From 1b989d7e57339d8ec72c09e5baeee89eae15aa65 Mon Sep 17 00:00:00 2001 From: Stephanie Aurelio <133041642+stephaurelio@users.noreply.github.com> Date: Mon, 20 Nov 2023 09:09:52 -0800 Subject: [PATCH] Tier 1 freshness updates for security and faqs part one (#18718) * freshness updates * fix typo * Implement feedback Co-authored-by: David Karlsson <35727626+dvdksn@users.noreply.github.com> --------- Co-authored-by: David Karlsson <35727626+dvdksn@users.noreply.github.com> --- content/billing/faqs.md | 10 +++--- content/compose/faq.md | 32 +++++++++---------- content/security/_index.md | 2 +- .../security/for-admins/configure-sign-in.md | 14 ++++---- content/security/for-admins/domain-audit.md | 6 ++-- content/security/for-admins/group-mapping.md | 6 ++-- .../for-admins/image-access-management.md | 2 +- .../for-admins/registry-access-management.md | 4 +-- .../for-admins/roles-and-permissions.md | 2 +- content/security/for-admins/scim.md | 8 ++--- .../for-admins/single-sign-on/_index.md | 10 +++--- 11 files changed, 47 insertions(+), 49 deletions(-) diff --git a/content/billing/faqs.md b/content/billing/faqs.md index 7d38c14d12a..99d6cd3a85c 100644 --- a/content/billing/faqs.md +++ b/content/billing/faqs.md @@ -1,12 +1,12 @@ --- title: Billing FAQs -description: Common FAQs related to billing -keywords: billing, renewal, payments +description: Frequently asked questions related to billing +keywords: billing, renewal, payments, faq --- ### Where can I view my billing date? -Navigate to the **Plan** tab in your billing settings. The billing date is located near the bottom-right. +Navigate to the **Plan** tab in your billing settings to view your current plan. You can find the billing date near the bottom-right of your plan details. ### What credit and debit cards are supported? 
@@ -28,7 +28,7 @@ If your subscription payment fails, there is a grace period of 15 days, includin Docker also sends an email notification `Action Required - Credit Card Payment Failed` with an attached unpaid invoice after each failed payment attempt. -Once the grace period is over and the invoice is still not paid, the subscription is downgraded to a free plan and all paid features are disabled. +Once the grace period is over and the invoice is still not paid, the subscription downgrades to a free plan and all paid features are disabled. ### What billing-related emails will I receive from Docker Hub? @@ -59,7 +59,7 @@ A coupon can be used when you: You are asked to enter your coupon code when you confirm or enter your payment method. -If you use a coupon to pay for a subscription, when the coupon expires, your payment method is charged the full cost of your subscription. If you do not have a saved payment method, your account is downgraded to a free subscription. +If you use a coupon to pay for a subscription, when the coupon expires, your payment method is charged the full cost of your subscription. If you don't have a saved payment method, your account downgrades to a free subscription. ### How do I include my VAT number on my invoice? diff --git a/content/compose/faq.md b/content/compose/faq.md index f82f5324747..85afb907af4 100644 --- a/content/compose/faq.md +++ b/content/compose/faq.md 
@@ -12,12 +12,12 @@ Docker Compose is under active development. If you need help, would like to contribute, or simply want to talk about the project with like-minded individuals, we have a number of open channels for communication. -* To report bugs or file feature requests, use the [issue tracker on Github](https://github.com/docker/compose/issues). +- To report bugs or file feature requests, use the [issue tracker on Github](https://github.com/docker/compose/issues). -* To talk about the project with people in real time, join the +- To talk about the project with people in real time, join the `#docker-compose` channel on the [Docker Community Slack](https://dockr.ly/slack). -* To contribute code submit a [pull request on Github](https://github.com/docker/compose/pulls). +- To contribute code submit a [pull request on Github](https://github.com/docker/compose/pulls). ### Where can I find example Compose files? @@ -55,7 +55,7 @@ containers. The `docker compose stop` command attempts to stop a container by sending a `SIGTERM`. It then waits for a [default timeout of 10 seconds](../engine/reference/commandline/compose_stop.md). After the timeout, -a `SIGKILL` is sent to the container to forcefully kill it. If you +a `SIGKILL` is sent to the container to forcefully kill it. If you are waiting for this timeout, it means that your containers aren't shutting down when they receive the `SIGTERM` signal. @@ -65,7 +65,7 @@ in containers. To fix this problem, try the following: -* Make sure you're using the exec form of `CMD` and `ENTRYPOINT` +- Make sure you're using the exec form of `CMD` and `ENTRYPOINT` in your Dockerfile. For example use `["program", "arg1", "arg2"]` not `"program arg1 arg2"`. 
@@ -73,19 +73,19 @@ in your Dockerfile. doesn't handle signals properly. Compose always uses the JSON form, so don't worry if you override the command or entrypoint in your Compose file. -* If you are able, modify the application that you're running to +- If you are able, modify the application that you're running to add an explicit signal handler for `SIGTERM`. -* Set the `stop_signal` to a signal which the application knows how to handle: +- Set the `stop_signal` to a signal which the application knows how to handle: -```yaml -services: - web: - build: . - stop_signal: SIGINT -``` + ```yaml + services: + web: + build: . + stop_signal: SIGINT + ``` -* If you can't modify the application, wrap the application in a lightweight init +- If you can't modify the application, wrap the application in a lightweight init system (like [s6](https://skarnet.org/software/s6/)) or a signal proxy (like [dumb-init](https://github.com/Yelp/dumb-init) or [tini](https://github.com/krallin/tini)). Either of these wrappers takes care of @@ -98,7 +98,7 @@ Yes, see [Controlling startup order](startup-order.md). ### How do I run multiple copies of a Compose file on the same host? Compose uses the project name to create unique identifiers for all of a -project's containers and other resources. To run multiple copies of a project, +project's containers and other resources. To run multiple copies of a project, set a custom project name using the [`-p` command line option](reference/index.md) or the [`COMPOSE_PROJECT_NAME` environment variable](environment-variables/envvars.md#compose_project_name). 
@@ -119,7 +119,7 @@ You can add your code to the image using `COPY` or `ADD` directive in a Docker image, for example when you're sending code to another environment (production, CI, etc). -You should use a `volume` if you want to make changes to your code and see them +Use a `volume` if you want to make changes to your code and see them reflected immediately, for example when you're developing code and your server supports hot code reloading or live-reload. diff --git a/content/security/_index.md b/content/security/_index.md index fd7b99ee74f..a04bc3424ce 100644 --- a/content/security/_index.md +++ b/content/security/_index.md @@ -81,7 +81,7 @@ grid_resources: Docker provides security guardrails for both administrators and developers. -If you are an administrator, you can enforce sign in across Docker products for your developers, and +If you're an administrator, you can enforce sign in across Docker products for your developers, and scale, manage, and secure your instances of Docker Desktop with DevOps security controls like Enhanced Container Isolation and Registry Access Management. For both administrators and developers, Docker provides security-specific products such as Docker Scout, for securing your software supply chain with proactive image vulnerability monitoring and remediation strategies. diff --git a/content/security/for-admins/configure-sign-in.md b/content/security/for-admins/configure-sign-in.md index 2e7ce0db33e..0ba3af3cccf 100644 --- a/content/security/for-admins/configure-sign-in.md +++ b/content/security/for-admins/configure-sign-in.md 
@@ -98,7 +98,7 @@ To create a `registry.json` file when installing Docker Desktop, use the followi To automatically create a `registry.json` file when installing Docker Desktop, download `Docker Desktop Installer.exe` and run one of the following commands from the directory containing `Docker Desktop Installer.exe`. Replace `myorg` -with your organization's name and you must use lowercase letters for your +with your organization's name. You must use lowercase letters for your organization's name. If you're using PowerShell: @@ -118,8 +118,7 @@ C:\Users\Admin> "Docker Desktop Installer.exe" install --allowed-org=myorg To automatically create a `registry.json` file when installing Docker Desktop, download `Docker.dmg` and run the following commands in a terminal from the -directory containing `Docker.dmg`. Replace `myorg` with your organization's name -and you must use lowercase letters for your organization's name. +directory containing `Docker.dmg`. Replace `myorg` with your organization's name. You must use lowercase letters for your organization's name. ```console $ sudo hdiutil attach Docker.dmg @@ -148,8 +147,7 @@ PS> Set-Content /ProgramData/DockerDesktop/registry.json '{"allowedOrgs":["myor This creates the `registry.json` file at `C:\ProgramData\DockerDesktop\registry.json` and includes the organization -information the user belongs to. Make sure this file can't be edited by the -user, only by the administrator: +information the user belongs to. Make sure that the user can't edit this file, but only the administrator can: ```console PS C:\ProgramData\DockerDesktop> Get-Acl .\registry.json 
@@ -178,8 +176,8 @@ $ echo '{"allowedOrgs":["myorg"]}' | sudo tee "/Library/Application Support/com. This creates (or updates, if the file already exists) the `registry.json` file at `/Library/Application Support/com.docker.docker/registry.json` and includes -the organization information the user belongs to. Make sure the file has the -expected content and can't be edited by the user, only by the administrator. +the organization information the user belongs to. Make sure that the file has the +expected content, and that the user can't edit this file, but only the administrator can. Verify that the content of the file contains the correct information: @@ -212,7 +210,7 @@ $ echo '{"allowedOrgs":["myorg"]}' | sudo tee /usr/share/docker-desktop/registry This creates (or updates, if the file already exists) the `registry.json` file at `/usr/share/docker-desktop/registry/registry.json` and includes the organization information to which the user belongs. Make sure the file has the -expected content and can't be edited by the user, only by root. +expected content and that the user can't edit this file, only the root can. Verify that the content of the file contains the correct information: diff --git a/content/security/for-admins/domain-audit.md b/content/security/for-admins/domain-audit.md index 19dd58b7a6d..b1191871640 100644 --- a/content/security/for-admins/domain-audit.md +++ b/content/security/for-admins/domain-audit.md @@ -1,6 +1,6 @@ --- -description: Audit your domains for uncaptured users. -keywords: domain audit, security +description: Learn how to audit your domains for uncaptured users. +keywords: domain audit, security, identify users, manage users title: Domain audit aliases: - /docker-hub/domain-audit/ 
@@ -21,7 +21,7 @@ Although domain audit can't identify all Docker users in your environment, you c ## Prerequisites -Before you audit your domains, the following prerequisites are required: +Before you audit your domains, review the following required prerequisites: - Your organization must be part of a Docker Business subscription. To upgrade your existing account to a Docker Business subscription, see [Upgrade your subscription](../../subscription/upgrade.md). - You must add and verify your domains. diff --git a/content/security/for-admins/group-mapping.md b/content/security/for-admins/group-mapping.md index 691f9b817b9..c70a1c81450 100644 --- a/content/security/for-admins/group-mapping.md +++ b/content/security/for-admins/group-mapping.md @@ -17,7 +17,7 @@ With directory group-to-team provisioning from your IdP, user updates will autom ## How group mapping works -IdPs share with Docker the main attributes of every authorized user through SSO, such as email address, name, surname, and groups. These attributes are used by Just-In-Time (JIT) Provisioning to create or update the user’s Docker profile and their associations with organizations and teams on Docker Hub. +IdPs share with Docker the main attributes of every authorized user through SSO, such as email address, name, surname, and groups. Just-In-Time (JIT) Provisioning uses these attributes to create or update the user’s Docker profile and their associations with organizations and teams on Docker Hub. Docker uses the email address of the user to identify them on the platform. Every Docker account must have a unique email address at all times. 
@@ -33,7 +33,7 @@ After every successful SSO sign-in authentication, the JIT provisioner performs a) If the IdP provided group mappings for the user, the user gets added to the organizations and teams indicated by the group mappings. - b) If the IdP didn't provide group mappings, it checks if the user is already a member of the organization, or if the SSO connection is for multiple organizations (only at company level) and if the user is a member of any of those organizations. If the user is not a member, it adds the user to the default team and organization configured in the SSO connection. + b) If the IdP didn't provide group mappings, it checks if the user is already a member of the organization, or if the SSO connection is for multiple organizations (only at company level) and if the user is a member of any of those organizations. If the user isn't a member, it adds the user to the default team and organization configured in the SSO connection. ![JIT provisioning](../images/group-mapping.png) @@ -47,7 +47,7 @@ You can use this format to add a user to multiple organizations. For example, if >**Tip** > ->Use the same names for the Docker teams as your group names in the IdP to prevent further configuration. When you sync groups, a group is created if it doesn’t already exist. +>Use the same names for the Docker teams as your group names in the IdP to prevent further configuration. When you sync groups, this creates a group if it doesn’t already exist. { .tip} The following lists the supported group mapping attributes: diff --git a/content/security/for-admins/image-access-management.md b/content/security/for-admins/image-access-management.md index 35f72695344..6728a243849 100644 --- a/content/security/for-admins/image-access-management.md +++ b/content/security/for-admins/image-access-management.md 
@@ -1,6 +1,6 @@ --- description: Image Access Management -keywords: image, access, management +keywords: image, access, management, trusted content, permissions, Docker Business feature title: Image Access Management aliases: - /docker-hub/image-access-management/ diff --git a/content/security/for-admins/registry-access-management.md b/content/security/for-admins/registry-access-management.md index 82f065c81e4..0432b0899b7 100644 --- a/content/security/for-admins/registry-access-management.md +++ b/content/security/for-admins/registry-access-management.md @@ -1,6 +1,6 @@ --- description: Registry Access Management -keywords: registry, access, management +keywords: registry, access, management, permissions, Docker Business feature title: Registry Access Management aliases: - /desktop/hardened-desktop/registry-access-management/ @@ -12,7 +12,7 @@ aliases: > > Registry Access Management is available to [Docker Business](../../subscription/details.md) customers only. -With Registry Access Management (RAM), administrators can ensure that their developers using Docker Desktop only access registries that are allowed. This is done through the Registry Access Management dashboard on Docker Hub. +With Registry Access Management (RAM), administrators can ensure that their developers using Docker Desktop only access allowed registries. This is done through the Registry Access Management dashboard on Docker Hub. Registry Access Management supports both cloud and on-prem registries. Example registries administrators can allow include: - Docker Hub. This is enabled by default. diff --git a/content/security/for-admins/roles-and-permissions.md b/content/security/for-admins/roles-and-permissions.md index 22ceb5776ed..f5e83e5be00 100644 --- a/content/security/for-admins/roles-and-permissions.md +++ b/content/security/for-admins/roles-and-permissions.md 
@@ -74,7 +74,7 @@ The following outlines organization management permissions for member, editor, o | Image Access Management | ❌ | ❌ | ✅ | ✅ | | Registry Access Management | ❌ | ❌ | ✅ | ✅ | | Set up Single Sign-On (SSO) and SCIM | ❌ | ❌ | ✅ \* | ✅ | -| Require Desktop login | ❌ | ❌ | ✅ \* | ✅ | +| Require Desktop sign-in | ❌ | ❌ | ✅ \* | ✅ | | Manage billing information (e.g. billing address) | ❌ | ❌ | ✅ | ✅ | | Manage payment methods (e.g. credit card or invoice) | ❌ | ❌ | ✅ | ✅ | | View billing history | ❌ | ❌ | ✅ | ✅ | diff --git a/content/security/for-admins/scim.md b/content/security/for-admins/scim.md index 21d3e9db6ae..c23ec363d79 100644 --- a/content/security/for-admins/scim.md +++ b/content/security/for-admins/scim.md @@ -13,9 +13,9 @@ This section is for administrators who want to enable System for Cross-domain Id SCIM provides automated user provisioning and de-provisioning for your Docker organization or company through your identity provider (IdP). Once you enable SCIM in Docker and your IdP, any user assigned to the Docker application in the IdP is automatically provisioned in Docker and added to the organization or company. -Similarly, if a user gets unassigned from the Docker application in the IdP, the user is removed from the organization or company in Docker. SCIM also synchronizes changes made to a user's attributes in the IdP, for instance the user’s first name and last name. +Similarly, if a user gets unassigned from the Docker application in the IdP, this removes the user from the organization or company in Docker. SCIM also synchronizes changes made to a user's attributes in the IdP, for example the user’s first name and last name. -The following provisioning features are supported: +The following lists the supported provisioning features: - Creating new users - Push user profile updates - Remove users 
@@ -27,7 +27,7 @@ The following table lists the supported attributes. Note that your attribute map | Attribute | Description |:---------------------------------------------------------------|:-------------------------------------------------------------------------------------------| -| userName | User's primary email address. This is used as the unique identifier of the user. | +| userName | User's primary email address. This is the unique identifier of the user. | | name.givenName | User’s first name | | name.familyName | User’s surname | | active | Indicates if a user is enabled or disabled. Can be set to false to de-provision the user. | @@ -36,7 +36,7 @@ For additional details about supported attributes and SCIM, see [Docker Hub API ## Set up SCIM -You must make sure you have [configured SSO](single-sign-on/configure/_index.md) before you enable SCIM. Enforcing SSO is not required. +You must make sure you have [configured SSO](single-sign-on/configure/_index.md) before you enable SCIM. Enforcing SSO isn't required. {{< tabs >}} {{< tab name="Docker Hub" >}} diff --git a/content/security/for-admins/single-sign-on/_index.md b/content/security/for-admins/single-sign-on/_index.md index 345e6e55e1b..46fad8dd4c8 100644 --- a/content/security/for-admins/single-sign-on/_index.md +++ b/content/security/for-admins/single-sign-on/_index.md 
@@ -12,7 +12,7 @@ SSO allows users to authenticate using their identity providers (IdPs) to access ## How it works -When SSO is enabled, users are redirected to your IdP's authentication page to sign in. They cannot authenticate using their Docker login credentials (Docker ID and password). Docker currently supports Service Provider Initiated SSO flow. Your users must sign in to Docker Hub or Docker Desktop to initiate the SSO authentication process. +When you enable SSO, this redirects to your IdP's authentication page to sign in. They can't authenticate using their Docker login credentials (Docker ID and password). Docker supports Service Provider Initiated SSO flow. Your users must sign in to Docker Hub or Docker Desktop to initiate the SSO authentication process. The following diagram shows how SSO operates and is managed in Docker Hub and Docker Desktop. In addition, it provides information on how to authenticate between your IdP. 
@@ -22,21 +22,21 @@ The following diagram shows how SSO operates and is managed in Docker Hub and Do Before enabling SSO in Docker, administrators must first configure their IdP to work with Docker. Docker provides the Assertion Consumer Service (ACS) URL and the Entity ID. Administrators use this information to establish a connection between their IdP server and Docker Hub. -After establishing the connection between the IdP server and Docker, administrators sign in to Docker Hub or Docker Admin and complete the SSO enablement process. +After establishing the connection between the IdP server and Docker, administrators sign in to Docker Hub or Docker Admin and complete SSO enablement. When you enable SSO for your company, a first-time user can sign in to Docker Hub using their company's domain email address. They're then added to your company, assigned to an organization, and optionally assigned to a team. -Administrators can then choose to enforce SSO login and effortlessly manage SSO connections for their individual company. +Administrators can then choose to enforce SSO sign-in and manage SSO connections for their individual company. ### SSO attributes When a user signs in using SSO, Docker obtains the following attributes from the IdP: -- **Email address** - this is the unique identifier of the user +- **Email address** - unique identifier of the user - **Full name** - name of the user - **Groups (optional)** - list of groups to which the user belongs -If you use SAML for your SSO connection, Docker obtains these attributes from the SAML assertion message. Your IdP may use different naming for SAML attributes than those listed above. The following table lists the possible SAML attributes that can be present in order for your SSO connection to work. +If you use SAML for your SSO connection, Docker obtains these attributes from the SAML assertion message. Your IdP may use different naming for SAML attributes than those in the previous list. 
The following table lists the possible SAML attributes that can be present in order for your SSO connection to work. You can also configure attributes to override default values, such as default team or organization. See [role mapping](../scim.md#set-up-role-mapping).
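Review bot: In the configure-sign-in.md hunks the rewritten sentences read awkwardly and blur the intent: "Make sure that the user can't edit this file, but only the administrator can:" (Windows, @@ -148,8 +147,7 @@), the same construction in the macOS hunk, and "only the root can." (Linux, @@ -212,7 +210,7 @@). Suggest "Make sure that only an administrator can edit this file:" for Windows and macOS, and "...and that only root can edit this file." for Linux (no "the" before root). The wording matters because `registry.json` is what carries `allowedOrgs`; a user who can write it can change which organizations are allowed, so stating the ownership check the same way on all three platforms, right before the `Get-Acl` verification on Windows, helps admins apply it consistently.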
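Review bot: The rewritten sentence in single-sign-on/_index.md (@@ -12,7 +12,7 @@) drops its subject: "When you enable SSO, this redirects to your IdP's authentication page to sign in. They can't authenticate..." leaves "this redirects" without saying who is redirected and "They" without an antecedent. Suggest "When you enable SSO, users are redirected to your IdP's authentication page to sign in. They can't authenticate using their Docker login credentials (Docker ID and password)." so it is clear that the end user, not the administrator enabling SSO, is the one sent to the IdP.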
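Review bot: In compose/faq.md (@@ -12,12 +12,12 @@) the bullets are being touched anyway, so "Github" should become "GitHub" in both link texts ("issue tracker on Github", "pull request on Github"); the change swaps `*` for `-` but keeps the misspelling. "To contribute code submit a pull request" also wants a comma after "code".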
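Review bot: In domain-audit.md (@@ -21,7 +21,7 @@) "review the following required prerequisites" is redundant (prerequisites are required by definition) and "review" weakens the original, which said the prerequisites must be satisfied. The list items are conditions (a Docker Business subscription, verified domains), not reading material, so suggest "Before you audit your domains, make sure the following prerequisites are met:".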
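Review bot: In the group-mapping.md tip (@@ -47,7 +47,7 @@) "When you sync groups, this creates a group if it doesn't already exist." leaves "this" without a clear referent. The original passive "a group is created if it doesn't already exist" was clearer; if the goal is active voice, suggest "When you sync groups, Docker creates any group that doesn't already exist."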
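Review bot: In security/_index.md (@@ -81,7 +81,7 @@) "enforce sign in across Docker products" uses "sign in" as a noun; elsewhere in this same PR the roles table is changed to "Require Desktop sign-in", so hyphenate here too ("enforce sign-in across Docker products") to keep the term consistent across the security docs.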