diff --git a/content/includes/gordondhi.md b/content/includes/gordondhi.md deleted file mode 100644 index b807b94db35b..000000000000 --- a/content/includes/gordondhi.md +++ /dev/null @@ -1,24 +0,0 @@ -1. Ensure Gordon is [enabled](/manuals/ai/gordon.md#enable-ask-gordon). -1. In Gordon's Toolkit, ensure Gordon's [Developer MCP toolkit is enabled](/manuals/ai/gordon/mcp/built-in-tools.md#configuration). -1. In the terminal, navigate to the directory containing your Dockerfile. -1. Start a conversation with Gordon: - ```bash - docker ai - ``` -1. Type: - ```console - "Migrate my dockerfile to DHI" - ``` -1. Follow the conversation with Gordon. When it requests access to the filesystem and more, - type `yes` to enable it to update your Dockerfile. - -When the migration is complete, you see a success message: - -```text -The migration to Docker Hardened Images (DHI) is complete. The updated Dockerfile -successfully builds the image, and no vulnerabilities were detected in the final image. -The functionality and optimizations of the original Dockerfile have been preserved. -``` - -> [!IMPORTANT] -> As with any AI tool, you must verify Gordon's edits and test your image. diff --git a/content/manuals/ai/compose/model-runner.md b/content/manuals/ai/compose/model-runner.md index 29c4a87448e5..bf82c7fbfeba 100644 --- a/content/manuals/ai/compose/model-runner.md +++ b/content/manuals/ai/compose/model-runner.md @@ -40,7 +40,7 @@ services: models: smollm2: - image: ai/smollm2 + model: ai/smollm2 ``` ### How it works @@ -70,7 +70,7 @@ services: models: smollm2: - image: ai/smollm2 + model: ai/smollm2 ``` With this configuration, your `my-chat-app` service will receive: diff --git a/content/manuals/ai/compose/models-and-compose.md b/content/manuals/ai/compose/models-and-compose.md index 01c895cc7a49..f657715c1eaf 100644 --- a/content/manuals/ai/compose/models-and-compose.md +++ b/content/manuals/ai/compose/models-and-compose.md 
@@ -42,7 +42,7 @@ services: models: llm: - image: ai/smollm2 + model: ai/smollm2 ``` This example defines: @@ -56,7 +56,7 @@ Models support various configuration options: ```yaml models: llm: - image: ai/smollm2 + model: ai/smollm2 context_size: 1024 runtime_flags: - "--a-flag" @@ -87,9 +87,9 @@ services: models: llm: - image: ai/smollm2 + model: ai/smollm2 embedding-model: - image: ai/all-minilm + model: ai/all-minilm ``` With short syntax, the platform automatically generates environment variables based on the model name: @@ -116,9 +116,9 @@ services: models: llm: - image: ai/smollm2 + model: ai/smollm2 embedding-model: - image: ai/all-minilm + model: ai/all-minilm ``` With this configuration, your service receives: @@ -142,7 +142,7 @@ services: models: llm: - image: ai/smollm2 + model: ai/smollm2 ``` Docker Model Runner will: @@ -163,9 +163,9 @@ services: models: llm: - image: ai/smollm2 + model: ai/smollm2 # Cloud-specific configurations - labels: + x-cloud-options: - "cloud.instance-type=gpu-small" - "cloud.region=us-west-2" ``` diff --git a/content/manuals/ai/gordon/_index.md b/content/manuals/ai/gordon/_index.md index 403ff7a561dc..eaa6685b0d1e 100644 --- a/content/manuals/ai/gordon/_index.md +++ b/content/manuals/ai/gordon/_index.md @@ -20,13 +20,12 @@ of the Docker ecosystem. ## Key features -Ask Gordon provides AI-powered assistance in Docker tools. It can: +Ask Gordon provides AI-powered assistance within Docker tools. It can: - Improve Dockerfiles - Run and troubleshoot containers - Interact with your images and code - Find vulnerabilities or configuration issues -- Migrate a Dockerfile to use [Docker Hardened Images](/manuals/dhi/_index.md) It understands your local environment, including source code, Dockerfiles, and images, to provide personalized and actionable guidance. 
@@ -105,10 +104,9 @@ If you have concerns about data collection or usage, you can ## Using Ask Gordon -You can access Gordon: - -- In Docker Desktop, in the **Ask Gordon** view. -- Via the Docker CLI, with the `docker ai` CLI command. +The primary interfaces to Docker's AI capabilities are through the **Ask +Gordon** view in Docker Desktop, or if you prefer to use the CLI: the `docker +ai` CLI command. Once you've enabled the Docker AI features, you'll also find references to **Ask Gordon** in various other places throughout the Docker Desktop user interface. @@ -124,7 +122,6 @@ ways things you can try: - [Troubleshoot a crashed container](#troubleshoot-a-crashed-container) - [Get help with running a container](#get-help-with-running-a-container) - [Improve a Dockerfile](#improve-a-dockerfile) -- [Migrate a Dockerfile to DHI](#migrate-a-dockerfile-to-dhi) For more examples, try asking Gordon directly. For example: @@ -200,17 +197,6 @@ across several dimensions: - Portability - Resource efficiency -### Migrate a Dockerfile to DHI - -Migrating your Dockerfile to use [Docker Hardened Images](/manuals/dhi/_index.md) helps you build -more secure, minimal, and production-ready containers. DHIs are designed to -reduce vulnerabilities, enforce best practices, and simplify compliance, making -them a strong foundation for secure software supply chains. - -To request Gordon's help for the migration: - -{{% include "gordondhi.md" %}} - ## Disable Ask Gordon ### For individual users diff --git a/content/manuals/desktop/release-notes.md b/content/manuals/desktop/release-notes.md index de4d87aca52c..a4a81ffbd8cb 100644 --- a/content/manuals/desktop/release-notes.md +++ b/content/manuals/desktop/release-notes.md 
@@ -46,6 +46,10 @@ For more frequently asked questions, see the [FAQs](/manuals/desktop/troubleshoo - [Docker Engine v28.3.0](https://docs.docker.com/engine/release-notes/28/#2830) - [NVIDIA Container Toolkit v1.17.8](https://github.com/NVIDIA/nvidia-container-toolkit/releases/tag/v1.17.8) +### Security + +- Fixed [CVE-2025-6587](https://www.cve.org/CVERecord?id=CVE-2025-6587) where sensitive system environment variables were included in Docker Desktop diagnostic logs, allowing for potential secret exposure. + ### Bug fixes and enhancements #### For all platforms diff --git a/content/manuals/dhi/features/integration.md b/content/manuals/dhi/features/integration.md index b33a20ad8166..9ab6340ff2c2 100644 --- a/content/manuals/dhi/features/integration.md +++ b/content/manuals/dhi/features/integration.md @@ -78,4 +78,4 @@ and CI to scanning and deployment. They: - Include security metadata that plugs into your existing compliance systems This means you can adopt stronger security controls without disrupting your -engineering workflows. +engineering workflows. \ No newline at end of file diff --git a/content/manuals/dhi/how-to/migrate.md b/content/manuals/dhi/how-to/migrate.md index 22b1d825d35f..ba1710767f23 100644 --- a/content/manuals/dhi/how-to/migrate.md +++ b/content/manuals/dhi/how-to/migrate.md @@ -9,9 +9,7 @@ keywords: migrate dockerfile, hardened base image, multi-stage build, non-root c {{< summary-bar feature_name="Docker Hardened Images" >}} This guide helps you migrate your existing Dockerfiles to use Docker Hardened -Images (DHIs) [manually](#step-1-update-the-base-image-in-your-dockerfile), -or with [Gordon](#use-gordon). -DHIs are minimal and security-focused, which may require +Images (DHIs). DHIs are minimal and security-focused, which may require adjustments to your base images, build process, and runtime configuration. This guide focuses on migrating framework images, such as images for building 
@@ -242,10 +240,3 @@ ENTRYPOINT [ "python", "/app/image.py" ] {{< /tab >}} {{< /tabs >}} - -### Use Gordon - -Alternatively, you can request assistance to -[Gordon](/manuals/ai/gordon/_index.md), Docker's AI-powered assistant, to migrate your Dockerfile: - -{{% include "gordondhi.md" %}} diff --git a/content/manuals/security/security-announcements.md b/content/manuals/security/security-announcements.md index eed5615e4512..5735a62cbe22 100644 --- a/content/manuals/security/security-announcements.md +++ b/content/manuals/security/security-announcements.md 
@@ -7,30 +7,38 @@ toc_min: 1 toc_max: 2 --- +## Docker Desktop 4.43.0 Security Update: CVE-2025-6587 + +_Last updated July 03, 2025_ + +A vulnerability in Docker Desktop was fixed on July 03 in the [4.43.0](/manuals/desktop/release-notes.md#4430) release: + +- Fixed [CVE-2025-6587](https://www.cve.org/CVERecord?id=CVE-2025-6587) where sensitive system environment variables were included in Docker Desktop diagnostic logs, allowing for potential secret exposure. + ## Docker Desktop 4.41.0 Security Update: CVE-2025-3224, CVE-2025-4095, and CVE-2025-3911 _Last updated May 15, 2025_ -Three vulnerabilities in Docker Desktop were fixed on April 28 in the [4.41.0](https://docs.docker.com/desktop/release-notes/#4410) release. +Three vulnerabilities in Docker Desktop were fixed on April 28 in the [4.41.0](/manuals/desktop/release-notes.md#4410) release. - Fixed [CVE-2025-3224](https://www.cve.org/CVERecord?id=CVE-2025-3224) allowing an attacker with access to a user machine to perform an elevation of privilege when Docker Desktop updates. - Fixed [CVE-2025-4095](https://www.cve.org/CVERecord?id=CVE-2025-4095) where Registry Access Management (RAM) policies were not enforced when using a MacOS configuration profile, allowing users to pull images from unapproved registries. - Fixed [CVE-2025-3911](https://www.cve.org/CVERecord?id=CVE-2025-3911) allowing an attacker with read access to a user's machine to obtain sensitive information from Docker Desktop log files, including environment variables configured for running containers. -We strongly encourage you to update to Docker Desktop [4.41.0](https://docs.docker.com/desktop/release-notes/#4410). +We strongly encourage you to update to Docker Desktop [4.41.0](/manuals/desktop/release-notes.md#4410). 
## Docker Desktop 4.34.2 Security Update: CVE-2024-8695 and CVE-2024-8696 _Last updated September 13, 2024_ -Two remote code execution (RCE) vulnerabilities in Docker Desktop related to Docker Extensions were reported by [Cure53](https://cure53.de/) and were fixed on September 12 in the [4.34.2](https://docs.docker.com/desktop/release-notes/#4342) release. +Two remote code execution (RCE) vulnerabilities in Docker Desktop related to Docker Extensions were reported by [Cure53](https://cure53.de/) and were fixed on September 12 in the [4.34.2](/manuals/desktop/release-notes.md#4342) release. - [CVE-2024-8695](https://www.cve.org/cverecord?id=CVE-2024-8695): A remote code execution (RCE) vulnerability via crafted extension description/changelog could be abused by a malicious extension in Docker Desktop before 4.34.2. [Critical] - [CVE-2024-8696](https://www.cve.org/cverecord?id=CVE-2024-8696): A remote code execution (RCE) vulnerability via crafted extension publisher-url/additional-urls could be abused by a malicious extension in Docker Desktop before 4.34.2. [High] No existing extensions exploiting the vulnerabilities were found in the Extensions Marketplace. The Docker team will be closely monitoring and diligently reviewing any requests for publishing new extensions. -We strongly encourage you to update to Docker Desktop [4.34.2](https://docs.docker.com/desktop/release-notes/#4342). If you are unable to update promptly, you can [disable Docker Extensions](https://docs.docker.com/extensions/settings-feedback/#turn-on-or-turn-off-extensions) as a workaround. +We strongly encourage you to update to Docker Desktop [4.34.2](/manuals/desktop/release-notes.md#4342). If you are unable to update promptly, you can [disable Docker Extensions](/manuals/extensions/settings-feedback.md#turn-on-or-turn-off-extensions) as a workaround. ## Deprecation of password logins on CLI when SSO enforced 
@@ -87,7 +95,7 @@ If you are unable to update to an unaffected version promptly, follow these best * [Enhanced Container Isolation](/manuals/security/for-admins/hardened-desktop/enhanced-container-isolation/_index.md), which mitigates the impact of CVE-2024-21626 in the case of running containers from malicious images. * [Image Access Management](for-admins/hardened-desktop/image-access-management.md), and [Registry Access Management](/manuals/security/for-admins/hardened-desktop/registry-access-management.md), which give organizations control over which images and repositories their users can access. * For CVE-2024-23650, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653, avoid using BuildKit frontend from an untrusted source. A frontend image is usually specified as the #syntax line on your Dockerfile, or with `--frontend` flag when using the `buildctl build` command. -* To mitigate CVE-2024-24557, make sure to either use BuildKit or disable caching when building images. From the CLI this can be done via the `DOCKER_BUILDKIT=1` environment variable (default for Moby >= v23.0 if the buildx plugin is installed) or the `--no-cache flag`. If you are using the HTTP API directly or through a client, the same can be done by setting `nocache` to `true` or `version` to `2` for the [/build API endpoint](https://docs.docker.com/engine/api/v1.44/#tag/Image/operation/ImageBuild). +* To mitigate CVE-2024-24557, make sure to either use BuildKit or disable caching when building images. From the CLI this can be done via the `DOCKER_BUILDKIT=1` environment variable (default for Moby >= v23.0 if the buildx plugin is installed) or the `--no-cache flag`. If you are using the HTTP API directly or through a client, the same can be done by setting `nocache` to `true` or `version` to `2` for the [/build API endpoint](https://docs.docker.com/reference/api/engine/version/v1.44/#tag/Image/operation/ImageBuild). ### Technical details and impact
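Review bot: in content/manuals/ai/compose/models-and-compose.md, the hunk at -163,9 renames `labels:` to `x-cloud-options:` under `llm` but leaves the example otherwise unexplained. The values are still `"cloud.instance-type=gpu-small"` style strings under the comment "Cloud-specific configurations", with nothing saying what reads this key. Add a sentence beside the example stating that this is an `x-` extension key, which component or provider is expected to consume it, and that the option names shown are illustrative, so readers do not assume these settings take effect everywhere.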
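Review bot: in content/manuals/ai/gordon/_index.md, the hunk at -105,10 replaces a two-item list with a sentence that is harder to scan and repeats itself: "or if you prefer to use the CLI: the `docker ai` CLI command". Either keep the removed bullet list, or tighten the sentence to something like "You can access Gordon through the **Ask Gordon** view in Docker Desktop or with the `docker ai` CLI command." The context line in the next hunk header, "ways things you can try:", also carries a stray word that could be fixed in the same pass.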
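Review bot: in content/manuals/dhi/features/integration.md, the only change in the hunk at -78,4 is the loss of the trailing newline on "engineering workflows." (see the "\ No newline at end of file" marker). This looks unintentional; restore the final newline so the file drops out of the diff.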
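Review bot: in content/manuals/security/security-announcements.md, the new CVE-2025-6587 section in the hunk at -7,30 omits the two things the neighbouring sections give a reader who has to act: the affected versions and an explicit update recommendation. The 4.41.0 and 4.34.2 sections both end with "We strongly encourage you to update to Docker Desktop ...", and the 4.34.2 entries say "before 4.34.2". Add the equivalent sentence for 4.43.0 and state which versions wrote the environment variables to diagnostic logs, so users can judge whether diagnostics bundles they already generated or shared need to be treated as containing secrets. For consistency, end the intro line with a period as the 4.41.0 section does, or use a colon in both.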
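Review bot: in content/manuals/security/security-announcements.md, the rewritten CVE-2024-24557 bullet in the hunk at -87,7 still has the code span `--no-cache flag`, where the word "flag" sits inside the backticks; since the line is being touched anyway, change it to "the `--no-cache` flag". The new API link is also an absolute `https://docs.docker.com/reference/api/engine/version/v1.44/...` URL, while the previous hunk in this file converts absolute docs.docker.com links to relative `/manuals/...` paths. If the API reference has a source path in this repository, use the relative form here too; if not, a short note in the commit message on why this one stays absolute would help.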