diff --git a/compose/compose-file/index.md b/compose/compose-file/index.md index 0010b823c6..aca96d4ba2 100644 --- a/compose/compose-file/index.md +++ b/compose/compose-file/index.md @@ -957,11 +957,13 @@ container access to the secret and mounts it at `/run/secrets/` within the container. The source name and destination mountpoint are both set to the secret name. -> **Warning**: Due to a bug in Docker 1.13.1, using the short syntax currently +> **Warning**: +> Due to a bug in Docker 1.13.1, using the short syntax currently > mounts the secret with permissions `000`, which means secrets defined using > the short syntax are unreadable within the container if the command does not > run as the `root` user. The workaround is to use the long syntax instead if > you use Docker 1.13.1 and the secret must be read by a non-`root` user. +{:.warning} The following example uses the short syntax to grant the `redis` service access to the `my_secret` and `my_other_secret` secrets. The value of diff --git a/datacenter/ucp/1.1/install-sandbox-2.md b/datacenter/ucp/1.1/install-sandbox-2.md index c4da8242d1..c4add6ff57 100644 --- a/datacenter/ucp/1.1/install-sandbox-2.md +++ b/datacenter/ucp/1.1/install-sandbox-2.md @@ -36,8 +36,10 @@ between UCP and DTR, and between DTR and your Docker Engine/docker-trusted-registry/repos-and-images/, but for our sandbox deployment we can skip this. -> **Warning**: These steps produce an insecure DTR connection. Do not use these +> **Warning**: +> These steps produce an insecure DTR connection. Do not use these configuration steps for a production deployment. +{:.warning} To allow the Docker Engine to connect to DTR despite it having a self-signed certificate, we'll specify that there is one insecure registry that we'll allow diff --git a/datacenter/ucp/2.1/guides/admin/configure/scale-your-cluster.md b/datacenter/ucp/2.1/guides/admin/configure/scale-your-cluster.md index 34ab581977..4b75972a68 100644 
--- a/datacenter/ucp/2.1/guides/admin/configure/scale-your-cluster.md +++ b/datacenter/ucp/2.1/guides/admin/configure/scale-your-cluster.md @@ -77,8 +77,10 @@ in UCP. SSH and run `docker swarm leave --force` directly against the local docker engine. - >**Warning**: Do not perform this step if the node is still a manager, as + >**Warning**: + >Do not perform this step if the node is still a manager, as >that may cause loss of quorum. + {:.warning} 3. Now that the status of the node is reported as `Down`, you may remove the node: diff --git a/docker-for-mac/docker-toolbox.md b/docker-for-mac/docker-toolbox.md index cfc2f322f1..00de0d7463 100644 --- a/docker-for-mac/docker-toolbox.md +++ b/docker-for-mac/docker-toolbox.md @@ -71,8 +71,9 @@ If you need several VMs and want to manage the version of the Docker client or s >**Note**: If you have a shell script as part of your profile that sets these `DOCKER` environment variables automatically each time you open a command window, then you will need to unset these each time you want to use Docker for Mac. -> **Warning**: If you install Docker for Mac on a machine where Docker Toolbox is installed, it will replace the `docker` and `docker-compose` command lines in `/usr/local/bin` with symlinks to its own versions. - +> **Warning**: +> If you install Docker for Mac on a machine where Docker Toolbox is installed, it will replace the `docker` and `docker-compose` command lines in `/usr/local/bin` with symlinks to its own versions. +{:.warning} ## Docker Toolbox and Docker for Mac coexistence diff --git a/docker-for-windows/faqs.md b/docker-for-windows/faqs.md index 65eba7e1ac..da9cebb54f 100644 --- a/docker-for-windows/faqs.md +++ b/docker-for-windows/faqs.md 
@@ -4,7 +4,8 @@ keywords: windows faqs title: Frequently asked questions (FAQ) --- ->**Looking for popular FAQs on Docker for Windows?** Check out the [Docker +>**Looking for popular FAQs on Docker for Windows?** +>Check out the [Docker Knowledge Hub](http://success.docker.com/) for knowledge base articles, FAQs, technical support for various subscription levels, and more. diff --git a/docker-for-windows/install.md b/docker-for-windows/install.md index 726b713aa0..fd98d59873 100644 --- a/docker-for-windows/install.md +++ b/docker-for-windows/install.md @@ -10,7 +10,8 @@ install package includes everything you need to run Docker on a Windows system. This topic describes pre-install considerations, and how to download and install Docker for Windows.

-> **Already have Docker for Windows?** If you already have Docker for +> **Already have Docker for Windows?** +> If you already have Docker for Windows installed, and are ready to get started, skip to [Get started with Docker for Windows](index.md) for a quick tour of the command line, settings, and tools. diff --git a/docker-id/index.md b/docker-id/index.md index d3ba06a58c..10f0e92293 100644 --- a/docker-id/index.md +++ b/docker-id/index.md @@ -47,7 +47,10 @@ For Docker Cloud, Hub, and Store, log in using the web interface. You can also log in using the `docker login` command. (You can read more about `docker login` [here](/engine/reference/commandline/login.md).) -> **Warning**: When you use the `docker login` command, your credentials are +> **Warning**: +> When you use the `docker login` command, your credentials are stored in your home directory in `.docker/config.json`. The password is base64 encoded in this file. If you require secure storage for this password, use the [Docker credential helpers](https://github.com/moby/moby-credential-helpers). +{:.warning} +>>>>>>> Update index.md diff --git a/engine/admin/resource_constraints.md b/engine/admin/resource_constraints.md index ad9825b6bf..8a35d6e624 100644 --- a/engine/admin/resource_constraints.md +++ b/engine/admin/resource_constraints.md @@ -131,10 +131,12 @@ realtime scheduler, for tasks which cannot use the CFS scheduler. You need to before you can [configure the Docker daemon](#configure-the-docker-daemon) or [configure individual containers](#configure-individual-containers). ->**Warning**: CPU scheduling and prioritization are advanced kernel-level +>**Warning**: +>CPU scheduling and prioritization are advanced kernel-level features. Most users do not need to change these values from their defaults. Setting these values incorrectly can cause your host system to become unstable or unusable. +{:.warning} #### Configure the host machine's kernel 
diff --git a/engine/installation/binaries.md b/engine/installation/binaries.md index e3a0b61433..1f5ac63a24 100644 --- a/engine/installation/binaries.md +++ b/engine/installation/binaries.md @@ -55,6 +55,7 @@ instructions for enabling and configuring AppArmor or SELinux. > If either of the security mechanisms is enabled, do not disable it as a > work-around to make Docker or its containers run. Instead, configure it > correctly to fix any problems. +{:.warning} ##### Docker daemon considerations diff --git a/engine/installation/linux/centos.md b/engine/installation/linux/centos.md index 3d945e60a0..2789817370 100644 --- a/engine/installation/linux/centos.md +++ b/engine/installation/linux/centos.md @@ -168,10 +168,12 @@ Repository set-up instructions are different for [Docker CE](#docker-ce) and | Docker CE | `sudo yum install docker-ce` | | Docker EE | `sudo yum install docker-ee` | - > **Warning**: If you have multiple Docker repositories enabled, installing + > **Warning**: + > If you have multiple Docker repositories enabled, installing > or updating without specifying a version in the `yum install` or > `yum update` command will always install the highest possible version, > which may not be appropriate for your stability needs. + {:.warning} 3. On production systems, you should install a specific version of Docker instead of always using the latest. List the available versions. This diff --git a/engine/installation/linux/debian.md b/engine/installation/linux/debian.md index 9bb7a49a54..a5e7e05aca 100644 --- a/engine/installation/linux/debian.md +++ b/engine/installation/linux/debian.md 
@@ -204,10 +204,12 @@ from the repository. $ sudo apt-get install docker-ce ``` - > **Warning**: If you have multiple Docker repositories enabled, installing + > **Warning**: + > If you have multiple Docker repositories enabled, installing > or updating without specifying a version in the `apt-get install` or > `apt-get update` command will always install the highest possible version, > which may not be appropriate for your stability needs. + {:.warning} 3. On production systems, you should install a specific version of Docker instead of always using the latest. This output is truncated. List the diff --git a/engine/installation/linux/fedora.md b/engine/installation/linux/fedora.md index 5fed6c160a..32ab1afd87 100644 --- a/engine/installation/linux/fedora.md +++ b/engine/installation/linux/fedora.md @@ -124,10 +124,12 @@ the repository. $ sudo dnf install docker-ce ``` - > **Warning**: If you have multiple Docker repositories enabled, installing + > **Warning**: + > If you have multiple Docker repositories enabled, installing > or updating without specifying a version in the `dnf install` or > `dnf update` command will always install the highest possible version, > which may not be appropriate for your stability needs. + {:.warning} 3. On production systems, you should install a specific version of Docker instead of always using the latest. List the available versions. This diff --git a/engine/installation/linux/linux-postinstall.md b/engine/installation/linux/linux-postinstall.md index 4836db1c9a..8ad0e12c44 100644 --- a/engine/installation/linux/linux-postinstall.md +++ b/engine/installation/linux/linux-postinstall.md 
@@ -18,9 +18,11 @@ If you don't want to use `sudo` when you use the `docker` command, create a Unix group called `docker` and add users to it. When the `docker` daemon starts, it makes the ownership of the Unix socket read/writable by the `docker` group. -> **Warning**: The `docker` group grants privileges equivalent to the `root` +> **Warning**: +> The `docker` group grants privileges equivalent to the `root` > user. For details on how this impacts security in your system, see > [*Docker Daemon Attack Surface*](/engine/security/security.md#docker-daemon-attack-surface). +{:.warning} To create the `docker` group and add your user: diff --git a/engine/installation/linux/ubuntu.md b/engine/installation/linux/ubuntu.md index 24ef7677d5..6070d3f795 100644 --- a/engine/installation/linux/ubuntu.md +++ b/engine/installation/linux/ubuntu.md @@ -243,10 +243,12 @@ Docker EE. - > **Warning**: If you have multiple Docker repositories enabled, installing + > **Warning**: + > If you have multiple Docker repositories enabled, installing > or updating without specifying a version in the `apt-get install` or > `apt-get update` command will always install the highest possible version, > which may not be appropriate for your stability needs. + {:.warning} 3. On production systems, you should install a specific version of Docker instead of always using the latest. This output is truncated. List the diff --git a/engine/security/https.md b/engine/security/https.md index 70f2ec6f72..7419f18bf3 100644 --- a/engine/security/https.md +++ b/engine/security/https.md 
@@ -21,11 +21,13 @@ it will only connect to servers with a certificate signed by that CA. > **Warning**: > Using TLS and managing a CA is an advanced topic. Please familiarize yourself > with OpenSSL, x509 and TLS before using it in production. +{:.warning} > **Warning**: > These TLS commands will only generate a working set of certificates on Linux. > macOS comes with a version of OpenSSL that is incompatible with the > certificates that Docker requires. +{:.warning} ## Create a CA, server and client keys with OpenSSL @@ -160,6 +162,7 @@ need to provide your client keys, certificates and trusted CA: > That means anyone with the keys can give any instructions to your Docker > daemon, giving them root access to the machine hosting the daemon. Guard > these keys as you would a root password! +{:.warning} ## Secure by default diff --git a/engine/security/trust/content_trust.md b/engine/security/trust/content_trust.md index a7af80e7e2..48242bece4 100644 --- a/engine/security/trust/content_trust.md +++ b/engine/security/trust/content_trust.md @@ -109,11 +109,13 @@ The following image depicts the various signing keys and their relationships: ![Content trust components](images/trust_components.png) ->**WARNING**: Loss of the root key is **very difficult** to recover from. +>**WARNING**: +> Loss of the root key is **very difficult** to recover from. >Correcting this loss requires intervention from [Docker >Support](https://support.docker.com) to reset the repository state. This loss >also requires **manual intervention** from every consumer that used a signed >tag from this repository prior to the loss. +{:.warning} You should backup the root key somewhere safe. Given that it is only required to create new repositories, it is a good idea to store it offline in hardware. diff --git a/engine/swarm/secrets.md b/engine/swarm/secrets.md index 38a8f02620..ec969d47be 100644 --- a/engine/swarm/secrets.md +++ b/engine/swarm/secrets.md 
@@ -45,11 +45,13 @@ encrypted. The entire Raft log is replicated across the other managers, ensuring the same high availability guarantees for secrets as for the rest of the swarm management data. ->**Warning**: Raft data is encrypted in Docker 1.13 and higher. If any of your +>**Warning**: +>Raft data is encrypted in Docker 1.13 and higher. If any of your Swarm managers run an earlier version, and one of those managers becomes the manager of the swarm, the secrets will be stored unencrypted in that node's Raft logs. Before adding any secrets, update all of your manager nodes to Docker 1.13 to prevent secrets from being written to plain-text Raft logs. +{:.warning} When you grant a newly-created or running service access to a secret, the decrypted secret is mounted into the container in an in-memory filesystem at diff --git a/engine/swarm/swarm_manager_locking.md b/engine/swarm/swarm_manager_locking.md index ad8262bd38..bebb599b4b 100644 --- a/engine/swarm/swarm_manager_locking.md +++ b/engine/swarm/swarm_manager_locking.md @@ -151,6 +151,8 @@ Please remember to store this key in a password manager, since without it you will not be able to restart the manager. ``` -> **Warning**: When you rotate the unlock key, keep a record of the old key +> **Warning**: +> When you rotate the unlock key, keep a record of the old key > around for a few minutes, so that if a manager goes down before it gets the new > key, it may still be locked with the old one. +{:.warning} diff --git a/engine/userguide/networking/default_network/dockerlinks.md b/engine/userguide/networking/default_network/dockerlinks.md index 7e951d46f2..868ce27141 100644 --- a/engine/userguide/networking/default_network/dockerlinks.md +++ b/engine/userguide/networking/default_network/dockerlinks.md 
@@ -18,13 +18,15 @@ behave differently between default `bridge` network and This section briefly discusses connecting via a network port and then goes into detail on container linking in default `bridge` network. ->**Warning**: The `--link` flag is a deprecated legacy feature of Docker. It may eventually +>**Warning**: +>The `--link` flag is a deprecated legacy feature of Docker. It may eventually be removed. Unless you absolutely need to continue using it, we recommend that you use user-defined networks to facilitate communication between two containers instead of using `--link`. One feature that user-defined networks do not support that you can do with `--link` is sharing environmental variables between containers. However, you can use other mechanisms such as volumes to share environment variables between containers in a more controlled way. +{:.warning} ## Connect using network port mapping @@ -231,6 +233,7 @@ target container of information related to the source container. > from Docker within a container are made available to *any* container > that links to it. This could have serious security implications if sensitive > data is stored in them. +{:.warning} Docker sets an `_NAME` environment variable for each target container listed in the `--link` parameter. For example, if a new container called diff --git a/registry/deploying.md b/registry/deploying.md index 163f74efdb..4f68661d37 100644 --- a/registry/deploying.md +++ b/registry/deploying.md 
@@ -147,7 +147,9 @@ Except for registries running on secure local networks, registries should always The simplest way to achieve access restriction is through basic authentication (this is very similar to other web servers' basic authentication mechanism). -> **Warning**: You **cannot** use authentication with an insecure registry. You have to [configure TLS first](deploying.md#running-a-domain-registry) for this to work. +> **Warning**: +> You **cannot** use authentication with an insecure registry. You have to [configure TLS first](deploying.md#running-a-domain-registry) for this to work. +{:.warning} First create a password file with one entry for the user "testuser", with password "testpassword": @@ -212,7 +214,9 @@ registry: - /path/auth:/auth ``` -> **Warning**: replace `/path` by whatever directory that holds your `certs` and `auth` folder from above. +> **Warning**: +> replace `/path` by whatever directory that holds your `certs` and `auth` folder from above. +{:.warning} You can then start your registry with a simple @@ -227,4 +231,4 @@ You will find more specific and advanced information in the following sections: - [Advanced "recipes"](recipes/index.md) - [Registry API](spec/api.md) - [Storage driver model](storage-drivers/index.md) - - [Token authentication](spec/auth/token.md) \ No newline at end of file + - [Token authentication](spec/auth/token.md) diff --git a/registry/insecure.md b/registry/insecure.md index 2f8e19a6b3..e629d4b576 100644 --- a/registry/insecure.md +++ b/registry/insecure.md @@ -13,7 +13,9 @@ configuration. ## Deploying a plain HTTP registry -> **Warning**: it's not possible to use an insecure registry with basic authentication. +> **Warning**: +> it's not possible to use an insecure registry with basic authentication. +{:.warning} This basically tells Docker to entirely disregard security for your registry. While this is relatively easy to configure the daemon in this way, it is 
@@ -44,7 +46,9 @@ environment. ## Using self-signed certificates -> **Warning**: using this along with basic authentication requires to **also** trust the certificate into the OS cert store for some versions of docker (see below) +> **Warning**: +> using this along with basic authentication requires to **also** trust the certificate into the OS cert store for some versions of docker (see below) +{:.warning} This is more secure than the insecure registry solution. You must configure every docker daemon that wants to access your registry diff --git a/swarm/discovery.md b/swarm/discovery.md index cf5a7213fe..f535c160e2 100644 --- a/swarm/discovery.md +++ b/swarm/discovery.md @@ -168,7 +168,9 @@ Or with node discovery: ## Docker Hub as a hosted discovery service -> **Warning**: The Docker Hub Hosted Discovery Service **is not recommended** for production use. It's intended to be used for testing/development. See the discovery backends for production use. +> **Warning**: +> The Docker Hub Hosted Discovery Service **is not recommended** for production use. It's intended to be used for testing/development. See the discovery backends for production use. +{:.warning} This example uses the hosted discovery service on Docker Hub. Using Docker Hub's hosted discovery service requires that each node in the
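
Review bot: A leftover merge-conflict marker is committed in the docker-id/index.md hunk: the added line `>>>>>>> Update index.md` directly follows `{:.warning}` and will be published as page content. Drop that line before merging and check the rest of the file for matching `<<<<<<<` and `=======` markers. In the same hunk the continuation lines starting `stored in your home directory` carry no `>` prefix, unlike the new `> When you use the` line above them; prefix them so the quote is uniform.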
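
Review bot: The warning reformatted in the engine/installation/linux/debian.md and ubuntu.md hunks says that running `apt-get update` without a version "will always install the highest possible version", but `apt-get update` only refreshes the package index and installs nothing. Since the block is being touched anyway, change the second command to `apt-get upgrade` (the counterpart of `yum update` and `dnf update` in the centos.md and fedora.md hunks) so the warning names a command that actually changes the installed version.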
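
Review bot: The added `{:.warning}` line in the datacenter/ucp/1.1/install-sandbox-2.md, engine/admin/resource_constraints.md, engine/swarm/secrets.md and first engine/userguide/networking/default_network/dockerlinks.md hunks comes straight after continuation lines that have no `>` prefix (for example `configuration steps for a production deployment.`), so the quote ends on a lazily continued paragraph line. Prefix those continuation lines with `>` as the compose-file and linux-postinstall hunks do, and confirm in a local build that the attribute is applied to the blockquote on these four pages rather than rendered as text.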
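
Review bot: The engine/security/trust/content_trust.md hunk keeps the label as `**WARNING**` while every other hunk in this patch uses `**Warning**`, and the added line `> Loss of the root key` has a space after `>` where the unchanged lines below it (`>Correcting this loss requires`) have none. Normalise the label case and the `>` spacing in this block so it matches the convention the rest of the change establishes.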
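
Review bot: Moving the label onto its own line in the registry/deploying.md and registry/insecure.md hunks leaves three warning bodies starting in lower case (the lines beginning "> replace", "> it's not possible" and "> using this along with"); capitalise them now that each starts a line. The "replace `/path`" text in the second deploying.md hunk is an instruction about the sample paths rather than a hazard, so consider marking it as a note and leaving off `{:.warning}` there.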