-management.md) which lets admins control what registries developers can access
- [Company layer](../../admin/company/_index.md) to manage multiple organizations and settings
- [Single Sign-On](../../security/for-admins/single-sign-on/index.md)
- [System for Cross-domain Identity Management](../../security/for-admins/provisioning/scim.md) and more.
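Review bot: the Hardened Docker Desktop bullet links to `/security/for-admins/hardened-desktop/index.md`, but the same section page is linked as `_index.md` in the security-announcements hunk of this commit; in Hugo `index.md` (leaf bundle) and `_index.md` (branch/section page) are different files, so confirm which one actually exists at the new location and use that name in both places.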

View File

@ -1227,32 +1227,6 @@ Manuals:
title: Resource Saver mode
- path: /desktop/use-desktop/pause/
title: Pause Docker Desktop
- sectiontitle: Hardened Docker Desktop
section:
- path: /desktop/hardened-desktop/
title: Overview
- sectiontitle: Settings Management
section:
- path: /desktop/hardened-desktop/settings-management/
title: What is Settings Management?
- path: /desktop/hardened-desktop/settings-management/configure/
title: Configure Settings Management
- sectiontitle: Enhanced Container Isolation
section:
- path: /desktop/hardened-desktop/enhanced-container-isolation/
title: What is Enhanced Container Isolation?
- path: /desktop/hardened-desktop/enhanced-container-isolation/how-eci-works/
title: How does it work?
- path: /desktop/hardened-desktop/enhanced-container-isolation/features-benefits/
title: Key features and benefits
- path: /desktop/hardened-desktop/enhanced-container-isolation/config/
title: Advanced configuration options
- path: /desktop/hardened-desktop/enhanced-container-isolation/limitations/
title: Limitations
- path: /desktop/hardened-desktop/enhanced-container-isolation/faq/
title: FAQ
- path: /desktop/hardened-desktop/air-gapped-containers/
title: Air-Gapped Containers
- sectiontitle: Dev Environments (Beta)
section:
- path: /desktop/dev-environments/
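Review bot: this hunk removes the entire `/desktop/hardened-desktop/` subtree from the Desktop manual's navigation, and nothing in the diff shows redirects for those URLs; since these pages were linked from other docs and are likely bookmarked, confirm that the relocated pages carry `aliases:` entries in their front matter for the old `/desktop/hardened-desktop/...` paths (the redirect mechanism this docs site uses) so existing links keep resolving instead of returning 404.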
@ -2323,10 +2297,37 @@ Manuals:
title: Roles and permissions
- path: /security/for-admins/domain-audit/
title: Domain audit
- path: /security/for-admins/image-access-management/
title: Image Access Management
- path: /security/for-admins/registry-access-management/
title: Registry Access Management
- sectiontitle: Hardened Docker Desktop
section:
- path: /security/for-admins/hardened-desktop/
title: Overview
- sectiontitle: Settings Management
section:
- path: /security/for-admins/hardened-desktop/settings-management/
title: What is Settings Management?
- path: /security/for-admins/hardened-desktop/settings-management/configure/
title: Configure Settings Management
- sectiontitle: Enhanced Container Isolation
section:
- path: /security/for-admins/hardened-desktop/enhanced-container-isolation/
title: What is Enhanced Container Isolation?
- path: /security/for-admins/hardened-desktop/enhanced-container-isolation/how-eci-works/
title: How does it work?
- path: /security/for-admins/hardened-desktop/enhanced-container-isolation/features-benefits/
title: Key features and benefits
- path: /security/for-admins/hardened-desktop/enhanced-container-isolation/config/
title: Advanced configuration options
- path: /security/for-admins/hardened-desktop/enhanced-container-isolation/limitations/
title: Limitations
- path: /security/for-admins/hardened-desktop/enhanced-container-isolation/faq/
title: FAQ
- path: /security/for-admins/hardened-desktop/air-gapped-containers/
title: Air-Gapped Containers
- path: /security/for-admins/hardened-desktop/image-access-management/
title: Image Access Management
- path: /security/for-admins/hardened-desktop/registry-access-management/
title: Registry Access Management
- sectiontitle: For developers
section:
- path: /security/for-developers/access-tokens/
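Review bot: `/security/for-admins/image-access-management/` and `/security/for-admins/registry-access-management/` are dropped from the nav and re-added under the new `hardened-desktop/` segment at the bottom of the section; the same question about `aliases:` for the old URLs applies to these two pages, and since the page body in the security-announcements hunk still describes them as organization-level access controls rather than Desktop hardening features, a short pointer on the Overview page would help readers who look for them in their former place.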