From e6bfca79d5acbfabfcfa157d27b566f1bb44d686 Mon Sep 17 00:00:00 2001 From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Tue, 19 Nov 2024 15:53:09 +0000 Subject: [PATCH 1/5] release note clarity (#21467) ## Description ## Related issues or tickets ## Reviews - [ ] Technical review - [ ] Editorial review - [ ] Product review --------- Co-authored-by: David Karlsson <35727626+dvdksn@users.noreply.github.com> --- content/manuals/desktop/release-notes.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/manuals/desktop/release-notes.md b/content/manuals/desktop/release-notes.md index 9f9abf00e33..9a60ca78eee 100644 --- a/content/manuals/desktop/release-notes.md +++ b/content/manuals/desktop/release-notes.md @@ -60,7 +60,7 @@ Take a look at the [Docker Public Roadmap](https://github.com/orgs/docker/projec - Fixed an issue where if Docker Desktop is configured to use a proxy, it fails to start due to an internal timeout while fetching authentication tokens. - Added a recovery banner to retry an update if the download failed. - Fixed an issue where if the `umask` is set to `577` it would cause `rpmbuild` failure. Fixes [docker/for-mac#6511](https://github.com/docker/for-mac/issues/6511). -- Fixed a bug that caused ports open on the host to 18 for containers started with `--network=host`. +- Fixed a bug that restricted containers using `--network=host` to 18 open host ports. - Fixed bind mount ownership for non-root containers. Fixes [docker/for-mac#6243](https://github.com/docker/for-mac/issues/6243). - Docker Desktop will not unpause automatically after a manual pause. The system will stay paused until you manually resume the Docker engine. This fixes a bug where other software would accidentally trigger a resume by running a CLI command in the background. Fixes [for-mac/#6908](https://github.com/docker/for-mac/issues/6908) From 3025a049297e5d85f3ccd96c8446e617d548a7e6 Mon Sep 17 00:00:00 2001 
From: Sarah Sanders Date: Tue, 19 Nov 2024 10:00:48 -0800 Subject: [PATCH 2/5] OATs support for APIs --- content/manuals/security/for-admins/access-tokens.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/manuals/security/for-admins/access-tokens.md b/content/manuals/security/for-admins/access-tokens.md index c99888979bd..f19bcedb9d9 100644 --- a/content/manuals/security/for-admins/access-tokens.md +++ b/content/manuals/security/for-admins/access-tokens.md @@ -16,6 +16,7 @@ The organization access tokens feature is currently in [Beta](../../release-life > > - Docker Build Cloud > - Docker Scout +> - Docker REST APIs > > If you use these services, you must use personal access tokens instead. From aa68ba26271fb9e0a4857cc89392fce5e24efc1e Mon Sep 17 00:00:00 2001 From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Wed, 20 Nov 2024 08:55:44 +0000 Subject: [PATCH 3/5] ENGDOCS-2320 (#21463) ## Description A few new Compose Spec additions https://docker.atlassian.net/browse/ENGDOCS-2320 ## Related issues or tickets ## Reviews - [ ] Technical review - [ ] Editorial review - [ ] Product review --------- Co-authored-by: David Karlsson <35727626+dvdksn@users.noreply.github.com> --- .../set-environment-variables.md | 1 + .../reference/compose-file/interpolation.md | 4 ++ content/reference/compose-file/services.md | 56 +++++++++++++++---- 3 files changed, 49 insertions(+), 12 deletions(-) diff --git a/content/manuals/compose/how-tos/environment-variables/set-environment-variables.md b/content/manuals/compose/how-tos/environment-variables/set-environment-variables.md index 55db221e9e3..929a7c3eec3 100644 --- a/content/manuals/compose/how-tos/environment-variables/set-environment-variables.md +++ b/content/manuals/compose/how-tos/environment-variables/set-environment-variables.md 
@@ -93,6 +93,7 @@ The paths to your `.env` file, specified in the `env_file` attribute, are relati - path: ./override.env required: false ``` +- As of Docker Compose version 2.30.0, you can use an alternative file format for the `env_file` with the `format` attribute. For more information, see [`format`](/reference/compose-file/services.md#format). - Values in your `.env` file can be overridden from the command line by using [`docker compose run -e`](#set-environment-variables-with-docker-compose-run---env). ## Set environment variables with `docker compose run --env` diff --git a/content/reference/compose-file/interpolation.md b/content/reference/compose-file/interpolation.md index 6db6f88f468..b897bcd8923 100644 --- a/content/reference/compose-file/interpolation.md +++ b/content/reference/compose-file/interpolation.md @@ -31,6 +31,10 @@ Interpolation can also be nested: Other extended shell-style features, such as `${VARIABLE/foo/bar}`, are not supported by Compose. +Compose processes any string following a `$` sign as long as it makes it +a valid variable definition - either an alphanumeric name (`[_a-zA-Z][_a-zA-Z0-9]*`) +or a braced string starting with `${`. In other circumstances, it will be preserved without attempting to interpolate a value. + You can use a `$$` (double-dollar sign) when your configuration needs a literal dollar sign. This also prevents Compose from interpolating a value, so a `$$` allows you to refer to environment variables that you don't want processed by diff --git a/content/reference/compose-file/services.md b/content/reference/compose-file/services.md index 78222054d8a..90999a93bf9 100644 --- a/content/reference/compose-file/services.md +++ b/content/reference/compose-file/services.md 
@@ -618,6 +618,12 @@ i.e. overridden to be empty. env_file: .env ``` +Relative paths are resolved from the Compose file's parent folder. As absolute paths prevent the Compose +file from being portable, Compose warns you when such a path is used to set `env_file`. + +Environment variables declared in the [environment](#environment) section override these values. This holds true even if those values are +empty or undefined. + `env_file` can also be a list. The files in the list are processed from the top down. For the same variable specified in two env files, the value from the last file in the list stands. @@ -627,9 +633,14 @@ env_file: - ./b.env ``` -List elements can also be declared as a mapping, which then lets you set an additional -attribute `required`. This defaults to `true`. When `required` is set to `false` and the `.env` file is missing, -Compose silently ignores the entry. +List elements can also be declared as a mapping, which then lets you set additional +attributes. + +#### required + +{{< introduced compose 2.24.0 "/manuals/compose/releases/release-notes.md#2240" >}} + +The `required` attribute defaults to `true`. When `required` is set to `false` and the `.env` file is missing, Compose silently ignores the entry. ```yml env_file: 
@@ -638,13 +649,21 @@ env_file: - path: ./override.env required: false ``` -> `required` attribute is available with Docker Compose version 2.24.0 or later. -Relative path are resolved from the Compose file's parent folder. As absolute paths prevent the Compose -file from being portable, Compose warns you when such a path is used to set `env_file`. +#### format -Environment variables declared in the [environment](#environment) section override these values. This holds true even if those values are -empty or undefined. +{{< introduced compose 2.30.0 "/manuals/compose/releases/release-notes.md#2300" >}} + +The `format` attribute lets you use an alternative file format for the `env_file`. When not set, `env_file` is parsed according to the Compose rules outlined in [Env_file format](#env_file-format). + +`raw` format lets you use an `env_file` with key=value items, but without any attempt from Compose to parse the value for interpolation. +This let you pass values as-is, including quotes and `$` signs. + +```yml +env_file: + - path: ./default.env + format: raw +``` #### Env_file format @@ -1772,13 +1791,26 @@ parameters (sysctls) at runtime](/reference/cli/docker/container/run.md#sysctl). `tmpfs` mounts a temporary file system inside the container. It can be a single value or a list. ```yml -tmpfs: /run +tmpfs: + - + - : ``` +- : The path inside the container where the tmpfs will be mounted. +- : Comma-separated list of options for the tmpfs mount. + +Available options: + +- `mode`: Sets the file system permissions. +- `uid`: Sets the user ID that owns the mounted tmpfs. +- `gid`: Sets the group ID that owns the mounted tmpfs. + ```yml -tmpfs: - - /run - - /tmp +services: + app: + tmpfs: + - /data:mode=755,uid=1009,gid=1009 + - /run ``` ### tty From 5c12f4f1ede6dc48e69bce1b3a921cc73ee6ae6e Mon Sep 17 00:00:00 2001 
From: Cesar Talledo Date: Thu, 21 Nov 2024 00:53:17 -0800 Subject: [PATCH 4/5] Fix ECI text in the DD 4.36 release notes. (#21477) ## Description Fix vague / misleading text regarding ECI in the Docker Desktop 4.36 release notes. ## Related issues or tickets ## Reviews - [ ] Technical review - [X] Editorial review - [ ] Product review --------- Signed-off-by: Cesar Talledo Co-authored-by: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> --- content/manuals/desktop/release-notes.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/content/manuals/desktop/release-notes.md b/content/manuals/desktop/release-notes.md index 9a60ca78eee..0af142be4f8 100644 --- a/content/manuals/desktop/release-notes.md +++ b/content/manuals/desktop/release-notes.md 
@@ -32,13 +32,14 @@ Take a look at the [Docker Public Roadmap](https://github.com/orgs/docker/projec ### New - Existing Docker Desktop installations using the WSL2 engine on Windows are now automatically migrated to a unified single-distribution architecture for enhanced consistency and performance. -- Enhance Container Isolation (ECI) has been improved to support images with wildcard tags. - Administrators can now: - - Allow any container to mount the Docker socket with ECI. - Enforce sign-in with macOS [configuration profiles](/manuals/security/for-admins/enforce-sign-in/methods.md#configuration-profiles-method-mac-only) (Early Access). - Enforce sign-in for more than one organization at a time (Early Access). - Deploy Docker Desktop for Mac in bulk with the [PKG installer](/manuals/desktop/setup/install/enterprise-deployment/pkg-install-and-configure.md) (Early Access). - Use Desktop Settings Management to manage and enforce defaults via admin.docker.com (Early Access). +- Enhance Container Isolation (ECI) has been improved to: + - Allow admins to [turn off Docker socket mount restrictions](/manuals/security/for-admins/hardened-desktop/enhanced-container-isolation/config.md#allowing-all-containers-to-mount-the-docker-socket). + - Support wildcard tags when using the [`allowedDerivedImages` setting](/manuals/security/for-admins/hardened-desktop/enhanced-container-isolation/config.md#docker-socket-mount-permissions-for-derived-images). ### Upgrades From 42d97aacf8789a4b11cb772b454cbf57075251da Mon Sep 17 00:00:00 2001 
From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Thu, 21 Nov 2024 14:59:22 +0000 Subject: [PATCH 5/5] ENGDOCS-2181c (#21419) ## Description Replaces https://github.com/docker/docs/pull/20646 that was so old it was still using the `toc.yaml` file. SME reviews complete. Just need editorial ## Related issues or tickets ## Reviews - [ ] Technical review - [x] Editorial review - [ ] Product review --- .../admin-set-up/comms-and-info-gathering.md | 2 +- content/manuals/desktop/release-notes.md | 6 +- content/manuals/scout/release-notes/cli.md | 2 +- .../enhanced-container-isolation/_index.md | 6 +- .../enhanced-container-isolation/config.md | 6 +- .../settings-management/_index.md | 17 ++-- .../configure-admin-console.md | 81 +++++++++++++++++++ .../{configure.md => configure-json-file.md} | 15 ++-- 8 files changed, 117 insertions(+), 18 deletions(-) create mode 100644 content/manuals/security/for-admins/hardened-desktop/settings-management/configure-admin-console.md rename content/manuals/security/for-admins/hardened-desktop/settings-management/{configure.md => configure-json-file.md} (96%) diff --git a/content/guides/admin-set-up/comms-and-info-gathering.md b/content/guides/admin-set-up/comms-and-info-gathering.md index a70f525ab16..87349a6022e 100644 --- a/content/guides/admin-set-up/comms-and-info-gathering.md +++ b/content/guides/admin-set-up/comms-and-info-gathering.md 
@@ -26,7 +26,7 @@ Some companies may have more than one [Docker organization](/manuals/admin/organ Through [Settings Management](/manuals/security/for-admins/hardened-desktop/settings-management/_index.md), Docker provides numerous configuration parameters that can be preset. The Docker organization owner, development lead, and infosec representative should review these settings to establish the company’s baseline configuration, including security features and [enforcing sign-in](/manuals/security/for-admins/enforce-sign-in/_index.md) for Docker Desktop users. Additionally, they should decide whether to take advantage of free trials for other Docker products, such as [Docker Scout](/manuals/scout/_index.md), which is included in the subscription. -To view the parameters that can be preset, see [Configure Settings Management](/manuals/security/for-admins/hardened-desktop/settings-management/configure.md#step-two-configure-the-settings-you-want-to-lock-in). +To view the parameters that can be preset, see [Configure Settings Management](/manuals/security/for-admins/hardened-desktop/settings-management/configure-json-file.md#step-two-configure-the-settings-you-want-to-lock-in). ## Optional step four: Meet with the Docker Implementation team diff --git a/content/manuals/desktop/release-notes.md b/content/manuals/desktop/release-notes.md index 0af142be4f8..ff285bfe1e4 100644 --- a/content/manuals/desktop/release-notes.md +++ b/content/manuals/desktop/release-notes.md 
@@ -615,7 +615,7 @@ This can be resolved by adding the user to the **docker-users** group. Before st ### New -- You can now enforce Rosetta usage via [Settings Management](/manuals/security/for-admins/hardened-desktop/settings-management/configure.md). +- You can now enforce Rosetta usage via [Settings Management](/manuals/security/for-admins/hardened-desktop/settings-management/_index.md). - [Docker socket mount restrictions](/manuals/security/for-admins/hardened-desktop/enhanced-container-isolation/config.md) with ECI is now generally available. - Docker Engine and CLI updated to [Moby 26.0](https://github.com/moby/moby/releases/tag/v26.0.0). This includes Buildkit 0.13, sub volumes mounts, networking updates, and improvements to the containerd multi-platform image store UX. - New and improved Docker Desktop error screens: swift troubleshooting, easy diagnostics uploads, and actionable remediation. @@ -913,7 +913,7 @@ This can be resolved by adding the user to the **docker-users** group. Before st ### New -- Administrators can now control access to beta and experimental features in the **Features in development** tab with [Settings Management](/manuals/security/for-admins/hardened-desktop/settings-management/configure.md). +- Administrators can now control access to beta and experimental features in the **Features in development** tab with [Settings Management](/manuals/security/for-admins/hardened-desktop/settings-management/_index.md). - Introduced four new version update states in the footer. - `docker init` (Beta) now supports PHP with Apache + Composer. - The [**Builds** view](use-desktop/builds.md) is now GA. You can now inspect builds, troubleshoot errors, and optimize build speed. 
@@ -1023,7 +1023,7 @@ This can be resolved by adding the user to the **docker-users** group. Before st - Rosetta is now Generally Available for all users on macOS 13 or later. It provides faster emulation of Intel-based images on Apple Silicon. To use Rosetta, see [Settings](/manuals/desktop/settings-and-maintenance/settings.md). Rosetta is enabled by default on macOS 14.1 and later. - Docker Desktop now detects if a WSL version is out of date. If an out dated version of WSL is detected, you can allow Docker Desktop to automatically update the installation or you can manually update WSL outside of Docker Desktop. - New installations of Docker Desktop for Windows now require a Windows version of 19044 or later. -- Administrators now have the ability to control Docker Scout image analysis in [Settings Management](/manuals/security/for-admins/hardened-desktop/settings-management/configure.md). +- Administrators now have the ability to control Docker Scout image analysis in [Settings Management](/manuals/security/for-admins/hardened-desktop/settings-management/_index.md). ### Upgrades diff --git a/content/manuals/scout/release-notes/cli.md b/content/manuals/scout/release-notes/cli.md index c43e69e0081..1ed667573f5 100644 --- a/content/manuals/scout/release-notes/cli.md +++ b/content/manuals/scout/release-notes/cli.md @@ -410,7 +410,7 @@ Discarded in favor of [1.9.1](#191). instance by Docker Desktop there's no need anymore to re-index it on WSL2 side. - Indexing is now blocked in the CLI if it has been disabled using - [Settings Management](/manuals/security/for-admins/hardened-desktop/settings-management/configure.md) feature. + [Settings Management](/manuals/security/for-admins/hardened-desktop/settings-management/_index.md) feature. - Fix a panic that would occur when analyzing a single-image `oci-dir` input - Improve local attestation support with the containerd image store 
diff --git a/content/manuals/security/for-admins/hardened-desktop/enhanced-container-isolation/_index.md b/content/manuals/security/for-admins/hardened-desktop/enhanced-container-isolation/_index.md index a8228d4a6a3..d4b1941e610 100644 --- a/content/manuals/security/for-admins/hardened-desktop/enhanced-container-isolation/_index.md +++ b/content/manuals/security/for-admins/hardened-desktop/enhanced-container-isolation/_index.md @@ -106,7 +106,7 @@ Enforcing sign-in ensures that your Docker Desktop developers always authenticat ##### Setup -[Create and configure the `admin-settings.json` file](../settings-management/configure.md) and specify: +[Create and configure the `admin-settings.json` file](/manuals/security/for-admins/hardened-desktop/settings-management/configure-json-file.md) and specify: ```json { @@ -135,6 +135,10 @@ For this to take effect: > > Selecting **Restart** from the Docker menu isn't enough as it only restarts some components of Docker Desktop. +> [!TIP] +> +> You can now also configure these settings in the [Docker Admin Console](/manuals/security/for-admins/hardened-desktop/settings-management/configure-admin-console.md). + ### What do users see when this setting is enforced by an admin? When Enhanced Container Isolation is enabled, users see: diff --git a/content/manuals/security/for-admins/hardened-desktop/enhanced-container-isolation/config.md b/content/manuals/security/for-admins/hardened-desktop/enhanced-container-isolation/config.md index dee207690e1..c377a3030ee 100644 --- a/content/manuals/security/for-admins/hardened-desktop/enhanced-container-isolation/config.md +++ b/content/manuals/security/for-admins/hardened-desktop/enhanced-container-isolation/config.md 
@@ -39,7 +39,7 @@ Starting with Docker Desktop 4.27, admins can optionally configure ECI to allow bind mounting the Docker Engine socket into containers, but in a controlled way. This can be done via the Docker Socket mount permissions section in the -[admin-settings.json](../settings-management/configure.md) file. For example: +[admin-settings.json](../settings-management/_index.md) file. For example: ```json { @@ -64,6 +64,10 @@ This can be done via the Docker Socket mount permissions section in the } ``` +> [!TIP] +> +> You can now also configure these settings in the [Docker Admin Console](/manuals/security/for-admins/hardened-desktop/settings-management/configure-admin-console.md). + As shown above, there are two configurations for bind-mounting the Docker socket into containers: the `imageList` and the `commandList`. These are described below. diff --git a/content/manuals/security/for-admins/hardened-desktop/settings-management/_index.md b/content/manuals/security/for-admins/hardened-desktop/settings-management/_index.md index 7df4022e8d6..2d5b2051474 100644 --- a/content/manuals/security/for-admins/hardened-desktop/settings-management/_index.md +++ b/content/manuals/security/for-admins/hardened-desktop/settings-management/_index.md 
@@ -25,9 +25,11 @@ For an extra layer of security, you can also use Settings Management to enable a ## How does it work? -You can configure several Docker Desktop settings using an `admin-settings.json` file. This file is located on the Docker Desktop host and can only be accessed by developers with root or administrator privileges. +You can configure several Docker Desktop settings using either: + - An `admin-settings.json` file. This file is located on the Docker Desktop host and can only be accessed by developers with root or administrator privileges. + - Creating a settings policy in the Docker Admin Console -Values that are set to `locked: true` within the `admin-settings.json` override any previous values set by developers and ensure that these cannot be modified. For more information, see [Configure Settings Management](configure.md#step-two-configure-the-settings-you-want-to-lock-in). +Settings that are defined by an administrator override any previous values set by developers and ensure that these cannot be modified. ## What features can I configure with Settings Management? 
@@ -50,13 +52,15 @@ Using the `admin-settings.json` file, you can: - Specify which paths your developers can add file shares to - Configure Air-gapped containers -For more details on the syntax and options, see [Configure Settings Management](configure.md). +For more details on the syntax and options, see [Configure Settings Management](configure-json-file.md). ## How do I set up and enforce Settings Management? You first need to [enforce sign-in](/manuals/security/for-admins/enforce-sign-in/_index.md) to ensure that all Docker Desktop developers authenticate with your organization. Since the Settings Management feature requires a Docker Business subscription, enforced sign-in guarantees that only authenticated users have access and that the feature consistently takes effect across all users, even though it may still work without enforced sign-in. -Next, you must either manually [create and configure the admin-settings.json file](configure.md), or use the `--admin-settings` installer flag on [macOS](/manuals/desktop/setup/install/mac-install.md#install-from-the-command-line) or [Windows](/manuals/desktop/setup/install/windows-install.md#install-from-the-command-line) to automatically create the `admin-settings.json` and save it in the correct location. +Next, you must either: + - Manually [create and configure the `admin-settings.json` file](configure-json-file.md), or use the `--admin-settings` installer flag on [macOS](/manuals/desktop/setup/install/mac-install.md#install-from-the-command-line) or [Windows](/manuals/desktop/setup/install/windows-install.md#install-from-the-command-line) to automatically create the `admin-settings.json` and save it in the correct location. + - Fill out the **Settings policy** creation form in the [Docker Admin Console](configure-admin-console.md). Once this is done, Docker Desktop developers receive the changed settings when they either: - Quit, re-launch, and sign in to Docker Desktop 
@@ -72,6 +76,7 @@ In addition, if Enhanced Container Isolation is enforced, developers can't use p ![Proxy settings grayed out](/assets/images/grayed-setting.png) -## More resources +## What's next? -- [Video: Settings Management](https://www.youtube.com/watch?v=I9oJOJ1P9PQ) +- [Configure Settings Management with a `.json` file](configure-json-file.md) +- [Configure Settings Management with the Docker Admin Console](configure-admin-console.md) \ No newline at end of file diff --git a/content/manuals/security/for-admins/hardened-desktop/settings-management/configure-admin-console.md b/content/manuals/security/for-admins/hardened-desktop/settings-management/configure-admin-console.md new file mode 100644 index 00000000000..11a6f052970 --- /dev/null +++ b/content/manuals/security/for-admins/hardened-desktop/settings-management/configure-admin-console.md 
@@ -0,0 +1,81 @@ +--- +description: How to configure Settings Management for Docker Desktop using the Docker Admin Console +keywords: admin, controls, rootless, enhanced container isolation +title: Configure Settings Management with the Admin Console +linkTitle: Use the Admin Console +weight: 20 +params: + sidebar: + badge: + color: violet + text: EA +--- + +{{% restricted title="Early Access" %}} +Settings Management in the Docker Admin Console is an [early access](/release-lifecycle#early-access-ea) feature and is available to Docker Business customers only. +{{% /restricted %}} + +This page contains information for administrators on how to configure Settings Management with the Docker Admin Console. You can specify and lock configuration parameters to create a standardized Docker Desktop environment across your Docker company or organization. + +## Prerequisites + +- [Download and install Docker Desktop 4.36.0 or later](/manuals/desktop/release-notes.md). +- [Verify your domain](/manuals/security/for-admins/single-sign-on/configure.md#step-one-add-and-verify-your-domain). +- [Enforce sign-in](/manuals/security/for-admins/enforce-sign-in/_index.md). The Settings Management feature requires a Docker Business +subscription, therefore your Docker Desktop users must authenticate to your +organization for configurations to take effect. + +## Create a settings policy + +1. Within the [Docker Admin Console](https://admin.docker.com/) navigate to the company or organization you want to define a settings policy for. +2. Under the **Security and access** section, select **Desktop Settings Management**. +3. In the top-right corner, select **Create a settings policy**. +4. Give your settings policy a name and an optional description. + + > [!TIP] + > + > If you have already configured Settings Management with an `admin-settings.json` file for an organization, you can upload it using the **Upload existing settings** button which then automatically populates the form for you. 
+ > + > Settings policies deployed via the Docker Admin Console take precedence over manually deployed `admin-settings.json` files. + +5. Assign the setting policy to all your users within the company or organization, or specific users. + + > [!NOTE] + > + > If a settings policy is assigned to all users, it sets the policy as the global default policy. You can only have one global settings policy at a time. + > If a user already has a user-specific settings policy assigned, the user-specific policy takes precedence over a global policy. + + > [!TIP] + > + > Before setting a global settings policy, it is recommended that you first test it as a user-specific policy to make sure you're happy with the changes before proceeding. + +6. Configure the settings for the policy. Go through each setting and select your chosen setting state. You can choose: + - **User-defined**. Your developers are able to control and change this setting. + - **Always enabled**. This means the setting is turned on and your users won't be able to edit this setting from Docker Desktop or the CLI. + - **Enabled**. The setting is turned on and users can edit this setting from Docker Desktop or the CLI. + - **Always disabled**. This means the setting is turned off and your users won't be able to edit this setting from Docker Desktop or the CLI. + - **Disabled**. The setting is turned off and users can edit this setting from Docker Desktop or the CLI. +7. Select **Create** + +For the settings policy to take effect: +- On a new install, users need to launch Docker Desktop and authenticate to their organization. +- On an existing install, users need to quit Docker Desktop through the Docker menu, and then re-launch Docker Desktop. If they are already signed in, they don't need to sign in again for the changes to take effect. + + > [!IMPORTANT] + > + > Selecting **Restart** from the Docker menu isn't enough as it only restarts some components of Docker Desktop. 
+ +To avoid disrupting your users' workflows, Docker doesn't automatically require that users re-launch once a change has been made. + +> [!NOTE] +> +> Settings are synced to Docker Desktop and the CLI when a user is signed in and starts Docker Desktop, and then every 60 minutes. + +If your settings policy needs to be rolled back, either delete the policy or edit the policy to set individual settings to **User-defined**. + +## Settings policy actions + +From the **Actions** menu on the **Desktop Settings Management** page in the Docker Admin Console, you can: +- Edit or delete an existing settings policy. +- Export a settings policy as an `admin-settings.json` file. +- Promote a policy that is applied to a select group of users, to be the new global default policy for all users. \ No newline at end of file diff --git a/content/manuals/security/for-admins/hardened-desktop/settings-management/configure.md b/content/manuals/security/for-admins/hardened-desktop/settings-management/configure-json-file.md similarity index 96% rename from content/manuals/security/for-admins/hardened-desktop/settings-management/configure.md rename to content/manuals/security/for-admins/hardened-desktop/settings-management/configure-json-file.md index cde1009502a..d52ff4315e7 100644 --- a/content/manuals/security/for-admins/hardened-desktop/settings-management/configure.md +++ b/content/manuals/security/for-admins/hardened-desktop/settings-management/configure-json-file.md 
@@ -1,18 +1,19 @@ --- description: How to configure Settings Management for Docker Desktop keywords: admin, controls, rootless, enhanced container isolation -title: Configure Settings Management -linkTitle: Configure -toc_min: 4 +title: Configure Settings Management with a JSON file +linkTitle: Use a JSON file +weight: 10 aliases: - /desktop/hardened-desktop/settings-management/configure/ + - /security/for-admins/hardened-desktop/settings-management/configure/ --- > [!NOTE] > > Settings Management is available to Docker Business customers only. -This page contains information on how to configure Settings Management to specify and lock configuration parameters to create a standardized Docker Desktop environment across the organization. +This page contains information on how to configure Settings Management with an `admin-settings.json` file. You can specify and lock configuration parameters to create a standardized Docker Desktop environment across your company or organization. Settings Management is designed specifically for organizations who don’t give developers root access to their machines. @@ -41,7 +42,7 @@ To set it up manually: > [!NOTE] > -> Some of the configuration parameters only apply to Windows or to specific Docker Desktop versions. This is highlighted in the following table. +> Some of the configuration parameters only apply to certain platforms or to specific Docker Desktop versions. This is highlighted in the following table. The `admin-settings.json` file requires a nested list of configuration parameters, each of which must contain the `locked` parameter. You can add or remove configuration parameters as per your requirements. 
@@ -241,6 +242,10 @@ The following `admin-settings.json` code and table provides an example of the re | `windowsContainers` | | Parameters and settings related to `windowsContainers` options - grouped together here for convenience. | | |        `dockerDaemonOptions` | | Overrides the options in the Linux daemon config file. See the [Docker Engine reference](/reference/cli/dockerd/#daemon-configuration-file).| | +> [!NOTE] +> +> This setting is not available to configure via the Docker Admin Console. + ### Kubernetes |Parameter|OS|Description|Version|
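Review bot: In the interpolation.md hunk of PATCH 3, "a valid variable definition" should be "a valid variable reference" (Compose is reading a reference here, not defining anything), and the subject of "In other circumstances, it will be preserved" is ambiguous (the `$`? the whole string?). Suggested wording: "Compose interpolates a `$` only when it is followed by a valid variable reference: either a name matching `[_a-zA-Z][_a-zA-Z0-9]*` or an expression starting with `${`. Any other `$` is preserved literally." Note that the pattern also admits underscores, so "alphanumeric name" undersells it, and the bare hyphen used as a dash should be a comma or colon.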
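Review bot: "This let you pass values as-is" in the services.md `format` hunk (PATCH 3) should read "This lets you pass values as-is". It would also help to spell out the contrast the attribute exists for: with the default format a value containing `$` is subject to interpolation (and a literal dollar needs `$$`, per the interpolation.md hunk in this same patch), whereas with `format: raw` the value, including quotes and `$`, reaches the container unchanged.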
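Review bot: In the `tmpfs` hunk of services.md (PATCH 3), the placeholders come through empty: the YAML block shows `- ` and `- :`, and the definition list reads `- : The path inside the container where the tmpfs will be mounted.` and `- : Comma-separated list of options for the tmpfs mount.` That is what happens when a bare angle-bracket placeholder is parsed as an HTML tag by the Markdown renderer. Wrap the placeholders in backticks (for example `<path>` and `<path>:<options>`, names suggested here to match the two definitions) in both the YAML block and the definition items so they render. The options list would also benefit from the value format for each entry (octal permission bits for `mode`, numeric IDs for `uid` and `gid`), which the worked example `/data:mode=755,uid=1009,gid=1009` shows but the list does not state.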
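Review bot: The rewritten bullet in the PATCH 4 release-notes hunk still says "Enhance Container Isolation (ECI)", while the feature is named Enhanced Container Isolation elsewhere in this series (the ECI _index.md hunk reads "When Enhanced Container Isolation is enabled", and the directory is `enhanced-container-isolation`); fix the product name while the line is being rewritten. The sub-bullet "Allow admins to turn off Docker socket mount restrictions" also lost the explicitness of the old wording "Allow any container to mount the Docker socket with ECI"; a short clause saying that turning off the restriction lets every container mount the socket would keep the security impact visible to admins reading release notes.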
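Review bot: In the ECI config.md hunk of PATCH 5, the link whose text is `admin-settings.json` now points at `../settings-management/_index.md`, whereas the equivalent link in the ECI _index.md hunk of the same patch was repointed to `configure-json-file.md`. Since the link text names the file, point this one at the JSON-file page as well, and reserve `_index.md` for generic "Settings Management" mentions as the release-notes and Scout CLI hunks do.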
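Review bot: In the first settings-management/_index.md hunk of PATCH 5, the replacement sentence "Settings that are defined by an administrator override any previous values set by developers and ensure that these cannot be modified" is broader than the rest of the series supports: configure-json-file.md says each parameter "must contain the `locked` parameter", and the new configure-admin-console.md defines **Enabled** and **Disabled** states that "users can edit". Suggest restoring the distinction, for example: "Settings an administrator locks (`locked: true` in `admin-settings.json`, or **Always enabled**/**Always disabled** in the Admin Console) override values set by developers and cannot be changed by them; unlocked settings only set a default." The two new bullets are also not parallel ("An `admin-settings.json` file" versus "Creating a settings policy"); "A settings policy created in the Docker Admin Console" reads better.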
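Review bot: The "What's next?" hunk in settings-management/_index.md (PATCH 5) removes the file's trailing newline (`\ No newline at end of file`) and drops the "Video: Settings Management" link without a replacement; restore the newline, and if removing the video is intentional it should be called out in the description, since the rest of the change is a rename and link update.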
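Review bot: In step 6 of the new configure-admin-console.md (PATCH 5) the five setting states are listed, but the text never says which ones lock the setting. From the definitions given, only **Always enabled** and **Always disabled** prevent users from changing a setting, while **Enabled** and **Disabled** set a default users can edit; stating that mapping explicitly, and relating it to `locked: true`/`locked: false` in `admin-settings.json`, is what an admin building a security baseline needs. Two consequences worth adding in the same file: the note that settings sync "when a user is signed in and starts Docker Desktop, and then every 60 minutes" means a rollback (deleting the policy or setting items to **User-defined**) can take up to an hour to reach a running client unless the user re-launches, so say so next to the rollback sentence; and "Settings policies deployed via the Docker Admin Console take precedence over manually deployed `admin-settings.json` files" should warn that a console policy can therefore silently replace a locally enforced file. Smaller items: step 5 "Assign the setting policy" should be "settings policy", step 7 "Select **Create**" lacks a period, and the file has no trailing newline.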
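Review bot: The NOTE added at the end of the configure-json-file.md table in the last hunk of PATCH 5, "This setting is not available to configure via the Docker Admin Console", sits after two rows (`windowsContainers` and its nested `dockerDaemonOptions`) and just before "### Kubernetes", so it is not clear which setting it refers to. Name the setting in the note (for example "The `windowsContainers` options cannot be configured via the Docker Admin Console", if that is the intent), or record the limitation in the affected table row instead.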