forked from docker/docs
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
ECI doc improvements ... (docker#19976)
* Improve subtitle in ECI limitations page. Signed-off-by: Cesar Talledo <[email protected]> * Move ECI faqs from security/faqs -> ECI section. Signed-off-by: Cesar Talledo <[email protected]> * Improve security FAQ and mention ECI. Signed-off-by: Cesar Talledo <[email protected]> * Fix a couple of links in ECI FAQ. Signed-off-by: Cesar Talledo <[email protected]> * Fix ECI FAQ in TOC. * Add a dedicated container FAQ to teh security FAQs section. Signed-off-by: Cesar Talledo <[email protected]> * Apply suggestions from code review --------- Signed-off-by: Cesar Talledo <[email protected]> Co-authored-by: Allie Sadler <[email protected]>
- Loading branch information
1 parent
2e8c70b
commit 449cd2f
Showing
8 changed files
with
88 additions
and
44 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
| --- | ||
| description: Find the answers to container security related FAQs | ||
| keywords: Docker, Docker Hub, Docker Desktop secuirty FAQs, platform, Docker Scout, admin, security | ||
| title: Container security FAQs | ||
| tags: [FAQ] | ||
| aliases: | ||
| - /faq/security/containers/ | ||
| --- | ||
|
|
||
| ### How are containers isolated from the host in Docker Desktop? | ||
|
|
||
| Docker Desktop runs all containers inside a customized / minimal Linux virtual | ||
| machine (except for native Windows containers). This adds a strong layer of | ||
| isolation between containers and the host the machine, even if containers are | ||
| running rootful. | ||
|
|
||
| However note the following: | ||
|
|
||
| * Containers have access to host files configured for file sharing via Settings | ||
| -> Resources -> File Sharing (see the next FAQ question below for more info). | ||
|
|
||
| * By default, containers run as root but with limited capabilities inside the | ||
| Docker Desktop VM. Containers running with elevated privileges (e.g., | ||
| `--privileged`, `--pid=host`, `--cap-add`, etc.) run as root with elevated | ||
| privileges inside the Docker Desktop VM which gives them access to Docker | ||
| Desktop VM internals, including the Docker Engine. Thus, users must be careful | ||
| which containers they run with such privileges to avoid security breaches by | ||
| malicious container images. | ||
|
|
||
| * If [Enhanced Container Isolation (ECI)](../../desktop/hardened-desktop/enhanced-container-isolation/_index.md) | ||
| mode is enabled, then each container runs within a dedicated Linux User | ||
| Namespace inside the Docker Desktop VM, which means the container has no | ||
| privileges within the Docker Desktop VM. Even when using the `--privileged` | ||
| flag or similar, the container processes will only be privileged within the | ||
| container's logical boundary, but unprivileged otherwise. In addition, ECI protects | ||
| uses other advanced techniques to ensure they can't easily breach | ||
| the Docker Desktop VM and Docker Engine within (see the ECI section for more | ||
| info). No changes to the containers or user workflows are required as the | ||
| extra protection is added under the covers. | ||
|
|
||
| ### To which portions of the host filesystem do containers have read and write access? | ||
|
|
||
| Containers can only access host files if these are shared via Settings -> Resources -> File Sharing, | ||
| and only when such files are bind-mounted into the container (e.g., `docker run -v /path/to/host/file:/mnt ...`). | ||
|
|
||
| ### Can containers running as root gain access to admin-owned files or directories on the host? | ||
|
|
||
| No; host file sharing (bind mount from the host filesystem) uses a user-space crafted | ||
| file server (running in `com.docker.backend` as the user running Docker | ||
| Desktop), so containers can’t gain any access that the user on the host doesn’t | ||
| already have. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,6 +1,6 @@ | ||
| --- | ||
| description: Find the answers to common security related FAQs | ||
| keywords: Docker, Docker Hub, Docker Desktop secuirty FAQs, secuirty, platform, Docker Scout, admin, security | ||
| keywords: Docker, Docker Hub, Docker Desktop security FAQs, platform, Docker Scout, admin, security | ||
| title: General security FAQs | ||
| tags: [FAQ] | ||
| aliases: | ||
|
|
@@ -11,19 +11,19 @@ aliases: | |
|
|
||
| If you’ve discovered a security vulnerability in Docker, we encourage you to report it responsibly. Report security issues to [email protected] so that they can be quickly addressed by our team. | ||
|
|
||
| ### How are passwords managed when SSO isn't used? | ||
| ### How are passwords managed when SSO isn't used? | ||
|
|
||
| Passwords are encrypted and salt-hashed. If you use application-level passwords instead of SSO, you are responsible for ensuring that your employees know how to pick strong passwords, don't share passwords, and don't reuse passwords across multiple systems. | ||
| Passwords are encrypted and salt-hashed. If you use application-level passwords instead of SSO, you are responsible for ensuring that your employees know how to pick strong passwords, don't share passwords, and don't reuse passwords across multiple systems. | ||
|
|
||
| ### Does Docker require password resets when SSO isn't used? | ||
| ### Does Docker require password resets when SSO isn't used? | ||
|
|
||
| Passwords aren't required to be periodically reset. NIST no longer recommends password resets as part of best practice. | ||
|
|
||
| ### Does Docker lockout users after failed sign-ins? | ||
| ### Does Docker lockout users after failed sign-ins? | ||
|
|
||
| Docker Hub’s global setting for system lockout is after 10 failed sign in attempts in a period of 5 minutes, and the lockout duration is 5 minutes. The same global policy applies to authenticated Docker Desktop users and Docker Scout, both of which use Docker Hub for authentication. | ||
|
|
||
| ### Do you support physical MFA with YubiKeys? | ||
| ### Do you support physical MFA with YubiKeys? | ||
|
|
||
| You can configure this through SSO using your IdP. Check with your IdP if they support physical MFA. | ||
|
|
||
|
|
@@ -35,33 +35,33 @@ In Docker Hub, you need to re-authenticate after 24 hours. If users are authenti | |
|
|
||
| Custom settings per organization for sessions aren't supported. | ||
|
|
||
| ### How does Docker attribute downloads to us and what data is used to classify or verify the user is part of our organization? | ||
| ### How does Docker attribute downloads to us and what data is used to classify or verify the user is part of our organization? | ||
|
|
||
| Docker Desktop downloads are linked to a specific organization by the user's email containing the customer's domain. Additionally, we use IP addresses to correlate users with organizations. | ||
|
|
||
| ### How do you attribute that number of downloads to us from IP data if most of our engineers work from home and aren’t allowed to use VPNs? | ||
| ### How do you attribute that number of downloads to us from IP data if most of our engineers work from home and aren’t allowed to use VPNs? | ||
|
|
||
| We attribute users and their IP addresses to domains using 3rd party data enrichment software, where our provider analyzes activity from public and private data sources related to that specific IP address, then uses that activity to identify the domain and map it to the IP address. | ||
|
|
||
| Some users authenticate by signing in to Docker Desktop and joining their domain's Docker organization, which allows us to map them with a much higher degree of accuracy and report on direct feature usage for you. We highly encourage you to get your users authenticated so we can provide you with the most accurate data. | ||
|
|
||
| ### How does Docker distinguish between employee users and contractor users? | ||
| ### How does Docker distinguish between employee users and contractor users? | ||
|
|
||
| Organizations set up in Docker use verified domains and any team member with an email domain other than what's verified is noted as a "Guest" in that organization. | ||
|
|
||
| ### How long are Docker Hub logs available? | ||
| ### How long are Docker Hub logs available? | ||
|
|
||
| Docker provides various types of audit logs and log retention varies. For example, Docker Hub Activity logs are available for 90 days. You are responsible for exporting logs or setting up drivers to their own internal systems. | ||
| Docker provides various types of audit logs and log retention varies. For example, Docker Hub Activity logs are available for 90 days. You are responsible for exporting logs or setting up drivers to their own internal systems. | ||
|
|
||
| ### Can I export a list of all users with their assigned roles and privileges and if so, in what format? | ||
|
|
||
| Using the [Export Members](../../admin/organization/members.md#export-members) feature, you can export to CSV a list of your organization's users with role and team information. | ||
| Using the [Export Members](../../admin/organization/members.md#export-members) feature, you can export to CSV a list of your organization's users with role and team information. | ||
|
|
||
| ### How does Docker Desktop handle and store authentication information? | ||
|
|
||
| Docker Desktop utilizes the host operating system's secure key management for handling and storing authentication tokens necessary for authenticating with image registries. On macOS, this is [Keychain](https://support.apple.com/guide/security/keychain-data-protection-secb0694df1a/web); on Windows, this is [Security and Identity API via Wincred](https://learn.microsoft.com/en-us/windows/win32/api/wincred/); and on Linux, this is [Pass](https://www.passwordstore.org/). | ||
| Docker Desktop utilizes the host operating system's secure key management for handling and storing authentication tokens necessary for authenticating with image registries. On macOS, this is [Keychain](https://support.apple.com/guide/security/keychain-data-protection-secb0694df1a/web); on Windows, this is [Security and Identity API via Wincred](https://learn.microsoft.com/en-us/windows/win32/api/wincred/); and on Linux, this is [Pass](https://www.passwordstore.org/). | ||
|
|
||
| ### How does Docker Hub secure passwords in storage and in transit? | ||
| ### How does Docker Hub secure passwords in storage and in transit? | ||
|
|
||
| This is applicable only when using Docker Hub's application-level password versus SSO/SAML. When using SSO, Docker Hub doesn't store passwords. Application-level passwords are hashed in storage (SHA-256) and encrypted in transit (TLS). | ||
|
|
||
|
|
@@ -73,17 +73,12 @@ If SCIM isn't enabled, you have to manually remove PAT users from the organizati | |
|
|
||
| For information about the metadata stored by Docker Scout, see [Data handling](../../scout/data-handling.md). | ||
|
|
||
| ### To which portions of the host filesystem do containers have read and write access? Can containers running as root gain access to admin-owned files or directories on the host? | ||
| ### How are extensions within the Marketplace vetted for security prior to placement? | ||
|
|
||
| File sharing (bind mount from the host filesystem) uses a user-space crafted file server (running in `com.docker.backend` as the user running Docker Desktop), so containers can’t gain any access that the user on the host doesn’t already have. | ||
|
|
||
| ### How are extensions within the Marketplace vetted for security prior to placement? | ||
|
|
||
| Security vetting for extensions is on our roadmap however this vetting isn't currently done. | ||
| Security vetting for extensions is on our roadmap however this vetting isn't currently done. | ||
|
|
||
| Extensions are not covered as part of Docker’s Third-Party Risk Management Program. | ||
|
|
||
| ### Can I disable private repos in my organization via a setting to make sure nobody is pushing images into Docker Hub? | ||
|
|
||
| No. With [Registry Access Management](../../security/for-admins/registry-access-management.md) (RAM), administrators can ensure that their developers using Docker Desktop only access allowed registries. This is done through the Registry Access Management dashboard on Docker Hub. | ||
| ### Can I disable private repos in my organization via a setting to make sure nobody is pushing images into Docker Hub? | ||
|
|
||
| No. With [Registry Access Management](../../security/for-admins/registry-access-management.md) (RAM), administrators can ensure that their developers using Docker Desktop only access allowed registries. This is done through the Registry Access Management dashboard on Docker Hub. | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,36 +1,36 @@ | ||
| --- | ||
| description: Find the answers to FAQs related to networking and virtualization | ||
| keywords: Docker, Docker Hub, Docker Desktop secuirty FAQs, secuirty, platform, networks, vms | ||
| keywords: Docker, Docker Hub, Docker Desktop security FAQs, security, platform, networks, vms | ||
| title: Network and VM FAQs | ||
| tags: [FAQ] | ||
| aliases: | ||
| - /faq/security/networking-and-vms/ | ||
| --- | ||
|
|
||
| ### How can I limit the type of internet access allowed by the container when it runs, to prevent it from being able to exfiltrate data or download malicious code? | ||
| ### How can I limit the type of internet access allowed by the container when it runs, to prevent it from being able to exfiltrate data or download malicious code? | ||
|
|
||
| There is no built-in mechanism for that but it can be addressed by process-level firewall on the host. Hook into the `com.docker.vpnkit` user-space process and apply rules where it can connect to (DNS URL white list; packet/payload filter) and which ports/protocols it is allowed to use. | ||
|
|
||
| ### Can I prevent users binding ports on 0.0.0.0? | ||
| ### Can I prevent users binding ports on 0.0.0.0? | ||
|
|
||
| There is no direct way to enforce that through Docker Desktop but it would inherit any firewall rules enforced on the host. | ||
|
|
||
| ### What options exist to lock containerized network settings to a system? If not supported, are there any consequences to manipulating the settings? | ||
| ### What options exist to lock containerized network settings to a system? If not supported, are there any consequences to manipulating the settings? | ||
|
|
||
| The Docker network settings are entirely local within the VM and have no effect on the system. | ||
|
|
||
| ### Can I apply rules on container network traffic via a local firewall or VPN client? | ||
|
|
||
| For network connectivity, Docker Desktop uses a user-space process (`com.docker.vpnkit`), which inherits constraints like firewall rules, VPN, HTTP proxy properties etc, from the user that launched it. | ||
|
|
||
| ### Does running Docker Desktop for Windows with Hyper-V backend allow users to create arbitrary VMs? | ||
| ### Does running Docker Desktop for Windows with Hyper-V backend allow users to create arbitrary VMs? | ||
|
|
||
| No. The `DockerDesktopVM` name is hard coded in the service code, so you cannot use Docker Desktop to create or manipulate any other VM. | ||
|
|
||
| ### Can I prevent our users creating other VMs when using Docker Desktop on Mac? | ||
| ### Can I prevent our users creating other VMs when using Docker Desktop on Mac? | ||
|
|
||
| On Mac it is an unprivileged operation to start a VM, so that is not enforced by Docker Desktop. | ||
|
|
||
| ### How does Docker Desktop achieve network level isolation when Hyper-V and/or WSL2 is used? | ||
| ### How does Docker Desktop achieve network level isolation when Hyper-V and/or WSL2 is used? | ||
|
|
||
| The VM processes are the same for both WSL 2 (running inside the `docker-desktop` distro) and Hyper-V (running inside the `DockerDesktopVM`). Host/VM communication uses `AF_VSOCK` hypervisor sockets (shared memory). It does not use Hyper-V network switches or network interfaces. All host networking is performed using normal TCP/IP sockets from the `com.docker.vpnkit.exe` and `com.docker.backend.exe` processes. For more information see [How Docker Desktop networking works under the hood](https://www.docker.com/blog/how-docker-desktop-networking-works-under-the-hood/). | ||
| The VM processes are the same for both WSL 2 (running inside the `docker-desktop` distro) and Hyper-V (running inside the `DockerDesktopVM`). Host/VM communication uses `AF_VSOCK` hypervisor sockets (shared memory). It does not use Hyper-V network switches or network interfaces. All host networking is performed using normal TCP/IP sockets from the `com.docker.vpnkit.exe` and `com.docker.backend.exe` processes. For more information see [How Docker Desktop networking works under the hood](https://www.docker.com/blog/how-docker-desktop-networking-works-under-the-hood/). |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters