docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

lint: enable markdownlint MD022 / blanks-around-headings 

Headings should be surrounded by blank lines

Rationale: Aside from aesthetic reasons, some parsers, including kramdown, will not parse headings that don't have a blank line before, and will parse them as regular text.

Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
This commit is contained in:
David Karlsson 2024-04-17 09:36:28 +02:00
parent 3b25805488
commit b75fe78d4f
26 changed files with 290 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.markdownlint.json
View File

@ -1,5 +1,6 @@
{
"default": false,
"blanks-around-headings": true,
"hr-style": true,
"heading-start-left": true,
"single-h1": true,

3
content/admin/organization/members.md
View File

@ -45,6 +45,7 @@ To add a member to a team:
> **Note**
>
> The invitee must first accept the invitation to join the organization before being added to the team.
### Remove a member from a team
To remove a member from a specific team:
@ -52,4 +53,4 @@ To remove a member from a specific team:
1. Sign in to [Docker Hub](https://hub.docker.com).
2. Select **Organizations**, your organization, **Teams**, and then the team.
3. Select the **X** next to the users name to remove them from the team.
4. When prompted, select **Remove** to confirm.
4. When prompted, select **Remove** to confirm.

2
content/compose/compose-file/05-services.md
View File

@ -872,6 +872,7 @@ external_links:
`extra_hosts` adds hostname mappings to the container network interface configuration (`/etc/hosts` for Linux).
### Short syntax
Short syntax uses plain strings in a list. Values must set hostname and IP address for additional hosts in the form of `HOSTNAME=IP`.
```yml
@ -897,6 +898,7 @@ extra_hosts:
```
### Long syntax
Alternatively, `extra_hosts` can be set as a mapping between hostname(s) and IP(s)
```yml

1
content/compose/compose-file/compose-file-v3.md
View File

@ -595,6 +595,7 @@ credential_spec:
```
#### Example gMSA configuration
When configuring a gMSA credential spec for a service, you only need
to specify a credential spec with `config`, as shown in the following example:

2
content/compose/environment-variables/env-file.md
View File

@ -15,6 +15,7 @@ For more information, see [Environment variables precedence](envvars-precedence.
{ .important }
## Syntax
The following syntax rules apply to environment files:
- Lines beginning with `#` are processed as comments and ignored.
@ -42,6 +43,7 @@ The following syntax rules apply to environment files:
- `VAR=some\tvalue` -> `some\tvalue`
### Interpolation
Compose supports interpolation in environment files.
Interpolation is applied for unquoted and double-quoted values.
Both braced (`${VAR}`) and unbraced (`$VAR`) expressions are supported.

6
content/compose/environment-variables/set-environment-variables.md
View File

@ -104,6 +104,7 @@ web:
See [`environment` attribute](../compose-file/05-services.md#environment) for more examples on how to use it.
#### Additional information
- You can choose not to set a value and pass the environment variables from your shell straight through to your containers. It works in the same way as `docker run -e VARIABLE ...`:
```yaml
web:
@ -132,7 +133,9 @@ web:
env_file:
- web-variables.env
```
#### Additional information
- If multiple files are specified, they are evaluated in order and can override values set in previous files.
- Environment variables declared in the `.env` file cannot then be referenced again separately in the Compose file.
- If you use both the `env_file` and `environment` attribute, environment variables set by `environment` take precedence.
@ -188,6 +191,7 @@ $ docker compose --env-file ./config/.env.dev up
```
#### Additional information
- This method is useful if you want to temporarily override an `.env` file that is already referenced in your `compose.yml` file. For example you may have different `.env` files for production ( `.env.prod`) and testing (`.env.test`).
In the following example, there are two environment files, `.env` and `.env.dev`. Both have different values set for `TAG`.
@ -246,6 +250,7 @@ Similar to `docker run --env`, you can set environment variables temporarily wit
```console
$ docker compose run -e DEBUG=1 web python console.py
```
#### Additional information
- You can also pass a variable from the shell by not giving it a value:
@ -257,6 +262,7 @@ $ docker compose run -e DEBUG=1 web python console.py
The value of the `DEBUG` variable in the container is taken from the value for the same variable in the shell in which Compose is run.
## Further resources
- [Understand environment variable precedence](envvars-precedence.md).
- [Set or change predefined environment variables](envvars.md)
- [Explore best practices](best-practices.md)

1
content/compose/install/standalone.md
View File

@ -12,6 +12,7 @@ aliases:
On this page you can find instructions on how to install Compose standalone on Linux or Windows Server, from the command line.
### On Linux
> **Compose standalone**
>
> Note that Compose standalone uses the `-compose` syntax instead of the current standard syntax `compose`.

3
content/compose/intro/features-uses.md
View File

@ -63,6 +63,7 @@ For details on using production-oriented features, see
[Compose in production](../production.md).
## What's next?
- [Learn about the history of Compose](history.md)
- [Understand how Compose works](../compose-application-model.md)
- [Try Compose](../gettingstarted.md)
- [Try Compose](../gettingstarted.md)

3
content/compose/migrate.md
View File

@ -131,6 +131,7 @@ Yes. You can still download and install Compose V1 packages, but you won't get s
{ .warning }
## Additional Resources
- [docker-compose V1 on PyPI](https://pypi.org/project/docker-compose/1.29.2/)
- [docker/compose V1 on Docker Hub](https://hub.docker.com/r/docker/compose)
- [docker-compose V1 source on GitHub](https://github.com/docker/compose/releases/tag/1.29.2)
- [docker-compose V1 source on GitHub](https://github.com/docker/compose/releases/tag/1.29.2)

248
content/compose/release-notes.md
View File

File diff suppressed because it is too large Load Diff

3
content/contribute/ui.md
View File

@ -26,6 +26,7 @@ When practical, state instructions in terms of what the user should accomplish,
## Refer to UI elements
Don't use UI elements as if they were English verbs or nouns.
|Correct |Incorrect |
@ -40,4 +41,4 @@ When documenting the UI, use the following prepositions.
|Preposition |UI element | Example |
|:-----------|:------------|:-----------|
|in | dialogs <br>fields <br>lists <br>menus <br>panes <br>windows <br>| In the **Alert** dialog, select **OK**. <br> In the **Name** field, enter `wsfc-1`. <br> In the **Item** list, select **Desktop**. <br>In the **File** menu, click **Tools**.<br> In the **Metrics** pane, select **New**. <br>In the **Task** window, select **Start**. |
| on |pages <br>tabs <br>toolbars | On the **Create an instance** page, select **Add**. <br> On the **Edit** tab, select **Save**.<br> On the **Dashboard toolbar**, select **Edit**.<br>|
| on |pages <br>tabs <br>toolbars | On the **Create an instance** page, select **Add**. <br> On the **Edit** tab, select **Save**.<br> On the **Dashboard toolbar**, select **Edit**.<br>|

1
content/desktop/extensions-sdk/extensions/publish.md
View File

@ -20,6 +20,7 @@ Whenever you are [ready to publish](./DISTRIBUTION.md) your extension in the Mar
>
> The Docker manual review process for extensions is paused at the moment. Submit your extension through the [automated submission process](https://github.com/docker/extensions-submissions/issues/new?assignees=&labels=&template=1_automatic_review.yaml&title=%5BSubmission%5D%3A+)
{ .important }
### Before you submit
Before you submit your extension, it must pass the [validation](validate.md) checks.

3
content/desktop/faqs/linuxfaqs.md
View File

@ -86,6 +86,7 @@ a group with the new GID and adding our user to it, or by setting a recursive
ACL (see `setfacl(1)`) for folders shared with the Docker Desktop VM.
### Where does Docker Desktop store Linux containers?
Docker Desktop stores Linux containers and images in a single, large "disk image" file in the Linux filesystem. This is different from Docker on Linux, which usually stores containers and images in the `/var/lib/docker` directory on the host's filesystem.
#### Where is the disk image file?
@ -174,4 +175,4 @@ To reduce the maximum size of the disk image file:
3. Select **Apply & Restart**.
When you reduce the maximum size, the current disk image file is deleted, and therefore, all containers and images are lost.
When you reduce the maximum size, the current disk image file is deleted, and therefore, all containers and images are lost.

2
content/desktop/faqs/macfaqs.md
View File

@ -25,6 +25,7 @@ runs in the background. The process does not consume any resources unless
`Docker.app` connects to it, so it's safe to ignore.
### Where does Docker Desktop store Linux containers and images?
Docker Desktop stores Linux containers and images in a single, large "disk image" file in the Mac filesystem. This is different from Docker on Linux, which usually stores containers and images in the `/var/lib/docker` directory.
#### Where is the disk image file?
@ -178,6 +179,7 @@ Desktop `xhyve` virtual machine).
> under insecure registries, and does not send client certificates. Commands
> like `docker run` that attempt to pull from the registry produce error
> messages on the command line, as well as on the registry.
#### Directory structures for certificates
If you have this directory structure, you do not need to manually add the CA

5
content/desktop/hardened-desktop/enhanced-container-isolation/limitations.md
View File

@ -57,24 +57,29 @@ Windows hosts and access Docker from within (see Docker Desktop's WSL distro
integration feature, enabled via the Dashboard's **Settings** > **Resources** > **WSL Integration**).
### Docker Build and Buildx have some restrictions
With ECI enabled, Docker build `--network=host` and Docker Buildx entitlements
(`network.host`, `security.insecure`) are not allowed. Builds that require
these won't work properly.
### Kubernetes pods are not yet protected
Kubernetes pods are not yet protected by ECI. A malicious or privileged pod can
compromise the Docker Desktop Linux VM and bypass security controls.
### Extension containers are not yet protected
Extension containers are also not yet protected by ECI. Ensure you extension
containers come from trusted entities to avoid issues.
### Docker Desktop dev environments are not yet protected
Containers launched by the Docker Desktop Dev Environments feature are not yet
protected either. We expect to improve on this in future versions of Docker
Desktop.
### Use in production
In general users should not experience differences between running a container
in Docker Desktop with ECI enabled, which uses the Sysbox runtime, and running
that same container in production, through the standard OCI `runc` runtime.

1
content/desktop/hardened-desktop/settings-management/configure.md
View File

@ -205,6 +205,7 @@ The following `admin-settings.json` code and table provides an example of the re
### Step three: Re-launch Docker Desktop
>**Note**
>
>Administrators should test the changes made through the `admin-settings.json` file locally to see if the settings work as expected.

1
content/desktop/install/ubuntu.md
View File

@ -34,6 +34,7 @@ To install Docker Desktop successfully, you must:
```console
$ sudo apt install gnome-terminal
```
## Install Docker Desktop
Recommended approach to install Docker Desktop on Ubuntu:

5
content/desktop/release-notes.md
View File

@ -310,9 +310,11 @@ For frequently asked questions about Docker Desktop releases, see [FAQs](faqs/re
### Known issues
#### For all platforms
- When using Setting Management, the settings that are not set in the `admin-settings.json` will be reset to default when Docker Desktop starts.
#### For Mac
- Updating to 4.27.0 from the **Software updates** sometimes hangs. As a workaround, use the 4.27.0 installer from this page.
## 4.26.1
@ -516,6 +518,7 @@ For frequently asked questions about Docker Desktop releases, see [FAQs](faqs/re
- **Switch to Windows containers** option in the tray menu may not show up on Windows. As a workaround, edit the [`settings.json` file](https://docs.docker.com/desktop/settings/windows/) and set `"displaySwitchWinLinContainers": true`.
#### For all platforms
- Docker operations, such as pulling images or logging in, fail with 'connection refused' or 'timeout' errors if the Swap file size is set to 0MB. As a workaround, configure the swap file size to a non-zero value in the **Resources** tab in **Settings**.
## 4.24.2
@ -611,11 +614,13 @@ For frequently asked questions about Docker Desktop releases, see [FAQs](faqs/re
#### For Mac
- Creating a container with the port 53 fails with the error address `already in use`. As a workaround, deactivate network acceleration by adding `"kernelForUDP": false`, in the `settings.json` file located at `~/Library/Group Containers/group.com.docker/settings.json`.
## 4.23.0
{{< release-date date="2023-09-11" >}}
### Upgrades
- [Compose v2.21.0](https://github.com/docker/compose/releases/tag/v2.21.0)
- [Docker Engine v24.0.6](https://docs.docker.com/engine/release-notes/24.0/#2406)
- [Docker Scout CLI v0.24.1](https://github.com/docker/scout-cli/releases/tag/v0.24.1).

3
content/desktop/use-desktop/container.md
View File

@ -126,6 +126,7 @@ can also:
- Download files and folders from the container straight to the host
## Additional resources
- [What is a container](../../guides/walkthroughs/what-is-a-container.md)
- [Run a container](../../guides/walkthroughs/run-a-container.md)
- [Run multi-container applications](../../guides/walkthroughs/multi-container-apps.md)
- [Run multi-container applications](../../guides/walkthroughs/multi-container-apps.md)

1
content/desktop/use-desktop/images.md
View File

@ -101,5 +101,6 @@ Hovering over an image tag reveals two options:
- **View in Hub**: Open the Docker Hub page and display detailed information about the image.
## Additional resources
- [Run Docker Hub images](../../guides/walkthroughs/run-hub-images.md)
- [Publish your image](../../guides/walkthroughs/publish-your-image.md)

3
content/docker-hub/release-notes.md
View File

@ -201,6 +201,7 @@ to `hub.docker.com`. You can access the page at its new URL: [https://hub.docker
## 2019-10-21
### New features
* **Beta:** Docker Hub now supports two-factor authentication (2FA). Enable it in your account settings, under the **[Security](https://hub.docker.com/settings/security)** section.
> If you lose both your 2FA authentication device and recovery code, you may
@ -208,6 +209,7 @@ to `hub.docker.com`. You can access the page at its new URL: [https://hub.docker
{ .important }
### Enhancements
* As a security measure, when two-factor authentication is enabled, the Docker CLI requires a personal access token instead of a password to log in.
### Known Issues
@ -218,6 +220,7 @@ to `hub.docker.com`. You can access the page at its new URL: [https://hub.docker
## 2019-10-02
### Enhancements
* You can now manage teams and members straight from your [organization page](https://hub.docker.com/orgs).
Each organization page now breaks down into these tabs:
* **New:** Members - manage your members directly from this page (delete,

4
content/engine/security/rootless.md
View File

@ -161,6 +161,7 @@ testuser:231072:65536
- NFS mounts as the docker "data-root" is not supported. This limitation is not specific to rootless mode.
## Install
> **Note**
>
> If the system-wide Docker daemon is already running, consider disabling it:
@ -377,6 +378,7 @@ Or add `net.ipv4.ip_unprivileged_port_start=0` to `/etc/sysctl.conf` (or
`/etc/sysctl.d`) and run `sudo sysctl --system`.
### Limiting resources
Limiting resources with cgroup-related `docker run` flags such as `--cpus`, `--memory`, `--pids-limit`
is supported only when running with cgroup v2 and systemd.
See [Changing cgroup version](../../config/containers/runmetrics.md) to enable cgroup v2.
@ -409,6 +411,7 @@ EOF
> Delegating `cpuset` requires systemd 244 or later.
#### Limiting resources without cgroup
Even when cgroup is not available, you can still use the traditional `ulimit` and [`cpulimit`](https://github.com/opsengine/cpulimit),
though they work in process-granularity rather than in container-granularity,
and can be arbitrarily disabled by the container process.
@ -688,6 +691,7 @@ For more information about networking options for RootlessKit, see:
- [Port drivers](https://github.com/rootless-containers/rootlesskit/blob/v2.0.0/docs/port.md)
### Tips for debugging
**Entering into `dockerd` namespaces**
The `dockerd-rootless.sh` script executes `dockerd` in its own user, mount, and network namespaces.

1
content/get-started/overview.md
View File

@ -189,6 +189,7 @@ the default registry configuration):
stops but isn't removed. You can start it again or remove it.
## The underlying technology
Docker is written in the [Go programming language](https://golang.org/) and takes
advantage of several features of the Linux kernel to deliver its functionality.
Docker uses a technology called `namespaces` to provide the isolated workspace

3
content/network/network-tutorial-macvlan.md
View File

@ -217,6 +217,7 @@ be physically attached to the network.
```
## Other networking tutorials
- [Standalone networking tutorial](network-tutorial-standalone.md)
- [Overlay networking tutorial](network-tutorial-overlay.md)
- [Host networking tutorial](network-tutorial-host.md)
- [Host networking tutorial](network-tutorial-host.md)

7
content/samples/_index.md
View File

@ -15,16 +15,21 @@ aliases:
Learn how to containerize different types of services by walking through Official Docker samples.
## Databases
[MariaDB](../samples/mariadb.md) \| [MongoDB](../samples/mongodb.md) \| [MS-SQL](../samples/ms-sql.md) \| [MySQL](../samples/mysql.md) \| [PostgreSQL](../samples/postgres.md) \| [Redis](../samples/redis.md)
## Frameworks
[.NET](../samples/dotnet.md) \| [Angular](../samples/angular.md) \| [Django](../samples/django.md) \| [Express](../samples/express.md) \|[FastAPI](../samples/fastapi.md) \| [Flask](../samples/flask.md) \| [Node.js](../samples/nodejs.md) \| [React](../samples/react.md) \| [Rails](../samples/rails.md) \| [Spark](../samples/spark.md) \| [Spring Boot](../samples/spring.md) \| [Vue.js](../samples/vuejs.md)
## Languages
[Go](../samples/go.md) \| [Java](../samples/java.md) \| [JavaScript](../samples/javascript.md) \| [PHP](../samples/php.md) \| [Python](../samples/python.md) \| [Ruby](../samples/ruby.md) \| [Rust](../samples/rust.md) \| [TypeScript](../samples/typescript.md)
## Platforms
[Gitea](../samples/gitea.md) \| [Nextcloud](../samples/nextcloud.md) \| [Portainer](../samples/portainer.md) \| [Prometheus](../samples/prometheus.md) \| [WordPress](../samples/wordpress.md)
## Other samples
[AI/ML](../samples/ai-ml.md) \| [Cloudflared](../samples/cloudflared.md) \| [Elasticsearch / Logstash / Kibana](../samples/elasticsearch.md) \| [Minecraft](../samples/minecraft.md) \| [NGINX](../samples/nginx.md) \| [Pi-hole](../samples/pi-hole.md) \| [Plex](../samples/plex.md) \| [Traefik](../samples/traefik.md) \| [WireGuard](../samples/wireguard.md)
[AI/ML](../samples/ai-ml.md) \| [Cloudflared](../samples/cloudflared.md) \| [Elasticsearch / Logstash / Kibana](../samples/elasticsearch.md) \| [Minecraft](../samples/minecraft.md) \| [NGINX](../samples/nginx.md) \| [Pi-hole](../samples/pi-hole.md) \| [Plex](../samples/plex.md) \| [Traefik](../samples/traefik.md) \| [WireGuard](../samples/wireguard.md)

9
content/security/security-announcements.md
View File

@ -46,31 +46,37 @@ If you are unable to update to an unaffected version promptly, follow these best
### Technical details and impact
#### CVE-2024-21626 (High)
In runc v1.1.11 and earlier, due to certain leaked file descriptors, an attacker can gain access to the host filesystem by causing a newly-spawned container process (from `runc exec`) to have a working directory in the host filesystem namespace, or by tricking a user to run a malicious image and allow a container process to gain access to the host filesystem through `runc run`. The attacks can also be adapted to overwrite semi-arbitrary host binaries, allowing for complete container escapes. Note that when using higher-level runtimes (such as Docker or Kubernetes), this vulnerability can be exploited by running a malicious container image without additional configuration or by passing specific workdir options when starting a container. The vulnerability can also be exploited from within Dockerfiles in the case of Docker.
_The issue has been fixed in runc v1.1.12._
#### CVE-2024-23651 (High)
In BuildKit <= v0.12.4, two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition, leading to files from the host system being accessible to the build container. This will only occur if a user is trying to build a Dockerfile of a malicious project.
_The issue has been fixed in BuildKit v0.12.5._
#### CVE-2024-23652 (High)
In BuildKit <= v0.12.4, a malicious BuildKit frontend or Dockerfile using `RUN --mount` could trick the feature that removes empty files created for the mountpoints into removing a file outside the container from the host system. This will only occur if a user is using a malicious Dockerfile.
_The issue has been fixed in BuildKit v0.12.5._
#### CVE-2024-23653 (High)
In addition to running containers as build steps, BuildKit also provides APIs for running interactive containers based on built images. In BuildKit <= v0.12.4, it is possible to use these APIs to ask BuildKit to run a container with elevated privileges. Normally, running such containers is only allowed if special `security.insecure` entitlement is enabled both by buildkitd configuration and allowed by the user initializing the build request.
_The issue has been fixed in BuildKit v0.12.5._
#### CVE-2024-23650 (Medium)
In BuildKit <= v0.12.4, a malicious BuildKit client or frontend could craft a request that could lead to BuildKit daemon crashing with a panic.
_The issue has been fixed in BuildKit v0.12.5._
#### CVE-2024-24557 (Medium)
In Moby <= v25.0.1 and <= v24.0.8, the classic builder cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some instructions (most important being `HEALTHCHECK` and `ONBUILD`) would not cause a cache miss. An attacker with knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered a valid cache candidate for some build steps.
_The issue has been fixed in Moby >= v25.0.2 and >= v24.0.9._
@ -78,16 +84,19 @@ _The issue has been fixed in Moby >= v25.0.2 and >= v24.0.9._
### How are Docker products affected?
#### Docker Desktop
Docker Desktop v4.27.0 and earlier are affected. Docker Desktop v4.27.1 was released on February 1 and includes runc, BuildKit, and dockerd binaries patches. In addition to updating to this new version, we encourage all Docker users to diligently use Docker images and Dockerfiles and ensure you only use trusted content in your builds.
As always, you should check Docker Desktop system requirements for your operating system ([Windows](../desktop/install/windows-install.md#system-requirements), [Linux](../desktop/install/linux-install.md#general-system-requirements), [Mac](../desktop/install/mac-install.md#system-requirements)) before updating to ensure full compatibility.
#### Docker Build Cloud
Any new Docker Build Cloud builder instances will be provisioned with the latest Docker Engine and BuildKit versions and will, therefore, be unaffected by these CVEs. Updates have also been rolled out to existing Docker Build Cloud builders.
_No other Docker products are affected by these vulnerabilities._
### Advisory links
* Runc
* [CVE-2024-21626](https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv)
* BuildKit