Allie Sadler 2022-10-20 10:06:42 +01:00 committed by GitHub
parent 3a9998620a
commit 442300bc47
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 8 additions and 8 deletions


@ -32,7 +32,7 @@ containers securely. For more information, see [Key features and benefits](featu
#### Will all privileged container workloads run with Enhanced Container Isolation?
No. Privileged container workloads that wish to access global kernel resources, for example non-namespaced, inside the Docker Desktop Linux VM won't
No. Privileged container workloads, or non-namespaced workloads, that wish to access global kernel resources inside the Docker Desktop Linux VM won't
work. For example, you can't use a privileged container to load a kernel module.
#### Why not just restrict usage of the `--privileged` flag?
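Review bot: the reworded line changes the meaning of the FAQ answer. In the original, "non-namespaced" qualified the kernel resources ("global kernel resources, for example non-namespaced"); the new wording turns it into a second kind of workload ("Privileged container workloads, or non-namespaced workloads"), which is not a category the rest of the page defines. Suggest keeping the qualifier on the resources, e.g. "No. Privileged container workloads that wish to access global (non-namespaced) kernel resources inside the Docker Desktop Linux VM won't work." The follow-on example about loading a kernel module then reads correctly, since a kernel module is exactly such a global resource.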


@ -191,8 +191,8 @@ mount: permission denied (are you root?)
```
Since the `$HOME` directory was mounted into the container's `/mnt` directory as
read-only, it can't be changed from within the container to read-write. This
ensures container processes use `mount`, or `umount`, to breach the container's
read-only, it can't be changed from within the container to read-write, even if the container process has the capability to do so. This
ensures container processes can't use `mount`, or `umount`, to breach the container's
root filesystem.
Note however that in the example above the container can still create mounts
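Review bot: the substantive fix here is right and important: the old sentence said the opposite of what the preceding `mount: permission denied` output demonstrates, and "can't use `mount`, or `umount`" restores the intended claim. Two style points on the same lines: the inserted clause "even if the container process has the capability to do so" leaves that line far longer than the surrounding hard-wrapped text with a dangling "This", so reflow the paragraph to match the file's wrapping; and since the point of the example is that having the capability is not enough, consider naming it ("even if the container process has `CAP_SYS_ADMIN`") only if that is what the surrounding section already calls out, otherwise keep the generic wording.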


@ -11,7 +11,7 @@ keywords: set up, enhanced container isolation, rootless, security
Enhanced Container Isolation hardens container isolation using the [Sysbox
container runtime](https://github.com/nestybox/sysbox). Sysbox is a fork of the
standard OCI runc runtime that was modified to enhance container isolation and
workloads. For more details see [Under the covers](#under-the-hood).
workloads. For more details see [Under the hood](#under-the-hood).
Starting with version 4.13, Docker Desktop includes a customized version of
Sysbox.
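Review bot: aligning the link text with the anchor (`[Under the hood](#under-the-hood)`) is correct, but please confirm the target heading in the file is literally "Under the hood" so the generated anchor matches; a stale anchor fails silently in rendered docs. Unrelated to the changed line but in the visible context, "modified to enhance container isolation and workloads" reads as a fragment; it likely needs an object such as "and run workloads that ..." and is worth fixing in the same pass.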


@ -82,7 +82,7 @@ When Enhanced Container Isolation is enabled, users see that containers run with
To check, run:
```
$ docker run -it --rm alpine / # cat /proc/self/uid_map
$ docker run --rm alpine cat /proc/self/uid_map
```
The following output displays:
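Review bot: the replaced command was not runnable as written: it mixed a host `$` prompt, a container `/ #` prompt and the in-container command on one line, so copying it would fail. The new `docker run --rm alpine cat /proc/self/uid_map` runs the check directly and no longer needs `-it`. For consistency with the `docker inspect` example later in this file, which has no prompt, consider dropping the leading `$` here as well, or add it there too, so readers can copy both blocks verbatim.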
@ -105,9 +105,9 @@ With Enhanced Container Isolation, if a process were to escape the container, it
Since Enhanced Container Isolation [uses the Sysbox container runtime](how-eci-works.md) embedded in the Docker Desktop Linux VM, another way to determine if a container is running with Enhanced Container Isolation is by using `docker inspect`:
```
docker inspect --format='{{.HostConfig.Runtime}}' my_container
```
{% highlight liquid %}
docker inspect --format={% raw %}'{{.HostConfig.Runtime}}'{% endraw %} my_container
{% endhighlight %}
It outputs:
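Review bot: wrapping the Go template in `{% raw %}...{% endraw %}` is the right fix, since without it Liquid consumes `{{.HostConfig.Runtime}}` and the rendered page shows an empty `--format=`; the removed plain fenced block would have had exactly that problem. One style point: `{% highlight liquid %}` tags the snippet as Liquid, but the content is a shell command, so `{% highlight console %}` (or `bash`) gives correct syntax highlighting while still allowing the `raw` tags inside.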