From 7b9471d4b2dd3a34bf39a2766ec393eb2c4be40b Mon Sep 17 00:00:00 2001 From: Albert Tanure Date: Wed, 23 Apr 2025 23:28:06 +0200 Subject: [PATCH 1/5] Add: Add quickstart.md improvements (#22272) ## Description I did some improvements to the quickstart.md file, adding images and improving some descriptions to be able to help learners to find the references mentioned in the file. ## Related issues or tickets No related issues or ticket. ## Reviews - [ ] Technical review - [ ] Editorial review - [ ] Product review --------- Co-authored-by: Craig Osterhout <103533812+craig-osterhout@users.noreply.github.com> --- content/manuals/scout/quickstart.md | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/content/manuals/scout/quickstart.md b/content/manuals/scout/quickstart.md index 86d58151ea4b..7a1da8ae022c 100644 --- a/content/manuals/scout/quickstart.md +++ b/content/manuals/scout/quickstart.md @@ -84,10 +84,9 @@ Learn more about the `docker scout cves` command in the ## Step 4: Fix application vulnerabilities -The fix suggested by Docker Scout is to update -the underlying vulnerable express version to 4.17.3 or later. +After the Docker Scout analysis, a high vulnerability CVE-2022-24999 was found, caused by an outdated version of the **express** package. -1. Update the `package.json` file with the new package version. +The version 4.17.3 of the express package fixes the vulnerability. Therefore, update the `package.json` file to the new version: ```diff "dependencies": { 
@@ -95,15 +94,14 @@ the underlying vulnerable express version to 4.17.3 or later. + "express": "4.17.3" } ``` - -2. Rebuild the image with a new tag and push it to your Docker Hub repository: + +Rebuild the image with a new tag and push it to your Docker Hub repository: ```console $ docker build --push -t /scout-demo:v2 . ``` -Now, viewing the latest tag of the image in Docker Desktop, the Docker Scout -Dashboard, or CLI, you can see that you have fixed the vulnerability. +Run the `docker scout` command again and verify that HIGH CVE-2022-24999 is no longer present: ```console $ docker scout cves --only-package express @@ -154,7 +152,7 @@ $ docker scout config organization Now you can run the `quickview` command to get an overview of the compliance status for the image you just built. -The image is evaluated against the default policy configurations. +The image is evaluated against the default policy configurations. You'll see output similar to the following: ```console $ docker scout quickview @@ -209,7 +207,7 @@ The classic image store doesn't support manifest lists, which is how the provenance attestations are attached to an image. Open **Settings** in Docker Desktop. Under the **General** section, make sure -that the **Use containerd for pulling and storing images** option is checked. +that the **Use containerd for pulling and storing images** option is checked, then select **Apply & Restart**. Note that changing image stores temporarily hides images and containers of the inactive image store until you switch back. 
@@ -230,7 +228,9 @@ results through a different lens: the Docker Scout Dashboard. 3. Select **Images** in the left-hand navigation. The images page lists your Scout-enabled repositories. -Select the image in the list to open the **Image details** sidebar. + +Select the row for the image you want to view, anywhere in the row except on a link, to open the **Image details** sidebar. + The sidebar shows a compliance overview for the last pushed tag of a repository. > [!NOTE] @@ -239,13 +239,15 @@ The sidebar shows a compliance overview for the last pushed tag of a repository. > It might take a few minutes before the results appear if this is your > first time using the Docker Scout Dashboard. -Inspect the **Up-to-Date Base Images** policy. +Go back to the image list and select the image version, available in the **Most recent image** column. +Then, at the top right of the page, select the **Update base image** button to inspect the policy. + This policy checks whether base images you use are up-to-date. It currently has a non-compliant status, because the example image uses an old version `alpine` as a base image. -Select the **View fix** button next to the policy name for details about the violation, -and recommendations on how to address it. +Close the **Recommended fixes for base image** modal. In the policy listing, select **View fixes** button, next to the policy name for details about the violation, and recommendations on how to address it. + In this case, the recommended action is to enable [Docker Scout's GitHub integration](./integrations/source-code-management/github.md), which helps keep your base images up-to-date automatically. From d0e601bc89ef444cda0e02597e73c03261d9bbaa Mon Sep 17 00:00:00 2001 
From: Monica Chao Date: Thu, 24 Apr 2025 05:24:38 -0500 Subject: [PATCH 2/5] Merge pull request #22474 from chaomonica/SEG-1124 docs: Added section explaining how RAM configurations restricting Docker Hub interact with mirror registries --- .../manuals/docker-hub/image-library/mirror.md | 15 +++++++++++++++ .../registry-access-management.md | 1 + 2 files changed, 16 insertions(+) diff --git a/content/manuals/docker-hub/image-library/mirror.md b/content/manuals/docker-hub/image-library/mirror.md index 427ee68f5f7d..9ab5fdf7b4e6 100644 --- a/content/manuals/docker-hub/image-library/mirror.md +++ b/content/manuals/docker-hub/image-library/mirror.md @@ -45,6 +45,21 @@ Hub can be mirrored. The Registry can be configured as a pull through cache. In this mode a Registry responds to all normal docker pull requests but stores all content locally. +### Using Registry Access Management (RAM) with a registry mirror + +If Docker Hub access is restricted via your Registry Access Management (RAM) configuration, you will not be able to pull images originating from Docker Hub even if the images are available in your registry mirror. + +You will encounter the following error: +```console +Error response from daemon: Access to docker.io has been restricted by your administrators. +``` + +If you are unable to allow access to Docker Hub, you can manually pull from your registry mirror and optionally, retag the image. For example: +```console +docker pull [:]/library/busybox +docker tag [:]/library/busybox:latest busybox:latest +``` + ## How does it work? The first time you request an image from your local registry mirror, it pulls diff --git a/content/manuals/security/for-admins/hardened-desktop/registry-access-management.md b/content/manuals/security/for-admins/hardened-desktop/registry-access-management.md index cf3892b1a54f..75f194954906 100644 --- a/content/manuals/security/for-admins/hardened-desktop/registry-access-management.md 
+++ b/content/manuals/security/for-admins/hardened-desktop/registry-access-management.md @@ -89,6 +89,7 @@ earlier Linux kernel series). This will be resolved in the updated 5.15 series Linux kernel. - Images pulled by Docker Desktop when Docker Debug or Kubernetes is enabled, are not restricted by default even if Docker Hub is blocked by RAM. +- If Docker Hub access is restricted by RAM, pulls on images originating from Docker Hub are restricted even if the image has been previously cached by a registry mirror. See [Using Registry Access Management (RAM) with a registry mirror](/manuals/docker-hub/image-library/mirror.md). Also, Registry Access Management operates on the level of hosts, not IP addresses. Developers can bypass this restriction within their domain From 9683207107284d1e29ad7ced3752e2ee53d6b3c4 Mon Sep 17 00:00:00 2001 From: Andrey Sobolev Date: Thu, 24 Apr 2025 14:55:25 +0300 Subject: [PATCH 3/5] Fix a few typos in the "Environment variables precedence in Compose" manual (#22485) ## Description This pull request fixes a few minor typos in the "Environment variables precedence in Docker Compose" manual. --- .../how-tos/environment-variables/envvars-precedence.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/content/manuals/compose/how-tos/environment-variables/envvars-precedence.md b/content/manuals/compose/how-tos/environment-variables/envvars-precedence.md index 7ac4474984f4..f5e14549472d 100644 --- a/content/manuals/compose/how-tos/environment-variables/envvars-precedence.md +++ b/content/manuals/compose/how-tos/environment-variables/envvars-precedence.md 
@@ -83,7 +83,7 @@ Result 1: The local environment takes precedence, but the Compose file is not se Result 2: The `env_file` attribute in the Compose file defines an explicit value for `VALUE` so the container environment is set accordingly. -Result 3: The `environment` attribute in the Compose file defines an explicit value for `VALUE`, so the container environment is set accordingly/ +Result 3: The `environment` attribute in the Compose file defines an explicit value for `VALUE`, so the container environment is set accordingly. Result 4: The image's `ENV` directive declares the variable `VALUE`, and since the Compose file is not set to override this value, this variable is defined by image 
@@ -91,15 +91,15 @@ Result 5: The `docker compose run` command has the `--env` flag set which an exp Result 6: The `docker compose run` command has the `--env` flag set to replicate the value from the environment. Host OS value takes precedence and is replicated into the container's environment. -Result 7: The `docker compose run` command has the `--env` flag set to replicate the value from the environment. Value from `.env` file is the selected to define the container's environment. +Result 7: The `docker compose run` command has the `--env` flag set to replicate the value from the environment. Value from `.env` file is selected to define the container's environment. Result 8: The `env_file` attribute in the Compose file is set to replicate `VALUE` from the local environment. Host OS value takes precedence and is replicated into the container's environment. -Result 9: The `env_file` attribute in the Compose file is set to replicate `VALUE` from the local environment. Value from `.env` file is the selected to define the container's environment. +Result 9: The `env_file` attribute in the Compose file is set to replicate `VALUE` from the local environment. Value from `.env` file is selected to define the container's environment. Result 10: The `environment` attribute in the Compose file is set to replicate `VALUE` from the local environment. Host OS value takes precedence and is replicated into the container's environment. -Result 11: The `environment` attribute in the Compose file is set to replicate `VALUE` from the local environment. Value from `.env` file is the selected to define the container's environment. +Result 11: The `environment` attribute in the Compose file is set to replicate `VALUE` from the local environment. Value from `.env` file is selected to define the container's environment. Result 12: The `--env` flag has higher precedence than the `environment` and `env_file` attributes and is to set to replicate `VALUE` from the local environment. 
Host OS value takes precedence and is replicated into the container's environment. From 675c90866e0012a98b03014f27d3a705be59d7ff Mon Sep 17 00:00:00 2001 From: Andrey Sobolev Date: Thu, 24 Apr 2025 14:55:59 +0300 Subject: [PATCH 4/5] Fix a few typos in the "Base images" manual (#22486) ## Description The pull request fixes a few minor typos in the "Base images" manual. --- content/manuals/build/building/base-images.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/manuals/build/building/base-images.md b/content/manuals/build/building/base-images.md index 17770a834eb7..2e11b0ba540b 100644 --- a/content/manuals/build/building/base-images.md +++ b/content/manuals/build/building/base-images.md @@ -22,7 +22,7 @@ For most cases, you don't need to create your own base image. Docker Hub contains a vast library of Docker images that are suitable for use as a base image in your build. [Docker Official Images](../../docker-hub/image-library/trusted-content.md#docker-official-images) -have clear documentation, promote best practices, and are regularly updated +have clear documentation, promote best practices, and are regularly updated. There are also [Docker Verified Publisher](../../docker-hub/image-library/trusted-content.md#verified-publisher-images) images, created by trusted publishing partners, verified by Docker. @@ -77,7 +77,7 @@ To run your new image, use the `docker run` command: $ docker run --rm hello ``` -This example image can only successfully execute as long as the `hello` binary +This example image can only be successfully executed as long as the `hello` binary doesn't have any runtime dependencies. Computer programs tend to depend on certain other programs or resources to exist in the runtime environment. For example: From 633830abc8fffd3f049015494ade591a2cfc3786 Mon Sep 17 00:00:00 2001 
From: karman <110832017+karman-docker@users.noreply.github.com> Date: Thu, 24 Apr 2025 11:57:01 +0000 Subject: [PATCH 5/5] update configuration profile section (#22479) ## Description context: https://docker.slack.com/archives/C027X59V596/p1745407376922009 ## Related issues or tickets ## Reviews - [ ] Technical review - [x] Editorial review - [ ] Product review --------- Co-authored-by: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> --- content/manuals/security/for-admins/enforce-sign-in/methods.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/manuals/security/for-admins/enforce-sign-in/methods.md b/content/manuals/security/for-admins/enforce-sign-in/methods.md index 4269aec0fa35..2f590b64c442 100644 --- a/content/manuals/security/for-admins/enforce-sign-in/methods.md +++ b/content/manuals/security/for-admins/enforce-sign-in/methods.md @@ -121,6 +121,8 @@ tampered with by the users. 4. Use a MDM solution to distribute your modified `.mobileconfig` file to your macOS clients. +5. Verify that the profile is added to **Device (Managed)** profiles list (**System Settings** > **General** > **Device Management**) on your macOS clients. + ## plist method (Mac only) > [!NOTE]
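Review bot: In the first quickstart.md hunk of PATCH 1/5 (@@ -84,10 +84,9 @@), the replacement drops the "or later" qualifier: the removed line said "4.17.3 or later", while the added line reads "The version 4.17.3 of the express package fixes the vulnerability", which a reader can take as a pin to exactly that version. Suggest "Version 4.17.3 or later of the express package fixes the vulnerability", and "a high-severity vulnerability, CVE-2022-24999," in place of "a high vulnerability CVE-2022-24999".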
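Review bot: In the second quickstart.md hunk of PATCH 1/5 (@@ -95,15 +94,14 @@), the added sentence tells the reader to run "the `docker scout` command again" while the block beneath it runs `docker scout cves --only-package express`; name the subcommand, e.g. "Run `docker scout cves` again and verify that CVE-2022-24999 is no longer listed". The removed text also pointed to Docker Desktop and the Docker Scout Dashboard as places to confirm the fix; if those still apply, keep a short mention rather than narrowing the step to the CLI.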
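Review bot: In the last quickstart.md hunk of PATCH 1/5 (@@ -239,13 +239,15 @@), the new steps open the **Update base image** modal, explain the policy, and then say "Close the **Recommended fixes for base image** modal" before selecting **View fixes**; opening a modal only to close it reads as an ordering accident. Either move the policy explanation ahead of the modal step or drop the modal and go straight to the policy listing. Also add the article in "select **View fixes** button" ("select the **View fixes** button") and confirm the label change from **View fix** to **View fixes** against the current UI.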
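Review bot: In the mirror.md hunk of PATCH 2/5 (@@ -45,6 +45,21 @@), the registry address in the example block is an empty placeholder (`docker pull [:]/library/busybox`), so the reader cannot tell what precedes the path; use an explicit placeholder such as `<mirror-host>:<port>/library/busybox` in both commands. The section should also state the precondition that the mirror host itself must be permitted by RAM, since the text only says Docker Hub is blocked, and the two commands lack the `$ ` prompt that the `console` blocks elsewhere in this series (quickstart.md) use. Minor: "optionally, retag the image" → "optionally retag the image".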
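Review bot: In the registry-access-management.md hunk of PATCH 2/5 (@@ -89,6 +89,7 @@), "pulls on images originating from Docker Hub" should read "pulls of images originating from Docker Hub", and "even if the image has been previously cached by a registry mirror" reads more cleanly as "even if a registry mirror has previously cached the image". The cross-link to the new mirror.md section is the right place to send readers.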
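Review bot: In the envvars-precedence.md hunk of PATCH 3/5 (@@ -91,15 +91,15 @@), the fix corrects "is the selected" to "is selected" in Results 7, 9 and 11, but the unchanged context line for Result 12 still carries its own typo, "is to set to replicate `VALUE`"; since this PR exists to fix typos, include that line ("is set to replicate `VALUE`"). Consider also adding the articles: "The value from the `.env` file is selected".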
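Review bot: In the second base-images.md hunk of PATCH 4/5 (@@ -77,7 +77,7 @@), replacing "can only successfully execute" with "can only be successfully executed" swaps an active construction for a passive one without fixing a typo; if readability is the goal, "This example image only runs successfully as long as the `hello` binary doesn't have any runtime dependencies" is simpler. The added period in the first hunk is fine.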
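Review bot: In the methods.md hunk of PATCH 5/5 (@@ -121,6 +121,8 @@), the new step 5 is missing an article and a preposition: "Verify that the profile appears in the **Device (Managed)** profiles list". Since the hunk touches this list anyway, also fix the adjacent context line in step 4, "Use a MDM solution" → "Use an MDM solution".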