From ad2999db445bc77f59481183727c2dd47e1de812 Mon Sep 17 00:00:00 2001 From: Gavin Date: Tue, 18 Nov 2025 11:06:20 +0000 Subject: [PATCH 1/4] Add info about port binding controls --- content/manuals/desktop/settings-and-maintenance/settings.md | 4 +++- .../settings-management/configure-json-file.md | 5 +++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/content/manuals/desktop/settings-and-maintenance/settings.md b/content/manuals/desktop/settings-and-maintenance/settings.md index f798e977589a..def72e579fca 100644 --- a/content/manuals/desktop/settings-and-maintenance/settings.md +++ b/content/manuals/desktop/settings-and-maintenance/settings.md @@ -315,6 +315,8 @@ On Windows and Mac, you can also set the default networking mode and DNS resolut On Mac, you can also select the **Use kernel networking for UDP** setting. This lets you use a more efficient kernel networking path for UDP. This may not be compatible with your VPN software. +You can also define the behavior of port bindings. By default Docker Desktop binds all ports on containers to `0.0.0.0` on the host, though this can be overridden by providing a specific IP. You can change this default behavior by changing the **Port binding behavior** setting, allowing you to either bind to localhost (`127.0.0.1`) by default, or only allow containers to bind to localhost under any circumstances, even if requested otherwise. + ### WSL Integration On Windows in WSL 2 mode, you can configure which WSL 2 distributions will have the Docker 
@@ -534,4 +536,4 @@ Use the **Docker Offload** tab to: - Toggle **Enable Docker Offload**. When enabled, you can start Offload sessions. - Select **Idle timeout**. This is the duration of time between no activity and Docker Offload entering idle mode.For details about idle timeout, see [Active and idle states](../../offload/configuration.md#understand-active-and-idle-states) -- Check **Enable GPU support**. When enabled, workloads can use cloud GPU if available. \ No newline at end of file +- Check **Enable GPU support**. When enabled, workloads can use cloud GPU if available. diff --git a/content/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md b/content/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md index a1b03fdd2e6f..9b342e9002f7 100644 --- a/content/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md +++ b/content/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md @@ -239,6 +239,10 @@ The following sample is an `admin-settings.json` file with common enterprise set "enableInferenceGPUVariant": { "locked": true, "value": true + }, + "portBindingBehavior": { + "locked": true, + "value": "default-port-binding" } } ``` 
@@ -357,6 +361,7 @@ The following tables describe all available settings in the `admin-settings.json |:-------------------------------|---|:-------------------------------|---| | `defaultNetworkingMode` | Windows and Mac only | Defines the default IP protocol for new Docker networks: `dual-stack` (IPv4 + IPv6, default), `ipv4only`, or `ipv6only`. | Docker Desktop version 4.43 and later. | | `dnsInhibition` | Windows and Mac only | Controls DNS record filtering returned to containers. Options: `auto` (recommended), `ipv4`, `ipv6`, `none`| Docker Desktop version 4.43 and later. | +| `portBindingBehavior` | Linux-based containers only | Defines port binding restrictions and default behavior, allowing admins to control how a user exposes ports from their containers. Options: `default-port-binding`, `default-local-port-binding`, `local-only-port-binding` | Docker Desktop version 4.52 and later. | For more information, see [Networking](/manuals/desktop/features/networking.md#networking-mode-and-dns-behaviour-for-mac-and-windows). From a9042ad937fa035567f6ac783879e4edf6842968 Mon Sep 17 00:00:00 2001 From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Wed, 19 Nov 2025 11:28:18 +0000 Subject: [PATCH 2/4] Update content/manuals/desktop/settings-and-maintenance/settings.md --- content/manuals/desktop/settings-and-maintenance/settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/manuals/desktop/settings-and-maintenance/settings.md b/content/manuals/desktop/settings-and-maintenance/settings.md index def72e579fca..7cf51f43b707 100644 --- a/content/manuals/desktop/settings-and-maintenance/settings.md +++ b/content/manuals/desktop/settings-and-maintenance/settings.md 
@@ -315,7 +315,7 @@ On Windows and Mac, you can also set the default networking mode and DNS resolut On Mac, you can also select the **Use kernel networking for UDP** setting. This lets you use a more efficient kernel networking path for UDP. This may not be compatible with your VPN software. -You can also define the behavior of port bindings. By default Docker Desktop binds all ports on containers to `0.0.0.0` on the host, though this can be overridden by providing a specific IP. You can change this default behavior by changing the **Port binding behavior** setting, allowing you to either bind to localhost (`127.0.0.1`) by default, or only allow containers to bind to localhost under any circumstances, even if requested otherwise. +You can also define the behavior of port bindings. By default Docker Desktop binds all ports on containers to `0.0.0.0` on the host, though this can be overridden by providing a specific IP. You can change this default behavior by changing the **Port binding behavior** setting, allowing you to either bind to `localhost` (`127.0.0.1`) by default, or only allow containers to bind to `localhost` under any circumstances, even if requested otherwise. ### WSL Integration From 01011ab9c731a8d7e846ec3de5605d9ed1f67b5e Mon Sep 17 00:00:00 2001 From: Gavin Date: Wed, 19 Nov 2025 12:12:26 +0000 Subject: [PATCH 3/4] Add a link to the network settings to features/networking ports guide --- content/manuals/desktop/features/networking/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/manuals/desktop/features/networking/_index.md b/content/manuals/desktop/features/networking/_index.md index 5ef5f18bb667..0e8cfe6bd5b1 100644 --- a/content/manuals/desktop/features/networking/_index.md +++ b/content/manuals/desktop/features/networking/_index.md 
@@ -61,7 +61,7 @@ For example, with `docker run -p 80:80 nginx`: - Inside the VM, the connection is routed to the container’s internal IP address and port, for example `172.17.0.2:80`. - The container responds through the same path, so you can access it from your host just like any other local service. -By default, `docker run -p` listens on all network interfaces (`0.0.0.0`), but you can restrict it to a specific address, such as `127.0.0.1` (localhost) or a particular network adapter. +By default, `docker run -p` listens on all network interfaces (`0.0.0.0`), but you can restrict it to a specific address, such as `127.0.0.1` (localhost) or a particular network adapter. This behavior can be modified to bind to localhost by default in [Docker Desktop's network settings](/manuals/desktop/settings-and-maintenance/settings.md#network) Host firewalls can permit or deny inbound connections by filtering on `com.docker.backend`. From 9fd3cda499f99df3998e9cca22cbd40a57bf06c5 Mon Sep 17 00:00:00 2001 From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Wed, 19 Nov 2025 12:28:24 +0000 Subject: [PATCH 4/4] Update content/manuals/desktop/features/networking/_index.md --- content/manuals/desktop/features/networking/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/manuals/desktop/features/networking/_index.md b/content/manuals/desktop/features/networking/_index.md index 0e8cfe6bd5b1..9a81a9c14fdb 100644 --- a/content/manuals/desktop/features/networking/_index.md +++ b/content/manuals/desktop/features/networking/_index.md 
@@ -61,7 +61,7 @@ For example, with `docker run -p 80:80 nginx`: - Inside the VM, the connection is routed to the container’s internal IP address and port, for example `172.17.0.2:80`. - The container responds through the same path, so you can access it from your host just like any other local service. -By default, `docker run -p` listens on all network interfaces (`0.0.0.0`), but you can restrict it to a specific address, such as `127.0.0.1` (localhost) or a particular network adapter. This behavior can be modified to bind to localhost by default in [Docker Desktop's network settings](/manuals/desktop/settings-and-maintenance/settings.md#network) +By default, `docker run -p` listens on all network interfaces (`0.0.0.0`), but you can restrict it to a specific address, such as `127.0.0.1` (`localhost`) or a particular network adapter. This behavior can be modified to bind to `localhost` by default in [Docker Desktop's network settings](/manuals/desktop/settings-and-maintenance/settings.md#network) Host firewalls can permit or deny inbound connections by filtering on `com.docker.backend`.
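Review bot: In PATCH 1/4, the paragraph added to settings.md at @@ -315 says Docker Desktop "binds all ports on containers to `0.0.0.0`", but the networking guide touched later in this series describes this as the behavior of `docker run -p`, that is, of published ports only. Suggest "binds published container ports to `0.0.0.0` (all host interfaces)", plus a comma after "By default". The paragraph also describes three behaviors without naming the choices the **Port binding behavior** setting offers. Listing them and tying each to the `portBindingBehavior` values documented in configure-json-file.md would let a reader match the UI to the admin setting.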
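Review bot: In PATCH 1/4, configure-json-file.md at @@ -239, the sample locks `portBindingBehavior` to `default-port-binding`, which going by the option names is the least restrictive of the three values. For a hardened-desktop sample of common enterprise settings, a locked permissive value is an odd thing to model, since readers tend to copy the sample as-is. Suggest showing `default-local-port-binding` or `local-only-port-binding` here, or adding a sentence under the sample that says which value to choose when the goal is to keep published ports off external interfaces.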
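Review bot: In PATCH 1/4, configure-json-file.md at @@ -357, the new `portBindingBehavior` row lists its three options without saying what each one does or which is the default, whereas the `defaultNetworkingMode` row above it marks `dual-stack` as the default and explains it. Suggest a short gloss per value in the same style, using the behaviors already described in settings.md (bind to `0.0.0.0` by default, bind to `127.0.0.1` by default, only allow binding to localhost even if requested otherwise), and marking the default. The "For more information" link after the table points at the networking-mode section, so a link to the port binding paragraph in settings.md would also help.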
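Review bot: In PATCH 2/4, settings.md at @@ -315,7, putting `localhost` in code formatting next to (`127.0.0.1`) makes it read as a literal bind address, but the paragraph only ever names the IPv4 loopback. Since the admin settings table in this series lists `dual-stack` (IPv4 + IPv6) as the default networking mode, the text should say whether the localhost modes also bind or restrict to `::1`, or state explicitly that the address used is `127.0.0.1`. The "either bind to ... or only allow containers to bind ..." construction is also not parallel and would read better as two short sentences, one per mode.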
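Review bot: In PATCH 4/4, _index.md at @@ -61,7, the sentence added in PATCH 3/4 still ends at the link with no closing period, and the formatting follow-up would have been the place to fix it. The sentence also mentions only the bind-to-localhost-by-default option. The setting described in settings.md has a second, stricter mode that restricts containers to localhost even when another address is requested, and a reader of this guide who passes an explicit IP to `-p` needs to know it can be overridden. Suggest something like "You can change this default, or restrict all bindings to `localhost`, in Docker Desktop's network settings."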