diff --git a/content/desktop/hardened-desktop/_index.md b/content/desktop/hardened-desktop/_index.md index 1b2133117b..c2cfb84fe6 100644 --- a/content/desktop/hardened-desktop/_index.md +++ b/content/desktop/hardened-desktop/_index.md @@ -8,19 +8,23 @@ grid: - title: "Settings Management" description: Learn how Settings Management can secure your developers' workflows. icon: shield_locked - link: "/desktop/hardened-desktop/settings-management/" + link: /desktop/hardened-desktop/settings-management/ - title: "Enhanced Container Isolation" description: Understand how Enhanced Container Isolation can prevent container attacks. icon: "security" - link: "/desktop/hardened-desktop/enhanced-container-isolation/" + link: /desktop/hardened-desktop/enhanced-container-isolation/ - title: "Registry Access Management" description: Control the registries developers can access while using Docker Desktop. icon: "home_storage" - link: "/security/for-admins/registry-access-management/" + link: /security/for-admins/registry-access-management/ - title: "Image Access Management" description: Control the images developers can pull from Docker Hub. icon: "photo_library" - link: "/security/for-admins/image-access-management/" + link: /security/for-admins/image-access-management/ + - title: "Air-Gapped Containers" + description: Restrict containers from accessing unwanted network resources. + icon: "vpn_lock" + link: /desktop/hardened-desktop/air-gapped-containers/ --- > **Note** 
@@ -45,17 +49,20 @@ It is for security conscious organizations who: ### What does Hardened Docker Desktop include? It includes: + - Settings Management, which helps admins to confidently manage and control the usage of Docker Desktop within their organization. - Enhanced Container Isolation (ECI), a setting that instantly enhances security by preventing containers from running as root in Docker Desktop’s Linux VM and ensures that any configurations set using Settings Management cannot be bypassed or modified by containers. - Registry Access Management (RAM), which allows admins to control the registries developers can access. - Image Access Management (IAM), which gives admins control over which images developers can pull from Docker Hub. +- Air-gapped containers, which restricts containers from accessing unwanted network resources. ### How does it help my organisation? Hardened Desktop features work independently but collectively to create a defense-in-depth strategy, safeguarding developer workstations against potential attacks across various functional layers, such as configuring Docker Desktop, pulling container images, and running container images. This multi-layered defense approach ensures comprehensive security. It helps mitigate against threats such as: - - Malware and supply chain attacks. RAM and IAM prevent developers from accessing certain container registries and image types, significantly lowering the risk of malicious payloads. Additionally, ECI restricts the impact of containers with malicious payloads by running them without root privileges inside a Linux user namespace. - - Insider threats. Settings Management configures and locks various Docker Desktop settings, such as proxy settings, ECI, and prevents exposure of the Docker API. This helps admins enforce company policies and prevents developers from introducing insecure configurations, intentionally or unintentionally. 
+ - **Malware and supply chain attacks:** RAM and IAM prevent developers from accessing certain container registries and image types, significantly lowering the risk of malicious payloads. Additionally, ECI restricts the impact of containers with malicious payloads by running them without root privileges inside a Linux user namespace. + - **Lateral movement:** Air gapped containers allows admins to configure network access restrictions for containers, thereby preventing malicious containers from performing lateral movement within the organization's network. + - **Insider threats:** Settings Management configures and locks various Docker Desktop settings, such as proxy settings, ECI, and prevents exposure of the Docker API. This helps admins enforce company policies and prevents developers from introducing insecure configurations, intentionally or unintentionally. {{< grid >}} diff --git a/content/desktop/hardened-desktop/settings-management/air-gapped-containers.md b/content/desktop/hardened-desktop/air-gapped-containers.md similarity index 85% rename from content/desktop/hardened-desktop/settings-management/air-gapped-containers.md rename to content/desktop/hardened-desktop/air-gapped-containers.md index bbbb4da14e..804726bcec 100644 --- a/content/desktop/hardened-desktop/settings-management/air-gapped-containers.md +++ b/content/desktop/hardened-desktop/air-gapped-containers.md 
@@ -1,12 +1,12 @@ --- -description: Learn how to create air-gapped containers with Settings Management -title: Configure air-gapped containers with Settings Management -keywords: settings management, air gapped, security, Docker Desktop, configuration, proxy, network +title: Air-gapped containers +description: Air-gapped containers - What it is, benefits, and how to configure it. +keywords: air gapped, security, Docker Desktop, configuration, proxy, network --- > **Beta feature** > -> This feature is in [Beta](../../../release-lifecycle.md/#beta). +> This feature is in [Beta](../../release-lifecycle.md/#beta). > It's available with Docker Desktop version 4.29 and later. { .experimental } @@ -25,7 +25,7 @@ You can choose: ## Configuration -Assuming [enforced sign-in](../../../security/for-admins/configure-sign-in.md) and Settings Management are enabled, add the new proxy configuration to the `admin-settings.json` file. For example: +Assuming [enforced sign-in](../../security/for-admins/configure-sign-in.md) and [Settings Management](settings-management/_index.md) are enabled, add the new proxy configuration to the `admin-settings.json` file. For example: ```json { @@ -86,4 +86,4 @@ The `FindProxyForURL` can return the following values: In this particular example, HTTP and HTTPS requests for `internal.corp` are sent via the HTTP proxy `10.0.0.1:3128`. Requests to connect to IPs on the subnet `192.168.0.0/24` connect directly. All other requests are blocked. -To restrict traffic connecting to ports on the developers local machine, [match the special hostname `host.docker.internal`](../../networking.md#i-want-to-connect-from-a-container-to-a-service-on-the-host). \ No newline at end of file +To restrict traffic connecting to ports on the developers local machine, [match the special hostname `host.docker.internal`](../networking.md#i-want-to-connect-from-a-container-to-a-service-on-the-host). 
diff --git a/content/desktop/hardened-desktop/settings-management/configure.md b/content/desktop/hardened-desktop/settings-management/configure.md index 7c0f0d3bc2..df79872dfa 100644 --- a/content/desktop/hardened-desktop/settings-management/configure.md +++ b/content/desktop/hardened-desktop/settings-management/configure.md @@ -157,24 +157,24 @@ The following `admin-settings.json` code and table provides an example of the re "path":"$TMP", "sharedByDefault": false } - ], + ], "useVirtualizationFrameworkVirtioFS": { "locked": true, - "value": true + "value": true }, "useVirtualizationFrameworkRosetta": { "locked": true, - "value": true + "value": true }, "useGrpcfuse": { "locked": true, - "value": true + "value": true }, "displayedOnboarding": { "locked": true, - "value": true + "value": true } -} +} ``` | Parameter | | Description | 
@@ -183,7 +183,7 @@ The following `admin-settings.json` code and table provides an example of the re | `exposeDockerAPIOnTCP2375` | Windows only| Exposes the Docker API on a specified port. If `value` is set to true, the Docker API is exposed on port 2375. Note: This is unauthenticated and should only be enabled if protected by suitable firewall rules.| | `proxy` | |If `mode` is set to `system` instead of `manual`, Docker Desktop gets the proxy values from the system and ignores and values set for `http`, `https` and `exclude`. Change `mode` to `manual` to manually configure proxy servers. If the proxy port is custom, specify it in the `http` or `https` property, for example `"https": "http://myotherproxy.com:4321"`. The `exclude` property specifies a comma-separated list of hosts and domains to bypass the proxy. | |        `windowsDockerdPort` | Windows only | Exposes Docker Desktop's internal proxy locally on this port for the Windows Docker daemon to connect to. If it is set to 0, a random free port is chosen. If the value is greater than 0, use that exact value for the port. The default value is -1 which disables the option. Note: This is available for Windows containers only. | -| `containersProxy` (Beta) | | Allows you to create air-gapped containers. For more information see [Configure air-gapped containers with Settings Management](air-gapped-containers.md).| +| `containersProxy` (Beta) | | Allows you to create air-gapped containers. For more information see [Air-gapped containers](../air-gapped-containers.md).| | `enhancedContainerIsolation` | | If `value` is set to true, Docker Desktop runs all containers as unprivileged, via the Linux user-namespace, prevents them from modifying sensitive configurations inside the Docker Desktop VM, and uses other advanced techniques to isolate them. 
For more information, see [Enhanced Container Isolation](../enhanced-container-isolation/index.md).| |        `dockerSocketMount` | | By default, enhanced container isolation blocks bind-mounting the Docker Engine socket into containers (e.g., `docker run -v /var/run/docker.sock:/var/run/docker.sock ...`). This allows admins to relax this in a controlled way. See [ECI Configuration](../enhanced-container-isolation/config.md) for more info. | |               `imageList` | | Indicates which container images are allowed to bind-mount the Docker Engine socket. | diff --git a/content/desktop/release-notes.md b/content/desktop/release-notes.md index ccb305f4fa..bc33e53dd6 100644 --- a/content/desktop/release-notes.md +++ b/content/desktop/release-notes.md @@ -33,7 +33,7 @@ For frequently asked questions about Docker Desktop releases, see [FAQs](faqs/re ### New -#### For all platforms +#### For all platforms - Docker Desktop now supports [SOCKS5 proxies](networking.md#socks5-proxy-support). Requires a Business subscription. - Added a new setting to manage the onboarding survey in [Settings Management](hardened-desktop/settings-management/_index.md). @@ -122,7 +122,7 @@ This can be resolved by adding the user to the **docker-users** group. Before st - Compose supports [Synchronized file shares (experimental)](synchronized-file-sharing.md). - New [interactive Compose CLI (experimental)](../compose/environment-variables/envvars.md#compose_menu). - Beta release of: - - Air-gapped containers with [Settings Management](hardened-desktop/settings-management/air-gapped-containers.md). + - Air-gapped containers with [Settings Management](hardened-desktop/air-gapped-containers/_index.md). - [Host networking](../network/drivers/host.md#docker-desktop) in Docker Desktop. - [Docker Debug](use-desktop/container.md#integrated-terminal) for running containers. - [Volumes Backup & Share extension](use-desktop/volumes.md) functionality available in the **Volumes** tab. 
@@ -203,7 +203,7 @@ This can be resolved by adding the user to the **docker-users** group. Before st - [Compose v2.24.6](https://github.com/docker/compose/releases/tag/v2.24.6) - [Docker Engine v25.0.3](https://docs.docker.com/engine/release-notes/25.0/#2503) - [Docker Scout CLI v1.5.0](https://github.com/docker/scout-cli/releases/tag/v1.5.0) -- [Qemu 8.1.5](https://wiki.qemu.org/ChangeLog/8.1) +- [Qemu 8.1.5](https://wiki.qemu.org/ChangeLog/8.1) - [Wasm](../desktop/wasm/_index.md) runtimes: - Updated runwasi shims to `v0.4.0`, including: - wasmtime `v17.0`, with initial support for WASI preview 2 @@ -480,7 +480,7 @@ This can be resolved by adding the user to the **docker-users** group. Before st - Fixed a bug were the setting **Start Docker Desktop when you sign in** would not work. Fixes [docker/for-mac#7052](https://github.com/docker/for-mac/issues/7052). - You can now enable the use of Kernel networking path for UDP through the UI. Fixes [docker/for-mac#7008](https://github.com/docker/for-mac/issues/7008). - Fixed a regression where the `uninstall` CLI tool was missing. -- Addressed an issue which caused Docker Desktop to become unresponsive when analytics were disabled with Settings Management. +- Addressed an issue which caused Docker Desktop to become unresponsive when analytics were disabled with Settings Management. #### For Windows @@ -492,7 +492,7 @@ This can be resolved by adding the user to the **docker-users** group. Before st #### For Windows - Docker CLI doesn’t work when using WSL 2 integration on an older Linux distribution (for example, Ubuntu 20.04) which uses a `glibc` version older than `2.32`. This will be fixed in future releases. See [docker/for-win#13824](https://github.com/docker/for-win/issues/13824). - + ## 4.25.2 {{< release-date date="2023-11-21" >}} 
@@ -602,7 +602,7 @@ This can be resolved by adding the user to the **docker-users** group. Before st #### For all platforms -- Docker operations, such as pulling images or logging in, fail with 'connection refused' or 'timeout' errors if the Swap file size is set to 0MB. As a workaround, configure the swap file size to a non-zero value in the **Resources** tab in **Settings**. +- Docker operations, such as pulling images or logging in, fail with 'connection refused' or 'timeout' errors if the Swap file size is set to 0MB. As a workaround, configure the swap file size to a non-zero value in the **Resources** tab in **Settings**. ## 4.24.2 diff --git a/content/security/_index.md b/content/security/_index.md index 39e9795d1a..959ebf828f 100644 --- a/content/security/_index.md +++ b/content/security/_index.md @@ -19,6 +19,10 @@ grid_admins: description: Control the images developers can pull from Docker Hub. icon: photo_library link: /security/for-admins/image-access-management/ +- title: "Air-Gapped Containers" + description: Restrict containers from accessing unwanted network resources. + icon: "vpn_lock" + link: /desktop/hardened-desktop/air-gapped-containers/ - title: Enforce sign-in description: Configure sign-in for members of your teams and organizations. link: /security/for-admins/configure-sign-in/ 
@@ -40,14 +44,14 @@ grid_admins: icon: checklist link: /security/for-admins/scim/ - title: Roles and permissions - description: Assign roles to individuals giving them different permissions within an organization. + description: Assign roles to individuals giving them different permissions within an organization. icon: badge link: /security/for-admins/roles-and-permissions/ - title: Private marketplace for Extensions (Early Access) description: Learn how to configure and set up a private marketplace with a curated list of extensions for your Docker Desktop users. icon: storefront link: /desktop/extensions/private-marketplace/ -grid_developers: +grid_developers: - title: Set up two-factor authentication description: Add an extra layer of authentication to your Docker account. link: /security/for-developers/2fa/ 
@@ -83,18 +87,18 @@ grid_resources: link: /scout/guides/vex/ --- -Docker provides security guardrails for both administrators and developers. +Docker provides security guardrails for both administrators and developers. -If you're an administrator, you can enforce sign-in across Docker products for your developers, and -scale, manage, and secure your instances of Docker Desktop with DevOps security controls like Enhanced Container Isolation and Registry Access Management. +If you're an administrator, you can enforce sign-in across Docker products for your developers, and +scale, manage, and secure your instances of Docker Desktop with DevOps security controls like Enhanced Container Isolation and Registry Access Management. -For both administrators and developers, Docker provides security-specific products such as Docker Scout, for securing your software supply chain with proactive image vulnerability monitoring and remediation strategies. +For both administrators and developers, Docker provides security-specific products such as Docker Scout, for securing your software supply chain with proactive image vulnerability monitoring and remediation strategies. ## For administrators Explore the security features Docker offers to satisfy your company's security policies. -{{< grid items="grid_admins" >}} +{{< grid items="grid_admins" >}} ## For developers diff --git a/data/toc.yaml b/data/toc.yaml index af421cd1ac..112e0a2c73 100644 --- a/data/toc.yaml +++ b/data/toc.yaml @@ -1168,8 +1168,6 @@ Manuals: title: What is Settings Management? - path: /desktop/hardened-desktop/settings-management/configure/ title: Configure Settings Management - - path: /desktop/hardened-desktop/settings-management/air-gapped-containers/ - title: Air-gapped containers (Beta) - sectiontitle: Enhanced Container Isolation section: - path: /desktop/hardened-desktop/enhanced-container-isolation/ 
@@ -1184,6 +1182,8 @@ Manuals: title: Limitations - path: /desktop/hardened-desktop/enhanced-container-isolation/faq/ title: FAQ + - path: /desktop/hardened-desktop/air-gapped-containers/ + title: Air-Gapped Containers - sectiontitle: Dev Environments (Beta) section: - path: /desktop/dev-environments/
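Review bot: in the `content/desktop/hardened-desktop/_index.md` grid hunk, the new tile's title "Air-Gapped Containers" is capitalized differently from the feature name used in the body list of the same file ("Air-gapped containers") and from the old toc entry; pick one form and use it in the tile, the body list and the toc. The dequoting of the four existing `link:` values is unrelated churn in a hunk that otherwise adds a feature, and it leaves `icon: "security"` and the titles still quoted, so it does not buy consistency either; consider dropping it or doing it for all keys in a separate commit.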
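Review bot: in the "What does Hardened Docker Desktop include?" hunk, the added bullet "Air-gapped containers, which restricts containers from accessing unwanted network resources" has a plural subject with a singular verb; either "which restrict" or, matching the other bullets that describe what the admin gets, "Air-gapped containers, which lets admins restrict the network resources containers can reach." The stray blank line inserted after "It includes:" is fine for Markdown but the other lists on the page do not have one.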
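Review bot: in the "It helps mitigate against threats such as" hunk, the "Lateral movement" bullet overstates what the feature does: "thereby preventing malicious containers from performing lateral movement" reads as an absolute guarantee, while the air-gapped containers page in this same patch describes a Beta feature that works by routing container traffic through proxy rules in `admin-settings.json` (`containersProxy`, PAC `FindProxyForURL`), so what it gives admins is a policy on which destinations containers may reach. Suggest "Air-gapped containers let admins restrict the network destinations containers can reach, which limits a compromised container's ability to move laterally within the organization's network." Also "Air gapped containers allows" should be "Air-gapped containers allow" (hyphen and agreement, matching the rest of the patch).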
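Review bot: in the `air-gapped-containers.md` hunk, the Beta link target `../../release-lifecycle.md/#beta` keeps a stray slash between the file name and the anchor; since the line is being rewritten for the move anyway, make it `../../release-lifecycle.md#beta`. The other relative links look right for the new location (`../../security/for-admins/configure-sign-in.md`, `settings-management/_index.md` and `../networking.md` all resolve from `content/desktop/hardened-desktop/`). Two smaller things on touched lines: the new description "Air-gapped containers - What it is, benefits, and how to configure it." reads like a heading rather than a summary, "Learn what air-gapped containers are, why to use them, and how to configure them." would read better; and "the developers local machine" should be "the developer's local machine".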
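Review bot: the `configure.md` JSON hunk only strips trailing whitespace from the example, which is fine, but while touching it `"path":"$TMP"` is the one key in the example without a space after the colon; `"path": "$TMP"` would match the surrounding lines.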
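Review bot: in the `configure.md` table hunk, the `containersProxy` link `../air-gapped-containers.md` correctly resolves to the renamed file, but the `proxy` row carried as context on the line above has a typo that should be fixed while the table is open: "ignores and values set for `http`, `https` and `exclude`" should read "ignores any values set for ...". Also worth confirming that `../enhanced-container-isolation/index.md` in the `enhancedContainerIsolation` row is the real file name, since every other section link in this patch uses `_index.md`.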
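Review bot: the `release-notes.md` hunk at `@@ -122,7 +122,7 @@` introduces a broken link: it changes the target to `hardened-desktop/air-gapped-containers/_index.md`, but the rename header in this same patch moves the page to `content/desktop/hardened-desktop/air-gapped-containers.md`, a single file, not a section bundle. It should be `hardened-desktop/air-gapped-containers.md`, the same form the `configure.md` table uses. While here, the link text is "Settings Management" although the target is now the air-gapped containers page; linking the feature name instead ("[Air-gapped containers](...) with Settings Management") would be clearer.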
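Review bot: the `release-notes.md` hunk at `@@ -480,7 +480,7 @@` only strips trailing whitespace, but the first context line in it has a typo worth fixing in the same pass: "Fixed a bug were the setting" should be "Fixed a bug where the setting". The other whitespace-only hunks in this file (`#### For all platforms`, the Qemu line, the blank line before `## 4.25.2`, the swap-file note) are unrelated to the feature and would be easier to review as a separate formatting commit.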
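Review bot: in the `content/security/_index.md` `grid_admins` hunk, the new entry quotes both `title: "Air-Gapped Containers"` and `icon: "vpn_lock"` while its neighbors in the same list use unquoted values (`icon: photo_library`, `title: Enforce sign-in`); drop the quotes to match. The description "Restrict containers from accessing unwanted network resources." is duplicated verbatim from the hardened-desktop grid, which is fine, but it should then be kept in sync if either copy changes.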
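Review bot: in the `data/toc.yaml` hunk at `@@ -1184,6 +1182,8 @@`, the new entry drops the "(Beta)" suffix that the removed entry under Settings Management carried ("Air-gapped containers (Beta)"), yet the page itself still opens with a Beta banner and states it requires Docker Desktop 4.29 or later. Keep the suffix until the feature leaves Beta, and use the same capitalization as the page title (`Air-gapped containers (Beta)`). The move out of the Settings Management section is correct given the page now lives at `/desktop/hardened-desktop/air-gapped-containers/`, but its position after the ECI FAQ should match the order of the tiles in the hardened-desktop grid, which also lists it last.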