diff --git a/content/desktop/hardened-desktop/enhanced-container-isolation/limitations.md b/content/desktop/hardened-desktop/enhanced-container-isolation/limitations.md index 8c7220b21e40..8e10af43a437 100644 --- a/content/desktop/hardened-desktop/enhanced-container-isolation/limitations.md +++ b/content/desktop/hardened-desktop/enhanced-container-isolation/limitations.md @@ -56,6 +56,24 @@ and it's an excellent way for users to run their favorite Linux distro on Windows hosts and access Docker from within (see Docker Desktop's WSL distro integration feature, enabled via the Dashboard's **Settings** > **Resources** > **WSL Integration**). +### Docker Builds with the "Docker" driver are not protected by ECI + +Prior to Docker Desktop 4.30, `docker build` commands that use the buildx +`docker` driver (the default) are not protected by ECI (i.e., the build runs +rootful inside the Docker Desktop VM). + +Starting with Docker Desktop 4.30, `docker build` commands that use the buildx +`docker` driver are protected by ECI (i.e., the build runs rootless inside +the Docker Desktop VM), except when Docker Desktop is configured to use WSL 2 +(on Windows hosts). We expect to improve on this in future versions of Docker +Desktop. + +Note that `docker build` commands that use the `docker-container` driver are +always protected by ECI (i.e., the build runs inside a rootless Docker +container). This is true since Docker Desktop 4.19 (when ECI was introduced) and +on all platforms where Docker Desktop is supported (Windows with WSL or Hyper-V, +Mac, and Linux). + ### Docker Build and Buildx have some restrictions With ECI enabled, Docker build `--network=host` and Docker Buildx entitlements diff --git a/content/security/faqs/eci-faq.md b/content/security/faqs/eci-faq.md index d08221948fb2..461ad75584e8 100644 --- a/content/security/faqs/eci-faq.md +++ b/content/security/faqs/eci-faq.md 
@@ -67,11 +67,19 @@ See [ECI Docker socket mount permissions](../../desktop/hardened-desktop/enhance ### Does ECI protect all containers launched with Docker Desktop? Not yet. It protects all containers launched by users via `docker create` and -`docker run`. In addition, it protects containers implicitly used by `docker build`, when -using the [docker-container build driver](../../build/drivers/_index.md). +`docker run`. -It does not yet protect containers implicitly used by `docker build` with the -`docker` build driver, nor Docker Desktop Kubernetes pods, Extension containers, +Prior to Docker Desktop 4.30, it did not protect containers implicitly used by +`docker build` with the `docker` build driver (the default driver). Starting +with Docker Desktop 4.30, it protects such containers, except for Docker Desktop +on WSL 2 (Windows hosts). + +Note that ECI always protects containers used by `docker build`, when using the +[docker-container build driver](../../build/drivers/_index.md), since Docker +Desktop 4.19 and on all supported platforms (Windows with WSL 2 or Hyper-V, Mac, +and Linux). + +ECI does not yet protect Docker Desktop Kubernetes pods, Extension containers, and [Dev Environments containers](../../desktop/dev-environments/_index.md). ### Does ECI protect containers launched prior to enabling ECI? diff --git a/data/toc.yaml b/data/toc.yaml index 5506541bd6a0..0cfcea20dd7c 100644 --- a/data/toc.yaml +++ b/data/toc.yaml @@ -1122,7 +1122,7 @@ Manuals: section: - path: /desktop/ title: Overview - - sectiontitle: Install + - sectiontitle: Install section: - path: /desktop/install/mac-install/ title: Mac @@ -1184,6 +1184,8 @@ Manuals: title: Key features and benefits - path: /desktop/hardened-desktop/enhanced-container-isolation/config/ title: Advanced configuration options + - path: /desktop/hardened-desktop/enhanced-container-isolation/limitations/ + title: Limitations - sectiontitle: Dev Environments (Beta) section: - path: /desktop/dev-environments/
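Review bot: the new heading in the limitations.md hunk, "Docker Builds with the "Docker" driver are not protected by ECI", contradicts the paragraph under it, which says that from Docker Desktop 4.30 such builds are protected except on WSL 2; retitle it to describe the current state, for example `### Docker builds with the "docker" driver are not protected by ECI on WSL 2` or `... are only partially protected by ECI`, and make the pre-4.30 sentence past tense ("were not protected") to match "did not protect" in the FAQ hunk. The WSL 2 exception should also spell out its consequence, that in that configuration the build still runs rootful inside the Docker Desktop VM, since that is the risk a reader of a limitations page is looking for; and "We expect to improve on this in future versions of Docker Desktop" commits to nothing checkable, so either drop it or point at a tracking item.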
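Review bot: the platform lists in the two pages disagree: the eci-faq.md hunk says "Windows with WSL 2 or Hyper-V, Mac, and Linux" while the limitations.md hunk says "Windows with WSL or Hyper-V, Mac, and Linux"; use "WSL 2" in both, since that is the term the exception itself uses. The FAQ answer also says builds with the `docker` driver were "not protected" without saying what that means in practice, whereas limitations.md states it (the build runs rootful inside the Docker Desktop VM); add that one clause here or link to the limitations page, which this PR is adding to the TOC, so the FAQ reader can reach the detail.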
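Review bot: the first toc.yaml hunk replaces `- sectiontitle: Install` with a line that reads identically, so it is a whitespace-only change (trailing whitespace or indentation) unrelated to the ECI documentation; either drop it from this PR or call it out in the commit message so reviewers do not hunt for a content change that is not there.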
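Review bot: the second toc.yaml hunk adds `/desktop/hardened-desktop/enhanced-container-isolation/limitations/` after "Advanced configuration options", which matches the path style (trailing slash) and ordering of the neighbouring ECI entries; since limitations.md already existed (the first hunk modifies it rather than creating it), note in the PR description that this entry fixes a page that was previously unreachable from the navigation, as that is a distinct change from the content edits.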