diff --git a/.markdownlint.json b/.markdownlint.json index e4df3c8ee..93b3f1de5 100644 --- a/.markdownlint.json +++ b/.markdownlint.json @@ -1,6 +1,9 @@ { "default": false, "hr-style": true, + "heading-start-left": true, + "single-h1": true, + "no-trailing-punctuation": true, "no-missing-space-atx": true, "no-multiple-space-atx": true, "no-missing-space-closed-atx": true, @@ -8,10 +11,13 @@ "no-space-in-emphasis": true, "no-space-in-code": true, "no-space-in-links": true, + "no-empty-links": true, "ol-prefix": {"style": "ordered"}, "no-reversed-links": true, "reference-links-images": { "shortcut_syntax": true }, - "fenced-code-language": true + "fenced-code-language": true, + "table-pipe-style": true, + "table-column-count": true } diff --git a/content/admin/company/owners.md b/content/admin/company/owners.md index 352a86275..229bbd10b 100644 --- a/content/admin/company/owners.md +++ b/content/admin/company/owners.md @@ -15,14 +15,14 @@ As a company owner, you can configure [Single Sign-on (SSO)](../../security/for- 1. Sign in to [Docker Hub](https://hub.docker.com/), navigate to the **Organizations** page, and select your company. 2. In the **Overview** tab, select **Add owner** and enter their Docker ID or email address. -3. Once you've selected **Add Owner**, you can view the user in the **Company Owners** table. +3. After you find the user, select **Add company owner**. - ![company-overview](../images/company-overview.png) +Once you've added the new owner, you can view the user in the **Company owners** table. ## Remove a company owner 1. Sign in to [Docker Hub](https://hub.docker.com/), navigate to the **Organizations** page, and select your company. -2. In the **Overview** tab, find the **Company Owner** you want to remove. +2. In the **Overview** tab, find the company owner you want to remove. 3. Select the **Action** icon and remove the owner. ![remove-owner](../images/remove-owner.png) @@ -36,18 +36,18 @@ As a company owner, you can configure [Single Sign-on (SSO)](../../security/for- 1. Sign in to the [Admin Console](https://admin.docker.com). 2. In the left navigation, select your company in the drop-down menu. -3. Select **Company Owners**. -4. Select **Add Owner**. +3. Select **Company owners**. +4. Select **Add owner**. 5. Specify the user's Docker ID to search for the user. -6. After you find the user, select **Add Company Owner**. +6. After you find the user, select **Add company owner**. ## Remove a company owner 1. Sign in to the [Admin Console](https://admin.docker.com). 2. In the left navigation, select your company in the drop-down menu. -3. Select **Company Owners**. +3. Select **Company owners**. 4. Select the **Action** icon in the row of the company owner that your want to remove. -5. Select **Remove as Company Owner**. +5. Select **Remove as company owner**. {{< /tab >}} {{< /tabs >}} \ No newline at end of file diff --git a/content/admin/company/users.md b/content/admin/company/users.md index 8f5f79136..5144baa44 100644 --- a/content/admin/company/users.md +++ b/content/admin/company/users.md @@ -12,4 +12,4 @@ You can manage users at the company-level in the Docker Admin Console. ## Manage members on a team -Use Docker Hub to add a member to a team or remove a member from a team. For more details, see [Manage members in Docker Hub](#). \ No newline at end of file +Use Docker Hub to add a member to a team or remove a member from a team. For more details, see [Manage members in Docker Hub](../organization/members.md#manage-members-on-a-team). diff --git a/content/admin/images/company-overview.png b/content/admin/images/company-overview.png deleted file mode 100644 index 1304ded01..000000000 Binary files a/content/admin/images/company-overview.png and /dev/null differ diff --git a/content/build/cache/_index.md b/content/build/cache/_index.md index 42507216f..ac2abe6d7 100644 --- a/content/build/cache/_index.md +++ b/content/build/cache/_index.md @@ -243,7 +243,7 @@ stages in parallel. Only the instructions in the `site` stage will end up as layers in the final image. The entire `git` history doesn't get embedded into the final result, which helps keep the image small and secure. -#### Combine commands together wherever possible. +#### Combine commands together wherever possible Most Dockerfile commands, and `RUN` commands in particular, can often be joined together. For example, instead of using `RUN` like this: diff --git a/content/compose/gpu-support.md b/content/compose/gpu-support.md index e7f8a553c..e82f71980 100644 --- a/content/compose/gpu-support.md +++ b/content/compose/gpu-support.md @@ -31,7 +31,7 @@ This provides more granular control over a GPU reservation as custom values can For more information on these properties, see the [Compose Deploy Specification](compose-file/deploy.md#devices). -### Example of a Compose file for running a service with access to 1 GPU device: +### Example of a Compose file for running a service with access to 1 GPU device ```yaml services: diff --git a/content/compose/release-notes.md b/content/compose/release-notes.md index b788c94de..c1fadfb0d 100644 --- a/content/compose/release-notes.md +++ b/content/compose/release-notes.md @@ -2865,7 +2865,7 @@ naming scheme accordingly before upgrading. ## 1.6.0 (2016-01-15) -### Major Features: +### Major Features - Compose 1.6 introduces a new format for `docker-compose.yml` which lets you define networks and volumes in the Compose file as well as services. It @@ -2913,7 +2913,7 @@ naming scheme accordingly before upgrading. `docker-compose up SERVICE` on a service with dependencies, those are started as well. -### New Features: +### New Features - Added a new command `config` which validates and prints the Compose configuration after interpolating variables, resolving relative paths, and diff --git a/content/compose/use-secrets.md b/content/compose/use-secrets.md index 27c373550..36b9eea71 100644 --- a/content/compose/use-secrets.md +++ b/content/compose/use-secrets.md @@ -81,7 +81,7 @@ In the advanced example above: > > The `_FILE` environment variables demonstrated here are a convention used by some images, including Docker Official Images like [mysql](https://hub.docker.com/_/mysql) and [postgres](https://hub.docker.com/_/postgres). -## Resources: +## Resources - [Secrets top-level element](compose-file/09-secrets.md) -- [Secrets attribute for services top-level element](compose-file/05-services.md#secrets) \ No newline at end of file +- [Secrets attribute for services top-level element](compose-file/05-services.md#secrets) diff --git a/content/config/formatting.md b/content/config/formatting.md index ca95c8d1d..8ac2fb77b 100644 --- a/content/config/formatting.md +++ b/content/config/formatting.md @@ -97,7 +97,7 @@ $ docker inspect --format "{{upper .Name}}" container $ docker inspect --format='{{range .NetworkSettings.Networks}}{{println .IPAddress}}{{end}}' container ``` -# Hint +## Hint To find out what data can be printed, show all content as json: diff --git a/content/contribute/style/formatting.md b/content/contribute/style/formatting.md index 662bd386e..850ebd3ed 100644 --- a/content/contribute/style/formatting.md +++ b/content/contribute/style/formatting.md @@ -9,7 +9,7 @@ toc_max: 2 Readers pay fractionally more attention to headings, bulleted lists, and links, so it's important to ensure the first two to three words in those items "front load" information as much as possible. -### Best practice: +### Best practice - Headings and subheadings should let the reader know what they will find on the page. - They should describe succinctly and accurately what the content is about. @@ -21,7 +21,7 @@ Readers pay fractionally more attention to headings, bulleted lists, and links, Page titles should be action orientated. For example: - _Enable SCIM_ - _Install Docker Desktop_ -### Best practice: +### Best practice - Make sure the title of your page and the table of contents (TOC) entry matches. - If you want to use a ‘:’ in a page title in the table of contents (\_toc.yaml), you must wrap the entire title in “” to avoid breaking the build. @@ -31,7 +31,7 @@ Page titles should be action orientated. For example: - _Enable SCIM_ - _Install Images, including screenshots, can help a reader better understand a concept. However, you should use them sparingly as they tend to go out-of-date. -### Best practice: +### Best practice - When you take screenshots: - Don’t use lorem ipsum text. Try to replicate how someone would use the feature in a real-world scenario, and use realistic text. @@ -52,7 +52,7 @@ When people follow links, they can often lose their train of thought and fail to The best links offer readers another way to scan information. -### Best practice: +### Best practice - Use plain language that doesn't mislead or promise too much. - Be short and descriptive (around five words is best). @@ -72,7 +72,7 @@ To apply inline code style, wrap the text in a single backtick (`). For information on how to add code blocks to your content, see [Useful component and formatting examples](../components/code-blocks.md). -### Best practice for commands: +### Best practice for commands - Command prompt and shell: - For a non-privileged shell, prefix commands in code blocks with the $ prompt symbol. @@ -89,7 +89,7 @@ For information on how to add code blocks to your content, see [Useful component - Use pipes ( \| ) between mutually exclusive arguments. - Use three dots ( ... ) after repeated arguments. -### Best practice for code: +### Best practice for code - Indent code blocks by 3 spaces when you nest a code block under a list item. - Use three dots ( ... ) when you omit code. @@ -98,7 +98,7 @@ For information on how to add code blocks to your content, see [Useful component Use callouts to emphasize selected information on a page. -### Best practice: +### Best practice - Format the word Warning, Important, or Note in bold. Don't bold the content within the callout. - It's good practice to avoid placing a lot of text callouts on one page. They can create a cluttered appearance if used to excess, and you'll diminish their impact. @@ -110,7 +110,7 @@ Use callouts to emphasize selected information on a page. | Important | Use an Important tag to signal to the reader where actions may cause issues of a lower magnitude. | Yellow | | | ✅ Example: Update to the Docker Desktop terms | | | Note | Use the Note tag for information that may not apply to all readers, or if the information is tangential to a topic. | Blue | -| | ✅ Example: Deleting a repository deletes all the images it contains and its build settings. This action cannot be undone. | +| | ✅ Example: Deleting a repository deletes all the images it contains and its build settings. This action cannot be undone. | | For information on how to add callouts to your content, see [Useful component and formatting examples](../components/call-outs.md). @@ -149,7 +149,7 @@ Use tables to describe complex information in a straightforward manner. Note that in many cases, an unordered list is enough to describe a list of items with a single, simple description per item. But, if you have data that’s best described by a matrix, tables are the best choice. -### Best practice: +### Best practice - Use sentence case for table headings. - To keep tables accessible and scannable, tables shouldn't have any empty cells. If there is no otherwise meaningful value for a cell, consider entering N/A for ‘not applicable’ or None. @@ -173,4 +173,4 @@ When you're referring to units of measurement, use the abbreviated form in all c | --- | --- | | 10 GB | 10GB | | 10 GB | 10 gb | - | 10 GB | 10 gigabytes | \ No newline at end of file + | 10 GB | 10 gigabytes | diff --git a/content/contribute/style/grammar.md b/content/contribute/style/grammar.md index b6c9a868a..1b3d985e2 100644 --- a/content/contribute/style/grammar.md +++ b/content/contribute/style/grammar.md @@ -13,7 +13,7 @@ An acronym is an abbreviation you would speak as a word, for example, ROM (for r An initialism is a type of acronym that comprises a group of initial letters used as an abbreviation for a name or expression. If you were using the acronym in a spoken conversation, you would enunciate each letter: H-T-M-L for Hypertext Markup Language. -### Best practice: +### Best practice - Spell out lesser-known acronyms or initialisms on first use, then follow with the acronym or initialism in parentheses. After this, throughout the rest of your page or document, use the acronym or initialism alone. > ‘You can use single sign-on (SSO) to sign in to Notion. You may need to ask your administrator to enable SSO.’ @@ -26,7 +26,7 @@ An initialism is a type of acronym that comprises a group of initial letters use Unless you're referring to UI text or user-defined text, you shouldn't add emphasis to text. Clear, front-loaded wording makes the subject of a sentence clear. -### Best practice: +### Best practice - Don't use bold to refer to a feature name. - Use italics sparingly, as this type of formatting can be difficult to read in digital experiences. @@ -63,7 +63,7 @@ A contraction results from letters being left out from the original word or phra Following our conversational approach, it's acceptable to use contractions in almost all content types. Just don't get carried away. Too many contractions in a sentence can make it difficult to read. -### Best practice: +### Best practice - Stay consistent - don't switch between contractions and their spelled-out equivalents in body copy or UI text. - Avoid negative contractions (can't, don't, wouldn't, and shouldn't) whenever possible. Try to rewrite your sentence to align with our helpful approach that puts the focus on solutions, not problems. @@ -79,7 +79,7 @@ When possible, use the month's full name (October 1, 2022). If there are space c In all UI content and technical documentation, use decimals instead of fractions. -### Best practice: +### Best practice - Always carry decimals to at least the hundredth place (33.76). - In tables, align decimals on the decimal point. @@ -89,7 +89,7 @@ In all UI content and technical documentation, use decimals instead of fractions Lists are a great way to break down complex ideas and make them easier to read and scan. -### Best practice: +### Best practice - Bulleted lists should contain relatively few words or short phrases. For most content types, limit the number of items in a list to five. - Don’t add commas (,) or semicolons (;) to the ends of list items. @@ -168,4 +168,4 @@ Don't use parentheses in technical documentation. They can reduce the readabilit ## Third party documentation -If you are documenting a task that requires the use of a third-party product, link out to the third-party's documentation. Don't copy the content because it might violate copyright. It can also result in an unnecessary maintenance burden of having to keep the docs up-to-date when the third-party changes or updates their product. It is best practice to link to the single source of truth. \ No newline at end of file +If you are documenting a task that requires the use of a third-party product, link out to the third-party's documentation. Don't copy the content because it might violate copyright. It can also result in an unnecessary maintenance burden of having to keep the docs up-to-date when the third-party changes or updates their product. It is best practice to link to the single source of truth. diff --git a/content/contribute/style/recommended-words.md b/content/contribute/style/recommended-words.md index 994899adb..74ea06a20 100644 --- a/content/contribute/style/recommended-words.md +++ b/content/contribute/style/recommended-words.md @@ -86,8 +86,12 @@ _In Docker Desktop 4.1 and lower._ What might be easy for you might not be easy for others. Try eliminating this word from the sentence because usually the same meaning can be conveyed without it. + + #### e.g. + + Don't use. Instead, use phrases like `for example` or `such as`. #### enable @@ -160,9 +164,9 @@ _Turn on the dark mode toggle._ Use `upgrade` when describing a higher subscription tier -#### vs. +#### vs -Don't use `vs.` as an abbreviation for versus; instead, use the unabbreviated `versus`. +Don't use `vs` or `vs.` as an abbreviation for versus; instead, use the unabbreviated `versus`. #### we @@ -178,4 +182,4 @@ _We created a feature for you to add widgets._ #### wish -Don't use. Use `want` instead. \ No newline at end of file +Don't use. Use `want` instead. diff --git a/content/desktop/extensions-sdk/design/design-guidelines.md b/content/desktop/extensions-sdk/design/design-guidelines.md index a7e0f41a4..a142e748f 100644 --- a/content/desktop/extensions-sdk/design/design-guidelines.md +++ b/content/desktop/extensions-sdk/design/design-guidelines.md @@ -12,7 +12,7 @@ Here is a simple checklist to go through when creating your extension: - Is it easy to get help when needed? -## Create a consistent experience with Docker Desktop. +## Create a consistent experience with Docker Desktop Use the [Docker Material UI Theme](https://www.npmjs.com/package/@docker/docker-mui-theme) and the [Docker Extensions Styleguide](https://www.figma.com/file/U7pLWfEf6IQKUHLhdateBI/Docker-Design-Guidelines?node-id=1%3A28771) to ensure that your extension feels like it is part of Docker Desktop to create a seamless experience for users. @@ -68,4 +68,4 @@ When creating your extension, ensure that first time users of the extension and - Explore our [design principles](design-principles.md). - Take a look at our [UI styling guidelines](index.md). -- Learn how to [publish your extension](../extensions/index.md). \ No newline at end of file +- Learn how to [publish your extension](../extensions/index.md). diff --git a/content/desktop/faqs/releases.md b/content/desktop/faqs/releases.md index c05a5841b..519463812 100644 --- a/content/desktop/faqs/releases.md +++ b/content/desktop/faqs/releases.md @@ -12,6 +12,6 @@ New releases are available roughly every month, unless there are critical fixes Previously you had to manage this yourself. Now, it happens automatically as a side effect of all users being on the latest version. -### My colleague has got a new version but I haven’t got it yet. +### My colleague has got a new version but I haven’t got it yet Sometimes we may roll out a new version gradually over a few days. Therefore, if you wait, it will turn up soon. Alternatively, you can select **Check for Updates** from the Docker menu to jump the queue and get the latest version immediately. diff --git a/content/desktop/hardened-desktop/settings-management/configure.md b/content/desktop/hardened-desktop/settings-management/configure.md index 8cde902ea..27c8465c7 100644 --- a/content/desktop/hardened-desktop/settings-management/configure.md +++ b/content/desktop/hardened-desktop/settings-management/configure.md @@ -147,18 +147,18 @@ The following `admin-settings.json` code and table provides an example of the re | `configurationFileVersion` | |Specifies the version of the configuration file format. | | `exposeDockerAPIOnTCP2375` | Windows only| Exposes the Docker API on a specified port. If `value` is set to true, the Docker API is exposed on port 2375. Note: This is unauthenticated and should only be enabled if protected by suitable firewall rules.| | `proxy` | |If `mode` is set to `system` instead of `manual`, Docker Desktop gets the proxy values from the system and ignores and values set for `http`, `https` and `exclude`. Change `mode` to `manual` to manually configure proxy servers. If the proxy port is custom, specify it in the `http` or `https` property, for example `"https": "http://myotherproxy.com:4321"`. The `exclude` property specifies a comma-separated list of hosts and domains to bypass the proxy. | -       `windowsDockerdPort` | Windows only | Exposes Docker Desktop's internal proxy locally on this port for the Windows Docker daemon to connect to. If it is set to 0, a random free port is chosen. If the value is greater than 0, use that exact value for the port. The default value is -1 which disables the option. Note: This is available for Windows containers only. | +|        `windowsDockerdPort` | Windows only | Exposes Docker Desktop's internal proxy locally on this port for the Windows Docker daemon to connect to. If it is set to 0, a random free port is chosen. If the value is greater than 0, use that exact value for the port. The default value is -1 which disables the option. Note: This is available for Windows containers only. | | `enhancedContainerIsolation` | | If `value` is set to true, Docker Desktop runs all containers as unprivileged, via the Linux user-namespace, prevents them from modifying sensitive configurations inside the Docker Desktop VM, and uses other advanced techniques to isolate them. For more information, see [Enhanced Container Isolation](../enhanced-container-isolation/index.md).| |        `dockerSocketMount` | | By default, enhanced container isolation blocks bind-mounting the Docker Engine socket into containers (e.g., `docker run -v /var/run/docker.sock:/var/run/docker.sock ...`). This allows admins to relax this in a controlled way. See [ECI Configuration](../enhanced-container-isolation/config.md) for more info. | |               `imageList` | | Indicates which container images are allowed to bind-mount the Docker Engine socket. | |               `commandList` | | Restricts the commands that containers can issue via the bind-mounted Docker Engine socket. | | `linuxVM` | |Parameters and settings related to Linux VM options - grouped together here for convenience. | -|        `wslEngineEnabled` | Windows only | If `value` is set to true, Docker Desktop uses the WSL 2 based engine. This overrides anything that may have been set at installation using the `--backend=` flag. +|        `wslEngineEnabled` | Windows only | If `value` is set to true, Docker Desktop uses the WSL 2 based engine. This overrides anything that may have been set at installation using the `--backend=` flag. | |       `dockerDaemonOptions`| |If `value` is set to true, it overrides the options in the Docker Engine config file. See the [Docker Engine reference](/engine/reference/commandline/dockerd/#daemon-configuration-file). Note that for added security, a few of the config attributes may be overridden when Enhanced Container Isolation is enabled. | |       `vpnkitCIDR` | |Overrides the network range used for vpnkit DHCP/DNS for `*.docker.internal` | |`kubernetes`| | If `enabled` is set to true, a Kubernetes single-node cluster is started when Docker Desktop starts. If `showSystemContainers` is set to true, Kubernetes containers are displayed in the UI and when you run `docker ps`. `imagesRepository` allows you to specify which repository Docker Desktop pulls the Kubernetes images from. For example, `"imagesRepository": "registry-1.docker.io/docker"`. | | `windowsContainers` | | Parameters and settings related to `windowsContainers` options - grouped together here for convenience. | -|        `dockerDaemonOptions` | | Overrides the options in the Linux daemon config file. See the [Docker Engine reference](/engine/reference/commandline/dockerd/#daemon-configuration-file).| | +|        `dockerDaemonOptions` | | Overrides the options in the Linux daemon config file. See the [Docker Engine reference](/engine/reference/commandline/dockerd/#daemon-configuration-file).| |`disableUpdate`| |If `value` is set to true, checking for and notifications about Docker Desktop updates is disabled.| |`analyticsEnabled`| |If `value` is set to false, Docker Desktop doesn't send usage statistics to Docker. | |`extensionsEnabled`| |If `value` is set to false, Docker extensions are disabled. | diff --git a/content/develop/develop-images/dockerfile_best-practices.md b/content/develop/develop-images/dockerfile_best-practices.md index 78f4469e1..f626a77f9 100644 --- a/content/develop/develop-images/dockerfile_best-practices.md +++ b/content/develop/develop-images/dockerfile_best-practices.md @@ -44,7 +44,7 @@ When you run an image and generate a container, you add a new writable layer, al the running container, such as writing new files, modifying existing files, and deleting files, are written to this writable container layer. -## Additional resources: +## Additional resources * [Dockerfile reference](../../engine/reference/builder.md) * [More about Automated builds](../../docker-hub/builds/index.md) diff --git a/content/engine/reference/commandline/README.md b/content/engine/reference/commandline/README.md index 8c72c20fc..aaa2ff548 100644 --- a/content/engine/reference/commandline/README.md +++ b/content/engine/reference/commandline/README.md @@ -1,5 +1,8 @@ --- -{} +_build: + list: never + publishResources: false + render: never --- # About these files @@ -22,7 +25,7 @@ The output files are composed from two sources: Specifically, the Markdown inside the `## Description` and `## Examples` headings are parsed. Submit corrections to the text in those repositories. -# Updating the YAML files +## Updating the YAML files The process for generating the YAML files is still in flux. Check with @thaJeztah. Be sure to generate the YAML files with the correct @@ -30,4 +33,4 @@ release branch of `docker/cli`, for example, the `19.03` branch. After generating the YAML files, replace the YAML files in [https://github.com/docker/docs/tree/main/_data/engine-cli](https://github.com/docker/docs/tree/main/_data/engine-cli) -with the newly-generated files. Submit a pull request. \ No newline at end of file +with the newly-generated files. Submit a pull request. diff --git a/content/engine/security/https/README.md b/content/engine/security/https/README.md index bd7cb5e5b..85562d083 100644 --- a/content/engine/security/https/README.md +++ b/content/engine/security/https/README.md @@ -1,5 +1,8 @@ --- -published: false +_build: + list: never + publishResources: false + render: never --- This is an initial attempt to make it easier to test the TLS (HTTPS) examples in the protect-access.md @@ -26,4 +29,4 @@ Start another terminal: root@boot2docker:/# cd docker/docs/articles/https root@boot2docker:/# make client -The last connects first with `--tls` and then with `--tlsverify`, both should succeed. \ No newline at end of file +The last connects first with `--tls` and then with `--tlsverify`, both should succeed. diff --git a/content/engine/tutorials/_index.md b/content/engine/tutorials/_index.md index 73920f628..9934c6c64 100644 --- a/content/engine/tutorials/_index.md +++ b/content/engine/tutorials/_index.md @@ -7,9 +7,9 @@ aliases: - /engine/userguide/containers/ --- -# Learn by example +Learn by example: * [Network containers](networkingcontainers.md) * [Manage data in containers](../../storage/volumes.md) * [Samples](../../samples/index.md) -* [Get Started](../../get-started/index.md) \ No newline at end of file +* [Get Started](../../get-started/index.md) diff --git a/content/faq/security/general.md b/content/faq/security/general.md index f7ee6ae8c..00720fdbe 100644 --- a/content/faq/security/general.md +++ b/content/faq/security/general.md @@ -60,7 +60,7 @@ Docker Desktop utilizes the host operating system's secure key management for ha This is applicable only when using Docker Hub's application-level password versus SSO/SAML. When using SSO, Docker Hub doesn't store passwords. Application-level passwords are hashed in storage (SHA-256) and encrypted in transit (TLS). -### How do we de-provision access to CLI users who use personal access tokens instead of our IdP? We use SSO but not SCIM. +### How do we de-provision access to CLI users who use personal access tokens instead of our IdP? We use SSO but not SCIM If SCIM isn't enabled, you have to manually remove PAT users from the organization in our system. Using SCIM automates this. diff --git a/content/security/for-admins/scim.md b/content/security/for-admins/scim.md index 323e2ead5..0ffc7afe1 100644 --- a/content/security/for-admins/scim.md +++ b/content/security/for-admins/scim.md @@ -25,7 +25,7 @@ The following lists the supported provisioning features: The following table lists the supported attributes. Note that your attribute mappings must match for SSO to prevent duplicating your members. -| Attribute | Description +| Attribute | Description | |:---------------------------------------------------------------|:-------------------------------------------------------------------------------------------| | userName | User's primary email address. This is the unique identifier of the user. | | name.givenName | User’s first name | diff --git a/content/security/for-admins/single-sign-on/manage/_index.md b/content/security/for-admins/single-sign-on/manage/_index.md index a68dd9c4d..a265f0641 100644 --- a/content/security/for-admins/single-sign-on/manage/_index.md +++ b/content/security/for-admins/single-sign-on/manage/_index.md @@ -45,7 +45,7 @@ aliases: {{< /tab >}} {{< /tabs >}} - ## What's next? +## What's next? - [Set up SCIM](../../scim.md) - [Enable Group mapping](../../group-mapping.md) diff --git a/content/security/security-announcements.md b/content/security/security-announcements.md index 99e3f9663..5e4938f5c 100644 --- a/content/security/security-announcements.md +++ b/content/security/security-announcements.md @@ -6,6 +6,98 @@ toc_min: 1 toc_max: 2 --- +## Docker Security Advisory: Multiple Vulnerabilities in runc, BuildKit, and Moby + +_Last updated February 2, 2024_ + +We at Docker prioritize the security and integrity of our software and the trust of our users. Security researchers at Snyk Labs identified and reported four security vulnerabilities in the container ecosystem. One of the vulnerabilities, [CVE-2024-21626](https://scout.docker.com/v/CVE-2024-21626), concerns the runc container runtime, and the other three affect BuildKit ([CVE-2024-23651](https://scout.docker.com/v/CVE-2024-23651), [CVE-2024-23652](https://scout.docker.com/v/CVE-2024-23652), and [CVE-2024-23653](https://scout.docker.com/v/CVE-2024-23653)). We want to assure our community that our team, in collaboration with the reporters and open source maintainers, has been diligently working on coordinating and implementing necessary remediations. + +We are committed to maintaining the highest security standards. We have published patched versions of runc, BuildKit, and Moby on January 31 and released an update for Docker Desktop on February 1 to address these vulnerabilities. Additionally, our latest BuildKit and Moby releases included fixes for [CVE-2024-23650](https://scout.docker.com/v/CVE-2024-23650) and [CVE-2024-24557](https://scout.docker.com/v/CVE-2024-24557), discovered respectively by an independent researcher and through Docker’s internal research initiatives. + +| | Versions Impacted | +|:-----------------------|:--------------------------| +| `runc` | <= 1.1.11 | +| `BuildKit` | <= 0.12.4 | +| `Moby (Docker Engine)` | <= 25.0.1 and <= 24.0.8 | +| `Docker Desktop` | <= 4.27.0 | + +### What should I do if I’m on an affected version? + +If you are using affected versions of runc, BuildKit, Moby, or Docker Desktop, make sure to update to the latest versions, linked in the following table: + +| | Patched Versions | +|:-----------------------|:--------------------------| +| `runc` | >= [1.1.12](https://github.com/opencontainers/runc/releases/tag/v1.1.12) | +| `BuildKit` | >= [0.12.5](https://github.com/moby/buildkit/releases/tag/v0.12.5) | +| `Moby (Docker Engine)` | >= [25.0.2](https://github.com/moby/moby/releases/tag/v25.0.2) and >= [24.0.9](https://github.com/moby/moby/releases/tag/v24.0.9) | +| `Docker Desktop` | >= [4.27.1](../desktop/release-notes.md#4271) | + + +If you are unable to update to an unaffected version promptly, follow these best practices to mitigate risk: + +* Only use trusted Docker images (such as [Docker Official Images](../trusted-content/official-images.md)). +* Don’t build Docker images from untrusted sources or untrusted Dockerfiles. +* If you are a Docker Business customer using Docker Desktop and unable to update to v4.27.1, make sure to enable [Hardened Docker Desktop](../desktop/hardened-desktop/_index.md) features such as: + * [Enhanced Container Isolation](../desktop/hardened-desktop/enhanced-container-isolation/_index.md), which mitigates the impact of CVE-2024-21626 in the case of running containers from malicious images. + * [Image Access Management](./for-admins/image-access-management.md), and [Registry Access Management](./for-admins/registry-access-management.md), which give organizations control over which images and repositories their users can access. +* For CVE-2024-23650, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653, avoid using BuildKit frontend from an untrusted source. A frontend image is usually specified as the #syntax line on your Dockerfile, or with `--frontend` flag when using the `buildctl build` command. +* To mitigate CVE-2024-24557, make sure to either use BuildKit or disable caching when building images. From the CLI this can be done via the `DOCKER_BUILDKIT=1` environment variable (default for Moby >= v23.0 if the buildx plugin is installed) or the `--no-cache flag`. If you are using the HTTP API directly or through a client, the same can be done by setting `nocache` to `true` or `version` to `2` for the [/build API endpoint](https://docs.docker.com/engine/api/v1.44/#tag/Image/operation/ImageBuild). + +### Technical details and impact + +#### CVE-2024-21626 (High) +In runc v1.1.11 and earlier, due to certain leaked file descriptors, an attacker can gain access to the host filesystem by causing a newly-spawned container process (from `runc exec`) to have a working directory in the host filesystem namespace, or by tricking a user to run a malicious image and allow a container process to gain access to the host filesystem through `runc run`. The attacks can also be adapted to overwrite semi-arbitrary host binaries, allowing for complete container escapes. Note that when using higher-level runtimes (such as Docker or Kubernetes), this vulnerability can be exploited by running a malicious container image without additional configuration or by passing specific workdir options when starting a container. The vulnerability can also be exploited from within Dockerfiles in the case of Docker. + +_The issue has been fixed in runc v1.1.12._ + +#### CVE-2024-23651 (High) +In BuildKit <= v0.12.4, two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition, leading to files from the host system being accessible to the build container. This will only occur if a user is trying to build a Dockerfile of a malicious project. + +_The issue has been fixed in BuildKit v0.12.5._ + +#### CVE-2024-23652 (High) +In BuildKit <= v0.12.4, a malicious BuildKit frontend or Dockerfile using `RUN --mount` could trick the feature that removes empty files created for the mountpoints into removing a file outside the container from the host system. This will only occur if a user is using a malicious Dockerfile. + +_The issue has been fixed in BuildKit v0.12.5._ + +#### CVE-2024-23653 (High) +In addition to running containers as build steps, BuildKit also provides APIs for running interactive containers based on built images. In BuildKit <= v0.12.4, it is possible to use these APIs to ask BuildKit to run a container with elevated privileges. Normally, running such containers is only allowed if special `security.insecure` entitlement is enabled both by buildkitd configuration and allowed by the user initializing the build request. + +_The issue has been fixed in BuildKit v0.12.5._ + +#### CVE-2024-23650 (Medium) +In BuildKit <= v0.12.4, a malicious BuildKit client or frontend could craft a request that could lead to BuildKit daemon crashing with a panic. + +_The issue has been fixed in BuildKit v0.12.5._ + +#### CVE-2024-24557 (Medium) +In Moby <= v25.0.1 and <= v24.0.8, the classic builder cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some instructions (most important being `HEALTHCHECK` and `ONBUILD`) would not cause a cache miss. An attacker with knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered a valid cache candidate for some build steps. + +_The issue has been fixed in Moby >= v25.0.2 and >= v24.0.9._ + +### How are Docker products affected? + +#### Docker Desktop +Docker Desktop v4.27.0 and earlier are affected. Docker Desktop v4.27.1 was released on February 1 and includes runc, BuildKit, and dockerd binaries patches. In addition to updating to this new version, we encourage all Docker users to diligently use Docker images and Dockerfiles and ensure you only use trusted content in your builds. + +As always, you should check Docker Desktop system requirements for your operating system ([Windows](../desktop/install/windows-install.md#system-requirements), [Linux](../desktop/install/linux-install.md#general-system-requirements), [Mac](../desktop/install/mac-install.md#system-requirements)) before updating to ensure full compatibility. + +#### Docker Build Cloud +Any new Docker Build Cloud builder instances will be provisioned with the latest Docker Engine and BuildKit versions and will, therefore, be unaffected by these CVEs. Updates have also been rolled out to existing Docker Build Cloud builders. + +_No other Docker products are affected by these vulnerabilities._ + +### Advisory links +* Runc + * [CVE-2024-21626](https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv) +* BuildKit + * [CVE-2024-23650](https://github.com/moby/buildkit/security/advisories/GHSA-9p26-698r-w4hx) + * [CVE-2024-23651](https://github.com/moby/buildkit/security/advisories/GHSA-m3r6-h7wv-7xxv) + * [CVE-2024-23652](https://github.com/moby/buildkit/security/advisories/GHSA-4v98-7qmw-rqr8) + * [CVE-2024-23653](https://github.com/moby/buildkit/security/advisories/GHSA-wr6v-9f75-vh2g) +* Moby + * [CVE-2024-24557](https://github.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc) + ## Text4Shell CVE-2022-42889 _Last updated October 2022_ @@ -32,7 +124,7 @@ may contain the vulnerable versions of Apache Commons Text: - [Couchbase](https://hub.docker.com/_/couchbase) - [Geonetwork](https://hub.docker.com/_/geonetwork) - [neo4j](https://hub.docker.com/_/neo4j) -- sliverpeas](https://hub.docker.com/_/sliverpeas) +- [sliverpeas](https://hub.docker.com/_/sliverpeas) - [solr](https://hub.docker.com/_/solr) - [xwiki](https://hub.docker.com/_/xwiki) diff --git a/content/trusted-content/insights-analytics.md b/content/trusted-content/insights-analytics.md index 4e565e00b..3218830d8 100644 --- a/content/trusted-content/insights-analytics.md +++ b/content/trusted-content/insights-analytics.md @@ -160,19 +160,19 @@ The following table describes the rules applied for determining intent behind pulls. To provide feedback or ask questions about these rules, [fill out the Google Form](https://forms.gle/nb7beTUQz9wzXy1b6). -| Starting event | Reference | Followed by | Resulting action | Use case(s) | Notes | -| :------------- | :-------- | :-------------------------------------------------------------- | :--------------- | :------------------------------------------------------------------------------------------------------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Starting event | Reference | Followed by | Resulting action | Use case(s) | Notes | +| :------------- | :-------- | :-------------------------------------------------------------- | :--------------- | :------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | HEAD | tag | N/A | Version check | User already has all layers existing on local machine | This is similar to the use case of a pull by tag when the user already has all the image layers existing locally, however, it differentiates the user intent and classifies accordingly. | -| GET | tag | N/A | Pull by tag | User already has all layers existing on local machine and/or the image is single-arch | -| GET | tag | Get by different digest | Pull by tag | Image is multi-arch | Second GET by digest must be different from the first. | -| HEAD | tag | GET by same digest | Pull by tag | Image is multi-arch but some or all image layers already exist on the local machine | The HEAD by tag sends the most current digest, the following GET must be by that same digest. There may occur an additional GET, if the image is multi-arch (see the next row in this table). If the user doesn't want the most recent digest, then the user performs HEAD by digest. | +| GET | tag | N/A | Pull by tag | User already has all layers existing on local machine and/or the image is single-arch | | +| GET | tag | Get by different digest | Pull by tag | Image is multi-arch | Second GET by digest must be different from the first. | +| HEAD | tag | GET by same digest | Pull by tag | Image is multi-arch but some or all image layers already exist on the local machine | The HEAD by tag sends the most current digest, the following GET must be by that same digest. There may occur an additional GET, if the image is multi-arch (see the next row in this table). If the user doesn't want the most recent digest, then the user performs HEAD by digest. | | HEAD | tag | GET by the same digest, then a second GET by a different digest | Pull by tag | Image is multi-arch | The HEAD by tag sends the most recent digest, the following GET must be by that same digest. Since the image is multi-arch, there is a second GET by a different digest. If the user doesn't want the most recent digest, then the user performs HEAD by digest. | | HEAD | tag | GET by same digest, then a second GET by different digest | Pull by tag | Image is multi-arch | The HEAD by tag sends the most current digest, the following GET must be by that same digest. Since the image is multi-arch, there is a second GET by a different digest. If the user doesn't want the most recent digest, then the user performs HEAD by digest. | -| GET | digest | N/A | Pull by digest | User already has all layers existing on local machine and/or the image is single-arch | -| HEAD | digest | N/A | Pull by digest | User already has all layers existing on their local machine | -| GET | digest | GET by different digest | Pull by digest | Image is multi-arch | The second GET by digest must be different from the first. | -| HEAD | digest | GET by same digest | Pull by digest | Image is single-arch and/or image is multi-arch but some part of the image already exists on the local machine | -| HEAD | digest | GET by same digest, then a second GET by different digest | Pull by Digest | Image is multi-arch | +| GET | digest | N/A | Pull by digest | User already has all layers existing on local machine and/or the image is single-arch | | +| HEAD | digest | N/A | Pull by digest | User already has all layers existing on their local machine | | +| GET | digest | GET by different digest | Pull by digest | Image is multi-arch | The second GET by digest must be different from the first. | +| HEAD | digest | GET by same digest | Pull by digest | Image is single-arch and/or image is multi-arch but some part of the image already exists on the local machine | | +| HEAD | digest | GET by same digest, then a second GET by different digest | Pull by Digest | Image is multi-arch | | ## Changes in data over time diff --git a/layouts/shortcodes/admin-org-audit-log.html b/layouts/shortcodes/admin-org-audit-log.html index 004223fe4..726b0f467 100644 --- a/layouts/shortcodes/admin-org-audit-log.html +++ b/layouts/shortcodes/admin-org-audit-log.html @@ -2,7 +2,7 @@ {{ $audit_navigation := "Select **Organizations**, your organization, and then **Activity**." }} {{ if eq (.Get "product") "admin" }} {{ $product_link = "the [Admin Console](https://admin.docker.com)" }} - {{ $audit_navigation = "Select your organization in the left navigation drop-down menu, and then select **Activity Logs**." }} + {{ $audit_navigation = "Select your organization in the left navigation drop-down menu, and then select **Activity logs**." }} {{ end }} ## View the activity logs