diff --git a/content/manuals/enterprise/security/hardened-desktop/air-gapped-containers.md b/content/manuals/enterprise/security/hardened-desktop/air-gapped-containers.md index a34248a54dd7..2652148e8cf1 100644 --- a/content/manuals/enterprise/security/hardened-desktop/air-gapped-containers.md +++ b/content/manuals/enterprise/security/hardened-desktop/air-gapped-containers.md @@ -1,11 +1,12 @@ --- title: Air-gapped containers -description: Control container network access with air-gapped containers using custom proxy rules and network restrictions -keywords: air gapped containers, network security, proxy configuration, container isolation, docker desktop +description: Restrict outbound container traffic using proxy rules, PAC files, and network isolation with Docker Desktop air-gapped containers +keywords: air gapped containers, network security, proxy configuration, container isolation, docker desktop, PAC file, network isolation aliases: - /desktop/hardened-desktop/settings-management/air-gapped-containers/ - /desktop/hardened-desktop/air-gapped-containers/ - /security/for-admins/hardened-desktop/air-gapped-containers/ +weight: 30 --- {{< summary-bar feature_name="Air-gapped containers" >}} 
@@ -14,17 +15,13 @@ Air-gapped containers let you restrict container network access by controlling w Docker Desktop can configure container network traffic to accept connections, reject connections, or tunnel through HTTP or SOCKS proxies. You control which TCP ports the policy applies to and whether to use a single proxy or per-destination policies via Proxy Auto-Configuration (PAC) files. -This page provides an overview of air-gapped containers and configuration steps. - ## Who should use air-gapped containers? -Air-gapped containers help organizations maintain security in restricted environments: +Use air-gapped containers if: -- Secure development environments: Prevent containers from accessing unauthorized external services -- Compliance requirements: Meet regulatory standards that require network isolation -- Data loss prevention: Block containers from uploading sensitive data to external services -- Supply chain security: Control which external resources containers can access during builds -- Corporate network policies: Enforce existing network security policies for containerized applications +- Your organization requires containers to communicate only with approved internal services +- You need to meet compliance standards that mandate network isolation (such as SOC 2, ISO 27001, or PCI DSS) +- You want to prevent containers from leaking data or reaching unapproved external endpoints during builds or at runtime ## How air-gapped containers work 
@@ -47,8 +44,7 @@ Before configuring air-gapped containers, you must have: - [Enforce sign-in](/manuals/enterprise/security/enforce-sign-in/_index.md) enabled to ensure users authenticate with your organization - A Docker Business subscription -- Configured [Settings Management](/manuals/enterprise/security/hardened-desktop/settings-management/_index.md) to manage organization policies -- Downloaded Docker Desktop 4.29 or later +- Configured [Settings Management](/manuals/enterprise/security/hardened-desktop/settings-management/_index.md) with the `admin-settings.json` file to manage organization policies ## Configure air-gapped containers @@ -144,8 +140,8 @@ function FindProxyForURL(url, host) { ### General considerations - - `FindProxyForURL` function URL parameter format is http://host_or_ip:port or https://host_or_ip:port - - If you have an internal container trying to access https://docs.docker.com/enterprise/security/hardened-desktop/air-gapped-containers the docker proxy service will submit docs.docker.com for the host value and https://docs.docker.com:443 for the url value to FindProxyForURL, if you are using `shExpMatch` function in your PAC file as follows: + - `FindProxyForURL` function URL parameter format is `http://host_or_ip:port` or `https://host_or_ip:port` + - If you have an internal container trying to access `https://docs.docker.com/enterprise/security/hardened-desktop/air-gapped-containers` the Docker proxy service will submit docs.docker.com for the host value and https://docs.docker.com:443 for the url value to `FindProxyForURL`, if you are using `shExpMatch` function in your PAC file as follows: ```console if(shExpMatch(url, "https://docs.docker.com:443/enterprise/security/*")) return "DIRECT"; 
@@ -230,3 +226,7 @@ $ docker run --rm alpine wget -O- https://docker.io - PAC file management: Host PAC files on reliable internal infrastructure. Failed PAC downloads result in blocked container network access. - Performance considerations: Complex PAC files with many rules may impact container network performance. Keep rules simple and efficient. +## Next steps + +- [Explore Enhanced Container Isolation](/manuals/enterprise/security/hardened-desktop/enhanced-container-isolation/_index.md) to further restrict what containers can do at runtime +- [Understand how Docker Desktop handles host and container networking](/manuals/desktop/features/networking/_index.md) \ No newline at end of file diff --git a/content/manuals/enterprise/security/hardened-desktop/enhanced-container-isolation/enable-eci.md b/content/manuals/enterprise/security/hardened-desktop/enhanced-container-isolation/enable-eci.md index 45a01c0c636a..f7e65940bdb9 100644 --- a/content/manuals/enterprise/security/hardened-desktop/enhanced-container-isolation/enable-eci.md +++ b/content/manuals/enterprise/security/hardened-desktop/enhanced-container-isolation/enable-eci.md @@ -17,7 +17,6 @@ This page shows you how to turn on Enhanced Container Isolation (ECI) and verify Before you begin, you must have: - A Docker Business subscription -- Docker Desktop 4.13 or later - [Enforced sign-in](/manuals/enterprise/security/enforce-sign-in/_index.md) (for administrators managing organization-wide settings only) ## Enable Enhanced Container Isolation diff --git a/content/manuals/enterprise/security/hardened-desktop/enhanced-container-isolation/limitations.md b/content/manuals/enterprise/security/hardened-desktop/enhanced-container-isolation/limitations.md index 2419fc369a9c..9dc37b4ea27a 100644 --- a/content/manuals/enterprise/security/hardened-desktop/enhanced-container-isolation/limitations.md +++ b/content/manuals/enterprise/security/hardened-desktop/enhanced-container-isolation/limitations.md 
@@ -142,17 +142,6 @@ $ docker image rm $ docker pull ``` -## Version compatibility - -ECI features have been introduced across different Docker Desktop versions: - -- Docker Desktop 4.36 and later: Wildcard allowlist support (`"*"`) and improved derived images handling -- Docker Desktop 4.34 and later: Derived images support (`allowDerivedImages`) -- Docker Desktop 4.30 and later: Docker Build protection with default driver (except WSL 2) -- Docker Desktop 4.13 and later: Core ECI functionality - -For the latest feature availability, use the most recent Docker Desktop version. - ## Production compatibility ### Container behavior differences diff --git a/content/manuals/enterprise/security/hardened-desktop/image-access-management.md b/content/manuals/enterprise/security/hardened-desktop/image-access-management.md index fcab28c48c54..95cc1e96842d 100644 --- a/content/manuals/enterprise/security/hardened-desktop/image-access-management.md +++ b/content/manuals/enterprise/security/hardened-desktop/image-access-management.md @@ -1,7 +1,7 @@ --- title: Image Access Management description: Control which Docker Hub images developers can access with Image Access Management for enhanced supply chain security -keywords: image access management, docker official images, verified publisher, supply chain security, docker business, allow list +keywords: image access management, docker official images, verified publisher, supply chain security, docker business, allow list, image restrictions, pull restrictions tags: [admin] aliases: - /docker-hub/image-access-management/ @@ -9,7 +9,7 @@ aliases: - /admin/organization/image-access/ - /security/for-admins/image-access-management/ - /security/for-admins/hardened-desktop/image-access-management/ -weight: 40 +weight: 50 --- {{< summary-bar feature_name="Hardened Docker Desktop" >}} 
@@ -23,7 +23,7 @@ With Image Access Management, you can restrict access to: - Organization images: Your organization's private repositories - Community images: Public images from individual developers -You can also use a repository allow list to approve specific repositories that bypass all other access controls. +You can also use a repository allowlist to approve specific repositories that bypass all other access controls. ## Who should use Image Access Management? @@ -36,7 +36,7 @@ Common security scenarios include: - Control access to commercial third-party images - Maintain consistent security standards across development teams -Use the repository allow list when you need to: +Use the repository allowlist when you need to: - Grant access to specific vetted community images - Allow essential third-party tools that don't fall under official categories @@ -46,16 +46,16 @@ Use the repository allow list when you need to: Before configuring Image Access Management, you must: -- [Enforce sign-in](/manuals/enterprise/security/enforce-sign-in/_index.md) to ensure users authenticate with your organization +- [Enforce sign-in](/manuals/enterprise/security/enforce-sign-in/_index.md). Image Access Management only takes effect when users are signed in to Docker Desktop with organization credentials. - Use [personal access tokens (PATs)](/manuals/security/access-tokens.md) for authentication (Organization access tokens aren't supported) - Have a Docker Business subscription -> [!IMPORTANT] -> -> Image Access Management only takes effect when users are signed in to Docker Desktop with organization credentials. - ## Configure image access +> [!NOTE] +> +> Image Access Management is turned off by default for organization members. Organization owners always have access to all images regardless of policy settings. + To configure Image Access Management: 1. Sign in to [Docker Home](https://app.docker.com) and select your organization from the top-left account drop-down. 
@@ -66,22 +66,18 @@ To configure Image Access Management: - **Community images**: Images contributed by various users that may pose security risks. This category includes Docker-Sponsored Open Source images and is turned off by default. - **Docker Verified Publisher Images**: Images from Docker partners in the Verified Publisher program, qualified for secure supply chains. - **Docker Official Images**: Curated Docker repositories that provide OS repositories, best practices for Dockerfiles, drop-in solutions, and timely security updates. - - **Repository allow list**: A list of specific repositories that should be + - **Repository allowlist**: A list of specific repositories that should be allowed. Configure in the next step. -1. Optionally, when **Repository allow list** is enabled in the previous step, +1. If **Repository allowlist** is enabled in the previous step, you can add or remove specific repositories in the allow list: - - To add repositories, in the **Repository allow list** section, select - **Add repositories to allow list** and follow the on-screen instructions. - - To remove a repository, in the **Repository allow list** section, select + - To add repositories, in the **Repository allowlist** section, select + **Add repositories to allowlist** and follow the on-screen instructions. + - To remove a repository, in the **Repository allowlist** section, select the trashcan icon next to it. Repositories in the allow list are accessible to all organization members regardless of the image type restrictions configured in the previous steps. -Once restrictions are applied, organization members can view the permissions page in read-only format. - -> [!NOTE] -> -> Image Access Management is turned off by default. Organization owners have access to all images regardless of policy settings. +After restrictions are applied, organization members can view the permissions page in read-only format. ## Verify access restrictions 
@@ -103,23 +99,22 @@ Error response from daemon: image access denied: community images not allowed Image access restrictions apply to all Docker Hub operations including pulls, builds using `FROM` instructions, and Docker Compose services. -## Security implementation - -Start with the most restrictive policy and gradually expand based on legitimate business needs: - -1. Start with: Docker Official Images and Organization images -2. Add if needed: Docker Verified Publisher Images for commercial tools -3. Carefully evaluate: Community images only for specific, vetted use cases -4. Use the repository allow list sparingly: Only add repositories that have been thoroughly vetted and approved through your organization's security review process - -Other security recommendations include: +## Best practices +- Start with the most restrictive policy and gradually expand based on legitimate business needs: + 1. Start with Docker Official Images and Organization images + 2. If needed, add Docker Verified Publisher Images for commercial tools + 3. Carefully evaluate community images only for specific, vetted use cases + 4. Use the repository allowlist sparingly. Only add repositories that have been thoroughly vetted and approved through your organization's security review process - Monitor usage patterns: Review which images developers are attempting to pull, identify legitimate requests for additional image types, regularly audit approved image categories for continued relevance, and use Docker Desktop analytics to monitor usage patterns. -- Regularly review the repository allow list: Periodically audit the repositories in your allow list to ensure they remain necessary and trustworthy, and remove any that are no longer needed or maintained. 
-- Layer security controls: Image Access Management works best with Registry Access Management to control which registries developers can access, Enhanced Container Isolation to secure containers at runtime, and Settings Management to control Docker Desktop configuration. +- Regularly review the repository allow list: Periodically audit the repositories in your allowlist to ensure they remain necessary and trustworthy, and remove any that are no longer needed or maintained. ## Scope and bypass considerations - Image Access Management only controls access to Docker Hub images. Images from other registries aren't affected by these policies. Use [Registry Access Management](/manuals/enterprise/security/hardened-desktop/registry-access-management.md) to control access to other registries. - Users can potentially bypass Image Access Management by signing out of Docker Desktop (unless sign-in is enforced), using images from other registries that aren't restricted, or using registry mirrors or proxies. Enforce sign-in and combine with Registry Access Management for comprehensive control. - Image restrictions apply to Dockerfile `FROM` instructions, Docker Compose services using restricted images will fail, multi-stage builds may be affected if intermediate images are restricted, and CI/CD pipelines using diverse image types may be impacted. + +## Next steps + +- Layer security controls: Image Access Management works best with [Registry Access Management](registry-access-management.md) to control which registries developers can access, [Enhanced Container Isolation](enhanced-container-isolation/_index.md) to secure containers at runtime, and [Settings Management](settings-management/_index.md) to control Docker Desktop configuration. \ No newline at end of file diff --git a/content/manuals/enterprise/security/hardened-desktop/namespace-access.md b/content/manuals/enterprise/security/hardened-desktop/namespace-access.md index cb78550e4ee9..b40593eeea9f 100644 
--- a/content/manuals/enterprise/security/hardened-desktop/namespace-access.md +++ b/content/manuals/enterprise/security/hardened-desktop/namespace-access.md @@ -4,7 +4,7 @@ linkTitle: Namespace access description: Control whether organization members can push content to their personal namespaces on Docker Hub keywords: namespace access, docker hub, personal namespace, organization security, docker business tags: [admin] -weight: 50 +weight: 60 --- {{< summary-bar feature_name="Namespace access" >}} @@ -16,7 +16,7 @@ outside of approved, governed locations. When namespace access control is enabled, organization members can still view and pull images from their personal namespaces and continue accessing all existing repositories -and content. However, they will no longer be able to create new repositories or +and content. However, they're unable to create new repositories or push new images to their personal namespace. > [!IMPORTANT] @@ -36,7 +36,7 @@ To configure namespace access control: 4. Select **Save changes**. Once namespace access control is enabled, organization members can still view their -personal namespace and existing repositories but they will not be able to create +personal namespace and existing repositories but they are not able to create any new repositories or push any new images to existing repositories. ### Verify access restrictions diff --git a/content/manuals/enterprise/security/hardened-desktop/registry-access-management.md b/content/manuals/enterprise/security/hardened-desktop/registry-access-management.md index fada06b01245..de5c2dd326d2 100644 --- a/content/manuals/enterprise/security/hardened-desktop/registry-access-management.md +++ b/content/manuals/enterprise/security/hardened-desktop/registry-access-management.md 
@@ -9,7 +9,7 @@ aliases: - /docker-hub/registry-access-management/ - /security/for-admins/registry-access-management/ - /security/for-admins/hardened-desktop/registry-access-management/ -weight: 30 +weight: 40 --- {{< summary-bar feature_name="Registry access management" >}} @@ -22,8 +22,8 @@ RAM works with all registry types including cloud services, on-premises registri Registry Access Management works with any container registry, including: - - Docker Hub (allowed by default) -- Cloud registries: Amazon ECR, Google Container Registry, Azure Container Registry +- Docker Hub (allowed by default) +- Cloud registries: Amazon ECR, Google Artifact Registry, Azure Container Registry - Git-based registries: GitHub Container Registry, GitLab Container Registry - On-premises solutions: Nexus, Artifactory, Harbor - Registry mirrors: Including Docker Hub mirrors @@ -32,14 +32,10 @@ Registry Access Management works with any container registry, including: Before configuring Registry Access Management, you must: -- [Enforce sign-in](/manuals/enterprise/security/enforce-sign-in/_index.md) to ensure users authenticate with your organization +- [Enforce sign-in](/manuals/enterprise/security/enforce-sign-in/_index.md). Registry Access Management only takes effect when users are signed in to Docker Desktop with organization credentials. - Use [personal access tokens (PATs)](/manuals/security/access-tokens.md) for authentication (Organization access tokens aren't supported) - Have a Docker Business subscription -> [!IMPORTANT] -> -> Registry Access Management only takes effect when users are signed in to Docker Desktop with organization credentials. - ## Configure registry permissions To configure registry permissions: 
@@ -52,18 +48,16 @@ in the registry list. a **Registry address** and **Registry nickname**. 1. Select **Create**. You can add up to 100 registries. 1. Verify your registry appears in the registry list and select **Save changes**. + >[!NOTE] + > + > Policy changes can take up to 24 hours to propagate. To apply changes immediately, ask developers to sign out and back in to Docker Desktop. -Changes can take up to 24 hours to take effect. To apply them sooner, -have developers sign out and back in to Docker Desktop. - -> [!IMPORTANT] -> -> Starting with Docker Desktop 4.36, if a developer belongs to multiple organizations with different RAM policies, only the policy for the first organization in the configuration file is enforced. +If a developer belongs to multiple organizations with different RAM policies, only the policy for the first organization in the configuration file is enforced. > [!TIP] > > RAM restrictions also apply to Dockerfile `ADD` instructions that fetch content via URL. Include trusted registry domains in your allowlist when using `ADD` with URLs. ->

+> > RAM is designed for container registries, not general-purpose URLs like package mirrors or storage services. Adding too many domains may cause errors or hit system limits. @@ -103,7 +97,7 @@ Registry Access Management has these limits and platform-specific behaviors: These scenarios are not restricted by Registry Access Management: - Docker buildx with Kubernetes driver -- Docker buildx with custom docker-container driver +- Docker buildx with custom Docker-container driver - Some Docker Debug and Kubernetes image pulls (even if Docker Hub is blocked) - Images previously cached by registry mirrors may still be blocked if the source registry is restricted diff --git a/content/manuals/enterprise/security/hardened-desktop/settings-management/_index.md b/content/manuals/enterprise/security/hardened-desktop/settings-management/_index.md index 71bcb57f3408..8734baaccffd 100644 --- a/content/manuals/enterprise/security/hardened-desktop/settings-management/_index.md +++ b/content/manuals/enterprise/security/hardened-desktop/settings-management/_index.md @@ -56,7 +56,7 @@ When multiple policies exist, Docker Desktop applies them in this order: 1. User-specific policies: Highest priority 1. Organization default policy: Applied when no user-specific policy exists 1. Local `admin-settings.json` file: Lowest priority, overridden by Admin Console policies -1. [Configuration profiles](/manuals/enterprise/security/enforce-sign-in/methods.md#configuration-profiles-method-mac-only): Super-set of Docker Admin Console policies. Available with Docker Desktop version 4.48 and later. +1. [Configuration profiles](/manuals/enterprise/security/enforce-sign-in/methods.md#configuration-profiles-method-mac-only): Super-set of Docker Admin Console policies. ## Set up Settings Management 
diff --git a/content/manuals/enterprise/security/hardened-desktop/settings-management/compliance-reporting.md b/content/manuals/enterprise/security/hardened-desktop/settings-management/compliance-reporting.md index 97db0ff639a3..40c4d2554753 100644 --- a/content/manuals/enterprise/security/hardened-desktop/settings-management/compliance-reporting.md +++ b/content/manuals/enterprise/security/hardened-desktop/settings-management/compliance-reporting.md @@ -16,16 +16,12 @@ Desktop settings reporting tracks user compliance with Docker Desktop settings p Before you can use Docker Desktop settings reporting, make sure you have: -- [Docker Desktop 4.37.1 or later](/manuals/desktop/release-notes.md) installed across your organization +- [Docker Desktop](/manuals/desktop/release-notes.md) installed across your organization - [A verified domain](/manuals/enterprise/security/single-sign-on/connect.md) - [Enforced sign-in](/manuals/enterprise/security/enforce-sign-in/_index.md) for your organization - A Docker Business subscription - At least one settings policy configured -> [!WARNING] -> -> Users on Docker Desktop versions older than 4.40 may appear non-compliant because older versions can't report compliance status. For accurate reporting, update users to Docker Desktop version 4.40 or later. - ## Access the reporting dashboard To view compliance reporting: diff --git a/content/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md b/content/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md index 2c48b47ca066..fe2a1ce8f345 100644 --- a/content/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md +++ b/content/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md 
@@ -16,7 +16,7 @@ Use the Docker Admin Console to create and manage settings policies for Docker D Before you begin, make sure you have: -- [Docker Desktop 4.37.1 or later](/manuals/desktop/release-notes.md) installed +- [Docker Desktop](/manuals/desktop/release-notes.md) installed - [A verified domain](/enterprise/security/single-sign-on/connect/#step-1-add-a-domain) - [Enforced sign-in](/manuals/enterprise/security/enforce-sign-in/_index.md) for your organization - A Docker Business subscription diff --git a/content/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md b/content/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md index 34e19289a864..b418bdaa7f3d 100644 --- a/content/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md +++ b/content/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md 
@@ -22,20 +22,16 @@ Before you begin, make sure you have: your organization - A Docker Business subscription -Docker Desktop only applies settings from the `admin-settings.json` file when both authentication and Docker Business license checks succeed. +The presence of the `admin-settings.json` file enforces sign-in on Docker Desktop. This is intended for business features that require authentication. -> [!IMPORTANT] -> -> The presence of the `admin-settings.json` file enforces sign-in on Docker Desktop (behavior since version 4.29). This is intended for business features that require authentication. -> -> Users must be signed in and part of a Docker Business organization. If either condition isn't met, the settings file is ignored. +Users must be signed in and part of a Docker Business organization. If either condition isn't met, the settings file is ignored. ## Step one: Create the settings file You can create the `admin-settings.json` file in two ways: - Use the `--admin-settings` installer flag to auto-generate the file: - - [macOS](/manuals/desktop/setup/install/mac-install.md#install-from-the-command-line) installation guide + - [Mac](/manuals/desktop/setup/install/mac-install.md#install-from-the-command-line) installation guide - [Windows](/manuals/desktop/setup/install/windows-install.md#install-from-the-command-line) installation guide - Create it manually (UTF-8 without BOM) and place it in the following locations: - Mac: `/Library/Application\ Support/com.docker.docker/admin-settings.json` 
@@ -283,10 +279,10 @@ The following tables describe all available settings in the `admin-settings.json | `analyticsEnabled` | | If `value` is set to false, Docker Desktop doesn't send usage statistics to Docker. | | | `disableUpdate` | | If `value` is set to true, checking for and notifications about Docker Desktop updates is disabled. | | | `blockDockerLoad` | | If `value` is set to `true`, users are no longer able to run [`docker load`](/reference/cli/docker/image/load/) and receive an error if they try to. | | -| `displayedOnboarding` | | If `value` is set to `true`, the onboarding survey will not be displayed to new users. Setting `value` to `false` has no effect. | Docker Desktop version 4.30 and later | +| `displayedOnboarding` | | If `value` is set to `true`, the onboarding survey will not be displayed to new users. Setting `value` to `false` has no effect. | | | `desktopTerminalEnabled` | | If `value` is set to `false`, developers cannot use the Docker terminal to interact with the host machine and execute commands directly from Docker Desktop. | | | `exposeDockerAPIOnTCP2375` | Windows only | Exposes the Docker API on a specified port. If `value` is set to true, the Docker API is exposed on port 2375. Note: This is unauthenticated and should only be enabled if protected by suitable firewall rules. | | -| `silentModulesUpdate` | | If `value` is set to `true`, Docker Desktop automatically updates components that don't require a restart. For example, the Docker CLI or Docker Scout components. | Docker Desktop version 4.46 and later. | +| `silentModulesUpdate` | | If `value` is set to `true`, Docker Desktop automatically updates components that don't require a restart. For example, the Docker CLI or Docker Scout components. | | ### Extensions 
@@ -304,7 +300,7 @@ The following tables describe all available settings in the `admin-settings.json | `filesharingAllowedDirectories` | | Specify which paths your developers can add file shares to. Also accepts `$HOME`, `$TMP`, or `$TEMP` as `path` variables. When a path is added, its subdirectories are allowed. If `sharedByDefault` is set to `true`, that path will be added upon factory reset or when Docker Desktop first starts. | | | `useVirtualizationFrameworkVirtioFS` | macOS only | If `value` is set to `true`, VirtioFS is set as the file sharing mechanism. Note: If both `useVirtualizationFrameworkVirtioFS` and `useGrpcfuse` have `value` set to `true`, VirtioFS takes precedence. Likewise, if both `useVirtualizationFrameworkVirtioFS` and `useGrpcfuse` have `value` set to `false`, osxfs is set as the file sharing mechanism. | | | `useGrpcfuse` | macOS only | If `value` is set to `true`, gRPC Fuse is set as the file sharing mechanism. | | -| `useVirtualizationFrameworkRosetta` | macOS only | If `value` is set to `true`, Docker Desktop turns on Rosetta to accelerate x86_64/amd64 binary emulation on Apple Silicon. Note: This also automatically enables `Use Virtualization framework`. | Docker Desktop version 4.29 and later. | +| `useVirtualizationFrameworkRosetta` | macOS only | If `value` is set to `true`, Docker Desktop turns on Rosetta to accelerate x86_64/amd64 binary emulation on Apple Silicon. Note: This also automatically enables `Use Virtualization framework`. | | ### Docker Scout 
@@ -318,17 +314,17 @@ The following tables describe all available settings in the `admin-settings.json | :------------------- | ------------ | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------- | | `proxy` | | If `mode` is set to `system` instead of `manual`, Docker Desktop gets the proxy values from the system and ignores any values set for `http`, `https` and `exclude`. Change `mode` to `manual` to manually configure proxy servers. If the proxy port is custom, specify it in the `http` or `https` property, for example `"https": "http://myotherproxy.com:4321"`. The `exclude` property specifies a comma-separated list of hosts and domains to bypass the proxy. | | | `windowsDockerdPort` | Windows only | Exposes Docker Desktop's internal proxy locally on this port for the Windows Docker daemon to connect to. If it is set to 0, a random free port is chosen. If the value is greater than 0, use that exact value for the port. The default value is -1 which disables the option. | | -| `enableKerberosNtlm` | | When set to `true`, Kerberos and NTLM authentication is enabled. Default is `false`. For more information, see the settings documentation. | Docker Desktop version 4.32 and later. | +| `enableKerberosNtlm` | | When set to `true`, Kerberos and NTLM authentication is enabled. Default is `false`. For more information, see the settings documentation. | | | `pac` | | Specifies a PAC file URL. For example, `"pac": "http://proxy/proxy.pac"`. | | -| `embeddedPac` | | Specifies an embedded PAC (Proxy Auto-config) script. 
For example, `"embeddedPac": "function FindProxyForURL(url, host) { return \"DIRECT\"; }"`. This setting takes precedence over HTTP, HTTPS, Proxy bypass and PAC server URL. | Docker Desktop version 4.46 and later. | +| `embeddedPac` | | Specifies an embedded PAC (Proxy Auto-config) script. For example, `"embeddedPac": "function FindProxyForURL(url, host) { return \"DIRECT\"; }"`. This setting takes precedence over HTTP, HTTPS, Proxy bypass and PAC server URL. | | ### Container proxy | Parameter | OS | Description | Version | | :---------------- | --- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------- | -| `containersProxy` | | Creates air-gapped containers. For more information see [Air-Gapped Containers](../air-gapped-containers.md). | Docker Desktop version 4.29 and later. | +| `containersProxy` | | Creates air-gapped containers. For more information see [Air-Gapped Containers](../air-gapped-containers.md). | | | `pac` | | Specifies a PAC file URL. For example, `"pac": "http://containerproxy/proxy.pac"`. | | -| `embeddedPac` | | Specifies an embedded PAC (Proxy Auto-config) script. For example, `"embeddedPac": "function FindProxyForURL(url, host) { return \"PROXY 192.168.92.1:2003\"; }"`. This setting takes precedence over HTTP, HTTPS, Proxy bypass and PAC server URL. | Docker Desktop version 4.46 and later. | +| `embeddedPac` | | Specifies an embedded PAC (Proxy Auto-config) script. For example, `"embeddedPac": "function FindProxyForURL(url, host) { return \"PROXY 192.168.92.1:2003\"; }"`. This setting takes precedence over HTTP, HTTPS, Proxy bypass and PAC server URL. | | ### Linux VM settings 
@@ -369,8 +365,8 @@ The following tables describe all available settings in the `admin-settings.json | Parameter | OS | Description | Version | | :---------------------- | --------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------- | -| `defaultNetworkingMode` | Windows and Mac only | Defines the default IP protocol for new Docker networks: `dual-stack` (IPv4 + IPv6, default), `ipv4only`, or `ipv6only`. | Docker Desktop version 4.43 and later. | -| `dnsInhibition` | Windows and Mac only | Controls DNS record filtering returned to containers. Options: `auto` (recommended), `ipv4`, `ipv6`, `none` | Docker Desktop version 4.43 and later. | +| `defaultNetworkingMode` | Windows and Mac only | Defines the default IP protocol for new Docker networks: `dual-stack` (IPv4 + IPv6, default), `ipv4only`, or `ipv6only`. | | +| `dnsInhibition` | Windows and Mac only | Controls DNS record filtering returned to containers. Options: `auto` (recommended), `ipv4`, `ipv6`, `none` | | | `portBindingBehavior` | Linux-based containers only | Defines port binding restrictions and default behavior, allowing admins to control how a user exposes ports from their containers. Options: `default-port-binding`, `default-local-port-binding`, `local-only-port-binding` | Docker Desktop version 4.52 and later. | For more information, see [Networking](/manuals/desktop/features/networking.md#networking-mode-and-dns-behaviour-for-mac-and-windows). 
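Review bot: The version notes are dropped inconsistently within one table: `defaultNetworkingMode` and `dnsInhibition` lose "Docker Desktop version 4.43 and later" while the adjacent `portBindingBehavior` row keeps "Docker Desktop version 4.52 and later." If the intent is to strip version notes below some cutoff, state the cutoff in the PR description and apply it uniformly; otherwise a reader cannot tell whether the blank cells mean "always available" or "unknown".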
@@ -396,7 +392,7 @@ For more information, see [Networking](/manuals/desktop/features/networking.md#n | `allowBetaFeatures` | | If `value` is set to `true`, beta features are enabled. | | | `enableDockerAI` | | If `allowBetaFeatures` is true, setting `enableDockerAI` to `true` enables [Gordon](/manuals/ai/gordon/_index.md) by default. You can independently control this setting from the `allowBetaFeatures` setting. | | | `enableDockerMCPToolkit` | | If `allowBetaFeatures` is true, setting `enableDockerMCPToolkit` to `true` enables the [MCP Toolkit feature](/manuals/ai/mcp-catalog-and-toolkit/toolkit.md) by default. You can independently control this setting from the `allowBetaFeatures` setting. | | -| `allowExperimentalFeatures` | | If `value` is set to `true`, experimental features are enabled. | Docker Desktop version 4.41 and earlier | +| `allowExperimentalFeatures` | | If `value` is set to `true`, experimental features are enabled. | | ### Enhanced Container Isolation diff --git a/data/summary.yaml b/data/summary.yaml index 33c618e1e3c6..e446079a30a0 100644 --- a/data/summary.yaml +++ b/data/summary.yaml @@ -8,7 +8,8 @@ Admin orgs: subscription: [Team, Business] for: Administrators Air-gapped containers: - requires: Docker Desktop [4.29.0](/manuals/desktop/release-notes.md#4290) and later + subscription: [Business] + for: Administrators Allow list: for: Administrators Amazon S3 cache:
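Review bot: In the `allowExperimentalFeatures` row, "Docker Desktop version 4.41 and earlier" is an upper bound, not a minimum, so removing it changes the meaning: the row now reads as a setting that current releases honour. If the setting is no longer supported after 4.41, either keep that note or drop the row altogether rather than leaving a key in the reference that newer releases ignore.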
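Review bot: In `data/summary.yaml`, the `requires: Docker Desktop [4.29.0](/manuals/desktop/release-notes.md#4290) and later` line is replaced rather than supplemented, so the summary bar rendered from the `Air-gapped containers` entry no longer shows a minimum version. Adding `subscription: [Business]` and `for: Administrators` matches the neighbouring `Admin orgs` and `Allow list` entries, but nothing in the change motivates removing the version floor; keep the `requires:` line alongside the two new keys unless dropping it is intentional, in which case say so in the PR description.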
