Merge pull request #748 from docker/fips-engine-config-672

FIPS 140-2 engine configuration 672

engine/swarm/join-nodes.md

@@ -4,7 +4,11 @@ keywords: guide, swarm mode, node
 title: Join nodes to a swarm
 ---
 
-When you first create a swarm, you place a single Docker Engine (Engine) into
+> BETA DISCLAIMER
+>
+> This is beta content. It is not yet complete and should be considered a work in progress. This content is subject to change without notice.
+
+When you first create a swarm, you place a single Docker Engine into
 swarm mode. To take full advantage of swarm mode you can add nodes to the swarm:
 
 * Adding worker nodes increases capacity. When you deploy a service to a swarm,
@@ -26,6 +30,10 @@ the `docker swarm join` command. The node only uses the token at join time. If
 you subsequently rotate the token, it doesn't affect existing swarm nodes. Refer
 to [Run Docker Engine in swarm mode](swarm-mode.md#view-the-join-command-or-update-a-swarm-join-token).
 
+**NOTE:** Docker engine allows a non-FIPS node to join a FIPS-enabled swarm cluster. 
+
+While a mixed FIPS environment makes upgrading or changing status easier, Docker recommends not running a mixed FIPS environment in production.
+
 ## Join as a worker node
 
 To retrieve the join command including the join token for worker nodes, run the

install/linux/docker-ee/rhel.md

@@ -9,6 +9,10 @@ redirect_from:
 title: Get Docker EE for Red Hat Enterprise Linux
 ---
 
+> BETA DISCLAIMER
+>
+> This is beta content. It is not yet complete and should be considered a work in progress. This content is subject to change without notice.
+
 {% assign linux-dist = "rhel" %}
 {% assign linux-dist-cap = "RHEL" %}
 {% assign linux-dist-url-slug = "rhel" %}
@@ -44,6 +48,61 @@ On {{ linux-dist-long }}, Docker EE supports storage drivers, `overlay2` and `de
 
 - [Device Mapper](/storage/storagedriver/device-mapper-driver/){: target="_blank" class="_" }: On production systems using `devicemapper`, you must use `direct-lvm` mode, which requires one or more dedicated block devices. Fast storage such as solid-state media (SSD) is recommended. Do not start Docker until properly configured per the [storage guide](/storage/storagedriver/device-mapper-driver/){: target="_blank" class="_" }.
 
+### FIPS 140-2 cryptographic module support
+
+[Federal Information Processing Standards (FIPS) Publication 140-2](https://csrc.nist.gov/csrc/media/publications/fips/140/2/final/documents/fips1402.pdf) is a United States Federal security requirement for cryptographic modules. 
+
+With Docker EE Basic license for versions 18.03 and later, Docker provides FIPS 140-2 support in RHEL 7.3, 7.4 and 7.5. This includes a FIPS supported cryptographic module. If the RHEL implementation already has FIPS support enabled, FIPS is automatically enabled in the Docker engine.
+
+To verify the FIPS-140-2 module is enabled in the Linux kernel, confirm the file `/proc/sys/crypto/fips_enabled.conf` contains `1`.
+
+```
+$ cat /proc/sys/crypto/fips_enabled.conf
+1
+```
+
+**NOTE:** FIPS is only supported in the Docker EE engine. UCP and DTR currently do not have support for FIPS-140-2. 
+
+To enable FIPS 140-2 compliance on a system that is not in FIPS 140-2 mode, do the following:
+
+Create a file called `/etc/systemd/system/docker.service.d/fips-module.conf`. It needs to contain the following:
+
+```
+[Service]
+Environment="DOCKER_FIPS=1"
+```
+
+Reload the Docker configuration to systemd.
+
+`$ sudo systemctl daemon-reload`
+
+Restart the Docker service as root.
+
+`$ sudo systemctl restart docker`
+
+To confirm Docker is running with FIPS-140-2 enabled, run the `docker info` command:
+
+```
+$ docker info --format '{{ .SecurityOptions }}'
+[name=selinux name=fips]
+```
+
+### Disabling FIPS-140-2 
+
+If the system has the FIPS 140-2 cryptographic module installed on the operating system, 
+it is possible to disable FIPS-140-2 compliance. 
+
+To disable FIPS 140-2 in Docker but not the operating system, set the value `DOCKER_FIPS=0` 
+in the `/etc/systemd/system/docker.service.d/fips-module.conf`.
+
+Reload the Docker configuration to systemd.
+
+`$ sudo systemctl daemon-reload`
+
+Restart the Docker service as root.
+
+`$ sudo systemctl restart docker`
+
 ### Find your Docker EE repo URL
 
 {% include ee-linux-install-reuse.md section="find-ee-repo-url" %}

install/windows/docker-ee.md

@@ -7,13 +7,13 @@ redirect_from:
 - /engine/installation/windows/docker-ee/
 ---
 
+> BETA DISCLAIMER
+>
+> This is beta content. It is not yet complete and should be considered a work in progress. This content is subject to change without notice.
+
 {% capture filename %}{{ page.win_latest_build }}.zip{% endcapture %} {% capture download_url %}https://download.docker.com/components/engine/windows-server/{{ site.docker_ee_version }}/{{ filename }}{% endcapture %}
 
-Docker Enterprise Edition for Windows Server (*Docker EE*) enables native
+Docker Enterprise Edition for Windows Server (*Docker EE*) enables native Docker containers on Windows Server. Windows Server 2016 and later versions are supported. The Docker EE installation package includes everything you need to run Docker on Windows Server.  This topic describes pre-install considerations, and how to download and install Docker EE.
-Docker containers on Windows Server. Windows Server 2016 and later versions are supported. The Docker EE installation package
-includes everything you need to run Docker on Windows Server.
-This topic describes pre-install considerations, and how to download and
-install Docker EE.
 
 > Release notes
 >
@@ -73,6 +73,37 @@ sconfig
 
 Select option `6) Download and Install Updates`.
 
+
+### FIPS 140-2 cryptographic module support
+
+[Federal Information Processing Standards (FIPS) Publication 140-2](https://csrc.nist.gov/csrc/media/publications/fips/140/2/final/documents/fips1402.pdf) is a United States Federal security requirement for cryptographic modules.
+
+With Docker EE Basic license for versions 18.09 and later, Docker provides FIPS 140-2 support in Windows Server 2016. This includes a FIPS supported cryptographic module. If the Windows implementation already has FIPS support enabled, FIPS is automatically enabled in the Docker engine.
+
+**NOTE:** FIPS 140-2 is only supported in the Docker EE engine. UCP and DTR currently do not have support for FIPS 140-2.
+
+To enable FIPS 140-2 compliance on a system that is not in FIPS 140-2 mode, do the following in PowerShell:
+
+```
+[System.Environment]::SetEnvironmentVariable("DOCKER_FIPS", "1", "Machine") 
+```
+
+Restart the Docker service by running the following command.
+
+```
+net stop docker
+net start docker
+```
+
+To confirm Docker is running with FIPS-140-2 enabled, run the `docker info` command:
+
+```
+Labels:    
+ com.docker.security.fips=enabled 
+```
+
+**NOTE:** If the system has the FIPS-140-2 cryptographic module installed on the operating system, it is possible to disable FIPS-140-2 compliance. To disable FIPS-140-2 in Docker but not the operating system, set the value `"DOCKER_FIPS","0"` in the `[System.Environment]`.`
+
 ## Use a script to install Docker EE
 
 Use the following steps when you want to install manually, script automated