Sync from docker/docs@d6f51e6 by PCIT

SUMMARY.md

@@ -337,6 +337,7 @@
       * [Start The Daemon](content/config/daemon/start.md)
       * [Configure The Daemon With Systemd](content/config/daemon/systemd.md)
       * [Troubleshooting The Docker Daemon](content/config/daemon/troubleshoot.md)
+    * [CLI Completion](content/config/completion.md)
     * [Filter Commands](content/config/filter.md)
     * [Format Command And Log Output](content/config/formatting.md)
     * [Docker Object Labels](content/config/labels-custom-metadata.md)
@@ -466,9 +467,9 @@
         * [Limitations](content/desktop/hardened-desktop/enhanced-container-isolation/limitations.md)
       - Settings Management
         * [What Is Settings Management](content/desktop/hardened-desktop/settings-management/_index.md)
-        * [Configure Air Gapped Containers With Settings Management](content/desktop/hardened-desktop/settings-management/air-gapped-containers.md)
         * [Configure Settings Management](content/desktop/hardened-desktop/settings-management/configure.md)
       * [Overview Of Hardened Docker Desktop](content/desktop/hardened-desktop/_index.md)
+      * [Air Gapped Containers](content/desktop/hardened-desktop/air-gapped-containers.md)
     - Install
       * [Install Docker Desktop On Arch Based Distributions](content/desktop/install/archlinux.md)
       * [Install Docker Desktop On Debian](content/desktop/install/debian.md)

content/config/completion.md

@@ -0,0 +1,104 @@
+---
+title: CLI completion
+description: Set up your shell to get autocomplete for Docker commands and flags
+keywords: cli, shell, fish, bash, zsh, completion, options
+---
+
+You can generate a shell completion script for the Docker CLI using the `docker
+completion` command. The completion script gives you word completion for
+commands, flags, and Docker objects (such as container and volume names) when
+you hit `<Tab>` as you type into your terminal.
+
+You can generate completion scripts for the following shells:
+
+- [Bash](#bash)
+- [Zsh](#zsh)
+- [fish](#fish)
+
+## Bash
+
+To get Docker CLI completion with Bash, you first need to install the
+`bash-completion` package which contains a number of Bash functions for shell
+completion.
+
+```bash
+# Install using APT:
+sudo apt install bash-completion
+
+# Install using Homebrew (Bash version 4 or later):
+brew install bash-completion@2
+# Homebrew install for older versions of Bash:
+brew install bash-completion
+
+# With pacman:
+sudo pacman -S bash-completion
+```
+
+After installing `bash-completion`, source the script in your shell
+configuration file (in this example, `.bashrc`):
+
+```bash
+# On Linux:
+cat <<EOT >> ~/.bashrc
+if [ -f /etc/bash_completion ]; then
+    . /etc/bash_completion
+fi
+EOT
+
+# On macOS / with Homebrew:
+cat <<EOT >> ~/.bash_profile
+[[ -r "$(brew --prefix)/etc/profile.d/bash_completion.sh" ]] && . "$(brew --prefix)/etc/profile.d/bash_completion.sh"
+EOT
+```
+
+And reload your shell configuration:
+
+```console
+$ source ~/.bashrc
+```
+
+Now you can generate the Bash completion script using the `docker completion` command:
+
+```console
+$ mkdir -p ~/.local/share/bash-completion/completions
+$ docker completion bash > ~/.local/share/bash-completion/completions/docker
+```
+
+## Zsh
+
+The Zsh [completion system](http://zsh.sourceforge.net/Doc/Release/Completion-System.html)
+takes care of things as long as the completion can be sourced using `FPATH`.
+
+If you use Oh My Zsh, you can install completions without modifying `~/.zshrc`
+by storing the completion script in the `~/.oh-my-zsh/completions` directory.
+
+```console
+$ mkdir -p ~/.oh-my-zsh/completions
+$ docker completion zsh > ~/.oh-my-zsh/completions/_docker
+```
+
+If you're not using Oh My Zsh, store the completion script in a directory of
+your choice and add the directory to `FPATH` in your `.zshrc`.
+
+```console
+$ mkdir -p ~/.docker/completions
+$ docker completion zsh > ~/.docker/completions/_docker
+```
+
+```console
+$ cat <<EOT >> ~/.zshrc
+fpath=(~/.docker/completions \\$fpath)
+autoload -Uz compinit
+compinit
+EOT
+```
+
+## Fish
+
+fish shell supports a [completion system](https://fishshell.com/docs/current/#tab-completion) natively.
+To activate completion for Docker commands, copy or symlink the completion script to your fish shell `completions/` directory:
+
+```console
+$ mkdir -p ~/.config/fish/completions
+$ docker completion fish > ~/.config/fish/completions/docker.fish
+```

content/desktop/faqs/macfaqs.md

@@ -220,70 +220,3 @@ To learn more about how to install a CA root certificate for the registry and
 how to set the client TLS certificate for verification, see
 [Verify repository client with certificates](../../engine/security/certificates.md)
 in the Docker Engine topics.
-
-### How do I install shell completion?
-
-Docker Desktop comes with scripts to enable completion for the `docker` and `docker compose` commands. The completion scripts may be
-found inside `Docker.app`, in the `Contents/Resources/etc/` directory and can be
-installed both in Bash and Zsh.
-
-#### Bash
-
-Bash has [built-in support for
-completion](https://www.debian-administration.org/article/316/An_introduction_to_bash_completion_part_1) To activate completion for Docker commands, these files need to be
-copied or symlinked to your `bash_completion.d/` directory. For example, if you
-installed bash via [Homebrew](https://brew.sh):
-
-```bash
-etc=/Applications/Docker.app/Contents/Resources/etc
-ln -s $etc/docker.bash-completion $(brew --prefix)/etc/bash_completion.d/docker
-ln -s $etc/docker-compose.bash-completion $(brew --prefix)/etc/bash_completion.d/docker-compose
-```
-
-Add the following to your `~/.bash_profile`:
-
-```bash
-[ -f /usr/local/etc/bash_completion ] && . /usr/local/etc/bash_completion
-```
-
-OR
-
-```bash
-if [ -f $(brew --prefix)/etc/bash_completion ]; then
-. $(brew --prefix)/etc/bash_completion
-fi
-```
-
-#### Zsh
-
-In Zsh, the [completion
-system](http://zsh.sourceforge.net/Doc/Release/Completion-System.html)
-takes care of things. To activate completion for Docker commands,
-these files need to be copied or symlinked to your Zsh `site-functions/`
-directory. For example, if you installed Zsh via [Homebrew](https://brew.sh):
-
-```bash
-etc=/Applications/Docker.app/Contents/Resources/etc
-ln -s $etc/docker.zsh-completion /usr/local/share/zsh/site-functions/_docker
-ln -s $etc/docker-compose.zsh-completion /usr/local/share/zsh/site-functions/_docker-compose
-```
-
-#### Fish-Shell
-
-Fish-shell also supports tab completion [completion
-system](https://fishshell.com/docs/current/#tab-completion). To activate completion for Docker commands,
-these files need to be copied or symlinked to your Fish-shell `completions/`
-directory.
-
-Create the `completions` directory:
-
-```console
-$ mkdir -p ~/.config/fish/completions
-```
-
-Now add fish completions from docker.
-
-```console
-$ ln -shi /Applications/Docker.app/Contents/Resources/etc/docker.fish-completion ~/.config/fish/completions/docker.fish
-$ ln -shi /Applications/Docker.app/Contents/Resources/etc/docker-compose.fish-completion ~/.config/fish/completions/docker-compose.fish
-```

content/desktop/hardened-desktop/_index.md

@@ -8,19 +8,23 @@ grid:
   - title: "Settings Management"
     description: Learn how Settings Management can secure your developers' workflows.
     icon: shield_locked
-    link: "/desktop/hardened-desktop/settings-management/"
+    link: /desktop/hardened-desktop/settings-management/
   - title: "Enhanced Container Isolation"
     description: Understand how Enhanced Container Isolation can prevent container attacks.
     icon: "security"
-    link: "/desktop/hardened-desktop/enhanced-container-isolation/"
+    link: /desktop/hardened-desktop/enhanced-container-isolation/
   - title: "Registry Access Management"
     description: Control the registries developers can access while using Docker Desktop.
     icon: "home_storage"
-    link: "/security/for-admins/registry-access-management/"
+    link: /security/for-admins/registry-access-management/
   - title: "Image Access Management"
     description: Control the images developers can pull from Docker Hub.
     icon: "photo_library"
-    link: "/security/for-admins/image-access-management/"
+    link: /security/for-admins/image-access-management/
+  - title: "Air-Gapped Containers"
+    description: Restrict containers from accessing unwanted network resources.
+    icon: "vpn_lock"
+    link: /desktop/hardened-desktop/air-gapped-containers/
 ---
 
 > **Note**
@@ -45,17 +49,20 @@ It is for security conscious organizations who:
 ### What does Hardened Docker Desktop include?
 
 It includes:
+
 - Settings Management, which helps admins to confidently manage and control the usage of Docker Desktop within their organization.
 - Enhanced Container Isolation (ECI), a setting that instantly enhances security by preventing containers from running as root in Docker Desktop’s Linux VM and ensures that any configurations set using Settings Management cannot be bypassed or modified by containers.
 - Registry Access Management (RAM), which allows admins to control the registries developers can access.
 - Image Access Management (IAM), which gives admins control over which images developers can pull from Docker Hub.
+- Air-gapped containers, which restricts containers from accessing unwanted network resources.
 
 ### How does it help my organisation?
 
 Hardened Desktop features work independently but collectively to create a defense-in-depth strategy, safeguarding developer workstations against potential attacks across various functional layers, such as configuring Docker Desktop, pulling container images, and running container images. This multi-layered defense approach ensures comprehensive security.
 
 It helps mitigate against threats such as:
- - Malware and supply chain attacks. RAM and IAM prevent developers from accessing certain container registries and image types, significantly lowering the risk of malicious payloads. Additionally, ECI restricts the impact of containers with malicious payloads by running them without root privileges inside a Linux user namespace.
- - Insider threats. Settings Management configures and locks various Docker Desktop settings, such as proxy settings, ECI, and prevents exposure of the Docker API. This helps admins enforce company policies and prevents developers from introducing insecure configurations, intentionally or unintentionally.
+ - **Malware and supply chain attacks:** RAM and IAM prevent developers from accessing certain container registries and image types, significantly lowering the risk of malicious payloads. Additionally, ECI restricts the impact of containers with malicious payloads by running them without root privileges inside a Linux user namespace.
+ - **Lateral movement:** Air gapped containers allows admins to configure network access restrictions for containers, thereby preventing malicious containers from performing lateral movement within the organization's network.
+ - **Insider threats:** Settings Management configures and locks various Docker Desktop settings, such as proxy settings, ECI, and prevents exposure of the Docker API. This helps admins enforce company policies and prevents developers from introducing insecure configurations, intentionally or unintentionally.
 
 {{< grid >}}

content/desktop/hardened-desktop/settings-management/air-gapped-containers.md → content/desktop/hardened-desktop/air-gapped-containers.md

@@ -1,12 +1,12 @@
 ---
-description: Learn how to create air-gapped containers with Settings Management
-title: Configure air-gapped containers with Settings Management
-keywords: settings management, air gapped, security, Docker Desktop, configuration, proxy, network
+title: Air-gapped containers
+description: Air-gapped containers - What it is, benefits, and how to configure it.
+keywords: air gapped, security, Docker Desktop, configuration, proxy, network
 ---
 
 > **Beta feature**
 >
-> This feature is in [Beta](../../../release-lifecycle.md/#beta).
+> This feature is in [Beta](../../release-lifecycle.md/#beta).
 > It's available with Docker Desktop version 4.29 and later.
 { .experimental }
 
@@ -25,7 +25,7 @@ You can choose:
 
 ## Configuration
 
-Assuming [enforced sign-in](../../../security/for-admins/configure-sign-in.md) and Settings Management are enabled, add the new proxy configuration to the `admin-settings.json` file. For example:
+Assuming [enforced sign-in](../../security/for-admins/configure-sign-in.md) and [Settings Management](settings-management/_index.md) are enabled, add the new proxy configuration to the `admin-settings.json` file. For example:
 
 ```json
 {
@@ -86,4 +86,4 @@ The `FindProxyForURL` can return the following values:
 
 In this particular example, HTTP and HTTPS requests for `internal.corp` are sent via the HTTP proxy `10.0.0.1:3128`. Requests to connect to IPs on the subnet `192.168.0.0/24` connect directly. All other requests are blocked.
 
-To restrict traffic connecting to ports on the developers local machine, [match the special hostname `host.docker.internal`](../../networking.md#i-want-to-connect-from-a-container-to-a-service-on-the-host).
+To restrict traffic connecting to ports on the developers local machine, [match the special hostname `host.docker.internal`](../networking.md#i-want-to-connect-from-a-container-to-a-service-on-the-host).

content/desktop/hardened-desktop/settings-management/configure.md

@@ -157,24 +157,24 @@ The following `admin-settings.json` code and table provides an example of the re
       "path":"$TMP",
       "sharedByDefault": false
     }
-  ], 
+  ],
   "useVirtualizationFrameworkVirtioFS": {
     "locked": true,
-    "value": true 
+    "value": true
   },
   "useVirtualizationFrameworkRosetta": {
     "locked": true,
-    "value": true 
+    "value": true
   },
   "useGrpcfuse": {
     "locked": true,
-    "value": true 
+    "value": true
   },
   "displayedOnboarding": {
     "locked": true,
-    "value": true 
+    "value": true
   }
-} 
+}
 ```
 
 | Parameter                        |   | Description                      |
@@ -183,7 +183,7 @@ The following `admin-settings.json` code and table provides an example of the re
 | `exposeDockerAPIOnTCP2375` | Windows only| Exposes the Docker API on a specified port. If `value` is set to true, the Docker API is exposed on port 2375. Note: This is unauthenticated and should only be enabled if protected by suitable firewall rules.|
 | `proxy` |   |If `mode` is set to `system` instead of `manual`, Docker Desktop gets the proxy values from the system and ignores and values set for `http`, `https` and `exclude`. Change `mode` to `manual` to manually configure proxy servers. If the proxy port is custom, specify it in the `http` or `https` property, for example `"https": "http://myotherproxy.com:4321"`. The `exclude` property specifies a comma-separated list of hosts and domains to bypass the proxy. |
 |        `windowsDockerdPort`  | Windows only | Exposes Docker Desktop's internal proxy locally on this port for the Windows Docker daemon to connect to. If it is set to 0, a random free port is chosen. If the value is greater than 0, use that exact value for the port. The default value is -1 which disables the option. Note: This is available for Windows containers only. |
-| `containersProxy` (Beta) | | Allows you to create air-gapped containers. For more information see [Configure air-gapped containers with Settings Management](air-gapped-containers.md).|
+| `containersProxy` (Beta) | | Allows you to create air-gapped containers. For more information see [Air-gapped containers](../air-gapped-containers.md).|
 | `enhancedContainerIsolation`  |  | If `value` is set to true, Docker Desktop runs all containers as unprivileged, via the Linux user-namespace, prevents them from modifying sensitive configurations inside the Docker Desktop VM, and uses other advanced techniques to isolate them. For more information, see [Enhanced Container Isolation](../enhanced-container-isolation/index.md).|
 |        `dockerSocketMount` |  | By default, enhanced container isolation blocks bind-mounting the Docker Engine socket into containers (e.g., `docker run -v /var/run/docker.sock:/var/run/docker.sock ...`). This allows admins to relax this in a controlled way. See [ECI Configuration](../enhanced-container-isolation/config.md) for more info. |
 |               `imageList` |  | Indicates which container images are allowed to bind-mount the Docker Engine socket. |

content/desktop/install/ubuntu.md

@@ -28,8 +28,11 @@ _For checksums, see [Release notes](../release-notes.md)_
 To install Docker Desktop successfully, you must:
 
 - Meet the [system requirements](linux-install.md#system-requirements)
-- Have a 64-bit version of either the latest LTS version (Ubuntu Jammy Jellyfish 22.04) or the current non-LTS version (Ubuntu Mantic Minotaur 23.10).
-  Docker Desktop is supported on `x86_64` (or `amd64`) architecture.
+- Have a 64-bit version of either the LTS version Ubuntu Jammy Jellyfish 22.04, or the current non-LTS version (Ubuntu Mantic Minotaur 23.10). Docker Desktop is supported on `x86_64` (or `amd64`) architecture.
+   > **Note**
+   >
+   > The latest Ubuntu 24.04 LTS is not yet supported. Docker Desktop will fail to start. Due to a change in how the latest Ubuntu release restricts the unprivileged namespaces, `sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0` needs to be run at least once. Refer to the [Ubuntu Blog](https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces) for more details.
+  
 - For non-Gnome Desktop environments, `gnome-terminal` must be installed:
   ```console
   $ sudo apt install gnome-terminal