diff --git a/_vale/Docker/Acronyms.yml b/_vale/Docker/Acronyms.yml index 08a81fb0731c..476d8937d5b9 100644 --- a/_vale/Docker/Acronyms.yml +++ b/_vale/Docker/Acronyms.yml @@ -8,6 +8,7 @@ first: '\b([A-Z]{2,5})\b' second: '(?:\b[A-Z][a-z]+ )+\(([A-Z]{2,5})s?\)' # ... with the exception of these: exceptions: + - ACH - AGPL - AI - API diff --git a/_vendor/github.com/docker/compose/v2/docs/reference/compose_build.md b/_vendor/github.com/docker/compose/v2/docs/reference/compose_build.md index 98d573e44c38..5589a46934c6 100644 --- a/_vendor/github.com/docker/compose/v2/docs/reference/compose_build.md +++ b/_vendor/github.com/docker/compose/v2/docs/reference/compose_build.md @@ -17,6 +17,7 @@ run `docker compose build` to rebuild it. |:----------------------|:--------------|:--------|:------------------------------------------------------------------------------------------------------------| | `--build-arg` | `stringArray` | | Set build-time variables for services | | `--builder` | `string` | | Set builder to use | +| `--check` | `bool` | | Check build configuration | | `--dry-run` | `bool` | | Execute command in dry run mode | | `-m`, `--memory` | `bytes` | `0` | Set memory limit for the build container. Not supported by BuildKit. | | `--no-cache` | `bool` | | Do not use cache when building the image | diff --git a/_vendor/github.com/docker/compose/v2/docs/reference/compose_config.md b/_vendor/github.com/docker/compose/v2/docs/reference/compose_config.md index 9e87efd29cbc..78c1835a5278 100644 --- a/_vendor/github.com/docker/compose/v2/docs/reference/compose_config.md +++ b/_vendor/github.com/docker/compose/v2/docs/reference/compose_config.md 
@@ -15,7 +15,7 @@ the canonical format. |:--------------------------|:---------|:--------|:----------------------------------------------------------------------------| | `--dry-run` | `bool` | | Execute command in dry run mode | | `--environment` | `bool` | | Print environment used for interpolation. | -| `--format` | `string` | `yaml` | Format the output. Values: [yaml \| json] | +| `--format` | `string` | | Format the output. Values: [yaml \| json] | | `--hash` | `string` | | Print the service config hash, one per line. | | `--images` | `bool` | | Print the image names, one per line. | | `--no-consistency` | `bool` | | Don't check model consistency - warning: may produce invalid Compose output | diff --git a/_vendor/github.com/docker/compose/v2/docs/reference/docker_compose_build.yaml b/_vendor/github.com/docker/compose/v2/docs/reference/docker_compose_build.yaml index 3f53dcf73628..1197d5314c47 100644 --- a/_vendor/github.com/docker/compose/v2/docs/reference/docker_compose_build.yaml +++ b/_vendor/github.com/docker/compose/v2/docs/reference/docker_compose_build.yaml @@ -33,6 +33,16 @@ options: experimentalcli: false kubernetes: false swarm: false + - option: check + value_type: bool + default_value: "false" + description: Check build configuration + deprecated: false + hidden: false + experimental: false + experimentalcli: false + kubernetes: false + swarm: false - option: compress value_type: bool default_value: "true" diff --git a/_vendor/github.com/docker/compose/v2/docs/reference/docker_compose_config.yaml b/_vendor/github.com/docker/compose/v2/docs/reference/docker_compose_config.yaml index 15b1e7dc3989..7ec479b2000b 100644 --- a/_vendor/github.com/docker/compose/v2/docs/reference/docker_compose_config.yaml +++ b/_vendor/github.com/docker/compose/v2/docs/reference/docker_compose_config.yaml 
@@ -21,7 +21,6 @@ options: swarm: false - option: format value_type: string - default_value: yaml description: 'Format the output. Values: [yaml | json]' deprecated: false hidden: false diff --git a/_vendor/modules.txt b/_vendor/modules.txt index ca334bf0d1a8..1a4ad2197dfa 100644 --- a/_vendor/modules.txt +++ b/_vendor/modules.txt @@ -1,6 +1,6 @@ # github.com/moby/moby v28.1.0-rc.2+incompatible -# github.com/moby/buildkit v0.21.0 +# github.com/moby/buildkit v0.21.1 # github.com/docker/buildx v0.23.0 -# github.com/docker/cli v28.1.0+incompatible -# github.com/docker/compose/v2 v2.35.1 +# github.com/docker/cli v28.1.1+incompatible +# github.com/docker/compose/v2 v2.36.0 # github.com/docker/scout-cli v1.15.0 diff --git a/content/get-started/docker-concepts/the-basics/what-is-a-container.md b/content/get-started/docker-concepts/the-basics/what-is-a-container.md index 89af955717ed..aeedde7fbd20 100644 --- a/content/get-started/docker-concepts/the-basics/what-is-a-container.md +++ b/content/get-started/docker-concepts/the-basics/what-is-a-container.md @@ -84,7 +84,7 @@ This container runs a web server that displays a simple website. When working wi When you launched the container, you exposed one of the container's ports onto your machine. Think of this as creating configuration to let you to connect through the isolated environment of the container. -For this container, the frontend is accessible on port `8080`. To open the website, select the link in the **Port(s)** column of your container or visit [http://localhost:8080](https://localhost:8080) in your browser. +For this container, the frontend is accessible on port `8080`. To open the website, select the link in the **Port(s)** column of your container or visit [http://localhost:8080](http://localhost:8080) in your browser. ![Screenshot of the landing page coming from the running container](images/access-the-frontend.webp?border) 
diff --git a/content/manuals/ai/mcp-catalog-and-toolkit/_index.md b/content/manuals/ai/mcp-catalog-and-toolkit/_index.md
new file mode 100644
index 000000000000..ef550dacb32f
--- /dev/null
+++ b/content/manuals/ai/mcp-catalog-and-toolkit/_index.md
@@ -0,0 +1,43 @@
+---
+title: Docker MCP Catalog and Toolkit
+linkTitle: MCP Catalog and Toolkit
+params:
+ sidebar:
+ group: AI
+ badge:
+ color: green
+ text: New
+weight: 30
+description: Learn about Docker's MCP catalog on Docker Hub and how to use it with the MCP Toolkit extension
+keywords: Docker, ai, mcp servers, ai agents, extension, docker desktop, llm, docker hub
+grid:
+ - title: MCP Catalog
+ description: Learn about the benefits of the MCP Catalog, how you can use it, and how you can contribute
+ icon: hub
+ link: /ai/mcp-catalog-and-toolkit/catalog/
+ - title: MCP Toolkit
+ description: Learn about how to use the MCP Toolkit extension on Docker Desktop
+ icon: manufacturing
+ link: /ai/mcp-catalog-and-toolkit/toolkit/
+---
+
+The Model Context Protocol (MCP) is a modern standard that transforms AI agents from passive responders into action-oriented systems. By standardizing how tools are described, discovered, and invoked, MCP enables agents to securely query APIs, access data, and execute services across diverse environments.
+
+As agents move into production, MCP solves common integration challenges — interoperability, reliability, and security — by providing a consistent, decoupled, and scalable interface between agents and tools. Just as containers redefined software deployment, MCP is reshaping how AI systems interact with the world.
+
+## What is Docker MCP Catalog and Toolkit?
+
+Docker MCP Catalog and Toolkit is a comprehensive solution for securely building, sharing, and running MCP tools. It simplifies the developer experience across four key areas:
+
+- Discovery: A central catalog with verified, versioned tools
+- Credential Management: OAuth-based and secure by default
+- Execution: Tools run in isolated, containerized environments
+- Portability: Use MCP tools across Claude, Cursor, VS Code, and more — no code changes needed
+
+With Docker Hub and the Docker Desktop extension, you can:
+
+- Launch MCP servers in seconds
+- Add tools via CLI or GUI
+- Rely on Docker’s pull-based infrastructure for trusted delivery
+
+{{< grid >}}
diff --git a/content/manuals/ai/mcp-catalog-and-toolkit/catalog.md b/content/manuals/ai/mcp-catalog-and-toolkit/catalog.md
new file mode 100644
index 000000000000..388f3925d707
--- /dev/null
+++ b/content/manuals/ai/mcp-catalog-and-toolkit/catalog.md
@@ -0,0 +1,94 @@
+---
+title: Docker MCP Catalog
+description: Learn about the benefits of the MCP Catalog, how you can use it, and how you can contribute
+keywords: docker hub, mcp, mcp servers, ai agents, calatog, docker
+---
+
+The [Docker MCP Catalog](https://hub.docker.com/catalogs/mcp) is a centralized, trusted registry for discovering, sharing, and running MCP-compatible tools. Seamlessly integrated into Docker Hub, it offers verified, versioned, and curated MCP servers packaged as Docker images.
+
+The catalog also solves common MCP server challenges:
+
+- Environment conflicts: Tools often need specific runtimes that may clash with existing setups.
+- Lack of isolation: Traditional setups risk exposing the host system.
+- Setup complexity: Manual installation and configuration result in slow adoption.
+- Inconsistency across platforms: Tools may behave unpredictably on different OSes.
+
+With Docker, each MCP server runs as a self-contained container so it is portable, isolated, and consistent. You can launch tools instantly using Docker CLI or Docker Desktop, without worrying about dependencies or compatibility.
+
+## Key features
+
+- Over 100 verified MCP servers in one place
+- Publisher verification and versioned releases
+- Pull-based distribution using Docker’s infrastructure
+- Tools provided by partners such as New Relic, Stripe, Grafana, and more
+
+## How it works
+
+Each tool in the MCP Catalog is packaged as a Docker image with metadata. Developers can:
+
+- Discover tools via Docker Hub under the mcp/ namespace.
+- Connect tools to their preferred agents with simple configuration through the [MCP Toolkit](toolkit.md)
+- Pull and run tools using Docker Desktop or the CLI.
+
+Each catalog entry provides:
+
+- Tool description and metadata
+- Version history
+- Example configuration for agent integration
+
+## Example: How to use an MCP server from Docker Hub
+
+The following example uses the Puppeteer MCP server to take a screenshot of a website and invert the colors using Claude Desktop.
+
+{{< tabs >}}
+{{< tab name="Using the MCP Toolkit (Recommended)" >}}
+
+1. Make sure you have [installed the Docker Desktop Docker MCP Toolkit extension](toolkit.md).
+2. From the extension, search for the Puppeteer MCP server in the **MCP Servers** tab, and toggle it on to enable.
+3. From the **MCP Clients** tab, select the **Connect** button for Claude Desktop.
+4. Within Claude Desktop, submit the following prompt using the Sonnet 3.5 model:
+
+ ```text
+ Take a screenshot of docs.docker.com and then invert the colors
+ ```
+
+{{< /tab >}}
+{{< tab name="Manually set it up" >}}
+
+1. Update the `claude_desktop_config.json` file to include the following configuration:
+
+ ```json
+ {
+ "mcpServers": {
+ "puppeteer": {
+ "command": "docker",
+ "args": [
+ "run",
+ "-i",
+ "--rm",
+ "-e",
+ "DOCKER_CONTAINER",
+ "mcp/puppeteer"
+ ],
+ "env": {
+ "DOCKER_CONTAINER": "true"
+ }
+ }
+ }
+ }
+ ```
+2. Restart Claude Desktop to apply the changed config file.
+3. Submit the following prompt using the Sonnet 3.5 model:
+
+ ```text
+ Take a screenshot of docs.docker.com and then invert the colors
+ ```
+
+Once you've given your consent to use the new tools, Claude spins up the Puppeteer MCP server inside a container, navigates to the target URL, captures and modify the page, and returns the screenshot.
+
+{{< /tab >}}
+{{< /tabs >}}
+
+## Contribute an MCP server to the catalog
+
+If you would like to add you MCP server to the Docker MCP Catalog, fill out the Docker [MCP submission form](https://www.docker.com/products/mcp-catalog-and-toolkit/#get_updates).
\ No newline at end of file
diff --git a/content/manuals/ai/mcp-catalog-and-toolkit/toolkit.md b/content/manuals/ai/mcp-catalog-and-toolkit/toolkit.md
new file mode 100644
index 000000000000..3af9971dbab9
--- /dev/null
+++ b/content/manuals/ai/mcp-catalog-and-toolkit/toolkit.md
@@ -0,0 +1,53 @@
+---
+title: MCP Toolkit
+description:
+keywords:
+---
+
+The Docker MCP Toolkit is a Docker Desktop extension local that enables seamless setup, management, and execution of containerized MCP servers and their connections to AI agents. It removes the friction from tool usage by offering secure defaults, one-click setup, and support for a growing ecosystem of LLM-based clients. It is the fastest path from MCP tool discovery to local execution.
+
+## Key features
+
+- Cross-LLM compatibility: Works out of the box with Claude Desktop, Cursor, Continue.dev, and [Gordon](/manuals/ai/gordon/_index.md).
+- Integrated tool discovery: Browse and launch MCP servers that are available in the Docker MCP Catalog, directly from Docker Desktop.
+- No manual setup: Skip dependency management, runtime setup, and manual server configuration.
+
+## How it works
+
+The **MCP Servers** tab lists all available servers from the Docker MCP Catalog. Each entry includes:
+
+- Tool name and description
+- Partner/publisher
+- Number of callable tools and what they are
+
+To enable an MCP server, simply use the toggle switch to toggle it on.
+
+> [!NOTE]
+>
+> Some MCP servers requires secrets or tokens to be configured before it can be enabled. Instructions on how to do this can be found on each MCP servers' repository.
+
+The **MCP Clients** tab lets you connect your enabled MCP servers to supported agents. Connection is as simple as selecting **Connect**, so you can switch between LLM providers without altering your MCP server integrations or security configurations.
+
+## Installation
+
+To install the Docker MCP Toolkit extension:
+
+1. In the Docker Desktop Dashboard, select the **Extensions** view, and then select **Manage**.
+2. Select the **Browse** tab and search for **Docker MCP Toolkit**.
+3. On the **Docker MCP Toolkit** result, select install.
+
+The extension then appears under the **My extensions** tab.
+
+### Example
+
+The following example assumes you have already installed and set up Claude Desktop.
+
+1. In the Docker MCP Toolkit extension, search for the Puppeteer MCP server in the **MCP Servers** tab, and toggle it on to enable.
+2. From the **MCP Clients** tab, select the **Connect** button for Claude Desktop.
+3. Within Claude Desktop, submit the following prompt using the Sonnet 3.5 model:
+
+ ```text
+ Take a screenshot of docs.docker.com and then invert the colors
+ ```
+
+Once you've given your consent to use the new tools, Claude spins up the Puppeteer MCP server inside a container, navigates to the target URL, captures and modify the page, and returns the screenshot.
\ No newline at end of file
diff --git a/content/manuals/ai/model-runner.md b/content/manuals/ai/model-runner.md
index 1f8aab071af9..84898f989dd5 100644
--- a/content/manuals/ai/model-runner.md
+++ b/content/manuals/ai/model-runner.md
@@ -11,6 +11,7 @@ description: Learn how to use Docker Model Runner to manage and run AI models. keywords: Docker, ai, model runner, docker deskotp, llm aliases: - /desktop/features/model-runner/ + - /ai/model-runner/ --- {{< summary-bar feature_name="Docker Model Runner" >}}
diff --git a/content/manuals/billing/cycle.md b/content/manuals/billing/cycle.md
index a8f5b2e09c5f..e3e98563ff5c 100644
--- a/content/manuals/billing/cycle.md
+++ b/content/manuals/billing/cycle.md
@@ -39,6 +39,11 @@ To change your billing cycle: 5. Select **Continue to payment**. 6. Verify payment information and select **Upgrade subscription**. +> [!NOTE] +> +> If you choose to pay using a US bank account, you must verify the account. For +> more information, see [Verify a bank account](manuals/billing/payment-method.md#verify-a-bank-account). + The billing plans and usage page will now reflect your new annual plan details. {{< /tab >}}
@@ -73,6 +78,11 @@ To change your organization's billing cycle: 5. Select **Continue to payment**. 6. Verify payment information and select **Upgrade subscription**. +> [!NOTE] +> +> If you choose to pay using a US bank account, you must verify the account. For +> more information, see [Verify a bank account](manuals/billing/payment-method.md#verify-a-bank-account). + {{< /tab >}} {{< tab name="Legacy Docker plan" >}} diff --git a/content/manuals/billing/faqs.md b/content/manuals/billing/faqs.md index 4bc962db7c13..d9212c8b50f7 100644 --- a/content/manuals/billing/faqs.md +++ b/content/manuals/billing/faqs.md @@ -17,6 +17,7 @@ weight: 60 - Diners - UnionPay - Link +- ACH transfer with a [verified](manuals/billing/payment-method.md#verify-a-bank-account) US bank account ### What currency is supported? diff --git a/content/manuals/billing/payment-method.md b/content/manuals/billing/payment-method.md index cfe74510ffb5..f4c2ad3e2a96 100644 --- a/content/manuals/billing/payment-method.md +++ b/content/manuals/billing/payment-method.md @@ -17,14 +17,18 @@ You can add a payment method or update your account's existing payment method at The following payment methods are supported: -- Visa -- MasterCard -- American Express -- Discover -- JCB -- Diners -- UnionPay -- Link +- Cards + - Visa + - MasterCard + - American Express + - Discover + - JCB + - Diners + - UnionPay +- Wallets + - Stripe Link +- Bank accounts + - ACH transfer with a [verified](manuals/billing/payment-method.md#verify-a-bank-account) US bank account All currency, for example the amount listed on your billing invoice, is in United States dollar (USD). 
@@ -44,15 +48,26 @@ To add a payment method: 3. Select **Payment methods** from the left-hand menu. 4. Select **Add payment method**. 5. Enter your new payment information: - - If you are adding a card, fill out the card information form. - - If you are adding a Link payment, select **Secure, 1-click checkout with Link** - and enter your Link **email address** and **phone number**. If you are not - an existing Link customer, you must fill out the card information form to - store a card for Link payments. + - If you are adding a card: + - Select **Card** and fill out the card information form. + - If you are adding a Link payment: + - Select **Secure, 1-click checkout with Link** and enter your Link **email address** and **phone number**. + - If you are not an existing Link customer, you must fill out the card information form to store a card for Link payments. + - If you are adding a bank account: + - Select **US bank account**. + - Verify your **Email** and **Full name**. + - If your bank is listed, select your bank's name. + - If your bank is not listed, select **Search for your bank**. + - To verify your bank account, see [Verify a bank account](manuals/billing/payment-method.md#verify-a-bank-account). 6. Select **Add payment method**. 7. Optional. You can set a new default payment method by selecting the **Set as default** action. 8. Optional. You can remove non-default payment methods by selecting the **Delete** action. +> [!NOTE] +> +> If you want to set a US bank account as your default payment method, you must +> verify the account first. + {{< /tab >}} {{< tab name="Legacy Docker plan" >}} 
@@ -64,11 +79,11 @@ To add a payment method: 4. Select the **Payment methods and billing history** link. 5. In the **Payment method** section, select **Add payment method**. 6. Enter your new payment information: - - If you are adding a card, fill out the card information form. - - IIf you are adding a Link payment, select **Secure, 1-click checkout with Link** - and enter your Link **email address** and **phone number**. If you are not - an existing Link customer, you must fill out the card information form to - store a card for Link payments. + - If you are adding a card: + - Select **Card** and fill out the card information form. + - If you are adding a Link payment: + - Select **Secure, 1-click checkout with Link** and enter your Link **email address** and **phone number**. + - If you are not an existing Link customer, you must fill out the card information form to store a card for Link payments. 7. Select **Add**. 8. Select the **Actions** icon, then select **Make default** to ensure that your new payment method applies to all purchases and subscriptions. 9. Optional. You can remove non-default payment methods by selecting the **Actions** icon. Then, select **Delete**. 
@@ -93,14 +108,26 @@ To add a payment method: 4. Select **Payment methods** from the left-hand menu. 5. Select **Add payment method**. 6. Enter your new payment information: - - If you are adding a card, fill out the card information form. - - If you are adding a Link payment, select **Secure, 1-click checkout with Link** - and enter your Link **email address** and **phone number**. If you are not - an existing Link customer, you must fill out the card information form to - store a card for Link payments. + - If you are adding a card: + - Select **Card** and fill out the card information form. + - If you are adding a Link payment: + - Select **Secure, 1-click checkout with Link** and enter your Link **email address** and **phone number**. + - If you are not an existing Link customer, you must fill out the card information form to store a card for Link payments. + - If you are adding a bank account: + - Select **US bank account**. + - Verify your **Email** and **Full name**. + - If your bank is listed, select your bank's name. + - If your bank is not listed, select **Search for your bank**. + - To verify your bank account, see [Verify a bank account](manuals/billing/payment-method.md#verify-a-bank-account). 7. Select **Add payment method**. -8. Optional. You can set a new default payment method by selecting the **Set as default** action. -9. Optional. You can remove non-default payment methods by selecting the **Delete** action. +8. Select **Add payment method**. +9. Optional. You can set a new default payment method by selecting the **Set as default** action. +10. Optional. You can remove non-default payment methods by selecting the **Delete** action. + +> [!NOTE] +> +> If you want to set a US bank account as your default payment method, you must +> verify the account first. {{< /tab >}} {{< tab name="Legacy Docker plan" >}} 
@@ -114,11 +141,11 @@ To add a payment method: 5. Select the **Payment methods and billing history** link. 6. In the **Payment Method** section, select **Add payment method**. 7. Enter your new payment information: - - If you are adding a card, fill out the card information form. - - If you are adding a Link payment, select **Secure, 1-click checkout with Link** - and enter your Link **email address** and **phone number**. If you are not - an existing Link customer, you must fill out the card information form to - store a card for Link payments. + - If you are adding a card: + - Select **Card** and fill out the card information form. + - If you are adding a Link payment: + - Select **Secure, 1-click checkout with Link** and enter your Link **email address** and **phone number**. + - If you are not an existing Link customer, you must fill out the card information form to store a card for Link payments. 8. Select **Add payment method**. 9. Select the **Actions** icon, then select **Make default** to ensure that your new payment method applies to all purchases and subscriptions. 10. Optional. You can remove non-default payment methods by selecting the **Actions** icon. Then, select **Delete**. 
@@ -126,6 +153,42 @@ To add a payment method: {{< /tab >}} {{< /tabs >}} +## Verify a bank account + +There are two ways to verify a bank account as a payment method: + +- Instant verification: Docker supports several major banks for instant verification. +- Manual verification: All other banks must be verified manually. + +### Instant verification + +To verify your bank account instantly, you must sign in to your bank account +from the Docker billing flow: + +1. Choose **US bank account** as your payment method. +2. Verify your **Email** and **Full name**. +3. If your bank is listed, select your bank's name or select **Search for your bank**. +4. Sign in to your bank and review the terms and conditions. This agreement +allows Docker to debit payments from your connected bank account. +5. Select **Agree and continue**. +6. Select an account to link and verify, and select **Connect account**. + +When the account is verified, you will see a success message in the pop-up modal. + +### Manual verification + +To verify your bank account manually, you must enter the micro-deposit amount from your bank statement: + +1. Choose **US bank account** as your payment method. +2. Verify your **Email** and **First and last name**. +3. Select **Enter bank details manually instead**. +4. Enter your bank details: **Routing number** and **Account number**. +5. Select **Submit**. +6. You will receive an email with instructions on how to manually verify. + +Manual verification uses micro-deposits. You should see a small deposit +(e.g. $-0.01) in your bank account in 1-2 business days. Open your manual verification email and enter the amount of this deposit to verify your account. + ## Failed payments > [!NOTE] diff --git a/content/manuals/build-cloud/ci.md b/content/manuals/build-cloud/ci.md index 71a709f30328..f51931381830 100644 --- a/content/manuals/build-cloud/ci.md +++ b/content/manuals/build-cloud/ci.md 
@@ -29,30 +29,53 @@ See [Loading build results](./usage/#loading-build-results) for details. > [!NOTE] > -> Builds on Docker Build Cloud have a timeout limit of two hours. Builds that -> run for longer than two hours are automatically cancelled. +> Builds on Docker Build Cloud have a timeout limit of 90 minutes. Builds that +> run for longer than 90 minutes are automatically cancelled. -## CI platform examples +## Setting up credentials for CI/CD -### GitHub Actions +To enable your CI/CD system to build and push images using Docker Build Cloud, provide both an access token and a username. The type of token and the username you use depend on your account type and permissions. + +- If you are an organization administrator or have permission to create [organization access tokens (OAT)](../security/for-admins/access-tokens.md), use an OAT and set `DOCKER_USER` to your Docker Hub organization name. +- If you do not have permission to create OATs or are using a personal account, use a [personal access token (PAT)](/security/for-developers/access-tokens/) and set `DOCKER_USER` to your Docker Hub username. + +### Creating access tokens + +#### For organization accounts + +If you are an organization administrator: + +1. Create an [organization access token (OAT)](../security/for-admins/access-tokens.md): + - The token must have these permissions: + - **cloud-connect** scope + - **Read public repositories** permission + - **Repository access** with **Image push** permission for the target repository: + - Expand the **Repository** drop-down. + - Select **Add repository** and choose your target repository. + - Set the **Image push** permission for the repository. + +If you are not an organization administrator: + +- Ask your organization administrator for an access token with the permissions listed above, or use a personal access token. + +#### For personal accounts + +1. 
Create a [personal access token (PAT)](/security/for-developers/access-tokens/): + - Create a new token with **Read & write** access. + - Note: Building with Docker Build Cloud only requires read access, but you need write access to push images to a Docker Hub repository. + + +## CI platform examples > [!NOTE] > -> Version 4.0.0 and later of `docker/build-push-action` and -> `docker/bake-action` builds images with [provenance attestations by -> default](/manuals/build/ci/github-actions/attestations.md#default-provenance). Docker -> Build Cloud automatically attempts to load images to the local image store if -> you don't explicitly push them to a registry. -> -> This results in a conflicting scenario where if you build a tagged image -> without pushing it to a registry, Docker Build Cloud attempts to load images -> containing attestations. But the local image store on the GitHub runner -> doesn't support attestations, and the image load fails as a result. +> In your CI/CD configuration, set the following variables: +> - `DOCKER_PAT` — your access token (PAT or OAT) +> - `DOCKER_USER` — your Docker Hub username (for PAT) or organization name (for OAT) > -> If you want to load images built with `docker/build-push-action` together -> with Docker Build Cloud, you must disable provenance attestations by setting -> `provenance: false` in the GitHub Action inputs (or in `docker-bake.hcl` if -> you use Bake). +> This ensures your builds authenticate correctly with Docker Build Cloud. + +### GitHub Actions ```yaml name: ci 
@@ -381,7 +404,7 @@ mkdir -vp ~/.docker/cli-plugins/ curl --silent -L --output ~/.docker/cli-plugins/docker-buildx $BUILDX_URL chmod a+x ~/.docker/cli-plugins/docker-buildx -# Login to Docker Hub. For security reasons $DOCKER_PAT should be a Personal Access Token. See https://docs.docker.com/security/for-developers/access-tokens/ +# Login to Docker Hub. For security reasons $DOCKER_PAT should be a Personal Access Token. See https://docs.docker.com/build-cloud/ci/#creating-access-tokens echo "$DOCKER_PAT" | docker login --username $DOCKER_USER --password-stdin # Connect to your builder and set it as the default builder @@ -426,7 +449,7 @@ curl --silent -L --output ~/.docker/cli-plugins/docker-compose $COMPOSE_URL chmod a+x ~/.docker/cli-plugins/docker-buildx chmod a+x ~/.docker/cli-plugins/docker-compose -# Login to Docker Hub. For security reasons $DOCKER_PAT should be a Personal Access Token. See https://docs.docker.com/security/for-developers/access-tokens/ +# Login to Docker Hub. For security reasons $DOCKER_PAT should be a Personal Access Token. See https://docs.docker.com/build-cloud/ci/#creating-access-tokens echo "$DOCKER_PAT" | docker login --username $DOCKER_USER --password-stdin # Connect to your builder and set it as the default builder diff --git a/content/manuals/compose/how-tos/dependent-images.md b/content/manuals/compose/how-tos/dependent-images.md index 238f27efb40a..d62668548acf 100644 --- a/content/manuals/compose/how-tos/dependent-images.md +++ b/content/manuals/compose/how-tos/dependent-images.md 
@@ -9,12 +9,12 @@ weight: 50 To reduce push/pull time and image weight, a common practice for Compose applications is to have services share base layers as much as possible. You will typically select the same operating system base image for -all services. But you also can get one step further sharing image layers when your images share the same +all services. But you can also get one step further by sharing image layers when your images share the same system packages. The challenge to address is then to avoid repeating the exact same Dockerfile instruction in all services. For illustration, this page assumes you want all your services to be built with an `alpine` base -image and install system package `openssl`. +image and install the system package `openssl`. ## Multi-stage Dockerfile @@ -161,4 +161,4 @@ Bake can also be selected as the default builder by editing your `$HOME/.docker/ } ... } -``` \ No newline at end of file +``` diff --git a/content/manuals/compose/how-tos/environment-variables/envvars.md b/content/manuals/compose/how-tos/environment-variables/envvars.md index 88410e4ce6d9..67d5929673fa 100644 --- a/content/manuals/compose/how-tos/environment-variables/envvars.md +++ b/content/manuals/compose/how-tos/environment-variables/envvars.md @@ -50,7 +50,7 @@ Compose can set the project name in different ways. The level of precedence (fro 1. The `-p` command line flag 2. `COMPOSE_PROJECT_NAME` -3. The top level `name:` variable from the config file (or the last `name:` from +3. The top-level `name:` variable from the config file (or the last `name:` from a series of config files specified using `-f`) 4. The `basename` of the project directory containing the config file (or containing the first config file specified using `-f`) 
@@ -78,7 +78,7 @@ Specifies the path to a Compose file. Specifying multiple Compose files is suppo ``` The path separator can also be customized using [`COMPOSE_PATH_SEPARATOR`](#compose_path_separator). -See also the [command-line options overview](/reference/cli/docker/compose/_index.md#command-options-overview-and-help) and [using `-f` to specify name and path of one or more Compose files](/reference/cli/docker/compose/_index.md#use--f-to-specify-name-and-path-of-one-or-more-compose-files). +See also the [command-line options overview](/reference/cli/docker/compose/_index.md#command-options-overview-and-help) and [using `-f` to specify name and path of one or more Compose files](/reference/cli/docker/compose/_index.md#use--f-to-specify-the-name-and-path-of-one-or-more-compose-files). ### COMPOSE\_PROFILES 
@@ -86,18 +86,18 @@ Specifies one or more profiles to be enabled when `docker compose up` is run. Services with matching profiles are started as well as any services for which no profile has been defined. -For example, calling `docker compose up`with `COMPOSE_PROFILES=frontend` selects services with the +For example, calling `docker compose up` with `COMPOSE_PROFILES=frontend` selects services with the `frontend` profile as well as any services without a profile specified. If specifying multiple profiles, use a comma as a separator. -This following example enables all services matching both the `frontend` and `debug` profiles and services without a profile. +The following example enables all services matching both the `frontend` and `debug` profiles and services without a profile. ```console COMPOSE_PROFILES=frontend,debug ``` -See also [Using profiles with Compose](../profiles.md) and the [`--profile` command-line option](/reference/cli/docker/compose/_index.md#use---profile-to-specify-one-or-more-active-profiles). +See also [Using profiles with Compose](../profiles.md) and the [`--profile` command-line option](/reference/cli/docker/compose/_index.md#use-profiles-to-enable-optional-services). ### COMPOSE\_CONVERT\_WINDOWS\_PATHS @@ -179,7 +179,7 @@ When enabled, Compose displays a navigation menu where you can choose to open th - Supported values: - `true` or `1`, to enable - `false` or `0`, to disable -- Defaults to: `1` if you obtained Docker Compose through Docker Desktop, otherwise default is `0` +- Defaults to: `1` if you obtained Docker Compose through Docker Desktop, otherwise the default is `0` ### COMPOSE\_EXPERIMENTAL diff --git a/content/manuals/compose/how-tos/file-watch.md b/content/manuals/compose/how-tos/file-watch.md index 5cef4963916e..e59386d267eb 100644 --- a/content/manuals/compose/how-tos/file-watch.md +++ b/content/manuals/compose/how-tos/file-watch.md 
@@ -31,8 +31,8 @@ Compose supports sharing a host directory inside service containers. Watch mode More importantly, `watch` allows for greater granularity than is practical with a bind mount. Watch rules let you ignore specific files or entire directories within the watched tree. For example, in a JavaScript project, ignoring the `node_modules/` directory has two benefits: -* Performance. File trees with many small files can cause high I/O load in some configurations -* Multi-platform. Compiled artifacts cannot be shared if the host OS or architecture is different to the container +* Performance. File trees with many small files can cause a high I/O load in some configurations +* Multi-platform. Compiled artifacts cannot be shared if the host OS or architecture is different from the container For example, in a Node.js project, it's not recommended to sync the `node_modules/` directory. Even though JavaScript is interpreted, `npm` packages can contain native code that is not portable across platforms. @@ -88,12 +88,12 @@ If `action` is set to `rebuild`, Compose automatically builds a new image with B The behavior is the same as running `docker compose up --build `. -Rebuild is ideal for compiled languages or as fallbacks for modifications to particular files that require a full +Rebuild is ideal for compiled languages or as a fallback for modifications to particular files that require a full image rebuild (e.g. `package.json`). #### Sync + Restart -If `action` is set to `sync+restart`, Compose synchronizes your changes with the service containers and restarts it. +If `action` is set to `sync+restart`, Compose synchronizes your changes with the service containers and restarts them. `sync+restart` is ideal when the config file changes, and you don't need to rebuild the image but just restart the main process of the service containers. It will work well when you update a database configuration or your `nginx.conf` file, for example. 
diff --git a/content/manuals/compose/how-tos/model-runner.md b/content/manuals/compose/how-tos/model-runner.md index 36d27b2b7eba..2a7fca43ca83 100644 --- a/content/manuals/compose/how-tos/model-runner.md +++ b/content/manuals/compose/how-tos/model-runner.md @@ -33,21 +33,21 @@ services: chat: image: my-chat-app depends_on: - - ai-runner + - ai_runner - ai-runner: + ai_runner: provider: type: model options: model: ai/smollm2 ``` -Notice the dedicated `provider` attribute in the `ai-runner` service. +Notice the dedicated `provider` attribute in the `ai_runner` service. This attribute specifies that the service is a model provider and lets you define options such as the name of the model to be used. There is also a `depends_on` attribute in the `chat` service. -This attribute specifies that the `chat` service depends on the `ai-runner` service. -This means that the `ai-runner` service will be started before the `chat` service to allow injection of model information to the `chat` service. +This attribute specifies that the `chat` service depends on the `ai_runner` service. +This means that the `ai_runner` service will be started before the `chat` service to allow injection of model information to the `chat` service. ## How it works @@ -56,8 +56,8 @@ It also sends Compose the model tag name and the URL to access the model runner. This information is then passed to services which declare a dependency on the model provider. In the example above, the `chat` service receives 2 environment variables prefixed by the service name: - - `AI-RUNNER_URL` with the URL to access the model runner - - `AI-RUNNER_MODEL` with the model name which could be passed with the URL to request the model. + - `AI_RUNNER_URL` with the URL to access the model runner + - `AI_RUNNER_MODEL` with the model name which could be passed with the URL to request the model. This lets the `chat` service to interact with the model and use it for its own purposes. 
diff --git a/content/manuals/compose/how-tos/oci-artifact.md b/content/manuals/compose/how-tos/oci-artifact.md index 33ce8042fc22..0791df4e6f6b 100644 --- a/content/manuals/compose/how-tos/oci-artifact.md +++ b/content/manuals/compose/how-tos/oci-artifact.md @@ -141,3 +141,9 @@ Do you want to continue? [y/N]: y Your compose stack "oci://registry.example.com/stack:latest" is stored in "~/Library/Caches/docker-compose/964e715660d6f6c3b384e05e7338613795f7dcd3613890cfa57e3540353b9d6d" ``` + +The `docker compose publish` command supports non-interactive execution, letting you skip the confirmation prompt by including the `-y` (or `--yes`) flag: + +```console +$ docker compose publish -y username/my-compose-app:latest +``` diff --git a/content/manuals/compose/how-tos/provider-services.md b/content/manuals/compose/how-tos/provider-services.md new file mode 100644 index 000000000000..fa1ddbb3dad7 --- /dev/null +++ b/content/manuals/compose/how-tos/provider-services.md 
@@ -0,0 +1,125 @@
+---
+title: Use provider services
+description: Learn how to use provider services in Docker Compose to integrate external capabilities into your applications
+keywords: compose, docker compose, provider, services, platform capabilities, integration, model runner, ai
+weight: 112
+params:
+ sidebar:
+ badge:
+ color: green
+ text: New
+---
+
+{{< summary-bar feature_name="Compose provider services" >}}
+
+Docker Compose supports provider services, which allow integration with services whose lifecycles are managed by third-party components rather than by Compose itself.
+This feature enables you to define and utilize platform-specific services without the need for manual setup or direct lifecycle management.
+
+
+## What are provider services?
+
+Provider services are a special type of service in Compose that represents platform capabilities rather than containers.
+They allow you to declare dependencies on specific platform features that your application needs.
+
+When you define a provider service in your Compose file, Compose works with the platform to provision and configure
+the requested capability, making it available to your application services.
+
+## Using provider services
+
+To use a provider service in your Compose file, you need to:
+
+1. Define a service with the `provider` attribute
+2. Specify the `type` of provider you want to use
+3. Configure any provider-specific options
+4. Declare dependencies from your application services to the provider service
+
+Here's a basic example:
+
+```yaml
+services:
+ database:
+ provider:
+ type: awesomecloud
+ options:
+ type: mysql
+ foo: bar
+ app:
+ image: myapp
+ depends_on:
+ - database
+```
+
+Notice the dedicated `provider` attribute in the `database` service.
+This attribute specifies that the service is managed by a provider and lets you define options specific to that provider type.
+
+The `depends_on` attribute in the `app` service specifies that it depends on the `database` service.
+This means that the `database` service will be started before the `app` service, allowing the provider information
+to be injected into the `app` service.
+
+## How it works
+
+During the `docker compose up` command execution, Compose identifies services relying on providers and works with them to provision
+the requested capabilities. The provider then populates Compose model with information about how to access the provisioned resource.
+
+This information is passed to services that declare a dependency on the provider service, typically through environment
+variables. The naming convention for these variables is:
+
+```env
+<>_<>
+```
+
+For example, if your provider service is named `database`, your application service might receive environment variables like:
+
+- `DATABASE_URL` with the URL to access the provisioned resource
+- `DATABASE_TOKEN` with an authentication token
+- Other provider-specific variables
+
+Your application can then use these environment variables to interact with the provisioned resource.
+
+## Provider types
+
+The `type` field in a provider service references the name of either:
+
+1. A Docker CLI plugin (e.g., `docker-model`)
+2. A binary available in the user's PATH
+
+When Compose encounters a provider service, it looks for a plugin or binary with the specified name to handle the provisioning of the requested capability.
+
+For example, if you specify `type: model`, Compose will look for a Docker CLI plugin named `docker-model` or a binary named `model` in the PATH.
+
+```yaml
+services:
+ ai-runner:
+ provider:
+ type: model # Looks for docker-model plugin or model binary
+ options:
+ model: ai/example-model
+```
+
+The plugin or binary is responsible for:
+
+1. Interpreting the options provided in the provider service
+2. Provisioning the requested capability
+3. Returning information about how to access the provisioned resource
+
+This information is then passed to dependent services as environment variables.
+
+## Benefits of using provider services
+
+Using provider services in your Compose applications offers several benefits:
+
+1. Simplified configuration: You don't need to manually configure and manage platform capabilities
+2. Declarative approach: You can declare all your application's dependencies in one place
+3. Consistent workflow: You use the same Compose commands to manage your entire application, including platform capabilities
+
+## Creating your own provider
+
+If you want to create your own provider to extend Compose with custom capabilities, you can implement a Compose plugin that registers provider types.
+
+For detailed information on how to create and implement your own provider, refer to the [Compose Extensions documentation](https://github.com/docker/compose/blob/main/docs/extension.md).
+This guide explains the extension mechanism that allows you to add new provider types to Compose.
+
+## Reference
+
+- [Docker Model Runner documentation](/manuals/ai/model-runner.md)
+- [Compose Extensions documentation](https://github.com/docker/compose/blob/main/docs/extension.md)
\ No newline at end of file
diff --git a/content/manuals/compose/releases/release-notes.md b/content/manuals/compose/releases/release-notes.md
index b90bed1afe75..a37c97ff2048 100644
--- a/content/manuals/compose/releases/release-notes.md
+++ b/content/manuals/compose/releases/release-notes.md
@@ -13,6 +13,25 @@ aliases: For more detailed information, see the [release notes in the Compose repo](https://github.com/docker/compose/releases/). +## 2.36.0 + +{{< release-date date="2025-05-07" >}} + +### Bug fixes and enhancements + +- Introduced `networks.interface_name` +- Added support for `COMPOSE_PROGRESS` env variable +- Added `service.provider` to external binaries +- Introduced build `--check` flag +- Fixed multiple panic issues when parsing Compose files + +### Update + +- Dependencies upgrade: bump compose-go to v2.6.2 +- Dependencies upgrade: bump docker engine and cli to v28.1.0 +- Dependencies upgrade: bump containerd to 2.0.5 +- Dependencies upgrade: bump buildkit to v0.21.1 + ## 2.35.1 {{< release-date date="2025-04-17" >}} diff --git a/content/manuals/desktop/features/dev-box.md b/content/manuals/desktop/features/dev-box.md new file mode 100644 index 000000000000..31f7b7822cd9 --- /dev/null +++ b/content/manuals/desktop/features/dev-box.md 
@@ -0,0 +1,55 @@
+---
+Title: Docker Desktop in Microsoft Dev Box
+description: Learn about the benefits of and how to setup Docker Desktop in Microsoft Dev Box
+keywords: desktop, docker, windows, microsoft dev box
+---
+
+Docker Desktop is available as a pre-configured image in the Microsoft Azure Marketplace for use with Microsoft Dev Box, allowing developers to quickly set up consistent development environments in the cloud.
+
+Microsoft Dev Box provides cloud-based, pre-configured developer workstations that allow you to code, build, and test applications without configuring a local development environment. The Docker Desktop image for Microsoft Dev Box comes with Docker Desktop and its dependencies pre-installed, giving you a ready-to-use containerized development environment.
+
+## Key benefits
+
+- Pre-configured environment: Docker Desktop, WSL2, and other requirements come pre-installed and configured
+- Consistent development: Ensure all team members work with the same Docker environment
+- Powerful resources: Access more compute power and storage than might be available on local machines
+- State persistence: Dev Box maintains your state between sessions, similar to hibernating a local machine
+- Seamless licensing: Use your existing Docker subscription or purchase a new one directly through Azure Marketplace
+
+## Setup
+
+### Prerequisites
+
+- An Azure subscription
+- Access to Microsoft Dev Box
+- A Docker subscription (Pro, Team, or Business). You can use Docker Desktop in Microsoft Dev Box with any of the following subscription options:
+ - An existing or new Docker subscription
+ - A new Docker subscription purchased through Azure Marketplace
+ - A Docker Business subscription with SSO configured for your organization
+
+### Set up Docker Desktop in Dev Box
+
+1.
Navigate to the [Docker Desktop for Microsoft Dev Box](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/dockerinc1694120899427.devbox_azuremachine?tab=Overview) listing in Azure Marketplace. +2. Select **Get It Now** to add the virtual machine image to your subscription. +3. Follow the Azure workflow to complete the setup. +4. Use the image to create VMs, assign to Dev Centers, or create Dev Box Pools according to your organization's setup. + +### Activate Docker Desktop + +Once your Dev Box is provisioned with the Docker Desktop image: + +1. Start your Dev Box instance. +2. Launch Docker Desktop. +3. Sign in with your Docker ID. + +## Support + +For issues related to: + +- Docker Desktop configuration, usage, or licensing: Create a support ticket through [Docker Support](https://hub.docker.com/support). +- Dev Box creation, Azure portal configuration, or networking: Contact Azure Support. + +## Limitations + +- Microsoft Dev Box is currently only available on Windows 10 and 11 (Linux VMs are not supported). +- Performance may vary based on your Dev Box configuration and network conditions. diff --git a/content/manuals/desktop/features/kubernetes.md b/content/manuals/desktop/features/kubernetes.md index 1a7f77313e15..6319a7955a2e 100644 --- a/content/manuals/desktop/features/kubernetes.md +++ b/content/manuals/desktop/features/kubernetes.md @@ -81,14 +81,6 @@ The following table summarizes this comparison. | Works with containerd image store | Yes | Yes | | Works with Docker image store | Yes | No | -### Additional settings - -#### Viewing system containers - -By default, Kubernetes system containers are hidden. To inspect these containers, enable **Show system containers (advanced)**. - -You can now view the running Kubernetes containers with `docker ps` or in the Docker Desktop Dashboard. - ## Using the kubectl command Kubernetes integration automatically installs the Kubernetes CLI command 
@@ -131,6 +123,104 @@ For more information about `kubectl`, see the Kubernetes clusters are not automatically upgraded with Docker Desktop updates. To upgrade the cluster, you must manually select **Reset Kubernetes Cluster** in settings. +## Additional settings + +### Viewing system containers + +By default, Kubernetes system containers are hidden. To inspect these containers, enable **Show system containers (advanced)**. + +You can now view the running Kubernetes containers with `docker ps` or in the Docker Desktop Dashboard. + +### Configuring a custom image registry for Kubernetes control plane images + +Docker Desktop uses containers to run the Kubernetes control plane. By default, Docker Desktop pulls +the associated container images from Docker Hub. The images pulled depend on the [cluster provisioning mode](#cluster-provisioning-method). + +For example, in `kind` mode it requires the following images: + +```console +docker.io/kindest/node: +docker.io/docker/desktop-cloud-provider-kind: +docker.io/docker/desktop-containerd-registry-mirror: +``` + +In `kubeadm` mode it requires the following images: + +```console +docker.io/registry.k8s.io/kube-controller-manager: +docker.io/registry.k8s.io/kube-apiserver: +docker.io/registry.k8s.io/kube-scheduler: +docker.io/registry.k8s.io/kube-proxy +docker.io/registry.k8s.io/etcd: +docker.io/registry.k8s.io/pause: +docker.io/registry.k8s.io/coredns/coredns: +docker.io/docker/desktop-storage-provisioner: +docker.io/docker/desktop-vpnkit-controller: +docker.io/docker/desktop-kubernetes: +``` + +The image tags are automatically selected by Docker Desktop based on several +factors, including the version of Kubernetes being used. The tags vary for each image. 
+ +To accommodate scenarios where access to Docker Hub is not allowed, admins can +configure Docker Desktop to pull the above listed images from a different registry (e.g., a mirror) +using the [KubernetesImagesRepository](../../security/for-admins/hardened-desktop/settings-management/configure-json-file.md#kubernetes) setting as follows. + +An image name can be broken into `[registry[:port]/][namespace/]repository[:tag]` components. +The `KubernetesImagesRepository` setting allows users to override the `[registry[:port]/][namespace]` +portion of the image's name. + +For example, if Docker Desktop Kubernetes is configured in `kind` mode and +`KubernetesImagesRepository` is set to `my-registry:5000/kind-images`, then +Docker Desktop will pull the images from: + +```console +my-registry:5000/kind-images/node: +my-registry:5000/kind-images/desktop-cloud-provider-kind: +my-registry:5000/kind-images/desktop-containerd-registry-mirror: +``` + +These images should be cloned/mirrored from their respective images in Docker Hub. The tags must +also match what Docker Desktop expects. + +The recommended approach to set this up is the following: + +1) Start Docker Desktop. + +2) In Settings > Kubernetes, enable the *Show system containers* setting. + +3) In Settings > Kubernetes, start Kubernetes using the desired cluster provisioning method: `kubeadm` or `kind`. + +4) Wait for Kubernetes to start. + +5) Use `docker ps` to view the container images used by Docker Desktop for the Kubernetes control plane. + +6) Clone or mirror those images (with matching tags) to your custom registry. + +7) Stop the Kubernetes cluster. + +8) Configure the `KubernetesImagesRepository` setting to point to your custom registry. + +9) Restart Docker Desktop. + +10) Verify that the Kubernetes cluster is using the custom registry images using the `docker ps` command. 
+ +> [!NOTE] +> +> The `KubernetesImagesRepository` setting only applies to control plane images used by Docker Desktop +> to set up the Kubernetes cluster. It has no effect on other Kubernetes pods. + +> [!NOTE] +> +> When using `KubernetesImagesRepository` and [Enhanced Container Isolation (ECI)](../../security/for-admins/hardened-desktop/enhanced-container-isolation/_index.md) +> is enabled, add the following images to the [ECI Docker socket mount image list](../../security/for-admins/hardened-desktop/settings-management/configure-json-file.md#enhanced-container-isolation): +> +> * [imagesRepository]/desktop-cloud-provider-kind:* +> * [imagesRepository]/desktop-containerd-registry-mirror:* +> +> These containers mount the Docker socket, so you must add the images to the ECI images list. If not, +> ECI will block the mount and Kubernetes won't start. + ## Troubleshooting - If Kubernetes fails to start, make sure Docker Desktop is running with enough allocated resources. Check **Settings** > **Resources**. diff --git a/content/manuals/desktop/release-notes.md b/content/manuals/desktop/release-notes.md index 986e9ba778ef..48295917df0b 100644 --- a/content/manuals/desktop/release-notes.md +++ b/content/manuals/desktop/release-notes.md 
@@ -29,6 +29,34 @@ For more frequently asked questions, see the [FAQs](/manuals/desktop/troubleshoo > > If you're experiencing malware detection issues on Mac, follow the steps documented in [docker/for-mac#7527](https://github.com/docker/for-mac/issues/7527). +## 4.41.2 + +{{< release-date date="2025-05-06" >}} + +{{< desktop-install-v2 all=true beta_win_arm=true version="4.41.2" build_path="/191736/" >}} + +### Bug fixes and enhancements + +#### For all platforms + +- Fixed an issue where the `Models` menu was displayed in the GUI even when Docker Model Runner was not supported or not enabled. + +## 4.41.1 + +{{< release-date date="2025-04-30" >}} + +{{< desktop-install-v2 all=true beta_win_arm=true version="4.41.1" build_path="/191279/" >}} + +### Bug fixes and enhancements + +#### For all platforms + +- Fixed an issue where Docker Desktop failed to start when a proxy configuration was specified in the `admin-settings.json` file. + +#### For Windows + +- Fixed possible conflict with 3rd party tools (for example, Ollama) by avoiding placing `llama.cpp` DLLs in a directory included in the system `PATH`. + ## 4.41.0 {{< release-date date="2025-04-28" >}} 
@@ -51,9 +79,11 @@ For more frequently asked questions, see the [FAQs](/manuals/desktop/troubleshoo - [Docker Scout CLI v1.17.1](https://github.com/docker/scout-cli/releases/tag/v1.17.1) - [Compose Bridge v0.0.19](https://github.com/docker/compose-bridge-binaries/releases/tag/v0.0.19) -### Security +### Security - Fixed [CVE-2025-3224](https://www.cve.org/CVERecord?id=CVE-2025-3224) allowing an attacker with access to a user machine to perform an elevation of privilege when Docker Desktop updates. +- Fixed [CVE-2025-4095](https://www.cve.org/CVERecord?id=CVE-2025-4095) where Registry Access Management (RAM) policies were not enforced when using a MacOS configuration profile, allowing users to pull images from unapproved registries. +- Fixed [CVE-2025-3911](https://www.cve.org/CVERecord?id=CVE-2025-3911) allowing an attacker with read access to a user's machine to obtain sensitive information from Docker Desktop log files, including environment variables configured for running containers. ### Bug fixes and enhancements diff --git a/content/manuals/desktop/setup/vm-vdi.md b/content/manuals/desktop/setup/vm-vdi.md index 37333024258e..b51978247761 100644 --- a/content/manuals/desktop/setup/vm-vdi.md +++ b/content/manuals/desktop/setup/vm-vdi.md @@ -64,3 +64,7 @@ Docker Desktop follows the VDI support definitions outlined [previously](#virtua ### Support scope and responsibilities For WSL 2-related issues, contact Nutanix support. For Docker Desktop-specific issues, contact Docker support. + +## Aditional resources + +- [Docker Desktop on Microsoft Dev Box](/manuals/desktop/features/dev-box.md) \ No newline at end of file diff --git a/content/manuals/engine/containers/resource_constraints.md b/content/manuals/engine/containers/resource_constraints.md index 09e04a4a37e4..5f9efc616eba 100644 --- a/content/manuals/engine/containers/resource_constraints.md +++ b/content/manuals/engine/containers/resource_constraints.md 
@@ -69,8 +69,8 @@ You can mitigate the risk of system instability due to OOME by: Docker can enforce hard or soft memory limits. -- Hard limits lets the container use no more than a fixed amount of memory. -- Soft limits lets the container use as much memory as it needs unless certain +- Hard limits let the container use no more than a fixed amount of memory. +- Soft limits let the container use as much memory as it needs unless certain conditions are met, such as when the kernel detects low memory or contention on the host machine. @@ -162,7 +162,7 @@ a container. Consider the following scenarios: an OOM error. If the kernel memory limit is higher than the user memory limit, the kernel limit doesn't cause the container to experience an OOM. -When you enable kernel memory limits, the host machine tracks "high water mark" +When you enable kernel memory limits, the host machine tracks the "high water mark" statistics on a per-process basis, so you can track which processes (in this case, containers) are using excess memory. This can be seen per process by viewing `/proc//status` on the host machine. 
@@ -186,7 +186,7 @@ the container's cgroup on the host machine. | :--------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `--cpus=` | Specify how much of the available CPU resources a container can use. For instance, if the host machine has two CPUs and you set `--cpus="1.5"`, the container is guaranteed at most one and a half of the CPUs. This is the equivalent of setting `--cpu-period="100000"` and `--cpu-quota="150000"`. | | `--cpu-period=` | Specify the CPU CFS scheduler period, which is used alongside `--cpu-quota`. Defaults to 100000 microseconds (100 milliseconds). Most users don't change this from the default. For most use-cases, `--cpus` is a more convenient alternative. | -| `--cpu-quota=` | Impose a CPU CFS quota on the container. The number of microseconds per `--cpu-period` that the container is limited to before throttled. As such acting as the effective ceiling. For most use-cases, `--cpus` is a more convenient alternative. | +| `--cpu-quota=` | Impose a CPU CFS quota on the container. The number of microseconds per `--cpu-period` that the container is limited to before being throttled. As such acting as the effective ceiling. For most use-cases, `--cpus` is a more convenient alternative. | | `--cpuset-cpus` | Limit the specific CPUs or cores a container can use. A comma-separated list or hyphen-separated range of CPUs a container can use, if you have more than one CPU. The first CPU is numbered 0. 
A valid value might be `0-3` (to use the first, second, third, and fourth CPU) or `1,3` (to use the second and fourth CPU). | | `--cpu-shares` | Set this flag to a value greater or less than the default of 1024 to increase or reduce the container's weight, and give it access to a greater or lesser proportion of the host machine's CPU cycles. This is only enforced when CPU cycles are constrained. When plenty of CPU cycles are available, all containers use as much CPU as they need. In that way, this is a soft limit. `--cpu-shares` doesn't prevent containers from being scheduled in Swarm mode. It prioritizes container CPU resources for the available CPU cycles. It doesn't guarantee or reserve any specific CPU access. | @@ -234,7 +234,7 @@ for real-time tasks per runtime period. For instance, with the default period of containers using the real-time scheduler can run for 950000 microseconds for every 1000000-microsecond period, leaving at least 50000 microseconds available for non-real-time tasks. To make this configuration permanent on systems which use -`systemd`, create a systemd unit file for the `docker` service. For an example, +`systemd`, create a systemd unit file for the `docker` service. For example, see the instruction on how to configure the daemon to use a proxy with a [systemd unit file](../daemon/proxy.md#systemd-unit-file). @@ -343,6 +343,6 @@ environment variables. More information on valid variables can be found in the [nvidia-container-toolkit](https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/latest/docker-specialized.html) documentation. These variables can be set in a Dockerfile. -You can also use CUDA images which sets these variables automatically. See the +You can also use CUDA images, which set these variables automatically. See the official [CUDA images](https://catalog.ngc.nvidia.com/orgs/nvidia/containers/cuda) NGC catalog page. 
diff --git a/content/manuals/engine/network/_index.md b/content/manuals/engine/network/_index.md index 048834851b57..97583dfe8af1 100644 --- a/content/manuals/engine/network/_index.md +++ b/content/manuals/engine/network/_index.md @@ -160,8 +160,8 @@ Here are some examples: > > > [!WARNING] > > -> > Hosts within the same L2 segment (for example, hosts connected to the same -> > network switch) can reach ports published to localhost. +> > In releases older than 28.0.0, hosts within the same L2 segment (for example, +> > hosts connected to the same network switch) can reach ports published to localhost. > > For more information, see > > [moby/moby#45610](https://github.com/moby/moby/issues/45610) diff --git a/content/manuals/engine/network/packet-filtering-firewalls.md b/content/manuals/engine/network/packet-filtering-firewalls.md index 2ca6cea12a1d..99f28b38df99 100644 --- a/content/manuals/engine/network/packet-filtering-firewalls.md +++ b/content/manuals/engine/network/packet-filtering-firewalls.md @@ -126,6 +126,17 @@ the source and destination. For instance, if the Docker host has addresses `2001:db8:1111::2` and `2001:db8:2222::2`, you can make rules specific to `2001:db8:1111::2` and leave `2001:db8:2222::2` open. +You may need to allow responses from servers outside the permitted external address +ranges. For example, containers may send DNS or HTTP requests to hosts that are +not allowed to access the container's services. The following rule accepts any +incoming or outgoing packet belonging to a flow that has already been accepted +by other rules. It must be placed before `DROP` rules that restrict access from +external address ranges. + +```console +$ iptables -I DOCKER-USER -m state --state RELATED,ESTABLISHED -j ACCEPT +``` + `iptables` is complicated. There is a lot more information at [Netfilter.org HOWTO](https://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html). ### Direct routing 
@@ -223,14 +234,14 @@ $ docker run --network=mynet -p 8080:80 myimage ``` Then: -- Only container port 80 will be open, for IPv4 and IPv6. It is accessible - from anywhere, if there is routing to the container's address, and access - is not blocked by the host's firewall. +- Only container port 80 will be open, for IPv4 and IPv6. - For IPv6, using `routed` mode, port 80 will be open on the container's IP address. Port 8080 will not be opened on the host's IP addresses, and outgoing packets will use the container's IP address. - For IPv4, using the default `nat` mode, the container's port 80 will be - accessible via port 8080 on the host's IP addresses, as well as directly. + accessible via port 8080 on the host's IP addresses, as well as directly + from within the Docker host. But, container port 80 cannot be accessed + directly from outside the host. Connections originating from the container will masquerade, using the host's IP address. diff --git a/content/manuals/security/for-admins/domain-management.md b/content/manuals/security/for-admins/domain-management.md new file mode 100644 index 000000000000..8a2e99a454fa --- /dev/null +++ b/content/manuals/security/for-admins/domain-management.md 
@@ -0,0 +1,158 @@
+---
+description: Learn how to manage domains and users in the Admin Console
+keywords: domain management, security, identify users, manage users
+title: Domain management
+weight: 55
+---
+
+{{< summary-bar feature_name="Domain management" >}}
+
+Domain management lets you add and verify domains, and enable
+auto-provisioning for users. Auto-provisioning adds users to your
+organization when they sign in with an email address that matches a verified
+domain.
+
+This simplifies user management, ensures consistent security settings, and
+reduces the risk of unmanaged users accessing Docker without visibility
+or control.
+
+## Add a domain
+
+1. Sign in to the [Admin Console](https://admin.docker.com/).
+2. Select your organization or company from the **Choose profile** page.
+If your organization is part of a company, select the company
+and configure the domain for the organization at the company level.
+3. Under **Security and access**, select **Domain management**.
+4. Select **Add a domain**.
+5. Enter your domain and select **Add domain**.
+6. In the pop-up modal, copy the **TXT Record Value** to verify your domain.
+
+## Verify a domain
+
+Verifying your domain confirms that you own it. To verify, add a TXT record to
+your Domain Name System (DNS) host using the value provided by Docker. This
+value proves ownership and instructs your DNS to publish the record.
+
+It can take up to 72 hours for the DNS change to propagate. Docker automatically
+checks for the record and confirms ownership once the change is recognized.
+
+Follow your DNS provider’s documentation to add the **TXT Record Value**. If
+your provider isn't listed, use the steps for other providers.
+
+> [!TIP]
+>
+> The record name field determines where the TXT record is added in your domain
+(root or subdomain).
In general, refer to the following tips for
+adding a record name:
+>
+> - Use `@` or leave the record name empty for root domains like `example.com`,
+depending on your provider.
+> - Don't enter values like `docker`, `docker-verification`, `www`, or your
+domain name. These values may direct to the wrong place.
+>
+> Check your DNS provider's documentation to verify record name requirements.
+
+{{< tabs >}}
+{{< tab name="AWS Route 53" >}}
+
+1. To add your TXT record to AWS, see [Creating records by using the Amazon Route 53 console](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-creating.html).
+2. TXT record verification can take 72 hours. Once you have waited for
+TXT record verification, return to the **Domain management** page of the
+[Admin Console](https://app.docker.com/admin) and select **Verify** next to
+your domain name.
+
+{{< /tab >}}
+{{< tab name="Google Cloud DNS" >}}
+
+1. To add your TXT record to Google Cloud DNS, see [Verifying your domain with a TXT record](https://cloud.google.com/identity/docs/verify-domain-txt).
+2. TXT record verification can take 72 hours. Once you have waited for TXT
+record verification, return to the **Domain management** page of the
+[Admin Console](https://app.docker.com/admin) and select **Verify** next to
+your domain name.
+
+{{< /tab >}}
+{{< tab name="GoDaddy" >}}
+
+1. To add your TXT record to GoDaddy, see [Add a TXT record](https://www.godaddy.com/help/add-a-txt-record-19232).
+2. TXT record verification can take 72 hours. Once you have waited for TXT
+record verification, return to the **Domain management** page of the
+[Admin Console](https://app.docker.com/admin) and select **Verify** next to your
+domain name.
+
+{{< /tab >}}
+{{< tab name="Other providers" >}}
+
+1. Sign in to your domain host.
+2. Add a TXT record to your DNS settings and save the record.
+3. TXT record verification can take 72 hours.
Once you have waited for TXT
+record verification, return to the **Domain management** page of the
+[Admin Console](https://app.docker.com/admin) and select **Verify** next to
+your domain name.
+
+{{< /tab >}}
+{{< /tabs >}}
+
+## Delete a domain
+
+Deleting a domain removes the assigned TXT record value. To delete a domain:
+
+1. Sign in to the [Admin Console](https://admin.docker.com/).
+2. Select your organization or company from the **Choose profile** page.
+If your organization is part of a company, select the company
+and configure the domain for the organization at the company level.
+3. Under **Security and access**, select **Domain management**.
+4. For the domain you want to delete, section the **Actions** menu, then
+**Delete domain**.
+5. To confirm, select **Delete domain** in the pop-up modal.
+
+## Auto-provisioning
+
+You must add and verify a domain before enabling auto-provisioning. This
+confirms your organization owns the domain. Once a domain is verified,
+Docker can automatically associate matching users with your organization.
+Auto-provisioning does not require an SSO connection.
+
+> [!IMPORTANT]
+>
+> For domains that are part of an SSO connection, Just-in-Time (JIT) overrides
+auto-provisioning to add users to an organization.
+
+### How it works
+
+When auto-provisioning is enabled for a verified domain, the next time a user
+signs into Docker with an email address that is associated with your verified
+domain, they are automatically added to your organization. Auto-provisioning
+does not create accounts for new users, it adds existing unassociated users to
+your organization. Users will *not* experience any sign in or user experience
+changes.
+
+When a new user is auto-provisioned, company and organization owners will
+receive an email notifying them that a new user has been added to their
+organization.
If you need to add more seats to your organization to
+to accomodate new users, see [Manage seats](/manuals/subscription/manage-seats.md).
+
+### Enable auto-provisioning
+
+Auto-provisioning is enabled per user. To enable
+auto-provisioning:
+
+1. Open the [Admin Console](https://app.docker.com/admin).
+2. Select **Domain management** from the left-hand navigation.
+3. Select the **Actions menu** next to the user you want to enable
+auto-provisioning for.
+4. Select **Enable auto-provisioning**.
+5. Optional. If enabling auto-provisioning at the company level, select an
+organization for the user.
+6. Select **Enable** to confirm.
+
+The **Auto-provisioning** column will update to **Enabled**.
+
+### Disable auto-provisioning
+
+To disable auto-provisioning for a user:
+
+1. Open the [Admin Console](https://app.docker.com/admin).
+2. Select **Domain management** from the left-hand navigation.
+3. Select the **Actions menu** next to your user.
+4. Select **Disable auto-provisioning**.
+5. Select **Disable**.
diff --git a/content/manuals/security/for-admins/hardened-desktop/settings-management/_index.md b/content/manuals/security/for-admins/hardened-desktop/settings-management/_index.md
index 48fc13100a01..f6e512504645 100644
--- a/content/manuals/security/for-admins/hardened-desktop/settings-management/_index.md
+++ b/content/manuals/security/for-admins/hardened-desktop/settings-management/_index.md
@@ -12,48 +12,41 @@ weight: 10 {{< summary-bar feature_name="Hardened Docker Desktop" >}} -Settings Management helps you control key Docker Desktop settings, like proxies and network configurations, on your developers' machines within your organization. +Settings Management helps you control key Docker Desktop settings, like proxies +and network configurations, on your developers' machines within your +organization. -For an extra layer of security, you can also use Settings Management to enable and lock in [Enhanced Container Isolation](../enhanced-container-isolation/_index.md), which prevents containers from modifying any Settings Management configurations. +For an extra layer of security, you can also use Settings Management to enable +and lock in [Enhanced Container Isolation](../enhanced-container-isolation/_index.md), +which prevents containers from modifying any Settings Management configurations. ## Who is it for? -- For organizations that want to configure Docker Desktop to be within their organization's centralized control. -- For organizations that want to create a standardized Docker Desktop environment at scale. -- For Docker Business customers who want to confidently manage their use of Docker Desktop within tightly regulated environments. +- For organizations that want centralized control over Docker Desktop. +- For organizations that want to create a standardized Docker Desktop +environment at scale. +- For Docker Business customers who want to confidently manage their use of +Docker Desktop within tightly regulated environments. ## How does it work? -You can configure several Docker Desktop settings using either: +With Settings Management, you can configure Docker Desktop settings using: - - An `admin-settings.json` file. This file is located on the Docker Desktop host and can only be accessed by developers with root or administrator privileges. + - An `admin-settings.json` file. 
This file is located on the Docker Desktop + host and can only be accessed by developers with root or administrator + privileges. - Creating a settings policy in the Docker Admin Console. -Settings that are defined by an administrator override any previous values set by developers and ensure that these cannot be modified. +Settings that are defined by an administrator override any previous values set +by developers and ensure that these cannot be modified. ## What features can I configure with Settings Management? -Using the `admin-settings.json` file, you can: - -- Turn on and lock in [Enhanced Container Isolation](../enhanced-container-isolation/_index.md) -- Configure HTTP proxies -- Configure network settings -- Configure Kubernetes settings -- Enforce the use of WSL 2 based engine or Hyper-V -- Enforce the use of Rosetta for x86_64/amd64 emulation on Apple Silicon -- Configure Docker Engine -- Turn off Docker Desktop's ability to checks for updates -- Turn off Docker Extensions -- Turn off Docker Scout SBOM indexing -- Turn off beta and experimental features -- Turn off Docker AI ([Ask Gordon](/manuals/ai/gordon/_index.md)) -- Turn off Docker Desktop's onboarding survey -- Control whether developers can use the Docker terminal -- Control the file sharing implementation for your developers on macOS -- Specify which paths your developers can add file shares to -- Configure Air-gapped containers - -For more details on the syntax and options, see [Configure Settings Management](configure-json-file.md). +You can configure a wide range of features, from proxies and Kubernetes settings +to Enhanced Container isolation. For more information, view the [Settings reference](/manuals/security/for-admins/hardened-desktop/settings-management/settings-reference.md). 
+ +The settings reference outlines what settings can be configured with the [Admin +Console](/manuals/security/for-admins/hardened-desktop/settings-management/configure-admin-console.md) or [`admin-settings.json` file](/manuals/security/for-admins/hardened-desktop/settings-management/configure-json-file.md). ## How do I set up and enforce Settings Management? diff --git a/content/manuals/security/for-admins/hardened-desktop/settings-management/configure-admin-console.md b/content/manuals/security/for-admins/hardened-desktop/settings-management/configure-admin-console.md index 646685fc950a..ff48f668615b 100644 --- a/content/manuals/security/for-admins/hardened-desktop/settings-management/configure-admin-console.md +++ b/content/manuals/security/for-admins/hardened-desktop/settings-management/configure-admin-console.md @@ -18,6 +18,10 @@ This page contains information for administrators on how to configure Settings M subscription, therefore your Docker Desktop users must authenticate to your organization for configurations to take effect. +> [!IMPORTANT] +> +> For settings to take effect, users must be added to your verified domain. + ## Create a settings policy 1. Within the [Docker Admin Console](https://app.docker.com/admin) navigate to the company or organization you want to define a settings policy for. diff --git a/content/manuals/security/for-admins/hardened-desktop/settings-management/configure-json-file.md b/content/manuals/security/for-admins/hardened-desktop/settings-management/configure-json-file.md index 0096692d5a89..b643c04d56bf 100644 --- a/content/manuals/security/for-admins/hardened-desktop/settings-management/configure-json-file.md +++ b/content/manuals/security/for-admins/hardened-desktop/settings-management/configure-json-file.md 
@@ -17,15 +17,13 @@ Settings Management is designed specifically for organizations who don’t give ## Prerequisites -You must [enforce sign-in](/manuals/security/for-admins/enforce-sign-in/_index.md) to ensure that all Docker Desktop users authenticate with your organization. - -Settings management requires a Docker Business subscription. Docker Desktop verifies the user's authentication and licensing before applying any settings from the `admin-settings.json` file. The settings file will not take effect unless both authentication and license checks pass. These checks ensure that only licensed users receive managed settings. +- You must [enforce sign-in](/manuals/security/for-admins/enforce-sign-in/_index.md) to ensure that all Docker Desktop users authenticate with your organization. +- Settings management requires a Docker Business subscription. Docker Desktop verifies the user's authentication and licensing before applying any settings from the `admin-settings.json` file. The settings file will not take effect unless both authentication and license checks pass. These checks ensure that only licensed users receive managed settings. > [!IMPORTANT] > > If a user is not signed in, or their Docker ID does not belong to an organization with a Docker Business subscription, Docker Desktop ignores the `admin-settings.json` file. - ## Known limitations The `admin-settings.json` file requires users to authenticate with Docker Hub and be a member 
@@ -34,8 +32,7 @@ of an organization with a Docker Business subscription. This means the file does - Air-grapped or offline environments where Docker Desktop can't authenticate with Docker Hub. - Restricted environments where SSO and cloud-based authentication are not permitted. - -## Step one: Create the `admin-settings.json` file and save it in the correct location +## Step one: Create the `admin-settings.json` file and save it You can either use the `--admin-settings` installer flag on [macOS](/manuals/desktop/setup/install/mac-install.md#install-from-the-command-line) or [Windows](/manuals/desktop/setup/install/windows-install.md#install-from-the-command-line) to automatically create the `admin-settings.json` and save it in the correct location, or set it up manually. @@ -52,7 +49,7 @@ To set it up manually: > > It is assumed that you have the ability to push the `admin-settings.json` settings file to the locations specified through a device management software such as [Jamf](https://www.jamf.com/lp/en-gb/apple-mobile-device-management-mdm-jamf-shared/?attr=google_ads-brand-search-shared&gclid=CjwKCAjw1ICZBhAzEiwAFfvFhEXjayUAi8FHHv1JJitFPb47C_q_RCySTmF86twF1qJc_6GST-YDmhoCuJsQAvD_BwE). -## Step two: Configure the settings you want to lock in +## Step two: Configure settings > [!NOTE] 
> @@ -64,7 +61,6 @@ If `locked: true`, users aren't able to edit this setting from Docker Desktop or If `locked: false`, it's similar to setting a factory default in that: - For new installs, `locked: false` pre-populates the relevant settings in the Docker Desktop Dashboard, but users are able to modify it. - - If Docker Desktop is already installed and being used, `locked: false` is ignored. This is because existing users of Docker Desktop may have already updated a setting, which in turn will have been written to the relevant config file, for example the `settings-store.json` (or `settings.json` for Docker Desktop versions 4.34 and earlier) or `daemon.json`. In these instances, the user's preferences are respected and the values aren't altered. These can be controlled by setting `locked: true`. The following `admin-settings.json` code and table provides an example of the required syntax and descriptions for parameters and values: 
@@ -264,14 +260,14 @@ The following `admin-settings.json` code and table provides an example of the re |Parameter|OS|Description|Version| |:-------------------------------|---|:-------------------------------|---| -|`kubernetes`| | If `enabled` is set to true, a Kubernetes single-node cluster is started when Docker Desktop starts. If `showSystemContainers` is set to true, Kubernetes containers are displayed in the Docker Desktop Dashboard and when you run `docker ps`. `imagesRepository` lets you specify which repository Docker Desktop pulls the Kubernetes images from. For example, `"imagesRepository": "registry-1.docker.io/docker"`. | | +|`kubernetes`| | If `enabled` is set to true, a Kubernetes single-node cluster is started when Docker Desktop starts. If `showSystemContainers` is set to true, Kubernetes containers are displayed in the Docker Desktop Dashboard and when you run `docker ps`. The [imagesRepository](../../../../desktop/features/kubernetes.md#configuring-a-custom-image-registry-for-kubernetes-control-plane-images) setting lets you specify which repository Docker Desktop pulls control-plane Kubernetes images from. | | > [!NOTE] > > When using the `imagesRepository` setting and Enhanced Container Isolation (ECI), add the following images to the [ECI Docker socket mount image list](#enhanced-container-isolation): > -> `/desktop-cloud-provider-kind:*` -> `/desktop-containerd-registry-mirror:*` +> * [imagesRepository]/desktop-cloud-provider-kind:* +> * [imagesRepository]/desktop-containerd-registry-mirror:* > > These containers mount the Docker socket, so you must add the images to the ECI images list. If not, ECI will block the mount and Kubernetes won't start. 
@@ -301,10 +297,11 @@ The following `admin-settings.json` code and table provides an example of the re For settings to take effect: - On a new install, developers need to launch Docker Desktop and authenticate to their organization. - On an existing install, developers need to quit Docker Desktop through the Docker menu, and then re-launch Docker Desktop. If they are already signed in, they don't need to sign in again for the changes to take effect. + > [!IMPORTANT] > > Selecting **Restart** from the Docker menu isn't enough as it only restarts some components of Docker Desktop. -So as not to disrupt your developers' workflow, Docker doesn't automatically mandate that developers re-launch and re-authenticate once a change has been made. +To avoid disrupting your developers' workflow, Docker doesn't automatically mandate that developers re-launch and re-authenticate once a change has been made. In Docker Desktop, developers see the relevant settings grayed out. diff --git a/content/manuals/security/for-admins/hardened-desktop/settings-management/settings-reference.md b/content/manuals/security/for-admins/hardened-desktop/settings-management/settings-reference.md new file mode 100644 index 000000000000..1250175e13e1 --- /dev/null +++ b/content/manuals/security/for-admins/hardened-desktop/settings-management/settings-reference.md 
@@ -0,0 +1,934 @@
+---
+description: Reference for all settings and features that are configured with Settings Management
+keywords: admin, controls, settings management, reference
+title: Settings reference
+linkTitle: Settings reference
+---
+
+This reference lists all Docker Desktop settings, including where they live,
+which operating systems they apply to, and whether they're configurable via the
+Docker Desktop GUI, the Docker Admin Console, or the `admin-settings.json` file.
+Settings are organized to match the structure of the Docker Desktop GUI.
+
+Each setting includes:
+
+- Desktop setting name
+- A values table that includes the default value, accepted values, and format
+- Description
+- OS compatibility
+- Use cases
+- How to configure the setting: With [Docker Desktop](/manuals/desktop/settings-and-maintenance/settings.md) or Settings Management (Admin Console or `admin-settings.json` file)
+
+For details on the format and usage of the `admin-settings.json` file, see
+[Configure Settings Management with a JSON file](/manuals/security/for-admins/hardened-desktop/settings-management/configure-json-file.md).
+
+## General
+
+### Start Docker Desktop when you sign in to your computer
+
+| Default value | Accepted values | Format |
+|---------------|-----------------|--------|
+| `false` | `true`, `false` | Boolean |
+
+- **Description:** Start Docker Desktop automatically when booting machine.
+- **OS:** {{< badge color=blue text="All" >}}
+- **Use case:** Ensure Docker Desktop is always running after boot.
+- **Configure this setting with:**
+ - **General** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md)
+
+### Open Docker Dashboard when Docker Desktop starts
+
+| Default value | Accepted values | Format |
+|---------------|----------------------------|--------|
+| `false` | `true`, `false` | Boolean |
+
+- **Description:** Open the Docker Dashboard automatically when Docker Desktop starts.
+- **OS:** {{< badge color=blue text="All" >}}
+- **Use case:** Quickly access containers, images, and volumes in the Docker Dashboard after starting Docker Desktop.
+- **Configure this setting with:**
+ - **General** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md)
+
+### Choose theme for Docker Desktop
+
+| Default value | Accepted values | Format |
+|---------------|----------------------------|--------|
+| `system` | `light`, `dark`, `system` | Enum |
+
+- **Description:** Choose the Docker Desktop GUI theme.
+- **OS:** {{< badge color=blue text="All" >}}
+- **Use case:** Personalize Docker Desktop appearance.
+- **Configure this setting with:**
+ - **General** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md)
+
+### Configure shell completions
+
+| Default value | Accepted values | Format |
+|---------------|-------------------------|--------|
+| `integrated` | `integrated`, `system` | String |
+
+- **Description:** If installed, automatically edits your shell configuration.
+- **OS:** {{< badge color=blue text="All" >}}
+- **Use case:** Customize developer experience with shell completions.
+- **Configure this setting with:**
+ - **General** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md)
+
+### Choose container terminal
+
+| Default value | Accepted values | Format |
+|---------------|-------------------------|--------|
+| `integrated` | `integrated`, `system` | String |
+
+- **Description:** Select default terminal for launching Docker CLI from Docker
+Desktop.
+- **OS:** {{< badge color=blue text="All" >}}
+- **Use case:** Customize developer experience with preferred terminal.
+- **Configure this setting with:**
+ - **General** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md)
+
+### Enable Docker terminal
+
+| Default value | Accepted values | Format |
+|---------------|-----------------|--------|
+| `false` | `true`, `false` | Boolean |
+
+- **Description:** Enable access to the Docker Desktop integrated terminal. If
+the value is set to `false`, users can't use the Docker terminal to interact
+with the host machine and execute commands directly from Docker Desktop.
+- **OS:** {{< badge color=blue text="All" >}}
+- **Use case:** Allow or restrict developer access to the built-in terminal.
+- **Configure this setting with:**
+ - **General** setting in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md)
+ - Settings Management: `desktopTerminalEnabled` setting in the [`admin-settings.json` file](/manuals/security/for-admins/hardened-desktop/settings-management/configure-json-file.md)
+
+### Enable Docker Debug by default
+
+| Default value | Accepted values | Format |
+|---------------|-----------------|----------|
+| `false` | `true`, `false` | Boolean |
+
+- **Description:** Enable debug logging by default for Docker CLI commands.
+- **OS:** {{< badge color=blue text="All" >}}
+- **Use case:** Assist with debugging support issues.
+- **Configure this setting with:**
+ - **General** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md)
+
+### Include VM in Time Machine backup
+
+| Default value | Accepted values | Format |
+|---------------|-----------------|--------|
+| `false` | `true`, `false` | Boolean |
+
+- **Description:** Back up the Docker Desktop virtual machine.
+- **OS:** {{< badge color=blue text="Mac only" >}}
+- **Use case:** Manage persistence of application data.
+- **Configure this setting with:**
+ - **General** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md)
+
+### Use containerd for pulling and storing images
+
+| Default value | Accepted values | Format |
+|---------------|-----------------|----------|
+| `false` | `true`, `false` | Boolean |
+
+- **Description:** Use containerd native snapshotter instead of legacy
+snapshotters.
+- **OS:** {{< badge color=blue text="All" >}}
+- **Use case:** Improve image handling performance and compatibility.
+- **Configure this setting with:**
+ - **General** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md)
+
+### Choose Virtual Machine Manager
+
+#### Docker VMM
+
+| Default value | Accepted values | Format |
+|---------------|-----------------|----------|
+| `true` | `true`, `false` | Boolean |
+
+#### Apple Virtualization framework
+
+| Default value | Accepted values | Format |
+|---------------|-----------------|----------|
+| `true` | `true`, `false` | Boolean |
+
+- **Description:** Use Apple Virtualization Framework to run Docker containers.
+- **OS:** {{< badge color=blue text="Mac only" >}}
+- **Use case:** Improve VM performance on Apple Silicon.
+- **Configure this setting with:**
+ - **General** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md)
+
+#### Rosetta
+
+| Default value | Accepted values | Format |
+|---------------|-----------------|----------|
+| `true` | `true`, `false` | Boolean |
+
+- **Description:** Use Rosetta to emulate `amd64` on Apple Silicon. If value
+is set to `true`, Docker Desktop turns on Rosetta to accelerate
+x86_64/amd64 binary emulation on Apple Silicon.
+- **OS:** {{< badge color=blue text="Mac only" >}} 13+
+- **Use case:** Run Intel-based containers on Apple Silicon hosts.
+- **Configure this setting with:**
+ - **General** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md)
+ - Settings Management:`useVirtualizationFrameworkRosetta` setting in the [`admin-settings.json` file](/manuals/security/for-admins/hardened-desktop/settings-management/configure-json-file.md)
+ - Settings Management: **Use Rosetta for x86_64/amd64 emulation on Apple Silicon** setting in the [Admin Console](/manuals/security/for-admins/hardened-desktop/settings-management/configure-admin-console.md)
+
+> [!NOTE]
+>
+> Rosetta requires enabling Apple Virtualization framework.
+
+#### QEMU
+
+| Default value | Accepted values | Format |
+|---------------|-----------------|----------|
+| `true` | `true`, `false` | Boolean |
+
+### Choose file sharing implementation
+
+#### VirtioFS
+
+| Default value | Accepted values | Format |
+|---------------|-----------------|----------|
+| `true` | `true`, `false` | Boolean |
+
+- **Description:** Use VirtioFS for fast, native file sharing between host and
+containers. If value is set to `true`, VirtioFS is set as the file sharing
+mechanism. If both VirtioFS and gRPC are set to `true`, VirtioFS takes
+precedence.
+- **OS:** {{< badge color=blue text="Mac only" >}} 12.5+
+- **Use case:** Improve volume mount performance and compatibility.
+- **Configure this setting with:**
+ - **General settings** in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md)
+ - Settings Management: `useVirtualizationFrameworkVirtioFS` setting in the [`admin-settings.json` file](/manuals/security/for-admins/hardened-desktop/settings-management/configure-json-file.md)
+ - Settings Management: **Use VirtioFS for file sharing** setting in the [Admin Console](/manuals/security/for-admins/hardened-desktop/settings-management/configure-admin-console.md)
+
+#### gRPC FUSE
+
+| Default value | Accepted values | Format |
+|---------------|-----------------|----------|
+| `true` | `true`, `false` | Boolean |
+
+- **Description:** Enable gRPC FUSE for macOS file sharing. If value is set to
+`true`, gRPC Fuse is set as the file sharing mechanism.
+- **OS:** {{< badge color=blue text="Mac only" >}}
+- **Use case:** Improve performance and compatibility of file mounts.
+- **Configure this setting with:**
+ - **General** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md)
+ - Settings Management: `useGrpcfuse` setting in the [`admin-settings.json` file](/manuals/security/for-admins/hardened-desktop/settings-management/configure-json-file.md)
+ - Settings Management: **Use gRPC FUSE for file sharing** setting in the [Admin Console](/manuals/security/for-admins/hardened-desktop/settings-management/configure-admin-console.md)
+
+#### osxfs
+
+### Send usage statistics
+
+| Default value | Accepted values | Format |
+|---------------|-----------------|--------|
+| `true` | `true`, `false` | Boolean |
+
+- **Description:** Send usage statistics and crash reports to Docker. If set to
+`false`, Docker Desktop doesn't send usage statistics to Docker.
+- **OS:** {{< badge color=blue text="All" >}}
+- **Use case:** Enable analytics to help Docker improve the product based on
+usage data.
+- **Configure this setting with:**
+ - **General** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md)
+ - Settings Management: `analyticsEnabled` setting in the [`admin-settings.json` file](/manuals/security/for-admins/hardened-desktop/settings-management/configure-json-file.md)
+ - Settings Management: **Send usage statistics** setting in the [Admin Console](/manuals/security/for-admins/hardened-desktop/settings-management/configure-admin-console.md)
+
+### Use Enhanced Container Isolation
+
+| Default value | Accepted values | Format |
+|---------------|-----------------|----------|
+| `false` | `true`, `false` | Boolean |
+
+- **Description:** Enable Enhanced Container Isolation for secure container
+execution.
+- **OS:** {{< badge color=blue text="All" >}}
+- **Use case:** Prevent containers from modifying configuration or sensitive
+host areas.
+- **Configure this setting with:**
+ - **General settings** in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md)
+ - Settings Management: `enhancedContainerIsolation` setting in the [`admin-settings.json` file](/manuals/security/for-admins/hardened-desktop/settings-management/configure-json-file.md)
+ - Settings Management: **Enable enhanced container isolation** setting in the [Admin Console](/manuals/security/for-admins/hardened-desktop/settings-management/configure-admin-console.md)
+
+### Show CLI hints
+
+| Default value | Accepted values | Format |
+|---------------|-----------------|----------|
+| `true` | `true`, `false` | Boolean |
+
+- **Description:** Display helpful CLI tips in the terminal when using Docker commands.
+- **OS:** {{< badge color=blue text="All" >}}
+- **Use case:** Help users discover and learn Docker CLI features through inline suggestions.
+- **Configure this setting with:**
+ - **General** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md)
+
+### Enable Scout image analysis
+
+| Default value | Accepted values | Format |
+|---------------|-----------------|----------|
+| `true` | `true`, `false` | Boolean |
+
+- **Description:** Enable Docker Scout to generate and display SBOM data for container images.
+- **OS:** {{< badge color=blue text="All" >}}
+- **Use case:** Turn on Docker Scout analysis features to view vulnerabilities, packages, and metadata associated with images.
+- **Configure this setting with:**
+ - **General settings** in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md)
+ - Settings Management: `sbomIndexing` setting in the [`admin-settings.json` file](/manuals/security/for-admins/hardened-desktop/settings-management/configure-json-file.md)
+ - Settings Management: **SBOM indexing** settings in the [Admin Console](/manuals/security/for-admins/hardened-desktop/settings-management/configure-admin-console.md)
+
+### Enable background Scout SBOM indexing
+
+| Default value | Accepted values | Format |
+|---------------|-----------------|----------|
+| `false` | `true`, `false` | Boolean |
+
+- **Description:** Automatically index SBOM data for images in the background without requiring user interaction.
+- **OS:** {{< badge color=blue text="All" >}}
+- **Use case:** Keep image metadata up to date by allowing Docker to perform SBOM indexing during idle time or after image pull operations.
+- **Configure this setting with:** + - **General settings** in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) + +### Automatically check configuration + +| Default value | Accepted values | Format | +|-----------------------|-----------------|---------| +| `CurrentSettingsVersions` | Integer | Integer | + +- **Description:** Regularly checks your configuration to ensure no unexpected changes have been made by another application +- **OS:** {{< badge color=blue text="All" >}} +- **Use case:** Track versions for compatibility +- **Configure this setting with:** + - **General** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) + - Settings Management: `configurationFileVersion` setting in the [`admin-settings.json` file](/manuals/security/for-admins/hardened-desktop/settings-management/configure-json-file.md) + +## Resources + +### CPU limit + +| Default value | Accepted values | Format | +|-----------------------------------------------|-----------------|---------| +| Number of logical CPU cores available on host | Integer | Integer | + +- **Description:** Number of CPUs assigned to the Docker Desktop virtual machine. +- **OS:** {{< badge color=blue text="All" >}} +- **Use case:** Resource allocation control. +- **Configure this setting with:** + - **Advanced** Resources settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) + +### Memory limit + +| Default value | Accepted values | Format | +|---------------------------|-----------------|---------| +| Based on system resources | Integer | Integer | + +- **Description:** Amount of RAM (in MiB) assigned to the Docker virtual machine. +- **OS:** {{< badge color=blue text="All" >}} +- **Use case:** Control how much memory Docker can use on the host. 
+- **Configure this setting with:** + - **Advanced** Resources settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) + +### Swap + +| Default value | Accepted values | Format | +|---------------|-----------------|---------| +| `1024` | Integer | Integer | + +- **Description:** Amount of swap space (in MiB) assigned to the Docker virtual machine +- **OS:** {{< badge color=blue text="All" >}} +- **Use case:** Extend memory availability via swap +- **Configure this setting with:** + - **Advanced** Resources settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) + +### Disk usage limit + +| Default value | Accepted values | Format | +|-------------------------------|-----------------|---------| +| Default disk size of machine. | Integer | Integer | + +- **Description:** Maximum disk size (in MiB) allocated for Docker Desktop. +- **OS:** {{< badge color=blue text="All" >}} +- **Use case:** Constrain Docker's virtual disk size for storage management. +- **Configure this setting with:** + - **Advanced** Resources settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) + +### Disk image location + +| Default value | Accepted values | Format | +|--------------------------------------------------|-----------------|--------| +| macOS: `~/Library/Containers/com.docker.docker/Data/vms/0`
Windows: `%USERPROFILE%\AppData\Local\Docker\wsl\data` | File path | String | + +- **Description:** Path where Docker Desktop stores virtual machine data. +- **OS:** {{< badge color=blue text="All" >}} +- **Use case:** Redirect Docker data to a custom location. +- **Configure this setting with:** + - **Advanced** Resources settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) + +### Enable Resource Saver + +| Default value | Accepted values | Format | +|---------------|-----------------|----------| +| `true` | `true`, `false` | Boolean | + +- **Description:** Enable Docker Desktop to pause when idle. +- **OS:** {{< badge color=blue text="All" >}} +- **Use case:** Save system resources during periods of inactivity. +- **Configure this setting with:** + - **Advanced** Resources settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) + +### File sharing directories + +| Default value | Accepted values | Format | +|----------------------------------------|---------------------------------|--------------------------| +| Varies by OS | List of file paths as strings | Array list of strings | + +- **Description:** List of allowed directories shared between the host and +containers. When a path is added, its subdirectories are allowed. +- **OS:** {{< badge color=blue text="All" >}} +- **Use case:** Restrict or define what file paths are available to containers. 
+- **Configure this setting with:** + - **File sharing** Resources settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) + - Settings Management: `filesharingAllowedDirectories` setting in the [`admin-settings.json` file](/manuals/security/for-admins/hardened-desktop/settings-management/configure-json-file.md) + - Settings Management: **Allowed file sharing directories** setting in the [Admin Console](/manuals/security/for-admins/hardened-desktop/settings-management/configure-admin-console.md) + +### Proxy exclude + +| Default value | Accepted values | Format | +|---------------|--------------------|--------| +| `""` | List of addresses | String | + +- **Description:** Configure addresses that containers should bypass from proxy +settings. +- **OS:** {{< badge color=blue text="All" >}} +- **Use case:** Fine-tune proxy exceptions for container networking. +- **Configure this setting with:** + - **Proxies** Resources settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) + - Settings Management: `proxy` setting with `manual` and `exclude` modes in the [`admin-settings.json` file](/manuals/security/for-admins/hardened-desktop/settings-management/configure-json-file.md) + +### Docker subnet + +| Default value | Accepted values | Format | +|-------------------|-----------------|--------| +| `192.168.65.0/24` | IP address | String | + +- **Description:** Overrides the network range used for vpnkit DHCP/DNS for +`*.docker.internal`. +- **OS:** {{< badge color=blue text="Mac only" >}} +- **Use case:** Customize the subnet used for Docker container networking. 
+- **Configure this setting with:** + - Settings Management: `vpnkitCIDR` setting in the [`admin-settings.json` file](/manuals/security/for-admins/hardened-desktop/settings-management/configure-json-file.md) + - Settings Management: **VPN Kit CIDR** setting in the [Admin Console](/manuals/security/for-admins/hardened-desktop/settings-management/configure-admin-console.md) + +### Use kernel networking for UDP + +| Default value | Accepted values | Format | +|---------------|-----------------|----------| +| `false` | `true`, `false` | Boolean | + +- **Description:** Use the host’s kernel network stack for UDP traffic instead of Docker’s virtual network driver. This enables faster and more direct UDP communication, but may bypass some container isolation features. +- **OS:** {{< badge color=blue text="All" >}} +- **Use case:** Improve performance or compatibility for workloads that rely heavily on UDP traffic, such as real-time media, DNS, or game servers. +- **Configure this setting with:** + - **Network** Resources settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) + +### Enable host networking + +| Default value | Accepted values | Format | +|---------------|-----------------|----------| +| `false` | `true`, `false` | Boolean | + +- **Description:** Enable experimental host networking support. +- **OS:** {{< badge color=blue text="All" >}} +- **Use case:** Allow containers to use the host network stack. +- **Configure this setting with:** + - **Network** Resources settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) + +### Enable WSL engine + +| Default value | Accepted values | Format | +|---------------|-----------------|----------| +| `true` | `true`, `false` | Boolean | + +- **Description:** If the value is set to `true`, Docker Desktop uses the WSL2 +based engine. This overrides anything that may have been set at installation +using the `--backend=` flag. 
+- **OS:** {{< badge color=blue text="Windows only" >}} + WSL +- **Use case:** Enable Linux containers via WSL 2 backend. +- **Configure this setting with:** + - **WSL Integration** Resources settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) + - Settings Management: `wslEngineEnabled` setting in the [`admin-settings.json` file](/manuals/security/for-admins/hardened-desktop/settings-management/configure-json-file.md) + - Settings Management: **Windows Subsystem for Linux (WSL) Engine** setting in the [Admin Console](/manuals/security/for-admins/hardened-desktop/settings-management/configure-admin-console.md) + +## Docker Engine + +The Docker Engine settings let you configure low-level daemon settings through a raw JSON object. These settings are passed directly to the dockerd process that powers container management in Docker Desktop. + +| Key | Example | Description | Accepted values / Format | Default | +| --------------------- | --------------------------- | -------------------------------------------------- | ------------------------------ | ------- | +| `debug` | `true` | Enable verbose logging in the Docker daemon | Boolean | `false` | +| `experimental` | `true` | Enable experimental Docker CLI and daemon features | Boolean | `false` | +| `insecure-registries` | `["myregistry.local:5000"]` | Allow pulling from HTTP registries without TLS | Array of strings (`host:port`) | `[]` | +| `registry-mirrors` | `["https://mirror.gcr.io"]` | Define alternative registry endpoints | Array of URLs | `[]` | + +- **Description:** Customize the behavior of the Docker daemon using a structured JSON config passed directly to dockerd. +- **OS:** {{< badge color=blue text="All" >}} +- **Use case:** Fine-tune registry access, enable debug mode, or opt into experimental features. 
+- **Configure this setting with:** + - **Docker Engine** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) + +> [!NOTE] +> +> Values for this setting are passed as-is to the Docker daemon. Invalid or unsupported fields may prevent Docker Desktop from starting. + +## Builders + +Builders settings lets you manage Buildx builder instances for advanced image-building scenarios, including multi-platform builds and custom backends. + +| Key | Example | Description | Accepted values / Format | Default | +| ----------- | -------------------------------- | -------------------------------------------------------------------------- | ------------------------- | --------- | +| `name` | `"my-builder"` | Name of the builder instance | String | — | +| `driver` | `"docker-container"` | Backend used by the builder (`docker`, `docker-container`, `remote`, etc.) | String | `docker` | +| `platforms` | `["linux/amd64", "linux/arm64"]` | Target platforms supported by the builder | Array of platform strings | Host arch | + +- **Description:** Configure custom Buildx builders for Docker Desktop, including driver type and supported platforms. +- **OS:** {{< badge color=blue text="All" >}} +- **Use case:** Set up advanced build configurations like cross-platform images or remote builders. +- **Configure this setting with:** + - **Builders** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) + +> [!NOTE] +> +> Builder definitions are structured as an array of objects, each describing a builder instance. Conflicting or unsupported configurations may cause build errors. + +## Kubernetes + +### Enable Kubernetes + +| Default value | Accepted values | Format | +|---------------|-----------------|----------| +| `false` | `true`, `false` | Boolean | + +- **Description:** Enable the integrated Kubernetes cluster in Docker Desktop. 
+- **OS:** {{< badge color=blue text="All" >}} +- **Use case:** Enable or disable Kubernetes support for developers. +- **Configure this setting with:** + - **Kubernetes** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) + - Settings Management: `kubernetes` setting in the [`admin-settings.json` file](/manuals/security/for-admins/hardened-desktop/settings-management/configure-json-file.md) + - Settings Management: **Allow Kubernetes** setting in the [Admin Console](/manuals/security/for-admins/hardened-desktop/settings-management/configure-admin-console.md) + +### Choose cluster provisioning method + +| Default value | Accepted values | Format | +|---------------|-----------------|--------| +| `kubeadm` | `kubeadm`, `kind` | String | + +- **Description:** Set the Kubernetes node mode (single-node or multi-node). +- **OS:** {{< badge color=blue text="All" >}} +- **Use case:** Control the topology of the integrated Kubernetes cluster. +- **Configure this setting with:** + - **Kubernetes** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) + +### Kubernetes node count (kind provisioning) + +| Default value | Accepted values | Format | +|---------------|-----------------|---------| +| `1` | Integer | Integer | + +- **Description:** Number of nodes to create in a multi-node Kubernetes cluster. +- **OS:** {{< badge color=blue text="All" >}} +- **Use case:** Scale the number of Kubernetes nodes for development or testing. +- **Configure this setting with:** + - **Kubernetes** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) + +### Kubernetes node version (kind provisioning) + +| Default value | Accepted values | Format | +|---------------|-------------------------------|--------| +| `1.31.1` | Semantic version (e.g., 1.29.1) | String | + +- **Description:** Version of Kubernetes used for cluster node creation. 
+- **OS:** {{< badge color=blue text="All" >}} +- **Use case:** Pin a specific Kubernetes version for consistency or +compatibility. +- **Configure this setting with:** + - **Kubernetes** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) + +### Show system containers + +| Default value | Accepted values | Format | +|---------------|-----------------|----------| +| `false` | `true`, `false` | Boolean | + +- **Description:** Show Kubernetes system containers in the Docker Dashboard container list +- **OS:** {{< badge color=blue text="All" >}} +- **Use case:** Allow developers to view kube-system containers for debugging +- **Configure this setting with:** + - **Kubernetes** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) + +## Software updates + +### Automatically check for updates + +| Default value | Accepted values | Format | +|---------------|-----------------|--------| +| `false` | `true`, `false` | Boolean | + +- **Description:** Disable automatic update polling for Docker Desktop. If the +value is set to `true`, checking for updates and notifications about Docker +Desktop updates are disabled. +- **OS:** {{< badge color=blue text="All" >}} +- **Use case:** Freeze the current version in enterprise environments. +- **Configure this setting with:** + - Settings Management: `disableUpdate` setting in the [`admin-settings.json` file](/manuals/security/for-admins/hardened-desktop/settings-management/configure-json-file.md) + - Settings Management: **Disable update** setting in the [Admin Console](/manuals/security/for-admins/hardened-desktop/settings-management/configure-admin-console.md) + +### Always download updates + +| Default value | Accepted values | Format | +|---------------|-----------------|--------| +| `false` | `true`, `false` | Boolean | + +- **Description:** Automatically download Docker Desktop updates when available. 
+- **OS:** {{< badge color=blue text="All" >}} +- **Use case:** Manage auto update behavior. +- **Configure this setting with:** + - **Software updates** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) + - Settings Management: **Disable updates** setting in the [Admin Console](/manuals/security/for-admins/hardened-desktop/settings-management/configure-admin-console.md) + +## Extensions + +### Enable Docker extensions + +| Default value | Accepted values | Format | +|---------------|-----------------|----------| +| `true` | `true`, `false` | Boolean | + +- **Description:** Enable or disable Docker Extensions. +- **OS:** {{< badge color=blue text="All" >}} +- **Use case:** Control access to the Extensions Marketplace and installed +extensions. +- **Configure this setting with:** + - **Extensions** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) + - Settings Management: `extensionsEnabled` setting in the [`admin-settings.json` file](/manuals/security/for-admins/hardened-desktop/settings-management/configure-json-file.md) + - Settings Management: **Allow Extensions** setting in the [Admin Console](/manuals/security/for-admins/hardened-desktop/settings-management/configure-admin-console.md) + +### Allow only extensions distributed through the Docker Marketplace + +| Default value | Accepted values | Format | +|---------------|-----------------|----------| +| `true` | `true`, `false` | Boolean | + +- **Description:** Restrict Docker Desktop to only run Marketplace extensions. +- **OS:** {{< badge color=blue text="All" >}} +- **Use case:** Prevent running third-party or local extensions. 
+- **Configure this setting with:** + - **Extensions** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) + +### Show Docker Extensions system containers + +| Default value | Accepted values | Format | +|---------------|-----------------|----------| +| `false` | `true`, `false` | Boolean | + +- **Description:** Show system containers used by Docker Extensions in the container list +- **OS:** {{< badge color=blue text="All" >}} +- **Use case:** Help developers troubleshoot or view extension system containers +- **Configure this setting with:** + - **Extensions** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) + +## Features in development + +### Enable Docker AI + +| Default value | Accepted values | Format | +|---------------|-----------------|----------| +| `false` | `true`, `false` | Boolean | + +- **Description:** Enable Docker AI features in the Docker Desktop experience. +- **OS:** {{< badge color=blue text="All" >}} +- **Use case:** Enable or disable AI features like "Ask Gordon". +- **Configure this setting with:** + - **Features in development** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) + - Settings Management: `enableDockerAI` setting in the [`admin-settings.json` file](/manuals/security/for-admins/hardened-desktop/settings-management/configure-json-file.md) + +### Enable Docker Model Runner + +| Default value | Accepted values | Format | +|---------------|-----------------|----------| +| `true` | `true`, `false` | Boolean | + +- **Description:** Enable Docker Model Runner features in Docker Desktop. +- **OS:** {{< badge color=blue text="All" >}} +- **Use case:** Enable or disable Docker Model Runner features. 
+- **Configure this setting with:** + - **Features in development** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) + +### Enable host-side TCP support + +| Default value | Accepted values | Format | +|---------------|-----------------|----------| +| `false` | `true`, `false` | Boolean | + +- **Description:** Enable Docker Model Runner features in Docker Desktop. +- **OS:** {{< badge color=blue text="All" >}} +- **Use case:** Enable or disable Docker Model Runner features. +- **Configure this setting with:** + - **Features in development** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) + +> [!NOTE] +> +> This setting requires Docker Model Runner setting to be enabled first. + +## Notifications + +### Status updates on tasks and processes + +| Default value | Accepted values | Format | +|---------------|-----------------|----------| +| `true` | `true`, `false` | Boolean | + +- **Description:** Display general informational messages inside Docker Desktop +- **OS:** {{< badge color=blue text="All" >}} +- **Use case:** Customize in-app communication visibility +- **Configure this setting with:** + - **Notifications** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) + +### Recommendations from Docker + +| Default value | Accepted values | Format | +|---------------|-----------------|----------| +| `true` | `true`, `false` | Boolean | + +- **Description:** Display promotional announcements and banners inside Docker Desktop +- **OS:** {{< badge color=blue text="All" >}} +- **Use case:** Control exposure to Docker news and feature promotion +- **Configure this setting with:** + - **Notifications** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) + +### Docker announcements + +| Default value | Accepted values | Format | +|---------------|-----------------|----------| +| `true` | `true`, `false` | Boolean | + +- 
**Description:** Display general announcements inside Docker Desktop. +- **OS:** {{< badge color=blue text="All" >}} +- **Use case:** Enable or suppress Docker-wide announcements in the GUI. +- **Configure this setting with:** + - **Notifications** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) + +### Docker surveys + +| Default value | Accepted values | Format | +|---------------|-----------------|----------| +| `true` | `true`, `false` | Boolean | + +- **Description:** Display notifications inviting users to participate in surveys +- **OS:** {{< badge color=blue text="All" >}} +- **Use case:** Enable or disable in-product survey prompts +- **Configure this setting with:** + - **Notifications** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) + +### Docker Scout Notification pop-ups + +| Default value | Accepted values | Format | +|---------------|-----------------|----------| +| `true` | `true`, `false` | Boolean | + +- **Description:** Enable Docker Scout popups inside Docker Desktop. +- **OS:** {{< badge color=blue text="All" >}} +- **Use case:** Show or hide vulnerability scan notifications +- **Configure this setting with:** + - **Notifications** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) + +### Docker Scout OS notifications + +| Default value | Accepted values | Format | +|---------------|-----------------|----------| +| `false` | `true`, `false` | Boolean | + +- **Description:** Enable Docker Scout notifications through the operating system. 
+- **OS:** {{< badge color=blue text="All" >}} +- **Use case:** Push Scout updates via system notification center +- **Configure this setting with:** + - **Notifications** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) + +## Advanced + +### Configure installation of Docker CLI + +| Default value | Accepted values | Format | +|---------------|-----------------|----------| +| `system` | File path | String | + +- **Description:** Install location for Docker CLI binaries. +- **OS:** {{< badge color=blue text="All" >}} +- **Use case:** Customize CLI install location for compliance or tooling. +- **Configure this setting with:** + - **Advanced** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) + +### Allow the default Docker socket to be used + +| Default value | Accepted values | Format | +|---------------|-----------------|----------| +| `true` | `true`, `false` | Boolean | + +- **Description:** By default, enhanced container isolation blocks bind-mounting +the Docker Engine socket into containers +(e.g., `docker run -v /var/run/docker.sock:/var/run/docker.sock ...`). This lets +you relax this in a controlled way. See ECI Configuration for more info. +- **OS:** {{< badge color=blue text="All" >}} +- **Use case:** Allow containers to access the Docker socket for scenarios like +Docker-in-Docker or containerized CI agents. 
+- **Configure this setting with:** + - **Advanced** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) + - Settings Management: `dockerSocketMount` setting in the [`admin-settings.json` file](/manuals/security/for-admins/hardened-desktop/settings-management/configure-json-file.md) + +### Allow privileged port mapping + +| Default value | Accepted values | Format | +|---------------|-----------------|----------| +| `true` | `true`, `false` | Boolean | + +- **Description:** Starts the privileged helper process which binds privileged ports that are between 1 and 1024 +- **OS:** {{< badge color=blue text="Mac only" >}} +- **Use case:** Enforce elevated privileges for networking support +- **Configure this setting with:** + - **Advanced** settings in [Docker Desktop GUI](/manuals/desktop/settings-and-maintenance/settings.md) + +## Settings not available in the Docker Desktop GUI + +The following settings aren’t shown in the Docker Desktop GUI. You can only configure them using Settings Management with the Admin Console or the `admin-settings.json` file. + +### Block `docker load` + +| Default value | Accepted values | Format | +|---------------|-----------------|--------| +| `false` | `true`, `false` | Boolean | + +- **Description:** Prevent users from loading local Docker images using the `docker load` command. +- **OS:** {{< badge color=blue text="All" >}} +- **Use case:** Enforce image provenance by restricting local image imports. +- **Configure this setting with:** + - Settings Management: `blockDockerLoad` setting in the [`admin-settings.json` file](/manuals/security/for-admins/hardened-desktop/settings-management/configure-json-file.md) + +### Expose Docker API on TCP 2375 + +| Default value | Accepted values | Format | +|---------------|-----------------|--------| +| `false` | `true`, `false` | Boolean | + +- **Description:** Exposes the Docker API over an unauthenticated TCP socket on port 2375. 
Only recommended for isolated and protected environments. +- **OS:** {{< badge color=blue text="Windows only" >}} +- **Use case:** Required for legacy integrations or environments without named pipe support. +- **Configure this setting with:** + - Settings Management: `exposeDockerAPIOnTCP2375` in the [`admin-settings.json` file](/manuals/security/for-admins/hardened-desktop/settings-management/configure-json-file.md) + +### Air-gapped container proxy + +| Default value | Accepted values | Format | +| ------------- | --------------- | ----------- | +| See example | Object | JSON object | + +- **Description:** Configure a manual HTTP/HTTPS proxy for containers. Useful in air-gapped environments where containers need restricted access. +- **OS:** {{< badge color=blue text="All" >}} +- **Use case:** Redirect or block container networking to comply with offline or secured network environments. +- **Configure this setting with:** + - Settings Management: `containersProxy` setting in the [`admin-settings.json` file](/manuals/security/for-admins/hardened-desktop/settings-management/configure-json-file.md) + +#### Example + +```json +"containersProxy": { + "locked": true, + "mode": "manual", + "http": "", + "https": "", + "exclude": [], + "pac": "", + "transparentPorts": "" +} +``` + +Docker socket access control (ECI exceptions) + +| Default value | Accepted values | Format | +| ------------- | --------------- | ----------- | +| - | Object | JSON object | + +- **Description:** Allow specific images or commands to use the Docker socket when Enhanced Container Isolation is enabled. +- **OS:** {{< badge color=blue text="All" >}} +- **Use case:** Support tools like Testcontainers or LocalStack that need Docker socket access while maintaining secure defaults. 
+- Configure this setting with: + - Settings Management: `enhancedContainerIsolation` > `dockerSocketMount` in the [`admin-settings.json` file](/manuals/security/for-admins/hardened-desktop/settings-management/configure-json-file.md) + +#### Example + +```json +"enhancedContainerIsolation": { + "locked": true, + "value": true, + "dockerSocketMount": { + "imageList": { + "images": [ + "docker.io/localstack/localstack:*", + "docker.io/testcontainers/ryuk:*" + ] + }, + "commandList": { + "type": "deny", + "commands": ["push"] + } + } +} +``` + +### Allow beta features + +| Default value | Accepted values | Format | +|---------------|-----------------|----------| +| `false` | `true`, `false` | Boolean | + +- **Description:** Enable access to beta features in Docker Desktop. +- **OS:** {{< badge color=blue text="All" >}} +- **Use case:** Give developers early access to features that are in public beta. +- **Configure this setting with:** + - Settings Management: `allowBetaFeatures` setting in the [`admin-settings.json` file](/manuals/security/for-admins/hardened-desktop/settings-management/configure-json-file.md) + +### Docker daemon options (Linux or Windows) + +| Default value | Accepted values | Format | +|---------------|-----------------|----------| +| `{}` | JSON object | Stringified JSON | + +- **Description:** Override the Docker daemon configuration used in Linux or Windows containers. +- **OS:** {{< badge color=blue text="All" >}} +- **Use case:** Configure low-level Docker daemon options (e.g., logging, storage drivers) without editing the local config files. 
+- **Configure this setting with:** + - Settings Management: `linuxVM.dockerDaemonOptions` or `windowsContainers.dockerDaemonOptions` in the [`admin-settings.json` file](/manuals/security/for-admins/hardened-desktop/settings-management/configure-json-file.md) + +### VPNKit CIDR + +| Default value | Accepted values | Format | +|-------------------|-----------------|--------| +| `192.168.65.0/24` | CIDR notation | String | + +- **Description:** Set the subnet used for internal VPNKit DHCP/DNS services. +- **OS:** {{< badge color=blue text="Mac only" >}} +- **Use case:** Prevent IP conflicts in environments with overlapping subnets. +- **Configure this setting with:** + - Settings Management: `vpnkitCIDR` setting in the [`admin-settings.json` file](/manuals/security/for-admins/hardened-desktop/settings-management/configure-json-file.md) + - Settings Management: **VPN Kit CIDR** setting in the [Admin Console](/manuals/security/for-admins/hardened-desktop/settings-management/configure-admin-console.md) + +### Enable Kerberos and NTLM authentication + +| Default value | Accepted values | Format | +|---------------|-----------------|--------| +| `false` | `true`, `false` | Boolean | + +- **Description:** Enables Kerberos and NTLM proxy authentication for enterprise environments. +- **OS:** {{< badge color=blue text="All" >}} +- **Use case:** Allow users to authenticate with enterprise proxy servers that require Kerberos or NTLM. +- **Configure this setting with:** + - Settings Management: `proxy.enableKerberosNtlm` in the [`admin-settings.json` file](/manuals/security/for-admins/hardened-desktop/settings-management/configure-json-file.md) + diff --git a/content/manuals/subscription/change.md b/content/manuals/subscription/change.md index b2e6a5d6033e..5844598f1ba2 100644 --- a/content/manuals/subscription/change.md +++ b/content/manuals/subscription/change.md 
@@ -46,6 +46,11 @@ To upgrade your Docker subscription:
 5. Select **Upgrade**.
 6. Follow the on-screen instructions to complete your upgrade.
+> [!NOTE]
+>
+> If you choose to pay using a US bank account, you must verify the account. For
+> more information, see [Verify a bank account](manuals/billing/payment-method.md#verify-a-bank-account).
+
 {{< /tab >}}
 {{< tab name="Legacy Docker plan" >}}
diff --git a/content/manuals/subscription/manage-seats.md b/content/manuals/subscription/manage-seats.md
index f0ec03e90269..bfe663080969 100644
--- a/content/manuals/subscription/manage-seats.md
+++ b/content/manuals/subscription/manage-seats.md
@@ -36,6 +36,11 @@ To add seats to your subscription:
 4. Select **Add seats**.
 5. Follow the on-screen instructions to complete adding seats.
+> [!NOTE]
+>
+> If you choose to pay using a US bank account, you must verify the account. For
+> more information, see [Verify a bank account](manuals/billing/payment-method.md#verify-a-bank-account).
+
 You can now add more members to your organization. For more information, see [Manage organization members](../admin/organization/members.md).
 {{< /tab >}}
diff --git a/data/engine-cli/docker_image_build.yaml b/data/engine-cli/docker_image_build.yaml
index 2c7c1f28d455..eb62cfecb37c 100644
--- a/data/engine-cli/docker_image_build.yaml
+++ b/data/engine-cli/docker_image_build.yaml
@@ -51,7 +51,7 @@ long: |-
 file to exclude files and directories that you don't require in your build from being sent as part of the build context.
- #### Accessing paths outside the build context
+ #### Access paths outside the build context
 The legacy builder will error out if you try to access files outside of the build context using relative paths in your Dockerfile.
diff --git a/data/redirects.yml b/data/redirects.yml
index 522b02e8f380..aedd6f60ea0b 100644
--- a/data/redirects.yml
+++ b/data/redirects.yml
@@ -297,6 +297,6 @@ # Desktop DMR -"/ai/model-runner/": +"/model-runner/": - /go/model-runner/ \ No newline at end of file diff --git a/data/summary.yaml b/data/summary.yaml index 3f5953caf82b..5246f3899d9f 100644 --- a/data/summary.yaml +++ b/data/summary.yaml @@ -109,6 +109,8 @@ Compose model runner: requires: Docker Compose [2.35.0](/manuals/compose/releases/release-notes.md#2300) and later, and Docker Desktop 4.41 and later Compose OCI artifact: requires: Docker Compose [2.34.0](/manuals/compose/releases/release-notes.md#2340) and later +Compose provider services: + requires: Docker Compose [2.36.0](/manuals/compose/releases/release-notes.md) and later Compose replace file: requires: Docker Compose [2.24.4](/manuals/compose/releases/release-notes.md#2244) and later Compose required: @@ -165,6 +167,9 @@ Docker Scout Mount Permissions: Domain audit: subscription: [Business] for: Administrators +Domain management: + subscription: [Business] + for: Administrators Enforce sign-in: subscription: [Business] for: Administrators diff --git a/go.mod b/go.mod index 155f635ef101..26a9c60f1984 100644 --- a/go.mod +++ b/go.mod 
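Review bot: In data/summary.yaml (the hunk at -109), the new `Compose provider services` entry links to the release-notes page without a version anchor, while the neighbouring entries in the same hunk point at one (`#2340`, `#2244`). Assuming the release notes carry a 2.36.0 heading that follows the same pattern, the line would read `requires: Docker Compose [2.36.0](/manuals/compose/releases/release-notes.md#2360) and later`.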
@@ -6,17 +6,17 @@ toolchain go1.24.1 require ( github.com/docker/buildx v0.23.0 // indirect - github.com/docker/cli v28.1.0+incompatible // indirect - github.com/docker/compose/v2 v2.35.1 // indirect + github.com/docker/cli v28.1.1+incompatible // indirect + github.com/docker/compose/v2 v2.36.0 // indirect github.com/docker/scout-cli v1.15.0 // indirect - github.com/moby/buildkit v0.21.0 // indirect + github.com/moby/buildkit v0.21.1 // indirect github.com/moby/moby v28.1.0-rc.2+incompatible // indirect ) replace ( github.com/docker/buildx => github.com/docker/buildx v0.23.0 github.com/docker/cli => github.com/docker/cli v28.1.0-rc.2+incompatible - github.com/docker/compose/v2 => github.com/docker/compose/v2 v2.35.1 + github.com/docker/compose/v2 => github.com/docker/compose/v2 v2.36.0 github.com/docker/scout-cli => github.com/docker/scout-cli v1.15.0 github.com/moby/buildkit => github.com/moby/buildkit v0.20.0 github.com/moby/moby => github.com/moby/moby v28.1.0-rc.2+incompatible diff --git a/go.sum b/go.sum index e0d9918a4407..8e4053f2ce26 100644 --- a/go.sum +++ b/go.sum @@ -231,6 +231,8 @@ github.com/docker/compose/v2 v2.35.0 h1:bU23OeFrbGyHYrKijMSEwkOeDg2TLhAGntU2F3hw github.com/docker/compose/v2 v2.35.0/go.mod h1:S5ejUILn9KTYC6noX3IxznWu3/sb3FxdZqIYbq4seAk= github.com/docker/compose/v2 v2.35.1 h1:oRt5EE22een6DEAkNNQcuzJGhBS2rcMtEKdbfMhFIgk= github.com/docker/compose/v2 v2.35.1/go.mod h1:Ydd9ceg7VBOPSVAsDDKfyGGAkjejH3cD91GSmHjuRhI= +github.com/docker/compose/v2 v2.36.0 h1:MACSfQ2xqcwgCwAtsHVoQkFbHi2nNfNAsd5EWFg164k= +github.com/docker/compose/v2 v2.36.0/go.mod h1:kFPppTinl2Q0Lv3Dy9titIL41oWYoUkNxoKQZb/lfSU= github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8= github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= 
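Review bot: In go.mod, the `require` bumps for `github.com/docker/cli` (v28.1.1+incompatible) and `github.com/moby/buildkit` (v0.21.1) do not change what is resolved, because the unchanged `replace` block in the same hunk still maps them to `v28.1.0-rc.2+incompatible` and `v0.20.0`; only the compose entry is updated in both blocks. A `replace` directive overrides the required version in the main module, so the vendored CLI and BuildKit content would stay at the older pins while the file reads as if it tracked the new releases. If the pins are intentional, say so with a comment above those two entries; otherwise update them to `github.com/docker/cli => github.com/docker/cli v28.1.1+incompatible` and `github.com/moby/buildkit => github.com/moby/buildkit v0.21.1` and refresh go.sum, whose visible hunk adds only the compose v2.36.0 hashes.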
diff --git a/hugo.yaml b/hugo.yaml index 3250af12955a..fb1c962215aa 100644 --- a/hugo.yaml +++ b/hugo.yaml @@ -140,7 +140,7 @@ params: # (Used to show e.g., "latest" and "latest"-1 in engine install examples docker_ce_version_prev: "28.1.0" # Latest Docker Compose version - compose_version: "v2.35.1" + compose_version: "v2.36.0" # Latest BuildKit version buildkit_version: "0.21.0" diff --git a/hugo_stats.json b/hugo_stats.json index 0ba8fdcc0a2b..27020353d8d5 100644 --- a/hugo_stats.json +++ b/hugo_stats.json @@ -80,6 +80,7 @@ "Mac-with-Apple-silicon", "Mac-with-Intel-chip", "Manually-create-assets", + "Manually-set-it-up", "NetworkManager", "Node", "Non-compliant", @@ -113,6 +114,7 @@ "Use-OpenAI", "Using-the-CLI", "Using-the-GUI", + "Using-the-MCP-Toolkit-Recommended", "VS-Code", "Vue", "WSL-2-backend-Arm-Beta",