Improve air-gapped containers visibility in docs (#19990)

* Improve visibility of air-gapped containers feature.

The air-gapped container feature is currently under the settings-management
section. This hides it from users.  Instead, move it up one level by creating a
dedicated sub-section for it under the Hardened Desktop section.

Signed-off-by: Cesar Talledo <cesar.talledo@docker.com>

* nit: remove quotes from links in hardened desktop section.

Signed-off-by: Cesar Talledo <cesar.talledo@docker.com>

* Add air-gapped containers to security section grid.

Signed-off-by: Cesar Talledo <cesar.talledo@docker.com>

* Fix broken link from release notes to air-gapped containers.

Signed-off-by: Cesar Talledo <cesar.talledo@docker.com>

* A few improvements in the air-gapped containers docs.

Signed-off-by: Cesar Talledo <cesar.talledo@docker.com>

* Fix capitalization of air-gapped container references.

Signed-off-by: Cesar Talledo <cesar.talledo@docker.com>

* Make air-gapped containers a single page rather than subsection.

Signed-off-by: Cesar Talledo <cesar.talledo@docker.com>

* Fixes to air-gapped containers section per review feedback.

Signed-off-by: Cesar Talledo <cesar.talledo@docker.com>

---------

Signed-off-by: Cesar Talledo <cesar.talledo@docker.com>
This commit is contained in:
Cesar Talledo 2024-05-10 02:41:48 -07:00 committed by GitHub
parent e97ab3f92d
commit 40bec3a6c2
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
6 changed files with 45 additions and 34 deletions

View File

@ -8,19 +8,23 @@ grid:
- title: "Settings Management"
description: Learn how Settings Management can secure your developers' workflows.
icon: shield_locked
link: "/desktop/hardened-desktop/settings-management/"
link: /desktop/hardened-desktop/settings-management/
- title: "Enhanced Container Isolation"
description: Understand how Enhanced Container Isolation can prevent container attacks.
icon: "security"
link: "/desktop/hardened-desktop/enhanced-container-isolation/"
link: /desktop/hardened-desktop/enhanced-container-isolation/
- title: "Registry Access Management"
description: Control the registries developers can access while using Docker Desktop.
icon: "home_storage"
link: "/security/for-admins/registry-access-management/"
link: /security/for-admins/registry-access-management/
- title: "Image Access Management"
description: Control the images developers can pull from Docker Hub.
icon: "photo_library"
link: "/security/for-admins/image-access-management/"
link: /security/for-admins/image-access-management/
- title: "Air-Gapped Containers"
description: Restrict containers from accessing unwanted network resources.
icon: "vpn_lock"
link: /desktop/hardened-desktop/air-gapped-containers/
---
> **Note**
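Review bot: the new grid entry's title `Air-Gapped Containers` is capitalised differently from the rest of this commit, which writes `Air-gapped containers` in the "What does Hardened Docker Desktop include?" bullet and in the target page's own `title:` front matter; pick one form for the title and use it in the grid, the nav and the page. The description "Restrict containers from accessing unwanted network resources" is the accurate level of claim for the feature and should be the wording reused elsewhere.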
@ -45,17 +49,20 @@ It is for security conscious organizations who:
### What does Hardened Docker Desktop include?
It includes:
- Settings Management, which helps admins to confidently manage and control the usage of Docker Desktop within their organization.
- Enhanced Container Isolation (ECI), a setting that instantly enhances security by preventing containers from running as root in Docker Desktops Linux VM and ensures that any configurations set using Settings Management cannot be bypassed or modified by containers.
- Registry Access Management (RAM), which allows admins to control the registries developers can access.
- Image Access Management (IAM), which gives admins control over which images developers can pull from Docker Hub.
- Air-gapped containers, which restricts containers from accessing unwanted network resources.
### How does it help my organisation?
Hardened Desktop features work independently but collectively to create a defense-in-depth strategy, safeguarding developer workstations against potential attacks across various functional layers, such as configuring Docker Desktop, pulling container images, and running container images. This multi-layered defense approach ensures comprehensive security.
It helps mitigate against threats such as:
- Malware and supply chain attacks. RAM and IAM prevent developers from accessing certain container registries and image types, significantly lowering the risk of malicious payloads. Additionally, ECI restricts the impact of containers with malicious payloads by running them without root privileges inside a Linux user namespace.
- Insider threats. Settings Management configures and locks various Docker Desktop settings, such as proxy settings, ECI, and prevents exposure of the Docker API. This helps admins enforce company policies and prevents developers from introducing insecure configurations, intentionally or unintentionally.
- **Malware and supply chain attacks:** RAM and IAM prevent developers from accessing certain container registries and image types, significantly lowering the risk of malicious payloads. Additionally, ECI restricts the impact of containers with malicious payloads by running them without root privileges inside a Linux user namespace.
- **Lateral movement:** Air gapped containers allows admins to configure network access restrictions for containers, thereby preventing malicious containers from performing lateral movement within the organization's network.
- **Insider threats:** Settings Management configures and locks various Docker Desktop settings, such as proxy settings, ECI, and prevents exposure of the Docker API. This helps admins enforce company policies and prevents developers from introducing insecure configurations, intentionally or unintentionally.
{{< grid >}}
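Review bot: the new `Lateral movement` bullet says air-gapped containers are "preventing malicious containers from performing lateral movement", which is stronger than the feature's own description in the grid ("Restrict containers from accessing unwanted network resources") and than the configuration page, whose example deliberately lets containers connect directly to a subnet. Suggest "limits the lateral movement a malicious container can perform" and say what the control actually is, a network-access policy applied to container traffic, so readers do not read it as a full network air gap. Two grammar points on the same lines: `Air gapped containers allows` should be `Air-gapped containers allow`, and the new include-list bullet `Air-gapped containers, which restricts` should read `which restrict`.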

View File

@ -1,12 +1,12 @@
---
description: Learn how to create air-gapped containers with Settings Management
title: Configure air-gapped containers with Settings Management
keywords: settings management, air gapped, security, Docker Desktop, configuration, proxy, network
title: Air-gapped containers
description: Air-gapped containers - What it is, benefits, and how to configure it.
keywords: air gapped, security, Docker Desktop, configuration, proxy, network
---
> **Beta feature**
>
> This feature is in [Beta](../../../release-lifecycle.md/#beta).
> This feature is in [Beta](../../release-lifecycle.md/#beta).
> It's available with Docker Desktop version 4.29 and later.
{ .experimental }
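Review bot: the rewritten `keywords:` line drops `settings management`, yet the page is still configured through Settings Management (its Configuration section opens with "Assuming enforced sign-in and Settings Management are enabled"); keep the keyword so searches for the setting still land here. The new `description:` is fine, but consider naming the `admin-settings.json` key (`containersProxy`) in it as well, since that is what admins will search for.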
@ -25,7 +25,7 @@ You can choose:
## Configuration
Assuming [enforced sign-in](../../../security/for-admins/configure-sign-in.md) and Settings Management are enabled, add the new proxy configuration to the `admin-settings.json` file. For example:
Assuming [enforced sign-in](../../security/for-admins/configure-sign-in.md) and [Settings Management](settings-management/_index.md) are enabled, add the new proxy configuration to the `admin-settings.json` file. For example:
```json
{
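Review bot: "add the new proxy configuration" leaves the reader to guess which key to add; the setting has a name, `containersProxy`, used in the Settings Management table that this same commit links back to this page. Name the key in the sentence before the `admin-settings.json` example so readers can locate it in an existing file.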
@ -86,4 +86,4 @@ The `FindProxyForURL` can return the following values:
In this particular example, HTTP and HTTPS requests for `internal.corp` are sent via the HTTP proxy `10.0.0.1:3128`. Requests to connect to IPs on the subnet `192.168.0.0/24` connect directly. All other requests are blocked.
To restrict traffic connecting to ports on the developers local machine, [match the special hostname `host.docker.internal`](../../networking.md#i-want-to-connect-from-a-container-to-a-service-on-the-host).
To restrict traffic connecting to ports on the developers local machine, [match the special hostname `host.docker.internal`](../networking.md#i-want-to-connect-from-a-container-to-a-service-on-the-host).
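Review bot: `developers local machine` on the changed line is missing its apostrophe (`developer's local machine`); since the line is already being touched for the link path, fix the wording here too. It would also help to say explicitly that traffic to `host.docker.internal` is covered by the same proxy rules as any other destination, which is what "match the special hostname" implies but does not state.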

View File

@ -157,24 +157,24 @@ The following `admin-settings.json` code and table provides an example of the re
"path":"$TMP",
"sharedByDefault": false
}
],
],
"useVirtualizationFrameworkVirtioFS": {
"locked": true,
"value": true
"value": true
},
"useVirtualizationFrameworkRosetta": {
"locked": true,
"value": true
"value": true
},
"useGrpcfuse": {
"locked": true,
"value": true
"value": true
},
"displayedOnboarding": {
"locked": true,
"value": true
"value": true
}
}
}
```
| Parameter | | Description |
@ -183,7 +183,7 @@ The following `admin-settings.json` code and table provides an example of the re
| `exposeDockerAPIOnTCP2375` | Windows only| Exposes the Docker API on a specified port. If `value` is set to true, the Docker API is exposed on port 2375. Note: This is unauthenticated and should only be enabled if protected by suitable firewall rules.|
| `proxy` | |If `mode` is set to `system` instead of `manual`, Docker Desktop gets the proxy values from the system and ignores and values set for `http`, `https` and `exclude`. Change `mode` to `manual` to manually configure proxy servers. If the proxy port is custom, specify it in the `http` or `https` property, for example `"https": "http://myotherproxy.com:4321"`. The `exclude` property specifies a comma-separated list of hosts and domains to bypass the proxy. |
| &nbsp; &nbsp; &nbsp; &nbsp;`windowsDockerdPort` | Windows only | Exposes Docker Desktop's internal proxy locally on this port for the Windows Docker daemon to connect to. If it is set to 0, a random free port is chosen. If the value is greater than 0, use that exact value for the port. The default value is -1 which disables the option. Note: This is available for Windows containers only. |
| `containersProxy` (Beta) | | Allows you to create air-gapped containers. For more information see [Configure air-gapped containers with Settings Management](air-gapped-containers.md).|
| `containersProxy` (Beta) | | Allows you to create air-gapped containers. For more information see [Air-gapped containers](../air-gapped-containers.md).|
| `enhancedContainerIsolation` | | If `value` is set to true, Docker Desktop runs all containers as unprivileged, via the Linux user-namespace, prevents them from modifying sensitive configurations inside the Docker Desktop VM, and uses other advanced techniques to isolate them. For more information, see [Enhanced Container Isolation](../enhanced-container-isolation/index.md).|
| &nbsp; &nbsp; &nbsp; &nbsp;`dockerSocketMount` | | By default, enhanced container isolation blocks bind-mounting the Docker Engine socket into containers (e.g., `docker run -v /var/run/docker.sock:/var/run/docker.sock ...`). This allows admins to relax this in a controlled way. See [ECI Configuration](../enhanced-container-isolation/config.md) for more info. |
| &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; `imageList` | | Indicates which container images are allowed to bind-mount the Docker Engine socket. |
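Review bot: the `containersProxy` row relies on the `(Beta)` label alone to signal its status; the target page states the feature is available with Docker Desktop 4.29 and later, so state the minimum version in the row, in the same way the `exposeDockerAPIOnTCP2375` row states its platform restriction. Readers who only consult this table will otherwise add the key to `admin-settings.json` on an older release and see it ignored.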

View File

@ -33,7 +33,7 @@ For frequently asked questions about Docker Desktop releases, see [FAQs](faqs/re
### New
#### For all platforms
#### For all platforms
- Docker Desktop now supports [SOCKS5 proxies](networking.md#socks5-proxy-support). Requires a Business subscription.
- Added a new setting to manage the onboarding survey in [Settings Management](hardened-desktop/settings-management/_index.md).
@ -122,7 +122,7 @@ This can be resolved by adding the user to the **docker-users** group. Before st
- Compose supports [Synchronized file shares (experimental)](synchronized-file-sharing.md).
- New [interactive Compose CLI (experimental)](../compose/environment-variables/envvars.md#compose_menu).
- Beta release of:
- Air-gapped containers with [Settings Management](hardened-desktop/settings-management/air-gapped-containers.md).
- Air-gapped containers with [Settings Management](hardened-desktop/air-gapped-containers/_index.md).
- [Host networking](../network/drivers/host.md#docker-desktop) in Docker Desktop.
- [Docker Debug](use-desktop/container.md#integrated-terminal) for running containers.
- [Volumes Backup & Share extension](use-desktop/volumes.md) functionality available in the **Volumes** tab.
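Review bot: the updated link `hardened-desktop/air-gapped-containers/_index.md` points at a section index, but the Settings Management table in this same commit links the page as `../air-gapped-containers.md`, and the commit message says the feature was made "a single page rather than subsection"; the two relative paths cannot both exist, so one of these links is broken. Align the release-notes link with the actual file name (the nav entry `/desktop/hardened-desktop/air-gapped-containers/` resolves either way, the `.md` relative links do not).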
@ -203,7 +203,7 @@ This can be resolved by adding the user to the **docker-users** group. Before st
- [Compose v2.24.6](https://github.com/docker/compose/releases/tag/v2.24.6)
- [Docker Engine v25.0.3](https://docs.docker.com/engine/release-notes/25.0/#2503)
- [Docker Scout CLI v1.5.0](https://github.com/docker/scout-cli/releases/tag/v1.5.0)
- [Qemu 8.1.5](https://wiki.qemu.org/ChangeLog/8.1)
- [Qemu 8.1.5](https://wiki.qemu.org/ChangeLog/8.1)
- [Wasm](../desktop/wasm/_index.md) runtimes:
- Updated runwasi shims to `v0.4.0`, including:
- wasmtime `v17.0`, with initial support for WASI preview 2
@ -480,7 +480,7 @@ This can be resolved by adding the user to the **docker-users** group. Before st
- Fixed a bug were the setting **Start Docker Desktop when you sign in** would not work. Fixes [docker/for-mac#7052](https://github.com/docker/for-mac/issues/7052).
- You can now enable the use of Kernel networking path for UDP through the UI. Fixes [docker/for-mac#7008](https://github.com/docker/for-mac/issues/7008).
- Fixed a regression where the `uninstall` CLI tool was missing.
- Addressed an issue which caused Docker Desktop to become unresponsive when analytics were disabled with Settings Management.
- Addressed an issue which caused Docker Desktop to become unresponsive when analytics were disabled with Settings Management.
#### For Windows
@ -492,7 +492,7 @@ This can be resolved by adding the user to the **docker-users** group. Before st
#### For Windows
- Docker CLI doesnt work when using WSL 2 integration on an older Linux distribution (for example, Ubuntu 20.04) which uses a `glibc` version older than `2.32`. This will be fixed in future releases. See [docker/for-win#13824](https://github.com/docker/for-win/issues/13824).
## 4.25.2
{{< release-date date="2023-11-21" >}}
@ -602,7 +602,7 @@ This can be resolved by adding the user to the **docker-users** group. Before st
#### For all platforms
- Docker operations, such as pulling images or logging in, fail with 'connection refused' or 'timeout' errors if the Swap file size is set to 0MB. As a workaround, configure the swap file size to a non-zero value in the **Resources** tab in **Settings**.
- Docker operations, such as pulling images or logging in, fail with 'connection refused' or 'timeout' errors if the Swap file size is set to 0MB. As a workaround, configure the swap file size to a non-zero value in the **Resources** tab in **Settings**.
## 4.24.2

View File

@ -19,6 +19,10 @@ grid_admins:
description: Control the images developers can pull from Docker Hub.
icon: photo_library
link: /security/for-admins/image-access-management/
- title: "Air-Gapped Containers"
description: Restrict containers from accessing unwanted network resources.
icon: "vpn_lock"
link: /desktop/hardened-desktop/air-gapped-containers/
- title: Enforce sign-in
description: Configure sign-in for members of your teams and organizations.
link: /security/for-admins/configure-sign-in/
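Review bot: the new entry quotes `"Air-Gapped Containers"` and `"vpn_lock"` while the neighbouring entries in this file (`icon: photo_library`, `title: Enforce sign-in`) are unquoted; match the file's style, especially since the commit's own nit was to strip quotes from links. On placement: the entry sits before `Enforce sign-in`, but the feature's Configuration section assumes enforced sign-in and Settings Management are already enabled, so listing it after those prerequisites would match the order an admin has to follow.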
@ -40,14 +44,14 @@ grid_admins:
icon: checklist
link: /security/for-admins/scim/
- title: Roles and permissions
description: Assign roles to individuals giving them different permissions within an organization.
description: Assign roles to individuals giving them different permissions within an organization.
icon: badge
link: /security/for-admins/roles-and-permissions/
- title: Private marketplace for Extensions (Early Access)
description: Learn how to configure and set up a private marketplace with a curated list of extensions for your Docker Desktop users.
icon: storefront
link: /desktop/extensions/private-marketplace/
grid_developers:
grid_developers:
- title: Set up two-factor authentication
description: Add an extra layer of authentication to your Docker account.
link: /security/for-developers/2fa/
@ -83,18 +87,18 @@ grid_resources:
link: /scout/guides/vex/
---
Docker provides security guardrails for both administrators and developers.
Docker provides security guardrails for both administrators and developers.
If you're an administrator, you can enforce sign-in across Docker products for your developers, and
scale, manage, and secure your instances of Docker Desktop with DevOps security controls like Enhanced Container Isolation and Registry Access Management.
If you're an administrator, you can enforce sign-in across Docker products for your developers, and
scale, manage, and secure your instances of Docker Desktop with DevOps security controls like Enhanced Container Isolation and Registry Access Management.
For both administrators and developers, Docker provides security-specific products such as Docker Scout, for securing your software supply chain with proactive image vulnerability monitoring and remediation strategies.
For both administrators and developers, Docker provides security-specific products such as Docker Scout, for securing your software supply chain with proactive image vulnerability monitoring and remediation strategies.
## For administrators
Explore the security features Docker offers to satisfy your company's security policies.
{{< grid items="grid_admins" >}}
{{< grid items="grid_admins" >}}
## For developers

View File

@ -1168,8 +1168,6 @@ Manuals:
title: What is Settings Management?
- path: /desktop/hardened-desktop/settings-management/configure/
title: Configure Settings Management
- path: /desktop/hardened-desktop/settings-management/air-gapped-containers/
title: Air-gapped containers (Beta)
- sectiontitle: Enhanced Container Isolation
section:
- path: /desktop/hardened-desktop/enhanced-container-isolation/
@ -1184,6 +1182,8 @@ Manuals:
title: Limitations
- path: /desktop/hardened-desktop/enhanced-container-isolation/faq/
title: FAQ
- path: /desktop/hardened-desktop/air-gapped-containers/
title: Air-Gapped Containers
- sectiontitle: Dev Environments (Beta)
section:
- path: /desktop/dev-environments/
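Review bot: the new nav entry `Air-Gapped Containers` drops the `(Beta)` suffix the removed entry carried, while the page itself still opens with a Beta notice (Docker Desktop 4.29 and later); keep `(Beta)` in the nav title, or say in the commit message that the suffix was dropped deliberately. The casing also differs from the page's `title: Air-gapped containers`, so the sidebar and the page heading will not match.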