From f759cfd0976a7ca926cc9a1e1b92fc141841d27c Mon Sep 17 00:00:00 2001 From: twelsh-aw <84401379+twelsh-aw@users.noreply.github.com> Date: Wed, 29 Jan 2025 21:18:29 -0500 Subject: [PATCH 1/6] Improve security documentation with warning around windows containers Some background dialog between security, desktop, moby teams and some security researchers. At the present time, this is an accepted risk in Docker Desktop installations for Windows and should be clarified in better detail. --- content/manuals/desktop/setup/install/windows-install.md | 2 +- .../setup/install/windows-permission-requirements.md | 6 +++++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/content/manuals/desktop/setup/install/windows-install.md b/content/manuals/desktop/setup/install/windows-install.md index 21f4e77111c8..17c63735fea2 100644 --- a/content/manuals/desktop/setup/install/windows-install.md +++ b/content/manuals/desktop/setup/install/windows-install.md @@ -210,7 +210,7 @@ By default, Docker Desktop is installed at `C:\Program Files\Docker\Docker`. The `install` command accepts the following flags: - `--quiet`: Suppresses information output when running the installer - `--accept-license`: Accepts the [Docker Subscription Service Agreement](https://www.docker.com/legal/docker-subscription-service-agreement) now, rather than requiring it to be accepted when the application is first run -- `--no-windows-containers`: Disables the Windows containers integration +- `--no-windows-containers`: Disables the Windows containers integration. For more information, please read this [important security consideration](/manuals/desktop/setup/install/windows-permission-requirements.md#windows-containers). - `--allowed-org=`: Requires the user to sign in and be part of the specified Docker Hub organization when running the application - `--backend=`: Selects the default backend to use for Docker Desktop, `hyper-v`, `windows` or `wsl-2` (default) - `--installation-dir=`: Changes the default installation location (`C:\Program Files\Docker\Docker`) diff --git a/content/manuals/desktop/setup/install/windows-permission-requirements.md b/content/manuals/desktop/setup/install/windows-permission-requirements.md index aded11b07d40..cb13dab4839e 100644 --- a/content/manuals/desktop/setup/install/windows-permission-requirements.md +++ b/content/manuals/desktop/setup/install/windows-permission-requirements.md @@ -67,7 +67,11 @@ isolated from the Docker daemon and other services running inside the VM. ## Windows Containers -Unlike the Linux Docker engine and containers which run in a VM, Windows containers are an operating system feature, and run directly on the Windows host with `Administrator` privileges. For organizations who don't want their developers to run Windows containers, a `–no-windows-containers` installer flag is available from version 4.11 to disable their use. +> [!WARNING] +> **Enabling Windows Containers has important security implications.** +{ .warning } + +Unlike the Linux Docker engine and containers which run in a VM, Windows containers are implemented using operating system features, and run directly on the Windows host. If you enable Windows Containers during installation, the `ContainerAdministrator` user used for administration inside the container is a local administrator on the host machine. Enabling Windows Containers during installation makes it so that members of the `docker-users` group are able to elevate to administrators on the host. For organizations who don't want their developers to run Windows containers, a `-–no-windows-containers` installer flag is available from version 4.11 to disable their use. ## Networking From 23ca06d24c1d8e950915e4fc6aecba4f0aaa9b34 Mon Sep 17 00:00:00 2001 From: twelsh-aw <84401379+twelsh-aw@users.noreply.github.com> Date: Thu, 30 Jan 2025 07:26:38 -0500 Subject: [PATCH 2/6] Update warning disclaimer style Co-authored-by: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> --- .../desktop/setup/install/windows-permission-requirements.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/content/manuals/desktop/setup/install/windows-permission-requirements.md b/content/manuals/desktop/setup/install/windows-permission-requirements.md index cb13dab4839e..71b6d06e8086 100644 --- a/content/manuals/desktop/setup/install/windows-permission-requirements.md +++ b/content/manuals/desktop/setup/install/windows-permission-requirements.md @@ -68,7 +68,8 @@ isolated from the Docker daemon and other services running inside the VM. ## Windows Containers > [!WARNING] -> **Enabling Windows Containers has important security implications.** +> +> Enabling Windows containers has important security implications. { .warning } Unlike the Linux Docker engine and containers which run in a VM, Windows containers are implemented using operating system features, and run directly on the Windows host. If you enable Windows Containers during installation, the `ContainerAdministrator` user used for administration inside the container is a local administrator on the host machine. Enabling Windows Containers during installation makes it so that members of the `docker-users` group are able to elevate to administrators on the host. For organizations who don't want their developers to run Windows containers, a `-–no-windows-containers` installer flag is available from version 4.11 to disable their use. From 201f0b3b53efffcd9bc97686db81735ac18ecf09 Mon Sep 17 00:00:00 2001 From: twelsh-aw <84401379+twelsh-aw@users.noreply.github.com> Date: Thu, 30 Jan 2025 07:27:24 -0500 Subject: [PATCH 3/6] Update description Co-authored-by: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> --- .../desktop/setup/install/windows-permission-requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/manuals/desktop/setup/install/windows-permission-requirements.md b/content/manuals/desktop/setup/install/windows-permission-requirements.md index 71b6d06e8086..13eb9504665c 100644 --- a/content/manuals/desktop/setup/install/windows-permission-requirements.md +++ b/content/manuals/desktop/setup/install/windows-permission-requirements.md @@ -72,7 +72,7 @@ isolated from the Docker daemon and other services running inside the VM. > Enabling Windows containers has important security implications. { .warning } -Unlike the Linux Docker engine and containers which run in a VM, Windows containers are implemented using operating system features, and run directly on the Windows host. If you enable Windows Containers during installation, the `ContainerAdministrator` user used for administration inside the container is a local administrator on the host machine. Enabling Windows Containers during installation makes it so that members of the `docker-users` group are able to elevate to administrators on the host. For organizations who don't want their developers to run Windows containers, a `-–no-windows-containers` installer flag is available from version 4.11 to disable their use. +Unlike the Linux Docker Engine and containers which run in a VM, Windows containers are implemented using operating system features, and run directly on the Windows host. If you enable Windows containers during installation, the `ContainerAdministrator` user used for administration inside the container is a local administrator on the host machine. Enabling Windows containers during installation makes it so that members of the `docker-users` group are able to elevate to administrators on the host. For organizations who don't want their developers to run Windows containers, a `-–no-windows-containers` installer flag is available to disable their use. ## Networking From ccced6e16c3025999de0bd43fe379a9a1d501cda Mon Sep 17 00:00:00 2001 From: twelsh-aw <84401379+twelsh-aw@users.noreply.github.com> Date: Thu, 30 Jan 2025 07:28:46 -0500 Subject: [PATCH 4/6] Update option documentation Co-authored-by: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> --- content/manuals/desktop/setup/install/windows-install.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/manuals/desktop/setup/install/windows-install.md b/content/manuals/desktop/setup/install/windows-install.md index 17c63735fea2..b55a97bf5f9f 100644 --- a/content/manuals/desktop/setup/install/windows-install.md +++ b/content/manuals/desktop/setup/install/windows-install.md @@ -210,7 +210,7 @@ By default, Docker Desktop is installed at `C:\Program Files\Docker\Docker`. The `install` command accepts the following flags: - `--quiet`: Suppresses information output when running the installer - `--accept-license`: Accepts the [Docker Subscription Service Agreement](https://www.docker.com/legal/docker-subscription-service-agreement) now, rather than requiring it to be accepted when the application is first run -- `--no-windows-containers`: Disables the Windows containers integration. For more information, please read this [important security consideration](/manuals/desktop/setup/install/windows-permission-requirements.md#windows-containers). +- `--no-windows-containers`: Disables the Windows containers integration. This can have security implication. For more information, see [Windows containers](/manuals/desktop/setup/install/windows-permission-requirements.md#windows-containers). - `--allowed-org=`: Requires the user to sign in and be part of the specified Docker Hub organization when running the application - `--backend=`: Selects the default backend to use for Docker Desktop, `hyper-v`, `windows` or `wsl-2` (default) - `--installation-dir=`: Changes the default installation location (`C:\Program Files\Docker\Docker`) From 1d0c81d8e0535c7cf5ddd973b94baed7dbc4aaba Mon Sep 17 00:00:00 2001 From: twelsh-aw <84401379+twelsh-aw@users.noreply.github.com> Date: Thu, 30 Jan 2025 07:29:08 -0500 Subject: [PATCH 5/6] Replace warning with note Co-authored-by: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> --- .../desktop/setup/install/windows-permission-requirements.md | 1 - 1 file changed, 1 deletion(-) diff --git a/content/manuals/desktop/setup/install/windows-permission-requirements.md b/content/manuals/desktop/setup/install/windows-permission-requirements.md index 13eb9504665c..32917e4210ac 100644 --- a/content/manuals/desktop/setup/install/windows-permission-requirements.md +++ b/content/manuals/desktop/setup/install/windows-permission-requirements.md @@ -70,7 +70,6 @@ isolated from the Docker daemon and other services running inside the VM. > [!WARNING] > > Enabling Windows containers has important security implications. -{ .warning } Unlike the Linux Docker Engine and containers which run in a VM, Windows containers are implemented using operating system features, and run directly on the Windows host. If you enable Windows containers during installation, the `ContainerAdministrator` user used for administration inside the container is a local administrator on the host machine. Enabling Windows containers during installation makes it so that members of the `docker-users` group are able to elevate to administrators on the host. For organizations who don't want their developers to run Windows containers, a `-–no-windows-containers` installer flag is available to disable their use. From 854fbd0a06b7a6dc09dcfead1c7cd102e0c753e2 Mon Sep 17 00:00:00 2001 From: twelsh-aw <84401379+twelsh-aw@users.noreply.github.com> Date: Thu, 30 Jan 2025 08:46:46 -0500 Subject: [PATCH 6/6] Clarify option text --- content/manuals/desktop/setup/install/windows-install.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/manuals/desktop/setup/install/windows-install.md b/content/manuals/desktop/setup/install/windows-install.md index b55a97bf5f9f..2e416eecbfc0 100644 --- a/content/manuals/desktop/setup/install/windows-install.md +++ b/content/manuals/desktop/setup/install/windows-install.md @@ -210,7 +210,7 @@ By default, Docker Desktop is installed at `C:\Program Files\Docker\Docker`. The `install` command accepts the following flags: - `--quiet`: Suppresses information output when running the installer - `--accept-license`: Accepts the [Docker Subscription Service Agreement](https://www.docker.com/legal/docker-subscription-service-agreement) now, rather than requiring it to be accepted when the application is first run -- `--no-windows-containers`: Disables the Windows containers integration. This can have security implication. For more information, see [Windows containers](/manuals/desktop/setup/install/windows-permission-requirements.md#windows-containers). +- `--no-windows-containers`: Disables the Windows containers integration. This can improve security. For more information, see [Windows containers](/manuals/desktop/setup/install/windows-permission-requirements.md#windows-containers). - `--allowed-org=`: Requires the user to sign in and be part of the specified Docker Hub organization when running the application - `--backend=`: Selects the default backend to use for Docker Desktop, `hyper-v`, `windows` or `wsl-2` (default) - `--installation-dir=`: Changes the default installation location (`C:\Program Files\Docker\Docker`)