mirror of https://github.com/docker/docs.git
add warning class and a linebreak to the warning blockquote (#2937)
* Update fedora.md add warning class to blockquote
* Update linux-postinstall.md add warning class to blockquote
* Update ubuntu.md add warning class to blockquote
* Update https.md add warning class to blockquote
* Update swarm_manager_locking.md add warning class to blockquote
* Update dockerlinks.md add warning class to blockquote
* Update deploying.md add warning class to blockquote
* Update deploying.md add warning class to blockquote
* Update insecure.md add warning class to blockquote
* Update discovery.md add warning class to blockquote
* Update dockerd.yaml add warning class to blockquote
* Update docker_secret_rm.yaml add warning class to blockquote
* Update docker_service_rm.yaml add warning class to blockquote
* Update docker_secret_rm.yaml add warning class to blockquote
* Update scale-your-cluster.md add warning class to blockquote
* Update resource_constraints.md add warning class to blockquote
* Update binaries.md add warning class to blockquote
* Update content_trust.md add warning class to blockquote
* Update secrets.md add warning class to blockquote
* Update index.md add warning class to blockquote
* Update install-sandbox-2.md add warning class to blockquote
* Update docker-toolbox.md add warning class to blockquote
* Update index.md add warning class to blockquote
* Update centos.md add warning class to blockquote
* Update debian.md add warning class to blockquote
* Update faqs.md add linebreak after Looking for popular FAQs on Docker for Windows?
* Update install.md add linebreak after **Already have Docker for Windows?**
* Revert "Update dockerd.yaml" This reverts commit 3a98eb86f700ade8941483546c33f69a9dab8ac3.
* Revert "Update docker_secret_rm.yaml" This reverts commit 5dc1e75f37033932486c11287052b7d64bf83e55.
* Revert "Update docker_service_rm.yaml" This reverts commit a983380a5625b471f1a03f8ed2301ead72f98f1b.
* Revert "Update docker_secret_rm.yaml" This reverts commit 4c454b883c300e26fbb056b954bb49ec2933b172.
parent 530ea2777e
commit 9a1f99cd11
|
@ -957,11 +957,13 @@ container access to the secret and mounts it at `/run/secrets/<secret_name>`
|
|||
within the container. The source name and destination mountpoint are both set
|
||||
to the secret name.
|
||||
|
||||
> **Warning**: Due to a bug in Docker 1.13.1, using the short syntax currently
|
||||
> **Warning**:
|
||||
> Due to a bug in Docker 1.13.1, using the short syntax currently
|
||||
> mounts the secret with permissions `000`, which means secrets defined using
|
||||
> the short syntax are unreadable within the container if the command does not
|
||||
> run as the `root` user. The workaround is to use the long syntax instead if
|
||||
> you use Docker 1.13.1 and the secret must be read by a non-`root` user.
|
||||
{:.warning}
|
||||
|
||||
The following example uses the short syntax to grant the `redis` service
|
||||
access to the `my_secret` and `my_other_secret` secrets. The value of
|
||||
|
|
|
@ -36,8 +36,10 @@ between UCP and DTR, and
|
|||
between DTR and your Docker Engine/docker-trusted-registry/repos-and-images/,
|
||||
but for our sandbox deployment we can skip this.
|
||||
|
||||
> **Warning**: These steps produce an insecure DTR connection. Do not use these
|
||||
> **Warning**:
|
||||
> These steps produce an insecure DTR connection. Do not use these
|
||||
configuration steps for a production deployment.
|
||||
{:.warning}
|
||||
|
||||
To allow the Docker Engine to connect to DTR despite it having a self-signed
|
||||
certificate, we'll specify that there is one insecure registry that we'll allow
|
||||
|
|
|
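Review bot: The last line of the reworked warning, `configuration steps for a production deployment.`, has no `>` prefix, so it stays inside the blockquote only through lazy continuation. Prefix it with `> ` like the two lines above it, so the whole "insecure DTR connection" warning is explicitly part of the quote that `{:.warning}` styles.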
@ -77,8 +77,10 @@ in UCP.
|
|||
SSH and run `docker swarm leave --force` directly against the local docker
|
||||
engine.
|
||||
|
||||
>**Warning**: Do not perform this step if the node is still a manager, as
|
||||
>**Warning**:
|
||||
>Do not perform this step if the node is still a manager, as
|
||||
>that may cause loss of quorum.
|
||||
{:.warning}
|
||||
|
||||
3. Now that the status of the node is reported as `Down`, you may remove the
|
||||
node:
|
||||
|
|
|
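Review bot: The `{:.warning}` line added after `>that may cause loss of quorum.` sits inside a numbered list (the next context line is step `3.`), and its indentation cannot be checked in this view. Confirm it is indented to the same level as the blockquote it follows; if it is not, the class does not attach to the quote and the list can restart its numbering. This is the warning readers need to see before running `docker swarm leave --force`, so it is worth checking the rendered page for this step.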
@ -71,8 +71,9 @@ If you need several VMs and want to manage the version of the Docker client or s
|
|||
|
||||
>**Note**: If you have a shell script as part of your profile that sets these `DOCKER` environment variables automatically each time you open a command window, then you will need to unset these each time you want to use Docker for Mac.
|
||||
|
||||
> **Warning**: If you install Docker for Mac on a machine where Docker Toolbox is installed, it will replace the `docker` and `docker-compose` command lines in `/usr/local/bin` with symlinks to its own versions.
|
||||
|
||||
> **Warning**:
|
||||
> If you install Docker for Mac on a machine where Docker Toolbox is installed, it will replace the `docker` and `docker-compose` command lines in `/usr/local/bin` with symlinks to its own versions.
|
||||
{:.warning}
|
||||
|
||||
## Docker Toolbox and Docker for Mac coexistence
|
||||
|
||||
|
|
|
@ -4,7 +4,8 @@ keywords: windows faqs
|
|||
title: Frequently asked questions (FAQ)
|
||||
---
|
||||
|
||||
>**Looking for popular FAQs on Docker for Windows?** Check out the [Docker
|
||||
>**Looking for popular FAQs on Docker for Windows?**
|
||||
>Check out the [Docker
|
||||
Knowledge Hub](http://success.docker.com/) for knowledge base articles, FAQs,
|
||||
technical support for various subscription levels, and more.
|
||||
|
||||
|
|
|
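Review bot: Splitting `>**Looking for popular FAQs on Docker for Windows?**` and `>Check out the [Docker` onto separate lines does not by itself produce a line break, because Markdown joins consecutive lines of one blockquote paragraph and renders the newline as a space. If a visible break is the goal, end the first line with `<br>` or two trailing spaces; no `<br>` appears in the added line, and trailing spaces cannot be seen here, so please confirm which was intended. The two continuation lines starting `Knowledge Hub]` and `technical support` also lack the `>` prefix.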
@ -10,7 +10,8 @@ install package includes everything you need to run Docker on a Windows system.
|
|||
This topic describes pre-install considerations, and how to download and install
|
||||
Docker for Windows.<br><br>
|
||||
|
||||
> **Already have Docker for Windows?** If you already have Docker for
|
||||
> **Already have Docker for Windows?**
|
||||
> If you already have Docker for
|
||||
Windows installed, and are ready to get started, skip to
|
||||
[Get started with Docker for Windows](index.md) for a quick tour of
|
||||
the command line, settings, and tools.
|
||||
|
|
|
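Review bot: The break added after `> **Already have Docker for Windows?**` is a plain newline inside one blockquote paragraph, which renders as a space rather than a line break. The context line `Docker for Windows.<br><br>` shows this file already forces breaks with `<br>`, so an explicit `<br>` at the end of the new heading line would match the file and make the intent unambiguous.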
@ -47,7 +47,10 @@ For Docker Cloud, Hub, and Store, log in using the web interface.
|
|||
|
||||
You can also log in using the `docker login` command. (You can read more about `docker login` [here](/engine/reference/commandline/login.md).)
|
||||
|
||||
> **Warning**: When you use the `docker login` command, your credentials are
|
||||
> **Warning**:
|
||||
> When you use the `docker login` command, your credentials are
|
||||
stored in your home directory in `.docker/config.json`. The password is base64
|
||||
encoded in this file. If you require secure storage for this password, use the
|
||||
[Docker credential helpers](https://github.com/moby/moby-credential-helpers).
|
||||
{:.warning}
|
||||
>>>>>>> Update index.md
|
||||
|
|
|
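Review bot: The added line `>>>>>>> Update index.md` after `{:.warning}` is a leftover merge-conflict marker and must be removed before merging; as written it is published into the page and parsed as nested blockquote text. While here, prefix the three continuation lines (from `stored in your home directory` through the credential helpers link) with `> `, so the warning that the password in `.docker/config.json` is only base64 encoded stays explicitly inside the styled quote.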
@ -131,10 +131,12 @@ realtime scheduler, for tasks which cannot use the CFS scheduler. You need to
|
|||
before you can [configure the Docker daemon](#configure-the-docker-daemon) or
|
||||
[configure individual containers](#configure-individual-containers).
|
||||
|
||||
>**Warning**: CPU scheduling and prioritization are advanced kernel-level
|
||||
>**Warning**:
|
||||
>CPU scheduling and prioritization are advanced kernel-level
|
||||
features. Most users do not need to change these values from their defaults.
|
||||
Setting these values incorrectly can cause your host system to become unstable
|
||||
or unusable.
|
||||
{:.warning}
|
||||
|
||||
#### Configure the host machine's kernel
|
||||
|
||||
|
|
|
@ -55,6 +55,7 @@ instructions for enabling and configuring AppArmor or SELinux.
|
|||
> If either of the security mechanisms is enabled, do not disable it as a
|
||||
> work-around to make Docker or its containers run. Instead, configure it
|
||||
> correctly to fix any problems.
|
||||
{:.warning}
|
||||
|
||||
##### Docker daemon considerations
|
||||
|
||||
|
|
|
@ -168,10 +168,12 @@ Repository set-up instructions are different for [Docker CE](#docker-ce) and
|
|||
| Docker CE | `sudo yum install docker-ce` |
|
||||
| Docker EE | `sudo yum install docker-ee` |
|
||||
|
||||
> **Warning**: If you have multiple Docker repositories enabled, installing
|
||||
> **Warning**:
|
||||
> If you have multiple Docker repositories enabled, installing
|
||||
> or updating without specifying a version in the `yum install` or
|
||||
> `yum update` command will always install the highest possible version,
|
||||
> which may not be appropriate for your stability needs.
|
||||
{:.warning}
|
||||
|
||||
3. On production systems, you should install a specific version of Docker
|
||||
instead of always using the latest. List the available versions. This
|
||||
|
|
|
@ -204,10 +204,12 @@ from the repository.
|
|||
$ sudo apt-get install docker-ce
|
||||
```
|
||||
|
||||
> **Warning**: If you have multiple Docker repositories enabled, installing
|
||||
> **Warning**:
|
||||
> If you have multiple Docker repositories enabled, installing
|
||||
> or updating without specifying a version in the `apt-get install` or
|
||||
> `apt-get update` command will always install the highest possible version,
|
||||
> which may not be appropriate for your stability needs.
|
||||
{:.warning}
|
||||
|
||||
3. On production systems, you should install a specific version of Docker
|
||||
instead of always using the latest. This output is truncated. List the
|
||||
|
|
|
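Review bot: While this warning is being rewrapped, the unchanged line that names `apt-get update` as a command that "will always install the highest possible version" is inaccurate: `apt-get update` only refreshes the package index and installs nothing. The command that moves installed packages to newer versions is `apt-get upgrade`, so suggest correcting the wording in the same edit, since readers decide whether to pin a version based on this warning.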
@ -124,10 +124,12 @@ the repository.
|
|||
$ sudo dnf install docker-ce
|
||||
```
|
||||
|
||||
> **Warning**: If you have multiple Docker repositories enabled, installing
|
||||
> **Warning**:
|
||||
> If you have multiple Docker repositories enabled, installing
|
||||
> or updating without specifying a version in the `dnf install` or
|
||||
> `dnf update` command will always install the highest possible version,
|
||||
> which may not be appropriate for your stability needs.
|
||||
{:.warning}
|
||||
|
||||
3. On production systems, you should install a specific version of Docker
|
||||
instead of always using the latest. List the available versions. This
|
||||
|
|
|
@ -18,9 +18,11 @@ If you don't want to use `sudo` when you use the `docker` command, create a Unix
|
|||
group called `docker` and add users to it. When the `docker` daemon starts, it
|
||||
makes the ownership of the Unix socket read/writable by the `docker` group.
|
||||
|
||||
> **Warning**: The `docker` group grants privileges equivalent to the `root`
|
||||
> **Warning**:
|
||||
> The `docker` group grants privileges equivalent to the `root`
|
||||
> user. For details on how this impacts security in your system, see
|
||||
> [*Docker Daemon Attack Surface*](/engine/security/security.md#docker-daemon-attack-surface).
|
||||
{:.warning}
|
||||
|
||||
To create the `docker` group and add your user:
|
||||
|
||||
|
|
|
@ -243,10 +243,12 @@ Docker EE.
|
|||
</div>
|
||||
|
||||
|
||||
> **Warning**: If you have multiple Docker repositories enabled, installing
|
||||
> **Warning**:
|
||||
> If you have multiple Docker repositories enabled, installing
|
||||
> or updating without specifying a version in the `apt-get install` or
|
||||
> `apt-get update` command will always install the highest possible version,
|
||||
> which may not be appropriate for your stability needs.
|
||||
{:.warning}
|
||||
|
||||
3. On production systems, you should install a specific version of Docker
|
||||
instead of always using the latest. This output is truncated. List the
|
||||
|
|
|
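Review bot: The unchanged line in this warning that pairs `apt-get install` with `apt-get update` should name `apt-get upgrade`, because `apt-get update` refreshes package lists and does not install a newer Docker version. Worth correcting while the blockquote is being touched.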
@ -21,11 +21,13 @@ it will only connect to servers with a certificate signed by that CA.
|
|||
> **Warning**:
|
||||
> Using TLS and managing a CA is an advanced topic. Please familiarize yourself
|
||||
> with OpenSSL, x509 and TLS before using it in production.
|
||||
{:.warning}
|
||||
|
||||
> **Warning**:
|
||||
> These TLS commands will only generate a working set of certificates on Linux.
|
||||
> macOS comes with a version of OpenSSL that is incompatible with the
|
||||
> certificates that Docker requires.
|
||||
{:.warning}
|
||||
|
||||
## Create a CA, server and client keys with OpenSSL
|
||||
|
||||
|
@ -160,6 +162,7 @@ need to provide your client keys, certificates and trusted CA:
|
|||
> That means anyone with the keys can give any instructions to your Docker
|
||||
> daemon, giving them root access to the machine hosting the daemon. Guard
|
||||
> these keys as you would a root password!
|
||||
{:.warning}
|
||||
|
||||
## Secure by default
|
||||
|
||||
|
|
|
@ -109,11 +109,13 @@ The following image depicts the various signing keys and their relationships:
|
|||
|
||||

|
||||
|
||||
>**WARNING**: Loss of the root key is **very difficult** to recover from.
|
||||
>**WARNING**:
|
||||
> Loss of the root key is **very difficult** to recover from.
|
||||
>Correcting this loss requires intervention from [Docker
|
||||
>Support](https://support.docker.com) to reset the repository state. This loss
|
||||
>also requires **manual intervention** from every consumer that used a signed
|
||||
>tag from this repository prior to the loss.
|
||||
{:.warning}
|
||||
|
||||
You should backup the root key somewhere safe. Given that it is only required
|
||||
to create new repositories, it is a good idea to store it offline in hardware.
|
||||
|
|
|
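Review bot: The added line `> Loss of the root key is **very difficult** to recover from.` has a space after `>` while `>**WARNING**:` and the four lines below it have none, and the label is upper-case where the other warnings in this commit use `**Warning**:`. Pick one form for the whole quote, preferably `> ` on every line and `**Warning**:`, so the root-key warning is formatted like the rest.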
@ -45,11 +45,13 @@ encrypted. The entire Raft log is replicated across the other managers, ensuring
|
|||
the same high availability guarantees for secrets as for the rest of the swarm
|
||||
management data.
|
||||
|
||||
>**Warning**: Raft data is encrypted in Docker 1.13 and higher. If any of your
|
||||
>**Warning**:
|
||||
>Raft data is encrypted in Docker 1.13 and higher. If any of your
|
||||
Swarm managers run an earlier version, and one of those managers becomes the
|
||||
manager of the swarm, the secrets will be stored unencrypted in that node's Raft
|
||||
logs. Before adding any secrets, update all of your manager nodes to Docker 1.13
|
||||
to prevent secrets from being written to plain-text Raft logs.
|
||||
{:.warning}
|
||||
|
||||
When you grant a newly-created or running service access to a secret, the
|
||||
decrypted secret is mounted into the container in an in-memory filesystem at
|
||||
|
|
|
@ -151,6 +151,8 @@ Please remember to store this key in a password manager, since without it you
|
|||
will not be able to restart the manager.
|
||||
```
|
||||
|
||||
> **Warning**: When you rotate the unlock key, keep a record of the old key
|
||||
> **Warning**:
|
||||
> When you rotate the unlock key, keep a record of the old key
|
||||
> around for a few minutes, so that if a manager goes down before it gets the new
|
||||
> key, it may still be locked with the old one.
|
||||
{:.warning}
|
||||
|
|
|
@ -18,13 +18,15 @@ behave differently between default `bridge` network and
|
|||
This section briefly discusses connecting via a network port and then goes into
|
||||
detail on container linking in default `bridge` network.
|
||||
|
||||
>**Warning**: The `--link` flag is a deprecated legacy feature of Docker. It may eventually
|
||||
>**Warning**:
|
||||
>The `--link` flag is a deprecated legacy feature of Docker. It may eventually
|
||||
be removed. Unless you absolutely need to continue using it, we recommend that you use
|
||||
user-defined networks to facilitate communication between two containers instead of using
|
||||
`--link`. One feature that user-defined networks do not support that you can do
|
||||
with `--link` is sharing environmental variables between containers. However,
|
||||
you can use other mechanisms such as volumes to share environment variables
|
||||
between containers in a more controlled way.
|
||||
{:.warning}
|
||||
|
||||
## Connect using network port mapping
|
||||
|
||||
|
@ -231,6 +233,7 @@ target container of information related to the source container.
|
|||
> from Docker within a container are made available to *any* container
|
||||
> that links to it. This could have serious security implications if sensitive
|
||||
> data is stored in them.
|
||||
{:.warning}
|
||||
|
||||
Docker sets an `<alias>_NAME` environment variable for each target container
|
||||
listed in the `--link` parameter. For example, if a new container called
|
||||
|
|
|
@ -147,7 +147,9 @@ Except for registries running on secure local networks, registries should always
|
|||
|
||||
The simplest way to achieve access restriction is through basic authentication (this is very similar to other web servers' basic authentication mechanism).
|
||||
|
||||
> **Warning**: You **cannot** use authentication with an insecure registry. You have to [configure TLS first](deploying.md#running-a-domain-registry) for this to work.
|
||||
> **Warning**:
|
||||
> You **cannot** use authentication with an insecure registry. You have to [configure TLS first](deploying.md#running-a-domain-registry) for this to work.
|
||||
{:.warning}
|
||||
|
||||
First create a password file with one entry for the user "testuser", with password "testpassword":
|
||||
|
||||
|
@ -212,7 +214,9 @@ registry:
|
|||
- /path/auth:/auth
|
||||
```
|
||||
|
||||
> **Warning**: replace `/path` by whatever directory that holds your `certs` and `auth` folder from above.
|
||||
> **Warning**:
|
||||
> replace `/path` by whatever directory that holds your `certs` and `auth` folder from above.
|
||||
{:.warning}
|
||||
|
||||
You can then start your registry with a simple
|
||||
|
||||
|
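Review bot: The added line beginning `> replace` now starts its own line under `> **Warning**:`, so it should start with a capital letter ("Replace"). It also reads as an instruction about the `/path` placeholder rather than a warning; a `**Note**:` label without the `{:.warning}` class would keep the warning style for the statements in this file that carry real risk, such as the one about authentication on an insecure registry.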
@ -227,4 +231,4 @@ You will find more specific and advanced information in the following sections:
|
|||
- [Advanced "recipes"](recipes/index.md)
|
||||
- [Registry API](spec/api.md)
|
||||
- [Storage driver model](storage-drivers/index.md)
|
||||
- [Token authentication](spec/auth/token.md)
|
||||
- [Token authentication](spec/auth/token.md)
|
||||
|
|
|
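Review bot: The only change to `- [Token authentication](spec/auth/token.md)` is invisible: the line appears twice with identical text and the header counts four lines on both sides, which points to a trailing-whitespace or end-of-file newline edit unrelated to the warning class. Drop it from this commit or mention it in the commit message.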
@ -13,7 +13,9 @@ configuration.
|
|||
|
||||
## Deploying a plain HTTP registry
|
||||
|
||||
> **Warning**: it's not possible to use an insecure registry with basic authentication.
|
||||
> **Warning**:
|
||||
> it's not possible to use an insecure registry with basic authentication.
|
||||
{:.warning}
|
||||
|
||||
This basically tells Docker to entirely disregard security for your registry.
|
||||
While this is relatively easy to configure the daemon in this way, it is
|
||||
|
@ -44,7 +46,9 @@ environment.
|
|||
|
||||
## Using self-signed certificates
|
||||
|
||||
> **Warning**: using this along with basic authentication requires to **also** trust the certificate into the OS cert store for some versions of docker (see below)
|
||||
> **Warning**:
|
||||
> using this along with basic authentication requires to **also** trust the certificate into the OS cert store for some versions of docker (see below)
|
||||
{:.warning}
|
||||
|
||||
This is more secure than the insecure registry solution. You must configure every docker daemon that wants to access your registry
|
||||
|
||||
|
|
|
@ -168,7 +168,9 @@ Or with node discovery:
|
|||
|
||||
## Docker Hub as a hosted discovery service
|
||||
|
||||
> **Warning**: The Docker Hub Hosted Discovery Service **is not recommended** for production use. It's intended to be used for testing/development. See the discovery backends for production use.
|
||||
> **Warning**:
|
||||
> The Docker Hub Hosted Discovery Service **is not recommended** for production use. It's intended to be used for testing/development. See the discovery backends for production use.
|
||||
{:.warning}
|
||||
|
||||
This example uses the hosted discovery service on Docker Hub. Using
|
||||
Docker Hub's hosted discovery service requires that each node in the
|
||||
|
|