Merge branch 'docker:main' into main
LLotme authored Jun 6, 2024
2 parents fd638ef + 134f0be commit 289529f
Showing 17 changed files with 138 additions and 70 deletions.
2 changes: 1 addition & 1 deletion content/compose/environment-variables/envvars.md
Expand Up @@ -161,7 +161,7 @@ When enabled, Compose displays a navigation menu where you can choose to open th
* Supported values:
* `true` or `1`, to enable,
* `false` or `0`, to disable.
* Defaults to: `0`.
* Defaults to: `1` if you obtained Docker Compose through Docker Desktop, otherwise default is `0`.

> **Note**
>
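Review bot: the new default at L21 depends on how Compose was installed, but the sentence does not say how Compose decides it was "obtained through Docker Desktop" or how a user can tell which default applies to them; since the menu is a visible behaviour change, suggest adding one sentence telling users who want a deterministic value to set the variable explicitly to `0` or `1` rather than rely on the detected default. Also tighten the wording of L21 to "Defaults to: `1` if you obtained Docker Compose through Docker Desktop, otherwise `0`."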
2 changes: 2 additions & 0 deletions content/desktop/extensions-sdk/quickstart.md
Expand Up @@ -18,6 +18,8 @@ Follow this guide to get started with creating a basic Docker extension. The Qui
>
> NodeJS and Go are only required when you follow the quickstart guide to create an extension. It uses the `docker extension init` command to automatically generate boilerplate files. This command uses a template based on a ReactJS and Go application.
In Docker Desktop settings, ensure you can install the extension you're developing. You may need to navigate to the **Extensions** tab in Docker Desktop settings and deselect **Allow only extensions distributed through the Docker Marketplace**.

## Step one: Set up your directory

To set up your directory, use the `init` subcommand and provide a name for your extension.
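Review bot: L31 follows the `>` callout line at L30 with no blank line in between, so Markdown treats it as a lazy continuation of the Note and renders it inside the callout instead of as its own paragraph; insert a blank line before it. Also, deselecting **Allow only extensions distributed through the Docker Marketplace** relaxes the control for every extension install on that machine, not only for the extension under development, so the paragraph should tell developers to turn the option back on once testing is finished.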
8 changes: 2 additions & 6 deletions content/desktop/hardened-desktop/air-gapped-containers.md
Expand Up @@ -6,13 +6,9 @@ aliases:
- /desktop/hardened-desktop/settings-management/air-gapped-containers/
---

> **Beta feature**
>
> This feature is in [Beta](../../release-lifecycle.md/#beta).
> It's available with Docker Desktop version 4.29 and later.
{ .experimental }
{{< introduced desktop 4.29.0 "../release-notes.md#4290" >}}

Air-gapped containers allows administrators to restrict containers from accessing network resources, limiting where data can be uploaded to or downloaded from.
Air-Gapped Containers allows administrators to restrict containers from accessing network resources, limiting where data can be uploaded to or downloaded from.

Docker Desktop can apply a custom set of proxy rules to network traffic from containers. The proxy can be configured to:

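Review bot: the `introduced` shortcode at L48 records 4.29.0, which is the version the removed Beta admonition (L43-L47) described as the beta release; with that admonition gone, nothing on this page says the feature became generally available in 4.31.0 as the release notes in this same commit state, so readers on 4.29 or 4.30 may assume they have the GA behaviour. Suggest adding a sentence such as "Generally available from Docker Desktop 4.31.0." Also the name is capitalised "Air-Gapped Containers" here (L51) but the `containersProxy` row in the settings-management table still says "air-gapped containers"; pick one form.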
Expand Up @@ -45,7 +45,7 @@ Using the `admin-settings.json` file, admins can:
- Turn off Docker Desktop's onboarding survey
- Control the file sharing implementation for your developers on macOS
- Specify which paths your developers can add file shares to
- Configure air-gapped containers (Beta)
- Configure Air-Gapped Containers

For more details on the syntax and options admins can set, see [Configure Settings Management](configure.md).

Expand Up @@ -183,7 +183,7 @@ The following `admin-settings.json` code and table provides an example of the re
| `exposeDockerAPIOnTCP2375` | Windows only| Exposes the Docker API on a specified port. If `value` is set to true, the Docker API is exposed on port 2375. Note: This is unauthenticated and should only be enabled if protected by suitable firewall rules.|
| `proxy` | |If `mode` is set to `system` instead of `manual`, Docker Desktop gets the proxy values from the system and ignores and values set for `http`, `https` and `exclude`. Change `mode` to `manual` to manually configure proxy servers. If the proxy port is custom, specify it in the `http` or `https` property, for example `"https": "http://myotherproxy.com:4321"`. The `exclude` property specifies a comma-separated list of hosts and domains to bypass the proxy. |
| &nbsp; &nbsp; &nbsp; &nbsp;`windowsDockerdPort` | Windows only | Exposes Docker Desktop's internal proxy locally on this port for the Windows Docker daemon to connect to. If it is set to 0, a random free port is chosen. If the value is greater than 0, use that exact value for the port. The default value is -1 which disables the option. Note: This is available for Windows containers only. |
| `containersProxy` (Beta) | | Allows you to create air-gapped containers. For more information see [Air-gapped containers](../air-gapped-containers.md).|
| `containersProxy` (Beta) | | Allows you to create air-gapped containers. For more information see [Air-Gapped Containers](../air-gapped-containers.md).|
| `enhancedContainerIsolation` | | If `value` is set to true, Docker Desktop runs all containers as unprivileged, via the Linux user-namespace, prevents them from modifying sensitive configurations inside the Docker Desktop VM, and uses other advanced techniques to isolate them. For more information, see [Enhanced Container Isolation](../enhanced-container-isolation/index.md).|
| &nbsp; &nbsp; &nbsp; &nbsp;`dockerSocketMount` | | By default, enhanced container isolation blocks bind-mounting the Docker Engine socket into containers (e.g., `docker run -v /var/run/docker.sock:/var/run/docker.sock ...`). This allows admins to relax this in a controlled way. See [ECI Configuration](../enhanced-container-isolation/config.md) for more info. |
| &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; `imageList` | | Indicates which container images are allowed to bind-mount the Docker Engine socket. |
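Review bot: L73 still labels `containersProxy` as `(Beta)` even though this commit's release notes declare Air-Gapped Containers generally available in 4.31.0; drop the label, and use the same capitalisation as the link text. While here, the unchanged L70 has a typo: "ignores and values set for `http`, `https` and `exclude`" should read "ignores any values set for".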
39 changes: 31 additions & 8 deletions content/desktop/install/windows-install.md
Expand Up @@ -27,14 +27,15 @@ aliases:
This page contains the download URL, information about system requirements, and instructions on how to install Docker Desktop for Windows.

{{< button text="Docker Desktop for Windows" url="https://desktop.docker.com/win/main/amd64/Docker%20Desktop%20Installer.exe" >}}
{{< button text="Docker Desktop for Windows - x86_64" url="https://desktop.docker.com/win/main/amd64/Docker%20Desktop%20Installer.exe?utm_source=docker&utm_medium=webreferral&utm_campaign=docs-driven-download-win-amd64" >}}
{{< button text="Docker Desktop for Windows - Arm (Beta)" url="https://desktop.docker.com/win/main/arm64/Docker%20Desktop%20Installer.exe?utm_source=docker&utm_medium=webreferral&utm_campaign=docs-driven-download-win-arm64" >}}

_For checksums, see [Release notes](../release-notes.md)_

## System requirements

{{< tabs >}}
{{< tab name="WSL 2 backend" >}}
{{< tab name="WSL 2 backend, x86_64" >}}

- WSL version 1.1.3.0 or later.
- Windows 11 64-bit: Home or Pro version 21H2 or higher, or Enterprise or Education version 21H2 or higher.
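Review bot: L87 sends readers to the release notes for checksums, and with two installers now offered (x86_64 at L84 and Arm at L85) the release-notes checksum list needs to cover the arm64 `Docker Desktop Installer.exe` as well; otherwise the Arm (Beta) button has no published integrity value to verify the download against. Consider adding "(for both x86_64 and Arm)" to the checksum sentence once that is confirmed.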
Expand All @@ -45,7 +46,6 @@ _For checksums, see [Release notes](../release-notes.md)_
[Microsoft documentation](https://docs.microsoft.com/en-us/windows/wsl/install-win10).
- The following hardware prerequisites are required to successfully run
WSL 2 on Windows 10 or Windows 11:

- 64-bit processor with [Second Level Address Translation (SLAT)](https://en.wikipedia.org/wiki/Second_Level_Address_Translation)
- 4GB system RAM
- Enable hardware virtualization in BIOS. For more information, see
Expand All @@ -64,15 +64,12 @@ For more information on setting up WSL 2 with Docker Desktop, see [WSL](../wsl/_
> Docker only supports Docker Desktop on Windows for those versions of Windows that are still within [Microsoft’s servicing timeline](https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet). Docker Desktop is not supported on server versions of Windows, such as Windows Server 2019 or Windows Server 2022. For more information on how to run containers on Windows Server, see [Microsoft's official documentation](https://learn.microsoft.com/virtualization/windowscontainers/quick-start/set-up-environment).
{{< /tab >}}
{{< tab name="Hyper-V backend and Windows containers" >}}
{{< tab name="Hyper-V backend, x86_64" >}}

- Windows 11 64-bit: Pro version 21H2 or higher, or Enterprise or Education version 21H2 or higher.
- Windows 11 64-bit: Home or Pro version 21H2 or higher, or Enterprise or Education version 21H2 or higher.
- Windows 10 64-bit:
- We recommend Home or Pro 22H2 (build 19045) or higher, or Enterprise or Education 22H2 (build 19045) or higher.
- Minimum required is Home or Pro 21H2 (build 19044) or higher, or Enterprise or Education 21H2 (build 19044) or higher.

For Windows 10 and Windows 11 Home, see the system requirements in the WSL 2 backend tab.

- Turn on Hyper-V and Containers Windows features.
- The following hardware prerequisites are required to successfully run Client
Hyper-V on Windows 10:
Expand All @@ -93,6 +90,32 @@ For more information on setting up WSL 2 with Docker Desktop, see [WSL](../wsl/_
>
> Docker only supports Docker Desktop on Windows for those versions of Windows that are still within [Microsoft’s servicing timeline](https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet). Docker Desktop is not supported on server versions of Windows, such as Windows Server 2019 or Windows Server 2022. For more information on how to run containers on Windows Server, see [Microsoft's official documentation](https://learn.microsoft.com/virtualization/windowscontainers/quick-start/set-up-environment).
{{< /tab >}}
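Review bot: L112 now lists Windows 11 Home as supported for the Hyper-V backend, but Hyper-V is not available on Home editions of Windows; the removed L117 ("For Windows 10 and Windows 11 Home, see the system requirements in the WSL 2 backend tab.") was the correct guidance and should be restored, or "Home" should be dropped from L112 (the Windows 10 lines at L114-L115 in this tab have the same problem). Separately, the tab rename at L109 drops "and Windows containers"; since the Arm tab in this same file lists Windows containers as unsupported, keep one sentence in this tab stating that Windows containers require the Hyper-V backend so that information is not lost.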
{{< tab name="WSL 2 backend, Arm (Beta)" >}}

- WSL version 1.1.3.0 or later.
- Windows 11 64-bit: Home or Pro version 21H2 or higher, or Enterprise or Education version 21H2 or higher.
- Windows 10 64-bit:
- We recommend Home or Pro 22H2 (build 19045) or higher, or Enterprise or Education 22H2 (build 19045) or higher.
- Minimum required is Home or Pro 21H2 (build 19044) or higher, or Enterprise or Education 21H2 (build 19044) or higher.
- Turn on the WSL 2 feature on Windows. For detailed instructions, refer to the
[Microsoft documentation](https://docs.microsoft.com/en-us/windows/wsl/install-win10).
- The following hardware prerequisites are required to successfully run
WSL 2 on Windows 10 or Windows 11:
- 64-bit processor with [Second Level Address Translation (SLAT)](https://en.wikipedia.org/wiki/Second_Level_Address_Translation)
- 4GB system RAM
- Enable hardware virtualization in BIOS. For more information, see
[Virtualization](../troubleshoot/topics.md#virtualization).

> **Important**
>
> The installer and the [privileged service](../windows/permission-requirements.md#privileged-helper) are still built for `x86_64`. These are not performance critical components and currently run with [`x86` emulation](https://learn.microsoft.com/en-us/windows/arm/apps-on-arm-x86-emulation#wow64-apis).
>
> Also, the following features are not supported:
> - Hyper-V backend
> - Windows containers
{ .important }

{{< /tab >}}
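Review bot: L128-L140 duplicate the WSL 2 x86_64 requirements word for word; use a shared include or a single line "Same requirements as the WSL 2 backend, x86_64 tab" so the two lists cannot drift. In the Important admonition at L144, "not performance critical" answers a different question from the one a security reviewer will ask about the privileged service linked there: it is, by its name, the component running with elevated rights, so the note should say whether it behaves identically under x86 emulation, not only that performance is unaffected.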
{{< /tabs >}}

73 changes: 72 additions & 1 deletion content/desktop/release-notes.md
Expand Up @@ -21,11 +21,82 @@ Docker Desktop versions older than 6 months from the latest release are not avai

Take a look at the [Docker Public Roadmap](https://github.com/docker/roadmap/projects/1) to see what's coming next.

## 4.31.0

{{< release-date date="2024-06-06" >}}

{{< desktop-install all=true beta_win_arm=true version="4.31.0" build_path="/153195/" >}}

### New

- [Air-Gapped Containers](desktop/hardened-desktop/air-gapped-containers.md) is now generally available.
- Docker Compose File Viewer shows your Compose YAML with syntax highlighting and contextual links to relevant docs (Beta, progressive rollout).
- New Sidebar user experience.

### Upgrades

- [Docker Engine and CLI v26.1.4](https://github.com/moby/moby/releases/tag/v26.1.4).
- [Docker Scout CLI v1.9.1](https://github.com/docker/scout-cli/releases/tag/v1.9.1)
- [Docker Compose v2.27.1](https://github.com/docker/compose/releases/tag/v2.27.1)
- [Docker Buildx v0.14.1](https://github.com/docker/buildx/releases/tag/v0.14.1)
- [Containerd v1.6.33](https://github.com/containerd/containerd/releases/tag/v1.6.33)
- [Credential Helpers v0.8.2](https://github.com/docker/docker-credential-helpers/releases/tag/v0.8.2)
- [NVIDIA Container Toolkit v1.15.0](https://github.com/NVIDIA/nvidia-container-toolkit/releases/tag/v1.15.0)
- [Go 1.22.4](https://github.com/golang/go/releases/tag/go1.22.4)
- Linux kernel `v6.6.31`

### Bug fixes and enhancements

#### For all platforms

- Newer releases are now displayed in the **Software updates** settings tab when an update has already been downloaded.
- Added `proxyEnableKerberosNTLM` config to `settings.json` to enable fallback to basic proxy authentication if Kerberos/NTLM environment is not properly set up.
- Fixed a bug where Docker Debug was not working properly with Enhanced Container Isolation enabled.
- Fixed a bug where UDP responses were not truncated properly.
- Fixed a bug where the **Update** screen was hidden when using [Settings Management](hardened-desktop/settings-management/_index.md).
- Fixed a bug where proxy settings defined in `admin-settings.json` were not applied correctly on startup.
- Fixed a bug where the **Manage Synchronized file shares with Compose** toggle did not correctly reflect the value with the feature.
- Fixed a bug where a bind mounted file modified on host is not updated after the container restarts, when gRPC FUSE file sharing is used on macOS and on Windows with Hyper-V. Fixes [docker/for-mac#7274](https://github.com/docker/for-mac/issues/7274), [docker/for-win#14060](https://github.com/docker/for-win/issues/14060).

#### For Windows

- Changed the `--allowed-org` installer flag to write a policy registry key instead of to the `registry.json`.

#### For Mac

- Moved the setting **Automatically check configuration** from **Advanced** settings to **General** settings.
- Improved VirtioFS caching by implementing longer attributes timeout and invalidation.

#### For Linux

- Added Linux headers to the VM, to ease the compilation of custom kernel modules.

### Security

#### For all platforms

- Fixed a security bug in Enhanced Container Isolation (ECI) mode where a user could create Docker volumes sourced from restricted directories inside the Docker Desktop VM and mount them into containers, thereby giving the container access to such restricted VM directories.
- By default, only extensions listed in the marketplace can be installed in Docker Desktop. This can be changed in Docker Desktop's settings. Extension developers will need to change this option in order to test their extensions.

### For Windows

- Fixed [CVE-2024-5652](https://www.cve.org/cverecord?id=CVE-2024-5652) in which a user in the `docker-users` group can cause a Windows Denial-of-Service through the `exec-path` Docker daemon config option in Windows containers mode. This vulnerability was discovered by Hashim Jawad ([@ihack4falafel](https://github.com/ihack4falafel)) working with Trend Micro Zero Day Initiative.

### Deprecation

#### For all platforms

- The CLI binary that used to be shipped as `com.docker.cli` is now shipped simply as `docker`. This release leaves the CLI binary as `com.docker.cli`, but it will be removed next release.

#### For Windows

- Removed support for legacy version packs from the WSL2 engine.

## 4.30.0

{{< release-date date="2024-05-06" >}}

{{< desktop-install all=true version="4.30.0" build_path="/149282/" >}}
{{< desktop-install all=true beta_win_arm=true version="4.30.0" build_path="/149282/" >}}

### New

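Review bot: the link at L169, `desktop/hardened-desktop/air-gapped-containers.md`, is relative to `content/desktop/release-notes.md` and so resolves to `content/desktop/desktop/...`; the other links in this file use paths like `hardened-desktop/settings-management/_index.md` (L193), so drop the `desktop/` prefix. Two structural points: the `### For Windows` heading at L218 sits under `### Security` at the same level, so it reads as a sibling of Security rather than its child, while the other platform headings in this hunk (L213, L224, L228) use `####`; and the ECI volume-mount fix at L215 carries no identifier, affected-version range or advisory link, unlike the L220 Windows entry, so admins cannot tell which installed versions are exposed. If an identifier was assigned, add it; either way state the affected versions.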
16 changes: 9 additions & 7 deletions content/desktop/settings/mac.md
Expand Up @@ -75,6 +75,15 @@ If you choose the integrated terminal, you can run commands in a running contain

- **Enable background SBOM indexing**. When this option is enabled, Docker Scout automatically analyzes images that you build or pull.

- **Automatically check configuration**. Regularly checks your configuration to ensure no unexpected changes have been made by another application.

Docker Desktop checks if your setup, configured during installation, has been altered by external apps like Orbstack. Docker Desktop checks:
- The symlinks of Docker binaries to `/usr/local/bin`.
- The symlink of the default Docker socket.
Additionally, Docker Desktop ensures that the context is switched to `desktop-linux` on startup.

You are notified if changes are found and are able to restore the configuration directly from the notification.

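Review bot: "Orbstack" at L250 should be "OrbStack". Since this option is now under General settings where more readers will see it, the description should also make clear that it is a detection, not a prevention: L248 says the check runs "regularly", so a symlink or socket change made by another application persists until the next check and the notification at L255 is the only signal; one sentence to that effect would set expectations correctly.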
## Resources

The **Resources** tab allows you to configure CPU, memory, disk, proxies,
Expand Down Expand Up @@ -322,13 +331,6 @@ On the **Advanced** tab, you can reconfigure your initial installation settings:

For more information on each configuration and use case, see [Permission requirements](../mac/permission-requirements.md).

- **Automatically check configuration**. Regularly checks your configuration to ensure no unexpected changes have been made by another application.

Docker Desktop checks if your setup, configured during installation, has been altered by external apps like Orbstack. Docker Desktop checks:
- The symlinks of Docker binaries to `/usr/local/bin`.
- The symlink of the default Docker socket.
Additionally, Docker Desktop ensures that the context is switched to `desktop-linux` on startup.

You are notified if changes are found and are able to restore the configuration directly from the notification.


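Review bot: L271 ("You are notified if changes are found and are able to restore the configuration directly from the notification.") is kept in the Advanced section after the bullet it belonged to (L264-L269) was moved to General, so it now dangles after the Permission requirements link with no antecedent for "changes". Delete it here; the same sentence already appears at L255 in the General section.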
7 changes: 1 addition & 6 deletions content/security/faqs/single-sign-on/idp-faqs.md
Expand Up @@ -42,12 +42,7 @@ Yes, bot accounts need a seat, similar to a regular end user, having a non-alias

### Does SAML SSO use Just-in-Time provisioning?

> **Beta feature**
>
> Optional Just-in-Time (JIT) provisioning configuration is available in [beta](/release-lifecycle/#beta) when you use the Admin Console and enable SCIM. Otherwise, JIT is enabled by default.
{ .experimental }

The SSO implementation uses Just-in-Time (JIT) provisioning by default. You can optionally disable JIT if you prefer not to auto-provision users, or if you opt for auto-provisioning using SCIM. See [Just-in-Time provisioning](/security/for-admins/provisioning/just-in-time/).
The SSO implementation uses Just-in-Time (JIT) provisioning by default. You can optionally disable JIT in the Admin Console if you enable auto-provisioning using SCIM. See [Just-in-Time provisioning](/security/for-admins/provisioning/just-in-time/).

### Is IdP-initiated sign-in available?

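Review bot: L286 says JIT can be disabled "if you enable auto-provisioning using SCIM", which can be read as SCIM turning JIT off by itself; the users FAQ in this same commit phrases the precondition as "when you use the Admin Console and enable SCIM". Align the two and make the ordering explicit, for example "Once SCIM is enabled, you can disable JIT in the Admin Console so that all provisioning is handled by SCIM."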
12 changes: 1 addition & 11 deletions content/security/faqs/single-sign-on/users-faqs.md
Expand Up @@ -59,11 +59,6 @@ When SSO is enabled and enforced, your users just have to sign in using the veri

### Is Docker SSO fully synced with the IdP?

> **Beta feature**
>
> Optional Just-in-Time (JIT) provisioning configuration is available in [beta](/release-lifecycle/#beta) when you use the Admin Console. Otherwise, JIT is enabled by default.
{ .experimental }

Docker SSO provides Just-in-Time (JIT) provisioning by default, with an option to disable JIT. Users are provisioned when a user authenticates with SSO. If a user leaves the organization, administrators must sign in to Docker and manually [remove the user](../../../admin/organization/members.md#remove-a-member-or-invitee) from the organization.

[SCIM](../../../security/for-admins/provisioning/scim/) is available to provide full synchronization with users and groups. When you auto-provision users with SCIM, the recommended configuration is to disable JIT so that all auto-provisioning is handled by SCIM.
Expand All @@ -72,12 +67,7 @@ Additionally, you can use the [Docker Hub API](/docker-hub/api/latest/) to compl

### How does disabling Just-in-Time provisioning impact user sign-in?

> **Beta feature**
>
> Optional Just-in-Time (JIT) provisioning configuration is available in [beta](/release-lifecycle/#beta) when you use the Admin Console and enable SCIM. Otherwise, JIT is enabled by default.
{ .experimental }

If a user attempts to sign in to Docker using an email address that is a verified domain for your SSO connection, they need to be a member of the organization to access it, or have a pending invitation to the organization. Users who don't meet these criteria will encounter an `Access denied` error, and will need an administrator to invite them to the organization.
The option to disable JIT is available when you use the Admin Console and enable SCIM. If a user attempts to sign in to Docker using an email address that is a verified domain for your SSO connection, they need to be a member of the organization to access it, or have a pending invitation to the organization. Users who don't meet these criteria will encounter an `Access denied` error, and will need an administrator to invite them to the organization.

See [SSO authentication with JIT provisioning disabled](/security/for-admins/provisioning/just-in-time/#sso-authentication-with-jit-provisioning-disabled).

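Review bot: the sentence added at the front of L315 states the Admin Console/SCIM precondition and then runs straight into the sign-in behaviour; split it into its own short paragraph so the `Access denied` outcome that follows is read as the consequence of JIT being disabled (the question this section answers), not as something conditional on SCIM.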
0 comments on commit 289529f